CISA KEV Update Part V – April 2023
The U.S. CISA added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities are as follows –
- CVE-2023-28432 (CVSS score – 7.5) – MinIO Information Disclosure Vulnerability
- CVE-2023-27350 (CVSS score – 9.8) – PaperCut MF/NG Improper Access Control Vulnerability
- CVE-2023-2136 (CVSS score – TBD) – Google Chrome Skia Integer Overflow Vulnerability
In a cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. As many as 18 unique malicious IP addresses from the U.S., the Netherlands, France, Japan, and Finland have attempted to exploit the flaw in recent times.
The second is a critical RCE bug in the PaperCut print management software that allows remote attackers to bypass authentication and run arbitrary code. The vendor addressed the vulnerability on March 8, 2023, with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9.
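For the PaperCut entry, the practical question is which installs in an inventory are still below the fixed version for their branch. The following triage helper is an added example, not code from CISA or PaperCut; it uses only the fixed versions stated above, the hostnames and versions in the sample inventory are constructed, and any branch the post does not list is flagged for manual review rather than guessed at.

```python
# Added example: triage PaperCut MF/NG installs against the fixed versions
# named in the post for CVE-2023-27350 (20.1.7, 21.2.11, 22.0.9).

# Fixed version per release branch (major, minor), as stated in the post.
FIXED_VERSIONS = {
    (20, 1): (20, 1, 7),
    (21, 2): (21, 2, 11),
    (22, 0): (22, 0, 9),
}


def parse_version(text):
    """Turn '22.0.8' into (22, 0, 8); raise ValueError on malformed input."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected PaperCut version format: {text!r}")
    return parts


def patch_status(version_text):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one install."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Branch not covered by the post (e.g. anything older than 20.1):
        # flag it for manual review instead of assuming it is safe.
        return "unknown-branch"
    # Tuple comparison orders (22, 0, 10) after (22, 0, 9) correctly,
    # which a plain string comparison would get wrong.
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """inventory: iterable of (hostname, version) -> {hostname: status}."""
    return {host: patch_status(ver) for host, ver in inventory}


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("print-srv-01", "22.0.8"),
    ("print-srv-02", "22.0.9"),
    ("print-srv-03", "21.2.11"),
    ("print-srv-04", "20.1.6"),
    ("print-srv-05", "19.2.3"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```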
The third actively exploited flaw is a Google Chrome vulnerability in the Skia 2D graphics library that could enable a threat actor to perform a sandbox escape via a crafted HTML page.