CISA adds 11 vulnerabilities to Known Exploited Vulnerabilities Catalog (including recent Firefox zero-days)

The Cybersecurity and Infrastructure Security Agency (CISA) has added 11 vulnerabilities to its Known Exploited Vulnerabilities Catalog. Recent additions include two Firefox zero-days, VMware, Pulse Secure, Atlassian Jira Server, Netgear and Adobe product vulnerabilities.

An attacker could exploit these vulnerabilities to take over impacted systems.

Firefox zero-days

On March 5, 2022, Mozilla patched two Critical zero-day Firefox vulnerabilities (CVE-2022-26485 and CVE-2022-26486) in Firefox 97.0.2 and Firefox ESR 91.6.1; both were subsequently added to CISA’s Known Exploited Vulnerabilities Catalog.

Both issues are use-after-free bugs: the first in XSLT parameter processing, the second in the WebGPU IPC framework. The second flaw can also result in an exploitable sandbox escape.

“We have had reports of attacks in the wild abusing this flaw,” Mozilla warned in the advisory.

vSphere Client SSRF 

In February 2021, VMware fixed an SSRF vulnerability in the vSphere Client (CVE-2021-21973), which CISA added to its Known Exploited Vulnerabilities Catalog.

“A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure,” VMware noted.

Atlassian Jira vulnerability

In July 2019, Atlassian issued a security update for a critical Jira Server vulnerability, another of the vulnerabilities CISA added to the Known Exploited Vulnerabilities Catalog.

According to Atlassian, CVE-2019-11581 is a server-side template injection vulnerability in Jira Server and Data Center, reachable through the ContactAdministrators and SendBulkMail actions. Atlassian noted that an instance is exposed only when an SMTP server is configured and either the Contact Administrators form is enabled or the attacker already holds Jira Administrators access.

Other added vulnerabilities

Moreover, CISA added these additional vulnerabilities to the Known Exploited Vulnerabilities Catalog:

CVE ID          Vulnerability Name
CVE-2020-8218   Pulse Connect Secure Code Injection Vulnerability
CVE-2017-6077   NETGEAR DGN2200 Remote Code Execution Vulnerability
CVE-2016-6277   NETGEAR Multiple Routers Remote Code Execution Vulnerability
CVE-2013-0631   Adobe ColdFusion Information Disclosure Vulnerability
CVE-2013-0629   Adobe ColdFusion Directory Traversal Vulnerability
CVE-2013-0625   Adobe ColdFusion Authentication Bypass Vulnerability
CVE-2009-3960   Adobe BlazeDS Information Disclosure Vulnerability

Readers can check out the CISA post for the full list of vulnerabilities added to the catalog on March 7, 2022.
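The catalog is also published as a JSON feed, which is how most teams actually consume additions like these. The script below is an added example, not code from the article or from CISA: it loads a feed in the published format, matches records against an asset inventory by vendor and product, and reports how many days remain until each CISA due date. The KEV sample, the inventory and every date in them are constructed for this example (the CVE IDs and vendor/product pairs are taken from the article above; the due dates are placeholders, not CISA's published values), and the host names, the helper names (index_kev, triage, fetch_kev) and the reporting date are assumptions of the example.

```python
"""Match an asset inventory against a CISA KEV-format feed and flag overdue items.

The real feed lives at KEV_FEED_URL and carries one record per CVE with fields
cveID, vendorProject, product, vulnerabilityName, dateAdded, shortDescription,
requiredAction and dueDate. KEV_SAMPLE below is a constructed stand-in in that
shape so the script runs offline; its dates are placeholders.
"""
import json
import urllib.request
from datetime import date
from typing import Dict, List, Tuple

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample. Only the CVE IDs and vendor/product names come from the
# article; dateAdded/dueDate are illustrative, not CISA's real values.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2022-26485", "vendorProject": "Mozilla", "product": "Firefox",
         "vulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability",
         "dateAdded": "2022-03-07", "dueDate": "2022-03-21"},
        {"cveID": "CVE-2022-26486", "vendorProject": "Mozilla", "product": "Firefox",
         "vulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability",
         "dateAdded": "2022-03-07", "dueDate": "2022-03-21"},
        {"cveID": "CVE-2019-11581", "vendorProject": "Atlassian", "product": "Jira Server",
         "vulnerabilityName": "Atlassian Jira Server-Side Template Injection Vulnerability",
         "dateAdded": "2022-03-07", "dueDate": "2022-09-07"},
        {"cveID": "CVE-2020-8218", "vendorProject": "Pulse Secure", "product": "Pulse Connect Secure",
         "vulnerabilityName": "Pulse Connect Secure Code Injection Vulnerability",
         "dateAdded": "2022-03-07", "dueDate": "2022-09-07"},
    ],
})

# Constructed inventory, as a CMDB or endpoint agent might report it. Host names
# are placeholders. Note that KEV records carry no version ranges, so a match
# means "confirm the installed version against the vendor advisory", not
# "confirmed vulnerable".
INVENTORY = [
    {"host": "ws-014", "vendor": "Mozilla", "product": "Firefox"},
    {"host": "jira-prod", "vendor": "Atlassian", "product": "Jira Server"},
    {"host": "vpn-edge", "vendor": "Pulse Secure", "product": "Pulse Connect Secure"},
    {"host": "bastion", "vendor": "OpenBSD", "product": "OpenSSH"},
]


def _norm(s: str) -> str:
    """Collapse case and whitespace so 'Jira  Server' and 'jira server' match."""
    return " ".join(s.lower().split())


def fetch_kev(url: str = KEV_FEED_URL, timeout: int = 30) -> str:
    """Download the live feed as text (not called in the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def index_kev(feed_json: str) -> Dict[Tuple[str, str], List[dict]]:
    """Index KEV records by normalised (vendorProject, product)."""
    index: Dict[Tuple[str, str], List[dict]] = {}
    for rec in json.loads(feed_json)["vulnerabilities"]:
        key = (_norm(rec["vendorProject"]), _norm(rec["product"]))
        index.setdefault(key, []).append(rec)
    return index


def triage(feed_json: str, inventory: List[dict], as_of: date) -> List[dict]:
    """Return one finding per (asset, KEV record) match, most urgent first.

    days_left is negative once CISA's dueDate has passed; status is OVERDUE
    in that case and "open" otherwise.
    """
    index = index_kev(feed_json)
    findings: List[dict] = []
    for asset in inventory:
        key = (_norm(asset["vendor"]), _norm(asset["product"]))
        for rec in index.get(key, []):
            days_left = (date.fromisoformat(rec["dueDate"]) - as_of).days
            findings.append({
                "host": asset["host"],
                "cveID": rec["cveID"],
                "name": rec["vulnerabilityName"],
                "dueDate": rec["dueDate"],
                "days_left": days_left,
                "status": "OVERDUE" if days_left < 0 else "open",
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"], f["cveID"]))
    return findings


if __name__ == "__main__":
    # Reporting date is an assumption of the example; use date.today() in practice.
    for f in triage(KEV_SAMPLE, INVENTORY, date(2022, 3, 25)):
        print(f"{f['status']:8} {f['days_left']:5d}d  {f['host']:10} {f['cveID']}  {f['name']}")
```

To run it against the live catalog, replace KEV_SAMPLE with fetch_kev() and date(2022, 3, 25) with date.today(); the matching is deliberately exact on vendor and product names, so normalise your inventory's naming to CISA's (for example "Mozilla"/"Firefox") before trusting a clean result, since an asset that fails to match produces no finding rather than a warning.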