The Cybersecurity and Infrastructure Security Agency (CISA) has added 11 vulnerabilities to its Known Exploited Vulnerabilities Catalog. Recent additions include two Firefox zero-days, VMware, Pulse Secure, Atlassian Jira Server, Netgear and Adobe product vulnerabilities.
An attacker could exploit these vulnerabilities to take over impacted systems.
On March 5, 2022, Mozilla patched two Critical zero-day Firefox vulnerabilities (CVE-2022-26485 and CVE-2022-26486), recently added to CISA’s Known Exploited Vulnerabilities Catalog.
Each of these issues could lead to an exploitable use-after-free condition. The second flaw can also result in an exploitable sandbox escape.
“We have had reports of attacks in the wild abusing this flaw,” Mozilla warned in the advisory.
vSphere Client SSRF
In February 2021, VMware fixed an SSRF vulnerability in the vSphere Client (CVE-2021-21973), which CISA added to its Known Exploited Vulnerabilities Catalog.
“A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure,” VMware noted.
Atlassian Jira vulnerability
In July 2010, Atlassian issued a security update for a critical Jira Server vulnerability, another one of the exploits CISA added to the Known Exploited Vulnerabilities Catalog.
According to Atlassian, a server-side template injection vulnerability CVE-2019-11581 affected Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions.
Other added vulnerabilities
Moreover, CISA added these additional vulnerabilities to Known Exploited Vulnerabilities Catalog:
|CVE ID||Vulnerability Name|
|CVE-2020-8218||Pulse Connect Secure Code Injection Vulnerability|
|CVE-2017-6077||NETGEAR DGN2200 Remote Code Execution Vulnerability|
|CVE-2016-6277||NETGEAR Multiple Routers Remote Code Execution Vulnerability|
|CVE-2013-0631||Adobe ColdFusion Information Disclosure Vulnerability|
|CVE-2013-0629||Adobe ColdFusion Directory Traversal Vulnerability|
|CVE-2013-0625||Adobe ColdFusion Authentication Bypass Vulnerability|
|CVE-2009-3960||Adobe BlazeDS Information Disclosure Vulnerability|
Readers can check out the CISA post for the full list of vulnerabilities added to the exploit catalog on March 7, 2022.