The Cybersecurity and Infrastructure Security Agency (CISA) has added MinIO, PaperCut and Google Chrome vulnerabilities to its Known Exploited Vulnerabilities Catalog.
CISA warned “these types of vulnerabilities are a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise.”
As a result, these vulnerabilities have been added to the Catalog based on evidence of active exploitation.
On April 21, 2023, CISA added one MinIO Information Disclosure Vulnerability (CVE-2023-28432) to the Exploited Vulnerabilities Catalog.
MinIO is a high-performance, S3 compatible object storage and is native to Kubernetes.
MinIO contains a vulnerability in a cluster deployment where MinIO returns all environment variables (including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD), which allows for information disclosure.
In addition, CISA added a PaperCut MF/NG Improper Access Control Vulnerability (CVE-2023-27350) to the Catalog.
According to an advisory, PaperCut confirmed CVE-2023–27350 (ZDI-CAN-18987) “allows for an unauthenticated attacker to get Remote Code Execution (RCE) on a PaperCut Application Server. This could be done remotely and without the need to log in.”
“We have evidence to suggest that unpatched servers are being exploited in the wild,” PaperCut wrote in the advisory.
PaperCut also warned in the same advisory that a second vulnerability (User account data vulnerability CVE-2023–27351) was also being exploited in the wild.
Finally, CISA added a third vulnerability, Google Chrome Skia integer overflow vulnerability (CVE-2023-2136), to the Exploited Vulnerabilities Catalog.
This vulnerability resides in Skia which serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and other products.
Google patched this flaw as part of a security update for Chrome 112.0.5615.137/138 for Windows and 112.0.5615.137 for Mac and 112.0.5615.165 for Linux, released on April 18, 2023.
Google also acknowledged that an exploit for CVE-2023-2136 exists in the wild.
- CISA Adds Veritas, Windows and Arm Mali GPU Vulnerabilities To Known Exploited Vulnerabilities Catalog
- CISA Adds IBM and Mitel Vulnerabilities To Known Exploited Vulnerabilities Catalog
- CISA Adds Telerik and Zoho Vulnerabilities To Known Exploited Vulnerabilities Catalog
- CISA adds Critical CWP vulnerability to Known Exploited Vulnerabilities Catalog