Here are the CVE updates for the week of October 14th through the 20th.
Critical Severity Vulnerabilities
SolarWinds Web Help Desk (WHD) Hardcoded Credential | CVE-2024-28987: is a critical hard-coded credential vulnerability affecting SolarWinds Web Help Desk (WHD) software. This vulnerability allows a remote, unauthenticated attacker to access internal functionality and modify data.
Veeam Backup and Replication Deserialization | CVE-2024-40711: is a critical vulnerability in Veeam Backup & Replication software. This flaw, related to insecure deserialization, allows unauthenticated attackers to remotely execute arbitrary code on affected systems. The vulnerability is particularly dangerous due to its low complexity, enabling attackers to exploit it with ease. It impacts the “Backup & Replication” service by exploiting the /trigger URI on port 8000, which could lead to the creation of unauthorized administrative accounts.
Mozilla Firefox Use-After-Free | CVE-2024-9680: is a critical vulnerability affecting Mozilla’s Firefox and Thunderbird applications. This vulnerability is a use-after-free issue in the animation timelines of these products, which could allow attackers to execute arbitrary code in the browser’s content process. The exploit has been observed in the wild, making it a significant security concern.
High Severity Vulnerabilities
Microsoft Windows Kernel TOCTOU Race Condition | CVE-2024-30088: is a Windows Kernel Elevation of Privilege vulnerability that affects multiple versions of Windows, including Windows 10, Windows 11, and Windows Server (2016, 2019, 2022). The issue arises from improper handling of security attributes during the copying process, leading to a Time of Check to Time of Use (TOCTOU) flaw. This type of vulnerability allows an attacker to exploit race conditions, which could result in gaining unauthorized elevated privileges within the system.
Oracle Contract Lifecycle Management | CVE-2024-21278
Oracle Financial Services Applications | CVE-2024-21285: is a security vulnerability affecting the Android operating system. This flaw resides in the setMetadata method of the MediaSessionRecord.java file and could lead to information disclosure. Specifically, it could enable a malicious actor to view another user’s images due to a “confused deputy” scenario. The exploit does not require additional execution privileges and can occur without user interaction.
Windows Kernel Elevation of Privilege | CVE-2024-30088: is a serious vulnerability affecting the Windows Kernel, specifically in versions of Windows 10, Windows 11, and Windows Server 2016, 2019, and 2022. This vulnerability is categorized as an Elevation of Privilege (EoP) issue, which arises in the AuthzBasepCopyoutInternalSecurityAttributes function. The problem occurs when the kernel improperly handles the copying of security attributes, potentially allowing attackers to manipulate access tokens.
Oracle Sourcing component | CVE-2024-21279: is a significant vulnerability affecting the Oracle Sourcing component of the Oracle E-Business Suite, specifically versions 12.2.3 to 12.2.13. The flaw allows low-privileged attackers with network access via HTTP to exploit the system, potentially leading to unauthorized creation, deletion, or modification of critical data within Oracle Sourcing.
Oracle Banking Liquidity Management product | CVE-2024-21284: is a vulnerability affecting Oracle’s Banking Liquidity Management product, specifically version 14.5.0.12.0. It has a CVSS score of 7.1, indicating a high level of severity. The vulnerability arises from weaknesses in the “Reports” component of the application, which allows attackers with low privileges and network access (via HTTP) to exploit the system. For the exploit to succeed, human interaction from a user other than the attacker is required.
Oracle PeopleSoft Enterprise HCM Global Payroll Core product | CVE-2024-21283: identifies a high-severity vulnerability within Oracle PeopleSoft Enterprise HCM Global Payroll Core, affecting versions 9.2.48 to 9.2.50. The vulnerability allows low-privileged attackers with network access via HTTP to gain unauthorized control over the system. Once exploited, attackers can modify, delete, or create critical data within the Global Payroll Core, severely compromising data confidentiality and integrity. However, this vulnerability does not impact system availability.
Oracle Financials component within the Oracle E-Business Suite | CVE-2024-21282: is a high-severity vulnerability affecting the Oracle Financials component within the Oracle E-Business Suite (versions 12.2.3 to 12.2.13). It allows attackers with low privileges and network access via HTTP to exploit weaknesses in authentication, leading to unauthorized creation, deletion, or modification of critical financial data.
Medium Severity Vulnerabilities
Jetty DOS vulnerability on DosFilter | CVE-2024-9823: is a denial of service (DoS) vulnerability affecting Jetty’s DosFilter. This vulnerability allows an attacker to trigger OutOfMemory errors and exhaust the server’s memory by repeatedly sending crafted requests.
Samsung eMMC with KLMAG2GE4A and KLM8G1WEMB firmware | CVE-2024-31955: is a vulnerability identified in Samsung’s eMMC chips, specifically those utilizing the KLMAG2GE4A and KLM8G1WEMB firmware. The issue allows for a code bypass through Electromagnetic Fault Injection (EMFI), enabling an attacker to authenticate and write to the Replay Protected Memory Block (RPMB) without needing the associated secret information.
Oracle’s PeopleSoft Enterprise ELM (Enterprise Learning Management) | CVE-2024-21286: refers to a vulnerability in Oracle’s PeopleSoft Enterprise ELM (Enterprise Learning Management) version 9.2. It allows a low-privileged attacker with network access via HTTP to exploit the system. The attack complexity is low, but the attack requires interaction from a user other than the attacker. Successful exploitation could enable unauthorized access to sensitive data, as well as the unauthorized update, insertion, or deletion of accessible data within the system.