For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentially agreements, we cannot publicize all security update releases here but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.
The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner tool on 13 December.
CVE-2018-14912: cgit Path Traversal
A vulnerability in cgit was recently made public by Google Project Zero. After getting it as a submission through Detectify Crowdsource we implemented it as a module. More information about the issue can be found here: https://bugs.chromium.org/p/project-zero/issues/detail?id=1627
CVE-2018-5006: Adobe AEM SSRF via SalesforceSecretServlet
Adobe AEM, also called Adobe Experience Manager, has previously had a few known vulnerabilities. Frans Rosén, one of our security advisors, has done a presentation on this here: https://www.youtube.com/watch?v=_j9ZEIodMDs
However, a new SSRF was released recently, which in addition to all the other research has been implemented to the scanner.
Apache Hadoop RCE
Read more about the story around this vulnerability here: https://securityaffairs.co/wordpress/77565/malware/hadoop-zero-day-exploit-leaked.html
jQuery-File-Upload related vulnerabilities
The last of the three! See the following blog post: https://blog.detectify.com/2018/12/13/jquery-file-upload-a-tale-of-three-vulnerabilities/
A few of the other things implemented…
- CVE-2018-9845: Etherpad Authentication Bypass https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9845
- Exposed Docker configuration file
- Header-Based SSRF
- URL-based Authentication Bypass
Questions or comments on our latest security updates? Let us know in the section below.
Begin a scan for the latest vulnerabilities today. Start a free trial with Detectify here!
Already have an account? Login to check your assets.
Detectify is a continuous web scanner monitor service that can be set up for automated scanning for 1000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!