Detectify Security Updates for June 1

Detectify

Our Crowdsource ethical hacker community has been busy sending us security updates, including 0-day research. For Asset Monitoring, we now push out tests more frequently and at record speed, within 25 minutes from hacker to scanner. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users.

The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner over the last few weeks:

Ghost CMS Install Exposure RCE
This module checks for an exposed admin configuration endpoint in Ghost CMS. If it is exposed, an attacker can create an admin account and inject Node.js code to achieve remote code execution (RCE).

CVE-2021-28073: Ntopng Authentication Bypass
This module checks for CVE-2021-28073. An attacker can traverse to and read find_prefs.lua.

Nexus Repository Unauthenticated Source Code Disclosure
This module tries to forcefully reveal the source code files in instances of Nexus Repository. An unauthenticated attacker can view the source code of files handled by Nexus Repository.

SAP NetWeaver Directory Listing
This module checks whether SAP NetWeaver has directory listing enabled. If it is enabled, an attacker can list all files (and subdirectories) in the current directory.

CVE-2021-33564: Argument Injection in Ruby Dragonfly
This module looks for an argument injection in the Ruby Gem “Dragonfly”. An attacker can download arbitrary files from the server.

CVE-2021-29622: Prometheus Open Redirect
This module checks whether open redirect attacks are possible using a flaw in Prometheus version 2.23.0. If the instance is vulnerable, an attacker can leverage this to steal secrets passed as part of the referrer header.

CVE-2021-3509: Red Hat Ceph Cookie XSS
Red Hat Ceph versions 14.2.17 through 14.2.20, 15.2.10 through 15.2.11 and 16.2.0 through 16.2.3 are vulnerable to XSS. An attacker can execute JavaScript that steals the original token value and gains access to the API.

AWS CodeBuild Build Spec Exposure
This module looks for Internet-exposed AWS CodeBuild build spec files. These build spec files could contain sensitive information about the projects.
