Pierluigi Paganini June 27, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds GeoSolutionsGroup JAI-EXT, Linux Kernel, and Roundcube Webmail bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2022-24816 GeoSolutionsGroup JAI-EXT Code Injection Vulnerability
• CVE-2022-2586 Linux Kernel Use-After-Free Vulnerability
• CVE-2020-13965 Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability

Below are the descriptions of the flaws added to the KEV catalog:

1. GeoServer Flaw CVE-2022-24816 (CVSS score of 9.8) is a code injection issue in the Jai-Ext open source project. The flaw can be exploited to achieve remote code execution, it exploits Jiffle scripts compiled into Java code via Janino. The flaw was addressed with the release of GeoServer version 1.2.22 in April 2022. Technical details and PoC exploit code are publicly available since August 2022.
2. Linux Kernel Flaw CVE-2022-2586 (CVSS score of 7.8) is a use-after-free vulnerability in nft tables, that can lead to privilege escalation. White hat hackers demonstrated an exploit for this issue during the Pwn2Own Vancouver 2022. The vulnerability was fixed in August 2022, however technical details and PoC were published a few weeks later.
3. Roundcube Webmail CVE-2020-13965 (CVSS score of 6.1) is a cross-site scripting (XSS) issue. The vulnerability affects versions before 1.4.5 and 1.3.12. Successful exploitation of the flaw can lead to arbitrary JavaScript code execution. Roundcube addressed the flaw in June 2020, and PoC code was released shortly thereafter.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by July 17, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)