CISA Adds 10 New Items to Its Known Exploited Vulnerabilities Catalog
The United States Cybersecurity and Infrastructure Security Agency (CISA) has announced that it has added ten new active vulnerabilities to the “Known Exploited Vulnerabilities (KEV) Catalog,” most of which appear to be affecting industrial automation software from Delta Electronics.
The Delta Electronics issue, CVE-2021-38406 (CVSS score: 7.8), affects DOPSoft 2 versions 2.00.07 and prior, and could result in arbitrary code execution. It is worth noting that the vulnerability was initially flagged in September 2021.
In a statement, the CISA explains, “Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation), resulting in an out-of-bounds write that allows for code execution.”
CISA also says that the “impacted product is end-of-life and should be disconnected if still in use.” All US Federal Civilian Executive Branch (FCEB) agencies are now formally required to follow this new guideline by September 15, 2022.
Here is a list of the additional vulnerabilities that CISA has flagged:
- CVE-2022-26352 — dotCMS Unrestricted Upload of File Vulnerability
- CVE-2022-24706 — Apache CouchDB Insecure Default Initialization of Resource Vulnerability
- CVE-2022-24112 — Apache APISIX Authentication Bypass Vulnerability
- CVE-2022-22963 — VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
- CVE-2022-2294 — WebRTC Heap Buffer Overflow Vulnerability
- CVE-2021-39226 — Grafana Authentication Bypass Vulnerability
- CVE-2020-36193 — PEAR Archive_Tar Improper Link Resolution Vulnerability
- CVE-2020-28949 — PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability
- iOS and macOS flaws added to the list