Veikleikar hjá ArubaOS, CrushFTP, Gitlab, JudgeO og R

Vulnerabilities have been reported in ArubaOS, CrushFTP, Gitlab, JudgeO, and the R programming language. Microsoft also issued a warning due to a so-called Dirty stream attack. CERT-IS recommends updating as soon as possible to a version where the vulnerabilities have been fixed.

Serious weaknesses (e. critical)


The vulnerabilities CVE-2024-26305, CVE-2024-26304, CVE-2024-33511 CVE-2024-33512 all have a CVSSv3 vulnerability score of 9.8 and allow an unidentified attacker to execute code remotely by sending a specially crafted packet to Aruba’s access point management protocol). Exploitation of the vulnerabilities can also lead to the execution of code on the underlying operating system with system rights (e. privileged user) [x,y]. The vulnerabilities have been patched in ARubaOS versions 10.6.xx, and higher, and higher, and higher, and and higher [1,2].


The vulnerability CVE-2024-4040 with a CVSSv3 vulnerability score of 10.0 allows a remote attacker to escape the CrushFTP virtual file system (e.g. escape virtual file system) to the underlying operating system. The vulnerability has been fixed in versions >= 11.1 [3,4,5].


The vulnerability CVE-2024-2279 with CVSSv3 vulnerability score of 8.7 allows a threat actor to execute commands on behalf of the victim. The vulnerability has been patched in versions 16.10.2, 16.9.4 and 16.8.6 [6,7].

JudgeO sandbox

Vulnerabilities CVE-2024-28185 and CVE-2024-28189 with CVSSv3 vulnerability score of 10.0 together with vulnerability CVE-2024-29021 with vulnerability score of CVSSv3 9.1 may allow an attacker to break out of Jugde0’s sandbox environment and gain root privileges on the underlying operating system. The vulnerabilities have been fixed in version 1.13.1 [8].

The R programming language

The vulnerability CVE-2024-27322 has a CVSSv3 vulnerability level of 8.8 allows a threat actor to perform supply chain attacks via specially crafted R packages that can lead to arbitrary code execution when rebuilding (e. deserializing) unreliable data. The vulnerability has been fixed in version 4.4.0 [9].

Dirty Stream

Microsoft has warned about the so-called „Dirty Stream“ of the year, which allows malicious Android apps to overwrite files in the home directory of other apps that are not properly implemented. Overwriting files can lead to arbitrary code execution and secrets theft. An example of a bad implementation involves an applet trusting untrusted file names, which allows a threat actor to abuse the FileProvider in overwriting files [10].


[1]  https://www.bleepingcomputer.com/news/security/hpe-aruba-networking-fixes-four-critical-rce-flaws-in-arubaos
[2]  https://www.arubanetworks.com/assets /alert/ARUBA-PSA-2024-004.txt
[3]  https://blog.sonicwall.com/en-us/2024/05/crushftp-server-side-template-injection-ssti/
[4]  https: //nvd.nist.gov/vuln/detail/CVE-2024-4040
[5]  https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
[6]  https://about.gitlab. com/releases/2024/04/10/patch-release-gitlab-16-10-2-released/
[7]  https://blog.sonicwall.com/en-us/2024/04/gitlab-xss-via -autocomplete-results/
[8]  https://thehackernews.com/2024/04/sandbox-escape-vulnerabilities-in.html
[9]  https://thehackernews.com/2024/04/new-r-programming- vulnerability-exposes.html
[10]  https://www.bleepingcomputer.com/news/security/microsoft-warns-of-dirty-stream-attack-impacting-android-apps/

Deildu núna


Post Tags

Scroll to Top