{"vulnerability": "CVE-2021-3770", "sightings": [{"uuid": "66fa4f6a-b294-489d-9715-e1b5c4e74098", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-37701", "type": "seen", "source": "https://t.me/cibsecurity/28108", "content": "\u203c CVE-2021-37701 \u203c\n\nThe npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. 
A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-31T20:33:42.000000Z"}, {"uuid": "efad7110-1e4b-4e6d-ba18-e25facd0e3dc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-37706", "type": "seen", "source": "https://t.me/cibsecurity/34525", "content": "\u203c CVE-2021-37706 \u203c\n\nPJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim\u2019s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim\u2019s machine. Users are advised to upgrade as soon as possible. 
There are no known workarounds.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-12-22T20:19:06.000000Z"}, {"uuid": "95dfd4e0-8c57-40f4-ac4d-9192701ebae5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-37701", "type": "published-proof-of-concept", "source": "https://t.me/cKure/7189", "content": "\u25a0\u25a0\u25a0\u25a0\u25a0 5 RCEs in npm for $15,000+.\n\n\u25aa\ufe0eCVE-2021-32804\u00a0($10,000)\n\u25aa\ufe0eCVE-2021-32803\u00a0($2,000)\n\u25aa\ufe0eCVE-2021-37701\u00a0($2,500)\n\u25aa\ufe0eCVE-2021-37712\u00a0(found internally - $1,000 token payout)\n\u25aa\ufe0eCVE-2021-37713\u00a0(found internally)\u25aa\ufe0eCVE-2021-39134\u00a0(TBD)\n\nhttps://robertchen.cc/blog/2021/09/20/npm-rce", "creation_timestamp": "2021-09-21T07:57:09.000000Z"}, {"uuid": "88e5b1e2-d683-4c34-add9-31df3c0c08e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-3770", "type": "seen", "source": "https://t.me/cibsecurity/28293", "content": "\u203c CVE-2021-3770 \u203c\n\nvim is vulnerable to Heap-based Buffer Overflow\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-09-06T16:40:39.000000Z"}, {"uuid": "c5147a27-ca18-4b2c-9a3e-1c3e8c84ae90", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-37708", "type": "seen", "source": "https://t.me/cibsecurity/27413", "content": "\u203c CVE-2021-37708 \u203c\n\nShopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. 
As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-17T00:14:55.000000Z"}, {"uuid": "d6393bbf-d87b-4dc4-9ca5-7ae96afaf10b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-37702", "type": "seen", "source": "https://t.me/cibsecurity/27525", "content": "\u203c CVE-2021-37702 \u203c\n\nPimcore is an open source data & experience management platform. Prior to version 10.1.1, Data Object CSV import allows formula injection. The problem is patched in 10.1.1. Aside from upgrading, one may apply the patch manually as a workaround.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-18T18:17:02.000000Z"}, {"uuid": "4ba0e7bd-6ab2-4872-b504-53e0ec8220cb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-37704", "type": "seen", "source": "https://t.me/cibsecurity/27275", "content": "\u203c CVE-2021-37704 \u203c\n\nPhpFastCache is a high-performance backend cache system (packagist package phpfastcache/phpfastcache). In versions before 6.1.5, 7.1.2, and 8.0.7 the `phpinfo()` can be exposed if the `/vendor` is not protected from public access. This is a rare situation today since the vendor directory is often located outside the web directory or protected via server rule (.htaccess, etc). Only the v6, v7 and v8 will be patched respectively in 8.0.7, 7.1.2, 6.1.5. Older versions such as v5, v4 are no longer supported and will **NOT** be patched. 
As a workaround, protect the `/vendor` directory from public access.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-13T00:40:16.000000Z"}, {"uuid": "cc8cf440-c105-42f5-8482-eb8ecff42842", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-37705", "type": "seen", "source": "https://t.me/cibsecurity/27344", "content": "\u203c CVE-2021-37705 \u203c\n\nOneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. To be vulnerable, a OneFuzz deployment must be both version 2.12.0 or greater and deployed with the non-default --multi_tenant_domain option. This can result in read/write access to private data such as software vulnerability and crash information, security testing tools and proprietary code and symbols. Via authorized API calls, this also enables tampering with existing data and unauthorized code execution on Azure compute resources. This issue is resolved starting in release 2.31.0, via the addition of application-level check of the bearer token's `issuer` against an administrator-configured allowlist. 
As a workaround users can restrict access to the tenant of a deployed OneFuzz instance < 2.31.0 by redeploying in the default configuration, which omits the `--multi_tenant_domain` option.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-14T00:11:23.000000Z"}, {"uuid": "65d1a346-1d73-48f1-8ddc-de17956a911a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-37707", "type": "seen", "source": "https://t.me/cibsecurity/27404", "content": "\u203c CVE-2021-37707 \u203c\n\n### Impact Manipulation of product reviews via API ### Patches We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 ### Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-16T22:15:02.000000Z"}, {"uuid": "ecc91b32-c928-49b6-b273-6e65507b0380", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-37700", "type": "published-proof-of-concept", "source": "https://t.me/cibsecurity/27271", "content": "\u203c CVE-2021-37700 \u203c\n\n@github/paste-markdown is an npm package for pasting markdown objects. A self Cross-Site Scripting vulnerability exists in the @github/paste-markdown before version 0.3.4. 
If the clipboard data contains the string ``, a **div** is dynamically created, and the clipboard content is copied into its **innerHTML** property without any sanitization, resulting in improper execution of JavaScript in the browser of the victim (the user who pasted the code). Users directed to copy text from a malicious website and paste it into pages that utilize this library are affected. This is fixed in version 0.3.4. Refer to the referenced GitHub Advisory for more details including an example exploit.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-13T00:40:10.000000Z"}, {"uuid": "a73d2999-9838-4a81-8f57-4e7849060052", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-3770", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/4471", "content": "#exploit\nCVE-2021-3770:\nHeap-based Buffer Overflow in vim/vim, the text editor that's preinstalled on 100M+ Apple Mac/UNIX devices\nhttps://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365", "creation_timestamp": "2021-10-08T12:05:33.000000Z"}]}