Which Critical Vulnerabilities Discovered in 2023 Can Do Serious Damage? Read Our Report
Software vulnerabilities are among the biggest security risks organizations face today, and several critical vulnerabilities have already been revealed in 2023.
Software bugs plague enterprises and small organizations alike and wreak havoc on entire supply chains. What’s worse, new bugs emerge on a regular basis, forcing security leaders and teams to scramble for solutions to avoid data breaches and other incidents. Cyber criminals look to exploit software vulnerabilities to launch attacks, and in recent years we’ve seen incidents involving weaknesses in software code that became launching points for attacks.
A new report from Rezilion describes some of the more notable software vulnerabilities from the first half of 2023 and offers suggested remediations. Security risks related to software come from multiple sources. For example, vulnerabilities can be introduced during the development process, in open source software, in supply chains and by other means.
Regardless of the origin of software flaws, security leaders need to learn about the latest vulnerabilities to see if they apply to their own organizations. While some vulnerabilities can have serious consequences, others might be much less impactful than researchers originally thought.
A Round Up of Critical Vulnerabilities Discovered in 2023
This vulnerability was published in March 2023 with a Common Vulnerability Scoring System (CVSS) score of 3.7. It affected the OpenAI ChatGPT service, which had to be shut down so that the issue could be fixed. The vulnerability was discovered in the Redis open source library, and affected OpenAI’s ChatGPT payment accounts. This resulted in a leak of user data.
Although the vulnerability has a low severity score, it’s significant because of organizations’ increased reliance on these types of artificial intelligence (AI) services.
Apache Superset (CVE-2023-27524)
Horizon3.ai in April 2023 discovered CVE-2023-27524, a CVSS 9.8 critical vulnerability in Apache Superset. It was caused by the use of the default SECRET_KEY configuration generated by the application. Using the key isn’t secure because it’s publicly available and can easily be discovered by attackers. Once they obtain the key, they can generate a cookie and sign it using the key, enabling them to gain unauthorized access to the application.
In response to the vulnerability, developers at Horizon3.ai deployed a fix that prevents the server from starting if it’s configured to deploy with the default SECRET_KEY.
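A defender-side startup guard in the spirit of the fix described above, written for this article as an added example (not Superset's own code): it refuses to let a Flask-style application start when its SECRET_KEY is a shipped default or is otherwise too weak to sign session cookies safely. The default strings listed, the length and entropy thresholds and the SUPERSET_SECRET_KEY environment variable are constructed placeholders, not Superset's actual values.

```python
import math
import os
import sys
from collections import Counter

# Constructed placeholder strings standing in for shipped defaults; the real
# default SECRET_KEY strings are deliberately not reproduced here.
KNOWN_DEFAULT_KEYS = frozenset({
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
    "thisISaSECRET_1234",
})
MIN_KEY_BYTES = 32        # at least 256 bits of key material
MIN_BITS_PER_CHAR = 3.0   # floor for Shannon entropy of the key string


def shannon_entropy(s: str) -> float:
    """Bits per character over the key's observed symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def secret_key_problems(key, known_defaults=KNOWN_DEFAULT_KEYS):
    """Reasons the key must not be used for cookie signing ([] means OK)."""
    if not key:
        return ["SECRET_KEY is unset"]
    problems = []
    if key in known_defaults:
        problems.append("SECRET_KEY is a publicly known default")
    if len(key.encode()) < MIN_KEY_BYTES:
        problems.append(f"SECRET_KEY is shorter than {MIN_KEY_BYTES} bytes")
    if shannon_entropy(key) < MIN_BITS_PER_CHAR:
        problems.append("SECRET_KEY has low entropy (few distinct symbols)")
    return problems


def refuse_start_if_weak(key) -> bool:
    """Mirror the fix: log every problem and report whether startup may go on."""
    problems = secret_key_problems(key)
    for p in problems:
        print(f"refusing to start: {p}", file=sys.stderr)
    return not problems


if __name__ == "__main__":
    # The env var name is an assumption for this example, not Superset's own.
    sys.exit(0 if refuse_start_if_weak(os.environ.get("SUPERSET_SECRET_KEY")) else 1)
```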
This vulnerability, reported by the Zero Day Initiative and published in March 2023, is an actively exploited CVSS 9.8 remote code execution bug in the print management applications PaperCut NG and PaperCut MF. Because of the vulnerability, which stems from an access control issue within the SetupCompleted Java class in the pcng-server-web jar file, an attacker can easily bypass authentication and access a page with admin permissions.
After bypassing the authentication, an attacker can create scripts in PaperCut and execute code with system privileges on the affected PaperCut server.
Fortinet FortiOS (CVE-2022-41328)
This is a CVSS 7.1 zero-day vulnerability in the Fortinet FortiOS known to be exploited in the wild. As of May 2023, the Cybersecurity & Infrastructure Security Agency (CISA) had reported 10 Fortinet FortiOS known exploited vulnerabilities. Threat actors exploiting the vulnerability installed malware designed to establish contact with a remote server to download files, exfiltrate data from the compromised host and grant remote shell access.
Attackers have targeted government agencies and large organizations via the vulnerability, resulting in data loss and operating system and file corruption.
Given these and other vulnerabilities, security leaders can’t afford to fall behind bad actors determined to leverage software bugs to launch attacks. They need to educate themselves and their teams about the latest threats.
Learn more by reading the Rezilion report on our site today.