The US Cyber and Infrastructure Security Agency (CISA) on Friday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
That three vulnerabilities are as follows –
- CVE-2023-28432 (CVSS Score – 7.5) – MiniO Information Disclosure Vulnerability
- CVE-2023-27350 (CVSS Score – 9.8) – PaperCut MF/NG Access Control Vulnerability Incorrect
- CVE-2023-2136 (CVSS Score – TBD) – Google Chrome Skia Integer Overflow Vulnerability
“In cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure,” MiniO maintainer said in an advisory published on March 21, 2023.
Threat intelligence company, in a warning published late last month, also notes how a reference implementation provided by OpenAI for developers to integrate their plugin into ChatGPT based on an old version of MinIO which is vulnerable to CVE-2023-28432.
“While the new features released by OpenAI are valuable tools for developers looking to access live data from multiple providers within their ChatGPT integration, security must remain a core design principle,” said GreyNoise.
Also added to the KEV catalog is a critical remote code execution bug affecting PaperCut’s print management software allowing a remote attacker to bypass authentication and run arbitrary code.
The vulnerability was addressed by the vendor on March 8, 2023, with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9. Zero Day Initiative, which reported issue on 10 January 2023, expected to release additional technical details on 10 May 2023.
According to a renew shared by the Melbourne-based company earlier this week, evidence of active exploitation of unpatched servers emerged in the wild around 18 April 2023.
Cybersecurity company Arctic Wolf said it “has observed intrusion activity related to the vulnerable PaperCut Server where the RMM Synchro MSP tool was loaded onto the victim’s system.”
Last to add to the list of actively exploited vulnerabilities is a Google Chrome vulnerability affecting the Skia 2D graphics library that could allow a threat actor to perform sandbox escapes via generated HTML pages.
The Federal Civil Executive Branch Agency (FCEB) in the US is advised to patch identified vulnerabilities by May 12, 2023, to secure their network against active threats.