
PoC details: f8d518a2b15276ee6af619128ccd728240a502af

Related vulnerability
Title: nGrinder security vulnerability (CVE-2024-28213)
Description: nGrinder is a load-testing platform that lets you write scripts, run tests, monitor them and generate result reports in one place. nGrinder versions before 3.5.9 accept serialized Java objects from unauthenticated users, which may allow a remote attacker to execute arbitrary code through unsafe Java object deserialization.
Description
"CVE-2024-28213 is a critical vulnerability affecting versions of nGrinder prior to 3.5.9. It allows unauthenticated users to send serialized Java objects to the application, potentially leading to the execution of arbitrary code through unsafe Java object deserialization."
Introduction
## CVE-2024-28213 Vulnerability

### Description
nGrinder versions prior to 3.5.9 are vulnerable to a critical security issue, CVE-2024-28213. The application accepts serialized Java objects from unauthenticated users, so a remote attacker who can reach it may execute arbitrary code through unsafe Java object deserialization.

### Vulnerability Details
- CVE ID: CVE-2024-28213
- Published Date: 2024-03-07
- Updated Date: 2024-03-07
- Source: Naver Corporation
- Vulnerability Category: Execute code
- CWE IDs: CWE-502 (Deserialization of Untrusted Data)

### Impact
The exploitation of this vulnerability could lead to remote code execution, giving attackers unauthorized access to the system and potentially allowing them to take control of the affected server.

### Affected Versions
nGrinder versions prior to 3.5.9 are affected by this vulnerability.

### Mitigation
To mitigate the risk associated with this vulnerability, upgrade nGrinder to version 3.5.9 or later, where the issue has been addressed. Because exploitation requires no authentication, restricting network reachability is the only compensating control until the upgrade is done: ensure the application is not accessible from untrusted networks and enforce network segmentation and access controls. Putting authentication in front of the service reduces exposure but does not make the deserialization itself safe; the class of bug (CWE-502) is only closed by refusing to deserialize untrusted classes.

### References
- [NAVER Security Advisory for CVE-2024-28213](https://cve.naver.com/detail/cve-2024-28213.html)

### Exploit Prediction
According to the Exploit Prediction Scoring System (EPSS), the probability of exploitation activity in the next 30 days is estimated to be 0.04%.

### Proof of Concept (PoC)
A proof of concept (PoC) for CVE-2024-28213 is offered for purchase. The PoC is priced at $270.22 USD (at the current exchange rate) and is available in a limited quantity of 5. To obtain the PoC: https://satoshidisk.com/pay/CKp6DL. Note that the archived snapshot of this listing contains only this README; no exploit code, payload, or details of the affected endpoint are included in it.
File snapshot

[4.0K] /data/pocs/f8d518a2b15276ee6af619128ccd728240a502af
└── [1.8K] README.md

0 directories, 1 file