Command Injection

All articles tagged with #command injection

Security Flaws in Google and Gemini Tools Pose Hacker Risks

Originally Published 5 months ago — by Ars Technica


A security flaw in the Gemini CLI coding tool allows hackers to execute malicious commands silently, bypassing user notifications, due to inadequate command whitelisting. The vulnerability was exploited through crafted prompt injections that tricked the tool into running harmful commands without alerting the user. Users are advised to update to version 0.1.14 and run untrusted code in sandboxed environments to mitigate risks.

Palo Alto Networks Issues Critical Warning for PAN-OS Vulnerability

Originally Published 1 year ago — by CISA

Palo Alto Networks has issued guidance for a command injection vulnerability (CVE-2024-3400) in PAN-OS versions 10.2, 11.0, and 11.1, with reports of active exploitation in the wild. CISA advises users to review the security advisory, apply mitigations, and update affected software when fixes are available, adding the vulnerability to its Known Exploited Vulnerabilities Catalog.

Rust Issues Critical Fix for Windows Command Injection Vulnerability

Originally Published 1 year ago — by The Register


Rust has addressed a critical vulnerability, CVE-2024-24576, that could lead to command injection on Windows machines due to improper escaping of arguments when invoking batch files. The fix, included in version 1.77.2, mitigates the issue by improving the escaping code and ensuring the Command API returns an InvalidInput error when it cannot safely escape arguments. The vulnerability, dubbed BatBadBut, affects multiple technologies, including Erlang, Go, Python, and Ruby, with Node.js and PHP working on patches and Java not planning to address it.

Windows Systems at Risk: Critical 'BatBadBut' Rust Vulnerability Exposed

Originally Published 1 year ago — by Cyber Kendra


A critical security vulnerability named "BatBadBut" has been found in the Rust standard library on Windows, allowing attackers to execute arbitrary shell commands by bypassing the escaping mechanism when invoking batch files with the Command API. The vulnerability affects versions before 1.77.2 and has a CVSS score of 10.0. The Rust team has released version 1.77.2 with a fix for the issue, and developers are advised to update to mitigate the risk of potential command injection attacks.

Urgent Fix Released for Critical Rust Vulnerability Exposing Windows Systems to Command Injection Attacks

Originally Published 1 year ago — by The Hacker News


A critical vulnerability in the Rust standard library, known as BatBadBut and tracked as CVE-2024-24576, exposes Windows systems to command injection attacks when batch files are invoked with untrusted arguments. The flaw impacts all versions of Rust before 1.77.2 and has a maximum severity score. Security researcher RyotaK discovered and reported the bug, advising caution when executing commands on Windows and recommending moving batch files to a directory not included in the PATH environment variable to prevent unexpected execution.

Windows Systems at Risk: Critical Rust Vulnerability Enables Command Injection Attacks

Originally Published 1 year ago — by BleepingComputer


A critical security vulnerability in the Rust standard library, tracked as CVE-2024-24576, allows threat actors to execute command injection attacks on Windows systems. The flaw, rated as critical by GitHub, enables unauthenticated remote exploitation and affects all Rust versions before 1.77.2 on Windows. The Rust security team addressed the issue by improving the robustness of the escaping code and modifying the Command API. The vulnerability, dubbed BatBadBut, also impacts other programming languages, with some having released patches or documentation updates. The White House has urged the adoption of memory-safe programming languages like Rust to enhance software security.

Security Breach: QNAP Vulnerability Disclosure Turns into Chaos

Originally Published 1 year ago — by The Register


QNAP has disclosed and released fixes for two new vulnerabilities, one of which is a zero-day discovered in early November. There is confusion over the severity of the security problem, with QNAP assigning a middling severity score while Unit 42 and the German Federal Office for Information Security (BSI) express more urgent concerns. The vulnerabilities, including command injection flaws, affect various QNAP firmware versions and could lead to remote code execution. The company's disclosure process has been marred by disagreements over coordination and patch release dates. Users are advised to apply patches quickly and upgrade to the latest available firmware versions.

QNAP Addresses Critical Flaws in QTS OS and Apps, Ensuring NAS Device Security

Originally Published 2 years ago — by The Hacker News


QNAP has released security updates to address two critical security flaws, CVE-2023-23368 and CVE-2023-23369, that could allow remote attackers to execute commands via a network. The vulnerabilities affect QTS, QuTS hero, QuTScloud, Multimedia Console, and Media Streaming add-on. Users are urged to update to the latest versions to mitigate potential threats, especially considering QNAP devices have been targeted in ransomware attacks in the past.