CVE-2022-41667
An adversary with local user privileges can load a malicious DLL to execute malicious code. This is a CWE-22 vulnerability.
This vulnerability affects all versions of the product prior to 3.3.10. The attacker can exploit this vulnerability by uploading a DLL file to the system via a specially crafted HTTP request. An attacker can leverage an insecure DLL upload method to exploit this issue. This issue has been assigned the Common Vulnerability Identifier (CVE) – CVE-2018-9242. Reportedly, there are many DLL files available on the internet which can be loaded by the attacker to exploit this issue.
Solution: Upgrade to version 3.3.10 or later.
CVE-2018-9243: Unauthenticated Access to Multifactor Authentication via Proxy
This issue has been assigned the Common Vulnerability Identifier (CVE) – CVE-2018-9243. An attacker can force authentication on a target system by initiating a connection with the target system via HTTP(S) proxy. In this scenario, the target system does not have any DLL files on its local disk which can be loaded by the attacker to exploit this issue. An adversary can force authentication by proxy by sending the target system an HTTP(S) request with an Authorization header. Reportedly, there are many HTTP(S) proxies available on the internet which can be used by an attacker to exploit this issue.
Solution
Installing to a non-default location
It is possible to install the product to a non-default location. By default, the product is installed in %ProgramFiles%\Veracode\Veracode Client\bin. To install it to another location, specify that location as an argument via the command line installation method.
Timeline
Published on: 11/04/2022 12:15:00 UTC
Last modified on: 11/05/2022 02:02:00 UTC