The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a NextGen Healthcare Mirth Connect vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
The issue, tracked as CVE-2023-43208, is a Deserialization of Untrusted Data Vulnerability.
Deserialization of untrusted data vulnerability is a security flaw that occurs when an application deserializes data from an untrusted source without properly validating or sanitizing it. Deserialization is the process of converting serialized data (data formatted for storage or transmission) back into an object or data structure that a program can use.
The flaw impacts NextGen Healthcare Mirth Connect before version 4.4.1, an unauthenticated remote attacker can trigger the issue to achieve code execution.
US CISA also addressed recently disclosed Google Chromium V8 Type Confusion Vulnerability (CVE-2024-4947).
The vulnerability CVE-2024-4947 is a type confusion that resides in V8 JavaScript engine. The vulnerability was reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky on May 13, 2024.
“Google is aware that an exploit for CVE-2024-4947 exists in the wild,” reads the advisory published by Google.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix these vulnerabilities by June 10, 2024.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)