CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug

The U.S. Cybersecurity and Infrastructure Security Agency on Friday added three security flaws to its Known Exploited Vulnerabilities catalog, based on evidence of active exploitation.
"In a cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure," MinIO maintainers said in an advisory published on March 21, 2023.
The threat intelligence company, in an alert published late last month, also noted how a reference implementation provided by OpenAI for developers to integrate their plugins to ChatGPT relied on an older version of MinIO that's vulnerable to CVE-2023-28432.
Also added to the KEV catalog is a critical remote code execution bug affecting PaperCut print management software that allows remote attackers to bypass authentication and run arbitrary code.
The vulnerability has been addressed by the vendor as of March 8, 2023, with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9.
Lastly added to the list of actively exploited flaws is a Google Chrome vulnerability affecting the Skia 2D graphics library that could enable a threat actor to perform a sandbox escape via a crafted HTML page.
News URL
https://thehackernews.com/2023/04/cisa-adds-3-actively-exploited-flaws-to.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-03-22 | CVE-2023-28432 | Unspecified vulnerability in Minio Minio is a Multi-Cloud Object Storage framework. | 7.5 |