Security Vulnerability of the Week 20/06/22

Previous Issues of vulnerability Weekly

This week we deep dive into Couchbase releasing several vulnerabilities, SPLUNK, CISCO, Azure Synapse vulnerability and oracle cloud’s latest vulnerabilities.



Couchbase Server is a modern cloud-native distributed database that fuses the greatest strengths of relational and NoSQL. 

10 CVEs so far have been registered against several version of the Couchbase Server version for versions early than 7.0.4 and Sync Gateway 3x before 3.0.2. Amongst the CVEs identified few one have a very high severity due to bypassing of authentication and credentials. Some other CVEs have also medium due to leaked credentials exploit.

The CVSS Severity one of which is critical, can really be swayed and bumped up to critical for the system cli, admin console and Gateway that are Externally exposed. As always fix and protect systems that are externally facing 

Upgrade to the latest version of Gateway > 3.0.2 or later 

Upgrade to the latest version of sever> 7.0.4

There are currently no available exploit in metaexploit for those vulnerabilities 

  • CVE-2022-32565 – CVSS Low 1.8 –  Backup service log leak
  • CVE-2022-32564 – CVSS High 7.8 – Couchbase CLI couchbase-cli, server-eshell leaks the Cluster Manager cookie
  • CVE-2022-32192 – CVSS Medium 5.5 – couchbase-cli leaks Secrets Management master password as a command-line argument.
  • CVE-2022-32563 – CVSS Critical 9.8 – Couchbase Sync Gateway 3x before version 3.0.2 – CVSS 6.8 as credentials not authenticated using X509 certificate. When Sync Gateway is configured to authenticate with Couchbase Server using X.509 client certificates, the admin credentials provided to the Admin REST API are ignored, resulting in privilege escalation for unauthenticated users 
  • CVE-2022-32562 – Server Before 7.0.4 –  CVSS High 8.8 – mitigation from CVE-2018-15728  were insufficient 
  • CVE-2022-32561 – Server Before 7.0.4 – CVSS High 8.8 Previous mitigations for CVE-2018-15728 were found to be insufficient when it was discovered that diagnostic endpoints could still be accessed from the network.
  • CVE-2022-32560 – Server Before 7.0.4 – CVSS Medium 4.0 – XDCR – lacks role checking when changing internal settings
  • CVE-2022-32559 – Server Before 7.0.4 – CVSS High 7.4 – HTTP Request leads to leaked credentials 
  • CVE-2022-32558 – Server Before 7.0.4 – CVSS Medium 6.4 – Bucket loading might leak user credentials
  • CVE-2022-32557 – Server Before 7.0.4 – CVSS HIGH 8.2-  Index Service does not enforce authentication for TCP/TLS servers

For all the latest security updates:  and 

WordPress Ninja Form Vulnerability

WordPress Vulnerability Update

The recent vulnerability in WordPress could affect up to 730K and more servers. The vulnerability affects Ninja Forms with more than 1 million installations. 

Ninja form is a popular free plugin used to capture form information and customer details

Wordfence threat analyst Ramuel Gall discovered when reverse-engineering the patch that unauthenticated attackers can exploit this bug remotely to call various Ninja forms classes using a flaw in the Merge Tags feature.

OWASP Describes as following deserialization attacks

Deserialization is the reverse of turning some object into a data format. Deserialization is taking data structured from some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML.

Leveraging deserialization an attacker can have the ability to inject code resulting in remote code execution and potential takeover of the whole website

The researcher discovered the ability to make unauthenticated calls to a number of Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” Wordfence threat intelligence lead Chloe Chamberland said.


There is currently not an official update out but most websites have been force-updated based on the number of downloads since this flaw was patched on June 14.

Currently, there are 49598 downloads of the form with a total32 Million downloads and an active 1 million installations.

Samuel Wood, a WordPress developer, said in October 2020 that Automattic had used forced security updates to push “security releases for plugins many times” since WordPress 3.7 was released.

According to bleeping computer WordPress has forced updates for other critical and highly popular vulnerabilities

Jetpack Contact Form block in December 2018, a critical bug in the way some Jetpack shortcodes 

February 2022, 3 UpdraftPlus WordPress plugins were force-patched 




On 2022 June 14 the security advisory from SPLUNK sent out the advertisement for vulnerability on SPLUNK enterprise server. The vulnerability exploits on the Universal Forwarder endpoint can result in an RCE (remote code execution) 

For full CVSS code:

CVSS Critical for For more details: 

Announcement on Twitter: 

Hurricane Labs is aware of the recent vulnerability involving Splunk Enterprise deployment servers. 

An attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server. 

All Splunk Enterprise deployment servers prior to version 9.0 are vulnerable. No patch or workarounds are currently available for older Splunk versions. Splunk has indicated that they do not intend to port the fix for this issue to older versions of Splunk Enterprise. 


Currently, there are no Active exploits of the vulnerability 

To fix the vulnerability upgrade to version 9.0 

At the time of this writing (2022-06-14), there is no patch available for any supported versions of Splunk, and there are no plans to backport the fix to prior Splunk versions, including Splunk 8.2.x and older. 


  • Upgrade to 9.0 – the current recommendation
  • For version 8.2.x and before 
    • Temporarily disable access to the deployment server. (This option is only practical if you have a standalone deployment server.)
  • Enable host firewall rules on the deployment server to limit management traffic to Splunk infrastructure only. Remove these host firewall rules on this instance only when making changes to forwarders or other deployment clients.

CISCO Email Security Critical bug update

Cisco issued  fixes to address a critical security flaw affecting Email Security Appliance (ESA) and Secure Email and Web Manager on Wednesday 15/6/22

The vulnerability if exploited could bypass the authentication. 

 CVE-2022-20798, currently rated 9.8 CVSS affects the Lightweight Directory Access Protocol (LDAP) for external authentication. 

Cisco Announced:

“An attacker could exploit this vulnerability by entering a specific input on the login page of the affected device,” Cisco noted in an advisory. “A successful exploit could allow the attacker to gain unauthorized access to the web-based management interface of the affected device.”

The vulnerability got identified during a technical assistance call (TAC centre for cisco)

The Vulnerability Impacts ESA and Secure Email and Web Manager running vulnerable AsyncOS software versions 11 and earlier, 12, 12.x, 13, 13.x, 14, and 14.x and when the following two conditions are met –

  • The devices are configured to use external authentication, and
  • The devices use LDAP as the authentication protocol

For full details: 

CISCO Small Business Router unpatchable vulnerability

Cisco has identified another critical vulnerability on Small Business RV110W, RV130, RV130W, and RV215W routers. 

CVE-2022-20825 (CVSS score: 9.8) – the vulnerability affects HTTP packet.

CISCO will not release a patch as the product are end of life

For full details:


SYN LAPSE Azure Data analytical Service RCE score 7.8

Another vulnerability has been disclosed by ORCA security team named SYNLAPSE  

In may Orca had issued together with Microsoft a disclosed quickly fixed 

Orca Security is issuing this security advisory for CVE-2022-29972 to address hazards in the use of the Microsoft Azure Synapse service

The vulnerability originally identified and disclosed on January 4th got recent attention by Microsoft security.

Orca has recently disclosed a new variation of the vulnerability after Microsoft fixes

 Tzah Pahima is credited with discovering SynLapse—a critical Synapse Analytics vulnerability in Microsoft Azure, also affecting Azure Data Factory. It permitted attackers to bypass tenant separation while including the ability to:

  • Gain Credential of customer accounts (Azure Synapse)
  • Control azure Synapse workspace 
  • Execute code on target customer
  • Leak customer credentials 

Why this vulnerability is bad?

  • An attacker can gain access to a customer account acting as synapse workspace
  • An attacker can leak the credentials of a customer in their synapse workspace
  • An attacker can leverage the vulnerability to run code (RCE) on any customer’s integration runtimes 

What is SYN Lapse

Azure Synapse Analytics is an important service that is leveraged by many services that process a high quantity of data  (e.g., CosmosDB, Azure Data Lake, and external sources such as Amazon S3).

When reporting the issue ORCA suggested to Microsoft to implement a few mitigations, mainly:

  1. A sandbox – Move the shared integration runtime to a sandboxed ephemeral VM. This means that if an attacker could execute code on the integration runtime, it is never shared between two different tenants, so no sensitive data is in danger.
  2. Limit API access – Implement least privilege access to the internal management server, this will prevent attackers from using the certificate to access other tenants’ information. 

At the beginning of June Microsoft shared with ORCA that they have implemented all recommendations and Synapse Integration Runtime is now using ephemeral nodes and scoped low-privileged API tokens.

ORCA has then removed the security advisory 

Timeline (100 Days to fix)

  • January 4 – The Orca Security research team disclosed the vulnerability to the Microsoft Security Response Center (MSRC), along with keys and certificates we were able to extract.
  • February 19 & March 4 – MSRC requested additional details to aid its investigation. Each time, we responded the next day.
  • Late March – MSRC deployed the initial patch.
  • March 30 – Orca was able to bypass the patch. Synapse remained vulnerable.
  • March 31 – Azure awards us $60,000 for our discovery.
  • April 4 (90 days after disclosure)  – Orca Security notifies Microsoft that keys and certificates are still valid. Orca still had Synapse management server access.
  • April 7 – Orca met with MSRC to clarify the implications of the vulnerability and the required steps to fix it in its entirety.
  • April 10 – MSRC patches the bypass, and finally revokes the Synapse management server certificate. Orca was able to bypass the patch yet again. Synapse remained vulnerable.
  • April 15 – MSRC deploys the 3rd patch, fixing the RCE and reported attack vectors.
  • May 9 – Both Orca Security and MSRC publish blogs outlining the vulnerability, mitigations, and recommendations for customers.
  • End of May – Microsoft deploys more comprehensive tenant isolation including ephemeral instances and scoped tokens for the shared Azure Integration Runtimes.

Previous response to vulnerabilities:

Oracle Cloud Medium Vulnerability

CVE-2022-21503 on Oracle Cloud infrastructure has been confirmed on 18/6/2022

Score for the moment is 4.9 but with potential confidential impact Vector: 

Current versions of the exploit are being reported to be easy. It is possible to launch the attack remotely. Additional levels of successful authentication are required for 

exploitation. The technical details are unknown and an exploit is not available

CWE is classifying the issue as CWE-200. This is going to have an impact  

Previous Issues of vulnerability Weekly

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Explore ASPM’s role in modern application security, offering a panoramic view that extends beyond code vulnerabilities. This guide demystifies concepts like traceability, reachability analysis, and asset lineage, pivotal for securing digital assets. Learn how ASPM empowers organizations with actionable insights for precise vulnerability management. #Cybersecurity #ASPM #ApplicationSecurity
Francesco Cipollone
Explore the transformative role of ASPM in cybersecurity. Uncover how Application Security Posture Management aligns business and security objectives for effective vulnerability management and risk reduction. Discover Phoenix Security’s innovative approach to tackling the staggering challenge of CVEs with a strategic focus on prioritization. #ASPM #Cybersecurity #VulnerabilityManagement
Francesco Cipollone
Explore the critical insights into the latest container security vulnerabilities named leaky vessels, including CVE-2024-21626, CVE-2024-23651, CVE-2024-23653, and CVE-2024-23652, BuildKit flaws, with our comprehensive guide on mitigation strategies, best practices for application security, and tips for robust vulnerability management in Docker and Kubernetes environments. Stay ahead in securing your container deployments against potential threats with ASPM help
Francesco Cipollone

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris Romeo

Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.