Hello and welcome to the Monday, April 22nd, 2004 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

And we got more changes to CBEs and how vulnerabilities will be communicated.

Meider, the company who is in charge of assigning CVE numbers, so far used the CVE

JSON 4.0 format.

Well, they now started releasing vulnerability information in the JSON 5.0 format and JSON 4.0 will go away end of June.

So you don't have a lot of time here to react and switch over to the new feed.

Not sure how sort of backwards compatible it is. I still have to look into it myself, but definitely something

that you need to get ready for if you are consuming these feeds directly. This may of course

also affect various open source and commercial products that are reading this feed directly

from MITR. And then you have more vulnerabilities in Enterprise File Transfer Software.

Remember all the chaos that moved it cost a few months back.

This time it's Crush FTP.

Crush FTP version 11 below 11.1.

Have a vulnerability that can be used to escape their VFS and download system files.

So this has been patched in version 11.1.0. And in particular, if you are exposing Crush FTP to the public, you should patch now as CrowdStrike states that

this vulnerability has already been exploited. There are also patches available for version 10

of Crush FTP and version 9, according to Crush FTP, is no longer supported.

So no one should be running it anymore, according to them.

And we have an interesting vulnerability or maybe, well, an easy-to-abuse feature in

GitHub that is being abused in order to distribute malware.

One of the problem with repositories like GitHub is

...