image
Home Credits Team CVE

Carleton College
Winter 2023 CS Comps

image
Resources Inspiration Process Our story
CVE-2021-44228

Apache Log4J

A zero-day vulnerability discovered in 2022 in the Apache Log4j that allows easy-to-exploit remote code execution in Java applications. Log4J is a popular Java-based logging utility widely used for generating log messages. An attacker can exploit CVE-2021-44228 by sending a specially crafted log message to a vulnerable application that uses Log4J.
Learn More
CVE-2020–25627, CVE-2020–14321, CVE-2020–25629, CVE-2019-11631

Moodle

Moodle is our course management system. Here we demonstrated four vulnerabilities on Moodle 3.9, released on 5 June 2020, along with three opportunities you've missed if you are a senior/junior: 1: Log in as a teacher and change your grades 2: Become a site manager 3: Taking over the system with a remote shell
Learn More
CVE-2017-0144

Windows 7 EternalBlue

EternalBlue is a Windows exploit created by the National Security Agency (NSA) of the United States. NSA analysts spent a year hunting for a bug in Microsoft’s software, and developed EternalBlue as part of their cyber-arsenal stockpile for (ostensibly) counterterrorism missions. In April 2017, the Shadow Brokers hacking group leaked it. It uses a flaw in the Microsoft implementation of the SMB Protocol, which allows remote attackers to execute arbitrary code on a target system by sending crafted messages to the SMBv1 server
Learn More
CVE 2022-26134

Confluence

CVE-2022-26134 was a zero-day OGNL injection vulnerability discovered in the Atlassian Confluence Server and Data Center software. Confluence is a widely used collaboration and documentation tool (basically a wiki for your team). The vulnerability allows arbitrary remote code execution on a targeted server.
Learn More
CVE-2022-1329

WordPress

WordPress is a commonly used website builder with many third-party plugins available for download to extend functionality. One of them, the Elementor plugin (versions 6.0.0 - 6.3.0), handles AJAX requests insecurely, which can result in the upload and execution of a .zip file containing any code as long as the labels and headers appear correct.
Learn More
CVE-2014-6271

Shellshock

Bash is the default Unix shell for most Linux distributions. Shellshock is a Bash vulnerability first discovered in 2014—but the software has been vulnerable since 1989. Typical Shellshock exploits attempt remote command execution by telling Bash to assign an empty function declaration to an environment variable
Learn More
CVE-2014-2630

Android NMap

NMap is a very common utility for network discovery and security auditing. When installed with high privilege levels it can create exploitable issues within linux kernel systems such as Android. Once a low level shell has been obtained, attackers can use this exploit to escalate their privileges to those NMap has, often resulting in root access.
Learn More
Carleton College CVE Comps, 2023