Improved

Jul 25, 2024
4.22.2-2024072501

We have updated the version of Metasploit Framework to include new modules and enhancements.

PR 19325 - Updates the TARGETURI description for the geoserver_unauth_rce_cve_2024_36401 module.
PR 19338 - Improves error handling and progress tracking in the auxiliary/gather/kerberos_enumusers and gather/asrep modules.

Fixed

Pro: Fixes a crash when visiting the notes analysis page.
Pro: Fix Metasploit Pro command shell logging when setg SessionLogging true is enabled.
Pro: Fix an issue with session compatibility detection that caused the quick pen test message Unable to reach Metasploit Pro Service to appear.
PR 19312 - Fixes a regression issue that caused the Mettle sniffer extension to not correctly load.
PR 19322 - This fixes an issue that was causing some Meterpreters to consume large amounts of memory when configured with an HTTP or HTTPS transport that was unable to connect.
PR 19324 - This updates the rpc_session library such that rpc compatible modules are able to handle unknown sessions, i.e. rpc.call('session.compatible_modules', -1).
PR 19327 - This bumps the version of metasploit_payloads-mettle to pull in changes for the Linux and OSX Meterpreters. The changes fix an issue which prevented the sniffer extension from loading.

PR 19274 - This adds an exploit for CVE-2024-29824, which is unauthenticated SQLi in Ivanti Endpoint Manager 2022 SU5 and prior which can be used to obtain RCE.
PR 19304 - This adds an auxiliary module for an XXE which results in an arbitrary file in Magento which is being tracked as CVE-2024-34102.
PR 19311 - This adds an exploit module for CVE-2024-36401, an unauthenticated RCE vulnerability in GeoServer versions prior to 2.23.6, between version 2.24.0 and 2.24.3 and in version 2.25.0, 2.25.1.
PR 19314 - This adds an exploit for CVE-2024-21638 which is an authenticated RCE in Atlassian Confluence affecting all versions prior to 7.17 and many versions up to 8.9.0.