Headline
CVE-2023-32686: Kiwi TCMS 12.3
Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded. The upload validation checks were not robust enough which left the possibility of an attacker to circumvent them and upload a potentially dangerous file. Exploiting this flaw, a combination of files could be uploaded so that they work together to circumvent the existing Content-Security-Policy and allow execution of arbitrary JavaScript in the browser. This issue has been patched in version 12.3.
We’re happy to announce Kiwi TCMS version 12.3!
IMPORTANT: this is a small release which contains security related updates, general improvements and new translations!
You can explore everything at https://public.tenant.kiwitcms.org!
Supported upgrade paths:
5.3 (or older) -> 5.3.1 5.3.1 (or newer) -> 6.0.1 6.0.1 -> 6.1 6.1 -> 6.1.1 6.1.1 -> 6.2 (or newer)
—
Upstream container images (x86_64):
kiwitcms/kiwi latest 1cbaba8640d9 594MB
IMPORTANT: version tagged and multi-arch container images are available only to subscribers!
Changes since Kiwi TCMS 12.2
Security
- Update Django from 4.1.8 to 4.2.1 which contains a fix for CVE-2023-31047. We believe this does not affect Kiwi TCMS
- Implement better scanning for embedded <script> tags in uploaded files
- Force Content-Type: text/plain when serving uploaded files. See GHSA-x7c2-7wvg-jpx7
- Explicitly configure top-level permissions for CI jobs as read-all
- Pass untrusted input via intermediate ENV variables in CI jobs
Improvements
- Update nginx from 1.20 to 1.22
- Update django-grappelli from 3.0.5 to 3.0.6
- Update pygithub from 1.58.1 to 1.58.2
- Add Helm chart examples (Michael Abramovich)
Refactoring and testing
- Update node_modules/webpack-cli from 5.0.1 to 5.1.1
- Update node_modules/webpack from 5.80.0 to 5.83.1
- Update node_modules/eslint from 8.38.0 to 8.40.0
- Update tests/bugzilla/fedora from 37 to 38
- Enable the checkov static linter
Kiwi TCMS Enterprise v12.3-mt
Based on Kiwi TCMS v12.3
Update dj-database-url from 1.3.0 to 2.0.0
Update django-ses from 3.3.0 to 3.5.0
Update kiwitcms-tenants from 2.5.0 to 2.5.1
Explicitly set permissions to read-all
Enable checkov linter
Private images:
quay.io/kiwitcms/version 12.3 (aarch64) 8bf8cd56c565 22 May 2023 601MB quay.io/kiwitcms/version 12.3 (x86_64) 1cbaba8640d9 22 May 2023 592MB quay.io/kiwitcms/enterprise 12.3-mt (aarch64) 36d6670c3fca 22 May 2023 845MB quay.io/kiwitcms/enterprise 12.3-mt (x86_64) e769e6bdb5c1 22 May 2023 835MB
IMPORTANT: version tagged, multi-arch and Enterprise container images are available only to subscribers!
Related news
Red Hat Security Advisory 2023-5931-01 - Updated Satellite 6.13 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include code execution and denial of service vulnerabilities.
Red Hat Security Advisory 2023-4591-01 - Red Hat Update Infrastructure offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux instances. Issues addressed include bypass and denial of service vulnerabilities.
An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.5 fixes several security and operational bugs and also adds several new features.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-30608: A flaw was found in sqlparse. The SQL parser contains a regular expression vulnerable to a Regular Expression Denial of Service (ReDoS). The vulnerability may lead to a denial of service (DoS). * CVE-2023-31047: A bypass of validation flaw was found in python-django. When uploading multiple files using one form field, an attacker could upload multiple files without validation due to the server only validating the last file uploaded.
Debian Linux Security Advisory 5465-1 - Seokchan Yoon discovered that missing sanitising in the email and URL validators of Django, a Python web development framework, could result in denial of service.
Ubuntu Security Notice 6054-2 - USN-6054-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Moataz Al-Sharida and nawaik discovered that Django incorrectly handled uploading multiple files using one form field. A remote attacker could possibly use this issue to bypass certain validations.
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
Ubuntu Security Notice 6054-1 - Moataz Al-Sharida and nawaik discovered that Django incorrectly handled uploading multiple files using one form field. A remote attacker could possibly use this issue to bypass certain validations.