Security
Headlines
HeadlinesLatestCVEs

Headline

Red Hat Security Advisory 2023-0857-01

Red Hat Security Advisory 2023-0857-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a file download vulnerability.

Packet Storm
Open in Source
#vulnerability#linux#red_hat#js#php#sap

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: pcs security update
Advisory ID: RHSA-2023:0857-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0857
Issue date: 2023-02-21
CVE Names: CVE-2022-45442
====================================================================

  1. Summary:

An update for pcs is now available for Red Hat Enterprise Linux 8.1 Update
Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat Enterprise Linux High Availability E4S (v. 8.1) - aarch64, ppc64le, s390x, x86_64

  1. Description:

The pcs packages provide a command-line configuration system for the
Pacemaker and Corosync utilities.

Security Fix(es):

  • sinatra: Reflected File Download attack (CVE-2022-45442)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

  1. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

  1. Bugs fixed (https://bugzilla.redhat.com/):

2153363 - CVE-2022-45442 sinatra: Reflected File Download attack

  1. Package List:

Red Hat Enterprise Linux High Availability E4S (v. 8.1):

Source:
pcs-0.10.2-4.el8_1.3.src.rpm

aarch64:
pcs-0.10.2-4.el8_1.3.aarch64.rpm
pcs-snmp-0.10.2-4.el8_1.3.aarch64.rpm

ppc64le:
pcs-0.10.2-4.el8_1.3.ppc64le.rpm
pcs-snmp-0.10.2-4.el8_1.3.ppc64le.rpm

s390x:
pcs-0.10.2-4.el8_1.3.s390x.rpm
pcs-snmp-0.10.2-4.el8_1.3.s390x.rpm

x86_64:
pcs-0.10.2-4.el8_1.3.x86_64.rpm
pcs-snmp-0.10.2-4.el8_1.3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2022-45442
https://access.redhat.com/security/updates/classification/#moderate

  1. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY/S5F9zjgjWX9erEAQhzUxAAi8UkJNwV5jCQoZK3b5TdAIzRTWBJP6e9
Nm+TNfORMSjIiucmyDpHpOfbhQKeyA/IAIQ5zUf1WKRkERyB4XTYAtOOYsHNp8aZ
a6KiQBtjHdB85v7Ued9k6hcmWpLdMdZtcop22s+Ox6xi9zApHThuxiY4cwGCGoJ1
BcRh6bsTp+gGTpSjUXWTJALzojZeZYKVZyabIpUDuebmtq9jvfamhjQ83TrgwyvZ
g47474ca1cXbmRUpyDwtnW0pZO/cHJJnZpVCPMP6c+aeO2XEhSPTjB7NsSIFZB47
5M6TTOKfpsLpudJ1IY5XFOE4xggjB9qk76Ag2jDAe0Oa+AWgQ9B7nBeqMxJjQnWv
i5Su/qIogWEmVLd5fsfrs3LbVaGrj9pNBQoEci1e5R+kqk4hHEpbmm6VvGmYcRPF
vhRgfL1CMYMSv0u3ypjH7BZshxmIkaela6m95HW8mZDiG8xeeRQwA9kITmSv0od1
C10AUDq23HuEPFvbvOlX0zBCa6XrmJlOIH5LfOQwo7x/xxL488KPkarWxIDMxjJS
IkIZBXc5u8jl2YEfoqNSD052Tj/gz4+G7Jt1+JUUA4y51kZ/o4Rp1RMblzOixE7x
qwl7Ctx7UKaSf4CCBJkmR1FOFSltu20idoM2rdAdn87xtUg/UdKmY9EHJhITGmK3
APs39EHbJzk=k0Ul
-----END PGP SIGNATURE-----

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

RHSA-2023:0974: Red Hat Security Advisory: pcs security update

An update for pcs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45442: A flaw was found in Sinatra, a domain-specific language for creating web applications in Ruby. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.

Red Hat Security Advisory 2023-0855-01

Red Hat Security Advisory 2023-0855-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a file download vulnerability.

RHSA-2023:0857: Red Hat Security Advisory: pcs security update

An update for pcs is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45442: A flaw was found in Sinatra, a domain-specific language for creating web applications in Ruby. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.

RHSA-2023:0855: Red Hat Security Advisory: pcs security update

An update for pcs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45442: A flaw was found in Sinatra, a domain-specific language for creating web applications in Ruby. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.

RHSA-2023:0527: Red Hat Security Advisory: pcs security update

An update for pcs is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45442: sinatra: Reflected File Download attack

RHSA-2023:0506: Red Hat Security Advisory: pcs security update

An update for pcs is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45442: sinatra: Reflected File Download attack

Red Hat Security Advisory 2023-0427-01

Red Hat Security Advisory 2023-0427-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a file download vulnerability.

Red Hat Security Advisory 2023-0393-01

Red Hat Security Advisory 2023-0393-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a file download vulnerability.

RHSA-2023:0427: Red Hat Security Advisory: pcs security update

An update for pcs is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45442: sinatra: Reflected File Download attack

RHSA-2023:0393: Red Hat Security Advisory: pcs security update

An update for pcs is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45442: sinatra: Reflected File Download attack

GHSA-2x8x-jmrp-phxw: Sinatra vulnerable to Reflected File Download attack

### Description An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. ### References * https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf * https://github.com/advisories/GHSA-8x94-hmjh-97hq

CVE-2022-45442: CVE-2022-36359 - GitHub Advisory Database

Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue.

Packet Storm: Latest News

Falco 0.39.1
Packet Storm