An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h (startread function), there is an integer overflow on the result of integer addition (wraparound to 0) fed into the lsx_calloc macro that wraps malloc. When a NULL pointer is returned, it is used without a prior check that it is a valid pointer, leading to a NULL pointer dereference on lsx_readbuf in formats_i.c.

There are 2 issues here:  
1\. In sox-fmt.c function startread, there is no check on the value passed to the value of comment\_bytes. If the value of comment\_bytes is on the boundary of overflow, it results in "comment\_bytes + 1" to be 0, hence calling lsx\_calloc will give null pointer.  
2\. Further, there is no check that this returned buffer can be null. Passing the null buffer down the line will trigger a segmentation fault when the program tried to use the buffer to store the result of fread (in formats\_i.c on function lsx\_readbuf).

Attached is a sample of the input file. The command to trigger the bug is --single-threaded <file> -t aiff /dev/null channels 1 rate 16k fade 3 norm. An information about the binary: 32 bit, limited to 800MB memory, under Linux Ubuntu 16.04, compiled with libmad only.</file>

The output of SoX with -V -V enabled:  
time: Oct 3 2018 08:02:13  
uname: <removed> #178-Ubuntu SMP Tue Jun 11 08:30:22 UTC 2019 x86\_64  
compiler: gcc 4.2.1 Compatible Clang 7.0.0 (branches/release\_70)  
arch: 1248 48 44 L </removed>

CVE-2019-13590: SoX - Sound eXchange / Bugs

A missing permission check in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Active Directory Plugin
*   Badge Plugin
*   batch task Plugin
*   Bitbucket Branch Source Plugin
*   Configuration as Code Plugin
*   Conjur Secrets Plugin
*   Credentials Binding Plugin
*   Debian Package Builder Plugin
*   Docker Commons Plugin
*   HashiCorp Vault Plugin
*   Mailer Plugin
*   Matrix Project Plugin
*   Metrics Plugin
*   Publish Over SSH Plugin
*   SSH Agent Plugin
*   Warnings Plugin

**Descriptions****CSRF vulnerability in build triggers**

**SECURITY-2558 / CVE-2022-20612**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to trigger build of job without parameters.

Jenkins 2.330, LTS 2.319.2 requires POST requests for the affected HTTP endpoint.

**CSRF vulnerability and missing permission checks in Mailer Plugin**

**SECURITY-2163 / CVE-2022-20613 (CSRF), CVE-2022-20614 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: mailer**  
**Description:**

Mailer Plugin 391.ve4a\_38c1b\_cf4b\_ and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Mailer Plugin 408.vd726a\_1130320 requires POST requests and Overall/Administer permission for the affected form validation method.

**Stored XSS vulnerability in Matrix Project Plugin**

**SECURITY-2017 / CVE-2022-20615**  
**Severity (CVSS):** High  
**Affected plugin: matrix-project**  
**Description:**

Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Matrix Project Plugin 1.20 escapes HTML metacharacters in node and label names, and label descriptions.

**Missing permission check in Credentials Binding Plugin allows validating secret file credentials IDs**

**SECURITY-2342 / CVE-2022-20616**  
**Severity (CVSS):** Low  
**Affected plugin: credentials-binding**  
**Description:**

Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it’s a zip file.

Credentials Binding Plugin 1.27.1 performs permission checks when validating secret file credentials IDs.

**OS command execution vulnerability in Docker Commons Plugin**

**SECURITY-1878 / CVE-2022-20617**  
**Severity (CVSS):** High  
**Affected plugin: docker-commons**  
**Description:**

Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag.

This results in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job’s SCM repository.

Docker Commons Plugin 1.18 sanitizes the name of an image or a tag.

**Missing permission checks in Bitbucket Branch Source Plugin allow enumerating credentials IDs**

**SECURITY-2033 / CVE-2022-20618**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-bitbucket-branch-source**  
**Description:**

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Bitbucket Branch Source Plugin 746.v350d2781c184 requires the appropriate permissions.

**CSRF vulnerability in Bitbucket Branch Source Plugin allows capturing credentials**

**SECURITY-2467 / CVE-2022-20619**  
**Severity (CVSS):** High  
**Affected plugin: cloudbees-bitbucket-branch-source**  
**Description:**

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Bitbucket Branch Source Plugin 746.v350d2781c184 requires POST requests for the affected HTTP endpoint.

**Missing permission checks in SSH Agent Plugin allow enumerating credentials IDs**

**SECURITY-2189 / CVE-2022-20620**  
**Severity (CVSS):** Medium  
**Affected plugin: ssh-agent**  
**Description:**

SSH Agent Plugin 1.23 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in SSH Agent Plugin 1.23.2 requires the appropriate permissions.

**Access key stored in plain text by Metrics Plugin**

**SECURITY-1624 / CVE-2022-20621**  
**Severity (CVSS):** Low  
**Affected plugin: metrics**  
**Description:**

Metrics Plugin 4.0.2.8 and earlier stores access keys unencrypted in its global configuration file jenkins.metrics.api.MetricsAccessKey.xml on the Jenkins controller as part of its configuration.

This access key can be viewed by users with access to the Jenkins controller file system.

Metrics Plugin 4.0.2.8.1 stores access key encrypted once its configuration is saved again.

Additionally, the token value is only displayed once when it is generated.

**User passwords transmitted in plain text by Active Directory Plugin**

**SECURITY-1389 / CVE-2022-23105**  
**Severity (CVSS):** Medium  
**Affected plugin: active-directory**  
**Description:**

Active Directory Plugin implements two separate modes: integration with ADSI on Windows, and an OS agnostic LDAP-based mode.

Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers unless it is configured to use the OS agnostic LDAP mode and the system property hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps is set to true.

This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain credentials of users logging into Jenkins, as well as credentials of the manager DN (LDAP mode) or the Windows/Active Directory user Jenkins is running as (ADSI mode).

Active Directory Plugin 2.25.1 adds an option to only connect to Active Directory via TLS/SSL to both modes (ADSI and LDAP). This option is enabled by default for new installations and is now the recommended way to enforce TLS/SSL for connections to Active Directory. Unlike the existing StartTLS option for the LDAP-based mode, it will not proceed using an insecure connection if establishing a TLS/SSL connection fails.

Administrators upgrading from previous versions of the plugin will be shown a warning on the Jenkins UI requesting they update the plugin configuration unless the (now otherwise obsolete) flag hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps was set to true.

The plugin exposes configuration of the ADSI flags implementing the TLS/SSL requirement via the system properties hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_FLAGS_OVERRIDE and hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_PASSWORDLESS_FLAGS_OVERRIDE. See the plugin documentation for further details.

Care needs to be taken when reconfiguring the security realm to not accidentally lock yourself out. See the documentation for advice how to resolve this problem if it occurs.

**Non-constant time token comparison in Configuration as Code Plugin**

**SECURITY-2141 / CVE-2022-23106**  
**Severity (CVSS):** Low  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin 1.55 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid authentication token.

Configuration as Code Plugin 1.55.1 now uses a constant-time comparison when validating authentication tokens.

**Path traversal vulnerability in Warnings Plugin**

**SECURITY-2090 / CVE-2022-23107**  
**Severity (CVSS):** Medium  
**Affected plugin: warnings-ng**  
**Description:**

Warnings Plugin 9.10.2 and earlier does not restrict the name of a file when configuring a custom ID.

This allows attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system.

Warnings Plugin 9.10.3 checks for the presence of prohibited directory separator characters in the custom ID.

**Stored XSS vulnerability in Badge Plugin**

**SECURITY-2547 / CVE-2022-23108**  
**Severity (CVSS):** High  
**Affected plugin: badge**  
**Description:**

Badge Plugin allows adding custom build badges with a custom description and optionally a link to a URL.

Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Badge Plugin 1.9.1 escapes the description and check for allowed protocols when creating a badge.

**Improper credentials masking in HashiCorp Vault Plugin**

**SECURITY-2213 / CVE-2022-23109**  
**Severity (CVSS):** Medium  
**Affected plugin: hashicorp-vault-plugin**  
**Description:**

Pipelines display commands executed in their Pipeline step descriptions and their output in build logs. To mask sensitive output, Pipeline: Groovy Plugin 2.84 and earlier specified an allowlist of known non-sensitive variables and masked everything else. This caused problems, so Pipeline: Groovy Plugin 2.85 and newer expects pipeline steps to explicitly specify that variables are to be treated as sensitive and should be removed from output.

HashiCorp Vault Plugin 3.7.0 and earlier relied on the previous behavior and did not explicitly declare variables as sensitive or redacted them.

This can result in exposure of Vault credentials in Pipeline build logs and Pipeline step descriptions.

HashiCorp Vault Plugin 3.8.0 explicitly masks Vault credentials in build logs and Pipeline step descriptions.

This fix only applies to new builds. Administrators are advised to review build logs and Pipeline metadata files created before HashiCorp Vault Plugin 3.8.0 for the presence of Vault credentials.

**Stored XSS vulnerability in Publish Over SSH Plugin**

**SECURITY-2287 / CVE-2022-23110**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

**CSRF vulnerability and missing permission checks in Publish Over SSH Plugin**

**SECURITY-2290 / CVE-2022-23111 (CSRF), CVE-2022-23112 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier does not perform permission checks in methods implementing connection tests.

This allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials.

Additionally, these connection tests methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Path traversal vulnerability in Publish Over SSH Plugin**

**SECURITY-2307 / CVE-2022-23113**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not.

This results in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files.

**Password stored in plain text by Publish Over SSH Plugin**

**SECURITY-2291 / CVE-2022-23114**  
**Severity (CVSS):** Low  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

**CSRF vulnerability in batch task Plugin**

**SECURITY-1025 / CVE-2022-23115**  
**Severity (CVSS):** Medium  
**Affected plugin: batch-task**  
**Description:**

batch task Plugin 1.19 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers with Overall/Read access to retrieve logs, build or delete a batch task.

**Agent-to-controller security bypass in Conjur Secrets Plugin allows decrypting secrets**

**SECURITY-2522 (1) / CVE-2022-23116**  
**Severity (CVSS):** Medium  
**Affected plugin: conjur-credentials**  
**Description:**

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain the plain text of any attacker-provided encrypted secret.

This allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

**Agent-to-controller security bypass in Conjur Secrets Plugin allows retrieving all credentials**

**SECURITY-2522 (2) / CVE-2022-23117**  
**Severity (CVSS):** Medium  
**Affected plugin: conjur-credentials**  
**Description:**

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain all username/password credentials (Credentials Plugin) stored on the Jenkins controller.

This allows attackers able to control agent processes to retrieve those credentials.

**Agent-to-controller security bypass in Debian Package Builder Plugin**

**SECURITY-2546 / CVE-2022-23118**  
**Severity (CVSS):** High  
**Affected plugin: debian-package-builder**  
**Description:**

Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agent processes to invoke command-line git at an attacker-specified path on the controller.

This allows attackers able to control agent processes to invoke arbitrary OS commands on the controller.

**Severity**

*   SECURITY-1025: Medium
*   SECURITY-1389: Medium
*   SECURITY-1624: Low
*   SECURITY-1878: High
*   SECURITY-2017: High
*   SECURITY-2033: Medium
*   SECURITY-2090: Medium
*   SECURITY-2141: Low
*   SECURITY-2163: Medium
*   SECURITY-2189: Medium
*   SECURITY-2213: Medium
*   SECURITY-2287: Medium
*   SECURITY-2290: Medium
*   SECURITY-2291: Low
*   SECURITY-2307: Medium
*   SECURITY-2342: Low
*   SECURITY-2467: High
*   SECURITY-2522 (1): Medium
*   SECURITY-2522 (2): Medium
*   SECURITY-2546: High
*   SECURITY-2547: High
*   SECURITY-2558: Medium

**Affected Versions**

*   **Jenkins weekly** up to and including 2.329
*   **Jenkins LTS** up to and including 2.319.1
*   **Active Directory Plugin** up to and including 2.25
*   **Badge Plugin** up to and including 1.9
*   **batch task Plugin** up to and including 1.19
*   **Bitbucket Branch Source Plugin** up to and including 737.vdf9dc06105be
*   **Configuration as Code Plugin** up to and including 1.55
*   **Conjur Secrets Plugin** up to and including 1.0.9
*   **Credentials Binding Plugin** up to and including 1.27
*   **Debian Package Builder Plugin** up to and including 1.6.11
*   **Docker Commons Plugin** up to and including 1.17
*   **HashiCorp Vault Plugin** up to and including 3.7.0
*   **Mailer Plugin** up to and including 391.ve4a\_38c1b\_cf4b\_
*   **Matrix Project Plugin** up to and including 1.19
*   **Metrics Plugin** up to and including 4.0.2.8
*   **Publish Over SSH Plugin** up to and including 1.22
*   **SSH Agent Plugin** up to and including 1.23
*   **Warnings Plugin** up to and including 9.10.2

**Fix**

*   **Jenkins weekly** should be updated to version 2.330
*   **Jenkins LTS** should be updated to version 2.319.2
*   **Active Directory Plugin** should be updated to version 2.25.1
*   **Badge Plugin** should be updated to version 1.9.1
*   **Bitbucket Branch Source Plugin** should be updated to version 746.v350d2781c184
*   **Configuration as Code Plugin** should be updated to version 1.55.1
*   **Credentials Binding Plugin** should be updated to version 1.27.1
*   **Docker Commons Plugin** should be updated to version 1.18
*   **HashiCorp Vault Plugin** should be updated to version 3.8.0
*   **Mailer Plugin** should be updated to version 408.vd726a\_1130320
*   **Matrix Project Plugin** should be updated to version 1.20
*   **Metrics Plugin** should be updated to version 4.0.2.8.1
*   **SSH Agent Plugin** should be updated to version 1.23.2
*   **Warnings Plugin** should be updated to version 9.10.3

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   batch task Plugin
*   Conjur Secrets Plugin
*   Debian Package Builder Plugin
*   Publish Over SSH Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2033, SECURITY-2522 (1), SECURITY-2522 (2), SECURITY-2546
*   **Devin Nusbaum, CloudBees, Inc.** for SECURITY-2467
*   **James Nord, CloudBees, Inc.** for SECURITY-2141
*   **Jasen Minton** for SECURITY-2213
*   **Kevin Guerroudj** for SECURITY-2287
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2547
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2558
*   **Kevin Guerroudj, Justin Philip and Marc Heyries** for SECURITY-2307
*   **Marc Heyries, Justin Philip and Kevin Guerroudj** for SECURITY-2290, SECURITY-2291
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-2163
*   **Oleg Nenashev** for SECURITY-1025
*   **Tomasz Szuba** for SECURITY-1878
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2017, SECURITY-2090
*   **Wasin Saengow** for SECURITY-1624

CVE-2022-23112: Jenkins Security Advisory 2022-01-12

Check Point Research has discovered cybercriminals exploiting the popular Godot Game Engine to deliver malicious software. Discover the techniques used by attackers and how to protect yourself from these threats.

****SUMMARY****

*   **Cybercriminals are exploiting the Godot game engine to deliver malware called GodLoader, targeting multiple platforms like Windows, macOS, and Linux.**

*   **GodLoader hides malicious code in game files, bypassing antivirus detection and compromising over 17,000 devices since June 2024.**

*   **The malware uses sandbox evasion, Microsoft Defender exclusions, and GitHub-hosted repositories to distribute attacks.**

*   **GodLoader’s payloads include RedLine Stealer and cryptocurrency miners, affecting 1.2 million Godot game users.**

*   **The Godot team advises downloading software from trusted sources and avoiding cracked files to stay safe.**

Check Point Research (CPR) has published its latest research on a novel multi-platform technique employed by cybercriminals to exploit the popular open-source game engine, Godot to deliver a newly discovered malicious payload dubbed GodLoader after bypassing traditional security measures.

The concerning aspect is GodLoader’s cross-platform functionality, making it effective on macOS, Windows, Linux, iOS, and Android. Although designed to target Windows, it can be used on Linux and macOS with minimal adjustments.  The malware is, reportedly, distributed via the Stargazers Ghost Network on GitHub, using over 200 repositories and 225 accounts between September and October 2024. 

“The threat actor behind this malware has been utilizing it since June 29, 2024, infecting over 17,000 machines,” and an attack can put 1.2 million users of Godot-developed games at risk, researchers noted in the blog post.

According to CPR’s research, cybercriminals exploit the flexibility of Godot’s scripting language, GDScript and embed malicious code within game assets, executing it when the game is launched. This is a stealthy approach, which enables attackers to bypass antivirus detection and compromise systems without raising alarms.

Further probing revealed that it uses sandbox and virtual machine detection, as well as Microsoft Defender exclusions, to avoid detection. The malware was hosted on Bitbucket.org and distributed across four attack waves, with initial payloads including RedLine Stealer and XMRig cryptocurrency miners.

For your information, Godot is a powerful tool for game development that allows developers to bundle game assets and scripts into .pck files, which contain the game’s resources, including images, sounds, and scripts. By injecting malicious GDScript code into these .pck files, attackers can trick the game engine into executing harmful commands.

As soon as the game loads the infected .pck file, the hidden script springs into action, downloading and deploying additional malware payloads onto the victim’s device.

The attack flow (Via CPR)

****Godot Engine’s Statement****

The Godot Engine development team, in response, has issued a statement, explaining that GodLoader doesn’t exploit a specific weakness in Godot itself because like any programming language (e.g. Python or Ruby) Godot also allows the creation of both good and bad programs. Though the malware exploits Godot’s scripting language (GDScript) to deliver its payload, this doesn’t make Godot inherently unsafe.

The team also noted that it isn’t a one-click exploit because the GodLoader malware tricks users into downloading/executing a seemingly harmless file (typically a .pck file disguised as a software crack). This file wouldn’t work on its own and the attackers also must provide the Godot runtime (.exe file) separately to make it successful. This means users have to take multiple steps to install the malware, making it less likely to be a one-click exploit.

Nonetheless, team Godot emphasizes the importance of good security habits and downloading from trusted sources like official websites, established distribution platforms, or trusted individuals. Windows and macOS users should check for signed executables and notarization by a trusted party and avoid using cracked software as it is a common target for malicious actors.

1.  **Gcore Thwarts 500M PPS DDoS Attack on Gaming Firm**
2.  **What is Blockchain Gaming and its Play-to-Earn Model?**
3.  **Exploring Data Privacy and Security in B2B Gaming Data**
4.  **Winos4.0 Malware Hits Windows via Fake Gaming Apps**
5.  **Gaming Firms, Community Members Hit by Dark Frost Botnet**

Godot Engine Exploited to Spread Malware on Windows, macOS, Linux

In incfs, there is a possible way of mounting on arbitrary paths due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-198657657

_Published February 22, 2022_

This Android Security Release Notes contains details of security vulnerabilities affecting Android devices which are addressed as part of Android 12L. Android 12L devices with a security patch level of 2022-03-01 or later are protected against these issues (Android 12L, as released on AOSP, will have a default security patch level of 2022-03-01). To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues prior to publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository as part of the Android 12L release.

The severity assessment of issues in these release notes are based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Announcements**

*   The issues described in this document are addressed as part of Android 12L. This information is provided for reference and transparency.
*   We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**Android 12L vulnerability details**

The sections below provide details for security vulnerabilities fixed as part of Android 12L. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, and severity.

**Framework**

   

CVE

References

Type

Severity

CVE-2021-39749

A-205996115

EoP

High

CVE-2021-39743

A-201534884

EoP

Moderate

CVE-2021-39746

A-194696395

EoP

Moderate

CVE-2021-39750

A-206474016

EoP

Moderate

CVE-2021-39752

A-202756848

EoP

Moderate

CVE-2021-39758

A-205130886

EoP

Moderate

CVE-2022-20002

A-198657657

EoP

Moderate

CVE-2021-39744

A-192369136

ID

Moderate

CVE-2021-39745

A-206127671

ID

Moderate

CVE-2021-39747

A-208268457

ID

Moderate

CVE-2021-39748

A-203777141

ID

Moderate

CVE-2021-39751

A-172838801

ID

Moderate

CVE-2021-39753

A-200035185

ID

Moderate

CVE-2021-39755

A-204995407

ID

Moderate

CVE-2021-39756

A-184354287

ID

Moderate

CVE-2021-39757

A-176094662

ID

Moderate

CVE-2021-39754

A-207133709

ID

Moderate

**Media Framework**

   

CVE

References

Type

Severity

CVE-2021-39759

A-180200830

EoP

Moderate

CVE-2021-39760

A-194110526

ID

Moderate

CVE-2021-39761

A-179783181

ID

Moderate

CVE-2021-39762

A-210625816

ID

Moderate

**Platform**

   

CVE

References

Type

Severity

CVE-2021-39741

A-173567719

EoP

Moderate

CVE-2021-39763

A-199176115

EoP

Moderate

CVE-2021-39764

A-170642995

EoP

Moderate

CVE-2021-39767

A-201308542

EoP

Moderate

CVE-2021-39768

A-202017876

EoP

Moderate

CVE-2021-39771

A-198661951

EoP

Moderate

CVE-2021-25393

A-180518134

ID

Moderate

CVE-2021-39739

A-184525194

ID

Moderate

CVE-2021-39740

A-209965112

ID

Moderate

CVE-2021-39742

A-186405602

ID

Moderate

CVE-2021-39765

A-201535427

ID

Moderate

CVE-2021-39766

A-198296421

ID

Moderate

CVE-2021-39769

A-193663287

ID

Moderate

CVE-2021-39770

A-193033501

ID

Moderate

**System**

   

CVE

References

Type

Severity

CVE-2021-39776

A-192614125

EoP

High

CVE-2021-39787

A-202506934

EoP

High

CVE-2021-39772

A-181962322

EoP

Moderate

CVE-2021-39780

A-204992293

EoP

Moderate

CVE-2021-39781

A-195311502

EoP

Moderate

CVE-2021-39782

A-202760015

EoP

Moderate

CVE-2021-39783

A-197960597

EoP

Moderate

CVE-2021-39784

A-200163477

EoP

Moderate

CVE-2021-39786

A-192551247

EoP

Moderate

CVE-2021-39789

A-203880906

EoP

Moderate

CVE-2021-39790

A-186405146

EoP

Moderate

CVE-2021-39773

A-191276656

ID

Moderate

CVE-2021-39775

A-206465854

ID

Moderate

CVE-2021-39777

A-194743207

ID

Moderate

CVE-2021-39778

A-196406138

ID

Moderate

CVE-2021-39779

A-190400974

ID

Moderate

CVE-2021-39788

A-191768014

ID

Moderate

CVE-2021-39791

A-194112606

ID

Moderate

CVE-2021-39774

A-205989472

DoS

Moderate

**Additional Vulnerability details**

The section below provides details for security vulnerabilities that are being provided for disclosure purposes. **These issues are not required for SPL compliance.**

**Android TV**

   

CVE

References

Type

Severity

CVE-2021-1000

A-185190688

EoP

Moderate

CVE-2021-1033

A-185247656

EoP

Moderate

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

Android 12L, as released on AOSP, has a default security patch level of 2022-03-01. Android devices running Android 12L and with a security patch level of 2022-03-01 or later address all issues contained in these security release notes.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

**Versions**

  

Version

Date

Notes

1.0

February 22, 2022

Security Release Notes Published

CVE-2022-20002: Android 12L Security Release Notes  |  Android Open Source Project

By Waqas
The February 2024 Global Threat Index report released by Check Point Software Technologies Ltd. exposes the alarming vulnerability of cybersecurity worldwide.
This is a post from HackRead.com Read the original post: FakeUpdates Malware Campaign Targets WordPress – Millions of Sites at Risk

WordPress websites are under attack! FakeUpdates malware exploits vulnerabilities and injects malicious code. LockBit3 dominates the world of ransomware. Web server flaws leave organizations exposed. Experts advocate strong security and zero tolerance for cyber threats.

As of March 2024, approximately 835 million websites are utilizing the WordPress Content Management System (CMS). This vast presence makes WordPress an extremely **lucrative target** for cybercriminals.

To highlight the ongoing threats to WordPress, according to the February 2024 Global Threat Index released by Check Point Software Technologies Ltd., this week, researchers have uncovered a fresh wave of cyber threats including malware attacks aimed at WordPress websites.

The campaign, identified as **FakeUpdates or SocGholish**, involved compromising WordPress sites through hacked admin accounts. The malware employed various tactics, including modified versions of legitimate WordPress plugins, to infiltrate websites and deceive users into downloading a Remote Access Trojan.

Despite efforts to combat it, FakeUpdates has persisted since at least 2017, posing a significant threat to website security. Some of the attack’s examples are previously identified incidents targeting products like **Windows** and **Chrome browsers**.

In the attack, the malware primarily targets websites with content management systems, aiming to trick users into downloading malicious software. Associated with the Russian cybercrime group **Evil Corp**, FakeUpdates is believed to generate revenue by selling access to infected systems.

As per the research shared with Hackread.com ahead of publication on Monday, Maya Horowitz, VP of Research at Check Point Software, emphasized the importance of protecting websites from cyber threats.

She highlighted the critical role websites play in modern society and the potential consequences of malware attacks on online presence and reputation. Horowitz stressed the need for proactive measures and a zero-tolerance approach to cybersecurity threats.

****LockBit and Ransomware****

Check Point’s Global Threat Index also **revealed** insights into ransomware activities, including data from approximately 200 ransomware “shame sites” operated by double-extortion ransomware groups.

Lockbit3, **despite its shutdown**, not only **returned** also but remained the most prevalent ransomware group in February, responsible for 20% of reported incidents. Play and 8base followed closely, with 8% and 7% of incidents, respectively. Play, which entered the top three for the first time, was responsible for a **recent cyberattack** on the city of Oakland.

Additionally, the report highlighted the most exploited vulnerabilities globally in February. The “Web Servers Malicious URL Directory Traversal” vulnerability affected 51% of organizations, followed by “Command Injection Over HTTP” and “Zyxel ZyWALL Command Injection,” each impacting 50% of organizations.

****Protect Your WordPress Website****

Here are 6 important tips to protect your WordPress website:

****Strong Login Credentials:****

*   Always use a strong and unique password for your WordPress admin account. Avoid using easily guessable information like your name, birthday, or pet’s name.
*   Consider using a password manager to generate and store strong passwords for all your online accounts.
*   Enable two-factor authentication (2FA) for an extra layer of security. This requires a second verification code, typically sent to your phone, in addition to your password when logging in.

**Regular Updates:**

*   Regularly update your WordPress core, themes, and plugins. Updates often contain security patches that address newly discovered vulnerabilities.
*   You can enable automatic updates in the WordPress dashboard to ensure your website stays up-to-date.

**Security Plugins:**

*   Consider installing a security plugin to add additional layers of protection to your website. These plugins can help monitor your website for malware, block suspicious activity, and protect against brute-force login attempts.

**Backups:**

*   Regularly back up your website files and database. This will allow you to restore your website to its previous state if it is compromised by a cyberattack.
*   There are several plugins available that can automate the backup process.

****Limit User Access:****

*   Only grant users the minimum level of access they need to perform their tasks. For example, if a user only needs to edit blog posts, there is no need to give them administrator privileges.

****Secure Hosting Provider**:**

Choose a reputable web hosting provider that prioritizes security measures. While choosing a hosting service, always look for features like the following:

*   Regular security audits and vulnerability assessments.
*   Automatic malware scanning and removal.
*   Firewalls and intrusion detection systems.
*   Secure data centres with physical and digital access control.

1.  Fake Lockdown Mode Exposes iOS Users to Malware Attacks
2.  Fake Skype, Zoom, Google Meet Sites Infect Devices with RATs
3.  The Fake Fix: New Chae$ 4.1 Malware Hides in Driver Downloads
4.  Hackers on WordPress Websites Hacking Spree with Balada Malware
5.  Fake Resumes, Real Malware: TA4557 Exploits Recruiters for Backdoor

FakeUpdates Malware Campaign Targets WordPress – Millions of Sites at Risk

NVIDIA Linux kernel distributions contain a vulnerability in nvmap NVGPU_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, where improper access control may lead to code execution, compromised integrity, or denial of service.

**Details**

This section summarizes the potential impact that this security update addresses. Descriptions use CWE™, and base scores and vectors use CVSS V3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2021‑1106

NVIDIA Linux kernel distributions contain a vulnerability in `nvmap`, where writes may be allowed to read-only buffers, which may result in escalation of privileges, denial of service, information disclosure, or data tampering.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2021‑1107

NVIDIA Linux kernel distributions contain a vulnerability in `nvmap` `NVMAP_IOC_WRITE*` paths, where improper access controls may lead to code execution, denial of service, or compromised integrity of system components.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2021‑34401

NVIDIA Linux kernel distributions contain a vulnerability in `nvmap` `NVGPU_IOCTL_CHANNEL_SET_ERROR_NOTIFIER`, where improper access control may lead to code execution, compromised integrity, or denial of service.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2021‑1108

NVIDIA Linux kernel distributions contain a vulnerability in FuSa Capture (VI/ISP), where integer underflow caused by lack of input validation may lead to complete denial of service, partial integrity, and serious confidentiality loss for all processes in the system.

7.3

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

CVE‑2021‑34402

NVIDIA Tegra kernel driver contains a vulnerability in NVIDIA NVDEC, where a user with high privileges might be able to read from or write to a memory location that is outside the intended boundary of the buffer, which may lead to denial of service, Information disclosure, loss of Integrity, or possible escalation of privileges.

6.7

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2021‑34403

NVIDIA Linux distributions contain a vulnerability in nvmap ioctl, which allows any user with a local account to exploit a use-after-free condition, leading to code privilege escalation, loss of confidentiality and integrity, or denial of service.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2021‑34404

Android images for T210 provided by NVIDIA contain a vulnerability in BROM, where failure to limit access to AHB-DMA when BROM fails may allow an unprivileged attacker with physical access to cause denial of service or impact integrity and confidentiality beyond the security scope of BROM.

7.1

AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE‑2021‑34405

NVIDIA Linux distributions contain a vulnerability in TrustZone’s `TEE_Malloc` function, where an unchecked return value causing a null pointer dereference may lead to denial of service.

5.5

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE‑2021‑1112

NVIDIA Linux kernel distributions contain a vulnerability in `nvmap`, where a null pointer dereference may lead to denial of service.

5.5

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE‑2021‑34406

NVIDIA Tegra kernel driver contains a vulnerability in NVHost, where a specific race condition can lead to a null pointer dereference, which may lead to a system reboot.

4.7

AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

SHIELD TV update includes Android™ Security Patch level **2021-09-05**. For more information about what is included in Android security patch levels, refer to the Android Security Bulletins.

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends evaluating the risk to your specific configuration.

**Security Updates**

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update. Download the update through Settings\>About\>System update.

**Software Product**

**Operating System**

**Affected Versions**

**Updated Version**

SHIELD TV

Android-P

Shield Experience prior to SE 9.0

Shield Experience Upgrade SE 9.0

**Note:**

*   Earlier releases of this product are also affected. If you are using an earlier release, upgrade to the latest release.

**Mitigations**

See Security Updates for the version to install.

**Acknowledgements**

CVE‑2021‑34406: NVIDIA thanks Billy Laws for reporting this issue.

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

January 12, 2022

Initial release

**Support**

If you have any questions about this Security Bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2021-34401: Security Bulletin: NVIDIA SHIELD TV - January 2022

uppy is vulnerable to Server-Side Request Forgery (SSRF)

@@ -1,83 +1,19 @@ // eslint-disable-next-line max-classes-per-file const http \= require('http') const https \= require('https') const { URL } \= require('url') const dns \= require('dns') const ipAddress \= require('ip-address') const request \= require('request') const ipaddr \= require('ipaddr.js')  
const logger \= require('../logger')  
const FORBIDDEN\_IP\_ADDRESS \= 'Forbidden IP address'  
function isIPAddress (address) { const addressAsV6 \= new ipAddress.Address6(address) const addressAsV4 \= new ipAddress.Address4(address) return addressAsV6.isValid() || addressAsV4.isValid() }  
/\* eslint-disable max-len \*/ /\*\* \* Determine if a IP address provided is a private one. \* Return TRUE if it's the case, FALSE otherwise. \* Excerpt from: \* https://cheatsheetseries.owasp.org/cheatsheets/Server\_Side\_Request\_Forgery\_Prevention\_Cheat\_Sheet.html#case-2---application-can-send-requests-to-any-external-ip-address-or-domain-name \* \* @param {string} ipAddress the ip address to validate \* @returns {boolean} \*/ /\* eslint-enable max-len \*/ function isPrivateIP (ipAddress) { let isPrivate \= false // Build the list of IP prefix for V4 and V6 addresses const ipPrefix \= \[\] // Add prefix for loopback addresses ipPrefix.push('127.') ipPrefix.push('0.') // Add IP V4 prefix for private addresses // See https://en.wikipedia.org/wiki/Private\_network ipPrefix.push('10.') ipPrefix.push('172.16.') ipPrefix.push('172.17.') ipPrefix.push('172.18.') ipPrefix.push('172.19.') ipPrefix.push('172.20.') ipPrefix.push('172.21.') ipPrefix.push('172.22.') ipPrefix.push('172.23.') ipPrefix.push('172.24.') ipPrefix.push('172.25.') ipPrefix.push('172.26.') ipPrefix.push('172.27.') ipPrefix.push('172.28.') ipPrefix.push('172.29.') ipPrefix.push('172.30.') ipPrefix.push('172.31.') ipPrefix.push('192.168.') ipPrefix.push('169.254.') // Add IP V6 prefix for private addresses // See https://en.wikipedia.org/wiki/Unique\_local\_address // See https://en.wikipedia.org/wiki/Private\_network // See https://simpledns.com/private-ipv6 ipPrefix.push('fc') ipPrefix.push('fd') ipPrefix.push('fe') ipPrefix.push('ff') ipPrefix.push('::1') // Verify the provided IP address // Remove whitespace characters from the beginning/end of the string // and convert it to lower case // Lower case is for preventing any IPV6 case bypass using mixed case // depending on the source used to get the IP address const ipToVerify \= ipAddress.trim().toLowerCase() // Perform the check against the list of prefix for (const prefix of ipPrefix) { if (ipToVerify.startsWith(prefix)) { isPrivate \= true break } }  
return isPrivate } // Example scary IPs that should return false (ipv6-to-ipv4 mapped): // ::FFFF:127.0.0.1 // ::ffff:7f00:1 const isDisallowedIP \= (ipAddress) \=> ipaddr.parse(ipAddress).range() !== 'unicast'  
module.exports.FORBIDDEN\_IP\_ADDRESS \= FORBIDDEN\_IP\_ADDRESS  
@@ -115,7 +51,7 @@ function dnsLookup (hostname, options, callback) {  
const toValidate \= Array.isArray(addresses) ? addresses : \[{ address: addresses }\] for (const record of toValidate) { if (isPrivateIP(record.address)) { if (isDisallowedIP(record.address)) { callback(new Error(FORBIDDEN\_IP\_ADDRESS), addresses, maybeFamily) return } @@ -127,7 +63,7 @@ function dnsLookup (hostname, options, callback) {  
class HttpAgent extends http.Agent { createConnection (options, callback) { if (isIPAddress(options.host) && isPrivateIP(options.host)) { if (ipaddr.isValid(options.host) && isDisallowedIP(options.host)) { callback(new Error(FORBIDDEN\_IP\_ADDRESS)) return undefined } @@ -138,7 +74,7 @@ class HttpAgent extends http.Agent {  
class HttpsAgent extends https.Agent { createConnection (options, callback) { if (isIPAddress(options.host) && isPrivateIP(options.host)) { if (ipaddr.isValid(options.host) && isDisallowedIP(options.host)) { callback(new Error(FORBIDDEN\_IP\_ADDRESS)) return undefined }

CVE-2022-0086: improve private ip check (#3403) · transloadit/uppy@fc137e3

PCManager versions 11.1.1.95 has a privilege escalation vulnerability. Successful exploit could allow the attacker to access certain resource beyond its privilege.

*   SA No:huawei-sa-20220216-01-priesc
*   Initial Release Date: Feb 15, 2022
*   Last Release Date: Feb 15, 2022

  

A Huawei product has a privilege escalation vulnerability. Successful exploit could allow the attacker to access certain resource beyond its privilege. (Vulnerability ID: HWPSIRT-2021-49498)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2021-40046.

For products that have released software updates to fix this vulnerability, Huawei will release and update the Security Advisory at:

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20220216-01-priesc-en

  

Product Name

Affected Version

Resolved Product and Version

PCManager

11.1.1.95

12.0.1.20（SP1）

  

Successful exploit could allow the attacker to access certain resource beyond its privilege.

  

This vulnerability can be exploited only when the following conditions are present:

An attacker could send a crafted message to the system.

Vulnerability details:

A privilege escalation vulnerability exists in a Huawei product. A module fails to fully verify external input, allowing attackers to perform malicious operations to obtain high permissions. Successful exploit could allow the attacker to access certain resource beyond its privilege.

  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.  

This vulnerability was discovered by Huawei internal tester.

  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2021-40046: Security Advisory - Privilege Escalation Vulnerability in Huawei Product

There is a denial of service vulnerability in CV81-WDM FW versions 01.70.49.29.46. Successful exploitation could cause denial of service.

There is a denial of service vulnerability in some Huawei products. Successful exploitation could cause denial of service. (Vulnerability ID: HWPSIRT-2022-27465)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2022-29798.

For products that have released software updates to fix this vulnerability, Huawei will release and update the Security Advisory at:

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20220601-01-f75b152f-en

Product Name

Affected Version

Resolved Product and Version

CV81-WDM FW

01.70.49.29.46

01.94.59.32.46

Successful exploitation could cause denial of service.

The severity of the vulnerability in this advisory has been assessed by the Common Vulnerability Scoring System Version 3.0 (CVSS v3 Specification Document).

Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Temporal Score: 7.0 (E:F/RL:O/RC:C)

Overall Score: 7.0  

This vulnerability can be exploited only when the following conditions are present:  
An attacker could send a crafted message to the device.

Vulnerability details:  
There is a denial of service vulnerability in some Huawei products. The device does not handle a specific message correctly in an abnormal scenario, which causes memory unreleased. Successful exploitation could cause denial of service.

  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

This vulnerability was discovered by Huawei internal tester.  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-29798: huawei-sa-20220601-01-f75b152f-en

There is an improper authentication vulnerability in FLMG-10 10.0.1.0(H100SP22C00). Successful exploitation of this vulnerability may lead to a control of the victim device.

**Security Advisory - Improper Authentication Management Vulnerability in some Huawei Products**

*   SA No:huawei-sa-20220406-01-bdb62b17
*   Initial Release Date: Apr 06, 2022
*   Last Release Date: Apr 06, 2022

  

There is an improper authentication vulnerability in some huawei products.Successful exploitation of this vulnerability may lead to a control of the victim device. (Vulnerability ID: HWPSIRT-2021-30580)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2022-22259.

For products that have released software updates to fix this vulnerability, Huawei will release and update the Security Advisory at:

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20220406-01-bdb62b17-en

  

Product Name

Affected Version

Resolved Product and Version

FLMG-10

10.0.1.0(H100SP22C00)

10.0.1.0(H100SP30C00)

  

Successful exploitation of this vulnerability may lead to a control of the victim device.

  

This vulnerability can be exploited only when the following conditions are present:

Attackers have local access to the affected device.

Vulnerability details:

There is an improper authentication vulnerability in some huawei products. An attacker can exploit this vulnerability by installing persistent and stealthy bootkits or malicious bootloaders.Successful exploitation of this vulnerability may lead to a control of the victim device.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

This vulnerability was discovered by Huawei internal tester.

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us