There is a traffic hijacking vulnerability in WS7200-10 11.0.2.13. Successful exploitation of this vulnerability can cause packets to be hijacked by attackers.

There is a traffic hijacking vulnerability in Huawei routers. Successful exploitation of this vulnerability can cause packets to be hijacked by attackers. (Vulnerability ID: HWPSIRT-2021-21766)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2021-46835.

For products that have released software updates to fix this vulnerability, Huawei will release and update the Security Advisory at:

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20220831-01-5370a6df-en

  

Affected Product

Affected Version

Resolved Version

WS7200-10

11.0.2.13

11.0.5.15

  

Successful exploitation of this vulnerability can cause packets to be hijacked by attackers.

  

Vulnerability Scoring Details

The vulnerability classification has been performed by using the CVSSv3 scoring system (http://www.first.org/cvss/specification-document).

Base Score: 6.3 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Temporal Score: 5.9 (E:F/RL:O/RC:C)

  

This vulnerability can be exploited only when the following conditions are present:

Attackers can access devices within the LAN.

Vulnerability details:

There is a traffic hijacking vulnerability in Huawei routers due to improper ICMP packet processing. An attacker who can access the device on a LAN can construct malicious ICMP packets and send them to the victim to exploit this vulnerability. Successful exploitation of this vulnerability can lead to packet hijacking.

  

This vulnerability was discovered by Huawei internal tester.

  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2021-46835: Security Advisory - Traffic Hijacking Vulnerability in Huawei Routers

There is an insufficient authentication vulnerability in some Huawei band products. Successful exploit could allow the attacker to spoof then connect to the band.

There is an insufficient authentication vulnerability in some Huawei band products. Successful exploit could allow the attacker to spoof then connect to the band. (Vulnerability ID: HWPSIRT-2022-85585)

This vulnerability has been assigned a (CVE) ID: CVE-2022-41579

  

Affected Product

Affected Version

Resolved Version

HOTA-Fara-B19

11.1.2.40-fullpackage-OTA

Fara-B19 11.1.5.8

Successful exploit could allow the attacker to spoof then connect to the band.  

The severity of the vulnerability in this advisory has been assessed by the Common Vulnerability Scoring System Version 3.0 (CVSS v3 Specification Document).

Base Score: 7.1 (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)

Temporal Score: 6.6 (E:F/RL:O/RC:C)

Overall Score: 6.6  

This vulnerability can be exploited only when the following conditions are present:

The attacker could fake certain credential then spoof the band.

Vulnerability details:

There is an insufficient authentication vulnerability in some Huawei band products. The band does not sufficiently authenticate the device try to connect to it in certain scenario. Successful exploit could allow the attacker to spoof then connect to the band.  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.  

The vulnerability was discovered by an external researcher.  

2022-11-23 V1.0 Initial Release;

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-41579: huawei-sa-20221130-01-c7f72ffb-en

WordPress Real Estate 7 Theme versions 3.3.4 and below suffer from a cross site scripting vulnerability.

    ==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] ==Report Title:        WordPress Real Estate 7 Theme <= 3.3.4 - Unauthenticated Reflected Cross-Site Scripting (XSS)Google Dork:         inurl:/wp-content/themes/realestate-7/Research Date:       2023-02-10Researcher:          FearZzZz [ https://fearzzzz.ru ]Component Vendor:    Contempo Themes [ https://contempothemes.com ]Vulnerable Version:  <= 3.3.4Component Link:      https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778CVSS Base Score:     6.1 (Medium)CVSS Vector String:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NOWASP Top 10:        A7: Cross-Site Scripting (XSS)CWE:                 CWE-79CVE:                 TBA=================================================================================================#### [ Description: ]The Real Estate 7 premium theme for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) attack vector in versions up to, and including, v3.3.4 via the 'ct_additional_features' option due to insufficient input sanitization and output escaping. This vulnerability allows unauthenticated attackers to inject malicious JavaScript payload in the search page that execute if they can trick a user into performing an action such as clicking on a link.#### [ Impact: ]Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.#### [ Payloads: ]```<img src=x onerror=(alert)(`FearZzZz`);>``````<svg/onload=alert(`FearZzZz`)>```#### [ Proof-of-Concept: ]https://elementor3.contempothemes.com/?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3EGET /?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3E HTTP/2Host: elementor3.contempothemes.com#### [ Timeline: ]2023.02.08 - Real Estate 7 Theme v3.3.4 released.2023.02.10 - Vulnerability has been discovered.2023.02.13 - Vendor notified, received a quick response.2023.02.13 - Real Estate 7 Theme v3.3.5 released, the vulnerability has been fixed.#### [ Contacts: ]Website:   fearzzzz.ruEmail:     fearzzzz@tutanota.comTwitter:   https://twitter.com/fear_zzzzMedium:    https://fearzzzz.medium.comGitHub:    https://github.com/fearzzzzYouTube:   https://youtube.com/@fearzzzz#### [ Notes: ]Special thanks to Chris Robinson (Contempo Themes Founder & CEO) for the quick response and for the respectful communication.#### [ Disclaimer: ]The information provided in this report is provided "as is" without warranty of any kind. FearZzZz disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall FearZzZz be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if FearZzZz have been advised of the possibility of such damages.========================================================================== [ www.fearzzzz.ru ] ==

WordPress Real Estate 7 Theme 3.3.4 Cross Site Scripting

There is a buffer overflow vulnerability in BiSheng-WNM FW 3.0.0.325. Successful exploitation could lead to device service exceptions.

A Huawei printer product has a buffer overflow vulnerability. Successful exploitation could lead to device service exceptions. (Vulnerability ID:HWPSIRT-2022-17649)   
This vulnerability has been assigned a (CVE) ID: CVE-2022-48260

Affected Product

Affected Version

Resolved Versions

BiSheng-WNM

BiSheng-WNM FW 3.0.0.325

BiSheng-WNM FW 3.0.0.327

HWPSIRT-2022-17649:  
Successful exploitation could lead to device service exceptions.

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.

HWPSIRT-2022-17649:  
Base score:7.5  
Temporary score:7.0  
Environmental Score:NA  
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C

HWPSIRT-2022-17649:  
This vulnerability can be exploited only when the following conditions are present:   
Attackers can access device network ports.  
Technical details:  
A Huawei printer product has a buffer overflow vulnerability. Attackers who can access network ports can construct malicious packets to exploit this vulnerability. Successful exploitation could lead to device service exceptions.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

HWPSIRT-2022-17649:

This vulnerability was discovered by Huawei internal tester.

2023-01-18 V1.0 Initial Release;

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48260: Security Advisory - Buffer Overflow Vulnerability in a Huawei Printer Product

There is a data processing error vulnerability in Leia-B29 2.0.0.49(M03). Successful exploitation could bypass lock screen authentication.

A Huawei band has a data processing error vulnerability. Successful exploitation could bypass lock screen authentication.(Vulnerability ID:HWPSIRT-2022-11965) This vulnerability has been assigned a (CVE)ID:CVE-2022-48254

Affected Product

Affected Version

Repair Version

Leia-B29

Leia-B29 2.0.0.49(M03)

Leia-B19 2.0.0.56(M04)

HWPSIRT-2022-11965:

Successful exploitation could bypass lock screen authentication.

  

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.

HWPSIRT-2022-11965

Base Score: 6.2

Temporary Score: 5.8

Environmental Score: NA

CVSS v3.1 Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C

  

HWPSIRT-2022-11965:

This vulnerability can be exploited only when the following conditions are present:

The attacker needs to perform operations on the affected device.

Technical details:

The lock screen function of a Huawei band has a data processing error vulnerability. This vulnerability is caused by improper implementation in certain lock screen scenarios. An attacker can exploit this vulnerability by following specific operations. Successful exploitation may bypass screen lock authentication.

  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.  

HWPSIRT-2022-11965:

This vulnerability was discovered by Huawei internal tester.

2023-01-18 V1.0 Initial Release

  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48254: Security Advisory - Data Processing Error Vulnerability in a Huawei Band

There is a misinterpretation of input vulnerability in BiSheng-WNM FW 3.0.0.325. Successful exploitation could lead to DoS.

A Huawei printer product is vulnerable to misinterpretation of input. Successful exploitation could lead to DoS. (Vulnerability ID:HWPSIRT-2022-44321)

This vulnerability has been assigned a (CVE) ID: CVE-2022-48230

Affected Product

Affected Version

Resolved Versions

BiSheng-WNM

BiSheng-WNM FW 3.0.0.325

BiSheng-WNM FW 3.0.0.327

Successful exploitation could lead to DoS.

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.

HWPSIRT-2022-44321:  
Base score:7.5  
Temporary score:7.0  
Environmental Score:NA  
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C

HWPSIRT-2022-44321:

This vulnerability can be exploited only when the following conditions are present:

Attackers can send abnormal packets to affected devices.

Technical details:

A Huawei printer product is vulnerable to misinterpretation of input. This vulnerability is caused by improper input validation. An attacker who has network access to the printer product can exploit this vulnerability by constructing malicious packets. Successful exploitation could lead to DoS.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

HWPSIRT-2022-44321:

This vulnerability was discovered by Huawei internal tester.

2023-01-18 V1.0 Initial Release;

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48230: Security Advisory - Misinterpretation of Input in a Huawei Printer Product

In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined with a missing authorization check.

@@ -19,6 +19,7 @@  
import { platform } from "os"; import { exec } from "child\_process"; import { domainToASCII } from "url";  
export interface PingResult { packetsTransmitted: number; @@ -30,11 +31,23 @@ export interface PingResult { mdev: number; }  
function isValidHost(host: string): boolean { // Valid chars in IPv4, IPv6, domain names if (/^\[a-zA-Z0-9\\-.:\[\\\]\-\]+$/.test(host)) return true;  
// Check if input is an IDN convert to Punycode // Can't merge with above because domainToASCII doesn't accept IP addresses return /^\[a-zA-Z0-9\\-.:\[\\\]\-\]+$/.test(domainToASCII(host)); }  
export function ping( host: string, callback: (err: Error, res?: PingResult, stdout?: string) \=> void ): void { let cmd: string, parseRegExp1: RegExp, parseRegExp2: RegExp; // Validate input to prevent possible remote code execution // Credit to Alex Hordijk for reporting this vulnerability if (!isValidHost(host)) return callback(new Error("Invalid host")); host \= host.replace("\[", "").replace("\]", ""); switch (platform()) { case "linux":

CVE-2021-46704: Validate host arg passed to ping · genieacs/genieacs@7f295be

Velneo vClient on its 28.1.3 version, does not correctly check the certificate of authenticity by default. This could allow an attacker that has access to the network to perform a MITM attack in order to obtain the user´s credentials.

Description: 

INCIBE has coordinated the publication of a vulnerability in Velneo vClient, which has been discovered by Jesús Ródenas Huerta 'Marmeus'.

CVE-2021-45035 has been assigned to this vulnerability. A CVSS v3.1 base score of 6,3  has been calculated; the CVSS vector string is AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N.

Solution: 

This vulnerability has been fixed by Velneo team in the 29.2 version, released on 29/06/2021.

Detail: 

Velneo vClient on its 28.1.3 version, does not correctly check the certificate of authenticity by default. This could allow an attacker that has access to the network to perform a MITM attack in order to obtain the user´s credentials.

**CWE-287:** Improper Authentication.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication.

CVE-2021-45035: Velneo vClient Improper authentication

One of our researchers was targeted by a scammer advertising on Airbnb and hosting a fake Tripadvisor website.

One of my co-workers who works on Malwarebytes’ web research team just witnessed a real life example of how useful his work is in protecting people against scammers.

Stefan decided to visit Amsterdam with his girlfriend, and found a very nice and luxurious apartment in Amsterdam on Airbnb. In the description the owner asked interested parties to contact them by email.

> “The property is listed on several websites so contact me directly by mail to check for availability.”

So Stefan emailed the owner. They replied, asking Stefan to book the property through Tripadvisor because, they said, the Airbnb platform was having some problems and the fees were higher than on Tripadvisor.

> “My name is Carla Taddei, I am a co-host of this property, your dates are available.
> 
> The nightly rate is €250, also a €500 security deposit is required which will be fully refunded at the check out date (in case of no damages to the property). Cleaning and disinfection are included in the price. FREE CANCELLATION, FULL REFUND WITHIN 48 HOURS PRIOR THE CHECK IN.
> 
> Currently , we are encountering technical difficulties with the Airbnb calendar system, so we decided to use tripadvisor.com as our main platform. Because the Airbnb platform has very high fees, I choose to use only tripadvisor.com
> 
> If you would like to book our property, I need to know first some information about you, your name, your country and how many persons will stay with you in our property, also I want you to confirm me your email address. I will then make all the arrangements and I will send a tripadvisor invitation through tripadvisor.com in order to complete the reservation.”

Included in the mail were two shortened URLs which the owner claimed linked directly to the same property.

However, the link didn’t point to the real Tripadvisor site, but instead a fake one, which became clear when Malwarebytes Browser Guard popped up a warning advising Stefan not to continue.

Stefan received a mail that claimed to be from Tripadvisor, but more alarm bells were triggered when the sender email showed up as support@mailerfx.com — not exactly the email address you’d expect from Tripadvisor itself.

The owner sent a follow up email, saying the booking request had been sent out and insisting that Stefan had to pay and send confirmation before the booking could be validated.

> “Everything was arranged from my side and you should have the booking request by now. My device routed it to my promotion folders so just check all your email folders because you must have it.
> 
> Please note, the full payment including the security deposit is required on the same time. The deposit is required for the security of the property, if there are any damages or something else is missing from the property and it is fully refundable on the day when you leave the property.
> 
> Please forward and the payment confirmation once done so I can validate your booking.”

The scammer hoped Stefan would click on the booking button on the fake Tripadvisor site. If he had done, he would have seen a prompt to register with ‘Tripadvisor’.

One step further and he’d have been asked to enter his credit card details, at which point he would have been likely to pay a lot more than the agreed €2000 for an apartment he would never see from the inside.

Further research based on the URL to the fake Tripadvisor website showed us that these scammers have probably been active for quite some time.

We found 220 websites related to this particular scam campaign. 26 of them were structured similar to tripadvisor-pre-approved-cdc0-4188-b6e5-0e742976f964.nerioni.cfd, and related sites. And 194 were structured similar to airbnb-pre-approved-0e03cd9c-7f5e.mucolg.buzz, and related sites.

**How to recognize and avoid scams**

There are several ways in which this procedure should have set your scam spidey senses in action, even if you’re not a professional like Stefan.

*   When it’s too good to be true, it’s probably not true. Don’t fall for a ‘good deal’ that turns out to be just the opposite.
*   Book directly via the platform you are on. If someone tries to get you to do something that’s not typical behaviour for that service, then they may well be up to no good.
*   Check the links in the emails are going to where you expect. Even though the links in the email say tripadvisor.com, in reality they pointed to tinyurl.com. The use of URL shorteners where there is no actual need to shorten a URL is often done to obfuscate the link.
*   In the same vein, check the address in your browser’s address bar to check if it is going to where you would expect. The fake Tripadvisor site was hosted at https://tripadvisor-pre-approved-7f18-4bf6-8470-a6d44541e783.tynoli.cfd/d07f/luxury-apartment-for-rent-in-amsterdam/f47fde which has been taken offline now.
*   Don’t get rushed into making decisions. Scammers are always trying to create a sense of urgency so you click before you can think.
*   Double check the website again before entering personal details or financial information.
*   Keep your software updated and use a web filter that will alert you to suspicious sites.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Airbnb scam sends you to a fake Tripadvisor site, takes your money 

A missing permission check in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Active Directory Plugin
*   Badge Plugin
*   batch task Plugin
*   Bitbucket Branch Source Plugin
*   Configuration as Code Plugin
*   Conjur Secrets Plugin
*   Credentials Binding Plugin
*   Debian Package Builder Plugin
*   Docker Commons Plugin
*   HashiCorp Vault Plugin
*   Mailer Plugin
*   Matrix Project Plugin
*   Metrics Plugin
*   Publish Over SSH Plugin
*   SSH Agent Plugin
*   Warnings Next Generation Plugin

**Descriptions****CSRF vulnerability in build triggers**

**SECURITY-2558 / CVE-2022-20612**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to trigger build of job without parameters.

Jenkins 2.330, LTS 2.319.2 requires POST requests for the affected HTTP endpoint.

**CSRF vulnerability and missing permission checks in Mailer Plugin**

**SECURITY-2163 / CVE-2022-20613 (CSRF), CVE-2022-20614 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: mailer**  
**Description:**

Mailer Plugin 391.ve4a\_38c1b\_cf4b\_ and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Mailer Plugin 408.vd726a\_1130320 requires POST requests and Overall/Administer permission for the affected form validation method.

**Stored XSS vulnerability in Matrix Project Plugin**

**SECURITY-2017 / CVE-2022-20615**  
**Severity (CVSS):** High  
**Affected plugin: matrix-project**  
**Description:**

Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Matrix Project Plugin 1.20 escapes HTML metacharacters in node and label names, and label descriptions.

**Missing permission check in Credentials Binding Plugin allows validating secret file credentials IDs**

**SECURITY-2342 / CVE-2022-20616**  
**Severity (CVSS):** Low  
**Affected plugin: credentials-binding**  
**Description:**

Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it’s a zip file.

Credentials Binding Plugin 1.27.1 performs permission checks when validating secret file credentials IDs.

**OS command execution vulnerability in Docker Commons Plugin**

**SECURITY-1878 / CVE-2022-20617**  
**Severity (CVSS):** High  
**Affected plugin: docker-commons**  
**Description:**

Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag.

This results in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job’s SCM repository.

Docker Commons Plugin 1.18 sanitizes the name of an image or a tag.

**Missing permission checks in Bitbucket Branch Source Plugin allow enumerating credentials IDs**

**SECURITY-2033 / CVE-2022-20618**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-bitbucket-branch-source**  
**Description:**

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Bitbucket Branch Source Plugin 746.v350d2781c184 requires the appropriate permissions.

**CSRF vulnerability in Bitbucket Branch Source Plugin allows capturing credentials**

**SECURITY-2467 / CVE-2022-20619**  
**Severity (CVSS):** High  
**Affected plugin: cloudbees-bitbucket-branch-source**  
**Description:**

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Bitbucket Branch Source Plugin 746.v350d2781c184 requires POST requests for the affected HTTP endpoint.

**Missing permission checks in SSH Agent Plugin allow enumerating credentials IDs**

**SECURITY-2189 / CVE-2022-20620**  
**Severity (CVSS):** Medium  
**Affected plugin: ssh-agent**  
**Description:**

SSH Agent Plugin 1.23 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in SSH Agent Plugin 1.23.2 requires the appropriate permissions.

**Access key stored in plain text by Metrics Plugin**

**SECURITY-1624 / CVE-2022-20621**  
**Severity (CVSS):** Low  
**Affected plugin: metrics**  
**Description:**

Metrics Plugin 4.0.2.8 and earlier stores access keys unencrypted in its global configuration file jenkins.metrics.api.MetricsAccessKey.xml on the Jenkins controller as part of its configuration.

This access key can be viewed by users with access to the Jenkins controller file system.

Metrics Plugin 4.0.2.8.1 stores access key encrypted once its configuration is saved again.

Additionally, the token value is only displayed once when it is generated.

**User passwords transmitted in plain text by Active Directory Plugin**

**SECURITY-1389 / CVE-2022-23105**  
**Severity (CVSS):** Medium  
**Affected plugin: active-directory**  
**Description:**

Active Directory Plugin implements two separate modes: integration with ADSI on Windows, and an OS agnostic LDAP-based mode.

Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers unless it is configured to use the OS agnostic LDAP mode and the system property hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps is set to true.

This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain credentials of users logging into Jenkins, as well as credentials of the manager DN (LDAP mode) or the Windows/Active Directory user Jenkins is running as (ADSI mode).

Active Directory Plugin 2.25.1 adds an option to only connect to Active Directory via TLS/SSL to both modes (ADSI and LDAP). This option is enabled by default for new installations and is now the recommended way to enforce TLS/SSL for connections to Active Directory. Unlike the existing StartTLS option for the LDAP-based mode, it will not proceed using an insecure connection if establishing a TLS/SSL connection fails.

Administrators upgrading from previous versions of the plugin will be shown a warning on the Jenkins UI requesting they update the plugin configuration unless the (now otherwise obsolete) flag hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps was set to true.

The plugin exposes configuration of the ADSI flags implementing the TLS/SSL requirement via the system properties hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_FLAGS_OVERRIDE and hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_PASSWORDLESS_FLAGS_OVERRIDE. See the plugin documentation for further details.

Care needs to be taken when reconfiguring the security realm to not accidentally lock yourself out. See the documentation for advice how to resolve this problem if it occurs.

**Non-constant time token comparison in Configuration as Code Plugin**

**SECURITY-2141 / CVE-2022-23106**  
**Severity (CVSS):** Low  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin 1.55 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid authentication token.

Configuration as Code Plugin 1.55.1 now uses a constant-time comparison when validating authentication tokens.

**Path traversal vulnerability in Warnings Next Generation Plugin**

**SECURITY-2090 / CVE-2022-23107**  
**Severity (CVSS):** Medium  
**Affected plugin: warnings-ng**  
**Description:**

Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring a custom ID.

This allows attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system.

Warnings Next Generation Plugin 9.10.3 checks for the presence of prohibited directory separator characters in the custom ID.

**Stored XSS vulnerability in Badge Plugin**

**SECURITY-2547 / CVE-2022-23108**  
**Severity (CVSS):** High  
**Affected plugin: badge**  
**Description:**

Badge Plugin allows adding custom build badges with a custom description and optionally a link to a URL.

Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Badge Plugin 1.9.1 escapes the description and check for allowed protocols when creating a badge.

**Improper credentials masking in HashiCorp Vault Plugin**

**SECURITY-2213 / CVE-2022-23109**  
**Severity (CVSS):** Medium  
**Affected plugin: hashicorp-vault-plugin**  
**Description:**

Pipelines display commands executed in their Pipeline step descriptions and their output in build logs. To mask sensitive output, Pipeline: Groovy Plugin 2.84 and earlier specified an allowlist of known non-sensitive variables and masked everything else. This caused problems, so Pipeline: Groovy Plugin 2.85 and newer expects pipeline steps to explicitly specify that variables are to be treated as sensitive and should be removed from output.

HashiCorp Vault Plugin 3.7.0 and earlier relied on the previous behavior and did not explicitly declare variables as sensitive or redacted them.

This can result in exposure of Vault credentials in Pipeline build logs and Pipeline step descriptions.

HashiCorp Vault Plugin 3.8.0 explicitly masks Vault credentials in build logs and Pipeline step descriptions.

This fix only applies to new builds. Administrators are advised to review build logs and Pipeline metadata files created before HashiCorp Vault Plugin 3.8.0 for the presence of Vault credentials.

**Stored XSS vulnerability in Publish Over SSH Plugin**

**SECURITY-2287 / CVE-2022-23110**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

**CSRF vulnerability and missing permission checks in Publish Over SSH Plugin**

**SECURITY-2290 / CVE-2022-23111 (CSRF), CVE-2022-23112 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier does not perform permission checks in methods implementing connection tests.

This allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials.

Additionally, these connection tests methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Path traversal vulnerability in Publish Over SSH Plugin**

**SECURITY-2307 / CVE-2022-23113**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not.

This results in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files.

**Password stored in plain text by Publish Over SSH Plugin**

**SECURITY-2291 / CVE-2022-23114**  
**Severity (CVSS):** Low  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

**CSRF vulnerability in batch task Plugin**

**SECURITY-1025 / CVE-2022-23115**  
**Severity (CVSS):** Medium  
**Affected plugin: batch-task**  
**Description:**

batch task Plugin 1.19 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers with Overall/Read access to retrieve logs, build or delete a batch task.

**Agent-to-controller security bypass in Conjur Secrets Plugin allows decrypting secrets**

**SECURITY-2522 (1) / CVE-2022-23116**  
**Severity (CVSS):** Medium  
**Affected plugin: conjur-credentials**  
**Description:**

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain the plain text of any attacker-provided encrypted secret.

This allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

**Agent-to-controller security bypass in Conjur Secrets Plugin allows retrieving all credentials**

**SECURITY-2522 (2) / CVE-2022-23117**  
**Severity (CVSS):** Medium  
**Affected plugin: conjur-credentials**  
**Description:**

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain all username/password credentials (Credentials Plugin) stored on the Jenkins controller.

This allows attackers able to control agent processes to retrieve those credentials.

**Agent-to-controller security bypass in Debian Package Builder Plugin**

**SECURITY-2546 / CVE-2022-23118**  
**Severity (CVSS):** High  
**Affected plugin: debian-package-builder**  
**Description:**

Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agent processes to invoke command-line git at an attacker-specified path on the controller.

This allows attackers able to control agent processes to invoke arbitrary OS commands on the controller.

**Severity**

*   SECURITY-1025: Medium
*   SECURITY-1389: Medium
*   SECURITY-1624: Low
*   SECURITY-1878: High
*   SECURITY-2017: High
*   SECURITY-2033: Medium
*   SECURITY-2090: Medium
*   SECURITY-2141: Low
*   SECURITY-2163: Medium
*   SECURITY-2189: Medium
*   SECURITY-2213: Medium
*   SECURITY-2287: Medium
*   SECURITY-2290: Medium
*   SECURITY-2291: Low
*   SECURITY-2307: Medium
*   SECURITY-2342: Low
*   SECURITY-2467: High
*   SECURITY-2522 (1): Medium
*   SECURITY-2522 (2): Medium
*   SECURITY-2546: High
*   SECURITY-2547: High
*   SECURITY-2558: Medium

**Affected Versions**

*   Jenkins weekly up to and including 2.329
*   Jenkins LTS up to and including 2.319.1
*   **Active Directory Plugin** up to and including 2.25
*   **Badge Plugin** up to and including 1.9
*   **batch task Plugin** up to and including 1.19
*   **Bitbucket Branch Source Plugin** up to and including 737.vdf9dc06105be
*   **Configuration as Code Plugin** up to and including 1.55
*   **Conjur Secrets Plugin** up to and including 1.0.9
*   **Credentials Binding Plugin** up to and including 1.27
*   **Debian Package Builder Plugin** up to and including 1.6.11
*   **Docker Commons Plugin** up to and including 1.17
*   **HashiCorp Vault Plugin** up to and including 3.7.0
*   **Mailer Plugin** up to and including 391.ve4a\_38c1b\_cf4b\_
*   **Matrix Project Plugin** up to and including 1.19
*   **Metrics Plugin** up to and including 4.0.2.8
*   **Publish Over SSH Plugin** up to and including 1.22
*   **SSH Agent Plugin** up to and including 1.23
*   **Warnings Next Generation Plugin** up to and including 9.10.2

**Fix**

*   Jenkins weekly should be updated to version 2.330
*   Jenkins LTS should be updated to version 2.319.2
*   **Active Directory Plugin** should be updated to version 2.25.1
*   **Badge Plugin** should be updated to version 1.9.1
*   **Bitbucket Branch Source Plugin** should be updated to version 746.v350d2781c184
*   **Configuration as Code Plugin** should be updated to version 1.55.1
*   **Credentials Binding Plugin** should be updated to version 1.27.1
*   **Docker Commons Plugin** should be updated to version 1.18
*   **HashiCorp Vault Plugin** should be updated to version 3.8.0
*   **Mailer Plugin** should be updated to version 408.vd726a\_1130320
*   **Matrix Project Plugin** should be updated to version 1.20
*   **Metrics Plugin** should be updated to version 4.0.2.8.1
*   **SSH Agent Plugin** should be updated to version 1.23.2
*   **Warnings Next Generation Plugin** should be updated to version 9.10.3

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   batch task Plugin
*   Conjur Secrets Plugin
*   Debian Package Builder Plugin
*   Publish Over SSH Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2033, SECURITY-2522 (1), SECURITY-2522 (2), SECURITY-2546
*   **Devin Nusbaum, CloudBees, Inc.** for SECURITY-2467
*   **James Nord, CloudBees, Inc.** for SECURITY-2141
*   **Jasen Minton** for SECURITY-2213
*   **Kevin Guerroudj** for SECURITY-2287
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2547
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2558
*   **Kevin Guerroudj, Justin Philip and Marc Heyries** for SECURITY-2307
*   **Marc Heyries, Justin Philip and Kevin Guerroudj** for SECURITY-2290, SECURITY-2291
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-2163
*   **Oleg Nenashev** for SECURITY-1025
*   **Tomasz Szuba** for SECURITY-1878
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2017, SECURITY-2090
*   **Wasin Saengow** for SECURITY-1624

Search

lenovo warranty check/lookup | check warranty status | lenovo support us