The use of the cyclic redundancy check (CRC) algorithm for integrity check during firmware update makes TRENDnet TV-IP651WI Network Camera firmware version v1.07.01 and earlier vulnerable to firmware modification attacks. An attacker can conduct a man-in-the-middle (MITM) attack to modify the new firmware image and bypass the checksum verification.

*   TWG-431BR VPN ROUTER AND TEW-740APBO V3.XR WIRELESS ACCESS POINT AUTHENTICATED COMMAND INJECTION VULNERABILITY AND KNOWN VULNERABILITIES IN CLI  
    1/26/2023
*   TRENDnet is aware of the command injection vulnerability and known vulnerabilities in CLI with TWG-431BR and TEW-740APBO hardware version 3.xR. To exploit these vulnerabilities, the attacker would need to know the device's management interface login user name and password. When exploited successfully, the attacker can compromise the device.
    
    TRENDnet has released firmware updates to address these vulnerabilities
    

*   TEW-820AP WIRELESS AC EASY-UPGRADER BUFFER OVERFLOW VULNERABILITIES  
    11/2/2022
*   TRENDnet is aware of the possible buffer overflow vulnerabilities involving the TEW-820AP Wireless AC Easy-Upgrader that could allow a malicious cyber attacker to take over the device and gain access to its operating system; however, this product has reached its End of Life (EoL) and End of Support, and TRENDnet is unable to provide support to verify or resolve these vulnerabilities.
    
    TRENDnet recommends customers to retire this product to prevent the risk of devices possibly connecting to it.
    

*   FRAGMENT and FORGE VULNERABILITIES (FRAGATTACKS) AGAINST SOME WI-FI DEVICES  
    8/17/2021
*   TRENDnet is aware of a series of published vulnerabilities known as FragAttacks in IEEE 802.11 standard Wi-Fi devices. The affected products are mainly wireless Access Points and Wireless Routers. To exploit these vulnerabilities, the attacker would need to connect to your Wi-Fi network. When exploited successfully, the attacker can extract data from the network, which can lead to additional exploits of your other network devices.
    
    TRENDnet has released firmware updates to address these vulnerabilities for the following products, please click on the link to go to the corresponding product’s download page.
    

*   TEW-714TRU TRAVEL ROUTER AUTHENTICATION BYPASS, HARD-CODED CREDENTIALS, AND UNRESTRICTED FILE WRITE VULNERABILITIES  
    8/17/2021
*   TRENDnet is aware of the vulnerabilities involving the TEW-714TRU Wireless Travel Router that could allow a malicious cyber attacker to take over the router and gain access to its operating system; however, this product has reached its End of Life (EoL) and End of Support, and TRENDnet is unable to provide support to resolve these vulnerabilities.
    
    TRENDnet recommends customers to retire this product to prevent the risk of devices possibly connecting to it.
    

*   WEB SERVER DIRECTORY TRAVERSAL ARBITRARY FILE ACCESS VULNERABILITY IN WEB SMART SWITCH TEG-30284 HARDWARE VERSION: 1.0R  
    7/22/2021
*   TRENDnet recently received a report stating a possible Web Server Directory Traversal Arbitrary File Access vulnerability in the 28-Port Gigabit Web Smart Switch, model TEG-30284, Hardware Version: 1.0R. An attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks.

CVE-2023-23120: Customer Support | TRENDnet

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5 is vulnerable to a denial of service when attempting to use ACR client affinity for unfenced DRDA federation wrappers.  IBM X-Force ID:  249187.

  

**Summary**

IBM® Db2® is vulnerable to a denial of service as the server may crash when when attempting to use ACR client affinity for unfenced DRDA federation wrappers.

**Vulnerability Details**

**CVEID:**   CVE-2023-27555  
**DESCRIPTION:**   IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a denial of service when attempting to use ACR client affinity for unfenced DRDA federation wrappers.  
CVSS Base score: 5.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249187 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

All fix pack levels of IBM Db2 V11.5 server editions on all platforms are affected. 

IBM Db2 V11.1 and 10.5 are not affected.

  

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program,  V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  v11.5.7 and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V11.5

TBD

DT188887

Special Build for V11.5.7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

 Special Build for V11.5.8:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

Remove the unsupported options from the db2dsdriver.cfg configuration for the federated data source. If the configuration cannot be changed because it shared with other applications then provide a separate configuration for the federated data source.

**References**

Off

**Change History**

24 Apr 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF027","label":"Solaris"}\],"Version":"11.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-27555: IBM® Db2® is vulnerable to a denial of service as the server may crash when when attempting to use ACR client affinity for unfenced DRDA federation wrappers. (CVE-2023-27555)

A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Active Directory Plugin
*   Assembla Auth Plugin
*   Benchmark Evaluator Plugin
*   Datadog Plugin
*   ElasticBox CI Plugin
*   External Monitor Job Type Plugin
*   mabl Plugin
*   MathWorks Polyspace Plugin
*   OpenShift Login Plugin
*   Oracle Cloud Infrastructure Compute Plugin
*   Orka by MacStadium Plugin
*   Pipeline restFul API Plugin
*   Rebuilder Plugin
*   SAML Single Sign On(SSO) Plugin
*   Sumologic Publisher Plugin
*   Test Results Aggregator Plugin

**Descriptions****XXE vulnerability in External Monitor Job Type Plugin**

**SECURITY-3133 / CVE-2023-37942**  
**Severity (CVSS):** High  
**Affected plugin: external-monitor-job**  
**Description:**

External Monitor Job Type Plugin 206.v9a\_94ff0b\_4a\_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

External Monitor Job Type Plugin 207.v98a\_a\_37a\_85525 disables external entity resolution for its XML parser.

**Password transmitted in plain text by Active Directory Plugin**

**SECURITY-3059 / CVE-2023-37943**  
**Severity (CVSS):** Low  
**Affected plugin: active-directory**  
**Description:**

Active Directory Plugin allows testing a new, unsaved configuration by performing a connection test (the button labeled "Test Domain").

Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted. This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.

This only affects the connection test. Connections established during the login process are encrypted if the corresponding TLS option is enabled.

Active Directory Plugin 2.30.1 considers the "Require TLS" and "StartTls" options for connection tests.

**Missing permission check in Datadog Plugin allows capturing credentials**

**SECURITY-3130 / CVE-2023-37944**  
**Severity (CVSS):** Medium  
**Affected plugin: datadog**  
**Description:**

Datadog Plugin 5.4.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Datadog Plugin 5.4.2 requires Overall/Administer permission to access the affected HTTP endpoint.

**Missing permission check in SAML Single Sign On(SSO) Plugin**

**SECURITY-3164 / CVE-2023-37945**  
**Severity (CVSS):** Medium  
**Affected plugin: miniorange-saml-sp**  
**Description:**

SAML Single Sign On(SSO) Plugin 2.3.0 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to download a string representation of the current security realm (Java Object#toString()), which potentially includes sensitive information.

SAML Single Sign On(SSO) Plugin 2.3.1 requires Overall/Administer permission to access the affected HTTP endpoint, and only allows downloading a string representation if the current security realm is this plugin’s.

**Session fixation vulnerability in OpenShift Login Plugin**

**SECURITY-2998 / CVE-2023-37946**  
**Severity (CVSS):** High  
**Affected plugin: openshift-login**  
**Description:**

OpenShift Login Plugin 1.1.0.227.v27e08dfb\_1a\_20 and earlier does not invalidate the existing session on login.

This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

OpenShift Login Plugin 1.1.0.230.v5d7030b\_f5432 invalidates the existing session on login.

**Open redirect vulnerability in OpenShift Login Plugin**

**SECURITY-2999 / CVE-2023-37947**  
**Severity (CVSS):** Medium  
**Affected plugin: openshift-login**  
**Description:**

OpenShift Login Plugin 1.1.0.227.v27e08dfb\_1a\_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

OpenShift Login Plugin 1.1.0.230.v5d7030b\_f5432 only redirects to relative (Jenkins) URLs.

**Missing SSH host key validation in Oracle Cloud Infrastructure Compute Plugin**

**SECURITY-3044 / CVE-2023-37948**  
**Severity (CVSS):** Medium  
**Affected plugin: oracle-cloud-infrastructure-compute**  
**Description:**

Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not perform SSH host key validation when connecting to OCI clouds.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to OCI clouds.

Oracle Cloud Infrastructure Compute Plugin 1.0.17 provides strategies for performing host key validation for administrators to select the one that meets their security needs.

The Jenkins security team has been unable to confirm the exploitability and resolution of this vulnerability.

**Missing permission check in Orka by MacStadium Plugin allows capturing credentials**

**SECURITY-3128 / CVE-2023-37949**  
**Severity (CVSS):** Medium  
**Affected plugin: macstadium-orka**  
**Description:**

Orka by MacStadium Plugin 1.33 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Orka by MacStadium Plugin 1.34 requires Overall/Administer permission to access the affected HTTP endpoint.

**Missing permission check in mabl Plugin allows enumerating credentials IDs**

**SECURITY-3137 (1) / CVE-2023-37950**  
**Severity (CVSS):** Medium  
**Affected plugin: mabl-integration**  
**Description:**

mabl Plugin 0.0.46 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in mabl Plugin 0.0.47 requires the appropriate permissions.

**Exposure of system-scoped credentials in mabl Plugin**

**SECURITY-3137 (2) / CVE-2023-37951**  
**Severity (CVSS):** Medium  
**Affected plugin: mabl-integration**  
**Description:**

mabl Plugin 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

mabl Plugin 0.0.47 defines the appropriate context for credentials lookup.

**CSRF vulnerability and missing permission checks in mabl Plugin allow capturing credentials**

**SECURITY-3127 / CVE-2023-37952 (CSRF), CVE-2023-37953 (missing permission check)**  
**Severity (CVSS):** High  
**Affected plugin: mabl-integration**  
**Description:**

mabl Plugin 0.0.46 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

mabl Plugin 0.0.47 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**CSRF vulnerability in Rebuilder Plugin**

**SECURITY-3033 / CVE-2023-37954**  
**Severity (CVSS):** Medium  
**Affected plugin: rebuild**  
**Description:**

Rebuilder Plugin 320.v5a\_0933a\_e7d61 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to rebuild a previous build.

**CSRF vulnerability and missing permission check in Test Results Aggregator Plugin**

**SECURITY-3122 / CVE-2023-37955 (CSRF), CVE-2023-37956 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: test-results-aggregator**  
**Description:**

Test Results Aggregator Plugin 1.2.13 and earlier does not perform a permission check in an HTTP endpoint implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**CSRF vulnerability in Pipeline restFul API Plugin**

**SECURITY-3126 / CVE-2023-37957**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-restful-api**  
**Description:**

Pipeline restFul API Plugin 0.11 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to have Jenkins connect to an attacker-specified URL, capturing a newly generated JCLI token that allows impersonating the victim.

**CSRF vulnerability and missing permission checks in Sumologic Publisher Plugin**

**SECURITY-3117 / CVE-2023-37958 (CSRF), CVE-2023-37959 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: sumologic-publisher**  
**Description:**

Sumologic Publisher Plugin 2.2.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Arbitrary file read vulnerability in MathWorks Polyspace Plugin**

**SECURITY-3124 / CVE-2023-37960**  
**Severity (CVSS):** Medium  
**Affected plugin: mathworks-polyspace**  
**Description:**

MathWorks Polyspace Plugin 1.0.5 and earlier does not restrict the path of the attached files in Polyspace Notification post-build step.

This allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file system.

**CSRF vulnerability in Assembla Auth Plugin**

**SECURITY-2988 / CVE-2023-37961**  
**Severity (CVSS):** Medium  
**Affected plugin: assembla-auth**  
**Description:**

Assembla Auth Plugin 1.14 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.

This vulnerability allows attackers to trick users into logging in to the attacker’s account.

**CSRF vulnerability and missing permission checks in Benchmark Evaluator Plugin**

**SECURITY-3119 / CVE-2023-37962 (CSRF), CVE-2023-37963 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: benchmark-evaluator**  
**Description:**

Benchmark Evaluator Plugin 1.0.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, .csv, and .ycsb files on the Jenkins controller file system.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**CSRF vulnerability and missing permission checks in ElasticBox CI Plugin allow capturing credentials**

**SECURITY-3131 / CVE-2023-37964 (CSRF), CVE-2023-37965 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: elasticbox**  
**Description:**

ElasticBox CI Plugin 5.0.1 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Severity**

*   SECURITY-2988: Medium
*   SECURITY-2998: High
*   SECURITY-2999: Medium
*   SECURITY-3033: Medium
*   SECURITY-3044: Medium
*   SECURITY-3059: Low
*   SECURITY-3117: Medium
*   SECURITY-3119: Medium
*   SECURITY-3122: Medium
*   SECURITY-3124: Medium
*   SECURITY-3126: High
*   SECURITY-3127: High
*   SECURITY-3128: Medium
*   SECURITY-3130: Medium
*   SECURITY-3131: Medium
*   SECURITY-3133: High
*   SECURITY-3137 (1): Medium
*   SECURITY-3137 (2): Medium
*   SECURITY-3164: Medium

**Affected Versions**

*   **Active Directory Plugin** up to and including 2.30
*   **Assembla Auth Plugin** up to and including 1.14
*   **Benchmark Evaluator Plugin** up to and including 1.0.1
*   **Datadog Plugin** up to and including 5.4.1
*   **ElasticBox CI Plugin** up to and including 5.0.1
*   **External Monitor Job Type Plugin** up to and including 206.v9a\_94ff0b\_4a\_10
*   **mabl Plugin** up to and including 0.0.46
*   **MathWorks Polyspace Plugin** up to and including 1.0.5
*   **OpenShift Login Plugin** up to and including 1.1.0.227.v27e08dfb\_1a\_20
*   **Oracle Cloud Infrastructure Compute Plugin** up to and including 1.0.16
*   **Orka by MacStadium Plugin** up to and including 1.33
*   **Pipeline restFul API Plugin** up to and including 0.11
*   **Rebuilder Plugin** up to and including 320.v5a\_0933a\_e7d61
*   **SAML Single Sign On(SSO) Plugin** up to and including 2.3.0
*   **Sumologic Publisher Plugin** up to and including 2.2.1
*   **Test Results Aggregator Plugin** up to and including 1.2.13

**Fix**

*   **Active Directory Plugin** should be updated to version 2.30.1
*   **Datadog Plugin** should be updated to version 5.4.2
*   **External Monitor Job Type Plugin** should be updated to version 207.v98a\_a\_37a\_85525
*   **mabl Plugin** should be updated to version 0.0.47
*   **OpenShift Login Plugin** should be updated to version 1.1.0.230.v5d7030b\_f5432
*   **Oracle Cloud Infrastructure Compute Plugin** should be updated to version 1.0.17
*   **Orka by MacStadium Plugin** should be updated to version 1.34
*   **SAML Single Sign On(SSO) Plugin** should be updated to version 2.3.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Assembla Auth Plugin
*   Benchmark Evaluator Plugin
*   ElasticBox CI Plugin
*   MathWorks Polyspace Plugin
*   Pipeline restFul API Plugin
*   Rebuilder Plugin
*   Sumologic Publisher Plugin
*   Test Results Aggregator Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3117, SECURITY-3119, SECURITY-3122, SECURITY-3126, SECURITY-3127, SECURITY-3128, SECURITY-3130, SECURITY-3131
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-3164
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2988, SECURITY-3033, SECURITY-3137 (1)
*   **Kevin Guerroudj, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2998, SECURITY-2999
*   **Tony Torralba (@atorralba), GitHub Security Lab** for SECURITY-3124, SECURITY-3133
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3044, SECURITY-3137 (2)

CVE-2023-37950: Jenkins Security Advisory 2023-07-12

Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Google Compute Engine Plugin
*   Jira Plugin
*   MATLAB Plugin
*   NeuVector Vulnerability Scanner Plugin

**Descriptions****Exposure of system-scoped credentials in Jira Plugin**

**SECURITY-3225 / CVE-2023-49653**  
**Severity (CVSS):** Medium  
**Affected plugin: jira**  
**Description:**

Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

Jira Plugin 3.12 defines the appropriate context for credentials lookup.

**Incorrect permission checks in Google Compute Engine Plugin**

**SECURITY-2835 / CVE-2023-49652**  
**Severity (CVSS):** Medium  
**Affected plugin: google-compute-engine**  
**Description:**

Google Compute Engine Plugin 4.550.vb\_327fca\_3db\_11 and earlier does not correctly perform permission checks in multiple HTTP endpoints. This allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to do the following:

*   Enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
    
*   Connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects.
    

Google Compute Engine Plugin 4.551.v5a\_4dc98f6962 requires Overall/Administer permission for the affected HTTP endpoints.

**CSRF vulnerabilities and missing permission checks in MATLAB Plugin allow XXE**

**SECURITY-3193 / CVE-2023-49654 (permission checks), CVE-2023-49655 (CSRF), CVE-2023-49656 (XXE)**  
**Severity (CVSS):** High  
**Affected plugin: matlab**  
**Description:**

MATLAB Plugin determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory.

MATLAB Plugin 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form validation.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to create files on the Jenkins controller file system to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

MATLAB Plugin 2.11.1 configures its XML parser to prevent XML external entity (XXE) attacks.

Additionally, POST requests and Item/Configure permission are required for the affected HTTP endpoints.

**CSRF vulnerability and missing permission checks in NeuVector Vulnerability Scanner Plugin**

**SECURITY-3256 / CVE-2023-49673 (CSRF), CVE-2023-49674 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: neuvector-vulnerability-scanner**  
**Description:**

NeuVector Vulnerability Scanner Plugin 1.22 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

NeuVector Vulnerability Scanner Plugin 2.2 requires POST requests and Overall/Administer permission for the affected HTTP endpoint.

**Severity**

*   SECURITY-2835: Medium
*   SECURITY-3193: High
*   SECURITY-3225: Medium
*   SECURITY-3256: Medium

**Affected Versions**

*   **Google Compute Engine Plugin** up to and including 4.550.vb\_327fca\_3db\_11
*   **Jira Plugin** up to and including 3.11
*   **MATLAB Plugin** up to and including 2.11.0
*   **NeuVector Vulnerability Scanner Plugin** up to and including 1.22

**Fix**

*   **Google Compute Engine Plugin** should be updated to version 4.551.v5a\_4dc98f6962
*   **Jira Plugin** should be updated to version 3.12
*   **MATLAB Plugin** should be updated to version 2.11.1
*   **NeuVector Vulnerability Scanner Plugin** should be updated to version 2.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Andrea Chiera, CloudBees, Inc.** for SECURITY-3193, SECURITY-3225
*   **James Nord, CloudBees, Inc.** for SECURITY-2835
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3256

CVE-2023-49653: Jenkins Security Advisory 2023-11-29

In Veritas NetBackup, the NetBackup Client allows arbitrary command execution from any remote host that has access to a valid host-id NetBackup certificate/private key from the same domain. The affects 9.0.x through 9.0.0.1 and 9.1.x through 9.1.0.1.

**Revision History**

*   1.0: July 18, 2022: Initial Release

**Summary**

Veritas has addressed two vulnerabilities affecting NetBackup Clients.

**Issues******Issue #1: Arbitrary Command Execution**  
**

The NetBackup Client allows arbitrary command execution from any remote host that has access to a valid host-id NetBackup certificate/private key from the same domain.

*   CVE ID: TBA
*   Severity: Critical
*   CVSS v3.1 Base Score: 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
*   Affected Versions: 9.0.x, 9.1.x
*   Recommended action:
    *   Upgrade NBU Client to 10.0 – no HotFix needed, or
    *   Upgrade NBU Client to 9.1.0.1 and apply VTS22-008 - HotFix for Security Advisory impacting NetBackup 9.1.0.1 Clients (Etrack 4066508), or
    *   Or upgrade NBU Client to 9.0.0.1 and apply VTS22-008 - HotFix for Security Advisory impacting NetBackup 9.0.0.1 Clients (Etrack 4067247), or
    *   For NBU Client versions 8.3.x and earlier – Not Vulnerable - Not Applicable  
        

****Issue #2: Escalation of Privileges****

An attacker with unprivileged local access to a NetBackup Client may send specific commands to escalate their privileges.

*   CVE ID: TBA
*   Severity: High
*   CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
*   Affected Versions: 9.1.x, 9.0.x, 8.3.x, 8.2 and earlier
*   Recommended Actions:
    *   Upgrade NBU Client to 10.0 – no HotFix needed, or
    *   Upgrade NBU Client to 9.1.0.1 and apply VTS22-008 - HotFix for Security Advisory impacting NetBackup 9.1.0.1 Clients (Etrack 4066508), or
    *   Upgrade NBU Client to 9.0.0.1 and apply VTS22-008 - HotFix for Security Advisory impacting NetBackup 9.0.0.1 Clients (Etrack 4067247), or
    *   Upgrade NBU Client to 8.3.0.2 and apply VTS22-008 - HotFix Security Advisory impacting NetBackup 8.3.0.2 Clients (Etrack 4066512), or
    *   For NBU Client version 8.2 apply VTS22-008 - Hotfix for Security Advisory impacting NetBackup 8.2 Clients (Etrack 4068828)
    *   For NBU Client version 8.1.2 apply VTS22-008 - Hotfix for Security Advisory impacting NetBackup 8.1.2 Clients (Etrack-4071637)

**Notes**

Related Primary and Media Server fixes for these vulnerabilities have already been addressed in Security Advisory portion for VTS22-004.

**Acknowledgement**

Veritas would like to thank the following Airbus Security Team members for notifying us about Issue #2: Mouad Abouhali, Benoit Camredon, Nicholas Devillers, Anais Gantet, and Jean-Romain Garnier.

**Questions**

For questions or problems regarding this vulnerability please contact Veritas Technical Support (https://www.veritas.com/support)

**Disclaimer**

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC 2625

Augustine Drive

Santa Clara, CA 95054

CVE-2022-36956: VTS22-008 - HotFix for Security Advisory Impacting NetBackup Client

In Veritas NetBackup, an attacker with unprivileged local access to a NetBackup Client may send specific commands to escalate their privileges. This affects 8.0 through 8.1.2, 8.2, 8.3 through 8.3.0.2, 9.x through 9.0.0.1, and 9.1.x through 9.1.0.1.

CVE-2022-36955: VTS22-008 - HotFix for Security Advisory Impacting NetBackup Client

An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can send a crafted packet to pbx_exchange during registration and cause a NULL pointer exception, effectively crashing the pbx_exchange process.

**Revision History**

*   1.0: End of September 2022 – Initial Public Release

**Summary**

Veritas has addressed vulnerabilities affecting NetBackup servers and clients.Issue.

**Issues**

**Issue #1: Arbitrary file delete**

An attacker with local access can delete arbitrary files by leveraging a path traversal in the pbx\_exchange registration code.

*   CVE ID: TBA
*   Severity: Critical
*   CVSS v3.1 Base Score: 9.0 (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H)
*   Affected Versions: 8.2 and earlier
*   Recommended action:
    *   NetBackup Servers: upgrade to 8.2 and apply appropriate Hotfix OR upgrade to 8.3.x or later.
    *   NetBackup Clients: upgrade to 8.2 or 8.1.2 and apply appropriate Hotfix OR upgrade to 8.3.x or later.
    *   NetBackup Appliance: upgrade to 3.2 and apply appropriate Hotfix OR upgrade to 3.3.x or later.
    *   Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances
    *   Flex Scale: Not impacted.

**Issue #2: Denial of service**

An attacker with local access can send a specially crafted packet to pbx\_exchange during registration and cause a null-pointer exception effectively crashing the pbx\_exchange process.

*   CVE ID: TBA
*   Severity: Medium
*   CVSS v3.1 Base Score: 6.5 (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
*   Affected Versions: 8.2 and earlier
*   Recommended action:
    *   NetBackup Servers: upgrade to 8.2 and apply appropriate Hotfix OR upgrade to 8.3.x or later.
    *   NetBackup Clients: upgrade to 8.2 or 8.1.2 and apply appropriate Hotfix OR upgrade to 8.3.x or later.
    *   NetBackup Appliance: upgrade to 3.2 and apply appropriate Hotfix OR upgrade to 3.3.x or later.
    *   Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances
    *   Flex Scale: Not impacted.

**Notes**

This Security Advisory, VTS22-010, also addresses the issues identified in VTS22-008, which was released earlier. If you have not already applied VTS22-008, it is not necessary to apply it prior to installing this advisory. If you have already applied VTS22-008 you can safely apply VTS22-010 on top of it.

**Questions**

For questions or problems regarding this vulnerability please contact Veritas Technical Support (https://www.veritas.com/support)

**Acknowledgement**

Veritas would like to thank the following Airbus Security Team members for notifying us about these issues:    
Mouad Abouhali, Benoît Camredon, Nicholas Devillers, Anaïs Gantet, and Jean-Romain Garnier.

**Disclaimer**

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC  
2625 Augustine Drive  
Santa Clara, CA 95054

CVE-2022-42306: Hotfix for Security Advisory Impacting NetBackup Clients and Servers

An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can delete arbitrary files by leveraging a path traversal in the pbx_exchange registration code.

CVE-2022-42308: Hotfix for Security Advisory Impacting NetBackup Clients and Servers

A missing permission check in Jenkins EasyQA Plugin 1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

CVE-2022-34204: Jenkins Security Advisory 2022-06-22

This issue affects: Secomea GateManager All versions prior to 9.6. Improper Check of host header in web server of Secomea GateManager allows attacker to cause browser cache poisoning.

At Secomea, we are dedicated to ensuring our customers have the information they need to keep their systems up to date and protected against cybersecurity threats.

Secomea is authorized by CISA (Cybersecurity & Infrastructure Security Agency) as a CVE Numbering Authority (CNA), which is the de-facto international standard for identifying and naming cybersecurity vulnerabilities. Our support team ensures that discovered vulnerabilities are disclosed timely and in accordance with the CVE Program Standards.

Find information about:

**Advisory Process  |  Advisories  |  Subscribe for Notifications**

**SECOMEA CYBERSECURITY ADVISORY PROCESS**

**1\. Report**

If you have discovered an issue that you believe is a security vulnerability in our products or services, please email VulnerabilityReporting@secomea.com. Please include the following, as applicable:

*   A detailed description of the vulnerability
*   A Proof of Concept (POC) or instructions (e.g. screenshots, video, etc.) on how to reproduce the vulnerability or steps taken
*   Risk or exploitability assessment
*   Instructions on how to reach you with follow up questions
*   Whether the issue is subject to a Coordinated Vulnerability Disclosure (CVD) deadline CVE assignment and discovery acknowledgment regarding reports on products no longer supported will be decided on a case-by-case basis.

We strive to respond to all reports within three working days.

We acknowledge that reporting can contain sensitive information, and if so, please indicate in the email that you have sensitive data to exchange with us, and we will arrange proper exchange measures. You can submit using our PGP Public Key.

Click to show more Click to hide ![](https://www.secomea.com/wp-content/themes/secomea/images/icon_expand_collapse.svg)

**2\. Analysis**

Once reported, our support team will perform an evaluation of the issue to determine the affected products and whether the report is a valid security vulnerability. The support team will then contact the reporting entity with our analysis results. The reporter must respond within 30 days or the case may be closed. If necessary, partners or other CERTs are informed and involved in the process.

Click to show more Click to hide ![](https://www.secomea.com/wp-content/themes/secomea/images/icon_expand_collapse.svg)

**3\. Handling**

Vulnerabilities will be addressed by R&D as product fixes (remediations or mitigations). Secomea will keep the reporter informed of the status of the reported vulnerability and our approach to addressing the issue. If appropriate, a preview-release can be provided to the reporter in advance for validation.

We strive to provide fixes to vulnerabilities with CVSS (CVSS version 3.1) scores above medium within 30 business days. Generally, CVEs with medium/high CVSS scores but with a low risk/impact evaluation may have a longer timeline than CVEs with high risk/impact evaluation.

Click to show more Click to hide ![](https://www.secomea.com/wp-content/themes/secomea/images/icon_expand_collapse.svg)

**4\. Disclosure**

Secomea will release product fixes for vulnerabilities as part of normal product releases. Fixes are deployed to Secomea hosted solutions as they become available. Secomea will disclose security advice as part of the release documentation. All CVEs with a CVSS score of medium or higher will be published to the CVE list.  
Disclosure timeline of security advisories will be coordinated with customers, partners and the reporter.

Our Security Advisory usually contains the following information:

*   CVE reference, CVSS score and description of the vulnerability including risk/impact evaluation
*   Available mitigations and workarounds
*   Reporter credit optionally

Click to show more Click to hide ![](https://www.secomea.com/wp-content/themes/secomea/images/icon_expand_collapse.svg)

**5\. Third-Party software vulnerabilities** 

Vulnerabilities in third-party party software components used in supported Secomea products are assessed according to the risk/impact in relation to the product’s security context. Secomea may adjust the CVSS score to reflect such impact. As for Secomea developed software, a fix is released as part of the normal product releases. Third-Party vulnerabilities with assessed CVSS score above medium will be disclosed as part of release documentation.

Click to show more Click to hide ![](https://www.secomea.com/wp-content/themes/secomea/images/icon_expand_collapse.svg)

**SECOMEA SECURITY ADVISORIES**

**SIGN UP FOR VULNERABILITY NOTIFICATIONS****Sign up to receive timely notifications about security issues, vulnerabilities, and exploits directly in your mailbox.**

Search

lenovo warranty check/lookup | check warranty status | lenovo support us