An arbitrary file upload vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.

Palo Alto Networks Security Advisories / CVE-2023-6794

Urgency **REDUCED**

Response Effort **LOW**

Recovery **AUTOMATIC**

Value Density **DIFFUSE**

Attack Vector **NETWORK**

Attack Complexity **LOW**

Attack Requirements **PRESENT**

Automatable **NO**

User Interaction **NONE**

Product Confidentiality **HIGH**

Product Integrity **LOW**

Product Availability **NONE**

Privileges Required **HIGH**

Subsequent Confidentiality **NONE**

Subsequent Integrity **NONE**

Subsequent Availability **NONE**

NVD JSON

Published **2023-12-13**

Updated **2023-12-13**

Reference **PAN-139152 and PAN-131835**

Discovered **internally**

**Description**

An arbitrary file upload vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.

**Product Status**

Versions

Affected

Unaffected

Cloud NGFW

None

All

PAN-OS 11.1

None

All

PAN-OS 11.0

None

All

PAN-OS 10.2

None

All

PAN-OS 10.1

None

All

PAN-OS 9.1

< 9.1.14

\>= 9.1.14

PAN-OS 9.0

< 9.0.17-h1

\>= 9.0.17-h1

PAN-OS 8.1

< 8.1.26

\>= 8.1.26

Prisma Access

None

All

**Severity: MEDIUM**

CVSSv4.0 Base Score: 5.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Green)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-434 Unrestricted Upload of File with Dangerous Type

**Solution**

This issue is fixed in PAN-OS 8.1.26, PAN-OS 9.0.17-h1, PAN-OS 9.1.14, and all later PAN-OS versions.

**Workarounds and Mitigations**

This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

**Acknowledgments**

This issue was found by Palo Alto Networks during an internal security review.

**Timeline**

2023-12-13 Initial publication

CVE-2023-6794: CVE-2023-6794 PAN-OS: File Upload Vulnerability in the Web Interface

An improper privilege management vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to revoke active XML API keys from the firewall and disrupt XML API usage.

Palo Alto Networks Security Advisories / CVE-2023-6793

Urgency **REDUCED**

Response Effort **LOW**

Recovery **USER**

Value Density **DIFFUSE**

Attack Vector **NETWORK**

Attack Complexity **LOW**

Attack Requirements **NONE**

Automatable **YES**

User Interaction **NONE**

Product Confidentiality **NONE**

Product Integrity **NONE**

Product Availability **LOW**

Privileges Required **HIGH**

Subsequent Confidentiality **NONE**

Subsequent Integrity **NONE**

Subsequent Availability **NONE**

NVD JSON

Published **2023-12-13**

Updated **2023-12-13**

Reference **PAN-220267 and PAN-220269**

Discovered **externally**

**Description**

An improper privilege management vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to revoke active XML API keys from the firewall and disrupt XML API usage.

**Product Status**

Versions

Affected

Unaffected

Cloud NGFW

None

All

PAN-OS 11.1

None

All

PAN-OS 11.0

< 11.0.2

\>= 11.0.2

PAN-OS 10.2

< 10.2.5

\>= 10.2.5

PAN-OS 10.1

< 10.1.11

\>= 10.1.11

PAN-OS 10.0

All

None

PAN-OS 9.1

< 9.1.17

\>= 9.1.17

PAN-OS 9.0

< 9.0.17-h4

\>= 9.0.17-h4

PAN-OS 8.1

None

All

Prisma Access

None

All

**Required Configuration for Exposure**

This issue is applicable only to PAN-OS configurations that have XML API access enabled.

You can find more information about the XML API here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/pan-os-api-authentication/enable-api-access

**Severity: MEDIUM**

CVSSv4.0 Base Score: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Green)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-269 Improper Privilege Management

**Solution**

This issue is fixed in PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.11, PAN-OS 10.2.5, PAN-OS 11.0.2, and all later PAN-OS versions.

**Workarounds and Mitigations**

This issue requires the attacker to have authenticated access to the PAN-OS XML API. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

**Acknowledgments**

Palo Alto Networks thanks an external reporter for discovering and reporting this issue.

**Timeline**

2023-12-13 Initial publication

CVE-2023-6793: CVE-2023-6793 PAN-OS: XML API Keys Revoked by Read-Only PAN-OS Administrator

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.

Skip to content

Sign in

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

glpi-project / **glpi** Public

*   Notifications
*   Fork 1.2k
*   Star 3.5k
    

*   Code
*   Issues 137
*   Pull requests 62
*   Actions
*   Projects 1
*   Security
*   Insights

Additional navigation options

Moderate

trasher published GHSA-94c3-fw5r-3362

Dec 13, 2023

**Package**

glpi (glpi)

**Affected versions**

\>= 10.0.0

**Patched versions**

10.0.11

**Description**

**Impact**

The saved search feature can be used to perform a SQL injection.

**Patches**

Upgrade to 10.0.11.

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

**Severity**

Moderate

6.5

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**CVE ID**

CVE-2023-43813

**Weaknesses**

CWE-89

**Credits**

*    bhopkins0 Reporter

CVE-2023-43813: Authenticated SQL Injection

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the issue.

High

trasher published GHSA-qc92-gxc6-5f95

Dec 13, 2023

**Affected versions**

\>= 10.0.0

**Description**

**Impact**

On PHP 7.4 only, the LDAP server configuration form can be use to execute arbitrary code previously uploaded as a GLPI document.

**Patches**

Upgrade to 10.0.11.

**Workarounds**

Upgrade to PHP 8.x.

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

**Credits**

This vulnerability was discovered by Nikita Petrov (Positive Technologies).

**Severity**

**CVSS base metrics**

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-46726: Remote code execution from LDAP server configuration form on PHP 7.4

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory.

High

trasher published GHSA-v799-2mp3-wgfr

Dec 13, 2023

**Affected versions**

\>= 10.0.0

**Description**

**Impact**

GLPI inventory endpoint can be used to drive a SQL injection attack.

**Patches**

Upgrade to 10.0.11

**Workarounds**

Disable native inventory.

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

**Credits**

This vulnerability was discovered by Nikita Petrov (Positive Technologies).

**Severity**

**CVSS base metrics**

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

**Weaknesses**

CVE-2023-46727: SQL injection through inventory agent request

A vulnerability, which was classified as critical, was found in OTCMS 7.01. Affected is an unknown function of the file /admin/ind_backstage.php. The manipulation of the argument sqlContent leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-247908.

CVE-2023-6772

A vulnerability, which was classified as critical, has been found in SourceCodester Simple Student Attendance System 1.0. This issue affects the function save_attendance of the file actions.class.php. The manipulation of the argument sid leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-247907.

CVE-2023-6771

Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Analysis Model API Plugin
*   Deployment Dashboard Plugin
*   Dingding JSON Pusher Plugin
*   HTMLResource Plugin
*   Nexus Platform Plugin
*   OpenId Connect Authentication Plugin
*   PaaSLane Estimate Plugin
*   Scriptler Plugin

**Descriptions****DoS vulnerability in Analysis Model API Plugin**

**SECURITY-3327 / CVE-2023-5072**  
**Severity (CVSS):** Medium  
**Affected plugin: analysis-model-api**  
**Description:**

Analysis Model API Plugin 11.11.0 and earlier bundles versions of JSON-Java vulnerable to CVE-2023-5072.

This may allow attackers able to control input to cause a Denial of Service (DoS) by parsing a crafted JSON document.

As of publication, Synopsys Rapid Scan Static is the only plugin the Jenkins security team is aware of whose report parser is potentially affected.

Analysis Model API Plugin 11.13.0 updates JSON-Java to version 20231013, which is unaffected by this issue.

**Arbitrary file deletion vulnerability in Scriptler Plugin**

**SECURITY-3205 / CVE-2023-50764**  
**Severity (CVSS):** High  
**Affected plugin: scriptler**  
**Description:**

Scriptler Plugin 342.v6a\_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint.

This allows attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.

Scriptler Plugin 344.v5a\_ddb\_5f9e685 ensures that the file being deleted is located in the expected directory.

**Missing permission check in Scriptler Plugin**

**SECURITY-3206 / CVE-2023-50765**  
**Severity (CVSS):** Medium  
**Affected plugin: scriptler**  
**Description:**

Scriptler Plugin 342.v6a\_89fd40f466 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID.

Scriptler Plugin 344.v5a\_ddb\_5f9e685 requires the appropriate permission to read the contents of a Groovy script.

**CSRF vulnerability and missing permission checks in Nexus Platform Plugin allow XXE**

**SECURITY-3204 / CVE-2023-50766 (CSRF), CVE-2023-50767 (missing permission check)**  
**Severity (CVSS):** High  
**Affected plugin: nexus-jenkins-plugin**  
**Description:**

Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, so attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Nexus Platform Plugin 3.18.1-01 configures its XML parser to prevent XML external entity (XXE) attacks.

Additionally, POST requests and Overall/Administer permission are required for the affected HTTP endpoints.

Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues. The fixed version can be downloaded from the Sonatype website.

**CSRF vulnerability and missing permission checks in Nexus Platform Plugin allow capturing credentials**

**SECURITY-3203 / CVE-2023-50768 (CSRF), CVE-2023-50769 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: nexus-jenkins-plugin**  
**Description:**

Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Nexus Platform Plugin 3.18.1-01 requires POST requests and Overall/Administer permission for the affected form validation methods.

Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues. The fixed version can be downloaded from the Sonatype website.

**Password stored in a recoverable format by OpenId Connect Authentication Plugin**

**SECURITY-3168 / CVE-2023-50770**  
**Severity (CVSS):** Medium  
**Affected plugin: oic-auth**  
**Description:**

OpenId Connect Authentication Plugin provides an anti-lockout feature, which allows administrators to define a local user account that can be used to recover access to Jenkins.

In OpenId Connect Authentication Plugin 2.6 and earlier the password to that account is stored in a recoverable format.

This allows attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins.

**Open redirect vulnerability in OpenId Connect Authentication Plugin**

**SECURITY-2979 / CVE-2023-50771**  
**Severity (CVSS):** Medium  
**Affected plugin: oic-auth**  
**Description:**

OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

**Tokens stored and displayed in plain text by Dingding JSON Pusher Plugin**

**SECURITY-3184 / CVE-2023-50772 (storage), CVE-2023-50773 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: dingding-json-pusher**  
**Description:**

Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

**CSRF vulnerability in HTMLResource Plugin allows deleting arbitrary files**

**SECURITY-3183 / CVE-2023-50774**  
**Severity (CVSS):** High  
**Affected plugin: htmlresource**  
**Description:**

HTMLResource Plugin 1.02 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete arbitrary files on the Jenkins controller file system.

**CSRF vulnerability in Deployment Dashboard Plugin**

**SECURITY-3092 / CVE-2023-50775**  
**Severity (CVSS):** Medium  
**Affected plugin: ec2-deployment-dashboard**  
**Description:**

Deployment Dashboard Plugin 1.0.10 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to copy jobs.

**Tokens stored and displayed in plain text by PaaSLane Estimate Plugin**

**SECURITY-3182 / CVE-2023-50776 (storage), CVE-2023-50777 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: paaslane-estimate**  
**Description:**

PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

**CSRF vulnerability and missing permission checks in PaaSLane Estimate Plugin**

**SECURITY-3179 / CVE-2023-50778 (CSRF), CVE-2023-50779 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: paaslane-estimate**  
**Description:**

PaaSLane Estimate Plugin 1.0.4 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Severity**

*   SECURITY-2979: Medium
*   SECURITY-3092: Medium
*   SECURITY-3168: Medium
*   SECURITY-3179: Medium
*   SECURITY-3182: Medium
*   SECURITY-3183: High
*   SECURITY-3184: Medium
*   SECURITY-3203: Medium
*   SECURITY-3204: High
*   SECURITY-3205: High
*   SECURITY-3206: Medium
*   SECURITY-3327: Medium

**Affected Versions**

*   **Analysis Model API Plugin** up to and including 11.11.0
*   **Deployment Dashboard Plugin** up to and including 1.0.10
*   **Dingding JSON Pusher Plugin** up to and including 2.0
*   **HTMLResource Plugin** up to and including 1.02
*   **Nexus Platform Plugin** up to and including 3.18.0-03
*   **OpenId Connect Authentication Plugin** up to and including 2.6
*   **PaaSLane Estimate Plugin** up to and including 1.0.4
*   **Scriptler Plugin** up to and including 342.v6a\_89fd40f466

**Fix**

*   **Analysis Model API Plugin** should be updated to version 11.13.0
*   **Nexus Platform Plugin** should be updated to version 3.18.1-01
*   **Scriptler Plugin** should be updated to version 344.v5a\_ddb\_5f9e685

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Deployment Dashboard Plugin
*   Dingding JSON Pusher Plugin
*   HTMLResource Plugin
*   OpenId Connect Authentication Plugin
*   PaaSLane Estimate Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Andrea Chiera, CloudBees, Inc.** for SECURITY-3179, SECURITY-3182, SECURITY-3183, SECURITY-3184, SECURITY-3203, SECURITY-3204, SECURITY-3205, SECURITY-3206
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2979, SECURITY-3092
*   **Steve Marlowe <smarlowe@cisco.com> of Cisco ASIG** for SECURITY-3168

CVE-2023-50777: Jenkins Security Advisory 2023-12-13

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

CVE-2023-50773: Jenkins Security Advisory 2023-12-13

Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.