Buffer Overflow vulnerability in HtmlOutputDev::page in poppler 0.75.0 allows attackers to cause a denial of service.

    ~/fuzz/poppler/utils]$ ./pdftohtml ./in/poc -f 1 /dev/null                                              *[master] 
    Syntax Error (738): Dictionary key must be a name object
    Syntax Error (751): Dictionary key must be a name object
    Syntax Error (758): Illegal character '>'
    Syntax Error (763): Dictionary key must be a name object
    Syntax Error (769): Dictionary key must be a name object
    Syntax Error (798): Illegal character ')'
    Syntax Error (798): Dictionary key must be a name object
    Syntax Error (820): Dictionary key must be a name object
    Syntax Error (820): Illegal character '{'
    Syntax Error (820): Dictionary key must be a name object
    Syntax Error (846): Dictionary key must be a name object
    Syntax Error (846): Dictionary key must be a name object
    Syntax Error (849): Dictionary key must be a name object
    Syntax Error (849): Illegal character '{'
    Syntax Error (849): Dictionary key must be a name object
    Syntax Error (899): Dictionary key must be a name object
    Syntax Error (899): Illegal character ')'
    Syntax Error (899): Dictionary key must be a name object
    Syntax Error (905): Dictionary key must be a name object
    Syntax Error (905): Dictionary key must be a name object
    Syntax Error (916): Dictionary key must be a name object
    Syntax Error (926): Dictionary key must be a name object
    Syntax Error (933): Dictionary key must be a name object
    Syntax Error (935): Dictionary key must be a name object
    Syntax Error (937): Dictionary key must be a name object
    Syntax Error (941): Dictionary key must be a name object
    Syntax Error (943): Dictionary key must be a name object
    Syntax Error (950): Dictionary key must be a name object
    I/O Error: Couldn't open html file '/dev/null.html'
    I/O Error: Couldn't open html file '/dev/null_ind.html'
    ASAN:SIGSEGV
    =================================================================
    ==49519==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f849ee7c6f8 bp 0x611000009950 sp 0x7
    ffc717cbd00 T0)
        #0 0x7f849ee7c6f7 in _IO_fwrite (/lib/x86_64-linux-gnu/libc.so.6+0x6e6f7)
        #1 0x52d565 in HtmlOutputDev::~HtmlOutputDev() /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1221
        #2 0x52d860 in HtmlOutputDev::~HtmlOutputDev() /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1227
        #3 0x50543f in main /home/greydog/fuzz/poppler/utils/pdftohtml.cc:457
        #4 0x7f849ee2e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #5 0x508818 in _start (/home/greydog/fuzz/poppler/utils/pdftohtml+0x508818)
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV ??:0 _IO_fwrite
    ==49519==ABORTING 

    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x10 
    RCX: 0xbebebebebebebebe 
    RDX: 0x10 
    RSI: 0x1 
    RDI: 0xacd440 ("</body>\n</html>\n")
    RBP: 0x611000009950 --> 0xbebebebebebebebe 
    RSP: 0x7fffffffd3d0 --> 0x60300001dce0 --> 0x606023800004 --> 0x0 
    RIP: 0x7ffff47d56f8 (<__GI__IO_fwrite+24>:      mov    eax,DWORD PTR [rcx])
    R8 : 0x0 
    R9 : 0xc220000132a --> 0x0 
    R10: 0x62c 
    R11: 0x7ffff47d56e0 (<__GI__IO_fwrite>: push   r14)
    R12: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R13: 0xc2200001329 --> 0x0 
    R14: 0x611000009948 --> 0x0 
    R15: 0x603000001120 --> 0x603000001130 ("./in/poc")
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff47d56eb <__GI__IO_fwrite+11>: imul   rbx,rdx
       0x7ffff47d56ef <__GI__IO_fwrite+15>: test   rbx,rbx
       0x7ffff47d56f2 <__GI__IO_fwrite+18>: je     0x7ffff47d57e8 <__GI__IO_fwrite+264>
    => 0x7ffff47d56f8 <__GI__IO_fwrite+24>: mov    eax,DWORD PTR [rcx]
       0x7ffff47d56fa <__GI__IO_fwrite+26>: mov    r12,rdi
       0x7ffff47d56fd <__GI__IO_fwrite+29>: mov    r10,rsi
       0x7ffff47d5700 <__GI__IO_fwrite+32>: mov    r9,rcx
       0x7ffff47d5703 <__GI__IO_fwrite+35>: and    eax,0x8000
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd3d0 --> 0x60300001dce0 --> 0x606023800004 --> 0x0 
    0008| 0x7fffffffd3d8 --> 0x611000009950 --> 0xbebebebebebebebe 
    0016| 0x7fffffffd3e0 --> 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:   lea    rsp,[rsp-0x98])
    0024| 0x7fffffffd3e8 --> 0xc2200001329 --> 0x0 
    0032| 0x7fffffffd3f0 --> 0x611000009948 --> 0x0 
    0040| 0x7fffffffd3f8 --> 0x52d566 (<HtmlOutputDev::~HtmlOutputDev()+1814>:      mov    rcx,rbp)
    0048| 0x7fffffffd400 --> 0x60600000d488 --> 0xbebebebebebebebe 
    0056| 0x7fffffffd408 --> 0x60300001e730 --> 0x60300001e740 ("/dev/null")
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    __GI__IO_fwrite (buf=buf@entry=0xacd440, size=size@entry=0x1, count=count@entry=0x10, fp=0xbebebebebebebebe)
        at iofwrite.c:37
    37      iofwrite.c: No such file or directory.
    gdb-peda$ bt 10
    #0  __GI__IO_fwrite (buf=buf@entry=0xacd440, size=size@entry=0x1, count=count@entry=0x10, fp=0xbebebebebebebebe)
        at iofwrite.c:37
    #1  0x000000000052d566 in HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1221
    #2  0x000000000052d861 in HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1227
    #3  0x0000000000505440 in main (argc=0x3, argc@entry=0x5, argv=argv@entry=0x7fffffffd7e8)
        at /home/greydog/fuzz/poppler/utils/pdftohtml.cc:457
    #4  0x00007ffff4787830 in __libc_start_main (main=0x503bf0 <main(int, char**)>, argc=0x5, argv=0x7fffffffd7e8, 
        init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd7d8)
        at ../csu/libc-start.c:291
    #5  0x0000000000508819 in _start ()
    
    
    [----------------------------------registers-----------------------------------]                           [23/9786]
    RAX: 0x0 
    RBX: 0xffffffffaa2 --> 0x0 
    RCX: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    RDX: 0xc2200001318 --> 0x0 
    RSI: 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98])
    RDI: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    RBP: 0x7fffffffd510 --> 0x41b58ab3 
    RSP: 0x7fffffffd458 --> 0x505440 (<main(int, char**)+6224>:     mov    DWORD PTR [rsp+0x18],0x0)
    RIP: 0x52d820 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R8 : 0x1c77ea 
    R9 : 0x1c80b 
    R10: 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:       lea    rsp,[rsp-0x98])
    R11: 0x1c7856 
    R12: 0x60300001e730 --> 0x60300001e740 ("/dev/null")
    R13: 0xef4140 --> 0x0 
    R14: 0x610000007d40 --> 0x603000001090 --> 0x6030000010a0 ("./in/poc")
    R15: 0x603000001120 --> 0x603000001130 ("./in/poc")
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x52d810 <HtmlOutputDev::~HtmlOutputDev()+2496>:     call   0x5007f0 <__stack_chk_fail@plt>
       0x52d815 <HtmlOutputDev::~HtmlOutputDev()+2501>:     call   0x501640 <__asan_report_load8@plt>
       0x52d81a:    nop    WORD PTR [rax+rax*1+0x0]
    => 0x52d820 <HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98]
       0x52d828 <HtmlOutputDev::~HtmlOutputDev()+8>:        mov    QWORD PTR [rsp],rdx
       0x52d82c <HtmlOutputDev::~HtmlOutputDev()+12>:       mov    QWORD PTR [rsp+0x8],rcx
       0x52d831 <HtmlOutputDev::~HtmlOutputDev()+17>:       mov    QWORD PTR [rsp+0x10],rax
       0x52d836 <HtmlOutputDev::~HtmlOutputDev()+22>:       mov    rcx,0xee1
    [------------------------------------stack-------------------------------------]
    
      0x52d810 <HtmlOutputDev::~HtmlOutputDev()+2496>:     call   0x5007f0 <__stack_chk_fail@plt>
       0x52d815 <HtmlOutputDev::~HtmlOutputDev()+2501>:     call   0x501640 <__asan_report_load8@plt>
       0x52d81a:    nop    WORD PTR [rax+rax*1+0x0]
    => 0x52d820 <HtmlOutputDev::~HtmlOutputDev()>:  lea    rsp,[rsp-0x98]
       0x52d828 <HtmlOutputDev::~HtmlOutputDev()+8>:        mov    QWORD PTR [rsp],rdx
       0x52d82c <HtmlOutputDev::~HtmlOutputDev()+12>:       mov    QWORD PTR [rsp+0x8],rcx
       0x52d831 <HtmlOutputDev::~HtmlOutputDev()+17>:       mov    QWORD PTR [rsp+0x10],rax
       0x52d836 <HtmlOutputDev::~HtmlOutputDev()+22>:       mov    rcx,0xee1
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd458 --> 0x505440 (<main(int, char**)+6224>:    mov    DWORD PTR [rsp+0x18],0x0)
    0008| 0x7fffffffd460 --> 0x7ffff53d5ac8 (:wcout+8>:     0x00007ffff53d0a10)
    0016| 0x7fffffffd468 --> 0x7fffffffd6d0 --> 0x0 
    0024| 0x7fffffffd470 --> 0x7fffffffd510 --> 0x41b58ab3 
    0032| 0x7fffffffd478 --> 0x6110000098c0 --> 0xe3bf48 --> 0x52ce50 (<HtmlOutputDev::~HtmlOutputDev()>:   lea    rsp,[rsp-0x98])
    0040| 0x7fffffffd480 --> 0xef3fc0 --> 0x0 
    0048| 0x7fffffffd488 --> 0x60300001e250 --> 0x60307a800001 --> 0x0 
    0056| 0x7fffffffd490 --> 0x60300001e1f0 --> 0x60607b800002 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    
    Breakpoint 1, HtmlOutputDev::~HtmlOutputDev (this=0x6110000098c0, __in_chrg=<optimized out>)
        at /home/greydog/fuzz/poppler/utils/HtmlOutputDev.cc:1201
    1201    HtmlOutputDev::~HtmlOutputDev() {
    gdb-peda$ p page
    $1 = (FILE *) 0xbebebebebebebebe
    gdb-peda$ list
    1196        delete htmlEncoding;
    1197      }
    1198      ok = true; 
    1199    }
    1200
    1201    HtmlOutputDev::~HtmlOutputDev() {
    1202        delete Docname;
    1203        delete docTitle;
    1204
    1205        for (auto entry : *glMetaVars) {

CVE-2020-18839: pdftohtml memory crash (#742) · Issues · poppler / poppler · GitLab

Heap buffer overflow vulnerability in FilePOSIX::read in File.cpp in audiofile 0.3.6 may cause denial-of-service via a crafted wav file, this bug can be triggered by the executable sfconvert.

one heap buffer overflow in FilePOSIX::read in File.cpp in master branch.  
poc.zip

$uname -a  
Linux ubuntu 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 14:01:10 UTC 2019 x86\_64 GNU/Linux

**$./sfconvert poc.wav output format wave  
asan:**

\==90086==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f708 at pc 0x7f64fd42ee55 bp 0x7ffcd6e8e290 sp 0x7ffcd6e8da38  
WRITE of size 2 at 0x61a00001f708 thread T0  
#0 0x7f64fd42ee54 (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x45e54)  
#1 0x7f64fd14b8cb in FilePOSIX::read(void\*, unsigned long) /home/s2e/asan/audiofile/libaudiofile/File.cpp:126  
#2 0x7f64fd150ed9 in readValue /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:353  
#3 0x7f64fd14fc48 in readSwap /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:375  
#4 0x7f64fd14ee93 in \_AFfilehandle::readS16(short\*) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:397  
#5 0x7f64fd16e393 in WAVEFile::parseFormat(Tag const&, unsigned int) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:289  
#6 0x7f64fd171751 in WAVEFile::readInit(\_AFfilesetup\*) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:733  
#7 0x7f64fd18067e in \_afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:356  
#8 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217  
#9 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195  
#10 0x7f64fcd7982f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)  
#11 0x401568 in \_start (/home/s2e/asan/audiofile/tmp/bin/sfconvert+0x401568)

0x61a00001f708 is located 0 bytes to the right of 1160-byte region \[0x61a00001f280,0x61a00001f708)  
allocated by thread T0 here:  
#0 0x7f64fd482532 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99532)  
#1 0x7f64fd14c4f1 in \_AFfilehandle::create(int) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:80  
#2 0x7f64fd18042e in \_afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:337  
#3 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217  
#4 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195  
#5 0x7f64fcd7982f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??  
Shadow bytes around the buggy address:  
0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c347fffbee0: 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==90086==ABORTING

CVE-2020-18781: one heap buffer overflow in FilePOSIX::read in File.cpp · Issue #56 · mpruett/audiofile

Buffer Overflow vulnerability in tEXtToDataBuf function in pngimage.cpp in Exiv2 0.27.1 allows remote attackers to cause a denial of service and other unspecified impacts via use of crafted file.

CVE-2020-18831

Buffer Overflow vulnerability in function ID3_Support::ID3v2Frame::getFrameValue in exempi 2.5.0 and earlier allows remote attackers to cause a denial of service via opening of crafted audio file with ID3V2 frame.

poc

**0x00 Introduction**

In exempi 2.5.0, I found a heap-based buffer over-read bug in function ID3\_Support::ID3v2Frame::getFrameValue, the ASAN report is as below.

    liwc@ubuntu:~/exempi-master_asan/exempi$ ./exempi -x poc
    processing file poc
    dump_xmp for file poc
    =================================================================
    ==79549==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eed1 at pc 0x0000004be2ae bp 0x7fffc062ec30 sp 0x7fffc062ec20
    READ of size 4 at 0x60200000eed1 thread T0
        #0 0x4be2ad in GetUns32BE ../../../source/EndianUtils.hpp:152
        #1 0x4c2256 in ID3_Support::ID3v2Frame::getFrameValue(unsigned char, unsigned int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*) /home/liwc/exempi-master/XMPFiles/source/FormatSupport/ID3_Support.cpp:702
        #2 0x4de2a0 in MP3_MetaHandler::ProcessXMP() /home/liwc/exempi-master/XMPFiles/source/FileHandlers/MP3_Handler.cpp:334
        #3 0x48aafd in XMPFiles::GetXMP(TXMPMeta<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >*, char const**, unsigned int*, XMP_PacketInfo*) /home/liwc/exempi-master/XMPFiles/source/XMPFiles.cpp:1471
        #4 0x47fac8 in WXMPFiles_GetXMP_1 /home/liwc/exempi-master/XMPFiles/source/WXMPFiles.cpp:331
        #5 0x41e353 in TXMPFiles<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::GetXMP(TXMPMeta<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, XMP_PacketInfo*) (/home/liwc/exempi-master_asan/exempi/exempi+0x41e353)
        #6 0x40c0f1 in xmp_files_get_new_xmp /home/liwc/exempi-master/exempi/exempi.cpp:346
        #7 0x408d07 in get_xmp_from_file /home/liwc/exempi-master/exempi/main.cpp:244
        #8 0x408ece in dump_xmp /home/liwc/exempi-master/exempi/main.cpp:257
        #9 0x409b54 in process_file /home/liwc/exempi-master/exempi/main.cpp:348
        #10 0x408728 in main /home/liwc/exempi-master/exempi/main.cpp:194
        #11 0x7f7b7b20482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #12 0x407a58 in _start (/home/liwc/exempi-master_asan/exempi/exempi+0x407a58)
    
    0x60200000eed3 is located 0 bytes to the right of 3-byte region [0x60200000eed0,0x60200000eed3)
    allocated by thread T0 here:
        #0 0x7f7b7c53b712 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99712)
        #1 0x4c10c6 in ID3_Support::ID3v2Frame::read(XMP_IO*, unsigned char) /home/liwc/exempi-master/XMPFiles/source/FormatSupport/ID3_Support.cpp:579
        #2 0x4dd4ae in MP3_MetaHandler::CacheFileData() /home/liwc/exempi-master/XMPFiles/source/FileHandlers/MP3_Handler.cpp:220
        #3 0x48874f in DoOpenFile /home/liwc/exempi-master/XMPFiles/source/XMPFiles.cpp:1076
        #4 0x488f8a in XMPFiles::OpenFile(char const*, unsigned int, unsigned int) /home/liwc/exempi-master/XMPFiles/source/XMPFiles.cpp:1179
        #5 0x47e415 in WXMPFiles_OpenFile_1 /home/liwc/exempi-master/XMPFiles/source/WXMPFiles.cpp:233
        #6 0x41dab4 in TXMPFiles<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::OpenFile(char const*, unsigned int, unsigned int) (/home/liwc/exempi-master_asan/exempi/exempi+0x41dab4)
        #7 0x40bd79 in xmp_files_open_new /home/liwc/exempi-master/exempi/exempi.cpp:294
        #8 0x408ccb in get_xmp_from_file /home/liwc/exempi-master/exempi/main.cpp:242
        #9 0x408ece in dump_xmp /home/liwc/exempi-master/exempi/main.cpp:257
        #10 0x409b54 in process_file /home/liwc/exempi-master/exempi/main.cpp:348
        #11 0x408728 in main /home/liwc/exempi-master/exempi/main.cpp:194
        #12 0x7f7b7b20482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../source/EndianUtils.hpp:152 GetUns32BE
    Shadow bytes around the buggy address:
      0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9db0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 00
      0x0c047fff9dc0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 00 00
    =>0x0c047fff9dd0: fa fa 01 fa fa fa 04 fa fa fa[03]fa fa fa 03 fa
      0x0c047fff9de0: fa fa 00 04 fa fa 05 fa fa fa 00 04 fa fa fd fd
      0x0c047fff9df0: fa fa 00 05 fa fa fd fa fa fa 05 fa fa fa 00 00
      0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==79549==ABORTING

**0x01 Analysis**

I debugged the poc with gdb so that I found the key of this issue.

    bool ID3v2Frame::getFrameValue ( XMP_Uns8 /*majorVersion*/, XMP_Uns32 logicalID, std::string* utf8string )
    {
    
    	XMP_Assert ( (this->content != 0) && (this->contentSize >= 0) && (this->contentSize < 20*1024*1024) );
    
    	if ( this->contentSize == 0 ) {
    		utf8string->erase();
    		return true; // ...it is "of interest", even if empty contents.
    	}
    
    	XMP_Int32 pos = 0;
    	XMP_Uns8 encByte = 0;
    	// WCOP does not have an encoding byte, for all others: use [0] as EncByte, advance pos
    	if ( logicalID != 0x57434F50 ) { // pos1
    		encByte = this->content[0];
    		pos++;
    	}
    
    	// mode specific forks, COMM or USLT
    	bool commMode = ( (logicalID == 0x434F4D4D) || (logicalID == 0x55534C54) );
    
    	switch ( encByte ) { // pos2
    
    		case 0: //ISO-8859-1, 0-terminated
    		{
    			if ( commMode && (! advancePastCOMMDescriptor ( pos )) ) return false; // not a frame of interest!
    
    			char* localPtr  = &this->content[pos];
    			size_t localLen = this->contentSize - pos;
    			ReconcileUtils::Latin1ToUTF8 ( localPtr, localLen, utf8string );
    			break;
    
    		}
    
    		case 1: // Unicode, v2.4: UTF-16 (undetermined Endianess), with BOM, terminated 0x00 00
    		case 2: // UTF-16BE without BOM, terminated 0x00 00
    		{
    			...
    		}
    
    		case 3: // UTF-8 unicode, terminated \0
    		{
    			if ( commMode && (! advancePastCOMMDescriptor ( pos )) ) return false; // not a frame of interest!
    		
    			if ( (GetUns32BE ( &this->content[pos]) & 0xFFFFFF00 ) == 0xEFBBBF00 ) { // pos3
    				pos += 3;	// swallow any BOM, just in case
    			}
    
    			utf8string->assign ( &this->content[pos], (this->contentSize - pos) );
    			break;
    		}
    
    		default:
    			XMP_Throw ( "unknown text encoding", kXMPErr_BadFileFormat ); //COULDDO assume latin-1 or utf-8 as best-effort
    			break;
    
    	}
    
    	return true;
    
    }	// ID3v2Frame::getFrameValue

At pos1, the logicalID did not equal 0x57434f50，so the if branch was satisfied and pos would incremented. Now the encByte was 0x3, the case 3 of switch statement at pos2 was satisfied. We noticed the size of heap buffer this->content was only 3 bytes and it started from 0x60200000eed0.

     →  655	 	if ( logicalID != 0x57434F50 ) {
        656	 		encByte = this->content[0];
        657	 		pos++;
        658	 	}
        659	 
        660	 	// mode specific forks, COMM or USLT
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
    [#0] Id 1, Name: "exempi", stopped, reason: SINGLE STEP
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
    ...
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    gef➤  p logicalID 
    $1 = 0x54504f53
    gef➤  p this->content
    $2 = 0x60200000eed0 "\003\062\061"
    

Then it called the inline function GetUns32BE in EndianUtils.hpp:150 at pos3, and GetUns32BE read 4 bytes from the given addr. At this call site the given addr was 0x60200000eed1, so a 2-bytes heap-based buffer over-read happened.

We can patch this issue by check the length of this->content firstly.

**0x02 Reproduce**

    OS:Ubuntu 16.04 x86_64
    export CFLAGS="-fsanitize=address -ggdb"
    export CXXFLAGS="-fsanitize=address -ggdb"
    export LDFLAGS="-fsanitize=address -ggdb"
    sudo apt install libboost-dev
    sudo apt install libboost-test-dev
    ./autogen.sh
    ./configure --disable-shared
    make
    
    ./exampi/exempi -x POC -o out

**0x03 Discoverer**

WenChao Li of VARAS@IIE

CVE-2020-18651: A heap-based buffer over-read was found in ID3_Support.cpp (#13) · Issues · libopenraw / exempi · GitLab

An issue in TPLink Smart bulb Tapo series L530 v.1.0.0 and Tapo Application v.2.8.14 allows a remote attacker to obtain sensitive information via the IV component in the AES128-CBC function.

%PDF-1.5 %� 150 0 obj << /Filter /FlateDecode /Length 4293 >> stream xڍZKs����W���D���w�M)�I�X�j7��A����\_���{�!nR�����{�=n�o��?�.ʐ����&�?N�4M�4�o�û\_��1�j��8�Y4#o��w���nk��:~����?삛���Ax��t;���4��,Jnꛟ��g�v��R����7�x�-�<�R�)���������o��=�i>$���wY�a�-Vioq�A,�NM�6c95�\* C��m�z���a�/A��qM-�㫔6 \`�(j��@W/i���m��4�M��r��G{��Q���G�"���ǉ�Xm��֔�^��?N\]SكP�ь#\*+�� F!\\)��tϭ�H� ��1jA����uh����gt��?ʳ�E��Y���\]���<�#wf(�����y�y OJw;wX��p��h��OO�a�\[��M2�wu�3�� ���8�̸�U�v�#�v~B̨sodT��L�m$��|�L:}���'"DNT�0O�?߆D��t��hn�T�j����e�\_LC,1H���o��z��7����� ՚ñ5��(u�q�CSN�4% ��i0�<�RV{S}Y\[h���4X��=���b�}9Y��دRLe����x%��z�����<� ��;�}3Y֎r�%j�3RW��xb��n\_�j�v�͡ﶫԜ�\]�P��Fj�j�Ө�i\*�T�A0/�^ծeT� ����90k�J\[�F�xt"�)�����7 �����ۛ��q�P�D��M������\*�94����{����}:�DG�/r��f,�O�����:�껎t��7���N��^�Ӳ����e�8���(����An$�b��Q�����(�C)�e��JHar�.w�4$\]f�����%��,�XQ�Ax����H��%����Q�LMlN�j\\�M�,�b�V�s�L�����t����x����e ��{���d#G��#7�Fڅ�p��j��8I�GmǕ��t:j��6��B����-)��l�drR���^ �E�}�t��};��.׹����F'x�RhS��^4��e;��~\]��,�3i\`X�l�&�f�~�By#�����R�Pӡ?�"�\\R�l�$ʽ~rjS�����\]C��\[:OӍ��e#gW��%\`��)y;�\]��n�.F����%�d���u����8�q���qd�ȝ��$��k�Y�^�4��o���(\_��{A��$��֔؃�r4�\]�f= ��iz�yZ�)�x1I\[�-W���h�N51�3���,6��ǉ(�\*U;�Bi��1�W�d���F ��.bH ��-rE9U��\[���v>�S�"D�a�kT1E�j!dSA!����÷ǣ�¨-�^'�����Q8>�9\[�i��q\[S{t��I�(U���:c$4�'l����z�F+�

CVE-2023-38909

An issue in TPLink Smart bulb Tapo series L530 v.1.0.0 and Tapo Application v.2.8.14 allows a remote attacker to obtain sensitive information via the authentication code for the UDP message.

Download PDF

> Abstract: The IoT is getting more and more pervasive. Even the simplest devices, such as a light bulb or an electrical plug, are made "smart" and controllable by our smartphone. This paper describes the findings obtained by applying the PETIoT kill chain to conduct a Vulnerability Assessment and Penetration Testing session on a smart bulb, the Tapo L530E by Tp-Link, currently best seller on Amazon Italy. We found that four vulnerabilities affect the bulb, two of High severity and two of Medium severity according to the CVSS v3.1 scoring system. In short, authentication is not well accounted for and confidentiality is insufficiently achieved by the implemented cryptographic measures. In consequence, an attacker who is nearby the bulb can operate at will not just the bulb but all devices of the Tapo family that the user may have on her Tapo account. Moreover, the attacker can learn the victim's Wi-Fi password, thereby escalating his malicious potential considerably. The paper terminates with an outline of possible fixes.

**Submission history**

From: Davide Bonaventura \[view email\]  
**\[v1\]** Thu, 17 Aug 2023 14:48:04 UTC (990 KB)

CVE-2023-38906: Smart Bulbs can be Hacked to Hack into your Household

A missing permission check in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.



This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Blue Ocean Plugin
*   Config File Provider Plugin
*   Delphix Plugin
*   Docker Swarm Plugin
*   Favorite View Plugin
*   Flaky Test Handler Plugin
*   Folders Plugin
*   Fortify Plugin
*   Gogs Plugin
*   Maven Artifact ChoiceListProvider (Nexus) Plugin
*   NodeJS Plugin
*   Shortcut Job Plugin
*   Tuleap Authentication Plugin

**Descriptions****CSRF vulnerability in Folders Plugin may approve unsandboxed scripts**

**SECURITY-3106 / CVE-2023-40336**  
**Severity (CVSS):** High  
**Affected plugin: cloudbees-folder**  
**Description:**

Folders Plugin 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the execution of unsafe scripts.

An improvement added in Script Security Plugin 1265.va\_fb\_290b\_4b\_d34 and 1251.1253.v4e638b\_e3b\_221 prevents automatic approval of unsandboxed scripts when administrators copy jobs, significantly reducing the impact of this vulnerability.

Folders Plugin 6.848.ve3b\_fd7839a\_81 requires POST requests for the affected HTTP endpoint.

**CSRF vulnerability in Folders Plugin**

**SECURITY-3105 / CVE-2023-40337**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-folder**  
**Description:**

Folders Plugin 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to copy a view inside a folder.

Folders Plugin 6.848.ve3b\_fd7839a\_81 requires POST requests for the affected HTTP endpoint.

**Information disclosure in Folders Plugin**

**SECURITY-3109 / CVE-2023-40338**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-folder**  
**Description:**

Folders Plugin displays an error message when attempting to access the Scan Organization Folder Log if no logs are available.

In Folders Plugin 6.846.v23698686f0f6 and earlier, this error message includes the absolute path of a log file, exposing information about the Jenkins controller file system.

Folders Plugin 6.848.ve3b\_fd7839a\_81 does not display the absolute path of a log file in the error message.

**Improper masking of credentials in Config File Provider Plugin**

**SECURITY-3090 / CVE-2023-40339**  
**Severity (CVSS):** Medium  
**Affected plugin: config-file-provider**  
**Description:**

Config File Provider Plugin 952.va\_544a\_6234b\_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they’re written to the build log.

Config File Provider Plugin 953.v0432a\_802e4d2 masks credentials configured in configuration files if they appear in the build log.

**Improper masking of credentials in NodeJS Plugin**

**SECURITY-3196 / CVE-2023-40340**  
**Severity (CVSS):** Medium  
**Affected plugin: nodejs**  
**Description:**

NodeJS Plugin integrates with Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file.

NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.

NodeJS Plugin 1.6.0.1 masks credentials specified in the Npm config file in Pipeline build logs.

**CSRF vulnerability in Blue Ocean Plugin allows capturing credentials**

**SECURITY-3116 / CVE-2023-40341**  
**Severity (CVSS):** Medium  
**Affected plugin: blueocean**  
**Description:**

Blue Ocean Plugin 1.27.5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.

This issue is due to an incomplete fix of SECURITY-2502.

Blue Ocean Plugin 1.27.5.1 uses the configured SCM URL, instead of a user-specified URL provided as a parameter to the HTTP endpoint.

**CSRF vulnerability and missing permission checks in Fortify Plugin allow capturing credentials**

**SECURITY-3115 / CVE-2023-4301 (CSRF), CVE-2023-4302 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: fortify**  
**Description:**

Fortify Plugin 22.1.38 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Fortify Plugin 22.2.39 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**HTML injection vulnerability in Fortify Plugin**

**SECURITY-3140 / CVE-2023-4303**  
**Severity (CVSS):** Medium  
**Affected plugin: fortify**  
**Description:**

Fortify Plugin 22.1.38 and earlier does not escape the error message for a form validation method. This results in an HTML injection vulnerability.

Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses prevents JavaScript execution, so no scripts can be injected.

Fortify Plugin 22.2.39 removes HTML tags from the error message.

**Stored XSS vulnerability in Flaky Test Handler Plugin**

**SECURITY-3223 / CVE-2023-40342**  
**Severity (CVSS):** High  
**Affected plugin: flaky-test-handler**  
**Description:**

Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents.

Flaky Test Handler Plugin 1.2.3 escapes JUnit test contents when showing them on the Jenkins UI.

**Non-constant time token comparison in Tuleap Authentication Plugin**

**SECURITY-3229 / CVE-2023-40343**  
**Severity (CVSS):** Low  
**Affected plugin: tuleap-oauth**  
**Description:**

Tuleap Authentication Plugin 1.1.20 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid authentication token.

Tuleap Authentication Plugin 1.1.21 uses a constant-time comparison when validating authentication tokens.

**Missing permission check in Delphix Plugin allows enumerating credentials IDs**

**SECURITY-3214 (1) / CVE-2023-40344**  
**Severity (CVSS):** Medium  
**Affected plugin: delphix**  
**Description:**

Delphix Plugin 3.0.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Delphix Plugin 3.0.3 requires the appropriate permissions.

**Exposure of system-scoped credentials in Delphix Plugin**

**SECURITY-3214 (2) / CVE-2023-40345**  
**Severity (CVSS):** Medium  
**Affected plugin: delphix**  
**Description:**

Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Overall/Read permission to access and capture credentials they are not entitled to.

Delphix Plugin 3.0.3 defines the appropriate context for credentials lookup.

**Stored XSS vulnerability in Shortcut Job Plugin**

**SECURITY-3071 / CVE-2023-40346**  
**Severity (CVSS):** High  
**Affected plugin: shortcut-job**  
**Description:**

Shortcut Job Plugin 0.4 and earlier does not escape the shortcut redirection URL.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure shortcut jobs.

Shortcut Job Plugin 0.5 escapes the shortcut redirection URL.

**Exposure of system-scoped credentials in Maven Artifact ChoiceListProvider (Nexus) Plugin**

**SECURITY-3153 / CVE-2023-40347**  
**Severity (CVSS):** Medium  
**Affected plugin: maven-artifact-choicelistprovider**  
**Description:**

Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

**Unsafe default behavior and information disclosure in Gogs Plugin webhook**

**SECURITY-2894 / CVE-2023-40348 (information disclosure), CVE-2023-40349 (insecure default)**  
**Severity (CVSS):** Medium  
**Affected plugin: gogs-webhook**  
**Description:**

Gogs Plugin provides a webhook endpoint at /gogs-webhook that can be used to trigger builds of jobs. In Gogs Plugin 1.0.15 and earlier, an option to specify a Gogs secret for this webhook is provided, but not enabled by default.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified job name.

Additionally, the output of the webhook endpoint includes whether a job corresponding to the attacker-specified job name exists, even if the attacker has no permission to access it.

**Stored XSS vulnerability in Docker Swarm Plugin**

**SECURITY-2811 / CVE-2023-40350**  
**Severity (CVSS):** High  
**Affected plugin: docker-swarm**  
**Description:**

Docker Swarm Plugin processes Docker responses to generate the Docker Swarm Dashboard view.

Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker.

**CSRF vulnerability in Favorite View Plugin**

**SECURITY-3201 / CVE-2023-40351**  
**Severity (CVSS):** Medium  
**Affected plugin: favorite-view**  
**Description:**

Favorite View Plugin 5.v77a\_37f62782d and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to add or remove views from another user’s favorite views tab bar.

**Severity**

*   SECURITY-2811: High
*   SECURITY-2894: Medium
*   SECURITY-3071: High
*   SECURITY-3090: Medium
*   SECURITY-3105: Medium
*   SECURITY-3106: High
*   SECURITY-3109: Medium
*   SECURITY-3115: Medium
*   SECURITY-3116: Medium
*   SECURITY-3140: Medium
*   SECURITY-3153: Medium
*   SECURITY-3196: Medium
*   SECURITY-3201: Medium
*   SECURITY-3214 (1): Medium
*   SECURITY-3214 (2): Medium
*   SECURITY-3223: High
*   SECURITY-3229: Low

**Affected Versions**

*   **Blue Ocean Plugin** up to and including 1.27.5
*   **Config File Provider Plugin** up to and including 952.va\_544a\_6234b\_46
*   **Delphix Plugin** up to and including 3.0.2
*   **Docker Swarm Plugin** up to and including 1.11
*   **Favorite View Plugin** up to and including 5.v77a\_37f62782d
*   **Flaky Test Handler Plugin** up to and including 1.2.2
*   **Folders Plugin** up to and including 6.846.v23698686f0f6
*   **Fortify Plugin** up to and including 22.1.38
*   **Gogs Plugin** up to and including 1.0.15
*   **Maven Artifact ChoiceListProvider (Nexus) Plugin** up to and including 1.14
*   **NodeJS Plugin** up to and including 1.6.0
*   **Shortcut Job Plugin** up to and including 0.4
*   **Tuleap Authentication Plugin** up to and including 1.1.20

**Fix**

*   **Blue Ocean Plugin** should be updated to version 1.27.5.1
*   **Config File Provider Plugin** should be updated to version 953.v0432a\_802e4d2
*   **Delphix Plugin** should be updated to version 3.0.3
*   **Flaky Test Handler Plugin** should be updated to version 1.2.3
*   **Folders Plugin** should be updated to version 6.848.ve3b\_fd7839a\_81
*   **Fortify Plugin** should be updated to version 22.2.39
*   **NodeJS Plugin** should be updated to version 1.6.0.1
*   **Shortcut Job Plugin** should be updated to version 0.5
*   **Tuleap Authentication Plugin** should be updated to version 1.1.21

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Docker Swarm Plugin
*   Favorite View Plugin
*   Gogs Plugin
*   Maven Artifact ChoiceListProvider (Nexus) Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3116, SECURITY-3153
*   **Andrea Chiera, CloudBees, Inc.** for SECURITY-3201, SECURITY-3223
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-3214 (1), SECURITY-3214 (2)
*   **James Nord, CloudBees, Inc.** for SECURITY-3090, SECURITY-3196
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-3071, SECURITY-3105, SECURITY-3106, SECURITY-3109, SECURITY-3140
*   **Kevin Guerroudj, CloudBees, Inc. and Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2811
*   **Kevin Guerroudj, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3229
*   **Kevin Guerroudj, CloudBees, Inc. and, independently, Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3115
*   **anhnm99** for SECURITY-2894

CVE-2023-4302: Jenkins Security Advisory 2023-08-16

Jenkins Fortify Plugin 22.1.38 and earlier does not escape the error message for a form validation method, resulting in an HTML injection vulnerability.



CVE-2023-4303: Jenkins Security Advisory 2023-08-16

Due to improper input validation, a remote attacker could execute arbitrary commands on the target system.

CVE-2023-25915: Redirecting…

Due to improper restriction, attackers could retrieve and read system files of the underlying server through the XML interface.

Source

CVE