CTX561482

{{tooltipText}}

Security Bulletin | Severity: Critical | {{likeCount}} found this helpful | Created: {{articleFormattedCreatedDate}} | Modified: {{articleFormattedModifiedDate}} | Status: Final

**Description of Problem**

Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

*   NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13 
*   NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13 
*   NetScaler ADC 13.1-FIPS before 13.1-37.159
*   NetScaler ADC 12.1-FIPS before 12.1-55.297
*   NetScaler ADC 12.1-NDcPP before 12.1-55.297

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action. 

CVE ID

Affected Products

Description

Pre-requisites

CWE

CVSS

CVE-2023-3466

Citrix ADC, Citrix Gateway

Reflected Cross-Site Scripting (XSS)

Requires victim to access an attacker-controlled link in the browser while being on a network with connectivity to the NSIP

Improper Input ValidationCWE-20

8.3

CVE-2023-3467

Citrix ADC, Citrix Gateway

Privilege Escalation to root administrator (nsroot)

Authenticated access to NSIP or SNIP with management interface access

Improper Privilege ManagementCWE-269

8

CVE-2023-3519

Citrix ADC, Citrix Gateway

Unauthenticated remote code execution

Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

Improper Control of Generation of Code ('Code Injection')CWE-94

9.8

**What Customers Should Do**

Exploits of CVE-2023-3519 on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible. 

*   NetScaler ADC and NetScaler Gateway 13.1-49.13  and later releases
*   NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0  
*   NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS  
*   NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS  
*   NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP 

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities. 

**Acknowledgements**

Citrix thanks Wouter Rijkbost and Jorren Geurts of Resillion for working with us to protect Citrix customers.

**What Citrix is Doing**

Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.

**Obtaining Support on This Issue**

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.

**Subscribe to Receive Alerts**

Citrix strongly recommends that all customers subscribe to receive alerts when a Citrix security bulletin is created or modified at https://support.citrix.com/user/alerts.

**Reporting Security Vulnerabilities to Citrix**

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document directly from the Citrix Knowledge Center.

**Changelog**

2023-07-18 T 11:15:00Z

Updated acknowledgment

2023-07-18 T 11:00:00Z

Updated table to accurately represent affected products

2023-07-18 T 10:30:00Z

Initial Publication

2023-07-18 T 13:30:00Z

Updated 12.1 FIPs and NDcPP build details

CVE-2023-3519: Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

ngiflib commit 5e7292 was discovered to contain an infinite loop via the function DecodeGifImg at ngiflib.c.

**Desctiption**

Infinite loop has occurred when running program gif2tga in function DecodeGifImg at ngiflib.c:556

**Version**

    commit 5e7292bfabbeeee8dca0bf4c9a77ff10c8e3bf28 (HEAD -> master, origin/master, origin/HEAD)
    Author: Thomas Bernard <miniupnp@free.fr>
    Date:   Thu Jun 29 01:57:28 2023 +0200
    

**Steps to reproduce**

    git clone https://github.com/miniupnp/ngiflib.git
    cd ngiflib
    CC="clang -fsanitize=address -g" CFLAGS+=-DNGIFLIB_NO_FILE make
    ./gif2tga -i ./poc2
    

**POC**

https://github.com/GGb0ndQAQ/POC/blob/main/ngiflib/poc2

**Code in ngiflib.c:556**

    for(;;) { // here
    		act_code = GetGifWord(i, &context);
    		printf("%d - %d - %d\n",act_code, i->parent->input.buffer.count, npix);
    		if(act_code==eof) {
    #if !defined(NGIFLIB_NO_FILE)
    			if(i->parent && i->parent->log) fprintf(i->parent->log, "End of image code 0x%x (nbbit=%u)\n", eof, context.nbbit);
    #endif /* !defined(NGIFLIB_NO_FILE) */
    			return 0;
    		}
    		if(npix==0) {
    #if !defined(NGIFLIB_NO_FILE)
    			if(i->parent && i->parent->log) fprintf(i->parent->log, "assez de pixels, On se casse !\n");
    #endif /* !defined(NGIFLIB_NO_FILE) */
    			return 1;
    		}	
    		if(act_code==clr) {
    #if !defined(NGIFLIB_NO_FILE)
    			if(i->parent && i->parent->log) fprintf(i->parent->log, "Code clear (%hu) (free=%hu) npix=%ld\n", clr, free, npix);
    #endif /* !defined(NGIFLIB_NO_FILE) */
    			/* clear */
    			free = clr + 2;
    			context.nbbit = i->imgbits + 1;
    			context.max = clr + clr - 1; /* (1 << context.nbbit) - 1 */
    			act_code = GetGifWord(i, &context);	/* the first code after the clear code is concrete */
    			if (act_code >= clr)
    			{
    #if !defined(NGIFLIB_NO_FILE)
    				if(i->parent && i->parent->log) fprintf(i->parent->log, "Invalid code %hu just after clear(%hu) !\n", act_code, clr);
    #endif /* !defined(NGIFLIB_NO_FILE) */
    				return -1;
    			}
    			casspecial = (u8)act_code;
    			old_code = act_code;
    			if(npix > 0) WritePixel(i, &context, casspecial);
    			npix--;
    		} else if(act_code > free) {
    #if !defined(NGIFLIB_NO_FILE)
    			if(i->parent && i->parent->log) fprintf(i->parent->log, "Invalid code %hu (free=%hu) !\n", act_code, free);
    #endif /* !defined(NGIFLIB_NO_FILE) */
    			return -1;
    		} else {
    			read_byt = act_code;
    			if(act_code == free) {	/* code pas encore dans alphabet */
    /*				printf("Code pas dans alphabet : %d>=%d push %d\n", act_code, free, casspecial); */
    				*(--stackp) = casspecial; /* dernier debut de chaine ! */
    				act_code = old_code;
    			}
    /*			printf("actcode=%d\n", act_code); */
    			while(act_code > clr) { /* code non concret */
    				/* fillstackloop empile les suffixes ! */
    				*(--stackp) = ab_suffx[act_code];
    				act_code = ab_prfx[act_code];	/* prefixe */
    			}
    			/* act_code est concret */
    			casspecial = (u8)act_code;	/* dernier debut de chaine ! */
    			*(--stackp) = casspecial;	/* push on stack */
    			if(npix >= (stack_top - stackp)) {
    				WritePixels(i, &context, stackp, stack_top - stackp);	/* unstack all pixels at once */
    			} else if(npix > 0) {	/* "pixel overflow" */
    				WritePixels(i, &context, stackp, npix);
    			}
    			npix -= (stack_top - stackp);
    			stackp = stack_top;
    /*			putchar('\n'); */
    			if(free < 4096) { /* la taille du dico est 4096 max ! */
    				ab_prfx[free] = old_code;
    				ab_suffx[free] = (u8)act_code;
    				free++;
    				if((free > context.max) && (context.nbbit < 12)) {
    					context.nbbit++;	/* 1 bit de plus pour les codes LZW */
    					context.max += context.max + 1;
    				}
    			}
    			old_code = read_byt;
    		}
    			
    	}
    

**Impact**

Potentially causing DoS

CVE-2023-37748: Infinite loop has occurred when running program gif2tga in function DecodeGifImg at ngiflib.c · Issue #25 · miniupnp/ngiflib


A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability could be exploited to retrieve a login certificate if an authenticated user is duped into using an attacker-controlled Dimensions CM server.  This vulnerability only applies when the Jenkins plugin is configured to use login certificate credentials.


  https://www.jenkins.io/security/advisory/2023-06-14/ 



Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2023-32263: Portal


A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
See the following Jenkins security advisory for details:  *   https://www.jenkins.io/security/advisory/2023-06-14/ https://www.jenkins.io/security/advisory/2023-06-14/ 






This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   AWS CodeCommit Trigger Plugin
*   Checkmarx Plugin
*   Digital.ai App Management Publisher Plugin
*   Dimensions Plugin
*   Maven Repository Server Plugin
*   Sonargraph Integration Plugin
*   Team Concert Plugin
*   Template Workflows Plugin

**Descriptions****CSRF protection bypass vulnerability**

**SECURITY-3135 / CVE-2023-35141**  
**Severity (CVSS):** High  
**Description:**

Jenkins provides context menus for various UI elements, like links to jobs and builds, or breadcrumbs.

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint (e.g., the Script Console) by opening a context menu.

As of publication of this advisory, we are aware of insufficiently escaped context menu URLs for label expressions, allowing attackers with Item/Configure permissions to exploit this vulnerability.

Jenkins 2.400, LTS 2.401.1 sends GET requests to load the list of context actions.

**SSL/TLS certificate validation disabled by default in Checkmarx Plugin**

**SECURITY-2870 / CVE-2023-35142**  
**Severity (CVSS):** Medium  
**Affected plugin: checkmarx**  
**Description:**

Checkmarx Plugin allows to globally enable or disable SSL/TLS validation for connections to the Checkmarx server. Checkmarx Plugin 2022.4.3 and earlier disables it by default. Unless changed by an administrator, it would cause all connections to the Checkmarx server to ignore SSL/TLS validation, thereby enabling potential man-in-the-middle attacks.

Checkmarx Plugin 2023.2.6 enables SSL/TLS validation by default. Administrators who do not want SSL/TLS validation for connections to the Checkmarx server to be disabled are advised to review their configuration.

**Missing permission checks in Team Concert Plugin**

**SECURITY-2932 / CVE-2023-3315**  
**Severity (CVSS):** Medium  
**Affected plugin: teamconcert**  
**Description:**

Team Concert Plugin 2.4.1 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Team Concert Plugin 2.4.2 requires Overall/Administer permission for the affected form validation methods.

**Missing permission check in Dimensions Plugin allows enumerating credentials IDs**

**SECURITY-3138 / CVE-2023-32261**  
**Severity (CVSS):** Medium  
**Affected plugin: dimensionsscm**  
**Description:**

Dimensions Plugin 0.9.3 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Dimensions Plugin 0.9.3.1 requires the appropriate permissions.

**Exposure of system-scoped credentials in Dimensions Plugin**

**SECURITY-3143 / CVE-2023-32262**  
**Severity (CVSS):** Medium  
**Affected plugin: dimensionsscm**  
**Description:**

Dimensions Plugin 0.9.3 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

Dimensions Plugin 0.9.3.1 defines the appropriate context for credentials lookup.

**Stored XSS vulnerability in Maven Repository Server Plugin**

**SECURITY-3156 / CVE-2023-35143**  
**Severity (CVSS):** High  
**Affected plugin: repository**  
**Description:**

Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in pom.xml.

**Stored XSS vulnerability in Maven Repository Server Plugin**

**SECURITY-2951 / CVE-2023-35144**  
**Severity (CVSS):** High  
**Affected plugin: repository**  
**Description:**

Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change project or build display names.

**Stored XSS vulnerability in Sonargraph Integration Plugin**

**SECURITY-3155 / CVE-2023-35145**  
**Severity (CVSS):** High  
**Affected plugin: sonargraph-integration**  
**Description:**

Sonargraph Integration Plugin 5.0.1 and earlier does not correctly escape the file path and the project name for the Log file field form validation.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Stored XSS vulnerability in Template Workflows Plugin**

**SECURITY-3166 / CVE-2023-35146**  
**Severity (CVSS):** High  
**Affected plugin: template-workflows**  
**Description:**

Template Workflows Plugin 41.v32d86a\_313b\_4a and earlier does not escape names of jobs used as buildings blocks for Template Workflow Job.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create jobs.

**Arbitrary file read vulnerability in AWS CodeCommit Trigger Plugin**

**SECURITY-3099 / CVE-2023-35147**  
**Severity (CVSS):** Medium  
**Affected plugin: aws-codecommit-trigger**  
**Description:**

AWS CodeCommit Trigger Plugin allows downloading activity logs of AWS Simple Queue Service (SQS) queues.

AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the queue name path parameter in the corresponding HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.

**CSRF vulnerability and missing permission checks in Digital.ai App Management Publisher Plugin**

**SECURITY-2911 / CVE-2023-35148 (CSRF), CVE-2023-35149 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: ease-plugin**  
**Description:**

Digital.ai App Management Publisher Plugin 2.6 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Severity**

*   SECURITY-2870: Medium
*   SECURITY-2911: Medium
*   SECURITY-2932: Medium
*   SECURITY-2951: High
*   SECURITY-3099: Medium
*   SECURITY-3135: High
*   SECURITY-3138: Medium
*   SECURITY-3143: Medium
*   SECURITY-3155: High
*   SECURITY-3156: High
*   SECURITY-3166: High

**Affected Versions**

*   **Jenkins weekly** up to and including 2.399
*   **Jenkins LTS** up to and including 2.387.3
*   **AWS CodeCommit Trigger Plugin** up to and including 3.0.12
*   **Checkmarx Plugin** up to and including 2022.4.3
*   **Digital.ai App Management Publisher Plugin** up to and including 2.6
*   **Dimensions Plugin** up to and including 0.9.3
*   **Maven Repository Server Plugin** up to and including 1.10
*   **Sonargraph Integration Plugin** up to and including 5.0.1
*   **Team Concert Plugin** up to and including 2.4.1
*   **Template Workflows Plugin** up to and including 41.v32d86a\_313b\_4a

**Fix**

*   **Jenkins weekly** should be updated to version 2.400
*   **Jenkins LTS** should be updated to version 2.401.1
*   **Checkmarx Plugin** should be updated to version 2023.2.6
*   **Dimensions Plugin** should be updated to version 0.9.3.1
*   **Team Concert Plugin** should be updated to version 2.4.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   AWS CodeCommit Trigger Plugin
*   Digital.ai App Management Publisher Plugin
*   Maven Repository Server Plugin
*   Sonargraph Integration Plugin
*   Template Workflows Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3143, SECURITY-3155, SECURITY-3156, SECURITY-3166
*   **CC Bomber, Kitri BoB** for SECURITY-2951
*   **Daniel Beck, CloudBees Inc.** for SECURITY-2870
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2932
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-3135, SECURITY-3138
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2911
*   **Tony Torralba (@atorralba), GitHub Security Lab** for SECURITY-3099

CVE-2023-32261: Jenkins Security Advisory 2023-06-14


There is SQL injection vulnerability in Esri ArcGIS Insights 2022.1 for ArcGIS Enterprise and that may allow a remote, authorized attacker to execute arbitrary SQL commands against the back-end database. The effort required to generate the crafted input required to exploit this issue is complex and requires significant effort before a successful attack can be expected.



Esri has released ArcGIS Insights Security Patches for ArcGIS Insights 2022.1. These patches resolve high severity security vulnerabilities in ArcGIS Insights Desktop (Windows and Mac), ArcGIS Enterprise on Windows, ArcGIS Server and Portal for ArcGIS on Linux either as the base deployment or the primary ArcGIS connection.

These patches were released on June 23, 2023 and are available here.

We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess risk of these vulnerabilities to their operations.  Both base and modified temporal scores are provided to reflect the availability of an official patch.

****Vulnerabilities fixed by this patch:****

**There is SQL injection vulnerability** in Esri ArcGIS Insights 2022.1 for ArcGIS Enterprise and that may allow a remote, authorized attacker to execute arbitrary SQL commands against the back-end database. The effort required to generate the crafted input required to exploit this issue is complex and requires significant effort before a successful attack can be expected.

*   **CVE Details:**CVE-2023-25838
*   **Esri BUG ID: \[**BUG-000157278 **– ArcGIS Insights has a security vulnerability.\]**
*   CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
*   Base CVSSv31: 7.5 /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
*   Environmentally Modified CVSSv3.1: 7.2  /AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/

**There is SQL injection vulnerability** in Esri ArcGIS Insights Desktop for Mac and Windows version 2022.1  that may allow a local, authorized attacker to execute arbitrary SQL commands against the back-end database. The effort required to generate the crafted input required to exploit this issue is complex and requires significant effort before a successful attack can be expected.

*   **CVE Details:**CVE-2023-25839
*   **Esri BUG ID: \[**BUG-000157278 **– ArcGIS Insights has a security vulnerability.\]**
*   CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
*   Base CVSSv31: 7.0 /AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
*   Environmentally Modified CVSSv3.1: 6.7  /AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/RL:O

Install the provided patches to remediate these issues.

CVE-2023-25838: ArcGIS Insights Security Patches for ArcGIS Insights 2022.1 are now available

A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.

**Project description**

Pygments is a syntax highlighting package written in Python.

It is a generic syntax highlighter suitable for use in code hosting, forums, wikis or other applications that need to prettify source code. Highlights are:

*   a wide range of over 500 languages and other text formats is supported
    
*   special attention is paid to details, increasing quality by a fair amount
    
*   support for new languages and formats are added easily
    
*   a number of output formats, presently HTML, LaTeX, RTF, SVG, all image formats that PIL supports and ANSI sequences
    
*   it is usable as a command-line tool and as a library
    

Copyright 2006-2023 by the Pygments team, see AUTHORS. Licensed under the BSD, see LICENSE for details.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution****Built Distribution**

CVE-2022-40896: Pygments

In GeoVision GV-ADR2701 cameras, an attacker could edit the login response to access the web application.



CVE-2023-3638

MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to a privilege escalation issue. A remote and authenticated attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface. The attacker can abuse this vulnerability to execute arbitrary code on the system.



ProductsResourcesCommunityCompany

Go back

MikroTik RouterOS Administrator Privilege Escalation

severity

critical

date

July 19, 2023

Affecting

*   MikroTik RouterOS stable through 6.49.6
    
*   MikroTik RouterOS long-term through 6.48.7
    

CVE

CVE-2023-30799

CVE type

Improper Privilege Management

CVSS

9.1

CVSS V3 Vector

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

References

*   Exploit

CVE-2023-30799: MikroTik RouterOS Administrator Privilege Escalation | VulnCheck Advisories

Using "**" as a pattern in Spring Security configuration 
for WebFlux creates a mismatch in pattern matching between Spring 
Security and Spring WebFlux, and the potential for a security bypass.



**Description**

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

**Affected Spring Products and Versions**

Spring Security:

*   6.1.0 to 6.1.1
*   6.0.0 to 6.0.4
*   5.8.0 to 5.8.4
*   5.7.0 to 5.7.9
*   5.6.0 to 5.6.11

**Mitigation**

The following Spring Security versions contain fixes for this vulnerability:

*   6.1.2+
*   6.0.5+
*   5.8.5+
*   5.7.10+
*   5.6.12+

The above require Spring Framework versions:

*   6.0.11+
*   5.3.29+
*   5.2.25+

**Credit**

This vulnerability was disclosed responsibly by tkswifty and Ha1c9on.

**References**

*   https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:N&version=3.1

CVE-2023-34034: CVE-2023-34034: WebFlux Security Bypass With Un-Prefixed Double Wildcard Pattern


All versions of GE Digital CIMPLICITY that are not adhering to SDG guidance and accepting documents from untrusted sources are vulnerable to memory corruption issues due to insufficient input validation, including issues such as out-of-bounds reads and writes, use-after-free, stack-based buffer overflows, uninitialized pointers, and a heap-based buffer overflow. Successful exploitation could allow an attacker to execute arbitrary code.

