Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace

CVE-2023-35001: prevent OOB access in nft_byteorder_eval


AMI SPx contains a vulnerability in the BMC where a valid user may cause a use of hard-coded credentials. A successful exploit of this vulnerability may lead to a loss of confidentiality, integrity, and availability. 



%PDF-1.7 %���� 1 0 obj <>/Metadata 231 0 R/ViewerPreferences 232 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/XObject<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/Annots\[ 27 0 R 28 0 R 29 0 R 30 0 R 31 0 R\] /MediaBox\[ 0 0 612 792\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��\]���8����!?v�nB�� �4��1'�v�{\_�zu�a����vO��\_�?��\]N'�9�z3I�Oٮ\*�c��z�C��у�g�U��q���������n��USi�5�����������{O�ܿ���8��������5���ok w���\_.M���S �>�;���\_����U�����\_��{ ��x�^���YU �bG��+��)Ź���tgj�kP������8�\`:�fu��.7��~^������Z�>|���7�xk��B:�F�&���-��Z2V6(T~䠊 ����vY��hxq$�Lٺ����ԉ�?j���4����.Z�x�ࢃ��.\\�s��pѝz�3�x�P�4e���j#��Ru�Xҷ��v�/����>���ϒm�X� �$��B M��|�͹���$�H�-�-ܘ�aw�-��"�ň�'\\ MB?�\`t0��Ǡ8^4�H�xvh?}�=�Rbx����Tj�&K��6�da��X\]�C)�a R�d!}h-9�l��qg��-�2m@�>l��!�R�{L�Yy|��q���J7������엉Z�T\]�b .��r��:}�>iW�g�U�Z��ɒ@چ�P���z�җ�!uW�;i�?��� \_5�.�C�9���X�@�r@�53w�@zA �j�倦��(v �f\[T�@��i�\\�����&����B�jV���\\��>1����S��CN̳#��Bќh�Cі�,j$1��r"|���o&���S~�&�'�r���e�4o�#�mUA���MS��hps$�N5\_WʨZ�8a@�� ��7x�zݭ��>Q��֌��\`6��/���5mHR:���\]N�R��GgRш�d�p \]\[w������@��kj#s\`��3ơ�^@F�id�� ���\`ޫ8$Ð��Է}��%1N\\��v�d��lUAk���챭�����I�Ł�t��yIm��i\\�����P;<��̽��acM�}�k��ɀU��{���z �j -�g�j�?y�����.�)�7Cy����b��2ê};��8蕉3rd�\\�X��� ӫ�k�z�>ѫ\[��Ƽ�+�f�ny��cV�x�y�>0����@�\*\`0�za�us�N�B��79��z�T8�� �>�?NW� l�'�߻k���g��l�\_���m�k|~z�֮%����S�3�i�͝�3���~���H�c�M�,"��u�\`Mݪ�� �?uu�њ�f\[ao\_���\[�!�����7���W4��h� �'kC������5DB��y�!�$������ ��%q yb>���e1Ė�rs�e�"���>����awQ�gx7����jm"�� �"�A0.d�~��X���O:����n��!מּ�v��Z�-Ā-����m�����:�S\[F�U���U:���-�M���5ym��5�NY���ym�.6���R�����R���n��f��Gֶ�f����p�B��cQ�";�?�&t��И�f���)��,����~D'��{��n?xu W�����|^N;f�d�{�~aG���r�\]g��4d���Z�N��t�� r����Ύ�L�PH�om�|�&w�p���I��M:��$��ū��׬Y�>�� ^���� ت�x��.'Zc�b���d�>}u�$Vkp\[3���)�F�Oϡ�.����ھ4��JԲ˩�\`��Rx� �//<���\_������XM\\ԝ�^�!N���?^�����\_ .��9\]!Ug�JCL�m%�ƪ\[Oe�JZ���?��~-I:��\\2�#�ϧݮEW����pAX�C�W�v��9��9����vs\]���0���گM��ޅ �Y4>.2K/ֈ��9��2=��ى�+�A!2CWM�\]8����D�s�˥��B�B��G"��z����%Rݷ!�n}���6��jh��sK(���|�snFJ&�\*� ��9��C�j+�+�#5X����!�CP��� �J�6T�wϲ�kŰj ��"�.!A�Fs��#��&v�Y�-��&�?�npwS|�"c7�d�n¢��4f\\��!X�/y�\`mzn��dc(����x@f�q\]�,ܨ���\]�a6�:7aDCRh� ���'J|�2�Q��^R-�&ez�5Βv��f�g{繵a��@Z�=����gꬍ�9�j7��7�����zhV3��(�,GW�Y�p�r�NK�V�C�������u�~�i��|ƙ�N�Գ�0;�n�qoK7xǚV�;O��Ud\\H�⸣' ������X|l�F'��C����0K�#q�p� ��W\_�麄F V�@?k�n�&�R=XB��h����XJ�^���0�m�T0Z)��d\_CC�d�m��QR�7M;p�>��l$�bCK��=?��v�u�"�Md�|@s� �h�J��~ W�}b�����\*� V7>�6U���", 9ig6f���.w�u�17+�'�YIixa ��)Ɨ8G���P��:�N�\`��f\]a��qL7C��1���GPK c��OŴ�,�\_���Z��O� <\[����~��!��v;�����!���O�p�D��l~x�0���Ӌ9}\_,�ٰ��\[�6��!$ �l?�=e�n8Õ��$.p� �|�wԩ}:G��!(ipu.�}&�Mfa���5&�;U�8�e��e� Z�����Lg3�Q��cLoY�-�^�LLQ��y����Y�)�: 7<�Ñ�f��c}&1�͂�����y���4�6��d�ʊ�5дʯ<�\]�-t��\\���Q�a��穣a�ӱ=�e�Оo��Dv1������MwI�/����Y|�v(���iP<�"�I�:>"=U�p�������?:�$� �щ�c\_���5y��h��k��T�?�J��"�c�y�U�!�\_{ U�������D\]��M��'�&�d�lѓ�\]W�yr֥�a����=�OR�0��1G�1�t����G+���YU\_M֪�n�h��a�@�����z�Y�� �!壋���;�q�z�D\\��P��Qa��\[Xo�����a��ۯ7��z����ьXoj6~��1��� ^�� BD� tab�A�)���C��7

CVE-2023-34473

Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace

\* **\[PATCH\] netfilter: nf\_tables: do not ignore genmask when looking up chain by id**
**@ 2023-07-05 12:12 Thadeu Lima de Souza Cascardo**
  2023-07-05 12:16 \` Florian Westphal
  0 siblings, 1 reply; 2+ messages in thread
From: Thadeu Lima de Souza Cascardo @ 2023-07-05 12:12 UTC (permalink / raw)
  To: netfilter-devel; **+Cc:** cascardo, netdev, Pablo Neira Ayuso

When adding a rule to a chain referring to its ID, if that chain had been
deleted on the same batch, the rule might end up referring to a deleted
chain.

This will lead to a WARNING like following:

\[   33.098431\] ------------\[ cut here \]------------
\[   33.098678\] WARNING: CPU: 5 PID: 69 at net/netfilter/nf\_tables\_api.c:2037 nf\_tables\_chain\_destroy+0x23d/0x260
\[   33.099217\] Modules linked in:
\[   33.099388\] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409
\[   33.099726\] Workqueue: events nf\_tables\_trans\_destroy\_work
\[   33.100018\] RIP: 0010:nf\_tables\_chain\_destroy+0x23d/0x260
\[   33.100306\] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7
\[   33.101271\] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202
\[   33.101546\] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000
\[   33.101920\] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
\[   33.102649\] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000
\[   33.103018\] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500
\[   33.103385\] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10
\[   33.103762\] FS:  0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000
\[   33.104184\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[   33.104493\] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0
\[   33.104872\] PKRU: 55555554
\[   33.104999\] Call Trace:
\[   33.105113\]  <TASK>
\[   33.105214\]  ? show\_regs+0x72/0x90
\[   33.105371\]  ? \_\_warn+0xa5/0x210
\[   33.105520\]  ? nf\_tables\_chain\_destroy+0x23d/0x260
\[   33.105732\]  ? report\_bug+0x1f2/0x200
\[   33.105902\]  ? handle\_bug+0x46/0x90
\[   33.106546\]  ? exc\_invalid\_op+0x19/0x50
\[   33.106762\]  ? asm\_exc\_invalid\_op+0x1b/0x20
\[   33.106995\]  ? nf\_tables\_chain\_destroy+0x23d/0x260
\[   33.107249\]  ? nf\_tables\_chain\_destroy+0x30/0x260
\[   33.107506\]  nf\_tables\_trans\_destroy\_work+0x669/0x680
\[   33.107782\]  ? mark\_held\_locks+0x28/0xa0
\[   33.107996\]  ? \_\_pfx\_nf\_tables\_trans\_destroy\_work+0x10/0x10
\[   33.108294\]  ? \_raw\_spin\_unlock\_irq+0x28/0x70
\[   33.108538\]  process\_one\_work+0x68c/0xb70
\[   33.108755\]  ? lock\_acquire+0x17f/0x420
\[   33.108977\]  ? \_\_pfx\_process\_one\_work+0x10/0x10
\[   33.109218\]  ? do\_raw\_spin\_lock+0x128/0x1d0
\[   33.109435\]  ? \_raw\_spin\_lock\_irq+0x71/0x80
\[   33.109634\]  worker\_thread+0x2bd/0x700
\[   33.109817\]  ? \_\_pfx\_worker\_thread+0x10/0x10
\[   33.110254\]  kthread+0x18b/0x1d0
\[   33.110410\]  ? \_\_pfx\_kthread+0x10/0x10
\[   33.110581\]  ret\_from\_fork+0x29/0x50
\[   33.110757\]  </TASK>
\[   33.110866\] irq event stamp: 1651
\[   33.111017\] hardirqs last  enabled at (1659): \[<ffffffffa206a209>\] \_\_up\_console\_sem+0x79/0xa0
\[   33.111379\] hardirqs last disabled at (1666): \[<ffffffffa206a1ee>\] \_\_up\_console\_sem+0x5e/0xa0
\[   33.111740\] softirqs last  enabled at (1616): \[<ffffffffa1f5d40e>\] \_\_irq\_exit\_rcu+0x9e/0xe0
\[   33.112094\] softirqs last disabled at (1367): \[<ffffffffa1f5d40e>\] \_\_irq\_exit\_rcu+0x9e/0xe0
\[   33.112453\] ---\[ end trace 0000000000000000 \]---

This is due to the nft\_chain\_lookup\_byid ignoring the genmask. After this
change, adding the new rule will fail as it will not find the chain.

Fixes: 837830a4b439 ("netfilter: nf\_tables: add NFTA\_RULE\_CHAIN\_ID attribute")
Cc: stable@vger.kernel.org
Reported-by: Mingi Cho of Theori working with ZDI
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 net/netfilter/nf\_tables\_api.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf\_tables\_api.c b/net/netfilter/nf\_tables\_api.c
index 9573a8fcad79..3701493e5401 100644
--- a/net/netfilter/nf\_tables\_api.c
+++ b/net/netfilter/nf\_tables\_api.c
@@ -2694,7 +2694,7 @@ static int nf\_tables\_updchain(struct nft\_ctx \*ctx, u8 genmask, u8 policy,
 
 static struct nft\_chain \*nft\_chain\_lookup\_byid(const struct net \*net,
 					       const struct nft\_table \*table,
\-					       const struct nlattr \*nla)
+					       const struct nlattr \*nla, u8 genmask)
 {
 	struct nftables\_pernet \*nft\_net = nft\_pernet(net);
 	u32 id = ntohl(nla\_get\_be32(nla));
@@ -2705,7 +2705,8 @@ static struct nft\_chain \*nft\_chain\_lookup\_byid(const struct net \*net,
 
 		if (trans->msg\_type == NFT\_MSG\_NEWCHAIN &&
 		    chain->table == table &&
\-		    id == nft\_trans\_chain\_id(trans))
+		    id == nft\_trans\_chain\_id(trans) &&
+		    nft\_active\_genmask(chain, genmask))
 			return chain;
 	}
 	return ERR\_PTR(-ENOENT);
@@ -3809,7 +3810,8 @@ static int nf\_tables\_newrule(struct sk\_buff \*skb, const struct nfnl\_info \*info,
 			return -EOPNOTSUPP;
 
 	} else if (nla\[NFTA\_RULE\_CHAIN\_ID\]) {
\-		chain = nft\_chain\_lookup\_byid(net, table, nla\[NFTA\_RULE\_CHAIN\_ID\]);
+		chain = nft\_chain\_lookup\_byid(net, table, nla\[NFTA\_RULE\_CHAIN\_ID\],
+					      genmask);
 		if (IS\_ERR(chain)) {
 			NL\_SET\_BAD\_ATTR(extack, nla\[NFTA\_RULE\_CHAIN\_ID\]);
 			return PTR\_ERR(chain);
@@ -10502,7 +10504,8 @@ static int nft\_verdict\_init(const struct nft\_ctx \*ctx, struct nft\_data \*data,
 						 genmask);
 		} else if (tb\[NFTA\_VERDICT\_CHAIN\_ID\]) {
 			chain = nft\_chain\_lookup\_byid(ctx->net, ctx->table,
\-						      tb\[NFTA\_VERDICT\_CHAIN\_ID\]);
+						      tb\[NFTA\_VERDICT\_CHAIN\_ID\],
+						      genmask);
 			if (IS\_ERR(chain))
 				return PTR\_ERR(chain);
 		} else {
-- 
2.34.1

^ permalink raw reply related	\[**flat**|nested\] 2+ messages in thread

\* **Re: \[PATCH\] netfilter: nf\_tables: do not ignore genmask when looking up chain by id**
  2023-07-05 12:12 \[PATCH\] netfilter: nf\_tables: do not ignore genmask when looking up chain by id Thadeu Lima de Souza Cascardo
**@ 2023-07-05 12:16 \` Florian Westphal**
  0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2023-07-05 12:16 UTC (permalink / raw)
  To: Thadeu Lima de Souza Cascardo; **+Cc:** netfilter-devel, netdev, Pablo Neira Ayuso

Thadeu Lima de Souza Cascardo <cascardo@canonical.com> wrote:
\> When adding a rule to a chain referring to its ID, if that chain had been
> deleted on the same batch, the rule might end up referring to a deleted
> chain.
Reviewed-by: Florian Westphal <fw@strlen.de>

^ permalink raw reply	\[**flat**|nested\] 2+ messages in thread

end of thread, other threads:\[~2023-07-05 12:16 UTC | newest\]

**Thread overview:** 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-07-05 12:12 \[PATCH\] netfilter: nf\_tables: do not ignore genmask when looking up chain by id Thadeu Lima de Souza Cascardo
2023-07-05 12:16 \` Florian Westphal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2023-31248: do not ignore genmask when looking up chain by id

In MADEFORNET HTTP Debugger through 9.12, the Windows service does not set the seclevel registry key before launching the driver. Thus, it is possible for an unprivileged application to obtain a handle to the NetFilterSDK wrapper before the service obtains exclusive access.

CVE-2023-35863

Cross Site Scripting (XSS) in Sophos Sophos iView (The EOL was December 31st 2020) in grpname parameter that allows arbitrary script to be executed.

Vendor: Sophos

Product: Sophos iView (The EOL was December 31st 2020)

**Product description:**

Reflected XSS in the privileged user area, where i was able to set parameter ‘json->”grpname”’s value to ‘ww;</script>/</script/>/<svg/onload=alert(‘Sophos’) width=100//>’

That successfully embedded a script in the response, which was executed when the page loads in the user’s browser.

*   CVE ID: CVE-2023-33335
*   CWE ID: CWE-79

**#Proof of Concept**

Reflected cross-site scripting (XSS) vulnerability was discovered in the product.

A cross-site scripting vulnerability was identified.

It was possible to inject malicious code, I’ve successfully embedded a script in the response, which allowed me to execute it when the page loaded in the browser.

The following Proof of Concept (PoC) demonstrates the attack as well as displaying evidence of the script payload being returned in the response.

**PoC:**

    POST /iview
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Referer: https://10.0.0.112/webpages/index.jsp?empty=1_1&watermarkmsg=0
    Cookie: JSESSIONID=189B80C28A886E98BBD17B7AEFF1B63C
    Connection: Keep-Alive
    Host: 10.0.0.112
    X-Requested-With: XMLHttpRequest
    Content-Length: 170
    Cache-Control: no-cache
    Accept: text/plain, */*; q=0.01
    Accept-Language: en-US
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    
    mode=28&deviceprofile=123&json={"selecteddevices":"1","grpname":"ww;</script>/</script/>/<svg/onload=alert('Sophos') width=100//>","description":"www"}&__RequestType=ajax
    
    HTTP/1.1 200 200
    Connection: Keep-Alive
    Server: xxxx
    Content-Length: 173
    X-Frame-Options: SAMEORIGIN
    Keep-Alive: timeout=5, max=100
    Cache-Control: max-age=2592000
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Date: Thu, 09 Jan 2020 14:54:39 GMT
    Expires: Sat, 08 Feb 2020 14:54:39 GMT
    
    {"reurl":"managedevicegroup.html?action=71020","message":"Device Group ww;<\/script>/<\/script/>/<svg/onload=alert('Sophos') width=100//> is already exists.","status":"500"}

Reply from Sophos via Bugcrowd:

“We are divesting the Sophos iView product, meaning that this particular vulnerability is accepted business risk. I will close this issue as Won’t Fix”

**References:**

1.  https://www.owasp.org/index.php/Cross-site\_Scripting\_(XSS)
2.  https://www.firewalls.com/pub/media/wysiwyg/datasheets/Sophos/iView.pdf
3.  https://vimeo.com/107872566
4.  https://docs.sophos.com/nsg/sophos-iview/v03012/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp/AccessDevice.html

CVE-2023-33335: Reflected Cross-Site scripting in Sophos iView

icingaweb2-module-jira provides integration with Atlassian Jira. Starting in version 1.3.0 and prior to version 1.3.2, template and field configuration forms perform the deletion action before user input is validated, including the cross site request forgery token. This issue is fixed in version 1.3.2. There are no known workarounds.

Expand Up @@ -31,9 +31,6 @@ class FieldConfigForm extends CompatForm /\*\* @var string \*/ protected $templateName;  
/\*\* @var bool Hack used for delete button \*/ protected $callOnSuccess;  
/\*\* @var string \*/ protected $fieldId;  
Expand All @@ -47,8 +44,9 @@ public function \_\_construct(RestApi $jira, string $templateName, $fieldId = null $this\->templateName = $templateName;  
if ($fieldId !== null) { // obtain field key in case the fieldId is field label if (! array\_key\_exists($fieldId, $this\->fields)) { $this\->fieldId = array\_search($fieldId, $this\->fields); $this\->fieldId = array\_search($fieldId, $this\->fields) ?: $fieldId; } else { $this\->fieldId = $fieldId; } Expand Down Expand Up @@ -118,6 +116,7 @@ protected function assemble() 'Callback' => function ($value, $validator) { /\*\* @var CallbackValidator $validator \*/ $templateFieldKeys = $this\->templateConfig\->getSection($this\->templateName)->keys();  
$selected = $this\->fields\[$value\];  
if ( Expand Down Expand Up @@ -337,23 +336,31 @@ protected function assemble() $this\->getElement('submit') \->getWrapper() \->prepend($deleteButton); } }  
if ($deleteButton\->hasBeenPressed()) { $templateFields = $this\->templateConfig\->getSection($this\->templateName)->toArray();  
$field = isset($templateFields\[$this\->fieldId\]) ? $this\->fieldId : $this\->fields\[$this\->fieldId\];  
unset($templateFields\[$field\]); public function hasBeenSubmitted() { if ($this\->getPressedSubmitElement() !== null && $this\->getPressedSubmitElement()->getName() === 'delete') { return true; }  
$this\->templateConfig\->setSection($this\->templateName, $templateFields); $this\->templateConfig\->saveIni(); $this\->getSubmitButton()->setValue($this\->getSubmitButton()->getButtonLabel()); return parent::hasBeenSubmitted(); }  
$this\->callOnSuccess = false; public function isValid() { if ($this\->getPressedSubmitElement()->getName() === 'delete') { $csrfElement = $this\->getElement('CSRFToken');  
return; if (! $csrfElement\->isValid()) { return false; }  
return true; }  
return parent::isValid(); }  
/\*\* Expand All @@ -375,8 +382,15 @@ public function optionalEnum($enum, $nullLabel = null)  
public function onSuccess() { if ($this\->callOnSuccess === false) { $this\->getPressedSubmitElement()->setValue($this\->getElement('delete')->getLabel()); if ($this\->getPressedSubmitElement()->getName() === 'delete') { $templateFields = $this\->templateConfig\->getSection($this\->templateName)->toArray();  
$field = isset($templateFields\[$this\->fieldId\]) ? $this\->fieldId : $this\->fields\[$this\->fieldId\];  
unset($templateFields\[$field\]);  
$this\->templateConfig\->setSection($this\->templateName, $templateFields); $this\->templateConfig\->saveIni();  
return; } Expand Down

CVE-2023-30607: Do not perform deletion before user input is validated in `FieldConfi… · Icinga/icingaweb2-module-jira@7f0c53b

GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should upgrade to version 10.0.8 to receive a patch.

Moderate

trasher published GHSA-923r-hqh4-wj7c

Jul 5, 2023

**Package**

glpi (glpi)

**Affected versions**

\>= 0.68

**Patched versions**

10.0.8

**Description**

**Impact**

Incorrect rights check on a file allows access by an authenticated user to the list of all users and their personal information.

**Patches**

Upgrade to 10.0.8.

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

**Severity**

Moderate

6.5

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**CVE ID**

CVE-2023-34106

**Weaknesses**

CWE-284

**Credits**

*    flegastelois Finder

CVE-2023-34106: Unauthorized access to user data

A cross-site scripting (XSS) vulnerability in Selenium Grid v3.141.59 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the hub parameter under the /grid/console page.

**🐛 Bug Report**

A cross-site scripting (XSS) vulnerability exists in Selenium Grid hub's web interface. The vulnerability is located in /grid/console page where unvalidated user input from node's configuration is displayed back to the users.

**To Reproduce**

A node can register to a hub using the following configuration file, where an XSS payload is given in the hub parameter. Since the payload is written as a URL GET parameter value, the node is still be able to register to the hub.  
  
Once the hub's web interface is opened, injected JavaScript code is executed on the user's browser, as shown below.  
  
Also, injected JavaScript code can be seen by inspecting the page source.  

**Expected behavior**

The contents of configuration file should be encoded before being displayed to users.

**Environment**

The vulnerability exists regardless of the environment.  
The test is done using Selenium Grid v3.141.59.

CVE-2020-23452: Cross-Site Scripting (XSS) in hub's web interface · Issue #8259 · SeleniumHQ/selenium

gnuplot v5.5 was discovered to contain a buffer overflow via the function plotrequest().

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets ▾
    *   Bugs
    *   Feature Requests
    *   Patches
    *   Support Requests
*   gnuplot-main
*   Mailing Lists
*   Discussion
*   News
*   Code

Menu ▾ ▴

**#2311 global-buffer-overflow**

Milestone: None

Status: closed-fixed

Owner: nobody

Labels: None

Priority:

Updated: 2020-12-07

Created: 2020-09-09

Private: No

1.  install the latest gnuplot
2.  run the command gnuplot < poc6, where poc6 is the attached file
3.  stacktrace

#2  0x000000000081da19 in do\_enh\_writec ()
#3  0x000000000081e1fa in enhanced\_recursion ()
#4  0x0000000000895597 in ENHemf\_put\_text ()
#5  0x000000000080f868 in write\_multiline ()
#6  0x0000000000549844 in do\_key\_sample ()
#7  0x000000000062cc69 in do\_plot ()
#8  0x00000000006fae52 in eval\_plots ()
#9  0x00000000006e63e2 in plotrequest ()
#10 0x0000000000564587 in plot\_command ()
#11 0x000000000055bb98 in command ()
#12 0x000000000055b4fb in do\_line ()
#13 0x0000000000559d91 in com\_line ()
#14 0x00000000006e3a5d in main ()
#15 0x00007ffff687eb97 in \_\_libc\_start\_main (main\=0x6e2440 <main\>, argc\=0x1, argv\=0x7fffffffe398, init\=<optimized out\>,
    fini\=<optimized out\>, rtld\_fini\=<optimized out\>, stack\_end\=0x7fffffffe388) at ../csu/libc\-start.c:310
#16 0x000000000041b8aa in \_start ()

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-25969: gnuplot / Bugs

A refcounting issue which leads to potential memory leak was discovered in scipy commit 8627df31ab in Py_FindObjects() function.

**Comments**

 rgommers added the defect

A clear bug or issue that prevents SciPy from being installed or used as expected

label

Jun 13, 2022

rgommers added a commit to rgommers/scipy that referenced this issue

Jun 13, 2022

Closes scipygh-16235

Note: also change \`Py\_XDECREF\`s for start/end variables to \`Py\_DECREF\`,
because it's already checked higher up that those variables are not
NULL.

CVE-2023-25399: BUG: Memory leak in function `Py_FindObjects` due to new reference is not decreased (static analyzer report) · Issue #16235 · scipy/scipy

Source

CVE