ghsa

### Impact A vulnerability in Rancher has been discovered, leading to a local user impersonation through SAML Authentication on first login. The issue occurs when a SAML authentication provider (AP) is configured (e.g. Keycloak). A newly created AP user can impersonate any user on Rancher by manipulating cookie values during their initial login to Rancher. This vulnerability could also be exploited if a Rancher user (present on the AP) is removed, either manually or automatically via the [User Retention feature](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-user-retention) with delete-inactive-user-after. More precisely, Rancher validates only a subset of input from the SAML assertion request; however, it trusts and uses values that are not properly validated. An attacker could then configure the saml_Rancher_UserID cookie and the saml_Rancher_Action cookie so that the user principal from the AP will be added to the user specified by the attacker (...

### Impact An unauthenticated stack overflow crash, leading to a denial of service (DoS), was identified in Rancher’s `/v3-public/authproviders` public API endpoint. A malicious user could submit data to the API which would cause the Rancher server to crash, but no malicious or incorrect data would actually be written in the API. The downstream clusters, i.e., the clusters managed by Rancher, are not affected by this issue. This vulnerability affects those using external authentication providers as well as Rancher’s local authentication. ### Patches The patch includes the removal of unnecessary HTTP methods of the specific API. Patched versions include releases `v2.8.13`, `v2.9.7` and `v2.10.3`. ### Workarounds There are no workarounds for this issue. Users are recommended to upgrade, as soon as possible, to a version of Rancher Manager that contains the fix. ### References If you have any questions or comments about this advisory: - Reach out to the [SUSE Rancher Security team](h...

### Impact A vulnerability has been identified within Rancher where it is possible for an unauthenticated user to list all CLI authentication tokens and delete them before the CLI is able to get the token value. This effectively prevents users from logging in via the CLI when using rancher token as the execution command (instead of the token directly being in the kubeconfig). Note that this token is not the kubeconfig token and if an attacker is able to intercept it they can't use it to impersonate a real user since it is encrypted. This happens because for SAML-based authentication providers, the login flow from the CLI works by generating a link to be pasted in the browser, and then polling every 10 seconds for the `/v3-public/authTokens/<token name>` endpoint. The `<token name>` is randomly generated by the CLI. Once the login flow succeeds, Rancher creates an auth token (with an encrypted token value). The CLI then deletes the authToken. Rancher deployments using only the loc...

The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions. The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker. This issue affects mongosh versions prior to 2.3.9.

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the user’s clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9.

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using ‘tab’ to autocomplete text that is a prefix of the attacker’s prepared autocompletion. This issue affects mongosh versions prior to 2.3.9.  The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

### Summary This advisory addresses a file placement vulnerability that could allow assets to be uploaded to unintended directories on the server. * **Improper Limitation of a Pathname to a Restricted Directory:** A vulnerability exists in the asset upload functionality that allows users to upload files to directories outside of the intended temporary directory. ### Mitigation Please update to 5.2.3 or later. ### Workarounds None ### References If you have any questions or comments about this advisory: Email us at [[email protected]](mailto:[email protected])

### Summary This advisory addresses an authorization vulnerability in Mautic's HTTP Basic Authentication implementation. This flaw could allow unauthorized access to sensitive report data. * **Improper Authorization:** An authorization flaw exists in Mautic's API Authorization implementation. Any authenticated user, regardless of assigned roles or permissions, can access all reports and their associated data via the API. This bypasses the intended access controls governed by the "Reporting Permissions > View Own" and "Reporting Permissions > View Others" permissions, which should restrict access to non-System Reports. ### Mitigation Please update to Mautic 5.2.3 or later ### Workarounds Disable the API in Mautic. See [documentation](https://docs.mautic.org/en/5.2/configuration/settings.html#api-settings). ### References https://cwe.mitre.org/data/definitions/285.html https://docs.mautic.org/en/5.2/configuration/settings.html#api-settings If you have any questions or comments...

### Summary This advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. These vulnerabilities could be exploited by authenticated users. * **Remote Code Execution (RCE) via Asset Upload:** A Remote Code Execution vulnerability has been identified in the asset upload functionality. Insufficient enforcement of allowed file extensions allows an attacker to bypass restrictions and upload executable files, such as PHP scripts. * **Path Traversal File Deletion:** A Path Traversal vulnerability exists in the upload validation process. Due to improper handling of path components, an authenticated user can manipulate the file deletion process to delete arbitrary files on the host system. ### Mitigation Please update to 5.2.3 or later. ### Workarounds None ### References https://owasp.org/www-community/attacks/Code_Injection https://owasp.org/www-community/attacks/Path_Traversal If you have any questions or comments about this advisory: Ema...

## Summary A [DOM-Based XSS](https://capec.mitre.org/data/definitions/588.html) was discovered in [copyparty](https://github.com/9001/copyparty), a portable fileserver. The vulnerability is considered low-risk. ## Details By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execute arbitrary javascript with the same privileges as that user. For example, this could give unintended read-access to files owned by that user. The bug is triggered by the drag-drop action itself; it is not necessary to actually initiate the upload. The file must be empty (zero bytes). Note: As a general-purpose webserver, it is intentionally possible to upload HTML-files with arbitrary javascript in `<script>` tags, which will execute when the file is opened. The difference is that this vulnerability would trigger execution of javascript during the act of uploading, and not when the uploaded file was opened. ## Proof of Conce...