Source
ghsa
### Impact It's possible to store Javascript or groovy scripts in an mention macro anchor or reference field. The stored code is executed by anyone visiting the page with the mention. For example, the example below will create a file at `/tmp/exploit.txt`: ``` {{mention reference="XWiki.Translation" anchor="{{/html~}~}{{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit.txt~").withWriter { out -> out.println(~"owned!~"); }{{/groovy~}~}{{/async~}~}"/}} ``` ### Patches This issue has been patched on XWiki 14.4 and 13.10.6. ### Workarounds It's possible to fix the vulnerability by updating `XWiki.Mentions.MentionsMacro` and edit the `Macro code` field of the `XWiki.WikiMacroClass` XObject. ```velocity <a id="$anchor" class="$stringtool.join($cssClasses, ' ')" data-reference="$services.model.serialize($reference.reference, 'default')" href="$link">$content</a> ``` Must be replaced by ```velocity <a id="$escapetool.xml($anchor)" cl...
### Impact It's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the request (URL parameter) using the `XWikiServerClassSheet` if the user has view access to this sheet and another page that has been saved with programming rights, a standard condition on a public read-only XWiki installation or a private XWiki installation where the user has an account. This allows arbitrary Groovy/Python/Velocity code execution which allows bypassing all rights checks and thus both modification and disclosure of all content stored in the XWiki installation. Also, this could be used to impact the availability of the wiki. On current versions (e.g., 14.3), this can be triggered by opening the URL `/xwiki/bin/view/Main/?sheet=XWiki.XWikiServerClassSheet&form_token=<form_token>&action=delete&domain=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%2...
### Impact The tags document `Main.Tags` in XWiki didn't sanitize user inputs properly, allowing users with view rights on the document (default in a public wiki or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights. This allows bypassing all rights checks and thus both modification and disclosure of all content stored in the XWiki installation. Also, this could be used to impact the availability of the wiki. Some versions of XWiki XML-escaped the tag (e.g., version 3.1) but this isn't a serious limitation as string literals can be delimited by `/` in Groovy and `<` and `>` aren't necessary, e.g., to elevate privileges of the current user. On XWiki versions before 13.10.4 and 14.2, this can be combined with the [authentication bypass using the login action](https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8h89-34w2-jpfm), meaning that no rights are required to perform the attack. The following URL dem...
### Impact Talos worker nodes use a join token to get accepted into the Talos cluster. A misconfigured Kubernetes environment may allow workloads to access the join token of the worker node. A malicious workload could then use the join token to construct a Talos CSR (certificate signing request). Due to improper validation while signing a worker node CSR, a Talos control plane node might issue a Talos certificate which allows full access to the Talos API to a worker node that presented a maliciously constructed CSR. Accessing the Talos API with full access on a control plane node might reveal sensitive information, which could allow full-level access to the cluster (Kubernetes and Talos PKI, etc.) In order to exploit the weakness, a Kubernetes workload would need to access the join token, and then construct a specific kind of Talos CSR in order to obtain a privileged certificate. The Talos API join token is stored in the machine configuration on the worker node. When configured corre...
Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.
Two of the maintainers have indicated that the crate may not be maintained. The crate has open issues including memory leaks and may not be suitable for production use. It may be best to switch to the default Rust standard allocator on wasm32 targets. Last release seems to have been three years ago.
### Impact An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel. A denial of service can occur upon binding to an already bound chain. Affected by this vulnerability is the function nft_verdict_init of the file net/netfilter/nf_tables_api.c. The manipulation with an unknown input leads to a denial of service vulnerability. The program does not release or incorrectly releases a resource before it is made available for re-use. ### Patches The fix has been backported to [5.15.64](https://www.linuxkernelcves.com/cves/CVE-2022-39190) version of the upstream Linux kernel (5.15 is the upstream Kernel long term version Talos ships with). Talos >= v1.2.0 is shipped with Linux Kernel 5.15.64 fixing the above issue. ### Workarounds It's recommended to upgrade ### References - https://www.sesin.at/2022/09/02/cve-2022-39190-linux-kernel-up-to-5-19-5-nf_tables_api-c-nft_verdict_init-denial-of-service/ - https://nvd.nist.gov/vuln/detail/CVE-2022-39190 ### For more informa...
### Impact A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. ### Patches The fix has been backported to [5.15.64](https://www.linuxkernelcves.com/cves/CVE-2022-3028) version of the upstream Linux kernel (5.15 is the upstream Kernel long term version Talos ships with). Talos >= v1.2.0 is shipped with Linux Kernel 5.15.64 fixing the above issue. Kubernetes workloads running in Talos are not affected since user namespaces are disabled in Talos kernel config. So an unprivileged user cannot obtain CAP_NET_ADMIN by unsharing. However untrusted workloads that run with privileged: true or having NET_ADMIN capability poses a risk. ### Workarounds Audit kubernetes workloads running in the cluster with ...
### Issue If an attacker is able to control a threshold of keys to insert the same public key more than once with different key IDs into signed, trusted metadata on a TUF repository, then go-tuf [clients](https://github.com/theupdateframework/go-tuf#client) < [0.3.2](https://github.com/theupdateframework/go-tuf/releases/tag/v0.3.2) are susceptible to an attack where attackers can cause the same signature from the same public key to be counted more than once against the threshold of signatures because they were mistakenly distinguished due to having different key IDs. For example, suppose that in the root metadata file, there were a threshold of 2 self-signatures required from 2 different keys $K_A$ and $K_B$ belonging to Alice and Bob respectively. Bob has either mistakenly or maliciously produced a signed a malicious version of the root metadata file where Alice's key is listed once with the keyid $SHA2_{256}(K_A)$, but his public key is listed twice, once with the keyid $SHA2_{256}...
> ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C` (5.5) ### Problem Requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. This vulnerability is the same as described in [TYPO3-CORE-SA-2021-005](https://typo3.org/security/advisory/typo3-core-sa-2021-005) ([CVE-2021-21359](https://nvd.nist.gov/vuln/detail/CVE-2021-21359)). A regression, introduced during TYPO3 v11 development, led to this situation. ### Solution Update to TYPO3 version 11.5.16 that fixes the problem described above. ### Credits Thanks to Rik Willems who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-006](https://...