chaskiq is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Valid

Reported on

Jan 12th 2022

**Description**

`chaskid` is a Open Source Messaging Platform for Marketing, Support & Sales this package is vulnerable for xss

**Proof of Concept**

**Impact**

This vulnerability is capable of stored XSS

We are processing your report and will contact the chaskiq team within 24 hours. 5 days ago

We created a GitHub Issue asking the maintainers to create a `SECURITY.md` 4 days ago

![](https://avatars.githubusercontent.com/u/11976?v=4)

Hello, not sure how to reproduce the security issue, can you guide us?

![](https://avatars.githubusercontent.com/u/36979660?v=4)

Hey , really sorry for that , my link got broken or something happened with Imgur

Here is the gdrive for poc : https://drive.google.com/file/d/1bzuZZowCtn4yF5JoQwpJNQp1RzAFk6jL/view?usp=drivesdk

Thank you

![](https://avatars.githubusercontent.com/u/11976?v=4)

Thanks, Abdul, I will take care of this issue asap!

![](https://avatars.githubusercontent.com/u/36979660?v=4)

![](https://avatars.githubusercontent.com/u/11976?v=4)

how can we help you back?

![](https://avatars.githubusercontent.com/u/11976?v=4)

The fix bounty is now up for grabs

![](https://avatars.githubusercontent.com/u/36979660?v=4)

![](https://avatars.githubusercontent.com/u/11976?v=4)

The fix bounty has been dropped

![](https://avatars.githubusercontent.com/u/11976?v=4)

Hey @admin, Can you assign a CVE?

We are processing your report and will contact the chaskiq team within 24 hours. 5 days ago

We created a GitHub Issue asking the maintainers to create a `SECURITY.md` 4 days ago

![](https://avatars.githubusercontent.com/u/11976?v=4)

Hello, not sure how to reproduce the security issue, can you guide us?

![](https://avatars.githubusercontent.com/u/36979660?v=4)

Hey , really sorry for that , my link got broken or something happened with Imgur

Here is the gdrive for poc : https://drive.google.com/file/d/1bzuZZowCtn4yF5JoQwpJNQp1RzAFk6jL/view?usp=drivesdk

Thank you

![](https://avatars.githubusercontent.com/u/11976?v=4)

Thanks, Abdul, I will take care of this issue asap!

![](https://avatars.githubusercontent.com/u/36979660?v=4)

![](https://avatars.githubusercontent.com/u/11976?v=4)

how can we help you back?

![](https://avatars.githubusercontent.com/u/11976?v=4)

The fix bounty is now up for grabs

![](https://avatars.githubusercontent.com/u/36979660?v=4)

![](https://avatars.githubusercontent.com/u/11976?v=4)

The fix bounty has been dropped

![](https://avatars.githubusercontent.com/u/11976?v=4)

Hey @admin, Can you assign a CVE?

CVE-2021-3853: Cross-site Scripting (XSS) - Stored in chaskiq

Pexip Infinity before 26.2 allows temporary remote Denial of Service (abort) because of missing call-setup input validation.

CVE-2021-42555: Pexip security bulletins | Pexip Infinity Docs

In ipcSetDataReference of Parcel.cpp, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12Android ID: A-203847542

_Published January 4, 2022 | January 10, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-01-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a high security vulnerability in the Android runtime component that could enable a local attacker to bypass memory restrictions in order to gain access to additional permissions. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-01-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-01-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39630

A-202768292

EoP

High

12

CVE-2021-39632

A-202159709

EoP

High

11, 12

CVE-2020-0338

A-123700107

ID

High

9, 10

**Media Framework**

The vulnerability in this section could lead to remote escalation of privilege with no additional execution privileges or user interaction needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39623

A-194105348

EoP

High

9, 10, 11, 12

**System**

The most severe vulnerability in this section could enable a local privileged attacker to install existing packages without requiring user consent.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39618

A-196855999

EoP

High

9, 10, 11, 12

CVE-2021-39620

A-203847542

EoP

High

11, 12

CVE-2021-39621

A-185126319

EoP

High

9, 10, 11, 12

CVE-2021-39622

A-192663648

EoP

High

10, 11, 12

CVE-2021-39625

A-194695347

EoP

High

9, 10, 11, 12

CVE-2021-39626

A-194695497

EoP

High

9, 10, 11, 12

CVE-2021-39627

A-185126549

EoP

High

9, 10, 11, 12

CVE-2021-39629

A-197353344

EoP

High

9, 10, 11, 12

CVE-2021-0643

A-183612370

ID

High

10, 11, 12

CVE-2021-39628

A-189575031

ID

High

10, 11

CVE-2021-39659

A-208267659

DoS

High

10, 11, 12

**Google Play system updates**

There are no security issues addressed in Google Play system updates (Project Mainline) this month.

**2022-01-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-01-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Android runtime**

The vulnerability in this section could enable a local attacker to bypass memory restrictions in order to gain access to additional permissions.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-0959

A-200284993

EoP

High

12

**Kernel components**

The most severe vulnerability in this section could lead to a local escalation of privilege due to a race condition, with no additional execution privileges or user interaction needed.

    

CVE

References

Type

Severity

Component

CVE-2021-39634

A-204450605  
Upstream kernel

EoP

High

Kernel

CVE-2021-39633

A-150694665  
Upstream kernel

ID

High

Kernel

**Kernel LTS**

The following kernel versions have been updated.

References

Android Launch Version

Kernel Launch Version

Minimum Launch Version

A-182179492

11

5.4

5.4.86

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Component

CVE-2021-31345

A-207693368  
M- MOLY00756840 \*

High

Modem (Nucleus NET TCP/IP)

CVE-2021-31346

A-207646334  
M-MOLY00756840 \*

High

Modem (Nucleus NET TCP/IP)

CVE-2021-31890

A-207646336  
M-MOLY00756840 \*

High

Modem (Nucleus NET TCP/IP)

CVE-2021-40148

A-204728248  
M-MOLY00716585 \*

High

Modem EMM

CVE-2021-31889

A-207646335  
M-MOLY00756840 \*

High

Modem (Nucleus NET TCP/IP)

**Unisoc components**

This vulnerability affects Unisoc components and further details are available directly from Unisoc. The severity assessment of this issue is provided directly by Unisoc.

   

CVE

References

Severity

Component

CVE-2021-1049

A-204256722  
U-1733219 \*

High

slogmodem

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2021-30319

A-202025735  
QC-CR#2960714

High

WLAN

CVE-2021-30353

A-202025599  
QC-CR#2993069 \[2\]

High

Audio

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2021-30285

A-193070555 \*

Critical

Closed-source component

CVE-2021-30287

A-193070556 \*

High

Closed-source component

CVE-2021-30300

A-193071116 \*

High

Closed-source component

CVE-2021-30301

A-193070342 \*

High

Closed-source component

CVE-2021-30307

A-193070700 \*

High

Closed-source component

CVE-2021-30308

A-193070594 \*

High

Closed-source component

CVE-2021-30311

A-193070557 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-01-01 or later address all issues associated with the 2022-01-01 security patch level.
*   Security patch levels of 2022-01-05 or later address all issues associated with the 2022-01-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-01-01\]
*   \[ro.build.version.security\_patch\]:\[2022-01-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-01-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-01-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-01-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

January 4, 2022

Bulletin Released

2.0

January 10, 2022

Revised CVE table

CVE-2021-39620: Android Security Bulletin—January 2022  |  Android Open Source Project

In setLaunchIntent of BluetoothDevicePickerPreferenceController.java, there is a possible way to invoke an arbitrary broadcast receiver due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-12Android ID: A-195668284

_Published January 4, 2022_

The Android Automotive OS (AAOS) Update Bulletin contains details of security vulnerabilities affecting the Android Automotive OS platform. The full AAOS update comprises the security patch level of 2022-01-05 or later from the January 2022 Android Security Bulletin in addition to all issues in this bulletin.

We encourage all customers to accept these updates to their devices.

The most severe of these issues is a high security vulnerability in the AAOS component that could enable a local malicious application to gain access to additional privileges due to a confused deputy. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

****Announcements****

*   In addition to the security vulnerabilities described in the January 2022 Android Security Bulletin, the January 2022 Android Automotive OS Update Bulletin also contains patches specifically for AAOS vulnerabilities as described below.

****2022-01-01 security patch level vulnerability details****

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-01-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

****AAOS****

The most severe vulnerability in this section could enable a local malicious application to gain access to additional privileges due to a confused deputy.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-1035

A-195668284

EoP

High

10, 12

CVE-2021-1036

A-182812255

EoP

High

9, 10, 11, 12

CVE-2021-1037

A-162951906

ID

High

9, 10, 11, 12

****Common questions and answers****

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

*   Security patch levels of 2022-01-01 or later address all issues associated with the 2022-01-01 security patch level.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-01-01\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-01-01 security patch level. Please see this article for more details on how to install security updates.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

**Abbreviation**

**Definition**

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

****Versions****

  

Version

Date

Notes

1.0

January 4, 2022

Bulletin Released

CVE-2021-1035: Android Automotive OS Update Bulletin—January 2022  |  Android Open Source Project

In copy_from_mbox of sss_ice_util.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-202003354References: N/A

_Published January 4, 2022_

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices (Google devices). For Google devices, security patch levels of 2022-01-05 or later address all issues in this bulletin and all issues in the January 2022 Android Security Bulletin. To learn how to check a device's security patch level, see Check and update your Android version.

All supported Google devices will receive an update to the 2022-01-05 patch level. We encourage all customers to accept these updates to their devices.

****Announcements****

*   In addition to the security vulnerabilities described in the January 2022 Android Security Bulletin, Google devices also contain patches for the security vulnerabilities described below.

****Security patches****

Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

****Pixel****

    

CVE

References

Type

Severity

Component

CVE-2021-39678

A-171742549 \*

EoP

High

Gboard

CVE-2021-39679

A-188745089 \*

EoP

High

Display/graphics

CVE-2021-39682

A-201677538 \*

EoP

High

Display/graphics

CVE-2021-39683

A-202003354 \*

EoP

High

Titan M2

CVE-2021-39684

A-203250788 \*

EoP

High

Bootloader

CVE-2021-40490

A-199579676 \*

EoP

High

Kernel

CVE-2021-39680

A-197965864 \*

ID

High

Titan M2

CVE-2021-39681

A-200251074 \*

EoP

Moderate

Telephony

****Qualcomm components****

    

CVE

References

Severity

Component

CVE-2021-30313

A-178720043

QC-CR#2878995

Moderate

Kernel

****Qualcomm closed-source components****

    

CVE

References

Severity

Component

CVE-2021-30314

A-193072178 \*

Moderate

Closed-source component

****Functional patches****

For details on the new bug fixes and functional patches included in this release, refer to the Pixel Community forum.

****Common questions and answers****

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

Security patch levels of 2022-01-05 or later address all issues associated with the 2022-01-05 security patch level and all previous patch levels. To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?**

Security vulnerabilities that are documented in the Android Security Bulletins are required to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin are not required for declaring a security patch level.

****Versions****

  

Version

Date

Notes

1.0

January 4, 2022

Bulletin Released

CVE-2021-39683: Pixel Update Bulletin—January 2022  |  Android Open Source Project

Improper validation of function pointer type with actual function signature can lead to assertion in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables

CVE-2021-30353: January 2022 Security Bulletin | Qualcomm

Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 12 Jan 2022 19:10:44 +0100
From: Wadeck Follonier <wfollonier@...udbees.com>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins and Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* Jenkins 2.330
\* Jenkins LTS 2.319.2
\* Active Directory Plugin 2.25.1
\* Badge Plugin 1.9.1
\* Bitbucket Branch Source Plugin 746.v350d2781c184
\* Configuration as Code Plugin 1.55.1
\* Credentials Binding Plugin 1.27.1
\* Docker Commons Plugin 1.18
\* HashiCorp Vault Plugin 3.8.0
\* Mailer Plugin 408.vd726a\_1130320
\* Matrix Project Plugin 1.20
\* Metrics Plugin 4.0.2.8.1
\* SSH Agent Plugin 1.23.2
\* Warnings Next Generation Plugin 9.10.3

Additionally, we announce unresolved security issues in the following
plugins:

\* batch task Plugin
\* Conjur Secrets Plugin
\* Debian Package Builder Plugin
\* Publish Over SSH Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-01-12/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2558 / CVE-2022-20612
Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST
requests for the HTTP endpoint handling manual build requests when no
security realm is set, resulting in a cross-site request forgery (CSRF)
vulnerability.

This vulnerability allows attackers to trigger build of job without
parameters.


SECURITY-2163 / CVE-2022-20613 (CSRF) & CVE-2022-20614 (missing permission
check)
Mailer Plugin 391.ve4a\_38c1b\_cf4b\_ and earlier does not perform a
permission check in a method implementing form validation.

This allows attackers with Overall/Read access to use the DNS used by the
Jenkins instance to resolve an attacker-specified hostname.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.


SECURITY-2017 / CVE-2022-20615
Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters
in node and label names, and label descriptions.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Agent/Configure permission.


SECURITY-2342 / CVE-2022-20616
Credentials Binding Plugin 1.27 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read access to validate if a credential
ID refers to a secret file credential and whether it's a zip file.


SECURITY-1878 / CVE-2022-20617
Docker Commons Plugin 1.17 and earlier does not sanitize the name of an
image or a tag.

This results in an OS command execution vulnerability exploitable by
attackers with Item/Configure permission or able to control the contents of
a previously configured job's SCM repository.


SECURITY-2033 / CVE-2022-20618
Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not
perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2467 / CVE-2022-20619
Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not
require POST requests for an HTTP endpoint, resulting in a cross-site
request forgery (CSRF) vulnerability.

This allows attackers with Overall/Read access to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.


SECURITY-2189 / CVE-2022-20620
SSH Agent Plugin 1.23 and earlier does not perform permission checks in
several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-1624 / CVE-2022-20621
Metrics Plugin 4.0.2.8 and earlier stores access keys unencrypted in its
global configuration file \`jenkins.metrics.api.MetricsAccessKey.xml\` on the
Jenkins controller as part of its configuration.

This access key can be viewed by users with access to the Jenkins
controller file system.


SECURITY-1389 / CVE-2022-23105
Active Directory Plugin implements two separate modes: integration with
ADSI on Windows, and an OS agnostic LDAP-based mode.

Active Directory Plugin 2.25 and earlier does not encrypt the transmission
of data between the Jenkins controller and Active Directory servers unless
it is configured to use the OS agnostic LDAP mode and the system property
\`hudson.plugins.active\_directory.ActiveDirectorySecurityRealm.forceLdaps\`
is set to \`true\`.

This allows attackers able to capture network traffic between the Jenkins
controller and Active Directory servers to obtain credentials of users
logging into Jenkins, as well as credentials of the manager DN (LDAP mode)
or the Windows/Active Directory user Jenkins is running as (ADSI mode).


SECURITY-2141 / CVE-2022-23106
Configuration as Code Plugin 1.55 and earlier does not use a constant-time
comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain
a valid authentication token.


SECURITY-2090 / CVE-2022-23107
Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the
name of a file when configuring a custom ID.

This allows attackers with Item/Configure permission to write and read
specific files with a hard-coded suffix on the Jenkins controller file
system.


SECURITY-2547 / CVE-2022-23108
Badge Plugin allows adding custom build badges with a custom description
and optionally a link to a URL.

Badge Plugin 1.9 and earlier does not escape the description and does not
check for allowed protocols when creating a badge.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.


SECURITY-2213 / CVE-2022-23109
Pipelines display commands executed in their Pipeline step descriptions and
their output in build logs. To mask sensitive output,
Pipeline: Groovy Plugin 2.84 and earlier specified an
allowlist of known non-sensitive variables and masked everything else. This
caused problems, so Pipeline: Groovy Plugin 2.85 and newer expects pipeline
steps to explicitly specify that variables are to be treated as sensitive
and should be removed from output.

HashiCorp Vault Plugin 3.7.0 and earlier relied on the previous behavior
and did not explicitly declare variables as sensitive or redacted them.

This can result in exposure of Vault credentials in Pipeline build logs and
Pipeline step descriptions.


SECURITY-2287 / CVE-2022-23110
Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server
name.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Overall/Administer permission.

As of publication of this advisory, there is no fix.


SECURITY-2290 / CVE-2022-23111 (CSRF) & CVE-2022-23112 (missing permission
check)
Publish Over SSH Plugin 1.22 and earlier does not perform permission checks
in methods implementing connection tests.

This allows attackers with Overall/Read access to connect to an
attacker-specified SSH server using attacker-specified credentials.

Additionally, these connection tests methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2307 / CVE-2022-23113
Publish Over SSH Plugin 1.22 and earlier performs a validation of the file
name specifying whether it is present or not.

This results in a path traversal vulnerability allowing attackers with
Item/Configure permission to discover the name of the Jenkins controller
files.

As of publication of this advisory, there is no fix.


SECURITY-2291 / CVE-2022-23114
Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its
global configuration file
\`jenkins.plugins.publish\_over\_ssh.BapSshPublisherPlugin.xml\` on the Jenkins
controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.


SECURITY-1025 / CVE-2022-23115
batch task Plugin 1.19 and earlier does not require POST requests for
several HTTP endpoints, resulting in cross-site request forgery (CSRF)
vulnerabilities.

These vulnerabilities allow attackers with Overall/Read access to retrieve
logs, build or delete a batch task.

As of publication of this advisory, there is no fix.


SECURITY-2522 (1) / CVE-2022-23116
Conjur Secrets Plugin 1.0.9 and earlier implements functionality that
allows agent processes to obtain the plain text of any attacker-provided
encrypted secret.

This allows attackers able to control agent processes to decrypt secrets
stored in Jenkins obtained through another method.

As of publication of this advisory, there is no fix.


SECURITY-2522 (2) / CVE-2022-23117
Conjur Secrets Plugin 1.0.9 and earlier implements functionality that
allows agent processes to obtain all username/password credentials
(Credentials Plugin) stored on the Jenkins controller.

This allows attackers able to control agent processes to retrieve those
credentials.

As of publication of this advisory, there is no fix.


SECURITY-2546 / CVE-2022-23118
Debian Package Builder Plugin 1.6.11 and earlier implements functionality
that allows agent processes to invoke command-line \`git\` at an
attacker-specified path on the controller.

This allows attackers able to control agent processes to invoke arbitrary
OS commands on the controller.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-23116: security - Multiple vulnerabilities in Jenkins and Jenkins plugins

The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts

Compatibility : WordPress 6.0  
Compatibility : Elementor Pro 3.7  
Added : Heading Title : Animated Split by Word

Added : Heading Title : Animated Split by Character

Added : Heading Title : Animated Split by Line

Added : Display Rules : Image Selector(Advanced Custom Fields: Extended)

Added : Display Rules : Visitor Location (IP Based - Based on Geoplugin )

Added : Display Rules : WordPress Site Language

Added : Display Rules : Visitor Browser Language

Added : Display Rules : String in URL (Exact match from URL value )

Added : Display Rules : Parameter in URL 

Added : Display Rules : Shortcode based visibility (Advanced Custom PHP function based Shortcode)

Added : Display Rules : Cart Product Category (WooCommerce)

Added : Display Rules : Category In Cart (WooCommerce)

Added : Display Rules : Cart Subtotal (WooCommerce)

Added : Display Rules : Cart Total (WooCommerce)

Added : Display Rules : Items in Cart (WooCommerce)

Added : Display Rules : Purchase Date (WooCommerce)

Added : Display Rules : In Purchase Product Category (WooCommerce)

Added : Display Rules : Order(s) Placed (WooCommerce)

Added : Display Rules : Current Product Category (WooCommerce)

Added : Display Rules : Current Product Price (WooCommerce)

Added : Display Rules : Current Product Stock (WooCommerce)

Added : Display Rules : Cart Product (WooCommerce)

Added : Display Rules : Text field (Toolset)

Added : Display Rules : Number field (Toolset)

Added : Display Rules : Radio field (Toolset)

Added : Display Rules : Checkbox field (Toolset)

Added : Display Rules : Checkboxes field (Toolset)

Added : Display Rules : Select field (Toolset)

Added : Display Rules : Text field (PODS)

Added : Display Rules : Date field (PODS)

Added : Display Rules : Number field (PODS)

Added : Display Rules : Boolean field (PODS)

Added : Display Rules : Text field (Jet Engine)

Added : Display Rules : Text Area field (Jet Engine)

Added : Display Rules : Switcher field (Jet Engine)

Added : Display Rules : Checkbox field (Jet Engine)

Added : Display Rules : Radio field (Jet Engine)

Added : Display Rules : Select field (Jet Engine)

Added : Display Rules : Number field (Jet Engine)

Added : Mouse Cursor : Container

Added : Unfold : Container

Added : Post Feature Image : Container

Update : Display Rules : Display Field Name with Group Label

Update : Dynamic Listing : Category Listout improvement

Update : Product Listing : Upsell Listing

Update : Product Listing : Cross-Sell Listing

Update : Accordion : Title Empty condition for Dynamic Value

Update : Accordion : Scroll Top Offset

Update : Tabs & Tours : Title Empty condition for Dynamic Value

Update : Scroll Navigation : Section Top Offset after click

Update : Post Meta : Taxonomies Type option (Category/Tag)

Update : Woo Single Basic : Next/Previous related to current Product Category

Update : Search bar : Search by Word Match

Update : Search bar : Related Search Tag

Update : Search Filter : Category show based on Archive page option

Update : Search Filter : Sorting value option for Tab, Radio, Checkbox and Dropdown

Update : Hotspot : Hover Pin Image with flip effect

Update : Audio Player : Loop Disable option

Update : LottieFiles Animation : JSON File Upload

Update : Dynamic Listing : Slide Animation option

Update : Infobox : Slide Animation option

Update : Gallery Listing : Slide Animation option

Update : Search bar : Animation option

Update : Number Counter : Dynamic Tag option for Number Value, Animation Starting Value and Gap

Update : Navigation Menu : Sticky support Container

Update : Navigation Menu : Accessibility

Update : Animated Service Boxes : Lottie Animations option

Update : Hotspot : Lottie Animations option

Update : Image Cascading : Lottie Animations option

Update : Number Counter : Lottie Animations option

Update : Popup Builder : Lottie Animations option

Update : Pricing List : Lottie Animations option

Update : Pricing Table : Lottie Animations option

Update : Process/Steps : Lottie Animations option

Update : Progress Bar : Lottie Animations option

Update : Unfold : Lottie Animations option

Update : Live Copy : Container Compatibility

Update : Plus Extras : Container Compatibility

Update : Display Rules : Container Compatibility

Update : Page Scroll : Container Compatibility

Update : Row Background : Container Compatibility

Update : Shape Divider : Container Compatibility

Update : Morphing Layouts : Container Compatibility

Update : Dynamic Smart Showcase : Container Compatibility

Update : Global Tilt Effect : Container Compatibility

Update : Carousel Slider : Container Compatibility

Update : Advanced Shadow : Container Compatibility

Update : Equal Height : Container Compatibility

Update : Glass Morphism : Container Compatibility

Update : Wrapper Link : Container Compatibility

Update : Animated Service Box : Container Compatibility

Update : Animated Service box Text (Stroke and Shadow)

Update : Animated Service box Height (EM,%,VH)

Update : Countdown : Label HTML Tag option (h1 - h6)

Update : Coupon Code : Title HTML Tag option (h1 - h6)

Update : Coupon Code : Content HTML Tag option (h1 - h6)

Update : Coupon Code : JS improvement for Copy button

Update : Woo MyAccount : No order Found Styling

Update : Woo MyAccount : Order tab Individual improvement

Update : Process Step : Margin option for Description

Update : Listing Widget : Post Excerpt empty value validation

Update : Infobox : Top margin option

Update : Social Feed : Instagram Business Account condition improvement

Update : Dynamic Listing : Author Prefix text dynamic

Update : Blog Listing : Author Prefix text dynamic

Fix : Google Map : HTML display bug with Filter

Fix : Table : Tooltip Field

Fix : Listing Widget : On Load more / Lazy load animation

Fix : Mouse Cursor : Column Cursor icon

Fix : LottieFiles Animation : Animation Play Speed

Fix : Countdown : Fake Number

Fix : Sticky Column

Fix : Design Tool : Background Visibility

Fix : Navigation Menu : CSS based effect bug on click

Fix : Slick Carousel : Draggable Disable bug on Mobile

CVE-2021-24948: Give feedback and suggest new ideas for The Plus Addons for Elementor. Powered by FeedBear.

CVE-2021-24948: The Plus Addons for Elementor

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used,

Edit this page

Toggle table of contents sidebar

**Fredrik Lundh#**

This release is dedicated to the memory of Fredrik Lundh, aka Effbot, who died in November 2021. Fredrik created PIL in 1995 and he was instrumental in the early success of Python.

Guido wrote:

> Fredrik was an early Python contributor (e.g. Elementtree and the ‘re’ module) and his enthusiasm for the language and community were inspiring for all who encountered him or his work. He spent countless hours on comp.lang.python answering questions from newbies and advanced users alike.
> 
> He also co-founded an early Python startup, Secret Labs AB, which among other software released an IDE named PythonWorks. Fredrik also created the Python Imaging Library (PIL) which is still THE way to interact with images in Python, now most often through its Pillow fork. His effbot.org site was a valuable resource for generations of Python users, especially its Tkinter documentation.

Thank you, Fredrik.

**Backwards Incompatible Changes#**

**Python 3.6#**

Pillow has dropped support for Python 3.6, which reached end-of-life on 2021-12-23.

**PILLOW\_VERSION constant#**

PILLOW_VERSION has been removed. Use __version__ instead.

**FreeType 2.7#**

Support for FreeType 2.7 has been removed; FreeType 2.8 is the minimum supported.

We recommend upgrading to at least FreeType 2.10.4, which fixed a severe vulnerability introduced in FreeType 2.6 (CVE-2020-15999).

**Image.show command parameter#**

The command parameter has been removed. Use a subclass of PIL.ImageShow.Viewer instead.

**Image.\_showxv#**

Image._showxv has been removed. Use show() instead. If custom behaviour is required, use register() to add a custom Viewer class.

**ImageFile.raise\_ioerror#**

IOError was merged into OSError in Python 3.3. So, ImageFile.raise_ioerror has been removed. Use ImageFile.raise_oserror instead.

**API Changes#**

**Added line width parameter to ImageDraw polygon#**

An optional line width parameter has been added to ImageDraw.Draw.polygon.

**API Additions#**

**ImageShow.XDGViewer#**

If xdg-open is present on Linux, this new PIL.ImageShow.Viewer subclass will be registered. It displays images using the application selected by the system.

It is higher in priority than the other default PIL.ImageShow.Viewer instances, so it will be preferred by im.show() or ImageShow.show().

**Added support for “title” argument to DisplayViewer#**

Support has been added for the “title” argument in DisplayViewer, so that when im.show() or ImageShow.show() use the display command line tool, the “title” argument will also now be supported, e.g. im.show(title="My Image") and ImageShow.show(im, title="My Image").

**Security#**

**Ensure JpegImagePlugin stops at the end of a truncated file#**

JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder.

If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.

**Remove consecutive duplicate tiles that only differ by their offset#**

To prevent attempts to slow down loading times for images, if an image has consecutive duplicate tiles that only differ by their offset, only load the last tile. Credit to Google’s OSS-Fuzz project for finding this issue.

**Restrict builtins available to ImageMath.eval#**

CVE-2022-22817: To limit PIL.ImageMath to working with images, Pillow will now restrict the builtins available to PIL.ImageMath.eval(). This will help prevent problems arising if users evaluate arbitrary expressions, such as ImageMath.eval("exec(exit())").

**Fixed ImagePath.Path array handling#**

CVE-2022-22815 (CWE-126) and CVE-2022-22816 (CWE-665) were found when initializing ImagePath.Path.

**Other Changes#**

**Convert subsequent GIF frames to RGB or RGBA#**

Since each frame of a GIF can have up to 256 colors, after the first frame it is possible for there to be too many colors to fit in a P mode image. To allow for this, seeking to any subsequent GIF frame will now convert the image to RGB or RGBA, depending on whether or not the first frame had transparency.

**Switched to libjpeg-turbo in macOS and Linux wheels#**

The Pillow wheels from PyPI for macOS and Linux have switched from libjpeg to libjpeg-turbo. It is a fork of libjpeg, popular for its speed.

Because different JPEG decoders load images differently, JPEG pixels may be altered slightly with this change.

**Added support for pickling TrueType fonts#**

TrueType fonts may now be pickled and unpickled. For example:

import pickle
from PIL import ImageFont

font \= ImageFont.truetype("arial.ttf", size\=30)
pickled\_font \= pickle.dumps(font, protocol\=pickle.HIGHEST\_PROTOCOL)

\# Later...
unpickled\_font \= pickle.loads(pickled\_font)

**Added support for additional TGA orientations#**

TGA images with top right or bottom right orientations are now supported.

Tag

#google