Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used.

CVE-2022-2422: Redirecting…

CVE-2022-2422

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

CVE-2022-2421: Redirecting…

CVE-2022-2421

drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory.

commit fbd56ddcecab5a3623a89c8e941fdbcc55b41045 Author: Greg Kroah-Hartman Date: Wed Oct 12 09:39:05 2022 +0200 Linux 6.0.1 Link: https://lore.kernel.org/r/20221010070330.159911806@linuxfoundation.org Tested-by: Luna Jernberg Tested-by: Fenil Jain Tested-by: Linux Kernel Functional Testing Tested-by: Justin M. Forbes Tested-by: Florian Fainelli Tested-by: Ronald Warsow Tested-by: Shuah Khan Tested-by: Zan Aziz Tested-by: Slade Watkins Tested-by: Guenter Roeck Tested-by: Rudi Heitbaum Tested-by: Bagas Sanjaya Tested-by: Jon Hunter Tested-by: Sudip Mukherjee Tested-by: Ron Economos Signed-off-by: Greg Kroah-Hartman commit 3c6b036fe5c8ed8b6c4cbdc03605929882907ef0 Author: Tetsuo Handa Date: Fri Sep 2 20:23:48 2022 +0900 Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}\_timer works commit deee93d13d385103205879a8a0915036ecd83261 upstream. syzbot is reporting attempt to schedule hdev->cmd\_work work from system\_wq WQ into hdev->workqueue WQ which is under draining operation \[1\], for commit c8efcc2589464ac7 ("workqueue: allow chained queueing during destruction") does not allow such operation. The check introduced by commit 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work") was incomplete. Use hdev->workqueue WQ when queuing hdev->{cmd,ncmd}\_timer works because hci\_{cmd,ncmd}\_timeout() calls queue\_work(hdev->workqueue). Also, protect the queuing operation with RCU read lock in order to avoid calling queue\_delayed\_work() after cancel\_delayed\_work() completed. Link: https://syzkaller.appspot.com/bug?extid=243b7d89777f90f7613b \[1\] Reported-by: syzbot Signed-off-by: Tetsuo Handa Fixes: 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Greg Kroah-Hartman commit 390ba6a7755d6db79e8000d5501096c24f3b8bfd Author: Jules Irenge Date: Wed Sep 7 16:24:20 2022 +0100 bpf: Fix resetting logic for unreferenced kptrs commit 9fad7fe5b29803584c7f17a2abe6c2936fec6828 upstream. Sparse reported a warning at bpf\_map\_free\_kptrs() "warning: Using plain integer as NULL pointer" During the process of fixing this warning, it was discovered that the current code erroneously writes to the pointer variable instead of deferencing and writing to the actual kptr. Hence, Sparse tool accidentally helped to uncover this problem. Fix this by doing WRITE\_ONCE(\*p, 0) instead of WRITE\_ONCE(p, 0). Note that the effect of this bug is that unreferenced kptrs will not be cleared during check\_and\_free\_fields. It is not a problem if the clearing is not done during map\_free stage, as there is nothing to free for them. Fixes: 14a324f6a67e ("bpf: Wire up freeing of referenced kptr") Signed-off-by: Jules Irenge Link: https://lore.kernel.org/r/Yxi3pJaK6UDjVJSy@playground Signed-off-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 448faed285b9a0dc4101ffb6a256aa261fcd0979 Author: Daniel Golle Date: Fri Sep 30 01:56:53 2022 +0100 net: ethernet: mtk\_eth\_soc: fix state in \_\_mtk\_foe\_entry\_clear commit ae3ed15da5889263de372ff9df2e83e16acca4cb upstream. Setting ib1 state to MTK\_FOE\_STATE\_UNBIND in \_\_mtk\_foe\_entry\_clear routine as done by commit 0e80707d94e4c8 ("net: ethernet: mtk\_eth\_soc: fix typo in \_\_mtk\_foe\_entry\_clear") breaks flow offloading, at least on older MTK\_NETSYS\_V1 SoCs, OpenWrt users have confirmed the bug on MT7622 and MT7621 systems. Felix Fietkau suggested to use MTK\_FOE\_STATE\_INVALID instead which works well on both, MTK\_NETSYS\_V1 and MTK\_NETSYS\_V2. Tested on MT7622 (Linksys E8450) and MT7986 (BananaPi BPI-R3). Suggested-by: Felix Fietkau Fixes: 0e80707d94e4c8 ("net: ethernet: mtk\_eth\_soc: fix typo in \_\_mtk\_foe\_entry\_clear") Fixes: 33fc42de33278b ("net: ethernet: mtk\_eth\_soc: support creating mac address based offload entries") Signed-off-by: Daniel Golle Link: https://lore.kernel.org/r/YzY+1Yg0FBXcnrtc@makrotopia.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 50fe01fa7640bc216bb1a47754a1f799c20eff8e Author: Kumar Kartikeya Dwivedi Date: Wed Sep 21 16:35:50 2022 +0200 bpf: Gate dynptr API behind CAP\_BPF commit 8addbfc7b308d591f8a5f2f6bb24d08d9d79dfbb upstream. This has been enabled for unprivileged programs for only one kernel release, hence the expected annoyances due to this move are low. Users using ringbuf can stick to non-dynptr APIs. The actual use cases dynptr is meant to serve may not make sense in unprivileged BPF programs. Hence, gate these helpers behind CAP\_BPF and limit use to privileged BPF programs. Fixes: 263ae152e962 ("bpf: Add bpf\_dynptr\_from\_mem for local dynptrs") Fixes: bc34dee65a65 ("bpf: Dynptr support for ring buffers") Fixes: 13bbbfbea759 ("bpf: Add bpf\_dynptr\_read and bpf\_dynptr\_write") Fixes: 34d4ef5775f7 ("bpf: Add dynptr data slices") Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20220921143550.30247-1-memxor@gmail.com Acked-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 64517c21fd0f28b40a75d0d3121276b31399278e Author: Palmer Dabbelt Date: Tue Sep 20 13:45:18 2022 -0700 RISC-V: Print SSTC in canonical order commit 61a41d16ad20657f93613229a8b17766c51dc849 upstream. This got out of order during a merge conflict, fix it by putting the entries in the correct order. Fixes: 7ab52f75a9cf ("RISC-V: Add Sstc extension support") Signed-off-by: Palmer Dabbelt Reviewed-by: Conor Dooley Reviewed-by: Heiko Stuebner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220920204518.10988-1-palmer@rivosinc.com/ Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit d3b5e30e87b52404765b25d9ee156a85c3d8caf6 Author: Mario Limonciello Date: Tue Aug 2 23:25:00 2022 -0500 gpiolib: acpi: Add a quirk for Asus UM325UAZ commit 0ea76c401f9245ac209f1b1ce03a7e1fb9de36e5 upstream. Asus UM325UAZ has GPIO 18 programmed as both an interrupt and a wake source, but confirmed with internal team on this design this pin is floating and shouldn't have been programmed. This causes lots of spurious IRQs on the system and horrendous battery life. Add a quirk to ignore attempts to program this pin on this system. Reported-by: Pavel Krc Link: https://bugzilla.kernel.org/show\_bug.cgi?id=216208 Reviewed-by: Hans de Goede Signed-off-by: Mario Limonciello Reviewed-by: Mika Westerberg Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 359e1b7a7f79738e00a59f367dbe0d3a819d1754 Author: Mario Limonciello Date: Tue Aug 2 23:24:59 2022 -0500 gpiolib: acpi: Add support to ignore programming an interrupt commit 6b6af7bd5718f4e45a9b930533aec1158387d552 upstream. gpiolib-acpi already had support for ignoring a pin for wakeup, but if an OEM configures a floating pin as an interrupt source then stopping it from being a wakeup won't do much good to stop the interrupt storm. Add support for a module parameter and quirk infrastructure to ignore interrupts as well. Signed-off-by: Mario Limonciello Reviewed-by: Hans de Goede Reviewed-by: Mika Westerberg Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 94e14d5193c5692faa589b733e9a360154d4696b Author: Johan Hovold Date: Tue Sep 13 16:53:12 2022 +0200 USB: serial: ftdi\_sio: fix 300 bps rate for SIO commit 7bd7ad3c310cd6766f170927381eea0aa6f46c69 upstream. The 300 bps rate of SIO devices has been mapped to 9600 bps since 2003... Let's fix the regression. Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 08e2c70e549b77f5f3af9c76da00779d5756f997 Author: Tadeusz Struk Date: Mon Sep 19 14:59:57 2022 -0700 usb: mon: make mmapped memory read only commit a659daf63d16aa883be42f3f34ff84235c302198 upstream. Syzbot found an issue in usbmon module, where the user space client can corrupt the monitor's internal memory, causing the usbmon module to crash the kernel with segfault, UAF, etc. The reproducer mmaps the /dev/usbmon memory to user space, and overwrites it with arbitrary data, which causes all kinds of issues. Return an -EPERM error from mon\_bin\_mmap() if the flag VM\_WRTIE is set. Also clear VM\_MAYWRITE to make it impossible to change it to writable later. Cc: "Dmitry Vyukov" Cc: stable Fixes: 6f23ee1fefdc ("USB: add binary API to usbmon") Suggested-by: PaX Team # for the VM\_MAYRITE portion Link: https://syzkaller.appspot.com/bug?id=2eb1f35d6525fa4a74d75b4244971e5b1411c95a Reported-by: syzbot+23f57c5ae902429285d7@syzkaller.appspotmail.com Signed-off-by: Tadeusz Struk Link: https://lore.kernel.org/r/20220919215957.205681-1-tadeusz.struk@linaro.org Signed-off-by: Greg Kroah-Hartman commit 3a93bbb581f85367b3227a685aa24a051230229c Author: Aleksa Savic Date: Wed Sep 14 13:43:27 2022 +0200 hwmon: (aquacomputer\_d5next) Fix Quadro fan speed offsets commit b7f3e9650f12d1e06b94a0257bcb90279f691bf5 upstream. The offsets for setting speeds of fans connected to Quadro are off by one. Set them to their correct values. The offsets as shown point to registers for setting the fan control mode, which will be explored in future patches, but slipped in here. When setting fan speeds, the resulting values were overlapping, which made the fans still run in my initial testing. Fixes: cdbe34da01e3 ("hwmon: (aquacomputer\_d5next) Add support for Aquacomputer Quadro fan controller") Signed-off-by: Aleksa Savic Link: https://lore.kernel.org/r/20220914114327.6941-1-savicaleksa83@gmail.com Cc: stable@vger.kenrel.org Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 4ec318d06084a807df8eb212e321120236915fd6 Author: Shuah Khan Date: Thu Sep 1 15:23:19 2022 -0600 docs: update mediator information in CoC docs commit 8bfdfa0d6b929ede7b6189e0e546ceb6a124d05d upstream. Update mediator information in the CoC interpretation document. Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/20220901212319.56644-1-skhan@linuxfoundation.org Cc: stable@vger.kernel.org Signed-off-by: Jonathan Corbet Signed-off-by: Greg Kroah-Hartman commit 49a49d65e21085c088d2a96e583282d59769926b Author: Kees Cook Date: Thu Sep 29 22:57:43 2022 -0700 hardening: Remove Clang's enable flag for -ftrivial-auto-var-init=zero commit 607e57c6c62c00965ae276902c166834ce73014a upstream. Now that Clang's -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang option is no longer required, remove it from the command line. Clang 16 and later will warn when it is used, which will cause Kconfig to think it can't use -ftrivial-auto-var-init=zero at all. Check for whether it is required and only use it when so. Cc: Nathan Chancellor Cc: Masahiro Yamada Cc: Nick Desaulniers Cc: linux-kbuild@vger.kernel.org Cc: llvm@lists.linux.dev Cc: stable@vger.kernel.org Fixes: f02003c860d9 ("hardening: Avoid harmless Clang option under CONFIG\_INIT\_STACK\_ALL\_ZERO") Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman commit a3c72efe3d6143b0964642435d8d8bf42e4fbf75 Author: Sami Tolvanen Date: Fri Sep 30 20:33:10 2022 +0000 Makefile.extrawarn: Move -Wcast-function-type-strict to W=1 commit 2120635108b35ecad9c59c8b44f6cbdf4f98214e upstream. We enable -Wcast-function-type globally in the kernel to warn about mismatching types in function pointer casts. Compilers currently warn only about ABI incompability with this flag, but Clang 16 will enable a stricter version of the check by default that checks for an exact type match. This will be very noisy in the kernel, so disable -Wcast-function-type-strict without W=1 until the new warnings have been addressed. Cc: stable@vger.kernel.org Link: https://reviews.llvm.org/D134831 Link: https://github.com/ClangBuiltLinux/linux/issues/1724 Suggested-by: Nathan Chancellor Signed-off-by: Sami Tolvanen Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220930203310.4010564-1-samitolvanen@google.com Signed-off-by: Greg Kroah-Hartman commit df3d15181e00f1e63d778c29d252a25e04f6b046 Author: Bart Van Assche Date: Tue Aug 30 13:58:42 2022 -0700 sparc: Unbreak the build commit 17006e86a7641fa3c50324cfb602f0e74dac8527 upstream. Fix the following build errors: arch/sparc/mm/srmmu.c: In function ‘smp\_flush\_page\_for\_dma’: arch/sparc/mm/srmmu.c:1639:13: error: cast between incompatible function types from ‘void (\*)(long unsigned int)’ to ‘void (\*)(long unsigned int, long unsigned int, long unsigned int, long unsigned int, long unsigned int)’ \[-Werror=cast-function-type\] 1639 | xc1((smpfunc\_t) local\_ops->page\_for\_dma, page); | ^ arch/sparc/mm/srmmu.c: In function ‘smp\_flush\_cache\_mm’: arch/sparc/mm/srmmu.c:1662:29: error: cast between incompatible function types from ‘void (\*)(struct mm\_struct \*)’ to ‘void (\*)(long unsigned int, long unsigned int, long unsigned int, long unsigned int, long unsigned int)’ \[-Werror=cast-function-type\] 1662 | xc1((smpfunc\_t) local\_ops->cache\_mm, (unsigned long) mm); | \[ ... \] Compile-tested only. Fixes: 552a23a0e5d0 ("Makefile: Enable -Wcast-function-type") Cc: stable@vger.kernel.org Signed-off-by: Bart Van Assche Tested-by: Andreas Larsson Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220830205854.1918026-1-bvanassche@acm.org Signed-off-by: Greg Kroah-Hartman commit 79bc9ee841abf982affb75c8417abe9091e64304 Author: Al Viro Date: Mon Oct 3 20:26:08 2022 -0400 fix coredump breakage commit 4f526fef91b24197d489ff86789744c67f475bb4 upstream. Let me count the ways in which I'd screwed up: \* when emitting a page, handling of gaps in coredump should happen before fetching the current file position. \* fix for a problem that occurs on rather uncommon setups (and hadn't been observed in the wild) had been sent very late in the cycle. \* ... with badly insufficient testing, introducing an easily reproducible breakage. Without giving it time to soak in -next. Fucked-up-by: Al Viro Reported-by: "J. R. Okajima" Tested-by: "J. R. Okajima" Fixes: 06bbaa6dc53c "\[coredump\] don't use \_\_kernel\_write() on kmap\_local\_page()" Cc: stable@kernel.org # v6.0-only Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 2a96b532098284ecf8e4849b8b9e5fc7a28bdee9 Author: Dongliang Mu Date: Tue Aug 16 12:08:58 2022 +0800 fs: fix UAF/GPF bug in nilfs\_mdt\_destroy commit 2e488f13755ffbb60f307e991b27024716a33b29 upstream. In alloc\_inode, inode\_init\_always() could return -ENOMEM if security\_inode\_alloc() fails, which causes inode->i\_private uninitialized. Then nilfs\_is\_metadata\_file\_inode() returns true and nilfs\_free\_inode() wrongly calls nilfs\_mdt\_destroy(), which frees the uninitialized inode->i\_private and leads to crashes(e.g., UAF/GPF). Fix this by moving security\_inode\_alloc just prior to this\_cpu\_inc(nr\_inodes) Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com Reported-by: butt3rflyh4ck Reported-by: Hao Sun Reported-by: Jiacheng Xu Reviewed-by: Christian Brauner (Microsoft) Signed-off-by: Dongliang Mu Cc: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit a53f14b0a934de4c0ee6935c7ee224e979460a7b Author: Jalal Mostafa Date: Wed Sep 21 13:57:01 2022 +0000 xsk: Inherit need\_wakeup flag for shared sockets commit 60240bc26114543fcbfcd8a28466e67e77b20388 upstream. The flag for need\_wakeup is not set for xsks with \`XDP\_SHARED\_UMEM\` flag and of different queue ids and/or devices. They should inherit the flag from the first socket buffer pool since no flags can be specified once \`XDP\_SHARED\_UMEM\` is specified. Fixes: b5aea28dca134 ("xsk: Add shared umem support between queue ids") Signed-off-by: Jalal Mostafa Signed-off-by: Daniel Borkmann Acked-by: Magnus Karlsson Link: https://lore.kernel.org/bpf/20220921135701.10199-1-jalal.a.mostapha@gmail.com Signed-off-by: Greg Kroah-Hartman

CVE-2022-43750

### Description

Due to the common practice of providing vulnerability details in markdown format, the Dependency-Track frontend renders them using the JavaScript library [Showdown](https://github.com/showdownjs/showdown). Showdown [does not have any XSS countermeasures built in](https://github.com/showdownjs/showdown/wiki/Markdown's-XSS-Vulnerability-(and-how-to-mitigate-it)), and versions before 4.6.1 of the Dependency-Track frontend did not encode or sanitize Showdown's output. This made it possible for arbitrary JavaScript included in vulnerability details via HTML attributes to be executed in context of the frontend.

### Impact

Actors with the `VULNERABILITY_MANAGEMENT` permission can exploit this weakness by creating or editing a custom vulnerability and providing XSS payloads in any of the following fields:

* Description
* Details
* Recommendation
* References

The payload will be executed for users with the `VIEW_PORTFOLIO` permission when browsing to the modified vulnerability's page, for example: 

```
https://dtrack.example.com/vulnerabilities/INTERNAL/INT-jd8u-e8tl-8lwu
```

Alternatively, malicious JavaScript could be introduced via any of the vulnerability databases mirrored by Dependency-Track (NVD, GitHub Advisories, OSV, OSS Index, VulnDB). However, this attack vector is highly unlikely, and the team is not aware of any occurrence of this happening.

> **Note**
> The *Vulnerability Details* element of the *Audit Vulnerabilities* tab in the project view is **not** affected.

### Patches

The issue has been fixed in frontend version 4.6.1.

### Credit

Thanks to GitHub user **Waterstraal** for finding and responsibly disclosing the issue.

**Description**

Due to the common practice of providing vulnerability details in markdown format, the Dependency-Track frontend renders them using the JavaScript library Showdown. Showdown does not have any XSS countermeasures built in, and versions before 4.6.1 of the Dependency-Track frontend did not encode or sanitize Showdown's output. This made it possible for arbitrary JavaScript included in vulnerability details via HTML attributes to be executed in context of the frontend.

**Impact**

Actors with the VULNERABILITY_MANAGEMENT permission can exploit this weakness by creating or editing a custom vulnerability and providing XSS payloads in any of the following fields:

*   Description
*   Details
*   Recommendation
*   References

The payload will be executed for users with the VIEW_PORTFOLIO permission when browsing to the modified vulnerability's page, for example:

    https://dtrack.example.com/vulnerabilities/INTERNAL/INT-jd8u-e8tl-8lwu
    

Alternatively, malicious JavaScript could be introduced via any of the vulnerability databases mirrored by Dependency-Track (NVD, GitHub Advisories, OSV, OSS Index, VulnDB). However, this attack vector is highly unlikely, and the team is not aware of any occurrence of this happening.

> **Note**  
> The _Vulnerability Details_ element of the _Audit Vulnerabilities_ tab in the project view is **not** affected.

**Patches**

The issue has been fixed in frontend version 4.6.1.

**Credit**

Thanks to GitHub user **Waterstraal** for finding and responsibly disclosing the issue.

**References**

*   GHSA-c33w-pm52-mqvf
*   https://nvd.nist.gov/vuln/detail/CVE-2022-39350
*   https://docs.dependencytrack.org/changelog/
*   https://github.com/showdownjs/showdown/wiki/Markdown's-XSS-Vulnerability-(and-how-to-mitigate-it)

GHSA-c33w-pm52-mqvf: @dependencytrack/frontend vulnerable to  Persistent Cross-Site-Scripting via Vulnerability Details

An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.

**Security Announcements**

**\[20221002\] - Core - RXSS through reflection of user input in headings**

*   **Project:** Joomla!
*   **SubProject:** CMS
*   **Impact:** Low
*   **Severity:** Low
*   **Probability:** Low
*   **Versions:** 4.0.0-4.2.3
*   **Exploit type:** Reflexted XSS
*   **Reported Date:** 2022-10-07
*   **Fixed Date:** 2022-10-25
*   **CVE Number:** CVE-2022-27913

**Description**

Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.

**Affected Installs**

Joomla! CMS versions 4.0.0-4.2.3

**Solution**

Upgrade to version 4.2.4

**Contact**

The JSST at the Joomla! Security Centre.

**Reported By:** Ajith Menon

*

CVE-2022-27913: Joomla! Developer Network

An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.

**Security Announcements**

**\[20221001\] - Core - Disclosure of critical information in debug mode**

*   **Project:** Joomla!
*   **SubProject:** CMS
*   **Impact:** Critical
*   **Severity:** Low
*   **Probability:** Low
*   **Versions:** 4.0.0-4.2.3
*   **Exploit type:** Information Disclosure
*   **Reported Date:** 2022-10-13
*   **Fixed Date:** 2022-10-25
*   **CVE Number:** CVE-2022-27912

**Description**

Joomla 4 sites with publicly enabled debug mode exposed data of previous requests.

**Affected Installs**

Joomla! CMS versions 4.0.0-4.2.3

**Solution**

Upgrade to version 4.2.4

**Contact**

The JSST at the Joomla! Security Centre.

**Reported By:** Peter Martin

*   
*

CVE-2022-27912: Joomla! Developer Network

OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter.

Product: OX App Suite  
Vendor: OX Software GmbH

Internal reference: MWB-1540  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 8.2 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.324  
Vendor notification: 2022-03-30  
Solution date: 2022-06-10  
Public disclosure: 2022-09-01  
CVE reference: CVE-2022-29852  
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:  
The output filter mechanism for binary data can be confused by using unknown media-types. Some valid image formats were not part of our deny-list that handles potentially harmful content. Attackers can generate, upload and share malicious JS code, disguised as the BMFreehand10 or image/x-freehand image file format. This format is not detected and therefore no download gets enforced. Some browsers may attempt to render its content "inline".

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance and the victim to follow a hyperlink.

Solution:  
We improved content detection to include previously unknown media-types.

---

Internal reference: MWB-1572  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 8.2 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.0  
Vendor notification: 2022-04-20  
Solution date: 2022-06-10  
Public disclosure: 2022-09-01  
CVE reference: CVE-2022-29853  
CVSS: 4.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:  
Malicious HTML content at E-Mail can be abused to bypass existing content sanitization mechanisms. In this case an attacker adds junk code to force the "Show entire message" feature for huge HTML mails to generate malicious output. This involves a complex hierarchy of HTML elements and event handlers that confuse existing sanitization logic.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance and the victim to follow a hyperlink.

Solution:  
We improved detection and handling of such huge HTML blocks to make sure no malicious content is returned to the client.

---

Internal reference: MWB-1602  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 8.2 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.0  
Vendor notification: 2022-04-20  
Solution date: 2022-06-10  
Public disclosure: 2022-09-01  
CVE reference: CVE-2022-31468  
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:  
Content stored in attachments or OX Drive content can be requested by the client using "len" and "off" parameters. Malicious HTML content is filtered however this filter does not apply to all kind of HTML tags and allows to extract malicious code using the mentioned parameters.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance and the victim to follow a hyperlink.

Solution:  
We improved detection and handling of malicious HTML content that is requested via offset and length parameters.

---

Internal reference: DOCS-4428  
Vulnerability type: OS Command Injection (CWE-78)  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: documentconverter  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.5-rev5, 7.10.6-rev5  
Vendor notification: 2022-04-19  
Solution date: 2022-06-10  
Public disclosure: 2022-09-01  
CVE reference: CVE-2022-29851  
CVSS: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)

Vulnerability Details:  
In case an instance running documentconverter (readerengine) has non-default ghostscript (gs) utility installed, it may get invoked when converting EPS files that are disguised as PDF files. Ghostscript suffers from a range of vulnerabilities, some of which could be exploited via readerengine. While most are non-deterministic and cannot be used to inflict relevant damage, few may be used to execute code fragments, embedded in EPS files, on the target instance.

Risk:  
Unauthorized code may be executed with persmissions of the "open-xchange" user on readerengine instances if additional software packages like gs are installed. We urge customers to apply best-practice system hardening, which includes removal of unused components.

Solution:  
We removed a fallback to use external commands for processing EPS and other file formats.

CVE-2022-31468: OX App Suite Cross Site Scripting

The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.

from logging import getLogger from django.conf import settings from django.db import models from django.db.models import UniqueConstraint, Q from django.contrib.postgres import fields as psql\_fields from django.contrib.postgres import search as psql\_search from django\_lifecycle import AFTER\_UPDATE, BEFORE\_UPDATE, hook from pulpcore.plugin.models import ( BaseModel, Content, Remote, Repository, RepositoryVersion, Distribution, SigningService, Task, EncryptedTextField, ) from .downloaders import AnsibleDownloaderFactory log \= getLogger(\_\_name\_\_) class Role(Content): """ A content type representing a Role. """ TYPE \= "role" namespace \= models.CharField(max\_length\=64) name \= models.CharField(max\_length\=64) version \= models.CharField(max\_length\=128) @property def relative\_path(self): """ Return the relative path of the ContentArtifact. """ return self.contentartifact\_set.get().relative\_path class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" unique\_together \= ("version", "name", "namespace") class Collection(BaseModel): """A model representing a Collection.""" namespace \= models.CharField(max\_length\=64, editable\=False) name \= models.CharField(max\_length\=64, editable\=False) def \_\_str\_\_(self): """Return a representation.""" return f"<{self.\_\_class\_\_.\_\_name\_\_}: {self.namespace}.{self.name}\>" class Meta: unique\_together \= ("namespace", "name") class CollectionImport(models.Model): """A model representing a collection import task details.""" task \= models.OneToOneField( Task, on\_delete\=models.CASCADE, editable\=False, related\_name\="+", primary\_key\=True ) messages \= models.JSONField(default\=list, editable\=False) class Meta: ordering \= \["task\_\_pulp\_created"\] def add\_log\_record(self, log\_record): """ Records a single log message but does not save the CollectionImport object. Args: log\_record(logging.LogRecord): The logging record to record on messages. """ self.messages.append( {"message": log\_record.msg, "level": log\_record.levelname, "time": log\_record.created} ) class Tag(BaseModel): """A model representing a Tag. Fields: name (models.CharField): The Tag's name. """ name \= models.CharField(max\_length\=64, unique\=True, editable\=False) def \_\_str\_\_(self): """Returns tag name.""" return self.name class CollectionVersion(Content): """ A content type representing a CollectionVersion. This model is primarily designed to adhere to the data format for Collection content. That spec is here: https://docs.ansible.com/ansible/devel/dev\_guide/collections\_galaxy\_meta.html Fields: authors (psql\_fields.ArrayField): A list of the CollectionVersion content's authors. contents (models.JSONField): A JSON field with data about the contents. dependencies (models.JSONField): A dict declaring Collections that this collection requires to be installed for it to be usable. description (models.TextField): A short summary description of the collection. docs\_blob (models.JSONField): A JSON field holding the various documentation blobs in the collection. manifest (models.JSONField): A JSON field holding MANIFEST.json data. files (models.JSONField): A JSON field holding FILES.json data. documentation (models.CharField): The URL to any online docs. homepage (models.CharField): The URL to the homepage of the collection/project. issues (models.CharField): The URL to the collection issue tracker. license (psql\_fields.ArrayField): A list of licenses for content inside of a collection. name (models.CharField): The name of the collection. namespace (models.CharField): The namespace of the collection. repository (models.CharField): The URL of the originating SCM repository. version (models.CharField): The version of the collection. requires\_ansible (models.CharField): The version of Ansible required to use the collection. is\_highest (models.BooleanField): Indicates that the version is the highest one in the collection. Relations: collection (models.ForeignKey): Reference to a collection model. tag (models.ManyToManyField): A symmetric reference to the Tag objects. """ TYPE \= "collection\_version" \# Data Fields authors \= psql\_fields.ArrayField(models.CharField(max\_length\=64), default\=list, editable\=False) contents \= models.JSONField(default\=list, editable\=False) dependencies \= models.JSONField(default\=dict, editable\=False) description \= models.TextField(default\="", blank\=True, editable\=False) docs\_blob \= models.JSONField(default\=dict, editable\=False) manifest \= models.JSONField(default\=dict, editable\=False) files \= models.JSONField(default\=dict, editable\=False) documentation \= models.CharField(default\="", blank\=True, max\_length\=2000, editable\=False) homepage \= models.CharField(default\="", blank\=True, max\_length\=2000, editable\=False) issues \= models.CharField(default\="", blank\=True, max\_length\=2000, editable\=False) license \= psql\_fields.ArrayField(models.CharField(max\_length\=32), default\=list, editable\=False) name \= models.CharField(max\_length\=64, editable\=False) namespace \= models.CharField(max\_length\=64, editable\=False) repository \= models.CharField(default\="", blank\=True, max\_length\=2000, editable\=False) version \= models.CharField(max\_length\=128, editable\=False) requires\_ansible \= models.CharField(null\=True, max\_length\=255) is\_highest \= models.BooleanField(editable\=False, default\=False) \# Foreign Key Fields collection \= models.ForeignKey( Collection, on\_delete\=models.PROTECT, related\_name\="versions", editable\=False ) tags \= models.ManyToManyField(Tag, editable\=False) \# Search Fields search\_vector \= psql\_search.SearchVectorField(default\="") @property def relative\_path(self): """ Return the relative path for the ContentArtifact. """ return "{namespace}-{name}-{version}.tar.gz".format( namespace\=self.namespace, name\=self.name, version\=self.version ) def \_\_str\_\_(self): """Return a representation.""" return f"<{self.\_\_class\_\_.\_\_name\_\_}: {self.namespace}.{self.name} {self.version}\>" class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" unique\_together \= ("namespace", "name", "version") constraints \= \[ UniqueConstraint( fields\=("collection", "is\_highest"), name\="unique\_is\_highest", condition\=Q(is\_highest\=True), ) \] class CollectionVersionSignature(Content): """ A content type representing a signature that is attached to a content unit. Fields: data (models.BinaryField): A signature, base64 encoded. # Not sure if it is base64 encoded digest (models.CharField): A signature sha256 digest. pubkey\_fingerprint (models.CharField): A fingerprint of the public key used. Relations: signed\_collection (models.ForeignKey): A collection version this signature is relevant to. signing\_service (models.ForeignKey): An optional signing service used for creation. """ PROTECTED\_FROM\_RECLAIM \= False TYPE \= "collection\_signature" signed\_collection \= models.ForeignKey( CollectionVersion, on\_delete\=models.CASCADE, related\_name\="signatures" ) data \= models.TextField() digest \= models.CharField(max\_length\=64) pubkey\_fingerprint \= models.CharField(max\_length\=64) signing\_service \= models.ForeignKey( SigningService, on\_delete\=models.SET\_NULL, related\_name\="signatures", null\=True ) class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" unique\_together \= ("pubkey\_fingerprint", "signed\_collection") class DownloadLog(BaseModel): """ A download log for content units by user, IP and org\_id. """ content\_unit \= models.ForeignKey( Content, on\_delete\=models.CASCADE, related\_name\="download\_logs" ) user \= models.ForeignKey( settings.AUTH\_USER\_MODEL, on\_delete\=models.CASCADE, null\=True, related\_name\="download\_logs", ) ip \= models.GenericIPAddressField() extra\_data \= models.JSONField(null\=True) user\_agent \= models.TextField() repository \= models.ForeignKey( Repository, on\_delete\=models.CASCADE, related\_name\="download\_logs" ) repository\_version \= models.ForeignKey( RepositoryVersion, null\=True, on\_delete\=models.SET\_NULL, related\_name\="download\_logs" ) class RoleRemote(Remote): """ A Remote for Ansible content. """ TYPE \= "role" class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" class CollectionRemote(Remote): """ A Remote for Collection content. """ TYPE \= "collection" requirements\_file \= models.TextField(null\=True) auth\_url \= models.CharField(null\=True, max\_length\=255) token \= EncryptedTextField(null\=True) sync\_dependencies \= models.BooleanField(default\=True) signed\_only \= models.BooleanField(default\=False) @property def download\_factory(self): """ Return the DownloaderFactory which can be used to generate asyncio capable downloaders. Upon first access, the DownloaderFactory is instantiated and saved internally. Plugin writers are expected to override when additional configuration of the DownloaderFactory is needed. Returns: DownloadFactory: The instantiated DownloaderFactory to be used by get\_downloader() """ try: return self.\_download\_factory except AttributeError: self.\_download\_factory \= AnsibleDownloaderFactory(self) return self.\_download\_factory @hook( AFTER\_UPDATE, when\_any\=\["url", "requirements\_file", "sync\_dependencies", "signed\_only"\], has\_changed\=True, ) def \_reset\_repository\_last\_synced\_metadata\_time(self): AnsibleRepository.objects.filter( remote\_id\=self.pk, last\_synced\_metadata\_time\_\_isnull\=False ).update(last\_synced\_metadata\_time\=None) class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" class GitRemote(Remote): """ A Remote for Collection content hosted in Git repositories. """ TYPE \= "git" metadata\_only \= models.BooleanField(default\=False) git\_ref \= models.TextField() class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" class AnsibleCollectionDeprecated(Content): """ A model that represents if a Collection is \`deprecated\` for a given RepositoryVersion. """ TYPE \= "collection\_deprecation" namespace \= models.CharField(max\_length\=64, editable\=False) name \= models.CharField(max\_length\=64, editable\=False) class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" unique\_together \= ("namespace", "name") class AnsibleRepository(Repository): """ Repository for "ansible" content. Fields: last\_synced\_metadata\_time (models.DateTimeField): Last synced metadata time. """ TYPE \= "ansible" CONTENT\_TYPES \= \[ Role, CollectionVersion, AnsibleCollectionDeprecated, CollectionVersionSignature, \] REMOTE\_TYPES \= \[RoleRemote, CollectionRemote\] last\_synced\_metadata\_time \= models.DateTimeField(null\=True) gpgkey \= models.TextField(null\=True) class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" permissions \= (("modify\_ansible\_repo\_content", "Can modify ansible repository content"),) def finalize\_new\_version(self, new\_version): """Finalize repo version.""" removed\_collection\_versions \= new\_version.removed( base\_version\=new\_version.base\_version ).filter(pulp\_type\=CollectionVersion.get\_pulp\_type()) \# Remove any deprecated and signature content associated with the removed collection \# versions for version in removed\_collection\_versions: version \= version.cast() signatures \= new\_version.get\_content( content\_qs\=CollectionVersionSignature.objects.filter(signed\_collection\=version) ) new\_version.remove\_content(signatures) other\_collection\_versions \= new\_version.get\_content( content\_qs\=CollectionVersion.objects.filter(collection\=version.collection) ) \# AnsibleCollectionDeprecated applies to all collection versions in a repository, \# so only remove it if there are no more collection versions for the specified \# collection present. if not other\_collection\_versions.exists(): deprecations \= new\_version.get\_content( content\_qs\=AnsibleCollectionDeprecated.objects.filter( namespace\=version.namespace, name\=version.name ) ) new\_version.remove\_content(deprecations) @hook(BEFORE\_UPDATE, when\="remote", has\_changed\=True) def \_reset\_repository\_last\_synced\_metadata\_time(self): self.last\_synced\_metadata\_time \= None class AnsibleDistribution(Distribution): """ A Distribution for Ansible content. """ TYPE \= "ansible" class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s"

Tag

#js