A growing group of OWASP members and board leaders are calling for the AppSec group to make big changes to stay apace with modern development.

As the OWASP Foundation navigates its third decade of existence, many application security experts and OWASP volunteer contributors say it's time for the organization to make some big changes to stay relevant. This week, a group of over 60 high-profile OWASP members sent an open letter to the OWASP Board of Directors and to the foundation's executive director demanding significant changes to the foundation. Many of these co-signers were leaders of flagship OWASP projects, lifetime contributors, and former OWASP board members.

"OWASP simply isn't driving innovation anymore," says Contrast Security co-founder and CTO Jeff Williams, author of the first OWASP Top Ten, the OWASP chair from 2001 through 2011, and one of the co-signers. "Open source has changed, and OWASP needs to keep up by supporting contributors better."

Among the signatories were also two current board members, Glenn ten Cate and Mark Curphey. While Curphey says the letter is the result of mutual collaboration within the group, it also aligns very closely with a manifesto he published last year as a part of his successful bid for a seat on the 2023 board. As the founder of OWASP, Curphey hadn't been directly involved with the organization for some time, but had always been a supporter and advocate for OWASP while he was busy being a security practitioner, security product leader, and entrepreneur in the application security space.

Curphey focused on the following three major points during his campaign for the board:

*   to change the funding model of OWASP to look more like how Linux Foundation and its Open Software Security Foundation works with donors to support their project,
*   to install a chief product officer to lead the charge to clean up projects (and prioritize the high-impact ones) as well as renovate the OWASP site to make it more developer friendly, and
*   to change the culture of OWASP to eliminate red tape and to add more transparency in how vendors are (or are not) involved in the OWASP mission.

The open letter echoes many of these points, while calling for a change in governance that could fuel a drastic effort in fundraising that they feel could pull in millions of dollars to hire dedicated developers and project leaders.

**OWASP Then and Now**

When OWASP was founded way back in 2001, it was a scrappy labor of love founded by application security advocates who were concerned about the mounting risk to the Internet posed by insecure Web applications. They wanted to boost awareness of the problem outside the bubble of cybersecurity insiders. And so OWASP was born to help deliver education and resources to not just security professionals, but also developers and enterprise stakeholders.

The idea was to give organizations technical guidance that could enable developers to improve their coding practices and reduce the risk of vulnerabilities in the software they deployed. This was the genesis of the OWASP Top 10, the group's vaunted list of the 10 riskiest flaws in applications that was first published in 2003 and which has since spawned numerous updates and sub-lists, and which has fueled a whole host of security open source projects, commercial products, and services.

Lots of things have changed since those early years. The awareness piece of OWASP has certainly hit its mark, and today the group has grown to support over 240 chapters and tens of thousands of members and participants around the world. It hosts a full slate of local and global events, and a number of projects like the Top 10, the Software Assurance Maturity Model (SAMM), and Zed Attack Proxy (ZAP).

However, the scope of application security work to be done has broadened considerably as the world has moved way beyond Web applications and is now awash with mobile apps, IoT and embedded systems, wearables, and everything in between — all of which is driven by software.

And the development environment has radically changed, too. Modern development practices have coopted methods like continuous integration/continuous delivery (CI/CD), DevOps, and Agile development to take over from traditional waterfall development patterns. Developers lean heavily on microservices architectures and mix-and-match open source components to build out their software.

Unfortunately, in the face of all that change, some things have also stayed the same. Many of the issues on that first OWASP Top 10 are just as problematic today and still on the list, including injection flaws, misconfigurations, and authentication failures. Now, though, these nagging problems that have never gone away are only exacerbated by the expanded scope, the speed of development, and the tangle of software supply chain dependencies that have been added to the mix over the years.

**Clamoring for Change**

In the context of these factors, many OWASP insiders argue that the nonprofit has not kept up with the pace of change within the software development world. They say the foundation isn't supporting the needs of the OWASP community, especially in regard to the foundation's flagship projects, which includes over a dozen projects among OWASP's 274 other projects.

"What worked in the past simply isn’t working now and OWASP needs to change. Year after year, concerns have been raised and there have been promises of change, but year after year it hasn't happened," said the open letter to the OWASP Board of Directors and to the foundation's executive director. "The gap between what our projects and the community around them want, and the support that OWASP provides, continues to grow wider."

With the publication of this latest missive, the letter's cosigners say that some of OWASP's most impactful projects — ones that are relied upon by many enterprises and by products enterprises use today — are left to "operate independently, in some cases managing their own sponsorships, finance, websites, domains, communication platforms, and developer tools."

The signatories are clamoring for some drastic changes in funding models and governance to get the group back to serving the needs of developers in the context of modern software delivery models. They developed an action list consists of five major points, calling the foundation and board to:

1.  develop a community plan that prioritizes key initiatives, pointing to the OSSF plan as a reference
2.  change the foundation's governance structure to "better reflect the need of the entire security community"
3.  establish an aggressive funding campaign to raise $5 million to $10 million to pay for dedicated developers, community managers, and support staff
4.  improve centralized infrastructure and services for the community to take the heat off the projects
5.  take a more centralized hand in managing the product portfolio and what goes on in local chapters

Williams says he signed because he felt that the changes the group called for are "unfortunately necessary."

"OWASP has a glaring hole in not having a financial plan built from the bottom up based on project needs," he says. "Without that, it's impossible to fundraise effectively. Writing down an aggressive funding plan, going after some big funding increments, and taking on more aggressive projects is the only way to keep OWASP moving quickly."

**Next-Step Realities**

The question is whether the foundation and the OWASP community is willing and able to make some of these changes. According to Chenxi Wang, a former OWASP board member, there are many items in the proposal that are "much needed" since she believes OWASP has devolved into an organization that doesn't do much more than run events.

"But some of the other items seem to be too ambitious for OWASP, which has a volunteer board and a small operating staff. For example, the item to 'actively manage the project portfolio and chapters' would require a substantial effort going forward, which may not be something the foundation can do with today's resources," she says. "Also, the proposal about funding prioritized projects would require a change to today's model and may disenfranchise newer projects."

As she sees it, the proposal is going to require drastic changes to the funding model, the community model, and the way funds are distributed.

"To do all of this in one swoop is going to be too disruptive," Wang says. "A phased approach is the only way to make this happen."

For his part, OWASP Foundation executive director Andrew van der Stock says he also agrees with many of the points in the letter. The day after the letter was published, the proposals were presented at the foundation's monthly board meeting. He says the meeting went well, and he agrees that the board needs to set a prioritized plan anyway as a part of their fiduciary duty.

"Beyond the way it was presented, there's nothing in there that we disagree with," he says of the letter. "I think creating a plan within 30 days is definitely doable. My major concern is really around if we don't manage to achieve all of the five goals in a timeframe that the projects want us to achieve it in."

He also does wonder whether the board's current bylaws and the will of the OWASP community's paying members will allow for the kind of governance and funding changes the co-signers want. For example, OWASP isn't set up the way the OSSF organization is, which currently has a board that consists of members that buy their seats through corporate membership and pay significantly to retain those seats. OWASP currently has about 7,000 financial members in addition to the 80,000 people who participate in the community through events, chapter meetings, and projects. That paying membership includes individuals who pay $50 a year, lifetime members who pay $500, and corporate sponsors who pay $5,000 and up, depending on the level of support they want to give.

"I don't think our community would support that change. It's one of those things that I think is going to be a little bit unrealistic," says van der Stock, who adds that these kinds of changes would require a change in OWASP bylaws, which are already in the last stages of being overhauled to a set of "fairly standard" nonprofit bylaws in response to a discovery about a year ago that the original bylaws were invalid according to Delaware General Corporate Law. That routine procedure alone required an extensive process that included a vote by the general membership.

Nevertheless, van der Stock says that OWASP could definitely flourish if the board can find a way to pull in more funding.

"If we could get between $5 million and $10 million a year, we could get a lot done. If we could get people to work on projects full-time, these things would appear much quicker and probably with much higher quality," he says, noting that the foundation currently only has five staffers on its roster. "I think the only friction really, and the only thing that might be contested, is the governance model. I think our community would have a lot to say about that."

This is the concern from Williams as well.

"I'm worried that OWASP won't be able to respond to the letter, given the current governance structures," he says.

But according to Curphey, the board meeting was a good start to laying out the change-makers' proposal and considering next steps.

"The board meeting was positive," he says. "There's still a long way to go, but we'll see. I did have to leave early to attend another board meeting, but when I left was very pleased with progress and desire from current board to adapt and change."

**Why Should CISOs Care?**

The big question for CISOs and security practitioners is whether any of this internal jockeying at OWASP really matters to them. According to Wang, the decisions and actions the foundation makes today may not necessarily directly impact CISOs right now. But it could have a long-term ripple effect that influences the kind of technology options they'll have for helping developers in the long run.

"This could result in better support of emergent technologies, which down the line could impact the way practitioners adopt these technologies," she says.

Is OWASP at Risk of Irrelevance?

Changedetection.io before v0.40.1.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the main page. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the "Add a new change detection watch" function.

**Describe the bug**  
It's possible to inject arbitrary Javascript code in the main page of changedetection.io. This can result in a stored cross site scripting attack. Since in /settings#api it's exposed the plaintext API Key, the attacker can read also the api key with an XSS attack.

**Version**  
I'm using _v0.39.20.4_, but I'm sure other version could be affected as well.

**To Reproduce**

Steps to reproduce the behavior:

1.  Go to the main page.
2.  Under _Add a new change detection watch_ add as URL javascript:alert(document.domain)
3.  Click _Watch_
4.  A new row is added under the websites watched
5.  Click CTRL+ click with mouse on the link taking to a new tab
6.  Javascript payload is being executed.

Reproduce the vulnerability with https://changedetection.io/share/LpbICKx5Rbca

**Expected behavior**  
javascript protocol should be blocked like file:// for security reasons.

**Screenshots**  

**Desktop (please complete the following information):**

*   OS: Linux edoardottt 5.19.0-29-generic
*   Browser: Chrome Version 109.0.5414.119 (Official Build) (64-bit)
*   Changedetetion.io Version: v0.39.20.4

CVE-2023-24769: [Security] Stored XSS in main page · Issue #1358 · dgtlmoon/changedetection.io

IBM InfoSphere Information Server 11.7 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 246333

  

**Summary**

A path traversal vulnerability in InfoSphere Information Server was addressed.

**Vulnerability Details**

**CVEID:**   CVE-2023-24960  
**DESCRIPTION:**   IBM InfoSphere Information Server could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246333 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

InfoSphere Information Server

11.7

**Remediation/Fixes**

**Product**

**VRMF**

**APAR**

**Remediation**

InfoSphere Information Server, InfoSphere Information Server on Cloud

11.7

DT174491

\--Apply IBM InfoSphere Information Server version 11.7.1.0  
\--Apply InfoSphere Information Server version 11.7.1.4  
\--Apply InfoSphere DataStage security patch

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

10 Feb 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSZJPZ","label":"IBM InfoSphere Information Server"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"}\],"Version":"11.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-24960: IBM InfoSphere Information Server is affected by a path traversal vulnerability (CVE-2023-24960)

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.7 and 6.1.0.0 through 6.1.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 238684.

  

**Summary**

IBM Sterling B2B Integrator has addressed the cross-site scripting security vulnerability.

**Vulnerability Details**

**CVEID:**   CVE-2022-43579  
**DESCRIPTION:**   IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 4.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238684 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Sterling B2B Integrator

6.0.0.0 - 6.0.3.7

IBM Sterling B2B Integrator

6.1.0.0 - 6.1.2.0

  

**Remediation/Fixes**

**Product  
**

**Version**

**APAR**

**Remediation & Fix**

IBM Sterling B2B Integrator

6.0.0.0 - 6.0.3.7

IT42394

Apply 6.0.3.8

IBM Sterling B2B Integrator

6.1.0.0 - 6.1.2.0

IT42394

Apply 6.1.2.1

The IIM versions of 6.0.3.8 and 6.1.2.1 are available on Fix Central. 

The container version of 6.1.2.1 is available in IBM Entitled Registry with following tags.  

*   cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.1 for IBM Sterling B2B Integrator
*   cp.icr.io/cp/ibm-sfg/sfg:6.1.2.1 for IBM Sterling File Gateway

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

10 Feb 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS3JSW","label":"IBM Sterling B2B Integrator"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF002","label":"AIX"}\],"Version":"6.0.0.0 - 6.1.2.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

CVE-2022-43579: Security Bulletin: IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43579)

Buffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allows attacker to escalate privileges via the LibRaw_buffer_datastream::gets(char*, int) in /src/libraw/src/libraw_datastream.cpp.

@@ -287,6 +287,7 @@ INT64 LibRaw\_file\_datastream::tell()

  

char \*LibRaw\_file\_datastream::gets(char \*str, int sz)

{

if(sz<1) return NULL;

LR\_STREAM\_CHK();

std::istream is(f.get());

is.getline(str, sz);

@@ -421,6 +422,7 @@ INT64 LibRaw\_buffer\_datastream::tell()

  

char \*LibRaw\_buffer\_datastream::gets(char \*s, int sz)

{

if(sz<1) return NULL;

unsigned char \*psrc, \*pdest, \*str;

str = (unsigned char \*)s;

psrc = buf + streampos;

@@ -618,6 +620,7 @@ INT64 LibRaw\_bigfile\_datastream::tell()

  

char \*LibRaw\_bigfile\_datastream::gets(char \*str, int sz)

{

if(sz<1) return NULL;

LR\_BF\_CHK();

return fgets(str, sz, f);

}

CVE-2021-32142: check for input buffer size on datastream::gets · LibRaw/LibRaw@bc3aaf4

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit allows SQL Injection.This issue affects CrafterCMS v4.0 from 4.0.0 through 4.0.1, and v3.1 from 3.1.0 through 3.1.26.

CrafterCMS

*   

**CV-2023021701**

 

**Date**

2023.02.17

**Affected Versions**

**4.0** <= 4.0.1, **3.1** =< 3.1.26

**Vulnerability Type**

CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

**Risk**

Medium

**Description**

Authenticated administrators can perform a SQL Injection attack against the authoring database that holds Studio users, groups, and item workflow states.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2023-26020

**Credit**

Gil Correia, gil.correia@devoteam.com

**CV-2022091302**

 

**Date**

2022.09.13

**Affected Versions**

**3.1** < 3.1.23

**Vulnerability Type**

CWE-913 Improper Control of Dynamically-Managed Code Resources

**Risk**

Medium

**Description**

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2022-40635

**Credit**

Matei “Mal” Badanoiu, https://github.com/mbadanoiu

**CV-2022091301**

 

**Date**

2022.09.13

**Affected Versions**

**3.1** < 3.1.23

**Vulnerability Type**

CWE-913 Improper Control of Dynamically-Managed Code Resources

**Risk**

Medium

**Description**

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2022-40634

**Credit**

Matei “Mal” Badanoiu, https://github.com/mbadanoiu

**CV-2022051603**

 

**Date**

2022.05.16

**Affected Versions**

**3.1** < 3.1.18

**Vulnerability Type**

CWE-913 Improper Control of Dynamically-Managed Code Resources

**Risk**

High

**Description**

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23267

**Credit**

Kai Zhao (ToTU Security Team), https://github.com/happyhacking-k

**CV-2022051602**

 

**Date**

2022.05.16

**Affected Versions**

**3.1** < 3.1.18

**Vulnerability Type**

CWE-117 Improper Output Neutralization for Logs

**Risk**

Medium

**Description**

An anonymous user can craft a URL with text that ends up in the log viewer as is.The text can then include textual messages to mislead the administrator.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23266

**Credit**

Faizan Wani, https://github.com/faizanw8

**CV-2021120106**

 

**Date**

2021.12.01

**Affected Versions**

**3.1** < 3.1.15

**Vulnerability Type**

CWE-402: Transmission of Private Resources into a New Sphere (‘Resource Leak’)

**Risk**

Medium

**Description**

Transmission of Private Resources into a New Sphere (‘Resource Leak’) in CrafterEngine

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23263

**Credit**

Carlos Ortiz, https://github.com/cortiz

**CV-2021120107**

 

**Date**

2021.12.01

**Affected Versions**

**3.1** < 3.1.15

**Vulnerability Type**

CWE-402: Transmission of Private Resources into a New Sphere (‘Resource Leak’) CWE-668 Exposure of Resource to Wrong Sphere

**Risk**

High

**Description**

Transmission of Private Resources into a New Sphere (‘Resource Leak’) and Exposureof Resource to Wrong Sphere in Crafter Search

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23264

**Credit**

Sparsh Kulshrestha, https://github.com/sparshkulshrestha

**CV-2020080102**

 

**Date**

2020.08.01

**Affected Versions**

**3.0** < 3.0.27  
**3.1** < 3.1.7

**Vulnerability Type**

RCE

**Risk**

Medium

**Description**

Authenticated attackers with developer privileges in Crafter Studio may execute OS commands via deep inspection of FreeMarker template exposed objects.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2020-25803

**Credit**

Alvaro Muñoz (GitHub), https://github.com/pwntester

**CV-2017061502**

 

**Date**

2017.06.15

**Affected Versions**

**3.0** < 3.0.1

**Vulnerability Type**

Directory Traversal

**Risk**

Critical

**Description**

A directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating system which can lead to RCE.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2017-15681

**Credit**

Jasmin Landry, https://github.com/JR0ch17

CVE-2023-26020: Security Advisories — CrafterCMS 4.0.2 documentation

An issue in HTACG HTML Tidy v5.7.28 allows attacker to execute arbitrary code via the -g option of the CleanNode() function in gdoc.c.

CVE-2021-33391: Heap use-after-free in the CleanNode() function · Issue #946 · htacg/tidy-html5

IBM Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 is vulnerable to an Information Disclosure as sensitive information may be included in a log file. IBM X-Force ID: 241677.

  

**Summary**

IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file.

**Vulnerability Details**

**CVEID:**   CVE-2022-43930  
**DESCRIPTION:**   IBM Db2 is vulernable to an Information Disclosure as sensitive information may be included in a log file.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241677 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

All fix pack levels of IBM Db2  V10.5, V11.1, and V11.5  editions on Windows are affected.  Linux, and Unix are not impacted.  

  

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program,  V10.5, v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V10.5 FP11, V11.1.4 FP7, and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V10.5

TBD

DT174059

Special Build for V10.5 FP11:

Windows 32-bit, x86  
Windows 64-bit, x86

V11.1

TBD

DT174059

Special Build for V11.1.4 FP7:

Windows 32-bit, x86  
Windows 64-bit, x86

V11.5

TBD

DT174059

Special Build for V11.5.8:

Windows 32-bit, x86  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

08 Feb 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"}\],"Version":"10.5, 11.1, 10.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2022-43930: IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930)

Buffer Overflow vulnerability in Dvidelabs flatcc v.0.6.0 allows local attacker to execute arbitrary code via the fltacc execution of the error_ref_sym function.

in parser.c  
k seems like the size of the rest of buffer on stack(var 'buf' which type is char\[\]).  
n is memcpy size as 3rd para.  
while condition k>0 to keep buffer is not full.  
if enter in if(k<n) branch n=k,var n is assigned the value of k  
then k -=n ,var k is assigned the value 0  
then --k, var k is assigned the value 0xffffffffffffffff while var k's type is size\_t.  
so the while conditionk > 0 not make sense.  
next memcpy will lead to stack overflow

void error\_ref\_sym(fb\_parser\_t \*P, fb\_ref\_t \*ref, const char \*msg, fb\_symbol\_t \*s2)
{
    fb\_ref\_t \*p;
    char buf\[FLATCC\_MAX\_IDENT\_SHOW + 1\];
    size\_t k = FLATCC\_MAX\_IDENT\_SHOW;
    size\_t n = 0;
    size\_t n0 = 0;
    p = ref;
    while (p && k > 0) {
        n = (size\_t)p->ident\->len;
        if (k < n) {
            n = k;
        }
        memcpy(buf + n0, p->ident\->text, n);
        k -= n;
        n0 += n;
        buf\[n0\] = '.';
        --k; //overflow here when k = 0
        ++n0;
        p = p->link;
    }
    buf\[n0\] = '\\0';
    if (n0 > 0) {
        --n0;
    }
    if (k <= 0) {
        memcpy(buf + FLATCC\_MAX\_IDENT\_SHOW + 1 - 4, "...\\0", 4);
        n0 = FLATCC\_MAX\_IDENT\_SHOW;
    }
    error\_report(P, ref->ident, msg, s2 ? s2->ident : 0, buf, n0);
}

poc:

    ➜  fuzz_test cat test9
    struct tsj{
            damage:shortllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllve.tlllllllllllllllllllllllllllllllllllllll;
    }
    ➜  fuzz_test ../flatcc/bin/flatcc test9
    test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllllllllll': unknown type reference used with struct field: test9:2:2: 'damage'
    *** stack smashing detected ***: terminated
    [1]    3685 abort (core dumped)  ../flatcc/bin/flatcc test9
    ➜  fuzz_test
    

    ➜  fuzz_test gdb ../flatcc/bin/flatcc
    GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2
    Copyright (C) 2020 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Type "show copying" and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
        <http://www.gnu.org/software/gdb/documentation/>.
    
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    pwndbg: loaded 196 commands. Type pwndbg [filter] for a list.
    pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
    Reading symbols from ../flatcc/bin/flatcc...
    pwndbg> set args test9
    pwndbg> r
    Starting program: /mnt/c/Users/tsj/Desktop/flatcc/bin/flatcc test9
    test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllllllllll': unknown type reference used with struct field: test9:2:2: 'damage'
    *** stack smashing detected ***: terminated
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ─────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────────────
     RAX  0x0
     RBX  0x7fffff7e13c0 ◂— 0x7fffff7e13c0
     RCX  0x8
     RDX  0x0
     RDI  0x2
     RSI  0x7ffffffed990 ◂— 0x0
     R8   0x0
     R9   0x7ffffffed990 ◂— 0x0
     R10  0x8
     R11  0x8
     R12  0x7ffffffedc10 ◂— 0x642ccf000a276567 /* "ge'\n" */
     R13  0x20
     R14  0x7fffff510000 ◂— 0x202a2a2a00001000
     R15  0x1
     RBP  0x7ffffffedd10 —▸ 0x7fffff76a07c ◂— '*** %s ***: terminated\n'
     RSP  0x7ffffffed990 ◂— 0x0
     RIP  0x7fffff5f618b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ───────────────────────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────────────────────
     ► 0x7fffff5f618b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7fffff5f6193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7fffff5f619c <raise+220>    jne    raise+260 <raise+260>
        ↓
       0x7fffff5f61c4 <raise+260>    call   __stack_chk_fail <__stack_chk_fail>
    
       0x7fffff5f61c9                nop    dword ptr [rax]
       0x7fffff5f61d0 <killpg>       endbr64
       0x7fffff5f61d4 <killpg+4>     test   edi, edi
       0x7fffff5f61d6 <killpg+6>     js     killpg+16 <killpg+16>
    
       0x7fffff5f61d8 <killpg+8>     neg    edi
       0x7fffff5f61da <killpg+10>    jmp    kill <kill>
    
       0x7fffff5f61df <killpg+15>    nop
    ───────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7ffffffed990 ◂— 0x0
    01:0008│            0x7ffffffed998 —▸ 0x7ffffffedb48 ◂— 0x3000000030 /* '0' */
    02:0010│            0x7ffffffed9a0 —▸ 0x7ffffffedb60 ◂— "test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllll"
    03:0018│            0x7ffffffed9a8 —▸ 0x7fffff63f11a (__vsnprintf_internal+170) ◂— mov    r9, qword ptr [rsp + 8]
    04:0020│            0x7ffffffed9b0 ◂— 0x3
    05:0028│            0x7ffffffed9b8 —▸ 0x7ffffffedab0 ◂— 0x20 /* ' ' */
    06:0030│            0x7ffffffed9c0 ◂— 0xfbad8001
    07:0038│            0x7ffffffed9c8 —▸ 0x7ffffffedb60 ◂— "test9:2:9: error: 'shortlllllllllllllllllllllllllllllllllllllllllllll.tlllllllllllllllllllllllllllllllll"
    ─────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────────
     ► f 0   0x7fffff5f618b raise+203
       f 1   0x7fffff5d5859 abort+299
       f 2   0x7fffff6403ee __libc_message+670
       f 3   0x7fffff6e2b4a __fortify_fail+42
       f 4   0x7fffff6e2b16
       f 5        0x8073af9
       f 6        0x80976b9 __flatcc_fb_build_schema+21961
       f 7        0x80976b9 __flatcc_fb_build_schema+21961
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>

CVE-2021-33983: found a integer overflow leads to stack_overflow  · Issue #188 · dvidelabs/flatcc

Buffer Overflow vulnerability in Saltstack v.3003 and before allows attacker to execute arbitrary code via the func variable in salt/salt/modules/status.py file.

Tag

#linux