Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used.

**PENDING feathers-sequelize contains improper input validation leading to SQL injection**

Critical severity GitHub Reviewed Published Oct 26, 2022 • Updated Oct 31, 2022

GHSA-qpv8-4pjq-qqh7: PENDING feathers-sequelize contains improper input validation leading to SQL injection

Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection

CVE-2022-29822

CVE-2022-2422: Redirecting…

CVE-2022-2422

The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.

from logging import getLogger from django.conf import settings from django.db import models from django.db.models import UniqueConstraint, Q from django.contrib.postgres import fields as psql\_fields from django.contrib.postgres import search as psql\_search from django\_lifecycle import AFTER\_UPDATE, BEFORE\_UPDATE, hook from pulpcore.plugin.models import ( BaseModel, Content, Remote, Repository, RepositoryVersion, Distribution, SigningService, Task, EncryptedTextField, ) from .downloaders import AnsibleDownloaderFactory log \= getLogger(\_\_name\_\_) class Role(Content): """ A content type representing a Role. """ TYPE \= "role" namespace \= models.CharField(max\_length\=64) name \= models.CharField(max\_length\=64) version \= models.CharField(max\_length\=128) @property def relative\_path(self): """ Return the relative path of the ContentArtifact. """ return self.contentartifact\_set.get().relative\_path class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" unique\_together \= ("version", "name", "namespace") class Collection(BaseModel): """A model representing a Collection.""" namespace \= models.CharField(max\_length\=64, editable\=False) name \= models.CharField(max\_length\=64, editable\=False) def \_\_str\_\_(self): """Return a representation.""" return f"<{self.\_\_class\_\_.\_\_name\_\_}: {self.namespace}.{self.name}\>" class Meta: unique\_together \= ("namespace", "name") class CollectionImport(models.Model): """A model representing a collection import task details.""" task \= models.OneToOneField( Task, on\_delete\=models.CASCADE, editable\=False, related\_name\="+", primary\_key\=True ) messages \= models.JSONField(default\=list, editable\=False) class Meta: ordering \= \["task\_\_pulp\_created"\] def add\_log\_record(self, log\_record): """ Records a single log message but does not save the CollectionImport object. Args: log\_record(logging.LogRecord): The logging record to record on messages. """ self.messages.append( {"message": log\_record.msg, "level": log\_record.levelname, "time": log\_record.created} ) class Tag(BaseModel): """A model representing a Tag. Fields: name (models.CharField): The Tag's name. """ name \= models.CharField(max\_length\=64, unique\=True, editable\=False) def \_\_str\_\_(self): """Returns tag name.""" return self.name class CollectionVersion(Content): """ A content type representing a CollectionVersion. This model is primarily designed to adhere to the data format for Collection content. That spec is here: https://docs.ansible.com/ansible/devel/dev\_guide/collections\_galaxy\_meta.html Fields: authors (psql\_fields.ArrayField): A list of the CollectionVersion content's authors. contents (models.JSONField): A JSON field with data about the contents. dependencies (models.JSONField): A dict declaring Collections that this collection requires to be installed for it to be usable. description (models.TextField): A short summary description of the collection. docs\_blob (models.JSONField): A JSON field holding the various documentation blobs in the collection. manifest (models.JSONField): A JSON field holding MANIFEST.json data. files (models.JSONField): A JSON field holding FILES.json data. documentation (models.CharField): The URL to any online docs. homepage (models.CharField): The URL to the homepage of the collection/project. issues (models.CharField): The URL to the collection issue tracker. license (psql\_fields.ArrayField): A list of licenses for content inside of a collection. name (models.CharField): The name of the collection. namespace (models.CharField): The namespace of the collection. repository (models.CharField): The URL of the originating SCM repository. version (models.CharField): The version of the collection. requires\_ansible (models.CharField): The version of Ansible required to use the collection. is\_highest (models.BooleanField): Indicates that the version is the highest one in the collection. Relations: collection (models.ForeignKey): Reference to a collection model. tag (models.ManyToManyField): A symmetric reference to the Tag objects. """ TYPE \= "collection\_version" \# Data Fields authors \= psql\_fields.ArrayField(models.CharField(max\_length\=64), default\=list, editable\=False) contents \= models.JSONField(default\=list, editable\=False) dependencies \= models.JSONField(default\=dict, editable\=False) description \= models.TextField(default\="", blank\=True, editable\=False) docs\_blob \= models.JSONField(default\=dict, editable\=False) manifest \= models.JSONField(default\=dict, editable\=False) files \= models.JSONField(default\=dict, editable\=False) documentation \= models.CharField(default\="", blank\=True, max\_length\=2000, editable\=False) homepage \= models.CharField(default\="", blank\=True, max\_length\=2000, editable\=False) issues \= models.CharField(default\="", blank\=True, max\_length\=2000, editable\=False) license \= psql\_fields.ArrayField(models.CharField(max\_length\=32), default\=list, editable\=False) name \= models.CharField(max\_length\=64, editable\=False) namespace \= models.CharField(max\_length\=64, editable\=False) repository \= models.CharField(default\="", blank\=True, max\_length\=2000, editable\=False) version \= models.CharField(max\_length\=128, editable\=False) requires\_ansible \= models.CharField(null\=True, max\_length\=255) is\_highest \= models.BooleanField(editable\=False, default\=False) \# Foreign Key Fields collection \= models.ForeignKey( Collection, on\_delete\=models.PROTECT, related\_name\="versions", editable\=False ) tags \= models.ManyToManyField(Tag, editable\=False) \# Search Fields search\_vector \= psql\_search.SearchVectorField(default\="") @property def relative\_path(self): """ Return the relative path for the ContentArtifact. """ return "{namespace}-{name}-{version}.tar.gz".format( namespace\=self.namespace, name\=self.name, version\=self.version ) def \_\_str\_\_(self): """Return a representation.""" return f"<{self.\_\_class\_\_.\_\_name\_\_}: {self.namespace}.{self.name} {self.version}\>" class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" unique\_together \= ("namespace", "name", "version") constraints \= \[ UniqueConstraint( fields\=("collection", "is\_highest"), name\="unique\_is\_highest", condition\=Q(is\_highest\=True), ) \] class CollectionVersionSignature(Content): """ A content type representing a signature that is attached to a content unit. Fields: data (models.BinaryField): A signature, base64 encoded. # Not sure if it is base64 encoded digest (models.CharField): A signature sha256 digest. pubkey\_fingerprint (models.CharField): A fingerprint of the public key used. Relations: signed\_collection (models.ForeignKey): A collection version this signature is relevant to. signing\_service (models.ForeignKey): An optional signing service used for creation. """ PROTECTED\_FROM\_RECLAIM \= False TYPE \= "collection\_signature" signed\_collection \= models.ForeignKey( CollectionVersion, on\_delete\=models.CASCADE, related\_name\="signatures" ) data \= models.TextField() digest \= models.CharField(max\_length\=64) pubkey\_fingerprint \= models.CharField(max\_length\=64) signing\_service \= models.ForeignKey( SigningService, on\_delete\=models.SET\_NULL, related\_name\="signatures", null\=True ) class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" unique\_together \= ("pubkey\_fingerprint", "signed\_collection") class DownloadLog(BaseModel): """ A download log for content units by user, IP and org\_id. """ content\_unit \= models.ForeignKey( Content, on\_delete\=models.CASCADE, related\_name\="download\_logs" ) user \= models.ForeignKey( settings.AUTH\_USER\_MODEL, on\_delete\=models.CASCADE, null\=True, related\_name\="download\_logs", ) ip \= models.GenericIPAddressField() extra\_data \= models.JSONField(null\=True) user\_agent \= models.TextField() repository \= models.ForeignKey( Repository, on\_delete\=models.CASCADE, related\_name\="download\_logs" ) repository\_version \= models.ForeignKey( RepositoryVersion, null\=True, on\_delete\=models.SET\_NULL, related\_name\="download\_logs" ) class RoleRemote(Remote): """ A Remote for Ansible content. """ TYPE \= "role" class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" class CollectionRemote(Remote): """ A Remote for Collection content. """ TYPE \= "collection" requirements\_file \= models.TextField(null\=True) auth\_url \= models.CharField(null\=True, max\_length\=255) token \= EncryptedTextField(null\=True) sync\_dependencies \= models.BooleanField(default\=True) signed\_only \= models.BooleanField(default\=False) @property def download\_factory(self): """ Return the DownloaderFactory which can be used to generate asyncio capable downloaders. Upon first access, the DownloaderFactory is instantiated and saved internally. Plugin writers are expected to override when additional configuration of the DownloaderFactory is needed. Returns: DownloadFactory: The instantiated DownloaderFactory to be used by get\_downloader() """ try: return self.\_download\_factory except AttributeError: self.\_download\_factory \= AnsibleDownloaderFactory(self) return self.\_download\_factory @hook( AFTER\_UPDATE, when\_any\=\["url", "requirements\_file", "sync\_dependencies", "signed\_only"\], has\_changed\=True, ) def \_reset\_repository\_last\_synced\_metadata\_time(self): AnsibleRepository.objects.filter( remote\_id\=self.pk, last\_synced\_metadata\_time\_\_isnull\=False ).update(last\_synced\_metadata\_time\=None) class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" class GitRemote(Remote): """ A Remote for Collection content hosted in Git repositories. """ TYPE \= "git" metadata\_only \= models.BooleanField(default\=False) git\_ref \= models.TextField() class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" class AnsibleCollectionDeprecated(Content): """ A model that represents if a Collection is \`deprecated\` for a given RepositoryVersion. """ TYPE \= "collection\_deprecation" namespace \= models.CharField(max\_length\=64, editable\=False) name \= models.CharField(max\_length\=64, editable\=False) class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" unique\_together \= ("namespace", "name") class AnsibleRepository(Repository): """ Repository for "ansible" content. Fields: last\_synced\_metadata\_time (models.DateTimeField): Last synced metadata time. """ TYPE \= "ansible" CONTENT\_TYPES \= \[ Role, CollectionVersion, AnsibleCollectionDeprecated, CollectionVersionSignature, \] REMOTE\_TYPES \= \[RoleRemote, CollectionRemote\] last\_synced\_metadata\_time \= models.DateTimeField(null\=True) gpgkey \= models.TextField(null\=True) class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" permissions \= (("modify\_ansible\_repo\_content", "Can modify ansible repository content"),) def finalize\_new\_version(self, new\_version): """Finalize repo version.""" removed\_collection\_versions \= new\_version.removed( base\_version\=new\_version.base\_version ).filter(pulp\_type\=CollectionVersion.get\_pulp\_type()) \# Remove any deprecated and signature content associated with the removed collection \# versions for version in removed\_collection\_versions: version \= version.cast() signatures \= new\_version.get\_content( content\_qs\=CollectionVersionSignature.objects.filter(signed\_collection\=version) ) new\_version.remove\_content(signatures) other\_collection\_versions \= new\_version.get\_content( content\_qs\=CollectionVersion.objects.filter(collection\=version.collection) ) \# AnsibleCollectionDeprecated applies to all collection versions in a repository, \# so only remove it if there are no more collection versions for the specified \# collection present. if not other\_collection\_versions.exists(): deprecations \= new\_version.get\_content( content\_qs\=AnsibleCollectionDeprecated.objects.filter( namespace\=version.namespace, name\=version.name ) ) new\_version.remove\_content(deprecations) @hook(BEFORE\_UPDATE, when\="remote", has\_changed\=True) def \_reset\_repository\_last\_synced\_metadata\_time(self): self.last\_synced\_metadata\_time \= None class AnsibleDistribution(Distribution): """ A Distribution for Ansible content. """ TYPE \= "ansible" class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s"

CVE-2022-3644: pulp_ansible/models.py at main · pulp/pulp_ansible

PRTG Network Monitor through 22.2.77.2204 does not prevent custom input for a device’s icon, which can be modified to insert arbitrary content into the style tag for that device. When the device page loads, the arbitrary Cascading Style Sheets (CSS) data is inserted into the style tag, loading malicious content. Due to PRTG Network Monitor preventing “characters, and from modern browsers disabling JavaScript support in style tags, this vulnerability could not be escalated into a Cross-Site Scripting vulnerability.

CVE-2022-35739: PRTG Network Monitor - Version History

The WP All Export Pro WordPress plugin before 1.7.9 uses the contents of the cc_sql POST parameter directly as a database query, allowing users which has been given permission to run exports to execute arbitrary SQL statements, leading to a SQL Injection vulnerability. By default only users with the Administrator role can perform exports, but this can be delegated to lower privileged users as well.

CVE-2022-3395

The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

CVE-2022-3300

The Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.185.1 does not validate ids before using them in a SQL statement, which could lead to SQL injection exploitable by high privilege users such as admin

CVE-2022-3302

Usermin through 1.850 allows a remote authenticated user to execute OS commands via command injection in a filename for the GPG module.

Tag

#sql