An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request.

**Downloads****Current Production Release**

XML-RPC.NET 2.5.0 is the current production release.

xml-rpc.net.2.5.0.zip      documentation

New features, changes, and fixed issues:

*   Added <i8> to support 64-bit long integer values.
*   Added support for more ISO8601 date formats. AllowNonStandardDateTime flag is now deprecated. The following formats are now accepted by default, with the '-' and ':' separators being optional.
    *   yyyy-mm-ddThh:mm:ss
    *   yyyy-mm-ddThh:mm:ssZ
    *   yyyy-mm-ddThh:mm:ss�hh
    *   yyyy-mm-ddThh:mm:ss�hh:mmNote: the XML-RPC spec describes the format as 19980717T14:08:55.
*   Added AllowAutoRedirect property to IXmlRpcProxy. Default behaviour remains the same (property set to true).
*   Moved to Visual Studio 2008.
*   Discontinued support for .NET 1.0 and 1.1.
*   Fixed issues:
    *   Issue 55 : change XmlRpcProxyGen so that FileIOPermission is not required for calls to Create.
    *   Issue 56: Maintain XML-RPC struct member ordering in XmlRpcStruct after deserialization.
    *   Issue 65: When deserializing request, check that the number of parameters is consistent with the method signature.
    *   Issue 70: Allow structs/classes to have members or arrays of the same type as the parent type.

**Work in Progress**

This is a snapshot of work in progress.

xml-rpc.net.3.0.0.270-snapshot.zip      documentation

**Build 270**

*   More graceful handling of case where illegal XML characters are rejected during serialization and deserialization.
*   Added generic EndInvoke method to XmlRpcClientProtocol so return type can be used for deserialization.
*   Added support for cookie and response headers for Silverlight and Windows Phone.

**Build 266**

*   Support for easier logging of request and response XML.
*   Support for mapping .NET enums to/from XML-RPC string values using XmlRpcEnumMapping attribute.
*   Fixed problem with logging and decompression of response stream.
*   Fixed problem with return type in XmlRpcClientProtocol.EndInvoke.
*   Added unit testing for Silverlight build.
*   Switch to Silverlight 4 only in order to support credentials using ClientHttp stack.
*   Now throws XmlRpcUnsupportedTypeException when a type has an indexer property.

**Build 241**

*   Fixes problem with mapping <nil /> onto type Object.

**Build 238**

*   Support for <nil> XML-RPC extension.
*   Support for Silverlight 3 and 4.
*   Support for Windows Phone 7.
*   .NET enum types can be mapped to/from XML-RPC <i4> and <i8> values. (more)
*   New UseEmptyElementTags property on IXmlRpcProxy. If this is set to true full element tags will be generated, for example <string></string> instead of <string />. The default setting of false for this property results is consistent with previous releases. This new feature provides compatibility with servers implemented with XML-RPC libraries which don't support empty tags, such XMLRPC++.
*   New UseNagleAlgorithm property on IXmlRpcProxy. With its default value of false calls will be quicker where small XML-RPC requests are being sent.
*   Separate client and server assemblies � client assembly compatible with .NET Client Profile.
*   Changed directory structure within distribution zip file to avoid problem when opening the file in Windows Explorer.
*   Moved to Visual Studio 2010.
*   Fixed issues:
    *   Issue 55 : change XmlRpcProxyGen so that FileIOPermission is not required for calls to Create.
    *   Issue 56: Maintain XML-RPC struct member ordering in XmlRpcStruct after deserialization.
    *   Issue 65: When deserializing request, check that the number of parameters is consistent with the method signature.
    *   Issue 70: Allow structs/classes to have members or arrays of the same type as the parent type.
    *   Issue 74: Fixed case where if a proxy call is made with a ResponseEvent assigned, the call crashes with a "Stream Closed" error.
    *   Issue 77: Fixed exception when AllowStringFaultCode is set to true. Now string fault codes are handled as well as integer fault code by default.
    *   Issue 78: XmlRpcServiceInfo.GetXmlRpcType now handles case of NonSerializedAttribute on all types.
    *   Issue 83: Change to prevent internal server error when viewing auto-generated help on Mono based servers.
    *   Issue 86: XmlRpcDocWriter.WriteStruct now writes XmlRpcMember.Description.
    *   Issue 89: Workaround on XmlRpcListenerService for cases where closing the request stream was resulting in an InvalidOperationException.
*   Changes:
    *   Custom nullable types � XmlRpcBoolean, XmlRpcDateTime, XmlRpcDouble, XmlRpcInt � have been discontinued. Use the standard nullable types bool?, DateTime?, double?, int?.
    *   A server implementation now needs to reference the CookComputing.XmlRpcServer assembly in addition to the CookComputing.XmlRpc assembly.
    *   Default value for new UseNagleAlgorithm. By default it was previously always false.

**Older Releases****2.4.0**

xml-rpc.net.2.4.0.zip

New feature and fixed issues:

*   New StructParams property on XmlRpcMethodAttribute which provides supports for APIs which use a struct to provide named parameters to a method call. (more).
*   NonSerialized attribute can be applied to struct members to prevent them being serialized and deserialized. (more).
*   Fixed issues:
    *   Issue 25: NullReferenceException when struct member name is an empty string. Now throws XmlRpcInvalidXmlRpcException.
    *   Issue 26: Auto-Documentation does not work with HttpListener.
    *   Issue 27: XmlRpcListenerService.ProcessRequest may not close stream in case of exception.
    *   Issue 28: XmlRpcSerializer.GetStructName does not check for Properties.
    *   Issue 31: UseIntTag is being ignored.
    *   Issue 32: XmlRpcClientProtocol problem with response from void method.
    *   Issue 34: XmlRpcServerProtocol should be derived from MarshalByRefObject. The system.\* methods do not work with remoting object.
    *   Issue 35: UseEmptyParamsTag property on the proxy doesn�t work unless you are making asynchronous calls.
    *   Issue 36: Fixed SelectSingleNode and using statement in XmlRpcFaultException for Compact Framework version.
    *   Issue 38: Check of ParamArrayAttribute causes crash under Mono/Linux.
    *   Issue 40: Deserialization performance enhancement.

**2.3.2**

xml-rpc.net.2.3.2.zip

Changes:

*   Issue 22: XmlRpcTypeMismatchException thrown if an XML-RPC array is mistakenly mapped onto a .Net struct (was throwing MissingMethodException).
*   Issue 23: Fixes problem where XML-RPC string values containing just one or more spaces were deserialized as an empty .Net string value.
*   Issue 24: XmlRpcV2 assembly is now built with a strong name.

**2.3.1**

xml-rpc.net.2.3.1.zip

Changes:

*   Issue 20: Fixes problem where XML-RPC service implemented as HttpHandler returns 500 server error.
*   Issue 21: Fixes problem with StateNameServer sample which returns fault response because of duplicate XML-RPC method names.

**2.3.0**

xml-rpc.net.2.3.0.zip

New features and changes:

*   Issue 15: Support for accessing response headers and cookies. (more).
*   Issue 17: Support for not sending a params element if no method parameters. (more).
*   Changes:
    *   Issue 16: Content type set before writing to response stream (fixes Mono issue).
    *   Issue 18: Modified proxy code generation so that it verifies - prevents �Operation could destabilize the runtime" problem.
    *   Issue 19: XmlRpcListenerService now sets Content Length header and does not use chunked content by default.

**2.2.0**

xml-rpc.net.2.2.0.zip

New features and changes:

*   Support for using System.Net.HttpListener to implement an XML-RPC server. (more).
*   Allow client to configure that <string> tag is not used for string values. (more).
*   Server configuration using XmlRpcServiceAttribute. (more).
*   Client support for Accept-Encoding - gzip and deflate. (more).
*   Changes:
    *   Fixed null exception if acquiring request stream fails while logging.
    *   Fixed stack overflow in GetXmlRpcType if invalid types such as DBNull passed in.
    *   Fixed handling of params method parameter if it is first parameter of method.
    *   Improved error reporting when processing params parameters.
    *   Throw XmlRpcDupXmlRpcMethodNames if same XML-RPC name applied to two methods.
    *   Handle zero offset timezones when AllowNonStandardDateTime flag set.

**2.1.0**

xml-rpc.net.2.1.0.zip

New features and changes:

*   Add support for proxy interfaces with overloaded methods. (more).
*   Add support for the int?, bool?, double?, and DateTime? nullable types to represent struct member types (.NET 2.0 version). These can be used to support optional struct members of int, boolean, double, and dateTime.iso8601 types. (more).

**2.0.0**

xml-rpc.net.2.0.0.zip

New features and changes:

*   Add generic form of XmlRpcProxyGen.Create() to remove need to cast the result of Create to the relevant interface (v2 assembly only) (more).
*   Add support for XmlRpcNonStandard.AllowInvalidHttpContent to handle HTTP response content which has whitespace before the start of the XML-RPC response (more).
*   Switch from NAnt to MSBuild and now builds a .NET 2.0 assembly as well as a .NET 1.0 assembly. Note that the 1.0 assembly can be used on all versions of the .NET runtime and should be used where backwards compatibility is required. The 2.0 assembly contains enhancements which rely on features of .NET 2.0 such as generics and can only be used on the .NET 2.0 and later versions of the runtime (more).
*   Error handling
    *   Throws XmlRpcInvalidParametersException if the parameters array passed to XmlRpcClientProtocol.Invoke contains more parameters than are defined for the method being invoked.
    *   Throws XmlRpcInvalidXmlRpcException if a struct member is missing its name or value child element or if it has a duplicate name or value child element.
    *   Attempt to serialize type with one or more properties that cannot be serialized to an XML-RPC type now results in the correct exception being thrown: XmlRpcUnsupportedTypeException.
*   Samples:
    *   Modify samples to use IXmlRpcProxy interface.
    *   Fix threading issue in AsyncBettyApplication sample.

**1.0.0**

xml-rpc.net.1.0.0.zip

New features and changes:

*   IXmlRpcProxy interface to simplify setting proxy properties (more).
*   Expect100Continue property on XmlRpcClientProtocol to configure "Expect: 100-continue" header; default is header not sent (more).
    *   Note: default behavior in previous versions of XML-RPC.NET was to send this header.
*   Support for variable number of method parameters using params (more).
*   Configurable client support for server which don't comply with XML-RPC standard:
    *   UseIntTag proxy property to use <int> instead of <i4>.
    *   Support dateTime with all zeroes (e.g. eGroupWare).
    *   Support empty dateTime values.
    *   Support fault code returned as string.
    *   Support for non-standard dateTime formats
    *   Note: default is standard XML-RPC only. Existing code which relies on non-standard behaviour will need to configure the proxy NonStandard property (more).
*   Support for sending cookies with request (thanks to JC Bertin) (more).
*   Changes:
    *   Fix for when passing zero-length byte array as base64 value.
    *   Removed large switch statements to circumvent Microsoft .NET bug when running in version 2.0 of the .NET runtime with medium trust.
    *   Uses invariant DateTimeFormatInfo when parsing dateTime.iso8601 so parsing works in all locales
    *   Check for recursive data structures when serializing.
    *   Fix to allow XmlRpcStruct member to be set more than once.
    *   Prevent types which cannot be serialized from being added to XmlRpcStruct.
    *   Improved error handling for null values when serializing.
    *   Fix to XmlRpcServerFormatterSink suggested by Sean Rohead.
*   Sample code:
    *   Updates on sample blogging interfaces from Sam Schillace and Mikahosi.
    *   Sample code for accessing OpenDHT (thanks to Michel Foucault).

**0.9.2**

xml-rpc.net.0.9.2.zip

*   Fixed parsing struct containing an enum member.
*   Lock around generation of proxy type.
*   When generating proxy from interface now includes methods from base interfaces.
*   Added RequestEvent and ResponseEvent events to XmlRpcClientProtocol.
*   Added XmlRpcLogger class for ease of use of RequestEvent and ResponseEvent events.
*   Adding LoggingEample sample.
*   Support for XmlRpcMissingMapping attribute on properties.
*   Invalid struct elements ignored if mapping action is Ignore.
*   Fixed dateTime issue with Wareki calendar.
*   Fixed problem with serializing void return.
*   Modified call to DeserializeResponse in DeserializeMessage.
*   Handles case when server incorrectly returns fault code as a string.
*   XmlRpcStruct restricted to string keys.

**0.9.1**

xml-rpc.net.0.9.1.zip

*   Distribution includes version of library which runs on .NET Compact Framework.
*   DateTime parsing bug fixed (caused problems in particular with it-IT locale)
*   XmlRpcProxyGen caches generated assemblies to avoid leakage if XmlRpcProxyGen is called multiple times for the same interface.

**0.9.0**

xml-rpc.net.0.9.0.zip

*   XmlRpcServiceAttribute has a new AutoDocumentation property which allows automatic documentation to be switched off.
*   Handles XML-RPC response encodings other than UTF-8.
*   XmlRpcMemberAttribute fixed.
*   XmlRpcClientProtocol has new ProtocolVersion property to allow HTTP v1.0 to be specified.
*   XmlRpcClientProtocol has new KeepAlive property (default is true). With some servers it may be necessary to set this to false when running with the current beta of the 2.0 CLR, for example if you start seeing the "Underlying Connection Was Closed" exception or the second call on a proxy appears to hang.
*   Multi-dimensional arrays handled correctly.
*   dateTime parsing supports "yyyy-MM-ddTHH:mm:ss" to handle blog service providers which return invalid XML-RPC dateTime values in this format.
*   Includes Joe Bork's xmlrpcgen utility to generate source code for proxies.
*   Release runs on version 1.0 of CLR upwards.

**0.8.0**

xml-rpc.net.0.8.0.zip

*   optional struct members
*   The zip file contains a bin directory containing:

*   **CookComputing.XmlRpc.dll**
*   **bettyapp.exe** (A WinForms application which calls the UserLand betty example server.)
*   **asyncbettyapp.exe** (Another WinForms app illustrating how to make async calls.)
*   **mathservice.exe** (A simple XML-RPC service.)
*   **mathapp.exe** (A WinForms application which calls MathService.)

**0.7.1**

xml-rpc.net.0.7.1.zip

*   License change.
*   Fixed problem in XmlRpcServerFormatterSink.cs whereby an exception was thrown if the XML-RPC and .NET method names are different.

**0.7.0**

xml-rpc.net.0.7.0.zip

*   error reporting of parsing errors using parse stack
*   support for async proxy method generation
*   contiuning work on auto-generated documentation
*   params keywords used in XmlRpcClientProtocol.Invoke
*   server method can return void (return empty string in XML-RPC response)
*   proxy method can return void (return value in XML-RPC response discarded)
*   deserializer throws exception if an XML-RPC struct is missing one or more expected members
*   fixed irritating warning when compiling XmlRpcStruct
*   add version of BeginInvoke taking correct params as per docs
*   Close always called on WebResponse
*   fixed usage of XmlRpcClientProtocol Proxy property when used in VS designer (Drew Marsh)
*   fixed handling of response without Content-Length during async calls (Dmitry Jemerov)
*   fixed case when zero-length string in default string value is passed as <value/> (Drew Marsh)
*   The zip file contains a bin directory containing:

*   **CookComputing.XmlRpc.dll**
*   **bettyapp.exe** (A WinForms application which calls the UserLand betty example server.)
*   **asyncbettyapp.exe** (Another WinForms app illustrating how to make async calls.)
*   **mathservice.exe** (A simple XML-RPC service.)
*   **mathapp.exe** (A WinForms application which calls MathService.)

**Limitations of Current Release**

*   Auto-documentation generation not fully implemented.
*   No tracing/logging functionality.

**0.6.0**

xml-rpc.net.0.6.0.zip

*   Fixed UserAgent property of XmlRpcClientProtocol.
*   Added Proxy property to XmlRpcClientProtocol.
*   Default for XML-RPC request XML document is no explicit encoding, i.e. implicitly UTF-8.
*   Added Encoding property to XmlRpcClientProtocol to set explicit encoding on XML-RPC request XML document
*   Can now use interface to define XML-RPC methods. For example can use same interface to implement both server and client. MathService changed to illustrate use of interface.
*   Added XmlRpcProxyGen class to dynamically create a proxy object from an interface, i.e. makes hand-coding of proxies unnecessary in most cases. bettyapp sample changed to illustrate this.
*   Fixed parsing of double type to be culture independent.
*   Fault response XML document now generated in same way as ordinary response, i.e. will be in same format and encoding.

**0.5.5**

xml-rpc.net.0.5.5.zip

*   Added ClientCertificates property to XmlRpcClientProtocol  
    
*   The zip file contains a bin directory containing:

*   **CookComputing.XmlRpc.dll**
*   **bettyapp.exe** (A WinForms application which calls the UserLand betty example server.)
*   **asyncbettyapp.exe** (Another WinForms app illustrating how to make async calls.)
*   **mathservice.exe** (A simple XML-RPC service.)
*   **mathapp.exe** (A WinForms application which calls MathService.)

**Limitations of Current Release  
**

*   Auto-documentation generation not fully implemented.
*   No tracing/logging functionality.

**0.5.4**

xml-rpc.net.0.5.4.zip

*   Added Headers property to XmlRpcClientProtocol.
*   Added XmlRpcMemberAttribute.
*   Modified deserialization of arrays to return more specific array type when all elements are of the same type.

**0.5.3**

xml-rpc.net.0.5.3.zip

*   Fixed problem with deserializing arrays.

**0.5.2**

xml-rpc.net.0.5.2.zip

*   Improved handling of XmlRpcFaultException in server formatter sink..

**0.5.1**

xml-rpc.net.0.5.1.zip

*   Improved handling of XmlRpcFaultException in server formatter sink..

**0.5.0**

xml-rpc.net.0.5.0.zip

*   Interim release containing preliminary code for client and server NET Remoting formatter sinks.
*   A Remoting sample, with assemblies and config files.

**0.4.3**

xml-rpc.net.0.4.3.zip

*   Interim release containing bug fixes, mainly in the serialization/deserialization code.
*   Some restructuring in preparation for some major changes in the 0.5 series of releases.

**0.4.2**

xml-rpc.net.0.4.2.zip

*   Build for .NET RTM.
*   Added preliminary support for Introspection API.

**0.4.1**

xml-rpc.net.0.4.1.zip

*   Major changes to XmlRpcClientProtocol class to support async calls, working but coding not completed.
*   Extra sample - AsyncBettyApp - to illustrate async calls.

**0.4.0**

Initial release for .NET beta 2.

xml-rpc.net.0.4.0.zip

**0.3.0**

Initial release for .NET beta 1.

**Developers**

Lead Developer - Charles Cook.

CVE-2022-47514: XML-RPC.Net - Downloads

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

John Leyden 16 December 2022 at 17:43 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Our second web security roundup begins with news that a brace of network security flaws in products from Fortinet and Citrix have each come under active attack.

These attacks were respectively enabled by memory corruption vulnerabilities in the FortiOS SSL-VPN as well as a critical arbitrary code execution risk in Citrix ADC and Citrix Gateway (CVE-2022-27518). It’s unclear whether these assaults are linked, but their occurrence can still be said to underline the importance of patching SSL VPN devices, which have previously been vectors for pushing ransomware onto enterprise networks, among other attacks.

Uber this week suffered a data breach as a result of a cybersecurity incident at a third-party vendor, resulting in the exposure of employees’ personal information. The incident represents only the latest security breach to impact the ride-hailing app firm, which was previously faulted for the delayed disclosure of a 2016 breach that exposed the account records of customers and drivers. More recently, back in September, Uber’s internal IT systems were breached by a social engineering attack.

Over at Black Hat Europe, security researcher Nitesh Dhanjani discussed the impact of floor prices of non-fungible token (NFT) collections and how attacks focused on business dynamics have the potential to wreak havoc on marketplaces. Dhanjani also spoke about off-chain and on-chain sync algorithms, and how the disparities between the two blockchain-related environments can be abused.

I also attended the event for The Daily Swig, reporting on a keynote in which security researcher Daniel Cuthbert said the industry’s fixation on zero-day vulnerabilities was only a partial solution to making the internet fundamentally secure. We also covered some of the top hacking tools from the event.

Among other stories on The Daily Swig in recent days was an Akamai WAF bypass via Spring Boot, SQL injection payloads being smuggled past WAFs, and a crypto maintainer rejecting a bogus cryptocurrency ‘vulnerability’ submitted with the help of ChatGPT.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   Apache CXF / Critical / SSRF (server-side request forgery) vulnerability in parsing the href attribute of XOP / Disclosed with patch, December 13
*   Grails Spring Security Core plugin / CVE-2022-41923 / Critical / “Vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint” / Disclosed with patch, November 22
*   Microsoft .NET / CVE-2022-41089 / Critical / “Malicious actor could cause a user to run arbitrary code as a result of parsing maliciously crafted xps files” / Disclosed with a patch, December 13
*   Ping / CVE-2022-23093 / Memory-handling vulnerability involving networking protocol implementation by FreeBSD prompted its developers to test their own software, which unearthed a flaw in OpenBSD’s implementation of Ping that dates back to software changes introduced 24 years ago
*   Planet eStream / Critical / Vulnerabilities in video platform geared towards online learning enable attackers to take over user accounts with administrative privileges and execute arbitrary JavaScript code, among other attacks / Vendor has released software updates

**Research and attack techniques**

*   A researcher documented how it’s possible to exploit misconfigurations in cross-origin resource sharing (CORS) – a mechanism to control access to restricted website resources from external domains – to run various attacks. CORS misconfiguration issues have historically been downplayed but can seemingly be exploited to bypass CSRF protections or run cross-site tracking (XST) attacks.
*   Lightspin uncovered a serious flaw in an AWS-hosted service that allows software developers to find and share public container images. Attackers could potentially delete all images in the AWS Elastic Container Registry (ECR) Public Gallery or update image contents to inject malicious code, prompting AWS to resolve the problem within a day of its disclosure.
*   A series of flaws in three popular applications that allows an Android device to be used as a remote keyboard and mouse were exposed by Synopsys Cybersecurity Research Center (CyRC) The authentication, authorization, and insecure communication flaws potentially opened up attacks including keystroke sniffing.
*   Supposedly ‘air-gapped’ networks without direct access to the internet often require DNS services in order to resolve a company’s internal DNS records – a weakness potential hackers might be able to exploit, as a blog post by Pentera explains.
*   SALT Labs used a LEGO\-run site as a testbed to illustrate the general risk posed by API security issues. Researchers uncovered a variety of API-related security issues in LEGO’s Brick Lane, including a potential vector to internal production data and systems or manipulating users into surrendering control of their accounts.

LEGO reportedly fixed a number of API security issues found by SALT Labs

**Bug bounty / vulnerability disclosure**

*   HackerOne revealed that cloud-based vulnerabilities account for a growing proportion of vulnerabilities reported by bug bounty hunters, now totalling 65,000 in 2022, a year-on-year rise of 21%.
*   A security researcher who discovered a means to achieve unauthorized access to resumes stored on LinkedIn may have been left underwhelmed by the $5,000 bounty he received for his find, given the potential impact of the issue on users of the Microsoft-owned business-focused social network. An Insecure Direct Object Reference (IDOR) security vulnerability, inadvertently introduced in October 2022, could have allowed recruiters and perhaps more unsavoury parties to download resumes without permission.
*   Swedish video surveillance giant Axis Communications has launched a private bug bounty program with Bugcrowd.

**New open source infosec/hacking tools**

*   Node Security Shield – a defensive tool that takes an allow-listing approach to protecting zero-day protection for NodeJS applications. The tool was inspired by the infamous Log4Shell vulnerability, a zero-day vulnerability in Log4j, a popular Java logging framework.
*   Invoke-DNSteal – allows pen testers to perform file transfers using the DNS protocol as a covert communications channel.
*   Kubeshark – API Traffic Viewer for Kubernetes, providing “deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster”

**For devs**

*   Google has announced a free-of-charge scanner that allows open source developers to check their software projects for vulnerable dependencies. The tool – called OSV-Scanner – builds on Google’s work in developing an open source vulnerability database.
*   OWASP, best known for its ‘Top 10 Web Application Security Risks’ framework, is backing the creation of a similar scheme to index classes of security risks in the world of AppSec and DevSecOps. The Top 10 CI/CD Security Risks taxonomy aims to catalogue risks in the CI/CD pipeline. “Insufficient Flow Control Mechanisms” topped the nascent list.
*   The SHA-1 cryptographic algorithm, in use since 1995, has reached the end of its useful life, announced the National Institute of Standards and Technology (NIST), which says the federal government should phase out its use by 2030.
*   Research from Endor Labs found that the vast majority (95%) of all vulnerabilities are “found in transitive dependencies – open source code packages that are not selected by developers, but indirectly pulled into projects”.

**For fun**

ChatGPT – the artificial intelligence chat tool from OpenAI – is the hottest thing in infosec-focused social media circles just now. Rather than suggesting possible vulnerabilities in code we wondered what ChatGPT could conjure when asked to write lyrics for a song about SQL injection in the style of the late David Bowie.

The results were more than satisfactory:

In the realm of computers, where data flows like a stream  
There are those that seek to exploit and cause us all to scream  
They are the hackers, the codebreakers, the malicious ones  
And among their favorite trick is the art of SQL injection

Chorus:

SQL injection, SQL injection  
A dangerous game, a digital infection  
SQL injection, SQL injection  
Beware of the hackers and their devious invention

To paraphrase the great man himself, I still don’t know what I was waiting for... but it definitely wasn’t this.

RECOMMENDED Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

Deserialized web security roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat 

Adobe Campaign version 7.3.1 (and earlier) and 8.3.9 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A low-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.

Security updates available for Adobe Campaign Classic | APSB22-58

**Summary**

Adobe has released security updates for Adobe Campaign Classic. This update addresses an important vulnerability that could result in privilege escalation.  
  

**Affected versions**

**Product**

**Affected version**

**Platform**

Adobe Campaign Classic  

ACC v7: 7.3.1 and below

ACC v8: 8.3.9 and below

Windows, Linux

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their installation to the newest version:

**Product**

**Updated version**

**Platform**

**Priority rating**

**Availability**

Adobe Campaign Classic  

ACC v7: 7.3.2

ACC v8: 8.4.2

Windows and Linux

3

Release 7 Notes

Release 8 Notes

**Vulnerability Details**

Improper Input Validation (CWE-20)  

**Acknowledgments**

Adobe would like to thank **Felix Martel-Denis - Software Secured** for reporting this issue and for working with Adobe to help protect our customers.

CVE-2022-42343: Adobe Security Bulletin

Attackers also could breach internal production data to compromise a corporate network using vulnerabilities found in the BrickLink online platform.

API flaws in a widely used Lego online marketplace could have allowed attackers to take over user accounts, leak sensitive data stored on the platform, and even gain access to internal production data to compromise corporate services, researchers have found.

Researchers from Salt Labs discovered the vulnerabilities in BrickLink, a digital resale platform owned by the Lego Group for buying and selling second-hand Legos, demonstrating that — technology-wise, anyway — not all of the company's toy pieces snap perfectly into place.

Salt Security's research arm discovered both vulnerabilities by investigating areas of the site that support user input fields, Shiran Yodev, Salts Labs security researcher, revealed in a report published on Dec. 15.

The researchers found each of the core flaws that could be exploited for attack in parts of the site that allow for user input, which they said is often a place where API security issues — a complex and costly problem for organizations — arise.

One flaw was a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a victim end user’s machine through a crafted link, they said. The other allowed for the execution of an XML External Entity (XXE) injection attack, where an XML input containing a reference to an external entity is processed by a weakly configured XML parser.

**API Weaknesses Abound**

The researchers were careful to stress that they didn't intend to single out Lego as a particularly negligent technology provider — on the contrary, API flaws in Internet-facing applications are incredibly common, they said.

There is a key reason for that, Yodev tells Dark Reading**:** No matter the competency of an IT design and development team, API security is a new discipline that all Web developers and designers are still figuring out.

"We readily find these kinds of serious API vulnerabilities in all sorts of online services we investigate," he says. "Even companies with the most robust application security tooling and advanced security teams frequently have gaps in their API business logic."

And while both flaws could have been discovered easily through pre-production security testing, "API security is still an afterthought for many organizations," notes Scott Gerlach, co-founder and CSO at StackHawk, an API security testing provider.

"It usually doesn't come into play until after an API has already been deployed, or in other cases, organizations are using legacy tooling not built to test APIs thoroughly, leaving vulnerabilities like cross-site scripting and injection attacks undiscovered," he says.

**Personal Interest, Rapid Response**

The research to investigate Lego's BrickLink was not meant to shame and blame Lego or "make anyone look bad," but rather to demonstrate "how common these mistakes are and to educate companies on steps they can take to protect their key data and services," Yodev says.

The Lego Group is the world’s largest toy company and a massively recognizable brand that can indeed draw people's attention to the issue, the researchers said. The company earns billions of dollars in revenue per year, not only because of children's interest in using Legos but also as a result of an entire adult hobbyist community — of which Yodev admits he is one — that also collects and builds Lego sets.

Because of the popularity of Legos, BrickLink has more than 1 million members that use its site.

The researchers discovered the flaws on Oct. 18, and, to its credit, Lego responded quickly when Salt Security revealed the issues to the company on Oct. 23, confirming the disclosure within two days. Tests conducted by Salt Labs confirmed shortly after, on Nov. 10, that the issues had been resolved, the researchers said.

"However, due to Lego's internal policy, they cannot share any information regarding reported vulnerabilities, and we are therefore unable to positively confirm," Yodev acknowledges. Moreover, this policy also prevents Salt Labs from confirming or denying if attackers exploited either of the flaws in the wild, he says.

**Snapping Together the Vulnerabilities**

Researchers found the XSS flaw in the “Find Username” dialog box of BrickLinks' coupon search functionality, leading to an attack chain using a session ID exposed on a different page, they said.

"In the 'Find Username' dialog box, a user can write a free text that eventually ends up rendered into the webpage’s HTML," Yodev wrote. "Users can abuse this open field to input text that can lead to an XSS condition."

Though the researchers couldn't use the flaw on its own to mount an attack, they found an exposed session ID on a different page that they could combine with the XSS flaw to hijack a user's session and achieve account takeover (ATO), they explained.

"Bad actors could have used these tactics for full account takeover or to steal sensitive user data," Yodev wrote.

Researchers uncovered the second flaw in another part of the platform that receives direct user input, called "Upload to Wanted List," which allows BrickLink users to upload a list of wanted Lego parts and/or sets in XML format, they said.

The vulnerability was present due to how the site's XML parser uses XML External Entities, a part of the XML standard that defines a concept called an entity, or a storage unit of some type, Yodev explained in the post. In the case of the BrickLinks page, the implementation was vulnerable to a condition in which the XML processor may disclose confidential information that's typically not accessible by the application, he wrote.

Researchers exploited the flaw to mount an XXE injection attack that allows a system-file read with the permissions of the running user. This type of attack also can allow for an additional attack vector using server-side request forgery, which might enable an attacker to gain credentials for an application running on Amazon Web Services and thus breach an internal network, the researchers said.

**Avoiding Similar API Flaws**

Researchers shared some advice to help enterprises avoid creating similar API issues that can be exploited on Internet-facing applications in their own environments.

In the case of API vulnerabilities, attackers can inflict the most damage if they combine attacks on various issues or conduct them in quick succession, Yodev wrote, something the researchers demonstrated is the case with the Lego flaws.

To avoid the scenario created with the XSS flaw, organizations should follow the rule of thumb "to never trust user input," Yodev wrote. "Input should be properly sanitized and escaped," he added, referring organizations to the XSS Prevention Cheat Sheet by the Open Web Application Security Project (OWASP) for more information on this topic.

Organizations also should be careful in their implementation of session ID on Web-facing sites because it's "a common target for hackers," who can leverage it for session hijacking and account takeover, Yodev wrote.

"It is important to be very careful when handling it and not expose or misuse it for other purposes," he explained.

Finally, the easiest way to stop XXE injection attacks like the one researchers demonstrated is to completely disable External Entities in your XML parser’s configuration, the researchers said. The OWASP has another useful resource called the XXE Prevention Cheat Sheet that can guide organizations in this task, they added.

API Flaws in Lego Marketplace Put User Accounts, Data at Risk

WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

CVE-2022-3590

A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.

**Apache CXF Server-Side Request Forgery vulnerability**

High severity GitHub Reviewed Published Dec 13, 2022 • Updated Dec 13, 2022

GHSA-x3x3-qwjq-8gj4: Apache CXF Server-Side Request Forgery vulnerability

CVE-2022-46364: Apache CXF SSRF Vulnerability Severity: important Description: A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Credit: thanat0s from Beijin Qihoo 360 adlab (finder) (finder) References: https://cxf.apache.org/ https://www.cve.org/CVERecord?id=CVE-2022-46364

CVE-2022-46364

Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Plot build data' build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Plot Plugin 2.1.12 disables external entity resolution for its XML parser.



**Jenkins Plot Plugin XML External Entity Reference vulnerability**

High severity GitHub Reviewed Published Dec 12, 2022 • Updated Dec 12, 2022

GHSA-wgpp-g6v9-7hxp: Jenkins Plot Plugin XML External Entity Reference vulnerability

IBM Db2U 3.5, 4.0, and 4.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 237210.

**Security Bulletin**

  

**Summary**

IBM has released the below fix for IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data in response to multiple vulnerabilities found in multiple components.

**Vulnerability Details**

**CVEID:**   CVE-2016-1000023  
**DESCRIPTION:**   Minimatch is vulnerable to a denial of service, caused by a regular expression of minimatch.js. By using a specially crafted glob pattern, a remote attacker could exploit this vulnerability to cause the application to consume an overly large amount of CPU resources  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/118817 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-41296  
**DESCRIPTION:**   IBM Db2U is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237210 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

**CVEID:**   CVE-2021-21303  
**DESCRIPTION:**   Helm could allow a local authenticated attacker to bypass security restrictions, caused by the failure to sanitized multiple fields in various .yaml files. By sending a specially-crafted request, an attacker could exploit this vulnerability to send deceptive, obscure or alter information to a terminal screen.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196392 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)

**CVEID:**   CVE-2022-36055  
**DESCRIPTION:**   Helm is vulnerable to a denial of service, caused by a flaw in the strvals package. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause memory panics, and results in a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235100 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2021-32690  
**DESCRIPTION:**   Helm could allow a remote attacker to obtain sensitive information, caused by improper validation of user-supplied input by the index.yaml file. By gaining access to the chart archives, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 6.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203901 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

**CVEID:**   CVE-2022-3172  
**DESCRIPTION:**   Kubernetes kube-apiserver is vulnerable to server-side request forgery, caused by a flaw with allowing an aggregated API server to redirect client traffic to any URL. By sending a specially-crafted request, an attacker could exploit this vulnerability to conduct SSRF attack to unexpected actions and the client's API server credentials to third parties.  
CVSS Base score: 5.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236344 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L)

**CVEID:**   CVE-2022-29526  
**DESCRIPTION:**   Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw in the Faccessat function when called with a non-zero flags parameter. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain accessible file information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229593 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2022-30633  
**DESCRIPTION:**   Golang Go is vulnerable to a denial of service, caused by an uncontrolled recursion flaw in Unmarshal in encoding/xml due to stack exhaustion. By parsing a specially-crafted XML document, a remote attacker could exploit this vulnerability to cause a panic.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/233146 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-28131  
**DESCRIPTION:**   Golang Go is vulnerable to a denial of service, caused by an uncontrolled recursion flaw in Decoder.Skip in encoding/xml due to stack exhaustion. By parsing a specially-crafted XML document, a remote attacker could exploit this vulnerability to cause a panic.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/233141 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-27664  
**DESCRIPTION:**   Golang Go is vulnerable to a denial of service, caused by a flaw in net/http. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a closing HTTP/2 server connection to hang, and results in a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235355 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-41297  
**DESCRIPTION:**   IBM Db2U is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237212 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

**IBM X-Force ID:**   221551  
**DESCRIPTION:**   Helm could allow a remote authenticated attacker to obtain sensitive information, caused by repository credentials being passed to alternate domain. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221551 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

All platforms of the following IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data refresh levels are affected:

Release

Version

IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data

v3.5 through refresh 10  
v4.0 through refresh 9  
v4.5 through refresh 3

  

**Remediation/Fixes**

IBM strongly recommends addressing the vulnerability now by upgrading to the latest IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data release containing the fix for these issues. It can be applied to any affected fixpack and refresh level of the appropriate release.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

30 Nov 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSC8M7","label":"IBM Db2 Advanced Edition Cartridge for IBM Cloud Pak for Data"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"All","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSSAIKN","label":"IBM Db2 Warehouse Cartridge for IBM Cloud Pak for Data"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"All","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2022-41296: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data

Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Checkmarx Plugin
*   Custom Build Properties Plugin
*   Gitea Plugin
*   Google Login Plugin
*   Plot Plugin
*   Sonar Gerrit Plugin
*   Spring Config Plugin

**Descriptions****XXE vulnerability in Plot Plugin**

**SECURITY-2940 / CVE-2022-46682**  
**Severity (CVSS):** High  
**Affected plugin: plot**  
**Description:**

Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Plot build data' build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Plot Plugin 2.1.12 disables external entity resolution for its XML parser.

**Open redirect vulnerability in Google Login Plugin**

**SECURITY-2967 / CVE-2022-46683**  
**Severity (CVSS):** Medium  
**Affected plugin: google-login**  
**Description:**

Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

Google Login Plugin 1.7 only redirects to relative (Jenkins) URLs.

**Stored XSS vulnerability in Checkmarx Plugin**

**SECURITY-2869 / CVE-2022-46684**  
**Severity (CVSS):** High  
**Affected plugin: checkmarx**  
**Description:**

Checkmarx Plugin processes Checkmarx service API responses and generates HTML reports from them for rendering on the Jenkins UI.

Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports. This results in a stored cross-site scripting (XSS) vulnerability.

While Jenkins users without Overall/Administer permission are not allowed to configure the URL to the Checkmarx service, this could still be exploited via man-in-the-middle attacks.

Checkmarx Plugin 2022.4.3 escapes values returned from the Checkmarx service API before inserting them into HTML reports.

**Improper credentials masking in Gitea Plugin**

**SECURITY-2661 / CVE-2022-46685**  
**Severity (CVSS):** Medium  
**Affected plugin: gitea**  
**Description:**

Gitea Plugin support authentication with Gitea personal access tokens.

In Gitea Plugin 1.4.4 and earlier, the implementation of these tokens did not support credentials masking. This can expose Gitea personal access tokens in the build log, e.g., when printed as part of repository URLs.

Gitea Plugin 1.4.5 adds support for masking of Gitea personal access tokens.

Administrators unable to update are advised to use SSH checkout instead.

**Stored XSS vulnerability in Custom Build Properties Plugin**

**SECURITY-2810 / CVE-2022-46686**  
**Severity (CVSS):** High  
**Affected plugin: custom-build-properties**  
**Description:**

Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values.

Custom Build Properties Plugin 2.82.v16d5b\_d3590c7 escapes property values and build display names on the Custom Build Properties and Build Summary pages.

**Stored XSS vulnerability in Spring Config Plugin**

**SECURITY-2814 / CVE-2022-46687**  
**Severity (CVSS):** High  
**Affected plugin: spring-config**  
**Description:**

Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names.

Spring Config Plugin 2.0.1 escapes build display names shown on the Spring Config view.

**CSRF vulnerability in Sonar Gerrit Plugin**

**SECURITY-1002 / CVE-2022-46688**  
**Severity (CVSS):** Medium  
**Affected plugin: sonar-gerrit**  
**Description:**

Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.

**Severity**

*   SECURITY-1002: Medium
*   SECURITY-2661: Medium
*   SECURITY-2810: High
*   SECURITY-2814: High
*   SECURITY-2869: High
*   SECURITY-2940: High
*   SECURITY-2967: Medium

**Affected Versions**

*   **Checkmarx Plugin** up to and including 2022.3.3
*   **Custom Build Properties Plugin** up to and including 2.79.vc095ccc85094
*   **Gitea Plugin** up to and including 1.4.4
*   **Google Login Plugin** up to and including 1.6
*   **Plot Plugin** up to and including 2.1.11
*   **Sonar Gerrit Plugin** up to and including 377.v8f3808963dc5
*   **Spring Config Plugin** up to and including 2.0.0

**Fix**

*   **Checkmarx Plugin** should be updated to version 2022.4.3
*   **Custom Build Properties Plugin** should be updated to version 2.82.v16d5b\_d3590c7
*   **Gitea Plugin** should be updated to version 1.4.5
*   **Google Login Plugin** should be updated to version 1.7
*   **Plot Plugin** should be updated to version 2.1.12
*   **Spring Config Plugin** should be updated to version 2.0.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Sonar Gerrit Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Asi Greenholts of Cider Security** for SECURITY-2661
*   **CC Bomber, Kitri BoB** for SECURITY-2940
*   **Kevin Guerroudj, CloudBees, Inc. and Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2810, SECURITY-2869
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1002
*   **Valdes Che Zogou, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2814
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2967

Tag

#ssrf