TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formSetLg.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-46549: Digging/TOTOLINK/X2000R/18/1.md at main · XYIYM/Digging

Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 25 Oct 2023 15:27:24 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* CloudBees CD Plugin 1.1.33
\* GitHub Plugin 1.37.3.1
\* lambdatest-automation Plugin 1.20.10 and 1.21.0
\* Warnings Plugin 10.5.1

Additionally, we announce unresolved security issues in the following
plugins:

\* Edgewall Trac Plugin
\* Gogs Plugin
\* MSTeams Webhook Trigger Plugin
\* Multibranch Scan Webhook Trigger Plugin
\* Zanata Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2023-10-25/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3246 / CVE-2023-46650
GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on
the build page when showing changes.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.


SECURITY-3265 / CVE-2023-46651
Warnings Plugin 10.5.0 and earlier does not set the appropriate context for
credentials lookup, allowing the use of system-scoped credentials otherwise
reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture
credentials they are not entitled to.


SECURITY-3222 / CVE-2023-46652
lambdatest-automation Plugin 1.20.9 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of LAMBDATEST credentials stored in Jenkins. Those can be used as part
of an attack to capture the credentials using another vulnerability.


SECURITY-3202 / CVE-2023-46653
lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST
Credentials access token at the INFO level.

This can result in accidental exposure of the token through the default
system log.


SECURITY-3237 / CVE-2023-46654
In CloudBees CD Plugin, artifacts that were previously copied from an agent
to the controller are deleted after publishing by the 'CloudBees CD -
Publish Artifact' post-build step.

CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations
outside of the expected directory during this cleanup process.

This allows attackers able to configure jobs to delete arbitrary files on
the Jenkins controller file system.


SECURITY-3238 / CVE-2023-46655
CloudBees CD Plugin temporarily copies files from an agent workspace to the
controller in preparation for publishing them in the 'CloudBees CD -
Publish Artifact' post-build step.

CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations
outside of the temporary directory on the controller when collecting the
list of files to publish.

This allows attackers able to configure jobs to publish arbitrary files
from the Jenkins controller file system to the previously configured
CloudBees CD server.


SECURITY-2875 / CVE-2023-46656
Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier does not use a
constant-time comparison when checking whether the provided and expected
webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain
a valid webhook token.

As of publication of this advisory, there is no fix.


SECURITY-2896 / CVE-2023-46657
Gogs Plugin 1.0.15 and earlier does not use a constant-time comparison when
checking whether the provided and expected webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain
a valid webhook token.

As of publication of this advisory, there is no fix.


SECURITY-2876 / CVE-2023-46658
MSTeams Webhook Trigger Plugin 0.1.1 and earlier does not use a
constant-time comparison when checking whether the provided and expected
webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain
a valid webhook token.

As of publication of this advisory, there is no fix.


SECURITY-3247 / CVE-2023-46659
Edgewall Trac Plugin 1.13 and earlier does not escape the Trac website URL
on the build page.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2879 / CVE-2023-46660
Zanata Plugin 0.6 and earlier does not use a constant-time comparison when
checking whether the provided and expected webhook token hashes are equal.

This could potentially allow attackers to use statistical methods to obtain
a valid webhook token.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-46650: security - Multiple vulnerabilities in Jenkins plugins

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formNtp.

CVE-2023-46540: Digging/TOTOLINK/X2000R/11/1.md at main · XYIYM/Digging

light-oauth2 before version 2.1.27 obtains the public key without any verification. This could allow attackers to authenticate to the application with a crafted JWT token.

Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector on Java language(Our main concern is the secure implementation and use of Json Web Token). We found your great public repository (i.e., light-oauth2) from Github, and a security issue detected by our detector are shown in the following. The specific security issues we found are as follows:  
(1) Location: Package: **com.networknt.oauth.key.handler**; Class: **Oauth2KeysGetHandler.class**  
Security issue: not verify the public key certificate used to validate JWT signature.

We detected that the **handleRequest** method get public key from the certificate without any verification. An attacker may use the private key corresponding to a revoked or expired or self-signed public key certificate to forge a JWT. We recommend to verify the validity of certificates and certificate chains to improve system security.

We wish the above security issues cloud truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forwart to your reply. Thanks.

CVE-2023-31580: A certificate verification issue when get the public key used to verify JWT. · Issue #369 · networknt/light-oauth2

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Libsyn Libsyn Publisher Hub plugin <= 1.4.4 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank minhtuanact for reporting this vulnerability. Buy a coffee ☕

minhtuanact discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Libsyn Publisher Hub Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 1 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45835: WordPress Libsyn Publisher Hub plugin <= 1.4.4 - Cross Site Scripting (XSS) vulnerability - Patchstack

The Android Client application, when enrolled to the AppHub server,connects to an MQTT broker without enforcing any server authentication. 


This issue allows an attacker to force the Android Client application to connect to a malicious MQTT broker, enabling it to send fake messages to the HMI device

**Advisory Information**

*   **Advisory ID:** BOSCH-SA-175607
*   **CVE Numbers and CVSS v3.1 Scores:**
    *   CVE-2023-41255
        *   Base Score: 8.8 (High)
    *   CVE-2023-41372
        *   Base Score: 7.8 (High)
    *   CVE-2023-41960
        *   Base Score: 7.1 (High)
    *   CVE-2023-43488
        *   Base Score: 7.9 (High)
    *   CVE-2023-45220
        *   Base Score: 8.8 (High)
    *   CVE-2023-45321
        *   Base Score: 8.3 (High)
    *   CVE-2023-45844
        *   Base Score: 7.3 (High)
    *   CVE-2023-45851
        *   Base Score: 8.8 (High)
    *   CVE-2023-46102
        *   Base Score: 8.8 (High)
*   **Published:** 20 Oct 2023
*   **Last Updated:** 25 Oct 2023

**Summary**

The operating system of the ctrlX WR21 HMI has several vulnerabilities when the Kiosk mode is used in conjunction with Google Chrome. In worst case, an attacker with physical access to the device might gain full root access without prior authentication by combining the exploitation of those vulnerabilities.

Furthermore, the "Android Agent" application which is shipped with the ctrlX WR21 HMI contains multiple flaws, which in a worst case scenario might allow an attacker to execute arbitrary commands on the device.

**Affected Products**

Vendor Name

Product Name

Affected versions

Bosch Rexroth AG

ctrlX HMI Web Panel - WR21 (WR2107)

all

Bosch Rexroth AG

ctrlX HMI Web Panel - WR21 (WR2110)

all

Bosch Rexroth AG

ctrlX HMI Web Panel - WR21 (WR2115)

all

**Solution and Mitigations****Solution**

An updated firmware version will be published soon. This version prevents that an attacker with physical access to the device might gain root access.

Furthermore, the application "Android Agent" will be removed entirely.

This advisory will be updated as soon as the new version becomes available. Users are strongly advised to upgrade to the new version.

**Mitigation**

Until the updated version becomes available, users are strongly advised not to use Google Chrome for the Kiosk mode. As an alternative, the WebStation app may be used for this purpose.

Android Agent should not be used at all.

**Vulnerability Details****CVE-2023-41255**

CVE description: The vulnerability allows an unprivileged user with access to the subnet of the TPC-110W device to gain a root shell on the device itself abusing the lack of authentication of the ‘su’ binary file installed on the device that can be accessed through the ADB (Android Debug Bridge) protocol exposed on the network.

*   Problem Type:
    *   CWE-306 Missing Authentication for Critical Function
*   CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Base Score: 8.8 (High)

**CVE-2023-41372**

CVE description: The vulnerability allows an unprivileged (untrusted) third- party application to arbitrary modify the server settings of the Android Client application, inducing it to connect to an attacker - controlled malicious server.This is possible by forging a valid broadcast intent encrypted with a hardcoded RSA key pair

*   Problem Type:
    *   CWE-798 Use of Hard-coded Credentials
*   CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    *   Base Score: 7.8 (High)

**CVE-2023-41960**

CVE description: The vulnerability allows an unprivileged(untrusted) third-party application to interact with a content-provider unsafely exposed by the Android Agent application, potentially modifying sensitive settings of the Android Client application itself.

*   Problem Type:
    *   CWE-926 Improper Export of Android Application Components
*   CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
    *   Base Score: 7.1 (High)

**CVE-2023-43488**

CVE description: The vulnerability allows a low privileged (untrusted) application to modify a critical system property that should be denied, in order to enable the ADB (Android Debug Bridge) protocol to be exposed on the network, exploiting it to gain a privileged shell on the device without requiring the physical access through USB.

*   Problem Type:
    *   CWE-862 Missing Authorization
*   CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
    *   Base Score: 7.9 (High)

**CVE-2023-45220**

CVE description: The Android Client application, when enrolled with the define method 1(the user manually inserts the server IP address), use HTTP protocol to retrieve sensitive information (IP address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not configurable by the user.

*   Problem Type:
    *   CWE-306 Missing Authentication for Critical Function
*   CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Base Score: 8.8 (High)

**CVE-2023-45321**

CVE description: The Android Client application, when enrolled with the define method 1 (the user manually inserts the server IP address), use HTTP protocol to retrieve sensitive information (IP address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not configurable by the user. Due to the lack of encryption of HTTP,this issue allows an attacker placed in the same subnet network of the HMI device to intercept username and password necessary to authenticate to the MQTT server responsible to implement the remote management protocol.

*   Problem Type:
    *   CWE-319 Cleartext Transmission of Sensitive Information
*   CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
    *   Base Score: 8.3 (High)

**CVE-2023-45844**

CVE description: The vulnerability allows a low privileged user that have access to the device when locked in Kiosk mode to install an arbitrary Android application and leverage it to have access to critical device settings such as the device power management or eventually the device secure settings (ADB debug).

*   Problem Type:
    *   CWE-284 Improper Access Control
*   CVSS Vector String: CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Base Score: 7.3 (High)

**CVE-2023-45851**

CVE description: The Android Client application, when enrolled to the AppHub server,connects to an MQTT broker without enforcing any server authentication.

This issue allows an attacker to force the Android Client application to connect to a malicious MQTT broker, enabling it to send fake messages to the HMI device

*   Problem Type:
    *   CWE-306 Missing Authentication for Critical Function
*   CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Base Score: 8.8 (High)

**CVE-2023-46102**

CVE description: The Android Client application, when enrolled to the AppHub server, connects to an MQTT broker to exchange messages and receive commands to execute on the HMI device. The protocol builds on top of MQTT to implement the remote management of the device is encrypted with a hard-coded DES symmetric key, that can be retrieved reversing both the Android Client application and the server-side web application.

This issue allows an attacker able to control a malicious MQTT broker on the same subnet network of the device, to craft malicious messages and send them to the HMI device, executing arbitrary commands on the device itself.

*   Problem Type:
    *   CWE-798 Use of Hard-coded Credentials
*   CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Base Score: 8.8 (High)

**Remarks****Acknowledgement**

**These vulnerabilities have been uncovered and disclosed responsibly by Diego Giubertoni from Nozomi Networks. We thank him for making a responsible disclosure with us.**

**Security Update Information**

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

**CVSS Scoring**

Vulnerability classification has been performed using the CVSS v3.0 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

**Additional Resources**

*   \[1\] Bosch Rexroth Advisory: https://www.boschrexroth.com/en/dc/product-security/security-advisories/

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

**Revision History**

*   25 Oct 2023: Added CVE list
*   20 Oct 2023: Initial Publication

CVE-2023-45851: Multiple vulnerabilities on ctrlX HMI Web Panel - WR21

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mitchell Bennis Simple File List plugin <= 6.1.9 versions.

**Solution**

 No fix

No patched version is available.

Bae Song Hyun (Otwooo) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Simple File List Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 8 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-39924: WordPress Simple File List plugin <= 6.1.9 - Cross Site Scripting (XSS) vulnerability - Patchstack

IBM TXSeries for Multiplatforms, 8.1, 8.2, and 9.1, CICS TX Standard CICS TX Advanced 10.1 and 11.1 could allow a privileged user to cause a denial of service due to uncontrolled resource consumption.  IBM X-Force ID:  266016.

  

**Summary**

Improper input validation may lead to a Denial of Service attack in web services with IBM TXSeries for Multiplatforms. IBM TXSeries for Multiplatforms has addressed the applicable issue.

**Vulnerability Details**

**CVEID:**   CVE-2023-42031  
**DESCRIPTION:**   IBM CICS TX could allow a privileged user to cause a denial of service due to uncontrolled resource consumption.  
CVSS Base score: 4.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266061 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM TXSeries for Multiplatforms

8.1

IBM TXSeries for Multiplatforms

8.2

IBM TXSeries for Multiplatforms

9.1

**Remediation/Fixes**

**Product**

**Version(s)**

**Platform(s)**

**Remediation/Fix**

IBM TXSeries for Multiplatforms

8.1

Linux, AIX

PSIRT fixes for TXSeries 8.1 will be provided only for extended support customers with request through Salesforce case

IBM TXSeries for Multiplatforms

8.2

Linux, AIX

Please refer to this documentation

IBM TXSeries for Multiplatforms

9.1

Linux, AIX

Please refer to this documentation

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

20 Oct 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSAL2T","label":"TXSeries for Multiplatforms"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF002","label":"AIX"}\],"Version":"8.1, 8.2, 9.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}\]

CVE-2023-42031: Security Bulletin: Improper input validation may lead to a Denial of Service attack in web services with IBM TXSeries for Multiplatforms

An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a crafted payload to the URL.

**affected version:**

SaToken version <= 1.36.0  
and (SpringBoot version >= 2.3.1.RELEASE or Spring version >= 5.3.0)

**fixed version：**

version = 1.37.0

**description**

When SaToken version <= 1.36.0, together with SpringBoot version >= 2.3.1.RELEASE or Spring version >= 5.3.0, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when SaToken and Spring Boot/Spring are using different pattern-matching techniques. Update to SaToken 1.37.0 or set the following Spring Boot configuration value: spring.mvc.pathmatch.matching-strategy = ant_path_matcher

**复现步骤：**

First register the user, the permission is：user  
(首先，注册用户，权限是user)

    @Component
    public class StpInterfaceImpl implements StpInterface {
        @Override
        public List<String> getPermissionList(Object loginId, String loginType) {
            List<String> list = new ArrayList<String>();
            list.add("user");
            return list;
        }
    }
    

Register an interceptor whose interception address is：/admin/**，Need permission：admin  
(注册一个拦截器，地址是/admin/**，需要权限admin)

    @Configuration
    public class SaTokenConfigure implements WebMvcConfigurer {
        @Override
        public void addInterceptors(InterceptorRegistry registry) {
            registry.addInterceptor(new SaInterceptor(handler -> {
                SaRouter
                    .match("/**")
                    .notMatch("/user/doLogin")
                    .check(r -> StpUtil.checkLogin());
    
                SaRouter.match("/admin/**", r -> StpUtil.checkPermission("admin"));
            })).addPathPatterns("/**");
        }
    }
    

Then write a login interface, an admin interface, the interface address is：/admin/**  
(然后写一个登录接口，一个admin接口，admin接口地址是/admin/**)

    @RestController
    public class UserController {
        // Test login, browser access： http://localhost:8081/user/doLogin?username=zhang&password=123456
        @RequestMapping("/user/doLogin")
        public String doLogin(String username, String password) {
            if("zhang".equals(username) && "123456".equals(password)) {
                StpUtil.login(10001);
                return "success";
            }
            return "fail";
        }
    
        @RequestMapping("/admin/**")
        public String getPassword() {
            return "flag{m4ra7h0n}";
        }
    }
    

Login first(http://localhost:8081/user/doLogin?username=zhang&password=123456)  
(首先登录)  
  
Then access: /admin/.. without url normalizing  
(然后访问/admin/..，使用url未被curl/浏览器标准化的访问方式)

curl -H "Cookie: satoken=42ae3a64-974e-4e6e-8a9a-6a9e41c83396" --path-as-is http://localhost:8081/admin/..

**root cause**

其根本原因在于SaRequestForServlet.getRequestPath()函数使用HttpServletRequest.getServletPath()获取标准化的servlet path，处理了跨目录。

而Spring与SpringBoot情况如下(未处理跨目录)：  
1.SpringBoot版本>=2.3.1.RELEASE时org.springframework.web.servlet.mvc.method.RequestMappingInfo#getMatchingCondition()中使用PatternsCondition.getMatchingCondition()获取匹配的路径，其内部PathHelper.getLookupPathForRequest()函数查找映射时alwaysUseFullPath=true(这里是SpringBoot自动装配配置的，版本<=2.3.0.RELEASE时使用spring中默认的false)，其使用getPathWithinApplication()查找url，未处理跨目录，而此时Spring版本<5.3.0  
2.当Spring版本>=5.3.0时Url匹配模式直接从PatternsCondition.getMatchingCondition();转变成了PathPatternsRequestCondition.getMatchingCondition()，这会导致其使用ServletRequestPathUtils.getParsedRequestPath(request).pathWithinApplication();查找url，同样未处理跨目录。

Springboot版本>=2.3.1.RELEASE时引发的路径绕过可参考http://rui0.cn/archives/1643  
spring5.3.0版本更新文档可参考https://spring.io/blog/2020/06/30/url-matching-with-pathpattern-in-spring-mvc  
此漏洞可参考CVE-2023-22602  
修复参考apache/shiro@e167a71

CVE-2023-44794: SaToken和Spring对uri处理的差异化引发的越权漏洞(SaToken and Spring's differential handling of URIs raises authorization bypass vulnerabilities) · Issue #515 · dromara/Sa-Token

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.

**Summary**

The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests.

This presents the opportunity for Server Side Request Forgery.

**Details**

This vulnerability requires:

*   The WPS extension to be installed
*   The WPS security setting "Disable complex inputs" to be unselected
*   Security URL checks to be disabled

**Impact**

This vulnerability presents the opportunity for Server Side Request Forgery.

**Mitigation**

The ability to reference an external URL location is defined by the WPS standard Execute operation. This operations is defined by an Industry and International standard and cannot be redefined by the GeoServer application in isolation.

To disable complex remote inputs on GeoServer 2.20.5 and GeoServer 2.21.0:

1.  Navigate to **Security > WPS Security** page
2.  Locate **Complex Inputs** heading
3.  Select the check box for **Disable loading complex inputs from remote references**

**Resolution**

To allow processing of complex inputs safely in GeoServer 2.22.5 and GeoServer 2.23.2:

1.  Navigate to **Security > URL Checks**
2.  Enable **URL Checks** are enabled setting
3.  Check the user manual for examples of how to trust specific locations for your external services.

Processing of complex inputs safely is on by default in GeoServer 2.24.0.

**References**

*   Complex Inputs
*   URL Checks

Tag

#web