Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 12 Jan 2022 19:10:44 +0100
From: Wadeck Follonier <wfollonier@...udbees.com>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins and Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* Jenkins 2.330
\* Jenkins LTS 2.319.2
\* Active Directory Plugin 2.25.1
\* Badge Plugin 1.9.1
\* Bitbucket Branch Source Plugin 746.v350d2781c184
\* Configuration as Code Plugin 1.55.1
\* Credentials Binding Plugin 1.27.1
\* Docker Commons Plugin 1.18
\* HashiCorp Vault Plugin 3.8.0
\* Mailer Plugin 408.vd726a\_1130320
\* Matrix Project Plugin 1.20
\* Metrics Plugin 4.0.2.8.1
\* SSH Agent Plugin 1.23.2
\* Warnings Next Generation Plugin 9.10.3

Additionally, we announce unresolved security issues in the following
plugins:

\* batch task Plugin
\* Conjur Secrets Plugin
\* Debian Package Builder Plugin
\* Publish Over SSH Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-01-12/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2558 / CVE-2022-20612
Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST
requests for the HTTP endpoint handling manual build requests when no
security realm is set, resulting in a cross-site request forgery (CSRF)
vulnerability.

This vulnerability allows attackers to trigger build of job without
parameters.


SECURITY-2163 / CVE-2022-20613 (CSRF) & CVE-2022-20614 (missing permission
check)
Mailer Plugin 391.ve4a\_38c1b\_cf4b\_ and earlier does not perform a
permission check in a method implementing form validation.

This allows attackers with Overall/Read access to use the DNS used by the
Jenkins instance to resolve an attacker-specified hostname.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.


SECURITY-2017 / CVE-2022-20615
Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters
in node and label names, and label descriptions.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Agent/Configure permission.


SECURITY-2342 / CVE-2022-20616
Credentials Binding Plugin 1.27 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read access to validate if a credential
ID refers to a secret file credential and whether it's a zip file.


SECURITY-1878 / CVE-2022-20617
Docker Commons Plugin 1.17 and earlier does not sanitize the name of an
image or a tag.

This results in an OS command execution vulnerability exploitable by
attackers with Item/Configure permission or able to control the contents of
a previously configured job's SCM repository.


SECURITY-2033 / CVE-2022-20618
Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not
perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2467 / CVE-2022-20619
Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not
require POST requests for an HTTP endpoint, resulting in a cross-site
request forgery (CSRF) vulnerability.

This allows attackers with Overall/Read access to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.


SECURITY-2189 / CVE-2022-20620
SSH Agent Plugin 1.23 and earlier does not perform permission checks in
several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-1624 / CVE-2022-20621
Metrics Plugin 4.0.2.8 and earlier stores access keys unencrypted in its
global configuration file \`jenkins.metrics.api.MetricsAccessKey.xml\` on the
Jenkins controller as part of its configuration.

This access key can be viewed by users with access to the Jenkins
controller file system.


SECURITY-1389 / CVE-2022-23105
Active Directory Plugin implements two separate modes: integration with
ADSI on Windows, and an OS agnostic LDAP-based mode.

Active Directory Plugin 2.25 and earlier does not encrypt the transmission
of data between the Jenkins controller and Active Directory servers unless
it is configured to use the OS agnostic LDAP mode and the system property
\`hudson.plugins.active\_directory.ActiveDirectorySecurityRealm.forceLdaps\`
is set to \`true\`.

This allows attackers able to capture network traffic between the Jenkins
controller and Active Directory servers to obtain credentials of users
logging into Jenkins, as well as credentials of the manager DN (LDAP mode)
or the Windows/Active Directory user Jenkins is running as (ADSI mode).


SECURITY-2141 / CVE-2022-23106
Configuration as Code Plugin 1.55 and earlier does not use a constant-time
comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain
a valid authentication token.


SECURITY-2090 / CVE-2022-23107
Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the
name of a file when configuring a custom ID.

This allows attackers with Item/Configure permission to write and read
specific files with a hard-coded suffix on the Jenkins controller file
system.


SECURITY-2547 / CVE-2022-23108
Badge Plugin allows adding custom build badges with a custom description
and optionally a link to a URL.

Badge Plugin 1.9 and earlier does not escape the description and does not
check for allowed protocols when creating a badge.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.


SECURITY-2213 / CVE-2022-23109
Pipelines display commands executed in their Pipeline step descriptions and
their output in build logs. To mask sensitive output,
Pipeline: Groovy Plugin 2.84 and earlier specified an
allowlist of known non-sensitive variables and masked everything else. This
caused problems, so Pipeline: Groovy Plugin 2.85 and newer expects pipeline
steps to explicitly specify that variables are to be treated as sensitive
and should be removed from output.

HashiCorp Vault Plugin 3.7.0 and earlier relied on the previous behavior
and did not explicitly declare variables as sensitive or redacted them.

This can result in exposure of Vault credentials in Pipeline build logs and
Pipeline step descriptions.


SECURITY-2287 / CVE-2022-23110
Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server
name.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Overall/Administer permission.

As of publication of this advisory, there is no fix.


SECURITY-2290 / CVE-2022-23111 (CSRF) & CVE-2022-23112 (missing permission
check)
Publish Over SSH Plugin 1.22 and earlier does not perform permission checks
in methods implementing connection tests.

This allows attackers with Overall/Read access to connect to an
attacker-specified SSH server using attacker-specified credentials.

Additionally, these connection tests methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2307 / CVE-2022-23113
Publish Over SSH Plugin 1.22 and earlier performs a validation of the file
name specifying whether it is present or not.

This results in a path traversal vulnerability allowing attackers with
Item/Configure permission to discover the name of the Jenkins controller
files.

As of publication of this advisory, there is no fix.


SECURITY-2291 / CVE-2022-23114
Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its
global configuration file
\`jenkins.plugins.publish\_over\_ssh.BapSshPublisherPlugin.xml\` on the Jenkins
controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.


SECURITY-1025 / CVE-2022-23115
batch task Plugin 1.19 and earlier does not require POST requests for
several HTTP endpoints, resulting in cross-site request forgery (CSRF)
vulnerabilities.

These vulnerabilities allow attackers with Overall/Read access to retrieve
logs, build or delete a batch task.

As of publication of this advisory, there is no fix.


SECURITY-2522 (1) / CVE-2022-23116
Conjur Secrets Plugin 1.0.9 and earlier implements functionality that
allows agent processes to obtain the plain text of any attacker-provided
encrypted secret.

This allows attackers able to control agent processes to decrypt secrets
stored in Jenkins obtained through another method.

As of publication of this advisory, there is no fix.


SECURITY-2522 (2) / CVE-2022-23117
Conjur Secrets Plugin 1.0.9 and earlier implements functionality that
allows agent processes to obtain all username/password credentials
(Credentials Plugin) stored on the Jenkins controller.

This allows attackers able to control agent processes to retrieve those
credentials.

As of publication of this advisory, there is no fix.


SECURITY-2546 / CVE-2022-23118
Debian Package Builder Plugin 1.6.11 and earlier implements functionality
that allows agent processes to invoke command-line \`git\` at an
attacker-specified path on the controller.

This allows attackers able to control agent processes to invoke arbitrary
OS commands on the controller.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-23116: security - Multiple vulnerabilities in Jenkins and Jenkins plugins

The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts

Compatibility : WordPress 6.0  
Compatibility : Elementor Pro 3.7  
Added : Heading Title : Animated Split by Word

Added : Heading Title : Animated Split by Character

Added : Heading Title : Animated Split by Line

Added : Display Rules : Image Selector(Advanced Custom Fields: Extended)

Added : Display Rules : Visitor Location (IP Based - Based on Geoplugin )

Added : Display Rules : WordPress Site Language

Added : Display Rules : Visitor Browser Language

Added : Display Rules : String in URL (Exact match from URL value )

Added : Display Rules : Parameter in URL 

Added : Display Rules : Shortcode based visibility (Advanced Custom PHP function based Shortcode)

Added : Display Rules : Cart Product Category (WooCommerce)

Added : Display Rules : Category In Cart (WooCommerce)

Added : Display Rules : Cart Subtotal (WooCommerce)

Added : Display Rules : Cart Total (WooCommerce)

Added : Display Rules : Items in Cart (WooCommerce)

Added : Display Rules : Purchase Date (WooCommerce)

Added : Display Rules : In Purchase Product Category (WooCommerce)

Added : Display Rules : Order(s) Placed (WooCommerce)

Added : Display Rules : Current Product Category (WooCommerce)

Added : Display Rules : Current Product Price (WooCommerce)

Added : Display Rules : Current Product Stock (WooCommerce)

Added : Display Rules : Cart Product (WooCommerce)

Added : Display Rules : Text field (Toolset)

Added : Display Rules : Number field (Toolset)

Added : Display Rules : Radio field (Toolset)

Added : Display Rules : Checkbox field (Toolset)

Added : Display Rules : Checkboxes field (Toolset)

Added : Display Rules : Select field (Toolset)

Added : Display Rules : Text field (PODS)

Added : Display Rules : Date field (PODS)

Added : Display Rules : Number field (PODS)

Added : Display Rules : Boolean field (PODS)

Added : Display Rules : Text field (Jet Engine)

Added : Display Rules : Text Area field (Jet Engine)

Added : Display Rules : Switcher field (Jet Engine)

Added : Display Rules : Checkbox field (Jet Engine)

Added : Display Rules : Radio field (Jet Engine)

Added : Display Rules : Select field (Jet Engine)

Added : Display Rules : Number field (Jet Engine)

Added : Mouse Cursor : Container

Added : Unfold : Container

Added : Post Feature Image : Container

Update : Display Rules : Display Field Name with Group Label

Update : Dynamic Listing : Category Listout improvement

Update : Product Listing : Upsell Listing

Update : Product Listing : Cross-Sell Listing

Update : Accordion : Title Empty condition for Dynamic Value

Update : Accordion : Scroll Top Offset

Update : Tabs & Tours : Title Empty condition for Dynamic Value

Update : Scroll Navigation : Section Top Offset after click

Update : Post Meta : Taxonomies Type option (Category/Tag)

Update : Woo Single Basic : Next/Previous related to current Product Category

Update : Search bar : Search by Word Match

Update : Search bar : Related Search Tag

Update : Search Filter : Category show based on Archive page option

Update : Search Filter : Sorting value option for Tab, Radio, Checkbox and Dropdown

Update : Hotspot : Hover Pin Image with flip effect

Update : Audio Player : Loop Disable option

Update : LottieFiles Animation : JSON File Upload

Update : Dynamic Listing : Slide Animation option

Update : Infobox : Slide Animation option

Update : Gallery Listing : Slide Animation option

Update : Search bar : Animation option

Update : Number Counter : Dynamic Tag option for Number Value, Animation Starting Value and Gap

Update : Navigation Menu : Sticky support Container

Update : Navigation Menu : Accessibility

Update : Animated Service Boxes : Lottie Animations option

Update : Hotspot : Lottie Animations option

Update : Image Cascading : Lottie Animations option

Update : Number Counter : Lottie Animations option

Update : Popup Builder : Lottie Animations option

Update : Pricing List : Lottie Animations option

Update : Pricing Table : Lottie Animations option

Update : Process/Steps : Lottie Animations option

Update : Progress Bar : Lottie Animations option

Update : Unfold : Lottie Animations option

Update : Live Copy : Container Compatibility

Update : Plus Extras : Container Compatibility

Update : Display Rules : Container Compatibility

Update : Page Scroll : Container Compatibility

Update : Row Background : Container Compatibility

Update : Shape Divider : Container Compatibility

Update : Morphing Layouts : Container Compatibility

Update : Dynamic Smart Showcase : Container Compatibility

Update : Global Tilt Effect : Container Compatibility

Update : Carousel Slider : Container Compatibility

Update : Advanced Shadow : Container Compatibility

Update : Equal Height : Container Compatibility

Update : Glass Morphism : Container Compatibility

Update : Wrapper Link : Container Compatibility

Update : Animated Service Box : Container Compatibility

Update : Animated Service box Text (Stroke and Shadow)

Update : Animated Service box Height (EM,%,VH)

Update : Countdown : Label HTML Tag option (h1 - h6)

Update : Coupon Code : Title HTML Tag option (h1 - h6)

Update : Coupon Code : Content HTML Tag option (h1 - h6)

Update : Coupon Code : JS improvement for Copy button

Update : Woo MyAccount : No order Found Styling

Update : Woo MyAccount : Order tab Individual improvement

Update : Process Step : Margin option for Description

Update : Listing Widget : Post Excerpt empty value validation

Update : Infobox : Top margin option

Update : Social Feed : Instagram Business Account condition improvement

Update : Dynamic Listing : Author Prefix text dynamic

Update : Blog Listing : Author Prefix text dynamic

Fix : Google Map : HTML display bug with Filter

Fix : Table : Tooltip Field

Fix : Listing Widget : On Load more / Lazy load animation

Fix : Mouse Cursor : Column Cursor icon

Fix : LottieFiles Animation : Animation Play Speed

Fix : Countdown : Fake Number

Fix : Sticky Column

Fix : Design Tool : Background Visibility

Fix : Navigation Menu : CSS based effect bug on click

Fix : Slick Carousel : Draggable Disable bug on Mobile

CVE-2021-24948: Give feedback and suggest new ideas for The Plus Addons for Elementor. Powered by FeedBear.

CVE-2021-24948: The Plus Addons for Elementor

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used,

Edit this page

Toggle table of contents sidebar

**Fredrik Lundh#**

This release is dedicated to the memory of Fredrik Lundh, aka Effbot, who died in November 2021. Fredrik created PIL in 1995 and he was instrumental in the early success of Python.

Guido wrote:

> Fredrik was an early Python contributor (e.g. Elementtree and the ‘re’ module) and his enthusiasm for the language and community were inspiring for all who encountered him or his work. He spent countless hours on comp.lang.python answering questions from newbies and advanced users alike.
> 
> He also co-founded an early Python startup, Secret Labs AB, which among other software released an IDE named PythonWorks. Fredrik also created the Python Imaging Library (PIL) which is still THE way to interact with images in Python, now most often through its Pillow fork. His effbot.org site was a valuable resource for generations of Python users, especially its Tkinter documentation.

Thank you, Fredrik.

**Backwards Incompatible Changes#**

**Python 3.6#**

Pillow has dropped support for Python 3.6, which reached end-of-life on 2021-12-23.

**PILLOW\_VERSION constant#**

PILLOW_VERSION has been removed. Use __version__ instead.

**FreeType 2.7#**

Support for FreeType 2.7 has been removed; FreeType 2.8 is the minimum supported.

We recommend upgrading to at least FreeType 2.10.4, which fixed a severe vulnerability introduced in FreeType 2.6 (CVE-2020-15999).

**Image.show command parameter#**

The command parameter has been removed. Use a subclass of PIL.ImageShow.Viewer instead.

**Image.\_showxv#**

Image._showxv has been removed. Use show() instead. If custom behaviour is required, use register() to add a custom Viewer class.

**ImageFile.raise\_ioerror#**

IOError was merged into OSError in Python 3.3. So, ImageFile.raise_ioerror has been removed. Use ImageFile.raise_oserror instead.

**API Changes#**

**Added line width parameter to ImageDraw polygon#**

An optional line width parameter has been added to ImageDraw.Draw.polygon.

**API Additions#**

**ImageShow.XDGViewer#**

If xdg-open is present on Linux, this new PIL.ImageShow.Viewer subclass will be registered. It displays images using the application selected by the system.

It is higher in priority than the other default PIL.ImageShow.Viewer instances, so it will be preferred by im.show() or ImageShow.show().

**Added support for “title” argument to DisplayViewer#**

Support has been added for the “title” argument in DisplayViewer, so that when im.show() or ImageShow.show() use the display command line tool, the “title” argument will also now be supported, e.g. im.show(title="My Image") and ImageShow.show(im, title="My Image").

**Security#**

**Ensure JpegImagePlugin stops at the end of a truncated file#**

JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder.

If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.

**Remove consecutive duplicate tiles that only differ by their offset#**

To prevent attempts to slow down loading times for images, if an image has consecutive duplicate tiles that only differ by their offset, only load the last tile. Credit to Google’s OSS-Fuzz project for finding this issue.

**Restrict builtins available to ImageMath.eval#**

CVE-2022-22817: To limit PIL.ImageMath to working with images, Pillow will now restrict the builtins available to PIL.ImageMath.eval(). This will help prevent problems arising if users evaluate arbitrary expressions, such as ImageMath.eval("exec(exit())").

**Fixed ImagePath.Path array handling#**

CVE-2022-22815 (CWE-126) and CVE-2022-22816 (CWE-665) were found when initializing ImagePath.Path.

**Other Changes#**

**Convert subsequent GIF frames to RGB or RGBA#**

Since each frame of a GIF can have up to 256 colors, after the first frame it is possible for there to be too many colors to fit in a P mode image. To allow for this, seeking to any subsequent GIF frame will now convert the image to RGB or RGBA, depending on whether or not the first frame had transparency.

**Switched to libjpeg-turbo in macOS and Linux wheels#**

The Pillow wheels from PyPI for macOS and Linux have switched from libjpeg to libjpeg-turbo. It is a fork of libjpeg, popular for its speed.

Because different JPEG decoders load images differently, JPEG pixels may be altered slightly with this change.

**Added support for pickling TrueType fonts#**

TrueType fonts may now be pickled and unpickled. For example:

import pickle
from PIL import ImageFont

font \= ImageFont.truetype("arial.ttf", size\=30)
pickled\_font \= pickle.dumps(font, protocol\=pickle.HIGHEST\_PROTOCOL)

\# Later...
unpickled\_font \= pickle.loads(pickled\_font)

**Added support for additional TGA orientations#**

TGA images with top right or bottom right orientations are now supported.

CVE-2022-22817: 9.0.0

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.

**Fredrik Lundh¶**

This release is dedicated to the memory of Fredrik Lundh, aka Effbot, who died in November 2021. Fredrik created PIL in 1995 and he was instrumental in the early success of Python.

Guido wrote:

> Fredrik was an early Python contributor (e.g. Elementtree and the ‘re’ module) and his enthusiasm for the language and community were inspiring for all who encountered him or his work. He spent countless hours on comp.lang.python answering questions from newbies and advanced users alike.
> 
> He also co-founded an early Python startup, Secret Labs AB, which among other software released an IDE named PythonWorks. Fredrik also created the Python Imaging Library (PIL) which is still THE way to interact with images in Python, now most often through its Pillow fork. His effbot.org site was a valuable resource for generations of Python users, especially its Tkinter documentation.

Thank you, Fredrik.

**Backwards Incompatible Changes¶**

**Python 3.6¶**

Pillow has dropped support for Python 3.6, which reached end-of-life on 2021-12-23.

**PILLOW\_VERSION constant¶**

`PILLOW_VERSION` has been removed. Use `__version__` instead.

**FreeType 2.7¶**

Support for FreeType 2.7 has been removed; FreeType 2.8 is the minimum supported.

We recommend upgrading to at least FreeType 2.10.4, which fixed a severe vulnerability introduced in FreeType 2.6 (CVE-2020-15999).

**Image.show command parameter¶**

The `command` parameter has been removed. Use a subclass of `PIL.ImageShow.Viewer` instead.

**Image.\_showxv¶**

`Image._showxv` has been removed. Use `show()` instead. If custom behaviour is required, use `register()` to add a custom `Viewer` class.

**ImageFile.raise\_ioerror¶**

`IOError` was merged into `OSError` in Python 3.3. So, `ImageFile.raise_ioerror` has been removed. Use `ImageFile.raise_oserror` instead.

**API Changes¶**

**Added line width parameter to ImageDraw polygon¶**

An optional line `width` parameter has been added to `ImageDraw.Draw.polygon`.

**API Additions¶**

**ImageShow.XDGViewer¶**

If `xdg-open` is present on Linux, this new `PIL.ImageShow.Viewer` subclass will be registered. It displays images using the application selected by the system.

It is higher in priority than the other default `PIL.ImageShow.Viewer` instances, so it will be preferred by `im.show()` or `ImageShow.show()`.

**Added support for “title” argument to DisplayViewer¶**

Support has been added for the “title” argument in `DisplayViewer`, so that when `im.show()` or `ImageShow.show()` use the `display` command line tool, the “title” argument will also now be supported, e.g. `im.show(title="My Image")` and `ImageShow.show(im, title="My Image")`.

**Security¶**

**Ensure JpegImagePlugin stops at the end of a truncated file¶**

`JpegImagePlugin` may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder.

If the EOF marker is not detected as such however, this could lead to an infinite loop where `JpegImagePlugin` keeps trying to end the file.

**Remove consecutive duplicate tiles that only differ by their offset¶**

To prevent attempts to slow down loading times for images, if an image has consecutive duplicate tiles that only differ by their offset, only load the last tile. Credit to Google’s OSS-Fuzz project for finding this issue.

**Restrict builtins available to ImageMath.eval¶**

To limit `PIL.ImageMath` to working with images, Pillow will now restrict the builtins available to `PIL.ImageMath.eval()`. This will help prevent problems arising if users evaluate arbitrary expressions, such as `ImageMath.eval("exec(exit())")`. CVE TBD

**Fixed ImagePath.Path array handling¶**

CWE-126 and CWE-665 were found when initializing `ImagePath.Path`. CVEs TBD

**Other Changes¶**

**Convert subsequent GIF frames to RGB or RGBA¶**

Since each frame of a GIF can have up to 256 colors, after the first frame it is possible for there to be too many colors to fit in a P mode image. To allow for this, seeking to any subsequent GIF frame will now convert the image to RGB or RGBA, depending on whether or not the first frame had transparency.

**Switched to libjpeg-turbo in macOS and Linux wheels¶**

The Pillow wheels from PyPI for macOS and Linux have switched from libjpeg to libjpeg-turbo. It is a fork of libjpeg, popular for its speed.

**Added support for pickling TrueType fonts¶**

TrueType fonts may now be pickled and unpickled. For example:

import pickle
from PIL import ImageFont

font \= ImageFont.truetype("arial.ttf", size\=30)
pickled\_font \= pickle.dumps(font, protocol\=pickle.HIGHEST\_PROTOCOL)

\# Later...
unpickled\_font \= pickle.loads(pickled\_font)

**Added support for additional TGA orientations¶**

TGA images with top right or bottom right orientations are now supported.

A Pointer Dereference vulnerability exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which causes a denial of service.

**Description**

Untrusted Pointer Dereference leading to a segmentation fault Segmentation fault in vim\_regexec\_multi () at regexp.c:2896

**Proof of Concept**

    ./vim -u NONE -X -Z -e -s -S POC1 -c ':qa!
    

\[POC1\]\[https://drive.google.com/file/d/1VOS93VSakO96z2rnvId\_WDYRM9KAEIgC/view?usp=sharing\]

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x14 
    RBX: 0x7fffffff8520 --> 0x9 ('\t')
    RCX: 0x14 
    RDX: 0x2 
    RSI: 0x10007fff7000 --> 0x0 
    RDI: 0x7fffffff87e0 --> 0x0 
    RBP: 0x7fffffff87a0 --> 0x7fffffff8b70 --> 0x7fffffffa0d0 --> 0x7fffffffb150 --> 0x7fffffffb980 --> 0x7fffffffb9f0 (--> ...)
    RSP: 0x7fffffff8420 --> 0x41b58ab3 
    RIP: 0xa54c3b (<vim_regexec_multi+635>: cmp    DWORD PTR [rax],0x0)
    R8 : 0x625000002900 --> 0x3e8 
    R9 : 0x625000005100 --> 0x9 ('\t')
    R10: 0x4 
    R11: 0x0 
    R12: 0x0 
    R13: 0xffffffff0fc --> 0x0 
    R14: 0x0 
    R15: 0x0
    EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0xa54c28 <vim_regexec_multi+616>:    mov    rdi,QWORD PTR [rbx+0x148]
       0xa54c2f <vim_regexec_multi+623>:    call   0x49c430 <__asan_report_load4>
       0xa54c34 <vim_regexec_multi+628>:    mov    rax,QWORD PTR [rbx+0x148]
    => 0xa54c3b <vim_regexec_multi+635>:    cmp    DWORD PTR [rax],0x0
       0xa54c3e <vim_regexec_multi+638>:    je     0xa54c75 <vim_regexec_multi+693>
       0xa54c44 <vim_regexec_multi+644>:    movabs rdi,0x1172840
       0xa54c4e <vim_regexec_multi+654>:    call   0x41d310 <gettext@plt>
       0xa54c53 <vim_regexec_multi+659>:    mov    rdi,rax
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff8420 --> 0x41b58ab3 
    0008| 0x7fffffff8428 --> 0x100b3cb ("1 32 160 13 rex_save:2892")
    0016| 0x7fffffff8430 --> 0xa549c0 (<vim_regexec_multi>: push   rbp)
    0024| 0x7fffffff8438 --> 0x7fffffffb180 --> 0x615000000d00 --> 0xbebebebefbad2488 
    0032| 0x7fffffff8440 --> 0x7fffffff8480 --> 0x7fffffff8980 --> 0x7fffffff8b70 --> 0x7fffffffa0d0 --> 0x7fffffffb150 (--> ...)
    0040| 0x7fffffff8448 --> 0x4c5d0e (<lalloc+174>:    mov    QWORD PTR [rbp-0x20],rax)
    0048| 0x7fffffff8450 --> 0x614000000840 --> 0x619024800004 --> 0x0 
    0056| 0x7fffffff8458 --> 0xfffffc4300000001 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x0000000000a54c3b in vim_regexec_multi (rmp=0x7fffffff87e0, win=0x625000002900, buf=0x625000005100, lnum=0x4, col=0x0, tm=0x0, timed_out=0x0) at regexp.c:2896
    2896        if (rmp->regprog->re_in_use)
    gdb-peda$ bt
    #0  0x0000000000a54c3b in vim_regexec_multi (rmp=0x7fffffff87e0, win=0x625000002900, buf=0x625000005100, lnum=0x4, col=0x0, tm=0x0, timed_out=0x0) at regexp.c:2896
    #1  0x00000000006b45ab in ex_global (eap=0x7fffffff8bc0) at ex_cmds.c:4976
    #2  0x00000000006cdd66 in do_one_cmd (cmdlinep=0x7fffffffa100, flags=0x7, cstack=0x7fffffffa120, fgetline=0xb26990 <getsourceline>, cookie=0x7fffffffb180) at ex_docmd.c:2572
    #3  0x00000000006c0a9d in do_cmdline (cmdline=0x611000000680 "", fgetline=0xb26990 <getsourceline>, cookie=0x7fffffffb180, flags=0x7) at ex_docmd.c:994
    #4  0x0000000000b25523 in do_source (fname=0x60b000000ca3 "../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", check_other=0x0, 
        is_vimrc=0x0, ret_sid=0x0) at scriptfile.c:1420
    #5  0x0000000000b228eb in cmd_source (fname=0x60b000000ca3 "../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", eap=0x7fffffffba60)
        at scriptfile.c:985
    #6  0x0000000000b22641 in ex_source (eap=0x7fffffffba60) at scriptfile.c:1011
    #7  0x00000000006cdd66 in do_one_cmd (cmdlinep=0x7fffffffcfa0, flags=0xb, cstack=0x7fffffffcfc0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2572
    #8  0x00000000006c0a9d in do_cmdline (cmdline=0x60b000000a90 "so ../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", fgetline=0x0, 
        cookie=0x0, flags=0xb) at ex_docmd.c:994
    #9  0x00000000006c40b4 in do_cmdline_cmd (cmd=0x60b000000a90 "so ../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2")
        at ex_docmd.c:588
    #10 0x0000000000f39719 in exe_commands (parmp=0x1a99e80 <params>) at main.c:3080
    #11 0x0000000000f36873 in vim_main2 () at main.c:774
    #12 0x0000000000f2f64d in main (argc=0xb, argv=0x7fffffffe2d8) at main.c:426
    #13 0x00007ffff7be10b3 in __libc_start_main (main=0xf2ee20 <main>, argc=0xb, argv=0x7fffffffe2d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
        stack_end=0x7fffffffe2c8) at ../csu/libc-start.c:308
    #14 0x000000000041da9e in _start ()
    
    

**Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

CVE-2021-46059: Untrusted Pointer Dereference in vim

A NULL Pointer Dereference vulnerability exists in GNU inetutils 2.2 via the setcmd function at commands.c, which causes a denial of service.

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

\[POC1\](https://drive.google.com/file/d/1snLElamVgMu5SO1vkKvSQqOByBlX0zxb/view?usp=sharing)

Program received signal SIGSEGV, Segmentation fault.

\[----------------------------------registers-----------------------------------\]

RAX: 0x10 

RBX: 0x3 

RCX: 0x3 

RDX: 0x0 

RSI: 0x55555556d0c5 --> 0x6572207325006666 ('ff')

RDI: 0x555555577068 --> 0xa001c23 

RBP: 0x555555576ea0 --> 0x555555577060 --> 0x100b002000746553 

RSP: 0x7fffffffe1b0 --> 0x555555577060 --> 0x100b002000746553 

RIP: 0x55555555b7cd (<setcmd+701>: mov    BYTE PTR \[rdx\],al)

R8 : 0x555555577067 --> 0xa001c2310 

R9 : 0x0 

R10: 0x55555556d439 --> 0x69626d413f00203e ('> ')

R11: 0x7fffffffe65c --> 0x550074656e6c6574 ('telnet')

R12: 0x555555575b60 --> 0x55555556f7fb --> 0x4341492073250020 (' ')

R13: 0x7fffffffe380 --> 0x1 

R14: 0x0 

R15: 0x0

EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)

\[-------------------------------------code-------------------------------------\]

   0x55555555b7bf <setcmd+687>: cmove  eax,edx

   0x55555555b7c2 <setcmd+690>: nop    WORD PTR \[rax+rax\*1+0x0\]

   0x55555555b7c8 <setcmd+696>: mov    rdx,QWORD PTR \[r12+0x18\]

\=> 0x55555555b7cd <setcmd+701>: mov    BYTE PTR \[rdx\],al

   0x55555555b7cf <setcmd+703>: mov    rax,QWORD PTR \[r12+0x18\]

   0x55555555b7d4 <setcmd+708>: movzx  edi,BYTE PTR \[rax\]

   0x55555555b7d7 <setcmd+711>: call   0x55555555aed0 <control>

   0x55555555b7dc <setcmd+716>: mov    rdx,QWORD PTR \[r12\]

\[------------------------------------stack-------------------------------------\]

0000| 0x7fffffffe1b0 --> 0x555555577060 --> 0x100b002000746553 

0008| 0x7fffffffe1b8 --> 0x5555555754e0 --> 0x55555556d48c --> 0x67676f7400746573 ('set')

0016| 0x7fffffffe1c0 --> 0x0 

0024| 0x7fffffffe1c8 --> 0x1 

0032| 0x7fffffffe1d0 --> 0x7fffffffe380 --> 0x1 

0040| 0x7fffffffe1d8 --> 0x55555555dadb (<command+411>: test   eax,eax)

0048| 0x7fffffffe1e0 --> 0x0 

0056| 0x7fffffffe1e8 --> 0x7fffffffe390 --> 0x0 

\[------------------------------------------------------------------------------\]

Legend: code, data, rodata, value

Stopped reason: SIGSEGV

0x000055555555b7cd in setcmd (argc=0x3, argv=0x555555576ea0 <margv>) at commands.c:1152

1152       \*(ct->charp) = (cc\_t) value;

gdb-peda$ bt

#0  0x000055555555b7cd in setcmd (argc=0x3, argv=0x555555576ea0 <margv>) at commands.c:1152

#1  0x000055555555dadb in command (top=0x1, tbuf=0x0, cnt=<optimized out>) at commands.c:3047

#2  0x0000555555559fe4 in main (argc=0x0, argc@entry=0x1, argv=0x7fffffffe390, argv@entry=0x7fffffffe388) at main.c:426

#3  0x00007ffff7db60b3 in \_\_libc\_start\_main (main=0x555555559d60 <main>, argc=0x1, argv=0x7fffffffe388, init=<optimized out>, fini=<optimized out>, 

    rtld\_fini=<optimized out>, stack\_end=0x7fffffffe378) at ../csu/libc-start.c:308

#4  0x000055555555a01e in \_start () at main.c:426

CVE-2021-46060: NULL Pointer Dereference in setcmd () at commands.c:1152

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

CVE-2021-22569

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2021-22569: 39330 - oss-fuzz - OSS-Fuzz: Fuzzing the planet

In Beaver Themer, attackers can bypass conditional logic controls (for hiding content) when viewing the post archives. Exploitation requires that a Themer layout is applied to the archives, and that the post excerpt field is not set.

**Bottom line up front**

I discovered two sensitive information disclosure vulnerabilities that affect **Beaver Builder’s** element visibility and **Beaver Themer’s** conditional logic controls. These vulnerabilities are resolved in Beaver Builder 2.5.1!

These vulnerabilities allow ANY user to view content that is hidden via the visibility or conditional logic controls.

**NOTE:** these vulnerabilities have been resolved by the Beaver Builder team, however, 3rd parties that have built their own modules (ie post archive /search modules) must update their module’s code so that their modules do not leak sensitive information. The Beaver Builder team has notified many of the 3rd party developers. The Beaver Builder team has also posted a developer oriented article about this issue.

**The Issues**

Content protected with visibility or conditional logic controls is accessible:

*   to ANY user via the **WordPress REST API** _(CVE-2021-42748)_
*   if a Beaver Themer layout is applied, and the post excerpt field is not set, the protected content may be shown in _(CVE-2021-42749)_:
    *   **post archive**
    *   **search results**
    *   potentially in **Google Search**

**What is affected****Beaver Builder**

The **lite** (2.5.0.3 and older) and **professional** versions (2.5.0.3 and older) of the Beaver Builder page builder are affected. The lite version of Beaver Builder is installed on more than **200,000** websites.

**NOTE:** at the time of this writing, the Beaver Builder team hasn’t released an update for the lite version of Beaver Builder. They plan to release the Beaver Builder Lite update the week of 12/12/2021.

**Beaver Themer**

Beaver Themer is also affected. Beaver Themer is an add-on to the professional version of the Beaver Builder page builder which allows you to design every front-end area of WordPress.

The fix for the Beaver Themer vulnerability is included in Beaver Builder 2.5.1. Beaver Themer’s Conditional Logic feature is functionally separate from Beaver Builder’s visibility feature, but Beaver Themer uses a filter to hook into Beaver Builder’s codebase. The Beaver Builder 2.5.1 patch addresses both vulnerabilities.

**Timeline**

The Beaver Builder team was extremely responsive and professional as they developed a fix to remediate these vulnerabilities!

*   **Notification Sent to Beaver Builder**
    *   Sunday, 10/17/2021
*   **1st Response from Beaver Builder**
    *   Monday, 10/18/2021
*   **Patch Sent to Me for Testing**
    *   Tuesday, 11/16/2021
*   **Patch for Beaver Builder Professional Released**
    *   Thursday, 12/9/2021

**Vulnerability Summary**

The **lite** & **professional** versions of **Beaver Builder** include **visibility settings** which allow you to limit the visibility of content based on the user’s login status. You can even specify a WordPress capability (aka permission) that the user must have to see the content.

![](https://tekfused.com/wp-content/uploads/2021/10/image-12.png)

Beaver Builder Lite visibility settings

**Beaver Themer** extends the visibility controls by adding **conditional logic**. Conditional logic allows you to create complex if-then-this conditions to control the visibility of content. A simple example would be “show the content only IF the user is a customer.”

![](https://tekfused.com/wp-content/uploads/2021/10/Conditional-Logic-2.png)

Beaver Themer Conditional Logic

Visibility rules & conditional logic are checked on the server side before delivering the rendered page. As such, these features should be able to be used to control access to sensitive content on a page.

The Beaver Builder team gave the following explanation:

> The Post modules and the search module used the native WP the\_excerpt() which looks at the saved data in post\_content. The fix we implemented is to bypass that and use our layout functions. BB mirrors text based modules text in normal post content as a block so if you deactivate no text data or images are lost. So when WP looks up the excerpt it sees that data. As a result of that, it isn’t that we fixed a bug per se, more that we had to change default behavior.

**The Test Page**

The **first row** is hidden by using the visibility control “Display -> Logged In User” setting:

![](https://tekfused.com/wp-content/uploads/2021/10/image-1.png)

Row 1 settings

The **second row** is hidden by using the Conditional Logic setting (user role equals “Customer”):

![](https://tekfused.com/wp-content/uploads/2021/10/image-14.png)

Row 2 settings

The **third row** is visible to all users.

![](https://tekfused.com/wp-content/uploads/2021/10/image-4.png)

Row 3 settings

The page displays the “Content for the world!” text module for anonymous users as expected.

![](https://tekfused.com/wp-content/uploads/2021/10/image-8.png)

Test page seen as an unauthenticated user

**The Vulnerabilities****Content Exposed in the WordPress REST API (CVE-2021-42748)**

_This vulnerability affects **Beaver Builder** (Lite & Professional) and **Beaver Themer**._

I sent a request to the “Posts” WordPress REST API endpoint as an unauthenticated (ie not logged in) user, and observed the protected content.

![](https://tekfused.com/wp-content/uploads/2021/10/image-6.png)

Unathenticated REST API call to WordPress

**Content Exposed in the Post Archive (CVE-2021-42749)**

_This vulnerability affects **Beaver Themer**._

If:

*   A Beaver Themer layout is applied to the post/search archive
*   The post’s “Excerpt” field is not set
*   The protected content is at the top of the post’s content

The protected content will be displayed under the post’s title.

![](https://tekfused.com/wp-content/uploads/2021/10/image-9.png)

Post archive showing protected content

**Content Exposed in Google Search (CVE-2021-42749)**

_This vulnerability affects **Beaver Themer**._

Google lists the protected content in the Google SERP as it is displayed in the post category archive.

**RSS Feeds**

I tested the RSS feeds as an unauthenticated user, and they did **NOT** show the protected content.

**Conclusion**

The solution to these vulnerabilities is to update to Beaver Builder **2.5.1**!

The principle of least functionality applies here – if you do not utilize the REST API, disable it – at least for unauthenticated users.

Tag

#google