こんにちは、セキュリティ レスポンスチームの垣内ゆりかです。 2019 年 8 月に公開したセキュリティ アドバイザリ

[AD管理者向け] 2020 年 LDAP 署名と LDAP チャネルバインディングが有効化。確認を！

Jenkins LDAP Email Plugin transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   DingTalk Plugin
*   HTML Publisher Plugin
*   LDAP Email Plugin
*   Script Security Plugin
*   SourceGear Vault Plugin

**Descriptions****Sandbox bypass vulnerability in Script Security Plugin**

**SECURITY-1579 / CVE-2019-10431**  
**Severity (CVSS):** High  
**Affected plugin: script-security**  
**Description:**

Sandbox protection in Script Security Plugin could be circumvented through default parameter expressions in constructors.

This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

These expressions are now subject to sandbox protection.

**Stored XSS vulnerability in HTML Publisher Plugin**

**SECURITY-1590 / CVE-2019-10432**  
**Severity (CVSS):** Medium  
**Affected plugin: htmlpublisher**  
**Description:**

HTML Publisher Plugin did not escape the project or build display name shown in the frame HTML page. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the project or build display name, typically users with Job/Configure or Build/Update permission.

HTML Publisher Plugin now escapes the display name displayed in the frame HTML page.

**DingTalk Plugin stores credentials in plain text**

**SECURITY-1423 / CVE-2019-10433**  
**Severity (CVSS):** Low  
**Affected plugin: dingding-notifications**  
**Description:**

DingTalk Plugin stores an access token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**LDAP Email Plugin shows plain text password in configuration form**

**SECURITY-1515 / CVE-2019-10434**  
**Severity (CVSS):** Low  
**Affected plugin: ldapemail**  
**Description:**

LDAP Email Plugin stores an LDAP bind password in its global Jenkins configuration.

While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**SourceGear Vault Plugin shows plain text password in configuration form**

**SECURITY-1524 / CVE-2019-10435**  
**Severity (CVSS):** Low  
**Affected plugin: vault-scm-plugin**  
**Description:**

SourceGear Vault Plugin stores an SCM password in job configurations.

While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1423: Low
*   SECURITY-1515: Low
*   SECURITY-1524: Low
*   SECURITY-1579: High
*   SECURITY-1590: Medium

**Affected Versions**

*   **DingTalk Plugin** up to and including 1.9
*   **HTML Publisher Plugin** up to and including 1.20
*   **LDAP Email Plugin** up to and including 0.8
*   **Script Security Plugin** up to and including 1.64
*   **SourceGear Vault Plugin** up to and including 1.1.1

**Fix**

*   **HTML Publisher Plugin** should be updated to version 1.21
*   **Script Security Plugin** should be updated to version 1.65

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   DingTalk Plugin
*   LDAP Email Plugin
*   SourceGear Vault Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day Initiative** for SECURITY-1423
*   **James Holderness, IB Boost** for SECURITY-1515, SECURITY-1524
*   **Nils Emmerich of ERNW Research GmbH** for SECURITY-1579
*   **Viktor Gazdag NCC Group** for SECURITY-1590

CVE-2019-10434: Jenkins Security Advisory 2019-10-01

Jenkins SourceGear Vault Plugin transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.

CVE-2019-10435: Jenkins Security Advisory 2019-10-01

Jenkins Dingding[??] Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

CVE-2019-10433: Jenkins Security Advisory 2019-10-01

An input validation and output encoding issue was discovered in the GitLab CE/EE wiki pages feature which could result in a persistent XSS. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.

Skip to content

Open Issue created Apr 06, 2019 by **GitLab SecurityBot@gitlab-securitybot**Reporter

**Stored XSS in Wiki pages**

**HackerOne report #526325** by ryhmnlfj on 2019-04-04, assigned to hackerjuan:

**Summary**

I found Stored XSS using Wiki-specific Hierarchical link Markdown in Wiki pages.

**Steps to reproduce**

1.  Sign in to GitLab.
2.  Open a Project page that you have permission to edit Wiki pages.
3.  Open Wiki page.
4.  Click "New page" button.
5.  Fill out "Page slug" form with javascript:.
6.  Click "Create page" button.
7.  Fill out the each form as follows:  
    Title: javascript:  
    Format: Markdown  
    Content: [XSS](.alert(1);)  
    (Please see "CreatePage.png")  
    
8.  Click "Create page" button.
9.  Click "XSS" link in created page.

**What is the current _bug_ behavior?**

The alert dialog appears after clicking "XSS" link in created page.  
Please see "Result\_Firefox.png".  

**Description In Detail:**

GitLab application converts the Markdown string .alert(1); to the href attribute javascript:alert(1);.  
Furthermore, Wiki-specific Markdown string . is converted to javascript: in this case.

**What is the expected _correct_ behavior?**

The dangerous href attribute javascript:alert(1); should be filtered.  
A safe HTTP/HTTPS link should be rendered instead.

**Additional Informations:**

1.  In the above case, another Wiki-specific Markdown string .. is also converted to javascript:.
    
2.  Using Title string such as javascript:STRING_EXPECTED_REMOVING also reproduces this vulnerability.  
    For example, if a wiki page is created with a disguised Title string JavaScript::SubClassName.function_name, GitLab application converts Wiki-specific Markdown string . to JavaScript: in such page.  
    It seems that GitLab application recognizes scheme-like string JavaScript: and removes the rest of Title string :SubClassName.function_name.
    
3.  An attacker can use various schemes by replacing Title string javascript: to other scheme. (e.g. data:, vbscript:, and so on.)
    

**Output of checks**

This bug happens on the official Docker installation of GitLab Enterprise Edition 11.9.4-ee.

**Results of GitLab environment info**

Output of sudo gitlab-rake gitlab:env:info:

    System information  
    System:		  
    Proxy:		no  
    Current User:	git  
    Using RVM:	no  
    Ruby Version:	2.5.3p105  
    Gem Version:	2.7.6  
    Bundler Version:1.16.6  
    Rake Version:	12.3.2  
    Redis Version:	3.2.12  
    Git Version:	2.18.1  
    Sidekiq Version:5.2.5  
    Go Version:	unknown
    
    GitLab information  
    Version:	11.9.4-ee  
    Revision:	55be7f0  
    Directory:	/opt/gitlab/embedded/service/gitlab-rails  
    DB Adapter:	postgresql  
    DB Version:	9.6.11  
    URL:		http://gitlab.example.com  
    HTTP Clone URL:	http://gitlab.example.com/some-group/some-project.git  
    SSH Clone URL:	git@gitlab.example.com:some-group/some-project.git  
    Elasticsearch:	no  
    Geo:		no  
    Using LDAP:	no  
    Using Omniauth:	yes  
    Omniauth Providers: 
    
    GitLab Shell  
    Version:	8.7.1  
    Repository storage paths:  
    - default: 	/var/opt/gitlab/git-data/repositories  
    GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
    Git:		/opt/gitlab/embedded/bin/git  

**Impact**

If wiki pages created by using this vulnerability are visible to everyone (Wiki Visibility setting is set to "Everyone With Access") in "Public" project, there is a possibility that a considerable number of GitLab users and visitors click a malicious link.

**Attachments**

**Warning:** Attachments received through HackerOne, please exercise caution!

*   CreatePage.png
*   Result\_Firefox.png

CVE-2019-5467: Stored XSS in Wiki pages (#60143) · Issues · GitLab.org / GitLab FOSS · GitLab

The all-in-one-wp-security-and-firewall plugin before 4.0.6 for WordPress has XSS in settings pages.

CVE-2016-10867: All-In-One Security (AIOS) – Security and Firewall

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2019-2808: Oracle Critical Patch Update Advisory - July 2019

IBM Robotic Process Automation with Automation Anywhere 11 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability to make unauthorized queries or modify the LDAP content. IBM X-Force ID: 160761.

CVE-2019-4297: IBM Robotic Process Automation LDAP injection CVE-2019-4297 Vulnerability Report

A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.

Release date: April 25, 2019

These release notes describe the new features, improvements, and fixed issues in Serv-U File Server 15.1.7. They also provide information about upgrades and describe workarounds for known issues.

If you are looking for previous release notes for Serv-U File Server, see Previous Version documentation.

NPAPI is deprecated in Google Chrome. This means Web Client Pro will not function in Google Chrome. As a workaround, access Web Client Pro using another browser.

**New features and improvements**

Return to top

Serv-U 15.1.7 is a service release containing three hotfixes, and additional fixes, described here.

**Previous releases**

Serv-U 15.1.6 included the following new features and updates:

*   Support for Explicit SSL when connected to SMTP server
*   Support for HTTP Strict Transport Security
*   Support for Elliptic-curve Diffie-Hellman (ECDH) key exchange
*   Forward secrecy is enabled by default (new installations only)
*   TLS 1.0 is disabled by default (new installations only)
*   Disabled SSL/TLS ciphers based on 64-bit block size (new installations only)
*   Support for Secure LDAP protocol (Windows installation only)
*   Various fixes described in the Fixed Issues section.

Serv-U 15.1.5 was a service release containing security fixes, described in the Fixed Issues section.

Serv-U 15.1.4 was a service release containing two hotfixes, described in the Fixed Issues section.

Serv-U 15.1.3 was a service release containing two hotfixes, described in the Fixed Issues section.

For earlier Serv-U 15.x.x releases, please visit the Previous Versions page.

**Fixed issues**

Return to top

Serv-U 15.1.7 fixes the following issues.

 

Case Number

Description

423241

Fixed issue where writing files to disk could cause bottleneck

1197511

Corrected SSL error handling on Socket level

00063383

Fixed issue with service when sending download link to guest user

00068104

Corrected format for X-Csrf-Token HTTP header (FTP Voyager JV)

00159690

Fixed issue with ODBC database validation

00200302

CSRF issues resolved.

00186124

Can now add a user to a collection when the user exists in another collection

00204425

Serv-U no longer deletes incorrect files from directories with delete rules

00229117

Serv-U no longer response incorrectly when empty user name and password is used to log on

00284847

Issues in web management interface fixed

00061457

Special characters from E-mail notification template not sent correctly

00039051, 00081081, 00195143, 00263829, 00260387, 00218061, 1362493, 1338156

Updated jquery libraries

00054823, 1320710, 1335744

Files list returned corrected from LIST Command

00085995, 00201705

CVE-1999-0017 vulnerability fixed.

00187355, 00065590, 00053277, 00105077, 00123871

Multiple issues in SFTP protocol resolved

00240051, 00267281, 00260953, 00280283, 00285641

WinSCP upload issues resolved

n/a

Resolved a privilege escalation issue, logged as CVE-2018-19999 – with thanks to Chris Moberly at The Missing Link.

n/a

Resolved a privilege escalation issue, logged as CVE-2019-12181 – with thanks to Guy Levin (@va\_start).

Serv-U 15.1.6 fixes the following issues.

 

Case Number

Description

961565, 1183341, 887731, 1123968, 1125053, 901145, 1091444, 1131439, 1080928, 796814, 799615, 787936, 1036534

Fixed an issue with limited top level domain.

1050275

Fixed an issue with long timeout where LDAP server was unavailable

166489, 1126605, 914000

Fixed an issue with SSH Ciphers description.

1186645, 979487

Fixed an impersonation issue during downloads.

1039205

Fixed an issue with password stale event.

1086638, 1209329

Fixed an issue with special characters in File Sharing notification template.

1129144, 1115351

Fixed a possible crash of Gateway.

1163543

Fixed an issue with user creation wizard.

1123779

Fixed a memory leak issue related to SFTP sessions.

1231876, 1233371, 1209874

Fixed broken links to support site.

1124857, 1181653, 1215831, 1223871, 1230986, 1241567, 1326419

Fixed an issue with bare line feed character.

Serv-U 15.1.5 fixes the following issues.

 

Case Number

Description

1110916

Fixed potential vulnerability with unauthenticated privilege escalation Reported by – Trustwave SpiderLabs Contact - Leopold von Niebelschuetz-Godlewski

904433, 804380

Fixed an issue with possibility of unauthorized access to the files in installation folder on web server. Reported by – www.netspi.com Contact - Cody Wass (Cody. Wass@netspi.com)

1065565, 1061848, 1056263, 1054225, 1090081, 1045088

Fixed an issue where domain users were not able to login when ldap suffix was used.

741595

Fixed a memory leak issue that occurred during LDAP authentication.

951099, 1065736, 1022993

Fixed a memory leak issue that occurred during SFTP session.

882524, 909979, 871563, 867742, 867834, 981751, 877933

Fixed an issue with "Automatic idle connection timeout" limit.

Serv-U 15.1.4 fixes the following issues.

 

Case Number

Description

991668

ECDHE-RSA-AES256\* ciphers shown as enabled or disabled correctly

954294

Long (encrypted) passwords issue fixed.

984664, 1003106, 993854

OpenSSL vulnerabilities - updated to 1.0.2h

932381

SHA-1 Cert deprecation (Previous cert was due to expire in January 2017)

984485, 887910, 741595

LDAP suffix issue fixed

844572, 894400, 953313, 910253, 881308, 914055, 990080

Web client Favorites fixed.

1005791, 1005383, 990956, 984664, 982577, 966856, 948270, 963296, 941118, 934566, 927375, 917616, 900288, 883047, 885033, 884883, 876306, 876820, 874853, 872968, 857502, 862922, 853433

Serv-U no longer freezes in FIPS mode during SFTP connections.

Serv-U 15.1.3 fixes the following issues.

 

Case Number

Description

872782, 864631

Case sensitivity issues occurred when configuring Directory Access rules.

n/a

An issue with LDAP public key authentication.

n/a

Memory leak occurs during LDAP authentication.

853136

An issue with the expired password change functionality.

868638

An issue with multi-line FTP responses for the FEAT command.

n/a

An issue with the possibility of SQL injection in the invitation link used by secure file sharing.

625348

An issue with the possibility of persistent cross-site scripting in file sharing.

n/a

An issue with the possibility of the injection of additional email headers using a crafter subject in an upload or download request.

**Legal notices**

Return to top

© 2019 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2019-12181: Serv-U File Server 15.1.7 Release Notes

IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 157012.

**Security Bulletin**

  

**Summary**

If your IBM® Intelligent Operations Center system is configured to use a Lightweight Directory Access Protocol (LDAP) user registry, user passwords might be obtained by a brute force attack that uses HTTP basic authentication requests to IBM Intelligent Operations Center.  

**Vulnerability Details**

**CVEID:** CVE-2019-4067  
**DESCRIPTION:** IBM Intelligent Operations Center does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.  
CVSS Base Score: 5.9  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157012 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

This vulnerability affects the following products and versions:

*   IBM® Intelligent Operations Center V5.1.0 - V5.2.0
*   IBM® Intelligent Operations Center for Emergency Management V5.1.0 - V5.1.0.6
*   IBM® Water Operations for Waternamics V5.1.0 - V5.2.1.1

**Remediation/Fixes**

**Workarounds and Mitigations**

**References**

Off

**Change History**

31 May 2019: Original version published

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS3NGB","label":"IBM Intelligent Operations Center"},"Component":"Not Applicable","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}\],"Version":"5.1.0;5.1.0.1;5.1.0.2;5.1.0.3;5.1.0.4;5.1.0.5;5.1.0.6;5.1.0.7;5.1.0.8;5.1.0.9;5.1.0.10;5.1.0.11;5.1.0.12;5.1.0.13;5.1.0.14;5.2.0","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Product":{"code":"SSR3XR","label":"IBM Intelligent Operations Center for Emergency Management"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"}\],"Version":"5.1.0;5.1.0.2;5.1.0.3;5.1.0.4;5.1.0.5;5.1.0.6","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS8PY5","label":"IBM Water Operations for Waternamics"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"5.1.0;5.2.0;5.2.0.1;5.2.0.2;5.2.0.3;5.2.0.4;5.2.0.5;5.2.0.6;5.2.1;5.2.1.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

Tag

#ldap