Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature. The affected versions of Jira Server or Data Center are before version 8.13.12, and from version 8.14.0 before 8.19.1.

Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature.

The affected versions of Jira Server or Data Center are before version 8.13.12, and from version 8.14.0 before 8.19.1.

\***Affected versions:**\*

*   version < 8.13.12
*   8.14.0 ≤ version < 8.19.1

\***Fixed versions:**\*

*   8.13.12
*   8.19.1
*   8.20.0
*   8.21.0

CVE-2021-39128: [JRASERVER-72804] Template Injection in Email Templates leads to RCE on Jira Service Management Server - CVE-2021-39128

Last updated on October 5, 2021: See revision history located at the end of the post for changes.
On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively.

Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-38655

Microsoft MSHTML Remote Code Execution Vulnerability

CVE-2021-40444

Multiple camera devices by UDP Technology, GeutebrÃ¼ck and other vendors allow unauthenticated remote access to sensitive files due to default user authentication settings. This can lead to manipulation of the device and denial of service.

CVE-2021-33543: UDP Technology IP Camera vulnerabilities

The WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin through 2.2.5 does not check for the uploaded Downloadable Digital product file, allowing any file, such as PHP to be uploaded by an administrator. Furthermore, as there is no CSRF in place, attackers could also make a logged admin upload a malicious PHP file, which would lead to RCE

CVE-2021-24620

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.

Security Updates Available for Adobe Commerce | APSB21-64

Magento has released updates for Adobe Commerce and Magento Open Source editions. These updates resolve vulnerabilities rated critical and important. Successful exploitation could lead to arbitrary code execution.       

**Product**

**Version**

**Platform**

Adobe Commerce  

2.4.2 and earlier versions    

All  

2.4.2-p1 and earlier versions    

All

2.3.7 and earlier versions   

All  

Magento Open Source 

2.4.2-p1 and earlier versions  

All

2.3.7 and earlier versions     

All

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product

Updated Version

Platform

Priority Rating

Release Notes

Adobe Commerce  

2.4.3    

All  

2  

2.4.x release notes

2.3.x release notes

2.4.2-p2  

All  

2  

2.3.7-p1  

All  

2  

Magento Open Source   

2.4.3    

All  

2  

2.4.2-p2  

All

2

2.3.7-p1   

All  

2  

Vulnerability Category

Vulnerability Impact

Severity

Pre-authentication?

Admin privileges required?

**CVSS base score**  

**CVSS vector**  

Magento Bug ID

CVE numbers

Business Logic Errors (CWE-840)  

Security feature bypass

 Important

yes

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

 PRODSECBUG-2934

CVE-2021-36012

Cross-site Scripting (Stored XSS) (CWE-79)

Arbitrary code execution

Important

no

no

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

PRODSECBUG-2963

PRODSECBUG-2964

CVE-2021-36026

CVE-2021-36027

Improper Access Control (CWE-284)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2977

CVE-2021-36036

Improper Authorization (CWE-285)

Security feature bypass

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2968

CVE-2021-36029

Improper Authorization (CWE-285)

Security feature bypass

Important

no

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

PRODSECBUG-2980

CVE-2021-36037

Improper Input Validation (CWE-20)

Application denial-of-service

Critical

No

no

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

PRODSECBUG-3004

CVE-2021-36044

Improper Input Validation (CWE-20)

Privilege escalation

Critical

yes

no

8.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

PRODSECBUG-2971

CVE-2021-36032

Improper Input Validation (CWE-20)

Security feature bypass

Critical

no

no

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

 PRODSECBUG-2969

CVE-2021-36030

Improper Input Validation (CWE-20)

Security feature bypass

Important

no

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

PRODSECBUG-2982

CVE-2021-36038

Improper Input Validation (CWE-20)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

 PRODSECBUG-2959

 PRODSECBUG-2960

 PRODSECBUG-2962

PRODSECBUG-2975

PRODSECBUG-2976

PRODSECBUG-2987

PRODSECBUG-2988

PRODSECBUG-2992

CVE-2021-36021

CVE-2021-36024

CVE-2021-36025

CVE-2021-36034

CVE-2021-36035

CVE-2021-36040

CVE-2021-36041

CVE-2021-36042

Path Traversal

(CWE-22)

Arbitrary code execution

Critical

yes

yes

7.2

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

PRODSECBUG-2970

CVE-2021-36031

OS Command Injection (CWE-78)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2958

PRODSECBUG-2960

CVE-2021-36022

CVE-2021-36023

Incorrect Authorization (CWE-863)

Arbitrary file system read

Important

yes

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

PRODSECBUG-2984

CVE-2021-36039

Server-Side Request Forgery (SSRF)

(CWE-918)

Arbitrary code execution

Critical

yes

yes

8

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2996

CVE-2021-36043

XML Injection

(aka Blind XPath Injection) (CWE-91)

Arbitrary code execution

Critical

no

no

8.2

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

PRODSECBUG-2937

CVE-2021-36020

XML Injection

(aka Blind XPath Injection) (CWE-91)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

 PRODSECBUG-2965

PRODSECBUG-2972

CVE-2021-36028

CVE-2021-36033

Pre-authentication:  The vulnerability is exploitable without credentials.   

Admin privileges required:  The vulnerability is only exploitable by an attacker with administrative privileges.  

Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:   

*   Blaklis (CVE-2021-36023, CVE-2021-36026, CVE-2021-36027, CVE-2021-36036, CVE-2021-36029, CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36031)
*   Igorsdv (CVE-2021-36012)
*   Zb3 (CVE-2021-36037, CVE-2021-36032, CVE-2021-36038, CVE-2021-36040, CVE-2021-36041, CVE-2021-36042, CVE-2021-36039, CVE-2021-36043, CVE-2021-36033, CVE-2021-36028)
*   Dftrace (CVE-2021-36044)
*   Floorz (CVE-2021-36030)
*   Eboda (CVE-2021-36022)
*   Trivani Pant on behalf of Broadway Photo Supply Limited (CVE-2021-36020)  
    

August 13, 2021: Updated Magento/Magento commerce with Adobe Commerce. 

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2021-36022: Adobe Security Bulletin

An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value.

**OSSA-2021-005: Arbitrary dnsmasq reconfiguration via extra\_dhcp\_opts¶**

Date:

August 31, 2021

CVE:

CVE-2021-40085

**Affects¶**

*   Neutron: <16.4.1, >=17.0.0 <17.2.1, >=18.0.0 <18.1.1
    

**Description¶**

Pavel Toporkov reported a vulnerability in Neutron. By supplying a specially crafted extra\_dhcp\_opts value, an authenticated user may add arbitrary configuration to the dnsmasq process in order to crash the service, change parameters for other tenants sharing the same interface, or otherwise alter that daemon’s behavior. This vulnerability may also be used to trigger a configuration parsing buffer overflow in versions of dnsmasq prior to 2.81, which could lead to remote code execution. All Neutron deployments are affected.

**Patches¶**

*   https://review.opendev.org/806709 (Queens)
    
*   https://review.opendev.org/806862 (Rocky)
    
*   https://review.opendev.org/806708 (Stein)
    
*   https://review.opendev.org/806707 (Train)
    
*   https://review.opendev.org/806750 (Ussuri)
    
*   https://review.opendev.org/806749 (Victoria)
    
*   https://review.opendev.org/806748 (Wallaby)
    
*   https://review.opendev.org/806746 (Xena)
    

**Credits¶**

*   Pavel Toporkov (CVE-2021-40085)
    

**References¶**

*   https://launchpad.net/bugs/1939733
    
*   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40085
    

**Notes¶**

*   The stable/train, stable/stein, stable/rocky, and stable/queens branches are under extended maintenance and will receive no new point releases, but patches for them are provided as a courtesy.

CVE-2021-40085: Arbitrary dnsmasq reconfiguration via extra_dhcp_opts — OpenStack Security Advisories 0.0.1.dev251 documentation

IBM OpenPages with Watson 8.1 and 8.2 could allow an authenticated user to upload a file that could execute arbitrary code on the system. IBM X-Force ID: 207633.

  

**Summary**

An issue was found within the IBM OpenPages with Watson that could allow an authenticated user to upload a file that could execute arbitrary code.

**Vulnerability Details**

**CVEID:**   CVE-2021-29907  
**DESCRIPTION:**   IBM OpenPages with Watson could allow an authenticated user to upload a file that could execute arbitrary code on the system.  
CVSS Base score: 8.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207633 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

IBM OpenPages with Watson versions v8.1 through v8.2

**Remediation/Fixes**

A fix has been created for each affected version of the named product. Download and install the fix as soon as possible. Fixes and installation instructions are provided at the URLs listed below:  

**Workarounds and Mitigations**

None

**References**

Off

None

**Acknowledgement**

The vulnerability was reported to IBM by Adam Murray

**Change History**

24 Aug 2021: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSFUEU","label":"IBM OpenPages with Watson"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}\],"Version":"8.2,8.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2021-29907: Security Bulletin: IBM OpenPages with Watson has addressed a remote code execution vulnerability (CVE-2021-29907)

Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Azure AD Plugin
*   Code Coverage API Plugin
*   Nested View Plugin
*   Nomad Plugin
*   SAML Plugin

**Descriptions****RCE vulnerability in Code Coverage API Plugin**

**SECURITY-2376 / CVE-2021-21677**  
**Severity (CVSS):** High  
**Affected plugin: code-coverage-api**  
**Description:**

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes.

Code Coverage API Plugin 1.4.1 configures its Java object deserialization to only deserialize safe types.

**SAML Plugin allows bypassing CSRF protection for any URL**

**SECURITY-2469 / CVE-2021-21678**  
**Severity (CVSS):** High  
**Affected plugin: saml**  
**Description:**

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. SAML Plugin implements this extension point for the URL that users are redirected to after login.

In SAML Plugin 2.0.7 and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

This vulnerability was originally introduced in SAML Plugin 1.1.3.

SAML Plugin 2.0.8 restricts which URLs it disables cross-site request forgery (CSRF) protection for to the one URL that needs it.

**Azure AD Plugin allows bypassing CSRF protection for any URL**

**SECURITY-2470 / CVE-2021-21679**  
**Severity (CVSS):** High  
**Affected plugin: azure-ad**  
**Description:**

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Azure AD Plugin implements this extension point for URLs used by a JavaScript component.

In Azure AD Plugin 179.vf6841393099e and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

This vulnerability was originally introduced in Azure AD Plugin 164.v5b48baa961d2.

Azure AD Plugin 180.v8b1e80e6f242 no longer allows bypassing CSRF protection for URLs used by the JavaScript component. Instead, that component was reconfigured to pass the expected CSRF token.

**XXE vulnerability in Nested View Plugin**

**SECURITY-2411 / CVE-2021-21680**  
**Severity (CVSS):** High  
**Affected plugin: nested-view**  
**Description:**

Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.

This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Nested View Plugin 1.21 disables external entity resolution for its XML transformer.

**Password stored in plain text by Nomad Plugin**

**SECURITY-2396 / CVE-2021-21681**  
**Severity (CVSS):** Low  
**Affected plugin: nomad**  
**Description:**

Nomad Plugin 0.7.4 and earlier stores the passwords to authenticate against the Docker registry unencrypted in the global config.xml file on the Jenkins controller as part of its worker templates configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

Nomad Plugin 0.7.5 stores the Docker passwords encrypted. This change is effective after Jenkins restarts.

**Severity**

*   SECURITY-2376: High
*   SECURITY-2396: Low
*   SECURITY-2411: High
*   SECURITY-2469: High
*   SECURITY-2470: High

**Affected Versions**

*   **Azure AD Plugin** up to and including 179.vf6841393099e
*   **Code Coverage API Plugin** up to and including 1.4.0
*   **Nested View Plugin** up to and including 1.20
*   **Nomad Plugin** up to and including 0.7.4
*   **SAML Plugin** up to and including 2.0.7

**Fix**

*   **Azure AD Plugin** should be updated to version 180.v8b1e80e6f242
*   **Code Coverage API Plugin** should be updated to version 1.4.1
*   **Nested View Plugin** should be updated to version 1.21
*   **Nomad Plugin** should be updated to version 0.7.5
*   **SAML Plugin** should be updated to version 2.0.8

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Brian Hysell, Synopsys Software Integrity Group** for SECURITY-2411
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2469, SECURITY-2470

Tag

#rce