### Impact
SQL filtering vulnerability, a BO user can write, update and delete in the database, even without having specific rights.

### Patches
PrestaShop 8.0.4 and 1.7.8.9 will contain the patch.

### Workarounds
no

### References
no


**SQL filter bypass leading to arbitrary write requests using "SQL Manager"**

Critical severity GitHub Reviewed Published Apr 25, 2023 in PrestaShop/PrestaShop • Updated Apr 25, 2023

GHSA-p379-cxqh-q822: SQL filter bypass leading to arbitrary write requests using "SQL Manager"

PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds.

**Package**

composer prestashop/prestashop (Composer)

**Affected versions**

< 8.0.4

**Patched versions**

8.0.4, 1.7.8.9

**Description**

**Impact**

SQL filtering vulnerability, a BO user can write, update and delete in the database, even without having specific rights.

**Patches**

PrestaShop 8.0.4 and 1.7.8.9 will contain the patch.

**Workarounds**

no

**References**

no

CVE-2023-30839: SQL filter bypass leading to arbitrary write requests using "SQL Manager"

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server.

**Security Advisory - CVE-2021-23166**

**Affects**: Odoo 15.0 and earlier (Community and Enterprise Editions)  
**CVE ID**: CVE-2021-23166  
**Component**: Core  
**Credits**: Nils Hamerlinck (Trobz)

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise  
15.0 and earlier allows authenticated administrators to read and write  
local files on the server.

**I. Background**

Odoo uses the Python library psycopg2 to interact with the PostgreSQL database.

**II. Problem Description**

The pyscopg2 library could be abused to access the local files of the server  
running the Odoo instance.

**III. Impact**

**Attack Vector**: Network exploitable  
**Authentication**: Privileged user account required  
**CVSS3 Score**: high :: 8.7  
**CVSS3 Vector**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

A malicious administrator might be able to read or modify sensitive files stored  
on the server such as protected configuration secrets.

Systems who host Odoo databases for untrusted users are particularly at risk,  
(e.g. SaaS platforms), as they typically allow users to become administrators  
of their own Odoo database. This is sufficient to exploit the vulnerability.

Odoo S.A. is not aware of any use of this vulnerability in the wild.

**IV. Workaround**

No workaround is available, updating to the latest revision or applying the  
corresponding patch is strongly recommended.

Odoo Cloud servers have been patched as soon as the correction was available.

**V. Solution**

Update to the latest revision, either via GitHub or by downloading it:  
https://www.odoo.com/page/download  
If updating is not an option, you may instead apply the patch corresponding  
to your Odoo installation (links provided below).

For the actual update procedure, please refer to our update instructions, valid  
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html

**VI. Correction details**

The following list contains the patches that fix the vulnerability for  
each version:

*   13.0: c306ce2
*   14.0: 1f1e03f
*   15.0: 0122cb3
*   15.0-ent, 14.0-ent, 13.0-ent (Enterprise): see 15.0, 14.0 and 13.0.

CVE-2021-23166: [SEC] CVE-2021-23166 - A sandboxing issue in Odoo Community 15.0 and... · Issue #107687 · odoo/odoo

No exception handling vulnerability which revealed sensitive or excessive information to users.

Release date: April 18, 2023

These release notes describe the new features, improvements, and fixed issues in Database Performance Analyzer 2023.2. They also provide information about upgrades and describe workarounds for known issues.

**Learn more**

*   For information on the latest hotfixes, see DPA hotfixes.
*   For information about requirements, see DPA system requirements.
*   For information about working with DPA, see the DPA Administrator Guide.

**New features and improvements in DPA**

Return to top

DPA 2023.2 includes the following changes.

**Additions to systems requirements and monitored instances**

 

Category

Vender and version

Repository database

Amazon RDS for MySQL 8.0

Monitored database instances

EDB Postgres 14

For more information, see the DPA 2023.2 system requirements and Database instances DPA can monitor.

**Security enhancements**

DPA 2023.2 includes security enhancements, including:

*   **HTTPS connections are now required.**
    
    To improve security, DPA 2023.2 accepts only HTTPS connections. Any attempts to connect using the HTTP connector port are automatically redirected to the HTTPS connector port.
    
    If you are upgrading from a previous version, please complete the tasks under Before you upgrade to ensure that all users can access DPA and that DPA Central can connect to all DPA servers.
    
*   **Tomcat and MS JDBC Driver are upgraded.**
    
    DPA now includes Tomcat 8.5.85 and MS JDBC Driver 12.2.0.
    

**Support for SAML authentication with Azure AD as the identity provider**

To configure DPA to use SAML authentication with Azure AD as the identity provider, see this topic.

**Fixed issues**

Return to top

DPA 2023.2 fixes the following issues.

 

Case number

Description

01206958, 01245439, 01265950

When DPA is monitoring a database instance on a VM with a large number of disks, the vSphere cleaner job runs as expected and cleans VM disk metrics for each granularity (seconds, 10 minutes, hours, days). This job removes old data from the DPA repository database, which prevents the repository from growing at a high rate and consuming excessive space and memory on the repository server.

01190371

Monitoring a Sybase database instance no longer fails with the error Monitor attempting to start - see log.

00960237

Monitoring an Oracle database instance no longer fails with the error Monitor for database [DB_name] failed in job [TextPollJob] due to [Underlying datasource has not been set.].

01200056

Configuring an Azure SQL DB repository database no longer fails because of missing properties. DPA automatically adds the required JDBC URL properties in the Advanced Connection Properties dialog box.

01105926, 01183265, 01225013, 01234101, 01241730

Health, connection status, and other data about monitored SQL Server Availability Groups (AGs) is updated as expected in the Availability Group Summary view.

01256667

When you are registering a database instance for monitoring and the com.confio.ignite.jdbc.sqlserver.useJtdsDriver property value is set to true in the system.properties file, DPA honors this setting and uses the jTDS JDBC driver.

01235456

DPA sorts index advisors based on the estimated time savings, listing advisors with the largest estimated savings first.

01179091, 01235460

DPA index advisors no longer display estimates savings percentages that are greater than 100%. When DPA detects that information from the database vendor is inconsistent, DPA displays 'Unknown'. For more information, see this KB article.

01183457, 01191341, 01194479, 01217066, 01311041

DPA index analysis no longer fails with errors such as Unable to run index analysis or Out of range value for column 'CARDINALITY' in the logs, and it no longer shows no recommendation when the table advisor recommends indexes.

01174998, 01179091

This release fixes an issue that caused DPA index advisors to recommend creating indexes that already existed or to create indexes that included table columns that did not exist.

01181748

DPA index analysis recommendations are no longer displayed one day and then missing the next even though the recommended indexes were not created.

01142556, 01166969, 01172735, 01273937

When deadlock alerts occur, DPA lists the deadlocks on the Deadlocks tab.

**SolarWinds CVEs**

   

CVE-ID

Vulnerability Title

Description

Severity

CVE-2023-23837

No Exception Handling Vulnerability

No exception handling vulnerability which revealed sensitive or excessive information to users.

Medium

CVE-2023-23838

Directory traversal and file enumeration vulnerability

Directory traversal and file enumeration vulnerability which allowed users to enumerate to different folders of the server.

Medium

**Third-party CVEs**

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

   

CVE-ID

Vulnerability Title

Description

Severity

CVE-2020-26870

URL redirection vulnerability

Due to vulnerable Swagger UI version 3.27.0, URL redirection was possible, which can help attackers modify a URL and redirect a user to any other malicious site.

High

**New customer installation**

Return to top

For information about installing DPA, see the DPA Installation and Upgrade Guide. You can download a free trial from the SolarWinds website.

**Before you upgrade!**

DPA 2023.2 includes fixes that might require changes to your DPA deployment. Before you upgrade, determine if you need to make the following changes:

*   If any users access DPA using HTTP (instead of HTTPS), redirect connection attempts that use the HTTP connector port.
    
*   If DPA Central is configured to access any DPA servers using HTTP, update the connection definitions.
    
*   If you monitor Db2 instances, update the permissions of the DPA monitoring user for each Db2 instance.
    

You can make these changes either before or after an upgrade. However, to ensure DPA availability and to avoid any gaps in monitoring Db2 instances, SolarWinds recommends making them **before** you upgrade to 2023.2.

**Redirect connection attempts that use the HTTP connector port**

To ensure that DPA is available to users who previously connected over HTTP, update the server.xml file to redirect traffic to the HTTP connector port (8123 by default) to the HTTPS/SSL connector port (8124 by default).

If the redirect is **not** added and users attempt to connect over HTTP after the upgrade, they will receive a message that the site can't be reached.

1.  Open the following file in a text editor:
    
    _DPA-install-dir_\iwc\tomcat\conf\server.xml
    
2.  Locate the Connector property below <!--HTTPS/SSL connector>, and note the port value. (By default, this is 8124.)
    
3.  Locate the Connector property below <!--HTTP connector>. Within the Connector property, add the following, where hpptsPortNumber is the port value noted in the previous step:
    
    redirectPort="hpptsPortNumber"
    
    For example:
    
    redirectPort="8124"
    
4.  If you make these changes after the upgrade, restart DPA for the changes to take effect.
    

**Update DPA Central connections to DPA servers**

If you use DPA Central, ensure that it is configured to connect to all DPA servers over HTTPS.

1.  Determine if DPA Central is configured to connect to any DPA servers over HTTP:
    
    1.  From the DPA menu in the upper-right corner, click Central.
        
    2.  Click Manage Central.
        
    3.  Verify that every server has a lock in the SSL column. If a server's SSL column does not display a lock, DPA Central is configured to connect to that server over HTTP.
        
2.  If one or more servers are configured to use HTTP, update each server's connection properties:
    
    1.  In the Registered Servers list, click the server's display name to open the Edit Server dialog.
        
    2.  Change the Port value to the port used for HTTPS connections (8124 by default).
        
    3.  Select SSL.
        
    4.  Click Save.
        

**Update the permissions of the DPA monitoring user for each Db2 instance**

DPA 2023.2 replaces six of the deprecated SNAP* functions that previous DPA versions used to monitor Db2 database instances. Because of this change, the DPA monitoring user requires additional privileges to monitor a Db2 instance. In addition to SYSADM permissions, the user requires EXECUTE privileges on certain tables. To monitor Db2 instances with DPA 2023.2 and later versions, modify the monitoring user's permission on each Db2 instance.

The required permissions can be granted in Db2 10.1 and later. DPA does not support monitoring earlier versions of Db2.

1.  Run the following commands to grant the DPA monitoring user EXECUTE privileges on the required tables:
    
        grant execute on function SYSPROC.MON_GET_DATABASE to userName;
        grant execute on function SYSPROC.MON_SAMPLE_WORKLOAD_METRICS to userName;
        grant execute on function SYSPROC.MON_GET_ACTIVITY to <USER_NAME>;
        grant execute on function SYSPROC.MON_GET_BUFFERPOOL to <USER_NAME>;
        grant execute on function SYSPROC.MON_GET_TABLESPACE to <USER_NAME>;
        grant execute on function SYSPROC.MON_GET_TRANSACTION_LOG to <USER_NAME>;
    
2.  To verify that the permissions were applied correctly, run the following command:
    
        select substr(authid,1,20) as authid
            , authidtype
            , privilege
            , grantable
            , substr(objectschema,1,12) as objectschema
            , substr(objectname,1,30) as objectname
            , objecttype
        from sysibmadm.privileges
        where objectschema ='SYSPROC' AND AUTHID='<USER_NAME>';
    

**How to upgrade**

If you are upgrading from an earlier version, use the following resources to plan and implement your upgrade:

*   Use the DPA Installation and Upgrade Guide to help you plan and execute your upgrade.
*   When you are ready, download the upgrade package from the SolarWinds Customer Portal.

**Known issues**

Return to top

 

Intermittent connection issues when monitoring IBM Db2 instances

**Issue**

When DPA monitors IBM Db2 instances, DPA is sometimes unable to connect to the instances. This occurs because DPA uses SNAP* functions to collect information from Db2 instances, and these functions have been deprecated by IBM.

In 2023.2 release most of the deprecated functions have been migrated. Please upgrade to 2023.2 and refer the KB for required permissions to monitor db2 in DPA.

NOTE: Migration has not been fully done in 2023.2 release. would be released soon with next deliverables.

**Resolution or Workaround**

None.

DPA 2023.2 replaces six of the deprecated SNAP* functions used in earlier DPA versions. The remaining SNAP* functions will be replaced in an upcoming release.

Because of this change, when you upgrade to DPA 2023.2, you must update the permissions of the DPA monitoring user for each Db2 instance.

 

REST API does not work when you access DPA with SAML login credentials

**Issue**

If you access DPA with SAML login credentials and you generate a refresh token, the following message is displayed when you attempt to use that refresh token to access the REST API:

You are not authorized to perform this action. Contact your DPA administrator.

**Resolution or Workaround**

Access DPA with a local login when you generate the refresh token.

 

Importing an alert definition without the associated database assignment rule

**Issue**

In some situations, the log file shows the status of an imported alert definition as both Imported and Failed. This occurs when the alert definition uses a database assignment rule, but the rule was not imported and did not already exist on the server.

The two statuses indicate that the alert definition was imported but the attempt to associate the database assignment rule failed.

**Resolution or Workaround**

When you import an alert definition that uses a database assignment rule, either import the rule or ensure that it already exists on the server.

If you imported an alert definition and the associated rule is missing, you must edit the alert definition to specify the database instances. (You can specify instances by manually selecting them or by applying a rule.)

**End of life**

Return to top

   

Version

EoL Announcement

EoE Effective Date

EoL Effective Date

DPA 2022.2

**April 18, 2023** End-of-Life (EoL) announcement - Customers on DPA version 2022.2 or earlier should begin transitioning to the latest version of DPA.

**August 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2022.2 or earlier will no longer actively be supported by SolarWinds.

**April 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2022.2 or earlier.

DPA 2022.1

**January 18, 2023** End-of-Life (EoL) announcement - Customers on DPA version 2022.1 or earlier should begin transitioning to the latest version of DPA.

**April 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2022.1 or earlier will no longer actively be supported by SolarWinds.

**April 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2022.1 or earlier.

DPA 2021.3

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2021.3 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2021.3 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2021.3 or earlier.

DPA 2021.1

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2021.1 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2021.1 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2021.1 or earlier.

DPA 2020.2

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2020.2 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2020.2 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2020.2 or earlier.

See the End of Life Policy for information about SolarWinds product life cycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.

**Deprecation notices**

Return to top

This version of Database Performance Analyzer deprecates the following platforms and features.

Deprecated platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features. 

 

Type

Details

DPA server OS

Installing DPA on a server with a **Windows Server 2012 R2** operating system is still supported in 2023.2, but support will be removed in an upcoming release.

**Legal notices**

Return to top

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2023-23837: DPA 2023.2 Release Notes

PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using SQL function `LOAD_FILE` in a `SELECT` request. This gives the user access to critical information. A patch is available in PrestaShop 8.0.4 and PS 1.7.8.9


**Package**

composer prestashop/prestashop (Composer)

**Affected versions**

< 8.0.3

**Patched versions**

8.0.4 and 1.7.8.9

**Description**

**Impact**

It is possible for a user having access to the SQL Manager (Advanced Options -> Database) to arbitrary read any file on the Operating system when using SQL function LOAD\_FILE in a SELECT request. So It can access to critical information.

**Patches**

The patch will be on PS 8.0.4 and PS 1.7.8.9

CVE-2023-30545: Arbitrary file read

Red Hat Security Advisory 2023-1961-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: pcs security and bug fix update  
Advisory ID:       RHSA-2023:1961-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1961  
Issue date:        2023-04-25  
CVE Names:         CVE-2023-27530 CVE-2023-27539  
====================================================================  
1. Summary:

An update for pcs is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux High Availability EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Resilient Storage EUS (v.8.4) - ppc64le, s390x, x86_64

3. Description:

The pcs packages provide a command-line configuration system for the  
Pacemaker and Corosync utilities.

Security Fix(es):

* rubygem-rack: Denial of service in Multipart MIME parsing  
(CVE-2023-27530)

* rubygem-rack: denial of service in header parsing (CVE-2023-27539)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Command 'pcs config checkpoint diff' does not show configuration  
differences between checkpoints (BZ#2180703)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2176477 - CVE-2023-27530 rubygem-rack: Denial of service in Multipart MIME parsing  
2179649 - CVE-2023-27539 rubygem-rack: denial of service in header parsing  
2180703 - Command 'pcs config checkpoint diff' does not show configuration differences between checkpoints [rhel-8.4.0.z]

6. Package List:

Red Hat Enterprise Linux High Availability EUS (v.8.4):

Source:  
pcs-0.10.8-1.el8_4.4.src.rpm

aarch64:  
pcs-0.10.8-1.el8_4.4.aarch64.rpm  
pcs-snmp-0.10.8-1.el8_4.4.aarch64.rpm

ppc64le:  
pcs-0.10.8-1.el8_4.4.ppc64le.rpm  
pcs-snmp-0.10.8-1.el8_4.4.ppc64le.rpm

s390x:  
pcs-0.10.8-1.el8_4.4.s390x.rpm  
pcs-snmp-0.10.8-1.el8_4.4.s390x.rpm

x86_64:  
pcs-0.10.8-1.el8_4.4.x86_64.rpm  
pcs-snmp-0.10.8-1.el8_4.4.x86_64.rpm

Red Hat Enterprise Linux Resilient Storage EUS (v.8.4):

Source:  
pcs-0.10.8-1.el8_4.4.src.rpm

ppc64le:  
pcs-0.10.8-1.el8_4.4.ppc64le.rpm  
pcs-snmp-0.10.8-1.el8_4.4.ppc64le.rpm

s390x:  
pcs-0.10.8-1.el8_4.4.s390x.rpm  
pcs-snmp-0.10.8-1.el8_4.4.s390x.rpm

x86_64:  
pcs-0.10.8-1.el8_4.4.x86_64.rpm  
pcs-snmp-0.10.8-1.el8_4.4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-27530  
https://access.redhat.com/security/cve/CVE-2023-27539  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEe/NtzjgjWX9erEAQiymRAAh7wVvEGzqhsCs1XGuq0lSzudo1boptSw  
PXKzaJampR25ecUOMs8QDELxNUuqsBbb1aDX3Y3oBLy3XEdkJb1sMErXCD1meOVH  
wDOP2GKuMO4YjwruV6QGZlgOhCtTpsvuvHYRGS6m6qiuvfSQlqmeofVwq/eUT3Kg  
SI4Ig8aNUOg3agF8YdSRVtrJZf+BfjZjjaldWSr/bWbHz2SgjTkJ/ZHCZ4UUCcgB  
L8Mi4pq4XDxXmLwJOguhOcEWKf8Y40X4sNPceOcV2WnPtH1FoyTy3Tck6Z4/lPh1  
MYVfuWlEuX0iwKMJ+rpW1NzOWML0Uc5P7MVb3br9XLgHvTpJa1v3LEwbBGBTHyzb  
E+E0Z/EhMqKsb3KL+VczTGXgznPH4g6lby/mlRwXI5HYBAu/2JVJU/awDHE+RQlb  
Xeux9vthG2Ncztfls8NMRE2/JLMV8sxWqYSPq3lmPxw7NwISvVE0NGDyu1ijEDBL  
6Q0yj0/kFCJx584uEAVXFFIDYLBIaiBB+bZNoGbDLDt/zjKXaeM/wFEHfFyI2yNp  
S8fCc4NxbhB2fE1Uqvpanxj54N4yVoqWYPSJLWd8AIvsaug6VbwhjDgncsNZZJCB  
D7Mg9eWqy6EF4nZ5wZVMOUoDlf/rF+Pk+SjOgE2phMPEXsAbfudMbPaEck1jCtMt  
KOfyPN8GR8I=l8Fw  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1961-01

Researchers find 250 million artifacts and 65,000 container images exposed in registries and repositories scattered across the Internet.

Many organizations, including some of the world's largest companies, are at heightened risk of compromise and data theft from misconfigured and poorly secured software registries and artifact repositories, a new study has shown.

Research that cloud-security vendor Aqua Security recently conducted uncovered some 250 million software artifacts and more than 65,000 container images lying exposed and Internet-accessible in thousands of registries and repositories. Some 1,400 hosts allowed access to secrets, keys, passwords, and other sensitive data that an attacker could use to mount a supply chain attack, or to poison an enterprise software development environment.

**Wide Registry Exposure**

Aqua discovered 57 registries with critical misconfigurations, including 15 that enabled an attacker to gain admin privileges with just the default password; 2,100 artifact registries offered upload permissions, which potentially gave anonymous users a way to upload malicious code to the registry.

In all, Aqua found nearly 12,800 container image registries that were accessible over the Internet of which 2,839 permitted anonymous user access. On 1,400 hosts, Aqua researchers found at least one sensitive data element such as keys, tokens, and credentials; on 156 hosts the company found private addresses of endpoints such as MongoDB, Redis, and PostgreSQL.

Among the thousands of affected organizations were several Fortune 500 companies. One of them was IBM, which had exposed an internal container registry to the Internet and put sensitive data at risk of access. The company addressed the issue after Aqua's researchers informed it of their discovery. Other notable organizations that had potentially put their data at similar risk included Siemens, Cisco, and Alibaba. In addition, Aqua found software secrets in registries belonging to at least two cybersecurity firms exposed to the Internet. Aqua's data is based on an analysis of container images, Red Hat Quay container registries, JFrog Artifactory, and Sonatype Nexus artifact registries.

"It's critical that organizations of all sizes around the world take a moment to verify that their registries — whether public or private — are secure," advises Assaf Morag, lead threat intelligence and data analyst at Aqua Security. Organizations that have code in public registries or have connected their registries to the Internet and allow anonymous access should ensure their code and registries don't contain secrets, intellectual property, or sensitive information, he says.

"The hosts belonged to thousands of organizations around the world – ranging by industry, size, and geography," Morag notes. "That means the benefits for an attacker could also range."

**Risky Registries & Repositories**

Aqua's research is the latest to highlight the risks to businesses from data in software registries, repositories and artifact management systems. Development teams use software registries to store, manage, and distribute software, libraries, and tools and use repositories for centrally storing and maintaining specific software packages from within the registry. The function of artifact repositories is to help organizations store and manage the artifacts of a software project such as source code, binary files, documentation, and build artifacts. Artifact management systems can also include Docker images and packages from public repositories such as Maven, NPM, and NuGet.

Often, organizations using open source code in their projects — an almost ubiquitous practice at this point —connect their internal registries and artifact management systems to the Internet and allow anonymous access to certain portions of the registry. For instance, a software development team using JFrog Artifactory as an internal repository could configure external access so customers and partners can share its artifacts.

Threat actors seeking to compromise enterprise software development environments have increasingly begun targeting software registries and repositories in recent years. Some of the attacks have involved attempts by threat actors to introduce malicious code into development and build environments directly or via poisoned packages planted on NPM, PyPI, and other widely used public repositories. In other instances, threat actors have targeted these tools to gain access to the sensitive information such as credentials, passwords, and APIs stored in them.

Aqua's research showed that, in many cases, organizations are inadvertently making it easier for attackers to carry out these attacks by mistakenly connecting registries containing sensitive information to the Internet, posting secrets in public repositories, using default passwords for access control, and granting overly excessive privileges to users.

In one instance, Aqua uncovered a bank with an open registry featuring online banking applications. "An attacker could have pulled the container, then modified it and pushed it back," Morag says.

In another instance, Aqua discovered two misconfigured container registries belonging to the development and engineering team of a Fortune 100 technology company. Aqua found the registries to contain so much sensitive information and afford so much access and privileges for doing damage, that the company decided to halt its research and inform the technology company of the issue. In this case, the security snafu resulted from a development engineer opening up the environment while working on an unapproved side project.

Millions of Artifacts, Misconfigured Enterprise Software Registries Are Ripe for Pwning

The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

CVE-2023-1020

The Random Text WordPress plugin through 0.3.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers.

CVE-2023-0388

SQL injection vulnerability found in PrestaShop bdroppy v.2.2.12 and before allowing a remote attacker to gain privileges via the BdroppyCronModuleFrontController::importProducts component.

The **BDroppy dropshipping service** allows you to connect our catalog of designer fashion products to your online store or to the best marketplaces, without any stock risk and without having to deal with shipments.

Sell the best fashion products with no minimum order quantity.  
Start your dropshipping business: choose your channel now!

**Our integrations**

**Woocommerce Dropshipping**

**Selling in dropshipping with Woocommerce** is a pretty simple procedure. Once you have created your e-commerce, you should select the dropshipping service provider and look for a plugin to include and synchronize its products. Thanks to BDroppy, you can have your site configured with our fashion catalog integrated. Through the plugin, all data (products, prices and orders) will be automatically synchronized.  
Find out more

**Shopify Dropshipping**

Shopify is definitely one of the most used online sales platforms: **creating a store with Shopify** is very simple and this means that it is used a lot all over the world. Would you like to sell the best fashion products on your Shopify store without big investments?**Use our app to sell fashion on Shopify in dropshipping**, in just a few steps, and our catalog will be uploaded to your online store. Find out more

**Prestashop Dropshipping**

Prestashop is a **free e-commerce platform** for online sales that helps small and large businesses create online stores in a simple way and without sales commissions. If you want a **multi-language and multi-currency shop** with a large integrated fashion catalog choose your dropshipping plan with BDroppy now: we will take care of shipments worldwide and you will manage your sales from a simple dashboard!

**Squarespace Dropshipping**

Squarespace is a **paid site builder**. By subscribing you gain access to a wide range of tools that you can use to design your site, without the need for coding skills or Web development. Do you want to **connect BDroppy to your Squarespace store** and sell designer products in dropshipping? No problem, the integration is now available!

**Ecwid Dropshipping**

Dropshipping with Ecwid is easy! Ecwid is **a platform that allows you to create your e-commerce** with your products in as many marketplaces as possible and allows you to create your online showcase and incorporate it to other platforms. Combine Ecwid with the BDroppy catalog, and start selling designer fashion **without worrying about shipping** and **without having to anticipate the purchase of the goods**! Connect your Ecwid shop with the BDroppy catalog.  
Find out more

**Wix Dropshipping**

If you have created your ecommerce site with WIX, you can easily integrate it with the BDroppy catalog. Thanks to our plugin, you can enrich your shop with thousands of designer fashion products, and the orders and **available products will be automatically synchronized.** **You won’t have any stock risks and we’ll take care of the shipments.** Manage your catalog from the dashboard and start selling the most requested products right away!

**EKM dropshipping**

Discover how easy it is to sell online thanks to EKM! EKM is a site builder that allows you to design your site and customize it according to your needs.

If you want to connect BDroppy to your EKM store to **sell in dropshipping** without worrying about the warehouse or shipping, no problem: the integration is now available!

**Ebay Dropshipping**

eBay is a marketplace offering its users the opportunity **to sell and buy both new and used objects**, in different ways, including sales at a fixed price and at a dynamic price, commonly defined as «online auctions». **How to sell on eBay without stock risks**? With BDroppy you can sell our fashion catalog online on eBay and make money thanks to our dropshipping service: you will buy our products at a wholesale price and resell them at the best price to your customers on your eBay virtual shop. Find out more

**Amazon Dropshipping**

Amazon is definitely the most important marketplace in the world, with a wide range of products and categories for sale, so much so that it can be considered essentially a search engine for shopping. **Do you want to sell the most popular products on Amazon?** You can integrate the **BDroppy fashion catalog**into your Amazon store, with the dropshipping service included, to resell thousands of original designer fashion products online, using a single control panel. Find out more

**What are you waiting for?**

You can **integrate the BDroppy catalog of great fashion brands with one or more sales channels** choosing from the main marketplaces, your existing e-commerce, or if you want, we can create for you a turnkey website with our catalog already included!

Tag

#sql