Red Hat Security Advisory 2022-7209-01 - KSBA is a library to make X.509 certificates as well as the CMS easily accessible by other applications. Both specifications are building blocks of S/MIME and TLS. Issues addressed include code execution and integer overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: libksba security update  
Advisory ID:       RHSA-2022:7209-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7209  
Issue date:        2022-10-26  
CVE Names:         CVE-2022-3515  
====================================================================  
1. Summary:

An update for libksba is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

KSBA (pronounced Kasbah) is a library to make X.509 certificates as well as  
the CMS easily accessible by other applications.  Both specifications are  
building blocks of S/MIME and TLS.

Security Fix(es):

* libksba: integer overflow may lead to remote code execution  
(CVE-2022-3515)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2135610 - CVE-2022-3515 libksba: integer overflow may lead to remote code execution

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1):

Source:  
libksba-1.3.5-8.el8_1.src.rpm

aarch64:  
libksba-1.3.5-8.el8_1.aarch64.rpm  
libksba-debuginfo-1.3.5-8.el8_1.aarch64.rpm  
libksba-debugsource-1.3.5-8.el8_1.aarch64.rpm

ppc64le:  
libksba-1.3.5-8.el8_1.ppc64le.rpm  
libksba-debuginfo-1.3.5-8.el8_1.ppc64le.rpm  
libksba-debugsource-1.3.5-8.el8_1.ppc64le.rpm

s390x:  
libksba-1.3.5-8.el8_1.s390x.rpm  
libksba-debuginfo-1.3.5-8.el8_1.s390x.rpm  
libksba-debugsource-1.3.5-8.el8_1.s390x.rpm

x86_64:  
libksba-1.3.5-8.el8_1.i686.rpm  
libksba-1.3.5-8.el8_1.x86_64.rpm  
libksba-debuginfo-1.3.5-8.el8_1.i686.rpm  
libksba-debuginfo-1.3.5-8.el8_1.x86_64.rpm  
libksba-debugsource-1.3.5-8.el8_1.i686.rpm  
libksba-debugsource-1.3.5-8.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3515  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1klltzjgjWX9erEAQivSxAAgzKR6f0zSUXg33N9wnNA6a0Lb4bEsIF7  
al4nC4pjng1Mp/saxg4m7/pH98bX5fQkRVqBirGUsHRbGTT9ThUgQkhO2iIwL6dS  
21qzdeOPOZzw9HCeXtltUk+fs+RGUGnUIbN08wCn0Qsi6eqNmSqOx8lDf7AYL5CU  
4K5O3S7fYg1uFe1iwoZ3+myv0TYGcDuQ8Qsu9MoGigTU7cy4HFWkte72FtJQUd1y  
LClk7tOw0qMIgzAoTli1RqV8GKWO96HbuaQwQ+c+uKt+oc3tM2K9CMXnO5v3lkhn  
Fm7Si+iKnCw5vuwLmLOnpYCnsGkqIDx1FjwBlnkV8VUO7q3RTwFoq7422PV9/uqp  
uDrsmrHaykT1h28gczlR/iwDV9Xfk5gw9xBIyQC49pFtGOeJCeXweyYUL5i3GD3x  
SnE6WfD82XST1exLu4ptNJ6eyoSBzNawsW6bxrUEOHhAU7aWCFiddgt5/NZ9Hw/6  
TMkheHN8OVmMEA4+iVxjZcSQL32T/8g4LZZGCCNTY00lzVbpfLezufeLu5ZtivZ4  
+4hDOCXx9P9U2HdCRhCtbDP0gSrv3atb/6jy8B8rSlPIDabq6sreJQIQjI8auxKB  
HQbRZoiZrpNesS8hpmKEQuVUkFIsXY2/TLOxrfDIXJucNMRNXHJv2LB5BqqneDyl  
T2k6Cn0IE1E=UF8/  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7209-01

feathers-sequelize is vulnerable to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection.

**feathers-sequelize vulnerable to SQL injection due to improper parameter filtering**

Critical severity GitHub Reviewed Published Oct 26, 2022 • Updated Oct 31, 2022

GHSA-5hq7-j5wq-p227: feathers-sequelize vulnerable to SQL injection due to improper parameter filtering

Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used.

**PENDING feathers-sequelize contains improper input validation leading to SQL injection**

Critical severity GitHub Reviewed Published Oct 26, 2022 • Updated Oct 31, 2022

GHSA-qpv8-4pjq-qqh7: PENDING feathers-sequelize contains improper input validation leading to SQL injection

Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection

CVE-2022-29822

CVE-2022-2422: Redirecting…

CVE-2022-2422

The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.

from logging import getLogger from django.conf import settings from django.db import models from django.db.models import UniqueConstraint, Q from django.contrib.postgres import fields as psql\_fields from django.contrib.postgres import search as psql\_search from django\_lifecycle import AFTER\_UPDATE, BEFORE\_UPDATE, hook from pulpcore.plugin.models import ( BaseModel, Content, Remote, Repository, RepositoryVersion, Distribution, SigningService, Task, EncryptedTextField, ) from .downloaders import AnsibleDownloaderFactory log \= getLogger(\_\_name\_\_) class Role(Content): """ A content type representing a Role. """ TYPE \= "role" namespace \= models.CharField(max\_length\=64) name \= models.CharField(max\_length\=64) version \= models.CharField(max\_length\=128) @property def relative\_path(self): """ Return the relative path of the ContentArtifact. """ return self.contentartifact\_set.get().relative\_path class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" unique\_together \= ("version", "name", "namespace") class Collection(BaseModel): """A model representing a Collection.""" namespace \= models.CharField(max\_length\=64, editable\=False) name \= models.CharField(max\_length\=64, editable\=False) def \_\_str\_\_(self): """Return a representation.""" return f"<{self.\_\_class\_\_.\_\_name\_\_}: {self.namespace}.{self.name}\>" class Meta: unique\_together \= ("namespace", "name") class CollectionImport(models.Model): """A model representing a collection import task details.""" task \= models.OneToOneField( Task, on\_delete\=models.CASCADE, editable\=False, related\_name\="+", primary\_key\=True ) messages \= models.JSONField(default\=list, editable\=False) class Meta: ordering \= \["task\_\_pulp\_created"\] def add\_log\_record(self, log\_record): """ Records a single log message but does not save the CollectionImport object. Args: log\_record(logging.LogRecord): The logging record to record on messages. """ self.messages.append( {"message": log\_record.msg, "level": log\_record.levelname, "time": log\_record.created} ) class Tag(BaseModel): """A model representing a Tag. Fields: name (models.CharField): The Tag's name. """ name \= models.CharField(max\_length\=64, unique\=True, editable\=False) def \_\_str\_\_(self): """Returns tag name.""" return self.name class CollectionVersion(Content): """ A content type representing a CollectionVersion. This model is primarily designed to adhere to the data format for Collection content. That spec is here: https://docs.ansible.com/ansible/devel/dev\_guide/collections\_galaxy\_meta.html Fields: authors (psql\_fields.ArrayField): A list of the CollectionVersion content's authors. contents (models.JSONField): A JSON field with data about the contents. dependencies (models.JSONField): A dict declaring Collections that this collection requires to be installed for it to be usable. description (models.TextField): A short summary description of the collection. docs\_blob (models.JSONField): A JSON field holding the various documentation blobs in the collection. manifest (models.JSONField): A JSON field holding MANIFEST.json data. files (models.JSONField): A JSON field holding FILES.json data. documentation (models.CharField): The URL to any online docs. homepage (models.CharField): The URL to the homepage of the collection/project. issues (models.CharField): The URL to the collection issue tracker. license (psql\_fields.ArrayField): A list of licenses for content inside of a collection. name (models.CharField): The name of the collection. namespace (models.CharField): The namespace of the collection. repository (models.CharField): The URL of the originating SCM repository. version (models.CharField): The version of the collection. requires\_ansible (models.CharField): The version of Ansible required to use the collection. is\_highest (models.BooleanField): Indicates that the version is the highest one in the collection. Relations: collection (models.ForeignKey): Reference to a collection model. tag (models.ManyToManyField): A symmetric reference to the Tag objects. """ TYPE \= "collection\_version" \# Data Fields authors \= psql\_fields.ArrayField(models.CharField(max\_length\=64), default\=list, editable\=False) contents \= models.JSONField(default\=list, editable\=False) dependencies \= models.JSONField(default\=dict, editable\=False) description \= models.TextField(default\="", blank\=True, editable\=False) docs\_blob \= models.JSONField(default\=dict, editable\=False) manifest \= models.JSONField(default\=dict, editable\=False) files \= models.JSONField(default\=dict, editable\=False) documentation \= models.CharField(default\="", blank\=True, max\_length\=2000, editable\=False) homepage \= models.CharField(default\="", blank\=True, max\_length\=2000, editable\=False) issues \= models.CharField(default\="", blank\=True, max\_length\=2000, editable\=False) license \= psql\_fields.ArrayField(models.CharField(max\_length\=32), default\=list, editable\=False) name \= models.CharField(max\_length\=64, editable\=False) namespace \= models.CharField(max\_length\=64, editable\=False) repository \= models.CharField(default\="", blank\=True, max\_length\=2000, editable\=False) version \= models.CharField(max\_length\=128, editable\=False) requires\_ansible \= models.CharField(null\=True, max\_length\=255) is\_highest \= models.BooleanField(editable\=False, default\=False) \# Foreign Key Fields collection \= models.ForeignKey( Collection, on\_delete\=models.PROTECT, related\_name\="versions", editable\=False ) tags \= models.ManyToManyField(Tag, editable\=False) \# Search Fields search\_vector \= psql\_search.SearchVectorField(default\="") @property def relative\_path(self): """ Return the relative path for the ContentArtifact. """ return "{namespace}-{name}-{version}.tar.gz".format( namespace\=self.namespace, name\=self.name, version\=self.version ) def \_\_str\_\_(self): """Return a representation.""" return f"<{self.\_\_class\_\_.\_\_name\_\_}: {self.namespace}.{self.name} {self.version}\>" class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" unique\_together \= ("namespace", "name", "version") constraints \= \[ UniqueConstraint( fields\=("collection", "is\_highest"), name\="unique\_is\_highest", condition\=Q(is\_highest\=True), ) \] class CollectionVersionSignature(Content): """ A content type representing a signature that is attached to a content unit. Fields: data (models.BinaryField): A signature, base64 encoded. # Not sure if it is base64 encoded digest (models.CharField): A signature sha256 digest. pubkey\_fingerprint (models.CharField): A fingerprint of the public key used. Relations: signed\_collection (models.ForeignKey): A collection version this signature is relevant to. signing\_service (models.ForeignKey): An optional signing service used for creation. """ PROTECTED\_FROM\_RECLAIM \= False TYPE \= "collection\_signature" signed\_collection \= models.ForeignKey( CollectionVersion, on\_delete\=models.CASCADE, related\_name\="signatures" ) data \= models.TextField() digest \= models.CharField(max\_length\=64) pubkey\_fingerprint \= models.CharField(max\_length\=64) signing\_service \= models.ForeignKey( SigningService, on\_delete\=models.SET\_NULL, related\_name\="signatures", null\=True ) class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" unique\_together \= ("pubkey\_fingerprint", "signed\_collection") class DownloadLog(BaseModel): """ A download log for content units by user, IP and org\_id. """ content\_unit \= models.ForeignKey( Content, on\_delete\=models.CASCADE, related\_name\="download\_logs" ) user \= models.ForeignKey( settings.AUTH\_USER\_MODEL, on\_delete\=models.CASCADE, null\=True, related\_name\="download\_logs", ) ip \= models.GenericIPAddressField() extra\_data \= models.JSONField(null\=True) user\_agent \= models.TextField() repository \= models.ForeignKey( Repository, on\_delete\=models.CASCADE, related\_name\="download\_logs" ) repository\_version \= models.ForeignKey( RepositoryVersion, null\=True, on\_delete\=models.SET\_NULL, related\_name\="download\_logs" ) class RoleRemote(Remote): """ A Remote for Ansible content. """ TYPE \= "role" class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" class CollectionRemote(Remote): """ A Remote for Collection content. """ TYPE \= "collection" requirements\_file \= models.TextField(null\=True) auth\_url \= models.CharField(null\=True, max\_length\=255) token \= EncryptedTextField(null\=True) sync\_dependencies \= models.BooleanField(default\=True) signed\_only \= models.BooleanField(default\=False) @property def download\_factory(self): """ Return the DownloaderFactory which can be used to generate asyncio capable downloaders. Upon first access, the DownloaderFactory is instantiated and saved internally. Plugin writers are expected to override when additional configuration of the DownloaderFactory is needed. Returns: DownloadFactory: The instantiated DownloaderFactory to be used by get\_downloader() """ try: return self.\_download\_factory except AttributeError: self.\_download\_factory \= AnsibleDownloaderFactory(self) return self.\_download\_factory @hook( AFTER\_UPDATE, when\_any\=\["url", "requirements\_file", "sync\_dependencies", "signed\_only"\], has\_changed\=True, ) def \_reset\_repository\_last\_synced\_metadata\_time(self): AnsibleRepository.objects.filter( remote\_id\=self.pk, last\_synced\_metadata\_time\_\_isnull\=False ).update(last\_synced\_metadata\_time\=None) class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" class GitRemote(Remote): """ A Remote for Collection content hosted in Git repositories. """ TYPE \= "git" metadata\_only \= models.BooleanField(default\=False) git\_ref \= models.TextField() class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" class AnsibleCollectionDeprecated(Content): """ A model that represents if a Collection is \`deprecated\` for a given RepositoryVersion. """ TYPE \= "collection\_deprecation" namespace \= models.CharField(max\_length\=64, editable\=False) name \= models.CharField(max\_length\=64, editable\=False) class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" unique\_together \= ("namespace", "name") class AnsibleRepository(Repository): """ Repository for "ansible" content. Fields: last\_synced\_metadata\_time (models.DateTimeField): Last synced metadata time. """ TYPE \= "ansible" CONTENT\_TYPES \= \[ Role, CollectionVersion, AnsibleCollectionDeprecated, CollectionVersionSignature, \] REMOTE\_TYPES \= \[RoleRemote, CollectionRemote\] last\_synced\_metadata\_time \= models.DateTimeField(null\=True) gpgkey \= models.TextField(null\=True) class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s" permissions \= (("modify\_ansible\_repo\_content", "Can modify ansible repository content"),) def finalize\_new\_version(self, new\_version): """Finalize repo version.""" removed\_collection\_versions \= new\_version.removed( base\_version\=new\_version.base\_version ).filter(pulp\_type\=CollectionVersion.get\_pulp\_type()) \# Remove any deprecated and signature content associated with the removed collection \# versions for version in removed\_collection\_versions: version \= version.cast() signatures \= new\_version.get\_content( content\_qs\=CollectionVersionSignature.objects.filter(signed\_collection\=version) ) new\_version.remove\_content(signatures) other\_collection\_versions \= new\_version.get\_content( content\_qs\=CollectionVersion.objects.filter(collection\=version.collection) ) \# AnsibleCollectionDeprecated applies to all collection versions in a repository, \# so only remove it if there are no more collection versions for the specified \# collection present. if not other\_collection\_versions.exists(): deprecations \= new\_version.get\_content( content\_qs\=AnsibleCollectionDeprecated.objects.filter( namespace\=version.namespace, name\=version.name ) ) new\_version.remove\_content(deprecations) @hook(BEFORE\_UPDATE, when\="remote", has\_changed\=True) def \_reset\_repository\_last\_synced\_metadata\_time(self): self.last\_synced\_metadata\_time \= None class AnsibleDistribution(Distribution): """ A Distribution for Ansible content. """ TYPE \= "ansible" class Meta: default\_related\_name \= "%(app\_label)s\_%(model\_name)s"

CVE-2022-3644: pulp_ansible/models.py at main · pulp/pulp_ansible

PRTG Network Monitor through 22.2.77.2204 does not prevent custom input for a device’s icon, which can be modified to insert arbitrary content into the style tag for that device. When the device page loads, the arbitrary Cascading Style Sheets (CSS) data is inserted into the style tag, loading malicious content. Due to PRTG Network Monitor preventing “characters, and from modern browsers disabling JavaScript support in style tags, this vulnerability could not be escalated into a Cross-Site Scripting vulnerability.

CVE-2022-35739: PRTG Network Monitor - Version History

The WP All Export Pro WordPress plugin before 1.7.9 uses the contents of the cc_sql POST parameter directly as a database query, allowing users which has been given permission to run exports to execute arbitrary SQL statements, leading to a SQL Injection vulnerability. By default only users with the Administrator role can perform exports, but this can be delegated to lower privileged users as well.

CVE-2022-3395

The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Tag

#sql