ID: MSF:EXPLOIT/UNIX/WEBAPP/VICIDIAL_USER_AUTHORIZATION_UNAUTH_CMD_EXEC
Type: metasploit
Reporter: Rapid7
Modified: 2020-10-02T20:00:37
Description
This module exploits a vulnerability in VICIdial versions 2.9 RC 1 to 2.13 RC1 which allows unauthenticated users to execute arbitrary operating system commands as the web server user if password encryption is enabled (it is disabled by default). When password encryption is enabled, the user's password supplied via HTTP basic authentication is passed unsanitized to a call to exec(). This module has been tested successfully on versions 2.11 RC2 and 2.13 RC1 on CentOS.
{"id": "MSF:EXPLOIT/UNIX/WEBAPP/VICIDIAL_USER_AUTHORIZATION_UNAUTH_CMD_EXEC", "type": "metasploit", "bulletinFamily": "exploit", "title": "VICIdial user_authorization Unauthenticated Command Execution", "description": "This module exploits a vulnerability in VICIdial versions 2.9 RC 1 to 2.13 RC1 which allows unauthenticated users to execute arbitrary operating system commands as the web server user if password encryption is enabled (disabled by default). When password encryption is enabled the user's password supplied using HTTP basic authentication is used in a call to exec(). This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS.\n", "published": "2017-05-27T05:09:38", "modified": "2020-10-02T20:00:37", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://www.vicidial.org/VICIDIALmantis/view.php?id=1016"], "cvelist": [], "lastseen": "2020-10-15T10:24:32", "viewCount": 53, "enchantments": {"score": {"value": 6.6, "vector": "NONE", "modified": "2020-10-15T10:24:32", "rev": 2}, "dependencies": {"references": [{"type": "debian", "idList": ["DEBIAN:DSA-4818-1:38382", "DEBIAN:DLA-2506-1:08F00", "DEBIAN:DLA-2504-1:70C2D", "DEBIAN:DLA-2505-1:F8B2D"]}, {"type": "cve", "idList": ["CVE-2020-4642"]}, {"type": "fedora", "idList": ["FEDORA:2C90E30BB66F", "FEDORA:80F2330BB4F7", "FEDORA:F1933304C2F3"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5619-1", "ELSA-2020-5620-1"]}, {"type": "gentoo", "idList": ["GLSA-202012-15", "GLSA-202012-12", "GLSA-202012-14", "GLSA-202012-10", "GLSA-202012-18", "GLSA-202012-11", "GLSA-202012-16", "GLSA-202012-17"]}, {"type": "exploitdb", "idList": ["EDB-ID:49330"]}, {"type": "nessus", "idList": ["SECURITYCENTER_5_17_0_TNS_2020_11.NASL"]}], "modified": "2020-10-15T10:24:32", "rev": 2}, "vulnersScore": 6.6}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb", 
"sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}
{"debian": [{"lastseen": "2021-03-01T01:36:03", "bulletinFamily": "unix", "cvelist": ["CVE-2021-23969", "CVE-2021-23978", "CVE-2021-23973", "CVE-2021-23968"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4866-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nFebruary 28, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : thunderbird\nCVE ID : CVE-2021-23968 CVE-2021-23969 CVE-2021-23973 CVE-2021-23978\n\nMultiple security issues were discovered in Thunderbird, which could\nresult in the execution of arbitrary code or information disclosure.\n\t\t \t\t \nFor the stable distribution (buster), these problems have been fixed in\nversion 1:78.8.0-1~deb10u1.\n\nWe recommend that you upgrade your thunderbird packages.\n\nFor the detailed security status of thunderbird please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/thunderbird\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 1, "modified": "2021-02-28T18:49:17", "published": "2021-02-28T18:49:17", "id": "DEBIAN:DSA-4866-1:B05DF", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2021/msg00047.html", "title": "[SECURITY] [DSA 4866-1] thunderbird security update", "type": "debian", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-28T01:29:34", "bulletinFamily": "unix", "cvelist": ["CVE-2021-21285", "CVE-2020-15257", "CVE-2021-21284", "CVE-2020-15157"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4865-1 security@debian.org\nhttps://www.debian.org/security/ Moritz 
Muehlenhoff\nFebruary 27, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : docker.io\nCVE ID : CVE-2020-15157 CVE-2020-15257 CVE-2021-21284 CVE-2021-21285\n\nMultiple security issues were discovered in Docker, a Linux container\nruntime, which could result in denial of service, an information leak\nor privilege escalation.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 18.09.1+dfsg1-7.1+deb10u3.\n\nWe recommend that you upgrade your docker.io packages.\n\nFor the detailed security status of docker.io please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/docker.io\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 1, "modified": "2021-02-27T18:36:59", "published": "2021-02-27T18:36:59", "id": "DEBIAN:DSA-4865-1:E637E", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2021/msg00046.html", "title": "[SECURITY] [DSA 4865-1] docker.io security update", "type": "debian", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-02-27T13:15:08", "bulletinFamily": "unix", "cvelist": ["CVE-2021-21330"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4864-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nFebruary 27, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : python-aiohttp\nCVE ID : CVE-2021-21330\n\nBeast Glatisant and Jelmer Vernooij reported that python-aiohttp, a\nasync HTTP client/server framework, is prone to an open redirect\nvulnerability. 
A maliciously crafted link to an aiohttp-based web-server\ncould redirect the browser to a different website.\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 3.5.1-1+deb10u1.\n\nWe recommend that you upgrade your python-aiohttp packages.\n\nFor the detailed security status of python-aiohttp please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/python-aiohttp\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 1, "modified": "2021-02-27T08:32:38", "published": "2021-02-27T08:32:38", "id": "DEBIAN:DSA-4864-1:B0A8F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2021/msg00045.html", "title": "[SECURITY] [DSA 4864-1] python-aiohttp security update", "type": "debian", "cvss": {"score": 0.0, "vector": "NONE"}}], "fedora": [{"lastseen": "2021-02-28T23:00:01", "bulletinFamily": "unix", "cvelist": ["CVE-2021-23336"], "description": "Python 3.9 package for developers. This package exists to allow developers to test their code against a newer version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.9, update your Fedora to a newer version once Python 3.9 is stable. 
", "modified": "2021-02-28T17:38:58", "published": "2021-02-28T17:38:58", "id": "FEDORA:8657A309BA6B", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: python39-3.9.2-1.fc32", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-02-28T23:00:01", "bulletinFamily": "unix", "cvelist": ["CVE-2021-21149", "CVE-2021-21150", "CVE-2021-21151", "CVE-2021-21152", "CVE-2021-21153", "CVE-2021-21154", "CVE-2021-21155", "CVE-2021-21156", "CVE-2021-21157"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink). ", "modified": "2021-02-28T17:27:09", "published": "2021-02-28T17:27:09", "id": "FEDORA:A9575304C34D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: chromium-88.0.4324.182-1.fc33", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-27T22:42:48", "bulletinFamily": "unix", "cvelist": [], "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability. 
", "modified": "2021-02-27T22:18:39", "published": "2021-02-27T22:18:39", "id": "FEDORA:7645C3020AB3", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: firefox-86.0-2.fc33", "cvss": {"score": 0.0, "vector": "NONE"}}], "centos": [{"lastseen": "2021-02-27T19:31:38", "bulletinFamily": "unix", "cvelist": ["CVE-2021-23969", "CVE-2021-23978", "CVE-2021-23973", "CVE-2021-23968"], "description": "**CentOS Errata and Security Advisory** CESA-2021:0661\n\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 78.8.0.\n\nSecurity Fix(es):\n\n* Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23968)\n\n* Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23969)\n\n* Mozilla: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 (CVE-2021-23978)\n\n* Mozilla: MediaError message property could have leaked information about cross-origin resources (CVE-2021-23973)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2021-February/048280.html\n\n**Affected packages:**\nthunderbird\n\n**Upstream details at:**\n", "edition": 1, "modified": "2021-02-27T14:34:56", "published": "2021-02-27T14:34:56", "id": "CESA-2021:0661", "href": "http://lists.centos.org/pipermail/centos-announce/2021-February/048280.html", "title": "thunderbird security update", "type": "centos", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-27T19:33:46", "bulletinFamily": "unix", "cvelist": ["CVE-2021-23969", "CVE-2021-23978", "CVE-2021-23973", "CVE-2021-23968"], "description": "**CentOS Errata and Security Advisory** CESA-2021:0656\n\n\nMozilla Firefox is an 
open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 78.8.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23968)\n\n* Mozilla: Content Security Policy violation report could have contained the destination of a redirect (CVE-2021-23969)\n\n* Mozilla: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 (CVE-2021-23978)\n\n* Mozilla: MediaError message property could have leaked information about cross-origin resources (CVE-2021-23973)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2021-February/048279.html\n\n**Affected packages:**\nfirefox\n\n**Upstream details at:**\n", "edition": 1, "modified": "2021-02-27T14:34:20", "published": "2021-02-27T14:34:20", "id": "CESA-2021:0656", "href": "http://lists.centos.org/pipermail/centos-announce/2021-February/048279.html", "title": "firefox security update", "type": "centos", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-27T19:30:27", "bulletinFamily": "unix", "cvelist": ["CVE-2020-29599"], "description": "**CentOS Errata and Security Advisory** CESA-2021:0024\n\n\nImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats.\n\nSecurity Fix(es):\n\n* ImageMagick: Shell injection via PDF password could result in arbitrary code execution (CVE-2020-29599)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from 
advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2021-February/048277.html\n\n**Affected packages:**\nImageMagick\nImageMagick-c++\nImageMagick-c++-devel\nImageMagick-devel\nImageMagick-doc\nImageMagick-perl\n\n**Upstream details at:**\n", "edition": 1, "modified": "2021-02-27T14:21:05", "published": "2021-02-27T14:21:05", "id": "CESA-2021:0024", "href": "http://lists.centos.org/pipermail/centos-announce/2021-February/048277.html", "title": "ImageMagick security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-27T19:30:18", "bulletinFamily": "unix", "cvelist": ["CVE-2020-25712", "CVE-2020-14360", "CVE-2020-14347"], "description": "**CentOS Errata and Security Advisory** CESA-2020:5408\n\n\nX.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.\n\nSecurity Fix(es):\n\n* xorg-x11-server: Out-of-bounds access in XkbSetMap function (CVE-2020-14360)\n\n* xorg-x11-server: XkbSetDeviceInfo heap-based buffer overflow privilege escalation vulnerability (CVE-2020-25712)\n\n* xorg-x11-server: Leak of uninitialized heap memory from the X server to clients in AllocatePixmap of dix/pixmap.c (CVE-2020-14347)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2021-February/048276.html\n\n**Affected packages:**\nxorg-x11-server\nxorg-x11-server-Xdmx\nxorg-x11-server-Xephyr\nxorg-x11-server-Xnest\nxorg-x11-server-Xorg\nxorg-x11-server-Xvfb\nxorg-x11-server-Xwayland\nxorg-x11-server-common\nxorg-x11-server-devel\nxorg-x11-server-source\n\n**Upstream details at:**\n", "edition": 1, "modified": "2021-02-27T14:19:46", "published": "2021-02-27T14:19:46", 
"id": "CESA-2020:5408", "href": "http://lists.centos.org/pipermail/centos-announce/2021-February/048276.html", "title": "xorg security update", "type": "centos", "cvss": {"score": 6.1, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2021-02-27T19:29:57", "bulletinFamily": "unix", "cvelist": ["CVE-2020-0452"], "description": "**CentOS Errata and Security Advisory** CESA-2020:5402\n\n\nThe libexif packages provide a library for extracting extra information from image files.\n\nSecurity Fix(es):\n\n* libexif: out of bounds write due to an integer overflow in exif-entry.c (CVE-2020-0452)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2021-February/048275.html\n\n**Affected packages:**\nlibexif\nlibexif-devel\nlibexif-doc\n\n**Upstream details at:**\n", "edition": 1, "modified": "2021-02-27T14:19:00", "published": "2021-02-27T14:19:00", "id": "CESA-2020:5402", "href": "http://lists.centos.org/pipermail/centos-announce/2021-February/048275.html", "title": "libexif security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2021-03-01T00:42:29", "bulletinFamily": "unix", "cvelist": ["CVE-2021-20193"], "description": "Arch Linux Security Advisory ASA-202102-41\n==========================================\n\nSeverity: Low\nDate : 2021-02-27\nCVE-ID : CVE-2021-20193\nPackage : tar\nType : denial of service\nRemote : No\nLink : https://security.archlinux.org/AVG-1462\n\nSummary\n=======\n\nThe package tar before version 1.34-1 is vulnerable to denial of\nservice.\n\nResolution\n==========\n\nUpgrade to 1.34-1.\n\n# pacman -Syu \"tar>=1.34-1\"\n\nThe problem has been fixed upstream in version 
1.34.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nAn issue was discovered in GNU Tar before version 1.34. There is a\nmemory leak in read_header() in list.c in the tar application.\n\nImpact\n======\n\nA crafted tar archive can crash the application.\n\nReferences\n==========\n\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1917565\nhttps://savannah.gnu.org/bugs/?59897\nhttps://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777\nhttps://security.archlinux.org/CVE-2021-20193\n", "modified": "2021-02-27T00:00:00", "published": "2021-02-27T00:00:00", "id": "ASA-202102-41", "href": "https://security.archlinux.org/ASA-202102-41", "type": "archlinux", "title": "[ASA-202102-41] tar: denial of service", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-03-01T00:42:29", "bulletinFamily": "unix", "cvelist": ["CVE-2021-21240"], "description": "Arch Linux Security Advisory ASA-202102-35\n==========================================\n\nSeverity: Medium\nDate : 2021-02-27\nCVE-ID : CVE-2021-21240\nPackage : python-httplib2\nType : denial of service\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1546\n\nSummary\n=======\n\nThe package python-httplib2 before version 0.19.0-1 is vulnerable to\ndenial of service.\n\nResolution\n==========\n\nUpgrade to 0.19.0-1.\n\n# pacman -Syu \"python-httplib2>=0.19.0-1\"\n\nThe problem has been fixed upstream in version 0.19.0.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nIn python-httplib2 before version 0.19.0, a malicious server which\nresponds with long series of \"\\xa0\" characters in the \"www-\nauthenticate\" header may cause Denial of Service (CPU burn while\nparsing header) of the httplib2 client accessing said server. 
This is\nfixed in version 0.19.0 which contains a new implementation of auth\nheaders parsing using the pyparsing library.\n\nImpact\n======\n\nA malicious server can crash the application with crafted HTTP\nresponses.\n\nReferences\n==========\n\nhttps://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m\nhttps://github.com/httplib2/httplib2/pull/182\nhttps://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc\nhttps://security.archlinux.org/CVE-2021-21240\n", "modified": "2021-02-27T00:00:00", "published": "2021-02-27T00:00:00", "id": "ASA-202102-35", "href": "https://security.archlinux.org/ASA-202102-35", "type": "archlinux", "title": "[ASA-202102-35] python-httplib2: denial of service", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-03-01T00:42:29", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13949"], "description": "Arch Linux Security Advisory ASA-202102-43\n==========================================\n\nSeverity: Medium\nDate : 2021-02-27\nCVE-ID : CVE-2020-13949\nPackage : thrift\nType : denial of service\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1568\n\nSummary\n=======\n\nThe package thrift before version 0.14.0-1 is vulnerable to denial of\nservice.\n\nResolution\n==========\n\nUpgrade to 0.14.0-1.\n\n# pacman -Syu \"thrift>=0.14.0-1\"\n\nThe problem has been fixed upstream in version 0.14.0.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nApplications using Thrift before version 0.14.0 would not error upon\nreceiving messages declaring containers of sizes larger than the\npayload. 
As a result, malicious RPC clients could send short messages\nwhich would result in a large memory allocation, potentially leading to\ndenial of service.\n\nImpact\n======\n\nMalicious clients could send crafted messages crashing the server.\n\nReferences\n==========\n\nhttps://www.openwall.com/lists/oss-security/2021/02/11/2\nhttps://security.archlinux.org/CVE-2020-13949\n", "modified": "2021-02-27T00:00:00", "published": "2021-02-27T00:00:00", "id": "ASA-202102-43", "href": "https://security.archlinux.org/ASA-202102-43", "type": "archlinux", "title": "[ASA-202102-43] thrift: denial of service", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-03-01T00:42:29", "bulletinFamily": "unix", "cvelist": ["CVE-2021-23840", "CVE-2021-23841"], "description": "Arch Linux Security Advisory ASA-202102-42\n==========================================\n\nSeverity: Medium\nDate : 2021-02-27\nCVE-ID : CVE-2021-23840 CVE-2021-23841\nPackage : openssl\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1581\n\nSummary\n=======\n\nThe package openssl before version 1.1.1.j-1 is vulnerable to multiple\nissues including denial of service and incorrect calculation.\n\nResolution\n==========\n\nUpgrade to 1.1.1.j-1.\n\n# pacman -Syu \"openssl>=1.1.1.j-1\"\n\nThe problems have been fixed upstream in version 1.1.1.j.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2021-23840 (incorrect calculation)\n\nCalls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may\noverflow the output length argument in some cases where the input\nlength is close to the maximum permissable length for an integer on the\nplatform. In such cases the return value from the function call will be\n1 (indicating success), but the output length value will be negative.\nThis could cause applications to behave incorrectly or crash.\n\nOpenSSL versions 1.1.1i and below are affected by this issue. 
Users of\nthese versions should upgrade to OpenSSL 1.1.1j.\n\nOpenSSL versions 1.0.2x and below are affected by this issue. However\nOpenSSL 1.0.2 is out of support and no longer receiving public updates.\nPremium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y.\nOther users should upgrade to 1.1.1j.\n\nFixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL\n1.0.2y (Affected 1.0.2-1.0.2x).\n\n- CVE-2021-23841 (denial of service)\n\nThe OpenSSL public API function X509_issuer_and_serial_hash() attempts\nto create a unique hash value based on the issuer and serial number\ndata contained within an X509 certificate. However it fails to\ncorrectly handle any errors that may occur while parsing the issuer\nfield (which might occur if the issuer field is maliciously\nconstructed). This may subsequently result in a NULL pointer deref and\na crash leading to a potential denial of service attack.\n\nThe function X509_issuer_and_serial_hash() is never directly called by\nOpenSSL itself so applications are only vulnerable if they use this\nfunction directly and they use it on certificates that may have been\nobtained from untrusted sources.\n\nOpenSSL versions 1.1.1i and below are affected by this issue. Users of\nthese versions should upgrade to OpenSSL 1.1.1j.\n\nOpenSSL versions 1.0.2x and below are affected by this issue. 
However\nOpenSSL 1.0.2 is out of support and no longer receiving public updates.\nPremium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y.\nOther users should upgrade to 1.1.1j.\n\nImpact\n======\n\nA malicious certificate can be crafted and crash the application, or\nbehave in some incorrect way.\n\nReferences\n==========\n\nhttps://www.openssl.org/news/secadv/20210216.txt\nhttps://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1\nhttps://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2\nhttps://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8130d654d1de922ea224fa18ee3bc7262edc39c0\nhttps://security.archlinux.org/CVE-2021-23840\nhttps://security.archlinux.org/CVE-2021-23841\n", "modified": "2021-02-27T00:00:00", "published": "2021-02-27T00:00:00", "id": "ASA-202102-42", "href": "https://security.archlinux.org/ASA-202102-42", "type": "archlinux", "title": "[ASA-202102-42] openssl: multiple issues", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-03-01T00:42:29", "bulletinFamily": "unix", "cvelist": ["CVE-2020-5208"], "description": "Arch Linux Security Advisory ASA-202102-39\n==========================================\n\nSeverity: High\nDate : 2021-02-27\nCVE-ID : CVE-2020-5208\nPackage : ipmitool\nType : arbitrary code execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1596\n\nSummary\n=======\n\nThe package ipmitool before version 1.8.18-7 is vulnerable to arbitrary\ncode execution.\n\nResolution\n==========\n\nUpgrade to 1.8.18-7.\n\n# pacman -Syu \"ipmitool>=1.8.18-7\"\n\nThe problem has been fixed upstream but no release is available yet.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nIt's been found that multiple functions in ipmitool before 1.8.19\nneglect proper checking of the data received from a remote LAN party,\nwhich may lead to buffer overflows and potentially to remote 
code\nexecution on the ipmitool side. This is especially dangerous if\nipmitool is run as a privileged user. This problem is fixed in version\n1.8.19.\n\nImpact\n======\n\nA remote server could execute arbitrary code on the client.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/69708\nhttps://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp\nhttps://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2\nhttps://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10\nhttps://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22\nhttps://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4\nhttps://github.com/ipmitool/ipmitool/commit/d45572d71e70840e0d4c50bf48218492b79c1a10\nhttps://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637\nhttps://security.archlinux.org/CVE-2020-5208\n", "modified": "2021-02-27T00:00:00", "published": "2021-02-27T00:00:00", "id": "ASA-202102-39", "href": "https://security.archlinux.org/ASA-202102-39", "type": "archlinux", "title": "[ASA-202102-39] ipmitool: arbitrary code execution", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-03-01T00:42:29", "bulletinFamily": "unix", "cvelist": ["CVE-2021-23336", "CVE-2021-3177"], "description": "Arch Linux Security Advisory ASA-202102-37\n==========================================\n\nSeverity: Medium\nDate : 2021-02-27\nCVE-ID : CVE-2021-3177 CVE-2021-23336\nPackage : python\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1465\n\nSummary\n=======\n\nThe package python before version 3.9.2-1 is vulnerable to multiple\nissues including arbitrary code execution and url request injection.\n\nResolution\n==========\n\nUpgrade to 3.9.2-1.\n\n# pacman -Syu \"python>=3.9.2-1\"\n\nThe problems have been fixed upstream in version 
3.9.2.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2021-3177 (arbitrary code execution)\n\nPython 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in\n_ctypes/callproc.c, which may lead to remote code execution in certain\nPython applications that accept floating-point numbers as untrusted\ninput, as demonstrated by a 1e300 argument to c_double.from_param. This\noccurs because sprintf is used unsafely.\n\n- CVE-2021-23336 (url request injection)\n\nThe package python/cpython from 0 and before 3.6.13, from 3.7.0 and\nbefore 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2\nare vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and\nurllib.parse.parse_qs by using a vector called parameter cloaking. When\nthe attacker can separate query parameters using a semicolon (;), they\ncan cause a difference in the interpretation of the request between the\nproxy (running with default configuration) and the server. This can\nresult in malicious requests being cached as completely safe ones, as\nthe proxy would usually not see the semicolon as a separator, and\ntherefore would not include it in a cache key of an unkeyed parameter.\n\nThe package python-django contains a copy of urllib.parse.parse_qsl()\nwhich was added to backport some security fixes. 
A further security fix\nhas been issued in versions 3.1.7, 3.0.13 and 2.2.19 such that\nparse_qsl() no longer allows using ; as a query parameter separator by\ndefault.\n\nImpact\n======\n\nA malicious format string could execute code and a malicious user could\nsend crafted HTTP queries poisoning the cache.\n\nReferences\n==========\n\nhttps://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html\nhttps://bugs.python.org/issue42938\nhttps://github.com/python/cpython/pull/24239\nhttps://github.com/python/cpython/commit/c347cbe694743cee120457aa6626712f7799a932\nhttps://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933\nhttps://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/\nhttps://bugs.python.org/issue42967\nhttps://github.com/python/cpython/pull/24297\nhttps://github.com/python/cpython/commit/c9f07813ab8e664d8c34413c4fc2d4f86c061a92\nhttps://www.djangoproject.com/weblog/2021/feb/19/security-releases/\nhttps://github.com/django/django/commit/8f6d431b08cbb418d9144b976e7b972546607851\nhttps://security.archlinux.org/CVE-2021-3177\nhttps://security.archlinux.org/CVE-2021-23336\n", "modified": "2021-02-27T00:00:00", "published": "2021-02-27T00:00:00", "id": "ASA-202102-37", "href": "https://security.archlinux.org/ASA-202102-37", "type": "archlinux", "title": "[ASA-202102-37] python: multiple issues", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-01T00:42:29", "bulletinFamily": "unix", "cvelist": ["CVE-2020-36242"], "description": "Arch Linux Security Advisory ASA-202102-36\n==========================================\n\nSeverity: Medium\nDate : 2021-02-27\nCVE-ID : CVE-2020-36242\nPackage : python-cryptography\nType : incorrect calculation\nRemote : No\nLink : https://security.archlinux.org/AVG-1541\n\nSummary\n=======\n\nThe package python-cryptography before version 3.4-1 is vulnerable to\nincorrect calculation.\n\nResolution\n==========\n\nUpgrade to 3.4-1.\n\n# pacman -Syu 
\"python-cryptography>=3.4-1\"\n\nThe problem has been fixed upstream in version 3.4.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nIn python-cryptography before version 3.3.2, certain sequences of\nupdate calls to symmetrically encrypt multiple gigabytes of data could\nresult in an integer overflow, leading to mishandling of buffers.\n\nImpact\n======\n\nUnintentional use of the API could lead to buffer mishandling.\n\nReferences\n==========\n\nhttps://github.com/pyca/cryptography/security/advisories/GHSA-rhm9-p9w5-fwm7\nhttps://github.com/pyca/cryptography/issues/5615\nhttps://github.com/pyca/cryptography/pull/5747\nhttps://github.com/pyca/cryptography/commit/82b6ce28389f0a317bc55ba2091a74b346db7cae\nhttps://security.archlinux.org/CVE-2020-36242\n", "modified": "2021-02-27T00:00:00", "published": "2021-02-27T00:00:00", "id": "ASA-202102-36", "href": "https://security.archlinux.org/ASA-202102-36", "type": "archlinux", "title": "[ASA-202102-36] python-cryptography: incorrect calculation", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2021-03-01T00:42:29", "bulletinFamily": "unix", "cvelist": ["CVE-2020-28243", "CVE-2020-28972", "CVE-2020-35662", "CVE-2021-25281", "CVE-2021-25282", "CVE-2021-25283", "CVE-2021-25284", "CVE-2021-3144", "CVE-2021-3148", "CVE-2021-3197"], "description": "Arch Linux Security Advisory ASA-202102-33\n==========================================\n\nSeverity: High\nDate : 2021-02-27\nCVE-ID : CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-3144\nCVE-2021-3148 CVE-2021-3197 CVE-2021-25281 CVE-2021-25282\nCVE-2021-25283 CVE-2021-25284\nPackage : salt\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1624\n\nSummary\n=======\n\nThe package salt before version 3002.5-3 is vulnerable to multiple\nissues including access restriction bypass, arbitrary command\nexecution, certificate verification bypass, cross-site scripting,\ninsufficient validation, privilege 
escalation, directory traversal and\ninformation disclosure.\n\nResolution\n==========\n\nUpgrade to 3002.5-3.\n\n# pacman -Syu \"salt>=3002.5-3\"\n\nThe problems have been fixed upstream in version 3002.5.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2020-28243 (privilege escalation)\n\nAn issue was discovered in SaltStack Salt before 3002.5. The minion's\nrestartcheck is vulnerable to command injection via a crafted process\nname. This allows for a local privilege escalation by any user able to\ncreate files on the minion in a non-blacklisted directory.\n\n- CVE-2020-28972 (certificate verification bypass)\n\nIn SaltStack Salt before 3002.5, authentication to VMware vcenter,\nvsphere, and esxi servers (in the vmware.py files) does not always\nvalidate the SSL/TLS certificate.\n\n- CVE-2020-35662 (certificate verification bypass)\n\nIn SaltStack Salt before 3002.5, when authenticating to services using\ncertain modules, the SSL certificate is not always validated.\n\n- CVE-2021-3144 (insufficient validation)\n\nIn SaltStack Salt before 3002.5, eauth tokens can be used once after\nexpiration. (They might be used to run commands against the salt master\nor minions.)\n\n- CVE-2021-3148 (arbitrary command execution)\n\nAn issue was discovered in SaltStack Salt before 3002.5. Sending\ncrafted web requests to the Salt API can result in\nsalt.utils.thin.gen_thin() command injection because of different\nhandling of single versus double quotes. This is related to\nsalt/utils/thin.py.\n\n- CVE-2021-3197 (arbitrary command execution)\n\nAn issue was discovered in SaltStack Salt before 3002.5. The salt-api's\nssh client is vulnerable to a shell injection by including ProxyCommand\nin an argument, or via ssh_options provided in an API request.\n\n- CVE-2021-25281 (access restriction bypass)\n\nAn issue was discovered in SaltStack Salt before 3002.5. salt-api does\nnot honor eauth credentials for the wheel_async client. 
Thus, an\nattacker can remotely run any wheel modules on the master.\n\n- CVE-2021-25282 (directory traversal)\n\nAn issue was discovered in SaltStack Salt before 3002.5. The\nsalt.wheel.pillar_roots.write method is vulnerable to directory\ntraversal.\n\n- CVE-2021-25283 (cross-site scripting)\n\nAn issue was discovered in SaltStack Salt before 3002.5. The jinja\nrenderer does not protect against server side template injection\nattacks.\n\n- CVE-2021-25284 (information disclosure)\n\nAn issue was discovered in SaltStack Salt before 3002.5.\nsalt.modules.cmdmod can log credentials to the info or error log level.\n\nImpact\n======\n\nA remote unauthenticated attacker could execute commands, bypass TLS\nverification, traverse directories and disclose credentials.\n\nReferences\n==========\n\nhttps://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/\nhttps://security.archlinux.org/CVE-2020-28243\nhttps://security.archlinux.org/CVE-2020-28972\nhttps://security.archlinux.org/CVE-2020-35662\nhttps://security.archlinux.org/CVE-2021-3144\nhttps://security.archlinux.org/CVE-2021-3148\nhttps://security.archlinux.org/CVE-2021-3197\nhttps://security.archlinux.org/CVE-2021-25281\nhttps://security.archlinux.org/CVE-2021-25282\nhttps://security.archlinux.org/CVE-2021-25283\nhttps://security.archlinux.org/CVE-2021-25284\n", "modified": "2021-02-27T00:00:00", "published": "2021-02-27T00:00:00", "id": "ASA-202102-33", "href": "https://security.archlinux.org/ASA-202102-33", "type": "archlinux", "title": "[ASA-202102-33] salt: multiple issues", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-03-01T00:42:29", "bulletinFamily": "unix", "cvelist": ["CVE-2020-8625"], "description": "Arch Linux Security Advisory ASA-202102-40\n==========================================\n\nSeverity: High\nDate : 2021-02-27\nCVE-ID : CVE-2020-8625\nPackage : bind\nType : arbitrary code execution\nRemote : Yes\nLink : 
https://security.archlinux.org/AVG-1589\n\nSummary\n=======\n\nThe package bind before version 9.16.12-1 is vulnerable to arbitrary\ncode execution.\n\nResolution\n==========\n\nUpgrade to 9.16.12-1.\n\n# pacman -Syu \"bind>=9.16.12-1\"\n\nThe problem has been fixed upstream in version 9.16.12.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nA security issue was found in BIND 9.5.0 up to 9.11.27, 9.12.0 up to\n9.16.11, and versions BIND 9.11.3-S1 up to 9.11.27-S1 and 9.16.8-S1 up\nto 9.16.11-S1 of BIND Supported Preview Edition, as well as the release\nversions 9.17.0 and 9.17.1 of the BIND 9.17 development branch. A\nvulnerability in BIND's GSSAPI security policy can be targeted by a\nbuffer overflow attack.\n\nImpact\n======\n\nA malicious server could execute code on the host.\n\nReferences\n==========\n\nhttps://kb.isc.org/docs/cve-2020-8625\nhttps://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch\nhttps://security.archlinux.org/CVE-2020-8625\n", "modified": "2021-02-27T00:00:00", "published": "2021-02-27T00:00:00", "id": "ASA-202102-40", "href": "https://security.archlinux.org/ASA-202102-40", "type": "archlinux", "title": "[ASA-202102-40] bind: arbitrary code execution", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}
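The ASA-202102-37 entry above notes that parse_qsl() stopped accepting `;` as a query separator by default, and that the old behaviour let crafted HTTP queries poison caches (CVE-2021-23336). The following is an added example, not code from the advisories, from CPython or from any listed project: it models the pre-fix and patched separator semantics side by side, plus a minimal front-proxy/origin pair showing why the mismatch matters. The proxy rule of leaving `utm_*` parameters out of the cache key, the origin that reflects a `callback` parameter, the path `/widget.js` and the query strings are all constructed for illustration.

```python
"""Added example: web cache poisoning via the ';' query separator (CVE-2021-23336).

legacy_parse_qsl reproduces the pre-fix CPython default (both '&' and ';'
split parameters); fixed_parse_qsl reproduces the patched default ('&' only).
The proxy/origin model and all sample inputs are constructed, not taken from
any real deployment.
"""
import urllib.parse
from urllib.parse import unquote_plus


def _parse(qs, separators):
    """Split qs on each separator in turn, then decode name=value pairs.
    Blank values are kept (keep_blank_values=True semantics) to keep it short."""
    chunks = [qs]
    for sep in separators:
        chunks = [piece for chunk in chunks for piece in chunk.split(sep)]
    pairs = []
    for chunk in chunks:
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def legacy_parse_qsl(qs):
    """Pre-fix CPython default: '&' and ';' both separate parameters."""
    return _parse(qs, ("&", ";"))


def fixed_parse_qsl(qs):
    """Patched default (3.6.13, 3.7.10, 3.8.8, 3.9.2 and later): only '&'
    separates parameters; a ';' is ordinary value data."""
    return _parse(qs, ("&",))


def interpreter_is_patched():
    """Quick host check: True when this interpreter's urllib.parse no longer
    splits on ';' by default (one pair back instead of two)."""
    return len(urllib.parse.parse_qsl("a=1;b=2")) == 1


# Constructed: tracking parameters a CDN typically drops from its cache key.
UNKEYED_PREFIXES = ("utm_",)


def proxy_cache_key(path, qs):
    """Cache-key normalisation of a front proxy that understands only '&'
    (as Varnish, Squid and most CDNs do) and ignores tracking parameters."""
    keyed = [(k, v) for k, v in fixed_parse_qsl(qs)
             if not k.startswith(UNKEYED_PREFIXES)]
    if not keyed:
        return path
    return path + "?" + "&".join(f"{k}={v}" for k, v in keyed)


def backend_response(qs, parse_qsl):
    """Constructed origin: a JSONP-style endpoint that reflects 'callback'."""
    params = dict(parse_qsl(qs))
    return f"{params.get('callback', 'defaultCb')}({{}})"


def simulate(qs, parse_qsl, path="/widget.js"):
    """Return (cache key the proxy stores under, body the origin produced).

    With the legacy parser the proxy sees a single utm_content parameter,
    drops it, and caches the origin's reflected 'evil' body under the bare
    path that every ordinary visitor requests.
    """
    return proxy_cache_key(path, qs), backend_response(qs, parse_qsl)


if __name__ == "__main__":
    attack = "utm_content=x;callback=evil"
    for name, parser in (("legacy", legacy_parse_qsl), ("fixed", fixed_parse_qsl)):
        key, body = simulate(attack, parser)
        print(f"{name:6} origin parser -> cached at {key!r}: {body}")
    print("this interpreter is patched:", interpreter_is_patched())
```

The point of the model is the disagreement between two parsers of the same bytes: the proxy keys the response on `/widget.js` because it never saw a second parameter, while an origin with the old parse_qsl behaviour saw `callback=evil` and reflected it, so the poisoned body is served to every later request for the bare path. With the patched default both sides agree and the attacker's `;callback=evil` stays inside the `utm_content` value. `interpreter_is_patched()` is a one-line check to run on a host before assuming its Python has the fix; the explicit `separator="&"` keyword exists in the patched releases for code that needs to be sure regardless of defaults.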