Vulnerabilities

In streampark, the project module integrates Maven&amp;#39;s compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.<br /> <br /> Mitigation:<br /> <br /> all users should upgrade to 2.1.4<br /> <br /> Background info:<br /> <br /> Log in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input `touch /tmp/success_2.1.2` as the "Build Argument". Note that there is no verification and interception of the special character "`". As a result, you will find that this injection command will be successfully executed after executing the build.<br /> <br /> In the latest version, the special symbol ` is intercepted.

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.

The Schema &amp; Structured Data for WP &amp; AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s &amp;#39;url&amp;#39; attribute within the Q&amp;A Block widget in all versions up to, and including, 1.33 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress &amp; WooCommerce plugin for WordPress is vulnerable to unauthorized API access due to a missing capability check in all versions up to, and including, 5.7.26. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access the API (provided it is enabled) and add, edit, and delete audience users.

The 简数采集器 (Keydatas) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the keydatas_downloadImages function in all versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site&amp;#39;s server which may make remote code execution possible.

Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.<br />

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s ultimate_dual_color shortcode in all versions up to, and including, 3.19.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the &amp;#39;import_file&amp;#39; function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data.

The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to Arbitrary File Read to Arbitrary File Creation in all versions up to, and including, 1.1.5 via the &amp;#39;bookingpress_save_lite_wizard_settings_func&amp;#39; function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary files that contain the content of files on the server, allowing the execution of any PHP code in those files or the exposure of sensitive information.

The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the bookingpress_import_data_continue_process_func function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site and upload arbitrary files. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

The AI ChatBot for WordPress – WPBot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix too early release of tcx_entry<br /> <br /> Pedro Pinto and later independently also Hyunwoo Kim and Wongi Lee reported<br /> an issue that the tcx_entry can be released too early leading to a use<br /> after free (UAF) when an active old-style ingress or clsact qdisc with a<br /> shared tc block is later replaced by another ingress or clsact instance.<br /> <br /> Essentially, the sequence to trigger the UAF (one example) can be as follows:<br /> <br /> 1. A network namespace is created<br /> 2. An ingress qdisc is created. This allocates a tcx_entry, and<br /> &amp;tcx_entry-&gt;miniq is stored in the qdisc&amp;#39;s miniqp-&gt;p_miniq. At the<br /> same time, a tcf block with index 1 is created.<br /> 3. chain0 is attached to the tcf block. chain0 must be connected to<br /> the block linked to the ingress qdisc to later reach the function<br /> tcf_chain0_head_change_cb_del() which triggers the UAF.<br /> 4. Create and graft a clsact qdisc. This causes the ingress qdisc<br /> created in step 1 to be removed, thus freeing the previously linked<br /> tcx_entry:<br /> <br /> rtnetlink_rcv_msg()<br /> =&gt; tc_modify_qdisc()<br /> =&gt; qdisc_create()<br /> =&gt; clsact_init() [a]<br /> =&gt; qdisc_graft()<br /> =&gt; qdisc_destroy()<br /> =&gt; __qdisc_destroy()<br /> =&gt; ingress_destroy() [b]<br /> =&gt; tcx_entry_free()<br /> =&gt; kfree_rcu() // tcx_entry freed<br /> <br /> 5. Finally, the network namespace is closed. This registers the<br /> cleanup_net worker, and during the process of releasing the<br /> remaining clsact qdisc, it accesses the tcx_entry that was<br /> already freed in step 4, causing the UAF to occur:<br /> <br /> cleanup_net()<br /> =&gt; ops_exit_list()<br /> =&gt; default_device_exit_batch()<br /> =&gt; unregister_netdevice_many()<br /> =&gt; unregister_netdevice_many_notify()<br /> =&gt; dev_shutdown()<br /> =&gt; qdisc_put()<br /> =&gt; clsact_destroy() [c]<br /> =&gt; tcf_block_put_ext()<br /> =&gt; tcf_chain0_head_change_cb_del()<br /> =&gt; tcf_chain_head_change_item()<br /> =&gt; clsact_chain_head_change()<br /> =&gt; mini_qdisc_pair_swap() // UAF<br /> <br /> There are also other variants, the gist is to add an ingress (or clsact)<br /> qdisc with a specific shared block, then to replace that qdisc, waiting<br /> for the tcx_entry kfree_rcu() to be executed and subsequently accessing<br /> the current active qdisc&amp;#39;s miniq one way or another.<br /> <br /> The correct fix is to turn the miniq_active boolean into a counter. What<br /> can be observed, at step 2 above, the counter transitions from 0-&gt;1, at<br /> step [a] from 1-&gt;2 (in order for the miniq object to remain active during<br /> the replacement), then in [b] from 2-&gt;1 and finally [c] 1-&gt;0 with the<br /> eventual release. The reference counter in general ranges from [0,2] and<br /> it does not need to be atomic since all access to the counter is protected<br /> by the rtnl mutex. With this in place, there is no longer a UAF happening<br /> and the tcx_entry is freed at the correct time.