Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-68152

Publication date:
03/04/2026
Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19.
Severity CVSS v4.0: MEDIUM
Last modification:
21/04/2026

CVE-2025-68153

Publication date:
03/04/2026
Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19.
Severity CVSS v4.0: HIGH
Last modification:
21/04/2026

CVE-2026-23427

Publication date:
03/04/2026
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free in durable v2 replay of active file handles
parse_durable_handle_context() unconditionally assigns dh_info->fp->conn to the current connection when handling a DURABLE_REQ_V2 context with SMB2_FLAGS_REPLAY_OPERATION. ksmbd_lookup_fd_cguid() does not filter by fp->conn, so it returns file handles that are already actively connected. The unconditional overwrite replaces fp->conn, and when the overwriting connection is subsequently freed, __ksmbd_close_fd() dereferences the stale fp->conn via spin_lock(&fp->conn->llist_lock), causing a use-after-free.
KASAN report:
---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-23428

Publication date:
03/04/2026
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free of share_conf in compound request
smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == TREE_CONNECTED on the initial lookup path, but the compound reuse path bypasses this check entirely.
If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), subsequent commands dereference the freed share_conf through work->tcon->share_conf.
KASAN report:
---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2026

CVE-2026-5469

Publication date:
03/04/2026
A weakness has been identified in Casdoor 2.356.0. This vulnerability affects unknown code of the component Webhook URL Handler. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
09/04/2026

CVE-2026-26477

Publication date:
03/04/2026
An issue in Dokuwiki v.2025-05-14b "Librarian" [56.2] allows a remote attacker to cause a denial of service via the media_upload_xhr() function in the media.php file.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026

CVE-2025-59710

Publication date:
03/04/2026
An issue was discovered in Biztalk360 before 11.5. Because of incorrect access control, any user is able to request the loading of a DLL file. During the loading, a method is called. An attacker can craft a malicious DLL, upload it to the server, and use it to achieve remote code execution on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026

CVE-2025-59711

Publication date:
03/04/2026
An issue was discovered in Biztalk360 before 11.5. Because of mishandling of user-provided input in an upload mechanism, an authenticated attacker is able to write files outside of the destination directory and/or coerce an authentication from the service, aka Directory Traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026

CVE-2025-59709

Publication date:
03/04/2026
An issue was discovered in Biztalk360 through 11.5. Because of mishandling of user-provided input in a path to be read by the server, a Super User attacker is able to read files on the system and/or coerce an authentication from the service, aka Directory Traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2026

CVE-2026-5468

Publication date:
03/04/2026
A security flaw has been discovered in Casdoor 2.356.0. This affects the function dangerouslySetInnerHTML. Performing a manipulation of the argument formCss/formCssMobile/formSideHtml results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2026-25773

Publication date:
03/04/2026
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2026

CVE-2026-28736

Publication date:
03/04/2026
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2026