Home Unlabelled SB18-267: Vulnerability Summary for the Week of September 17, 2018

SB18-267: Vulnerability Summary for the Week of September 17, 2018

By
Tuesday, September 25, 2018
Read
Add Comment
Original release date: September 24, 2018

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

High Vulnerabilities

Primary
Vendor -- Product		DescriptionPublishedCVSS ScoreSource & Patch Info
There were no high vulnerabilities recorded this week.
Back to top

 

Medium Vulnerabilities

Primary
Vendor -- Product		DescriptionPublishedCVSS ScoreSource & Patch Info
There were no medium vulnerabilities recorded this week.
Back to top

 

Low Vulnerabilities

Primary
Vendor -- Product		DescriptionPublishedCVSS ScoreSource & Patch Info
There were no low vulnerabilities recorded this week.
Back to top

 

Severity Not Yet Assigned

Primary
Vendor -- Product		DescriptionPublishedCVSS ScoreSource & Patch Info
accusoft -- prizmdoc
 		Accusoft PrizmDoc version 13.3 and earlier contains a Stored Cross-Site Scripting issue through a crafted PDF file.2018-09-18not yet calculatedCVE-2018-15546
CONFIRM
MISC
apache -- camel
 		Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal.2018-09-17not yet calculatedCVE-2018-8041
CONFIRM
BID
CONFIRM
apache -- karaf
 		In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a bit by using chroot to change the root directory to protect files outside of the Karaf install directory; it can be further locked down by defining a security manager policy that limits file system access to those directories beneath the Karaf home that are necessary for the system to run. However, this still allows anyone with ssh access to the Karaf process to read and write a large number of files as the Karaf process user.2018-09-18not yet calculatedCVE-2018-11786
CONFIRM
CONFIRM
MLIST
apache -- karaf
 		In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. And optional bundle that some applications use is the Pax Web Extender Whiteboard, it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised.2018-09-18not yet calculatedCVE-2018-11787
CONFIRM
CONFIRM
MLIST
apache -- mesos
 		Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.2018-09-21not yet calculatedCVE-2018-8023
MLIST
apache -- spamassassin
 		A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2.2018-09-17not yet calculatedCVE-2018-11780
BID
MLIST
apache -- spamassassin
 		Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax.2018-09-17not yet calculatedCVE-2018-11781
MLIST
apache -- spamassassin
 		A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we setup an object and hook into the begin and end tag event handlers In both cases, the "open" event is immediately followed by a "close" event - even if the tag *does not* close in the HTML being parsed. Because of this, we are missing the "text" event to deal with the object normally. This can cause carefully crafted emails that might take more scan time than expected leading to a Denial of Service. The issue is possibly a bug or design decision in HTML::Parser that specifically impacts the way Apache SpamAssassin uses the module with poorly formed html. The exploit has been seen in the wild but not believed to have been purposefully part of a Denial of Service attempt. We are concerned that there may be attempts to abuse the vulnerability in the future.2018-09-17not yet calculatedCVE-2017-15705
BID
MLIST
apache -- tika
 		In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.2018-09-19not yet calculatedCVE-2018-11761
MLIST
apache -- tika
 		In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.2018-09-19not yet calculatedCVE-2018-11762
MLIST
apache -- tika
 		In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an infinite loop in the IptcAnpaParser.2018-09-19not yet calculatedCVE-2018-8017
MLIST
artifex -- ghostscript
 		Artifex Ghostscript before 9.25 allowed a user-writable error exception table, which could be used by remote attackers able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code.2018-09-19not yet calculatedCVE-2018-17183
MISC
MISC
asus -- gt-ac5300
 		blocking_request.cgi on ASUS GT-AC5300 devices through 3.0.0.4.384_32738 allows remote attackers to cause a denial of service (NULL pointer dereference and device crash) via a request that lacks a timestap parameter.2018-09-17not yet calculatedCVE-2018-17127
MISC
atlassian -- fisheye_and_crucible
 		The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability.2018-09-18not yet calculatedCVE-2018-13398
CONFIRM
CONFIRM
atlassian -- jiraThe DEISER "Profields - Project Custom Fields" app before 6.0.2 for Jira has Incorrect Access Control.2018-09-21not yet calculatedCVE-2018-16281
CONFIRM
audiofile -- audiofile
 		An issue has been discovered in mpruett Audio File Library (aka audiofile) 0.3.6. A heap-based buffer overflow in Expand3To4Module::run has occurred when running sfconvert.2018-09-16not yet calculatedCVE-2018-17095
MISC
MISC
avaya -- aura_orchestration_designer
 		A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1.2018-09-21not yet calculatedCVE-2018-15612
CONFIRM
avaya -- aura_orchestration_designer
 		A cross-site scripting (XSS) vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could result in malicious content being returned to the user. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1.2018-09-21not yet calculatedCVE-2018-15613
CONFIRM
bitcoin_core -- bitcoin_core
 		Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.2018-09-19not yet calculatedCVE-2018-17144
MISC
MISC
MISC
MISC
blackberry -- enterprise_mobility_server
 		A directory traversal vulnerability in the Connect Service of the BlackBerry Enterprise Mobility Server (BEMS) 2.8.17.29 and earlier could allow an attacker to retrieve arbitrary files in the context of a BEMS administrator account.2018-09-19not yet calculatedCVE-2018-8889
CONFIRM
browserify-hmr -- browserify-hmr
 		An issue was discovered in Browserify-HMR. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/ connection from any origin.2018-09-21not yet calculatedCVE-2018-14730
MISC
MISC
bullguard -- safe_browsing
 		BullGuard Safe Browsing before 18.1.355.9 allows XSS on Google, Bing, and Yahoo! pages via domains indexed in search results.2018-09-15not yet calculatedCVE-2018-17061
MISC
CONFIRM
circontrol -- circarlife
 		An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is system software information disclosure due to lack of authentication for /html/device-id.2018-09-18not yet calculatedCVE-2018-16671
MISC
circontrol -- circarlife
 		An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is internal installation path disclosure due to the lack of authentication for /html/repository.2018-09-18not yet calculatedCVE-2018-16668
MISC
circontrol -- circarlife
 		An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is PLC status disclosure due to lack of authentication for /html/devstat.html.2018-09-18not yet calculatedCVE-2018-16670
MISC
circontrol -- open_charge_point_protocol
 		An issue was discovered in CIRCONTROL Open Charge Point Protocol (OCPP) before 1.5.0, as used in CirCarLife, PowerStudio, and other products. Due to storage of credentials in XML files, an unprivileged user can look at /services/config/config.xml for the admin credentials of the ocpp and circarlife panels.2018-09-18not yet calculatedCVE-2018-16669
MISC
cloud_foundry_foundation -- container_runtime
 		Cloud Foundry Container Runtime (kubo-release), versions prior to 0.14.0, may leak UAA and vCenter credentials to application logs. A malicious user with the ability to read the application logs could use these credentials to escalate privileges.2018-09-17not yet calculatedCVE-2018-1223
CONFIRM
cloud_foundry_foundation -- garden-runc
 		Cloud Foundry Garden-runC release, versions prior to 1.16.1, prevents deletion of some app environments based on file attributes. A remote authenticated malicious user may create and delete apps with crafted file attributes to cause a denial of service for new app instances or scaling up of existing apps.2018-09-18not yet calculatedCVE-2018-11084
CONFIRM
cscms -- cscms
 		CScms 4.1 allows arbitrary directory deletion via a dir=..\\ substring to plugins\sys\admin\Plugins.php.2018-09-17not yet calculatedCVE-2018-17125
MISC
MISC
cscms -- cscms
 		CScms 4.1 allows remote code execution, as demonstrated by 1');eval($_POST[cmd]);# in Web Name to upload\plugins\sys\Install.php.2018-09-17not yet calculatedCVE-2018-17126
MISC
MISC
cuppacms -- cuppacms
 		Stored XSS exists in CuppaCMS through 2018-09-03 via an administrator/#/component/table_manager/view/cu_menus section name.2018-09-21not yet calculatedCVE-2018-17300
MISC
dedecms -- dedecms
 		DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "2018-09-21not yet calculatedCVE-2018-12511
MISC
ethereum -- minttoken_tokenThe mintToken function of a smart contract implementation for PolyAi (AI), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.2018-09-21not yet calculatedCVE-2018-17050
MISC
exiv2 -- exiv2Exiv2::ul2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer overflow) via a crafted image file.2018-09-19not yet calculatedCVE-2018-17230
MISC
exiv2 -- exiv2An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.2018-09-20not yet calculatedCVE-2018-17282
MISC
exiv2 -- exiv2Exiv2::d2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer overflow) via a crafted image file.2018-09-19not yet calculatedCVE-2018-17229
MISC
foreman -- foreman
 		An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context.2018-09-21not yet calculatedCVE-2018-14643
BID
REDHAT
CONFIRM
CONFIRM
foscam -- c1_indoor_hd_cameraAn exploitable buffer overflow vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10000 can cause a buffer overflow resulting in overwriting arbitrary data.2018-09-19not yet calculatedCVE-2017-2875
MISC
foscam -- c1_indoor_hd_cameraAn exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.2018-09-17not yet calculatedCVE-2017-2856
MISC
foscam -- c1_indoor_hd_cameraAn exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during the SoftAP configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.2018-09-19not yet calculatedCVE-2017-2873
MISC
foscam -- c1_indoor_hd_cameraAn exploitable buffer overflow vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10000 can cause a buffer overflow resulting in overwriting arbitrary data.2018-09-19not yet calculatedCVE-2017-2876
MISC
foscam -- c1_indoor_hd_cameraAn information disclosure vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10001 can allow for a user to retrieve sensitive information without authentication.2018-09-17not yet calculatedCVE-2017-2874
MISC
foscam -- c1_indoor_hd_cameraInsufficient security checks exist in the recovery procedure used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A HTTP request can allow for a user to perform a firmware upgrade using a crafted image. Before any firmware upgrades in this image are flashed to the device, binaries as well as arguments to shell commands contained in the image are executed with elevated privileges.2018-09-17not yet calculatedCVE-2017-2872
MISC
foscam -- c1_indoor_hd_cameraA missing error check exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10001 could allow an attacker to reset the user accounts to factory defaults, without authentication.2018-09-19not yet calculatedCVE-2017-2877
MISC
foscam -- c1_indoor_hd_cameraAn exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.2018-09-19not yet calculatedCVE-2017-2855
MISC
foscam -- c1_indoor_hd_cameraAn exploitable buffer overflow vulnerability exists in the UPnP implementation used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted UPnP discovery response can cause a buffer overflow resulting in overwriting arbitrary data. An attacker needs to be in the same subnetwork and reply to a discovery message to trigger this vulnerability.2018-09-19not yet calculatedCVE-2017-2879
MISC
foscam -- c1_indoor_hd_cameraAn exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.2018-09-17not yet calculatedCVE-2017-2857
MISC
foscam -- c1_indoor_hd_camera
 		An exploitable buffer overflow vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted HTTP request can cause a buffer overflow resulting in overwriting arbitrary data. An attacker can simply send an HTTP request to the device to trigger this vulnerability.2018-09-19not yet calculatedCVE-2017-2878
MISC
foscam -- c1_indoor_hd_camera
 		An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.2018-09-17not yet calculatedCVE-2017-2854
MISC
gitolite -- gitolitegitolite before commit fa06a34 might allow local users to read arbitrary files in repositories via vectors related to the user umask when running gitolite setup.2018-09-21not yet calculatedCVE-2013-7203
CONFIRM
FEDORA
MLIST
gitolite -- gitolite
 		gitolite commit fa06a34 through 3.5.3 might allow attackers to have unspecified impact via vectors involving world-writable permissions when creating (1) ~/.gitolite.rc, (2) ~/.gitolite, or (3) ~/repositories/gitolite-admin.git on fresh installs.2018-09-21not yet calculatedCVE-2013-4451
CONFIRM
CONFIRM
MLIST
BID
golang -- goThe html package (aka x/net/html) through 2018-09-17 in Go mishandles