Vulnerability Summary for the Week of September 17, 2018

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

There were no high vulnerabilities recorded this week.


Medium Vulnerabilities

Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

There were no medium vulnerabilities recorded this week.


Low Vulnerabilities

Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

There were no low vulnerabilities recorded this week.


Severity Not Yet Assigned

Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

Vendor -- Product: accusoft -- prizmdoc
Description: Accusoft PrizmDoc version 13.3 and earlier contains a Stored Cross-Site Scripting issue through a crafted PDF file.
Published: 2018-09-18
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-15546, CONFIRM, MISC

Vendor -- Product: apache -- camel
Description: Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal.
Published: 2018-09-17
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-8041, CONFIRM, BID, CONFIRM

Vendor -- Product: apache -- karaf
Description: In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a bit by using chroot to change the root directory to protect files outside of the Karaf install directory; it can be further locked down by defining a security manager policy that limits file system access to those directories beneath the Karaf home that are necessary for the system to run. However, this still allows anyone with ssh access to the Karaf process to read and write a large number of files as the Karaf process user.
Published: 2018-09-18
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-11786, CONFIRM, CONFIRM, MLIST

Vendor -- Product: apache -- karaf
Description: In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. An optional bundle that some applications use is the Pax Web Extender Whiteboard; it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured, giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall the Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised.
Published: 2018-09-18
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-11787, CONFIRM, CONFIRM, MLIST

Vendor -- Product: apache -- mesos
Description: Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.
Published: 2018-09-21
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-8023, MLIST

Vendor -- Product: apache -- spamassassin
Description: A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2.
Published: 2018-09-17
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-11780, BID, MLIST

Vendor -- Product: apache -- spamassassin
Description: Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax.
Published: 2018-09-17
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-11781, BID, MLIST

Vendor -- Product: apache -- spamassassin
Description: A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we setup an object and hook into the begin and end tag event handlers. In both cases, the "open" event is immediately followed by a "close" event - even if the tag *does not* close in the HTML being parsed. Because of this, we are missing the "text" event to deal with the object normally. This can cause carefully crafted emails that might take more scan time than expected leading to a Denial of Service. The issue is possibly a bug or design decision in HTML::Parser that specifically impacts the way Apache SpamAssassin uses the module with poorly formed html. The exploit has been seen in the wild but not believed to have been purposefully part of a Denial of Service attempt. We are concerned that there may be attempts to abuse the vulnerability in the future.
Published: 2018-09-17
CVSS Score: not yet calculated
Source & Patch Info: CVE-2017-15705, BID, MLIST

Vendor -- Product: apache -- tika
Description: In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
Published: 2018-09-19
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-11761, MLIST

Vendor -- Product: apache -- tika
Description: In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as ":/evil.bat", tika-app would overwrite that file.
Published: 2018-09-19
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-11762, MLIST

Vendor -- Product: apache -- tika
Description: In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an infinite loop in the IptcAnpaParser.
Published: 2018-09-19
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-8017, MLIST

Vendor -- Product: artifex -- ghostscript
Description: Artifex Ghostscript before 9.25 allowed a user-writable error exception table, which could be used by remote attackers able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code.
Published: 2018-09-19
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-17183, MISC, MISC

Vendor -- Product: asus -- gt-ac5300
Description: blocking_request.cgi on ASUS GT-AC5300 devices through 3.0.0.4.384_32738 allows remote attackers to cause a denial of service (NULL pointer dereference and device crash) via a request that lacks a timestap parameter.
Published: 2018-09-17
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-17127, MISC

Vendor -- Product: atlassian -- fisheye_and_crucible
Description: The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability.
Published: 2018-09-18
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-13398, CONFIRM, CONFIRM

Vendor -- Product: atlassian -- jira
Description: The DEISER "Profields - Project Custom Fields" app before 6.0.2 for Jira has Incorrect Access Control.
Published: 2018-09-21
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-16281, CONFIRM

Vendor -- Product: audiofile -- audiofile
Description: An issue has been discovered in mpruett Audio File Library (aka audiofile) 0.3.6. A heap-based buffer overflow in Expand3To4Module::run has occurred when running sfconvert.
Published: 2018-09-16
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-17095, MISC, MISC

Vendor -- Product: avaya -- aura_orchestration_designer
Description: A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1.
Published: 2018-09-21
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-15612, CONFIRM

Vendor -- Product: avaya -- aura_orchestration_designer
Description: A cross-site scripting (XSS) vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could result in malicious content being returned to the user. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1.
Published: 2018-09-21
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-15613, CONFIRM

Vendor -- Product: bitcoin_core -- bitcoin_core
Description: Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
Published: 2018-09-19
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-17144, MISC, MISC, MISC, MISC

Vendor -- Product: blackberry -- enterprise_mobility_server
Description: A directory traversal vulnerability in the Connect Service of the BlackBerry Enterprise Mobility Server (BEMS) 2.8.17.29 and earlier could allow an attacker to retrieve arbitrary files in the context of a BEMS administrator account.
Published: 2018-09-19
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-8889, CONFIRM

Vendor -- Product: browserify-hmr -- browserify-hmr
Description: An issue was discovered in Browserify-HMR. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/ connection from any origin.
Published: 2018-09-21
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-14730, MISC, MISC

Vendor -- Product: bullguard -- safe_browsing
Description: BullGuard Safe Browsing before 18.1.355.9 allows XSS on Google, Bing, and Yahoo! pages via domains indexed in search results.
Published: 2018-09-15
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-17061, MISC, CONFIRM

Vendor -- Product: circontrol -- circarlife
Description: An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is system software information disclosure due to lack of authentication for /html/device-id.
Published: 2018-09-18
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-16671, MISC

Vendor -- Product: circontrol -- circarlife
Description: An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is internal installation path disclosure due to the lack of authentication for /html/repository.
Published: 2018-09-18
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-16668, MISC

Vendor -- Product: circontrol -- circarlife
Description: An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is PLC status disclosure due to lack of authentication for /html/devstat.html.
Published: 2018-09-18
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-16670, MISC

Vendor -- Product: circontrol -- open_charge_point_protocol
Description: An issue was discovered in CIRCONTROL Open Charge Point Protocol (OCPP) before 1.5.0, as used in CirCarLife, PowerStudio, and other products. Due to storage of credentials in XML files, an unprivileged user can look at /services/config/config.xml for the admin credentials of the ocpp and circarlife panels.
Published: 2018-09-18
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-16669, MISC

Vendor -- Product: cloud_foundry_foundation -- container_runtime
Description: Cloud Foundry Container Runtime (kubo-release), versions prior to 0.14.0, may leak UAA and vCenter credentials to application logs. A malicious user with the ability to read the application logs could use these credentials to escalate privileges.
Published: 2018-09-17
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-1223, CONFIRM

Vendor -- Product: cloud_foundry_foundation -- garden-runc
Description: Cloud Foundry Garden-runC release, versions prior to 1.16.1, prevents deletion of some app environments based on file attributes. A remote authenticated malicious user may create and delete apps with crafted file attributes to cause a denial of service for new app instances or scaling up of existing apps.
Published: 2018-09-18
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-11084, CONFIRM

Vendor -- Product: cscms -- cscms
Description: CScms 4.1 allows arbitrary directory deletion via a dir=..\\ substring to plugins\sys\admin\Plugins.php.
Published: 2018-09-17
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-17125, MISC, MISC

Vendor -- Product: cscms -- cscms
Description: CScms 4.1 allows remote code execution, as demonstrated by 1');eval($_POST[cmd]);# in Web Name to upload\plugins\sys\Install.php.
Published: 2018-09-17
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-17126, MISC, MISC

Vendor -- Product: cuppacms -- cuppacms
Description: Stored XSS exists in CuppaCMS through 2018-09-03 via an administrator/#/component/table_manager/view/cu_menus section name.
Published: 2018-09-21
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-17300, MISC

Vendor -- Product: dedecms -- dedecms
Description: DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-

Vendor -- Product: ethereum -- minttoken_token
Description: The mintToken function of a smart contract implementation for PolyAi (AI), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
Published: 2018-09-21
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-17050, MISC

Vendor -- Product: exiv2 -- exiv2
Description: Exiv2::ul2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer overflow) via a crafted image file.
Published: 2018-09-19
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-17230, MISC

Vendor -- Product: exiv2 -- exiv2
Description: An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.
Published: 2018-09-20
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-17282, MISC

Vendor -- Product: exiv2 -- exiv2
Description: Exiv2::d2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer overflow) via a crafted image file.
Published: 2018-09-19
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-17229, MISC

Vendor -- Product: foreman -- foreman
Description: An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context.
Published: 2018-09-21
CVSS Score: not yet calculated
Source & Patch Info: CVE-2018-14643, BID, REDHAT, CONFIRM, CONFIRM

Vendor -- Product: foscam -- c1_indoor_hd_camera
Description: An exploitable buffer overflow vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10000 can cause a buffer overflow resulting in overwriting arbitrary data.
Published: 2018-09-19
CVSS Score: not yet calculated
Source & Patch Info: CVE-2017-2875, MISC

Vendor -- Product: foscam -- c1_indoor_hd_camera
Description: An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.
Published: 2018-09-17
CVSS Score: not yet calculated
Source & Patch Info: CVE-2017-2856, MISC

Vendor -- Product: foscam -- c1_indoor_hd_camera
Description: An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during the SoftAP configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
Published: 2018-09-19
CVSS Score: not yet calculated
Source & Patch Info: CVE-2017-2873, MISC

Vendor -- Product: foscam -- c1_indoor_hd_camera
Description: An exploitable buffer overflow vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10000 can cause a buffer overflow resulting in overwriting arbitrary data.
Published: 2018-09-19
CVSS Score: not yet calculated
Source & Patch Info: CVE-2017-2876, MISC

Vendor -- Product: foscam -- c1_indoor_hd_camera
Description: An information disclosure vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10001 can allow for a user to retrieve sensitive information without authentication.
Published: 2018-09-17
CVSS Score: not yet calculated
Source & Patch Info: CVE-2017-2874, MISC

Vendor -- Product: foscam -- c1_indoor_hd_camera
Description: Insufficient security checks exist in the recovery procedure used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A HTTP request can allow for a user to perform a firmware upgrade using a crafted image. Before any firmware upgrades in this image are flashed to the device, binaries as well as arguments to shell commands contained in the image are executed with elevated privileges.
Published: 2018-09-17
CVSS Score: not yet calculated
Source & Patch Info: CVE-2017-2872, MISC

Vendor -- Product: foscam -- c1_indoor_hd_camera
Description: A missing error check exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10001 could allow an attacker to reset the user accounts to factory defaults, without authentication.
Published: 2018-09-19
CVSS Score: not yet calculated
Source & Patch Info: CVE-2017-2877, MISC

Vendor -- Product: foscam -- c1_indoor_hd_camera
Description: An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.
Published: 2018-09-19
CVSS Score: not yet calculated
Source & Patch Info: CVE-2017-2855, MISC

Vendor -- Product: foscam -- c1_indoor_hd_camera
Description: An exploitable buffer overflow vulnerability exists in the UPnP implementation used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted UPnP discovery response can cause a buffer overflow resulting in overwriting arbitrary data. An attacker needs to be in the same subnetwork and reply to a discovery message to trigger this vulnerability.
Published: 2018-09-19
CVSS Score: not yet calculated
Source & Patch Info: CVE-2017-2879, MISC

Vendor -- Product: foscam -- c1_indoor_hd_camera
Description: An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.
Published: 2018-09-17
CVSS Score: not yet calculated
Source & Patch Info: CVE-2017-2857, MISC

Vendor -- Product: foscam -- c1_indoor_hd_camera
Description: An exploitable buffer overflow vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted HTTP request can cause a buffer overflow resulting in overwriting arbitrary data. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
Published: 2018-09-19
CVSS Score: not yet calculated
Source & Patch Info: CVE-2017-2878, MISC

Vendor -- Product: foscam -- c1_indoor_hd_camera
Description: An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.
Published: 2018-09-17
CVSS Score: not yet calculated
Source & Patch Info: CVE-2017-2854, MISC

Vendor -- Product: gitolite -- gitolite
Description: gitolite before commit fa06a34 might allow local users to read arbitrary files in repositories via vectors related to the user umask when running gitolite setup.
Published: 2018-09-21
CVSS Score: not yet calculated
Source & Patch Info: CVE-2013-7203, CONFIRM, FEDORA, MLIST

Vendor -- Product: gitolite -- gitolite
Description: gitolite commit fa06a34 through 3.5.3 might allow attackers to have unspecified impact via vectors involving world-writable permissions when creating (1) ~/.gitolite.rc, (2) ~/.gitolite, or (3) ~/repositories/gitolite-admin.git on fresh installs.
Published: 2018-09-21
CVSS Score: not yet calculated
Source & Patch Info: CVE-2013-4451, CONFIRM, CONFIRM, MLIST, BID

Description: The html package (aka x/net/html) through 2018-09-17 in Go mishandles