August 2022 Web Application Vulnerabilities Released
The Qualys WAS team has released a new series of signatures (detections) to report the vulnerabilities in the following 6 frameworks: Apache, Atlassian, Oracle WebLogic, PHP, Webmin, and WordPress. Organizations can immediately audit their networks for the following vulnerabilities.
Apache Spark is a multi-language engine for executing data engineering, data science, and machine learning on single-node machines or clusters.
QID 150557: Apache Spark Shell Command Injection Vulnerability (CVE-2022-33891)
The Apache Spark UI can enforce ACLs via the configuration option spark.acls.enable. When an authentication filter is configured, the filter checks whether a user has permission to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to impersonate another user by supplying an arbitrary user name. This results in arbitrary shell command execution as the user Spark is currently running as.
Affected versions:
- Apache Spark versions 3.0.3 and earlier
- Apache Spark versions 3.1.1 to 3.1.2
- Apache Spark versions 3.2.0 to 3.2.1
QID 150556: Atlassian Confluence Server and Data Center: Questions for Confluence App – Hardcoded Credentials (CVE-2022-26138)
Confluence is team collaboration software written in Java and mainly used in corporate environments; it is developed and marketed by Atlassian.
The Atlassian Questions for Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password.
Affected versions:
- Questions for Confluence version 2.7.34
- Questions for Confluence version 2.7.35
- Questions for Confluence version 3.0.2
QID 150559: Atlassian Jira Server and Data Center Multiple Servlet Filter Vulnerabilities (JRASERVER-73897)
Jira is a proprietary issue tracking product developed by Atlassian. It provides bug tracking, issue tracking, and project management functions.
Multiple vulnerabilities have been identified in Atlassian Jira Server and Data Center:
- Arbitrary Servlet Filter Bypass (CVE-2022-26136): This vulnerability allows an unauthenticated threat actor to bypass Servlet Filters used by first- and third-party applications.
- Additional Servlet Filter Invocation (CVE-2022-26137): This vulnerability allows a remote, unauthenticated threat actor to invoke additional Servlet Filters when the application processes a request or response.
Affected versions (Jira Server and Data Center):
- before version 8.13.22
- from version 8.14.0 before 8.19.1
- from version 8.20.0 before 8.20.10
- from version 8.21.0 before 8.21.1
- from version 8.22.0 before 8.22.4
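The Spark and Jira entries above are the two on this page whose affected ranges are made of several disjoint intervals, which is exactly what a version-based detection signature has to encode correctly (a host on 3.1.3 or 8.13.22 must not be flagged while 8.20 must). The following is an added example, not Qualys signature code: it parses dotted versions, evaluates constraint clauses such as `>=8.14.0,<8.19.1`, and flags inventory rows whose version falls into any listed range. The ranges are transcribed from the advisory text above; the inventory rows and hostnames are constructed.

```python
"""Affected-version matcher for the Apache Spark (QID 150557) and Atlassian Jira
(QID 150559) advisories. Added example; not Qualys code. The ranges are taken
from the advisory text on this page, the sample inventory is constructed."""
import re
from typing import List, Sequence, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'8.20.10' -> (8, 20, 10). Trailing suffixes such as '-rc1' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", s.strip())
    if not m:
        raise ValueError(f"not a version: {s!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def cmp_versions(a: Version, b: Version) -> int:
    """Component-wise compare, padding the shorter tuple with zeros so 8.20 == 8.20.0."""
    n = max(len(a), len(b))
    a2 = a + (0,) * (n - len(a))
    b2 = b + (0,) * (n - len(b))
    return (a2 > b2) - (a2 < b2)


_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
}


def satisfies(version: str, constraint: str) -> bool:
    """True when `version` meets every comma-separated clause, e.g. '>=8.14.0,<8.19.1'."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](cmp_versions(v, parse_version(bound))):
            return False
    return True


# Affected ranges transcribed from the advisory text on this page.
# "3.0.3 and earlier" is inclusive; "before 8.13.22" is exclusive.
AFFECTED = {
    "QID 150557 Apache Spark (CVE-2022-33891)": [
        "<=3.0.3",
        ">=3.1.1,<=3.1.2",
        ">=3.2.0,<=3.2.1",
    ],
    "QID 150559 Atlassian Jira (JRASERVER-73897)": [
        "<8.13.22",
        ">=8.14.0,<8.19.1",
        ">=8.20.0,<8.20.10",
        ">=8.21.0,<8.21.1",
        ">=8.22.0,<8.22.4",
    ],
}


def is_affected(product: str, version: str) -> bool:
    """A version is affected when it falls into any one of the listed ranges."""
    return any(satisfies(version, r) for r in AFFECTED[product])


def flag_inventory(inventory: Sequence[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """inventory rows are (host, product key, version); returns (host, product) rows to fix."""
    return [(host, prod) for host, prod, ver in inventory if is_affected(prod, ver)]


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [
        ("spark-01.example.test", "QID 150557 Apache Spark (CVE-2022-33891)", "3.1.2"),
        ("spark-02.example.test", "QID 150557 Apache Spark (CVE-2022-33891)", "3.3.0"),
        ("jira-01.example.test", "QID 150559 Atlassian Jira (JRASERVER-73897)", "8.20.3"),
        ("jira-02.example.test", "QID 150559 Atlassian Jira (JRASERVER-73897)", "8.13.22"),
    ]
    for host, prod in flag_inventory(sample):
        print(f"{host}: affected by {prod}")
```

The zero-padding in `cmp_versions` matters in practice: banners and package metadata often report `8.20` for `8.20.0`, and a plain string comparison would either miss it or misorder `8.9` against `8.20`.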
Oracle WebLogic Server (formerly known as BEA WebLogic Server) is an application server for building and deploying enterprise applications and services.
QID 150555: Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2022)
The Oracle Critical Patch Update for July 2022 (CPUJUL2022) fixes multiple vulnerabilities in the Oracle WebLogic Server component of Oracle Fusion Middleware, versions 126.96.36.199.0, 188.8.131.52.0 and 184.108.40.206.0.
Affected versions:
- Oracle WebLogic Server versions 220.127.116.11.0, 18.104.22.168.0 and 22.214.171.124.0
PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.
QID 150558: PHP Heap Buffer Overflow Vulnerability (CVE-2022-31627)
In affected versions of PHP, when fileinfo functions such as finfo_buffer() are used, an incorrect patch applied to the third-party libmagic code can cause the wrong function to be used to free allocated memory, which may lead to heap corruption.
Affected versions:
- PHP versions 8.1.x prior to 8.1.7
Webmin is a powerful and flexible web-based server management control panel for Unix-like systems.
QID 150563: Webmin Authenticated Command Injection Vulnerability (CVE-2022-36446)
In affected versions of Webmin, software/apt-lib.pl (before version 1.997) lacks HTML escaping for a UI command, leading to a command injection vulnerability.
Affected versions:
- Webmin versions prior to 1.997
WordPress is an open-source content management system (CMS) written in PHP.
QID 150554: WordPress WP Maintenance Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2022-30536)
The WP Maintenance plugin lets you put your website into maintenance mode while you perform maintenance or prepare to launch the site.
The plugin does not sanitize and escape several of its settings, which could allow high-privilege users such as administrators to perform stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Affected versions:
- WordPress WP Maintenance plugin before 6.0.8
QID 150560: WordPress WP-DBManager Plugin: Authenticated Remote Command Execution Vulnerability (CVE-2022-2354)
WP-DBManager is a WordPress plugin that allows you to optimize, repair, back up, and restore the database, delete database backups, drop or empty tables, and run selected queries.
The WP-DBManager WordPress plugin does not prevent administrators from running arbitrary commands on the server in multisite installations, where only super administrators should be able to.
Affected versions:
- WordPress WP-DBManager plugin before 2.80.8
QID 150564: WordPress uDraw Plugin: Arbitrary File Read Vulnerability (CVE-2022-0656)
The Web to Print Shop: uDraw WordPress plugin is a browser-based graphic designer that allows customers to create template-based products.
Affected versions of the uDraw plugin do not validate the url parameter of the “udraw_convert_url_to_base64” AJAX action before passing it to “file_get_contents” and returning the content base64-encoded in the HTTP response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd or wp-config.php).
Affected versions:
- uDraw prior to version 3.3.3
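The uDraw entry above is the classic shape of an arbitrary file read: a user-controlled string goes straight into PHP's file_get_contents(), which happily accepts local paths and stream wrappers as well as web URLs. The following is an added example, not the plugin's code (which is PHP): a validation function that a "fetch this URL and return it" endpoint should apply before fetching anything, and a detector that applies the same check to the url parameter seen in web-server access logs for that AJAX action. The allowed-scheme policy, the combined log format, and the log lines themselves are assumptions constructed for this example.

```python
"""Input validation for a fetch-by-URL endpoint, plus a log detector that flags
requests whose url parameter would have failed that validation.
Added example, not uDraw plugin code; the policy and the log lines are constructed."""
import ipaddress
import re
from typing import List, Sequence, Tuple
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumed policy: only remote web resources


def validate_fetch_url(url: str) -> Tuple[bool, str]:
    """Return (ok, reason). Only absolute http(s) URLs with a public host pass.
    Bare paths, file://, php:// and other wrappers are rejected because
    file_get_contents() would otherwise read local files; loopback/private IP
    literals are rejected so the endpoint cannot be pointed at internal services.
    DNS-level tricks (names resolving to internal addresses) are out of scope here."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme or '(none)'!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() == "localhost":
        return False, "localhost not allowed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, accepted by this check
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local
                           or ip.is_reserved or ip.is_unspecified):
        return False, f"IP literal {host} is not a public address"
    return True, "ok"


# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
AJAX_ACTION = "udraw_convert_url_to_base64"  # action name from the advisory text


def find_suspicious_fetches(lines: Sequence[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, decoded url parameter, reason) for admin-ajax requests to the
    uDraw action whose url parameter fails validate_fetch_url. Only GET query strings
    are visible in access logs; POST bodies would need a WAF or application log."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not target.path.endswith("/admin-ajax.php"):
            continue
        qs = parse_qs(target.query)  # percent-decodes the parameter values
        if qs.get("action", [""])[0] != AJAX_ACTION:
            continue
        for url in qs.get("url", []):
            ok, reason = validate_fetch_url(url)
            if not ok:
                hits.append((m.group("ip"), url, reason))
    return hits


# Constructed sample log lines (RFC 5737 test addresses); not from a real server.
LOG_LINES = [
    '203.0.113.5 - - [10/Aug/2022:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=udraw_convert_url_to_base64&url=https%3A%2F%2Fcdn.example.test%2Flogo.png HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Aug/2022:12:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=udraw_convert_url_to_base64&url=%2Fetc%2Fpasswd HTTP/1.1" 200 3012',
    '198.51.100.7 - - [10/Aug/2022:12:00:15 +0000] "GET /wp-admin/admin-ajax.php?action=udraw_convert_url_to_base64&url=file%3A%2F%2F%2Fvar%2Fwww%2Fhtml%2Fwp-config.php HTTP/1.1" 200 2860',
    '203.0.113.9 - - [10/Aug/2022:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 10240',
]

if __name__ == "__main__":
    for ip, url, reason in find_suspicious_fetches(LOG_LINES):
        print(f"{ip} requested {url!r}: {reason}")
```

Note that a 200 status on the flagged lines is itself a signal worth keeping in the alert: on a patched plugin (3.3.3 or later) the same requests should no longer return file contents, so response size and status on these requests are a quick way to confirm the fix from the log side.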