New Signatures Released by Qualys WAS, May 2022

John Delaroderie

Last updated on: July 20, 2022

The Qualys WAS team has released a new series of signatures (detections) to report vulnerabilities in the following frameworks: Apache, Atlassian, Drupal, F5, Joomla, Lighttpd, Oracle, phpMyAdmin, Spring and WordPress. Organizations can immediately audit their networks for the following vulnerabilities.

Apache

QID 150504 – Apache Struts 2 Remote Code Execution Vulnerability (CVE-2021-31805)

QID 150515 – Apache HTTP Server 2.4.53 Multiple Vulnerabilities

The version of Apache httpd installed on the remote host is prior to 2.4.53. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.53 advisory.

CVE-2022-23943
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker-provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.

CVE-2022-22721
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (the default is 1M) on 32-bit systems, an integer overflow occurs that later causes out-of-bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

CVE-2022-22720
Apache HTTP Server 2.4.52 and earlier fails to close the inbound connection when errors are encountered while discarding the request body, exposing the server to HTTP Request Smuggling.

CVE-2022-22719
A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier.

Atlassian

QID 150510 – Atlassian Jira Server Cross-Site Scripting (XSS) Vulnerabilities (JRASERVER-72392 (CVE-2021-26078), JRASERVER-72432 (CVE-2021-26080))
These vulnerabilities, if exploited, allow remote attackers to inject arbitrary HTML or JavaScript via cross-site scripting (XSS).

QID 150512 – Atlassian Jira Server Broken Authentication Vulnerability (JRASERVER-72029(CVE-2021-26070))
A Broken Authentication vulnerability allows remote attackers to bypass behind-the-firewall security of app-linked resources.

QID 150513 – Atlassian Jira Server Cross-Site Scripting (XSS) Vulnerability (JRASERVER-72396 (CVE-2021-26079))
The CardLayoutConfigTable component in Jira Server and Jira Data Center allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability.

QID 150514 – Atlassian Jira Server Multiple Vulnerabilities
An anonymous user can execute a variety of attacks against a vulnerable Jira instance, including remote code execution, the exposure of confidential files, and a denial-of-service attack against the Jira server. The affected versions allow remote anonymous attackers to:

JRASERVER-72252 (CVE-2021-26076), JRASERVER-72316 (CVE-2021-26075): Learn which mode a user is editing in.

JRASERVER-72233 (CVE-2021-26071): Obtain the full path of the Jira application data directory.

JRASERVER-72010 (CVE-2021-26069): Download temporary files and enumerate project keys.

Drupal

QID 154106 – Drupal Core Cross-Site Scripting (XSS) Vulnerability (SA-CORE-2021-011 (CVE-2021-41164, CVE-2021-41165))
Successful exploitation might allow an attacker to execute arbitrary JavaScript code in the context of the interface or get access to sensitive, browser-based information.

F5

QID 150511 – F5 BIG-IP iControl REST Remote Code Execution (RCE) Vulnerability (CVE-2022-1388)
An unauthenticated remote attacker who successfully exploits this vulnerability might circumvent authentication and execute arbitrary commands with root capabilities on the target device.

Joomla

QID 154107 – Joomla! Core Arbitrary File Write via Archive Extraction (Zip Slip) Vulnerability (CVE-2022-23793)
A remote attacker can send a specially crafted archive to the web application and write files outside of the intended path.

QID 154108 – Joomla! Core Information Exposure Vulnerability (CVE-2022-23794)
Successful exploitation would lead to the disclosure of the path of the source code of the web application, which can help the attacker carry out further attacks.

QID 154109 – Joomla! Core Improper Authentication Vulnerability (CVE-2022-23795)
This package’s affected versions are vulnerable to incorrect authentication. A user row was not tied to a specific authentication technique, which might allow an account takeover in extreme situations.

QID 154113 – Joomla! Core Cross-Site Scripting (XSS) Vulnerability (CVE-2022-23796)
An attacker might exploit this bug to execute arbitrary script code in the browser of an unsuspecting user while they browse the vulnerable site. This gives the attacker the ability to collect cookie-based login credentials and carry out other attacks.

QID 154114 – Joomla! Core SQL injection Vulnerability (CVE-2022-23797)
By exploiting this flaw, an attacker might compromise the application, access or modify data, or leverage latent vulnerabilities in the underlying database.

QID 154115 – Joomla! Core Open Redirect Vulnerability (CVE-2022-23798)
Exploiting this vulnerability may allow attackers to reroute users to arbitrary web pages and execute phishing attacks, among other things. Inadequate URL validation may result in an erroneous verification of whether a redirect URL is internal or not.

QID 154116 – Joomla! Core Multiple Vulnerabilities (CVE-2022-23799, CVE-2022-23800, CVE-2022-23801)
An attacker might exploit these flaws to run arbitrary script code in an unwary user’s browser in the context of the vulnerable site, allowing the attacker to obtain cookie-based login credentials.

WordPress

QID 150498 – WordPress AnyComment Plugin: Arbitrary HyperComments Import/Revert via CSRF Vulnerability (CVE-2022-0134)
If successful, an attacker might execute arbitrary JavaScript code in the context of the interface or get access to sensitive, browser-based information.

QID 150499 – WordPress AnyComment Plugin: Comment Rating Increase/Decrease via Race Condition Vulnerability (CVE-2022-0279)
Successful exploitation could allow an authenticated user to quickly raise their rating or lower the rating of other users.

QID 150501 – WordPress Download Manager Plugin: Authenticated SQL Injection to Reflected XSS Vulnerability (CVE-2021-25069)
Successful exploitation might allow an attacker to execute arbitrary JavaScript code in the context of the interface or get access to sensitive, browser-based information.

QID 150502 – WordPress LoginPress Plugin: Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2022-0347)
A successful attack might provide intruder access to private, browser-based data or the ability to execute arbitrary JavaScript code in the context of the interface.

QID 150507 – WordPress Photo Gallery by 10Web Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2022-0169)
An attacker may be able to breach the application, get access to or edit data, or make use of hidden vulnerabilities in the underlying database by taking advantage of this flaw.

QID 154110 – WordPress Multiple Vulnerabilities (CVE-2017-5610, CVE-2017-5611, CVE-2017-5612)
If these flaws are successfully exploited, an attacker may be able to execute arbitrary JavaScript code or SQL queries and grant unauthorized users access to the user interface.

QID 154111 – WordPress Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2019-20042)
This vulnerability allows an attacker to inject a JavaScript payload. Once stored in the database, the payload would eventually be rendered in several user interfaces.

Lighttpd

QID 150508 – Lighttpd Server Log Injection Vulnerability (CVE-2015-3200)
This QID tries to determine whether the host is running a vulnerable version of lighttpd Server by sending an HTTP GET request and examining the response headers. If this vulnerability is exploited effectively, a malicious attacker will be able to manipulate system information.

QID 150509 – Lighttpd Server Path Traversal Vulnerability (CVE-2018-19052)
If the exploit is successful, a remote attacker will be able to send a specially crafted HTTP request and access any file placed in a directory above an alias target.

Oracle

QID 150500 – Oracle WebLogic Server Multiple Vulnerabilities (CVE-2022-21350, CVE-2022-21347, CVE-2022-21306, CVE-2022-21371, CVE-2022-21386, CVE-2022-21353)
Unauthenticated attackers with network access can compromise Oracle WebLogic Server. Successful attacks on these vulnerabilities may result in unauthorized access to some Oracle WebLogic Server accessible data, as well as the ability to cause a partial denial of service.

phpMyAdmin

QID 150518 – phpMyAdmin Information Exposure Vulnerability (CVE-2022-0813)
The QID makes an HTTP GET call to “doc/html/index.html” to discover the vulnerable version of phpMyAdmin on the target system. An unauthorized attacker can obtain sensitive information.

QID 150491 – phpMyAdmin Authentication bypass Vulnerability (CVE-2022-23807)
A legitimate user who is already logged in to phpMyAdmin can alter their account to evade using two-factor authentication for future logins.

Spring

QID 150494 – Spring Cloud Function Remote Code Execution (RCE) Vulnerability (CVE-2022-22963)
An attacker might supply a forged Spring Expression Language (SpEL) expression as a routing expression, granting access to local resources.

QID 150495 – Spring Core Remote Code Execution (RCE) Vulnerability (CVE-2022-22965) (Spring4Shell)
Exploiting the vulnerability successfully may result in arbitrary remote code execution.
