October 2022 Web Application Vulnerabilities Released
The Qualys WAS team has released a new series of signatures (detections) to report vulnerabilities in the following products: Apache Tomcat, dotCMS, Drupal, FortiOS, GLPI, Grafana, OpenSSL, PHP, SAP NetWeaver, WordPress, and WSO2. Organizations can immediately audit their networks for the following vulnerabilities.
Apache Tomcat
QID 150579 Apache Tomcat Information Disclosure Vulnerability (CVE-2021-43980)
Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.
The simplified implementation of blocking reads and writes exposed a long-standing (but extremely hard to trigger) concurrency bug in Apache Tomcat that could cause client connections to share an Http11Processor instance, resulting in responses, or partial responses, being received by the wrong client.
Affected Versions:
Apache Tomcat 10.1.0-M1 to 10.1.0-M12
Apache Tomcat 10.0.0-M1 to 10.0.18
Apache Tomcat 9.0.0-M1 to 9.0.60
Apache Tomcat 8.5.0 to 8.5.77
dotCMS
QID 150580 dotCMS Cross-Site Scripting (XSS) Vulnerability (CVE-2022-35740)
dotCMS is an open source content management system written in Java for managing content and content-driven sites and applications.
On affected versions of dotCMS core, an XSS filter bypass vulnerability exists due to broken authorization, which allows attackers to bypass XSSPreventionWebInterceptor using a matrix parameter and exploit the XSS vulnerability.
Affected versions:
dotCMS versions: 22.05 and below
Drupal
QID 154123 Drupal Core: Twig Template Path Traversal Vulnerability (CVE-2022-39261)
Drupal is a free and open source content management framework written in PHP and distributed under the GNU General Public License.
Drupal uses the Twig third-party library for content templating and sanitization. Twig is vulnerable to path traversal. When the filesystem loader is used to load templates whose name comes from user input, the source or include statement can be used to read arbitrary files from outside the templates directory by supplying a namespaced name such as @somewhere/../some.file (in that case the loader's validation is bypassed).
Affected Versions:
Drupal 8.0.0 to 9.3.22
Drupal 9.4.0 to 9.4.7
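The following is an added example of the check a template loader (or an audit script run over logged template names) needs for the traversal pattern described above. It is not Twig's or Drupal's code; the namespace-to-directory map, the function names and the sample template names are constructed for this example. The point it demonstrates is that the relative part of a namespaced name (@ns/...) must be validated segment by segment exactly as a bare name is, rather than trusting the namespace prefix.

```python
import posixpath

# Constructed namespace -> directory mapping, standing in for the paths a
# Twig FilesystemLoader would be configured with. Assumption for this example;
# not Twig's or Drupal's own code or configuration.
TEMPLATE_NAMESPACES = {
    "__main__": "/var/www/templates",
    "somewhere": "/var/www/modules/somewhere/templates",
}


class TemplateLoadError(ValueError):
    """Raised when a template name must not be resolved to a file."""


def split_namespace(name):
    """Split '@ns/rel/path' into ('ns', 'rel/path'); bare names use the main namespace."""
    if name.startswith("@"):
        namespace, sep, rel = name[1:].partition("/")
        if not namespace or not sep:
            raise TemplateLoadError("namespaced name needs the form @ns/path: %r" % name)
        return namespace, rel
    return "__main__", name


def resolve_template(name, namespaces=TEMPLATE_NAMESPACES):
    """Return the absolute file path for a template name, or raise TemplateLoadError.

    The check is segment-based rather than string-based: every '/'-separated
    segment of the relative part must be a plain name, so '..', '.', a leading
    slash and empty segments ('a//b') are all rejected before any path joining
    happens. The same check is applied whether or not the name carries a
    namespace, which is what the @somewhere/../some.file case requires.
    """
    if "\x00" in name:
        raise TemplateLoadError("NUL byte in template name")
    # Treat backslashes as separators so 'ns\\..\\x' cannot slip past a '/'-only check.
    name = name.replace("\\", "/").strip()
    namespace, rel = split_namespace(name)
    if namespace not in namespaces:
        raise TemplateLoadError("unknown namespace %r" % namespace)
    segments = rel.split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        raise TemplateLoadError("template name escapes its namespace: %r" % name)
    base = namespaces[namespace].rstrip("/")
    full = posixpath.normpath(posixpath.join(base, rel))
    # Defence in depth: even after the segment check, the normalized result
    # must still lie below the namespace directory.
    if not full.startswith(base + "/"):
        raise TemplateLoadError("resolved path left namespace directory: %r" % full)
    return full


def is_safe_template_name(name, namespaces=TEMPLATE_NAMESPACES):
    """True if resolve_template() accepts the name; usable from a WAF rule or audit script."""
    try:
        resolve_template(name, namespaces)
    except TemplateLoadError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample names, including the traversal pattern from the advisory.
    for candidate in [
        "page.html.twig",
        "@somewhere/pages/index.html.twig",
        "@somewhere/../some.file",
        "../../etc/passwd",
        "@somewhere\\..\\some.file",
    ]:
        verdict = "accept" if is_safe_template_name(candidate) else "REJECT"
        print("%-36s %s" % (candidate, verdict))
```

The segment check does the real work; the final startswith() comparison is only a second line of defence, since a name that passes the segment check cannot normalize outside its namespace directory. If a deployment cannot upgrade Drupal immediately, the same predicate can be run over request parameters that end up as template names to flag traversal attempts in logs.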
FortiOS
QID 150585 FortiOS Authentication Bypass Vulnerability (CVE-2022-40684)
FortiOS handles API calls by proxying all requests to an interface that is only accessible internally. This internal interface is responsible for verifying authentication and authorization.
An authentication bypass vulnerability using an alternate path or channel exists in FortiOS which may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Affected Products:
FortiOS version from 7.0.0 to 7.0.6
FortiOS version from 7.2.0 to 7.2.1
GLPI
QID 150584 GLPI HtmlLawed Module Command Injection Vulnerability (CVE-2022-35914)
GLPI, or Gestionnaire Libre de Parc Informatique, is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing.
On affected versions of GLPI, /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module allows PHP code injection.
Affected versions:
GLPI versions before 10.0.3
Grafana
QID 150576 Grafana Authentication Bypass Vulnerability (CVE-2022-35957)
Grafana is a multi-platform open source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.
Affected versions of Grafana are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the Grafana instance.
Affected Versions:
Grafana versions before 8.5.13
Grafana versions from 9.0.0 to 9.0.9
Grafana versions from 9.1.0 to 9.1.6
OpenSSL
QID 520001 Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (CVE-2022-3602, CVE-2022-3786)
OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end.
OpenSSL has released a pre-notification for the release of OpenSSL version 3.0.7. As per OpenSSL, version 3.0.7 addresses two High severity vulnerabilities, CVE-2022-3786 and CVE-2022-3602.
Affected Versions:
OpenSSL version 3.0.0 to 3.0.6
PHP
QID 150578 PHP Multiple Vulnerabilities (CVE-2022-31629, CVE-2022-31628)
PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.
Affected versions of PHP have multiple vulnerabilities:
CVE-2022-31628: The vulnerability exists due to an infinite loop within the phar uncompressor code when processing "quine" gzip files. A remote attacker can pass a specially crafted archive to the application, consume all available system resources and cause a denial-of-service condition.
CVE-2022-31629: The vulnerability exists due to the way PHP handles HTTP variable names. A remote attacker can set a standard insecure cookie in the victim's browser which is treated as a "__Host-" or "__Secure-" cookie by PHP applications.
Affected Versions:
PHP versions before 7.4.31
PHP versions 8.0.0 prior to 8.0.24
PHP versions 8.1.0 prior to 8.1.11
SAP NetWeaver
QID 150561 SAP NetWeaver Request Smuggling and Request Concatenation Vulnerability (CVE-2022-22532)
SAP NetWeaver Application Server or SAP Web Application Server is a component of SAP NetWeaver which works as a web application server for SAP products.
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of the confidentiality, integrity and availability of the system.
Affected Versions:
Product: SAP NetWeaver Application Server Java
Versions: KRNL64NUC 7.22, 7.22EXT, 7.49; KRNL64UC 7.22, 7.22EXT, 7.49, 7.53; KERNEL 7.22, 7.49, 7.53
WordPress
QID 150577 WordPress Wordfence Security – Firewall and Malware Scan Plugin: Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2022-3144)
Wordfence Security is a WordPress plugin which includes an endpoint firewall and malware scanner that were built from the ground up to protect WordPress sites.
Affected versions of the Wordfence Security – Firewall and Malware Scan plugin are vulnerable to Stored Cross-Site Scripting via a setting on the options page, due to insufficient escaping of the stored value; this makes it possible for authenticated users with administrative privileges to inject malicious web scripts.
Affected versions:
Wordfence Security prior to version 7.6.1
WSO2
QID 150581 (Potential) WSO2 File Upload Remote Command Execution Vulnerability (CVE-2022-29464)
QID 150524 (Confirmed) WSO2 File Upload Remote Command Execution Vulnerability (CVE-2022-29464)
WSO2 is an open-source technology provider. It offers an enterprise platform for integrating application programming interfaces, applications, and web services locally and across the Internet.
Due to improper validation of user input, a malicious actor could upload an arbitrary file to a user-controlled location on the server. By leveraging the arbitrary file upload vulnerability, it is further possible to gain remote code execution on the server.
Affected Products:
WSO2 API Manager 2.2.0, up to 4.0.0
WSO2 Identity Server 5.2.0, up to 5.11.0
WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
WSO2 Identity Server as Key Manager 5.3.0, up to 5.11.0
WSO2 Enterprise Integrator 6.2.0, up to 6.6.0
WSO2 Open Banking AM 1.4.0, up to 2.0.0
WSO2 Open Banking KM 1.4.0, up to 2.0.0