Dan Callaghan

**Name of the Vulnerable Software and Affected Versions** Beaker versions prior to 20.1 **Description** The issue allows remote authenticated users to obtain sensitive information via submitting job XML to the server containing entity references which reference files from the Beaker server's file system. This is due to an XML external entity (XXE) vulnerability in bkr/server/jobs.py. **Recommendations** For versions prior to 20.1, update to version 20.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `bkr/server/jobs.py` module to minimize the risk of exploitation. Avoid using entity references in job XML submissions to the server until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Beaker versions prior to 20.1 **Description** The issue concerns the search bar code in the bkr/server/widgets.py file, which fails to escape </script> tags in string literals when producing JSON. This could potentially lead to security issues. **Recommendations** For versions prior to 20.1, update to version 20.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Beaker version 20.1 **Description** A cross-site scripting (XSS) issue exists in the edit comment dialog, allowing remote authenticated users to inject arbitrary web script or HTML by writing a crafted comment on an acked or nacked canceled job. This occurs due to insufficient input validation in the `bkr/server/widgets.py` file. **Recommendations** For Beaker version 20.1, as a temporary workaround, consider restricting access to the edit comment dialog until a patch is available. Avoid using the edit comment feature on acked or nacked canceled jobs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Beaker versions prior to 20.1 **Description** The issue concerns the lack of access controls on the admin pages for power types and key types in Beaker. This allows remote authenticated users to modify these types by navigating to the respective pages, such as `$BEAKER/powertypes` and `$BEAKER/keytypes`. **Recommendations** For versions prior to 20.1, update to version 20.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Python versions prior to 2.6.8 Python versions 2.7.x prior to 2.7.3 Python versions 3.x prior to 3.1.5 Python versions 3.2.x prior to 3.2.3 **Description** The issue allows remote attackers to cause a denial of service, resulting in infinite loops and high CPU consumption. This can be achieved via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header. The vulnerability is caused by the `SimpleXMLRPCRequestHandler.do POST()` method not properly handling an EOF when processing POST requests, which can be exploited via a specially crafted HTTP POST request. **Recommendations** For Python versions prior to 2.6.8, update to version 2.6.8 or later. For Python versions 2.7.x prior to 2.7.3, update to version 2.7.3 or later. For Python versions 3.x prior to 3.1.5, update to version 3.1.5 or later. For Python versions 3.2.x prior to 3.2.3, update to version 3.2.3 or later.