Michael Scherer

**Nome do software vulnerável e versões afetadas: Versões do Ipsilon de 0.1.0 a 1.0.0 Descrição: A configuração padrão do mecanismo de modelos Jinja no servidor do Provedor de Identidade (IdP) não habilita o auto-escaping, facilitando que invasores remotos realizem ataques de cross-site scripting (XSS) por meio de variáveis de modelo. Recomendações: Para as versões do Ipsilon 0.1.0 a 1.0.0, considere habilitar o auto-escaping na configuração do mecanismo de modelagem Jinja para mitigar o risco de ataques de cross-site scripting (XSS).

**Nome do software vulnerável e versões afetadas: Versões do Ipsilon de 0.1.0 a 1.0.0 Descrição: O problema decorre do fato de o servidor do Provedor de Identidade (IdP) não escapar corretamente certos caracteres em um modelo de mensagem de exceção do Python. Isso facilita que invasores remotos realizem ataques de cross-site scripting (XSS) por meio de uma resposta HTTP. Recomendações: Para as versões do Ipsilon 0.1.0 a 1.0.0, atualize para a versão 1.0.1 ou posterior para resolver o problema.

**Nome do software vulnerável e versões afetadas: Zimbra 2013 Descrição: A vulnerabilidade está relacionada a um problema de Cross-Site Scripting (XSS). Ela afeta o arquivo aspell.php. Recomendações: Para o Zimbra 2013, considere desativar o acesso ao arquivo aspell.php como uma solução temporária até que uma correção esteja disponível.

**Name of the Vulnerable Software and Affected Versions** OpenShift haproxy cartridge (affected versions not specified) **Description** The issue concerns a predictable /tmp in the set-proxy connection hook of the OpenShift haproxy cartridge, which could facilitate a denial-of-service (DoS) attack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenShift (affected versions not specified) **Description** The issue is related to the improper creation of files in /tmp by the dump.sh script in the cartridges/openshift-origin-cartridge-mongodb-2.2/info/bin directory of OpenShift. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ansible (affected versions not specified) **Description** The issue is related to insufficient input validation in Ansible, allowing an attacker to execute arbitrary code. Specifically, when running ad-hoc commands, inventory variables are loaded from the current working directory, which can be under an attacker's control. This can lead to the execution of arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Red Hat OpenShift Enterprise versions 1 and 2 **Description** The issue allows local users to have unspecified impact via a symlink attack on an unspecified file in /tmp. This is related to the oo-analytics-export and oo-analytics-import components in the openshift-origin-broker-util package. **Recommendations** For Red Hat OpenShift Enterprise version 1, consider restricting access to the oo-analytics-export and oo-analytics-import components until a fix is available. For Red Hat OpenShift Enterprise version 2, consider restricting access to the oo-analytics-export and oo-analytics-import components until a fix is available. As a temporary workaround, consider disabling the use of temporary files in /tmp by the oo-analytics-export and oo-analytics-import components to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** rkhunter versions prior to 1.4.4 **Description** The issue allows for file download over an insecure channel when performing a mirror update, potentially resulting in remote code execution. **Recommendations** For versions prior to 1.4.4, update to version 1.4.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Lynis versions prior to 2.5.0 **Description** The issue allows local users to write to arbitrary files or possibly gain privileges via a symlink attack on a temporary file. This is due to unspecified tests in the software. **Recommendations** For versions prior to 2.5.0, update to version 2.5.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OnionShare versions prior to 0.9.1 **Description** The issue allows local users to modify the hiddenservice by pre-creating the /tmp/onionshare directory. This is related to the hs.py component in OnionShare. **Recommendations** For versions prior to 0.9.1, update to version 0.9.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the /tmp/onionshare directory to prevent unauthorized modifications.

**Name of the Vulnerable Software and Affected Versions** Openstack DBaaS (aka Trove) versions prior to 2015.1.0 (aka Kilo) **Description** The issue allows local users to write to configuration files via a symlink attack on a temporary file. This is due to vulnerabilities in several functions, including ` write config`, `reset configuration`, `write config`, ` write mycnf`, `InnoBackupEx:: run prepare`, `InnoBackupEx::cmd`, `MySQLDump::cmd`, `InnoBackupExIncremental::cmd`, ` get actual db status`, and multiple class CbBackup methods. **Recommendations** For versions prior to 2015.1.0 (aka Kilo), update to version 2015.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable functions and classes until a patch is available. Avoid using the affected functions and classes in the `trove/guestagent/datastore/experimental` and `trove/guestagent/strategies/backup` modules to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 5.6.7 **Description** The issue exists due to the failure to neutralize special elements in the get sdl function of the PHP interpreter. Exploitation of this issue may allow an attacker to disclose protected information, impact data integrity, or cause a denial of service. The default configuration of the soap.wsdl cache dir setting in PHP's configuration files specifies the /tmp directory, which facilitates local users' ability to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the `get sdl` function. **Recommendations** For PHP versions prior to 5.6.7, consider updating the soap.wsdl cache dir setting to a directory that is not accessible by local users to minimize the risk of WSDL injection attacks. As a temporary workaround, consider restricting access to the `get sdl` function in ext/soap/php sdl.c until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SaltStack versions prior to 2014.7.4 **Description** The issue arises from improper handling of files in /tmp by the `modules/chef.py` module in SaltStack. **Recommendations** For versions prior to 2014.7.4, update to version 2014.7.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SaltStack versions prior to 2014.7.4 **Description** The issue is related to the `modules/serverdensity device.py` module in SaltStack, which does not properly handle files in the `/tmp` directory. This can be exploited to gain unauthorized access to confidential data, cause a denial of service, or impact data integrity. **Recommendations** For versions prior to 2014.7.4, update to version 2014.7.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/tmp` directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Salt (aka SaltStack) versions prior to 0.17.1 **Description** The issue allows remote attackers to execute arbitrary YAML code. The vendor has noted that this might not be considered a vulnerability because the YAML to be loaded has already been determined to be safe. **Recommendations** For versions prior to 0.17.1, update to version 0.17.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Ansible versions 1.2.0 through 1.2.2 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on a retry file with a predictable name in /var/tmp/ansible/. This occurs when the playbook does not run due to an error. **Recommendations** For Ansible versions 1.2.0 through 1.2.2, update to version 1.2.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Ansible versions prior to 1.2.3 **Description** The issue allows local users to redirect a ssh session via a symlink attack on a socket file with a predictable name in /tmp/. This occurs when using ControlPersist in the `runner/connection plugins/ssh.py` module. **Recommendations** For versions prior to 1.2.3, update to version 1.2.3 or later to resolve the issue. As a temporary workaround, consider disabling the use of `ControlPersist` until a patch is available. Restrict access to the `/tmp/` directory to minimize the risk of exploitation. Avoid using predictable names for socket files in the `/tmp/` directory until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Red Hat Storage Management Console version 2.0 Red Hat Native Client version 2.0 Red Hat Server version 2.0 **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on multiple temporary files created by certain scripts, including tests/volume.rc and extras/hook-scripts/S30samba-stop.sh. **Recommendations** For Red Hat Storage Management Console version 2.0, consider restricting access to the temporary files created by the vulnerable scripts until a fix is available. For Red Hat Native Client version 2.0, avoid using the vulnerable scripts in a way that could allow a symlink attack. For Red Hat Server version 2.0, restrict access to the vulnerable temporary files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ruby parser gem versions 3.1.1 and earlier **Description** The issue allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp. This is due to the `diff pp` function in `lib/gauntlet rubyparser.rb`. **Recommendations** For ruby parser gem versions 3.1.1 and earlier, consider restricting access to the `diff pp` function in `lib/gauntlet rubyparser.rb` until a patch is available. As a temporary workaround, avoid using the `diff pp` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.