Bartek Nowotarski

Name of the Vulnerable Software and Affected Versions: Backuply – Backup, Restore, Migrate and Clone plugin for WordPress versions up to, and including, 1.3.4 Description: The issue is related to SQL Injection via the `options` parameter passed to the `backuply wp clone sql()` function due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows authenticated attackers with administrator-level access and above to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database. Recommendations: For versions up to, and including, 1.3.4, consider disabling the `backuply wp clone sql()` function until a patch is available. Restrict access to the `options` parameter in the affected function to minimize the risk of exploitation. Avoid using the `options` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** File Manager Pro – Filester plugin for WordPress versions up to, and including, 1.8.2 **Description** The issue allows authenticated attackers with granted permissions by an Administrator to update plugin settings for user role restrictions. This is due to a missing capability check on the `njt fs saveSettingRestrictions` function, making it possible to allow file types such as .php to be uploaded. **Recommendations** For versions up to, and including, 1.8.2, update to a version that includes a fix for the missing capability check on the `njt fs saveSettingRestrictions` function. As a temporary workaround, consider restricting access to the `njt fs saveSettingRestrictions` function to prevent unauthorized modification of data. Additionally, restrict the upload of file types such as .php to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The SEO Plugin by Squirrly SEO plugin for WordPress versions up to and including 12.3.19 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages. This can be achieved via the `url` parameter. The injected scripts will execute whenever a user accesses an injected page. **Recommendations** For versions up to and including 12.3.19, update to a version that contains a fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the `url` parameter in affected pages to minimize the risk of arbitrary script injection.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 125 Firefox ESR versions prior to 115.10 Thunderbird versions prior to 115.10 **Description** The issue is related to the implementation of the HTTP/2 protocol in the affected browsers, where there was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser. This could allow a remote attacker to cause a denial of service. **Recommendations** For Firefox versions prior to 125, update to version 125 or later to resolve the issue. For Firefox ESR versions prior to 115.10, update to version 115.10 or later to resolve the issue. For Thunderbird versions prior to 115.10, update to version 115.10 or later to resolve the issue. As a temporary workaround, consider restricting access to HTTP/2 CONTINUATION frames until a patch is available.

**Name of the Vulnerable Software and Affected Versions** net/http and net/http2 in Go (affected versions not specified) **Description** An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Go versions prior to the fixed version **Description** The issue is related to parsing multipart forms, where limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This allows a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. The `ParseMultipartForm` function now correctly limits the maximum size of form lines with the fix. **Recommendations** For Go versions prior to the fixed version, consider updating to a version that includes the fix for the `ParseMultipartForm` function to correctly limit the maximum size of form lines. As a temporary workaround, consider restricting the use of the `Request.ParseMultipartForm`, `Request.FormValue`, `Request.PostFormValue`, or `Request.FormFile` functions to minimize the risk of exploitation. Avoid using these functions with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability, but updating to the latest version may help mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** nghttp2 versions prior to the fixed version Apache HTTP Server versions prior to the fixed version Apple Software (affected versions not specified) NetApp ONTAP (affected versions not specified) Fedoraproject Fedora (affected versions not specified) **Description** The issue is related to the handling of HTTP/2 incoming headers, where exceeding the limit leads to temporary buffering in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this results in memory exhaustion. The vulnerability is also associated with uncontrolled resource consumption due to incorrect determination of the end of a header when processing CONTINUATION frames. Exploitation of the vulnerability may allow a remote attacker to cause a denial of service by sending specially crafted HTTP requests. **Recommendations** For nghttp2, update to a version that includes a fix for this issue. For Apache HTTP Server, update to a version that includes a fix for this issue. For Apple Software, there is no information about a newer version that contains a fix for this vulnerability. For NetApp ONTAP, there is no information about a newer version that contains a fix for this vulnerability. For Fedoraproject Fedora, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `HTTP/2` protocol until a patch is available. Avoid using the `CONTINUATION` frames in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions prior to 11.0.0-M1, 10.1.0-M1, 9.0.0-M1, 8.5.0 through 8.5.98. **Description** The vulnerability in Apache Tomcat is due to improper input validation for HTTP/2 requests, leading to potential DoS conditions. If the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat versions from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue. **Recommendations** To resolve the issue, users are recommended to upgrade to the latest version of Apache Tomcat, specifically to versions 11.0.0-M17, 10.1.19, 9.0.86, or 8.5.99. Upgrading to these versions will fix the vulnerability and prevent potential DoS conditions. Additionally, users can temporarily disable the `vulnerableFunction()` function until a patch is available, or restrict access to the vulnerable module to minimize the risk of exploitation. However, these are temporary measures and should not be used as a permanent solution. Users should follow the release notes for the latest version of Confluence Data Center and Server and download the latest version from the download center. Note: The CVSS score and vector are not provided in the input data, but they are mentioned in the descriptions as having a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The CVSS score and vector are used to describe the severity of the vulnerability but are not included in the input data. Recommendations for each affected version: - Apache Tomcat version 11.0.0-M1: Upgrade to version 11.0.0-M17. - Apache Tomcat version 10.1.0-M1: Upgrade to version 10.1.19. - Apache Tomcat version 9.0.0-M1: Upgrade to version 9.0.86. - Apache Tomcat version 8.5.0: Upgrade to version 8.5.99. In summary, the vulnerability in Apache Tomcat affects versions prior to 11.0.0-M1, 10.1.0-M1, 9.0.0-M1, 8.5.0 through 8.5.98, and users are recommended to upgrade to the latest version to fix the issue. The CVSS score and vector are mentioned but not provided in the input data. The recommendations for each affected version are to upgrade to the specified fixed versions.

**Name of the Vulnerable Software and Affected Versions** Envoy versions prior to 1.29.3 Envoy versions prior to 1.28.2 Envoy versions prior to 1.27.4 Envoy versions prior to 1.26.8 **Description** The HTTP/2 protocol stack in Envoy is vulnerable to CPU exhaustion due to a flood of CONTINUATION frames. This allows an attacker to send a sequence of CONTINUATION frames without the END HEADERS bit set, causing CPU utilization and culminating in denial of service through CPU exhaustion. **Recommendations** For versions prior to 1.29.3, upgrade to version 1.29.3 to mitigate the effects of the CONTINUATION flood. For versions prior to 1.28.2, upgrade to version 1.28.2 to mitigate the effects of the CONTINUATION flood. For versions prior to 1.27.4, upgrade to version 1.27.4 to mitigate the effects of the CONTINUATION flood. For versions prior to 1.26.8, upgrade to version 1.26.8 to mitigate the effects of the CONTINUATION flood. As a temporary workaround, consider disabling the HTTP/2 protocol for downstream connections.

**Name of the Vulnerable Software and Affected Versions** Envoy versions 1.29.0 through 1.29.1 **Description** The issue is related to the Envoy HTTP/2 protocol stack, which is vulnerable to a flood of CONTINUATION frames. This occurs because Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded, allowing an attacker to send a sequence of CONTINUATION frames without the END HEADERS bit set, causing unlimited memory consumption. This can lead to denial of service through memory exhaustion. **Recommendations** For Envoy versions 1.29.0 and 1.29.1, upgrade to version 1.29.2 to mitigate the effects of the CONTINUATION flood. As a temporary workaround for versions 1.29.0 and 1.29.1, consider downgrading to version 1.28.1 or earlier. Alternatively, for versions 1.29.0 and 1.29.1, disable the HTTP/2 protocol for downstream connections as a workaround.

**Name of the Vulnerable Software and Affected Versions** Apache Traffic Server versions 8.0.0 through 8.1.9 Apache Traffic Server versions 9.0.0 through 9.2.3 **Description** The HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. This issue is related to the incorrect determination of the end of a header when processing CONTINUATION frames, which can lead to an uncontrolled consumption of resources. A remote attacker can exploit this issue by sending multiple HTTP packets, potentially causing a denial of service. **Recommendations** For versions 8.0.0 through 8.1.9, upgrade to version 8.1.10. For versions 9.0.0 through 9.2.3, upgrade to version 9.2.4. As a temporary workaround, consider setting a new setting `proxy.config.http2.max continuation frames per minute` to limit the number of CONTINUATION frames per minute.

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.21.5 Go versions prior to 1.20.12 **Description** A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. **Recommendations** Update to Go version 1.21.5 or later to fix the issue. Update to Go version 1.20.12 or later to fix the issue. As a temporary workaround, consider restricting the use of chunk extensions in HTTP requests and responses until a patch is available. Avoid using the chunked encoding feature in net/http until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Node.js (affected versions not specified) **Description** The issue is related to the Node.js HTTP/2 server, where an attacker can make the server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. This can cause a race condition when headers with HTTP/2 CONTINUATION frames are sent to the server and then a TCP connection is abruptly closed by the client, triggering the `Http2Session` destructor while header frames are still being processed. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Golang (affected versions not specified) **Description** The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With the fix, the HTTP/1 client now refuses to send requests containing an invalid `Request.Host` or `Request.URL.Host` value. The issue allows a remote attacker to execute arbitrary code by exploiting the vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.