hooglimagine.blogg.se

Ejabberd 2.0.5














In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. Fix Version: 6.0.0, 5.5.2

Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval' endpoint of the API and the code would subsequently be executed in the underlying operating system with privileges of the user which was used to start Couchbase. This vulnerability appears to have been fixed in 3.8.0.

Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. This attack appears to be exploitable via Victim fetches packages from malicious/compromised mirror.


The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution.


Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. Couchbase Server uses erlang:now() to seed the PRNG which results in a small search space for potential random seeds that could then be used to brute force the cookie and execute code against a remote system. In Couchbase Server 5.1.1, the cookie used for intra-node communication was not generated securely. The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD. Yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks, if running on an Erlang/OTP virtual machine with a version less than 21.0. Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded Erlang cookie for ejabberd replication. An attacker can use the cookie to attach to an Erlang node and run OS level commands on the system running the Erlang node. There are cases where the magic cookie is included in the content of the logs.


Communication between Erlang nodes is done by exchanging a shared secret (aka "magic cookie"). An attacker can send a crafted HTTP request to read arbitrary files, if httpd in the inets application is used.

Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. The ssl application 10.2 accepts and trusts an invalid X.509 certificate chain to a trusted root Certification Authority.

Erlang/OTP 22.3.x before 22.3.4.6 and 23.x before 23.1 allows Directory Traversal.


This can occur only under specific conditions on Windows with unsafe filesystem permissions.

An issue was discovered in Erlang/OTP before 23.2.2. By adding files to an existing installation's directory, a local attacker could hijack accounts of other users running Erlang programs or possibly coerce a service running with "erlsrv.exe" to execute arbitrary code as Local System. A local privilege escalation vulnerability was discovered in Erlang/OTP prior to version 23.2.3.














