Security:Security Advisories/BSSA-2023-02: Difference between revisions

VisualWikitext
(Created page with "{{Featurepage|featured=true|featuredesc=Current Security Advisory: BSSA-2023-01|featurestart=07/26/2023}} {| class="wikitable" |+ ! ! |- |Date |2023-07-25 |- |Severity |Medium |- |Affected | * BlueSpice Infrastructure: Ghostscript |- |Fixed in | * Ghostscript 9.53.3 and 10.01.2 |- |CVE |[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664] |} == Problem == A bug in ghostscript can be exploited to run arbitrary code on the host machine using prepared PDF docum...")
 
No edit summary
 
(2 intermediate revisions by the same user not shown)
Line 6: Line 6:
|-
|-
|Date
|Date
|2023-07-25
|2023-10-30
|-
|-
|Severity
|Severity
|Medium
|Low
|-
|-
|Affected
|Affected
|
|
* BlueSpice Infrastructure: Ghostscript
* BlueSpiceAvatars
|-
|-
|Fixed in
|Fixed in
|
|
* Ghostscript 9.53.3 and 10.01.2
* BlueSpiceAvatars 4.3.3
* BlueSpiceAvatars 3.2.10.1
|-
|-
|CVE
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
|[https://www.cve.org/cverecord?id=CVE-2023-42431 CVE-2023-42431]
|}
|}


== Problem ==
== Problem ==
A bug in ghostscript can be exploited to run arbitrary code on the host machine using prepared PDF document. In BlueSpice, when a) PDFHandler is enabled and b) a PDF document is uploaded, a preview image is being generated using ghostscript. If an attacker uploads a prepared PDF, they can execute code on the server.
PDFHandler is not enabled by default, but many installations have set it active.


When setting the avatar profile image, one can cause an XSS attack by inserting a modified URL in the dialog. The issue only occurs in the dialog itself and only in the context of the user that applied the change.
== Solution ==
== Solution ==
Upgrade Ghostscript to a fixed version and ensure the updated version is used by adding <code>$wgPdfProcessor = '/usr/bin/gs';</code> to <code>LocalSettings.php</code>.  
* BlueSpice 4: Update to version 4.3.3
 
* BlueSpice 3: Update Extension:BlueSpiceAvatars version [https://github.com/wikimedia/mediawiki-extensions-BlueSpiceAvatars/tree/3.2.10.1 3.2.10.1]
If upgrade of Ghostscript is not possible, disable the extension PDFHandler. This, however, removes the ability for BlueSpice to render PDF preview images.
 
== Resources ==
* For Debian: https://www.debian.org/security/2023/dsa-5446
* For Debian10: [https://security-tracker.debian.org/tracker/source-package/ghostscript Information on source package ghostscript (debian.org)]
* For Ubuntu: https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.8
 


== Acknowledgements ==
== Acknowledgements ==
Found during an internal security audit.
Special thanks to the security team of an undisclosed customer.

Latest revision as of 12:56, 30 October 2023

Date 2023-10-30
Severity Low
Affected
  • BlueSpiceAvatars
Fixed in
  • BlueSpiceAvatars 4.3.3
  • BlueSpiceAvatars 3.2.10.1
CVE CVE-2023-42431

Problem

When setting the avatar profile image, one can cause an XSS attack by inserting a modified URL in the dialog. The issue only occurs in the dialog itself and only in the context of the user that applied the change.

Solution

  • BlueSpice 4: Update to version 4.3.3
  • BlueSpice 3: Update Extension:BlueSpiceAvatars version 3.2.10.1

Acknowledgements

Special thanks to the security team of an undisclosed customer.

Retrieved from "https://en.wiki.bluespice.com/w/index.php?title=Security:Security_Advisories/BSSA-2023-02&oldid=7455"
No categories assignedEdit

Discussions