[3.9] monit: Multiple vulnerabilities (CVE-2019-11454, CVE-2019-11455) (#10492) · Issues · alpine / aports

[3.9] monit: Multiple vulnerabilities (CVE-2019-11454, CVE-2019-11455)

CVE-2019-11454: cross-site scripting (XSS) in http/cervlet.c

Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript
via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.

References:

https://github.com/dzflack/exploits/blob/master/unix/monit\_xss.py
https://nvd.nist.gov/vuln/detail/CVE-2019-11454

Patches:

https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c

CVE-2019-11455: buffer over-read in function Util_urlDecode in util.c

A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit before 5.25.3 allows a remote authenticated attacker to retrieve the
contents of adjacent memory via manipulation of GET or POST parameters. The attacker can also cause a denial of service (application outage).

References:

https://nvd.nist.gov/vuln/detail/CVE-2019-11455

Patch:

https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a

(from redmine: issue id 10492, created on 2019-05-28, closed on 2019-06-05)

Relations:
- parent #10491 (closed)
Changesets:
- Revision b3c4cba8 on 2019-06-05T13:39:23Z:

main/monit: security fixes (CVE-2019-11454, CVE-2019-11455)

Fixes #10492

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information