
Targeted Security Release 2024-0001: Disclosure

cPanel TSR-2024-0001 Full Disclosure

TSR-417

Summary

Fix information disclosure issue via login page caching

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Description

Due to caching, a valid username could be auto-populated in the Username login field in some circumstances.

Credits

This issue was discovered by Dave Strydom

Solution

This issue is resolved in the following builds:

11.118.0.20
11.122.0.20
11.124.0.4

TSR-192

Summary

Prevent one user from deleting another user’s email accounts cache file.

Security Rating

cPanel has assigned this vulnerability a CVSS4.0 score of CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

It was possible to get bin/update_quota_cache to delete another user’s email_accounts.json file.

Credits

This issue was discovered by Patrick William

Solution

This issue is resolved in the following builds:

11.110.0.44
11.118.0.20
11.122.0.20
11.124.0.4

TSR-562

Summary

Encoding issue in cPanel login_log

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Description

A malicious user could craft the username for a failed login attempt so that it would create a confusing multi-line log entry in the login_log. This entry could make it appear that a user successfully logged into the server even though it was just an entry from a failed login attempt.

Credits

This issue was discovered by John Smith, Shadow Garden

Solution

This issue is resolved in the following builds:

11.110.0.44
11.118.0.20
11.122.0.20
11.124.0.4
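
The following is an added example, not part of cPanel's advisory and not cPanel's fix. It shows the kind of log-entry forgery described in TSR-562 against a hypothetical one-line log layout, with a verbatim write beside an encoded one; the layout, function names and sample values are assumptions made for illustration.

```python
import re

# Hypothetical one-line entry layout for this example (not cPanel's real
# login_log format): [timestamp] service STATUS user="<name>" ip=<addr>
ENTRY_RE = re.compile(
    r'^\[[^\]\n]+\] \S+ (FAILED|SUCCESS) user="((?:[^"\\]|\\.)*)" ip=\S+$'
)


def encode_field(value, max_len=64):
    """Encode an untrusted value so it cannot leave its quoted field or its line."""
    out = []
    for ch in value[:max_len]:
        if ch in '\\"':
            out.append("\\" + ch)            # keep the quoting unambiguous
        elif ch.isprintable():
            out.append(ch)
        else:
            out.append("\\u{%x}" % ord(ch))  # CR, LF, tab, other control/separator chars
    return "".join(out)


def naive_entry(ts, service, ok, user, ip):
    """'Before' form: the username is written verbatim."""
    status = "SUCCESS" if ok else "FAILED"
    return '[%s] %s %s user="%s" ip=%s' % (ts, service, status, user, ip)


def safe_entry(ts, service, ok, user, ip):
    """'After' form: same layout, username encoded first."""
    return naive_entry(ts, service, ok, encode_field(user), ip)


def summarize(log_text):
    """Count physical lines per parsed status; unparsable lines are MALFORMED."""
    counts = {"FAILED": 0, "SUCCESS": 0, "MALFORMED": 0}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        counts[m.group(1) if m else "MALFORMED"] += 1
    return counts


# Constructed sample input: a failed-login username carrying a line break
# followed by text shaped like a success entry.
CRAFTED = 'alice\n[2024-10-01 12:00:05] panel SUCCESS user="bob'
ARGS = ("2024-10-01 12:00:04", "panel", False, CRAFTED, "203.0.113.9")
```

With the verbatim write, the single failed attempt is read back as one malformed line plus one apparent success; with the encoded write it stays a single FAILED entry, and the original username can still be recovered from the escaped field.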

TSR-503

Summary

Remove . from @INC for bin/cpanm

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.3 (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N)

Description

This is needed because the system Perl versions provided by CentOS7 and older were vulnerable to a local lib issue, as described in this upstream report: https://github.com/perl/perl5/issues/15263

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following build:

11.110.0.44

The gpg signed version of this disclosure can be found here:
https://news.cpanel.com/wp-content/uploads/2024/10/TSR-2024-0001.disclosure.signed.txt