cPanel TSR-2021-0001 Full Disclosure

SEC-578

Summary

Reseller suspension lock bypass.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Description

It is possible to suspend an already suspended account via the WHM API. This can allow an attacker to re-suspend and then unsuspend an account that was suspension-locked by the root user.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.92.0.9
11.86.0.36

SEC-579

Summary

MySQL user suspension fails with old-style password hashes.

Security Rating

cPanel has assigned this vulnerability a CVSSv3.1 score of 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

Description

When suspending a MySQL user with old-style password hashes on a MySQL 5.5 system, suspendacct would fail to disable the passwords. This allowed access to the databases to remain active.

Credits

This issue was discovered by the cPanel Security Team.

Solution

This issue is resolved in the following builds:

11.92.0.9
11.86.0.36
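
An added example for SEC-579, not part of cPanel's advisory or code: it flags MySQL users whose stored hash is in the old-style 16-hex-digit format, the accounts for which the description says suspendacct failed to disable the passwords. It assumes tab-separated User, Host, Password rows such as `mysql -N -B -e "SELECT User, Host, Password FROM mysql.user"` prints on MySQL 5.5; the function names and sample rows are constructed for illustration.

```python
import re

# Pre-4.1 ("old-style") MySQL hashes are 16 hex digits; mysql_native_password
# hashes are '*' followed by 40 hex digits.
OLD_STYLE = re.compile(r"[0-9a-fA-F]{16}")
NATIVE = re.compile(r"\*[0-9a-fA-F]{40}")


def classify_hash(value):
    """Return 'empty', 'old-style', 'native' or 'unrecognized' for a Password value."""
    if value in ("", "NULL"):
        return "empty"
    if OLD_STYLE.fullmatch(value):
        return "old-style"
    if NATIVE.fullmatch(value):
        return "native"
    return "unrecognized"


def audit_users(dump):
    """Parse tab-separated User/Host/Password rows and group accounts by hash kind."""
    report = {"empty": [], "old-style": [], "native": [], "unrecognized": []}
    for line in dump.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 3:
            raise ValueError(f"expected 3 tab-separated fields: {line!r}")
        user, host, password = fields
        report[classify_hash(password)].append(f"{user}@{host}")
    return report


# Constructed sample rows (hypothetical accounts, not real password hashes).
SAMPLE_DUMP = "\n".join([
    "alice_wp\tlocalhost\t*" + "A1" * 20,
    "bob_shop\tlocalhost\t0123456789abcdef",
    "bob_shop\t%\t0123456789ABCDEF",
    "carol_db\tlocalhost\t",
    "dave_app\tlocalhost\t!weird-value",
])

if __name__ == "__main__":
    result = audit_users(SAMPLE_DUMP)
    # Old-style entries are the ones to re-check on accounts suspended before patching.
    for kind in ("old-style", "unrecognized", "empty"):
        for account in result[kind]:
            print(f"{kind}: {account}")
```

Any user reported as old-style that belongs to an account suspended before the fixed builds were installed is worth re-checking after the update.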