-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel TSR-2022-0001 Full Disclosure

SEC-594

Summary
Avoid usage of predictable PostgreSQL socket in /tmp.

Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 5.6
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N

Description
When installed, PostgreSQL uses a predictable socket in /tmp. It is possible for an unprivileged user to replace this socket with a socket to a process that they control.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-607

Summary
Disable liveAPI system for accounts in demo mode.

Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 6.8
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Description
It is possible for arbitrary code to be executed via the liveAPI system when an account is in demo mode.

Credits
This issue was discovered by John Lightsey.

Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-610

Summary
Escapes alert messages on manage git repo page.

Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Description
If an alert message on the manage repo page had a string wrapped with < >, the alert would render it as an HTML element. This message is now properly escaped and shows as plain text.

Credits
This issue was discovered by the cPanel Security Team.

Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-613

Summary
Ensure privilege check also covers reseller without domain creation.

Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of Sev-D

Description
Account creation requires root privileges to specify certain options, including homedir. The code branch to create a reseller without a domain was being invoked before this check.
By placing the check before it, we can ensure that it covers the case where we are creating a reseller without a domain. Allowing a non-root reseller to specify an arbitrary home directory such as /usr/local/cpanel/Cpanel/Admin/Modules can allow them to stage Perl modules of their own for execution as root.

Credits
This issue was discovered by John Lightsey.

Solution
This issue is resolved in the following builds:
11.102.0.5
11.100.0.10

SEC-615

Summary
Failed linked node account creation leaves account on mail node.

Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 3.0
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N

Description
When creating an account with a linked mail node, the account is created on the mail node before it is created on the control node and before all validation checks are complete. This can lead to the account failing to create on the control node after it has been created on the mail node.

Credits
This issue was discovered by John Lightsey.

Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-617

Summary
Demo mode status does not propagate to child nodes.

Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.6
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N

Description
Enabling demo mode on an account that is linked to a child node does not propagate the status to the child node. This allowed an FTP user to make changes on the child node that could lead to remote code execution.

Credits
This issue was discovered by John Lightsey.

Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-619

Summary
Variables::get_user_information UAPI call could reveal sensitive information.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description
The Variables::get_user_information UAPI call could reveal the cPanel API token for a linked cPanel account in plain text.

Credits
This issue was discovered by John Lightsey.

Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-620

Summary
cPanel account takeover via API2 savecontactinfo.

Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 9.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Description
The CustInfo::savecontactinfo API2 call is available to webmail users, but it takes a username argument that allowed a webmail user to change the contact information for accounts it should not have access to. This allowed a webmail user to change the contact email for the main cPanel account. With this, the webmail user could then reset the password for the cPanel account and thus gain access to it.

Credits
This issue was discovered by John Lightsey.

Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-621

Summary
Sensitive information revealed by CustInfo::* API calls.

Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description
It was possible for a webmail user to provide a username argument to the CustInfo::contactprefs and CustInfo::displaycontactinfo API calls, allowing the webmail user to obtain sensitive information belonging to other webmail users and to the cPanel account.

Credits
This issue was discovered by John Lightsey.

Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-622

Summary
Fix reseller ACL restriction bypass for linked nodes.
Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.2
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

Description
When creating or editing a package, adjustments to the package settings are made based on the package owner's privileges. In a linked node setting, the command to create or edit the package is run as root, so those adjustments do not get made. The fix saves and reloads the package locally so that all the ACL-based adjustments are applied to the settings before they are sent on to the remote nodes.

Credits
This issue was discovered by John Lightsey.

Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-624

Summary
root privilege escalation via passengerapps REGISTER_APPLICATION call.

Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 7.6
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Description
When registering a Passenger application, it is possible to gain root privileges by registering an application with a script posing as a node/python/ruby interpreter in the attacker's home directory. The fix restricts the interpreters to either the system binaries or one provided by an EasyApache package.

Credits
This issue was discovered by John Lightsey.

Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

SEC-625

Summary
Sanitizes domain name on manage DNS zones page.

Security Rating
cPanel has assigned this vulnerability a CVSSv3.1 score of 2.5
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N

Description
Prevents an XSS attack using lodash on the manage DNS zones page.

Credits
This issue was discovered by John Lightsey.
Solution
This issue is resolved in the following builds:
11.94.0.23
11.102.0.5
11.100.0.10

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEtnCbTMb0IHf2mEGRlSG+3KvZTd8FAmIUGScUHHNlY3VyaXR5
QGNwYW5lbC5uZXQACgkQlSG+3KvZTd8fXxAA0xwufoDctrXBxQ2s9ca0i8OGKBVf
JFyfeyf3Vm3zPqmNudMYF4FqO7bVKrhij27B6GsVH7lFe1fLSkVCkW2tiAwjLOgz
8h0wD9O20w4RlVa8h+YGp9jl1l23cUhzfs65lqBJjzTJI6Yymh9dkXRWmNyerWB8
4XsoioY+wc7MYdcHaSeGB4ZBpjHbJqcVMwKW4fQdzn9rXJA9qVG8EAK3ieLV2s3p
J26DfpjH2Fo1Zabi75Nqpa8GQKmrpXzcFfNeh4Y26OQARTH2elTL3g/9BBMRi75T
i95Ferm4MQHnK5A84MHEJr3GP/EuPQT8MBMwpKxSMBmxjFHDbb7sPHs9ckFHp0mO
UrWVFusi1dgy87e9NbpSI1eXPCTNMHDTvK7LMSlJmxMVNAVYHCKDyxwlCn+V2Aov
n7bUMvmOimkqqYoPJzWMxRlBxCDVu75F42ijFivZiRDtaTnWFIXFOyhwdEq8q7M2
uVdfHTwCqRWhFOrYttUAYtA/VV70m+jT7FWJwKrAQrNFHJnpeIPylnb1vCfB7yo0
33eMWoIysXE6pQzdZMH83N6A+ZLAkF9v4K9lCToZ34wQZVlAEGyqQTj/bkEqWi73
V1683bkJIxzzJKC1cd204ek2/Oq6btp7aOC6LRS5paz3wgH0uXOy59D1Xm08eWEj
SaZ7msmKabUO8Xg=
=VPB+
-----END PGP SIGNATURE-----
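Added example for SEC-594 above (it sits outside the signed message on purpose; it is not cPanel's code and not part of the advisory). The problem with a service socket at a predictable name in /tmp is that any local user can create or re-create that name, so clients end up talking to a process that user controls. The check below is what a client or a monitoring script can run before connecting: the parent directory must not be world-writable, and the path must be a real socket (not a symlink) owned by the expected service user. `demo()` builds a constructed fixture in a temporary directory; the socket name `.s.PGSQL.5432` follows PostgreSQL's convention, and the uid values are assumptions for the demonstration.

```python
import os
import socket
import stat
import tempfile


def verify_service_socket(path, expected_uid):
    """Check that `path` is a Unix-domain socket it is safe to connect to.

    Returns (ok, reason). Each failing branch is one way another local user
    could stand up their own endpoint at a predictable path:
      - the directory is world-writable (like /tmp), so anyone can create the
        name first or re-create it after the service restarts;
      - the path is a symlink pointing somewhere else;
      - the path is not a socket at all;
      - the socket is owned by someone other than the service user.
    """
    parent = os.path.dirname(os.path.abspath(path)) or "/"
    try:
        dir_st = os.stat(parent)
    except FileNotFoundError:
        return False, "missing directory"
    if dir_st.st_mode & stat.S_IWOTH:
        return False, "world-writable directory"
    try:
        st = os.lstat(path)  # lstat so a symlink is reported as a symlink
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISSOCK(st.st_mode):
        return False, "not a socket"
    if st.st_uid != expected_uid:
        return False, "owner mismatch"
    return True, "ok"


def demo():
    """Constructed fixture: the same socket name in a private directory and in
    a /tmp-like shared directory, plus a symlink and a plain file."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as root:
        private = os.path.join(root, "pgsql")  # what a dedicated socket directory looks like
        shared = os.path.join(root, "tmp")     # stand-in for /tmp
        os.mkdir(private, 0o700)
        os.mkdir(shared)
        os.chmod(shared, 0o1777)               # world-writable + sticky, like /tmp
        good = os.path.join(private, ".s.PGSQL.5432")
        bad = os.path.join(shared, ".s.PGSQL.5432")
        servers = []
        for p in (good, bad):
            s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            s.bind(p)  # bind() creates the socket inode
            servers.append(s)
        try:
            results["private_socket"] = verify_service_socket(good, me)
            results["wrong_owner"] = verify_service_socket(good, me + 1)
            results["shared_dir"] = verify_service_socket(bad, me)
            link = os.path.join(private, "link")
            os.symlink(good, link)
            results["symlink"] = verify_service_socket(link, me)
            plain = os.path.join(private, "plain")
            open(plain, "w").close()
            results["plain_file"] = verify_service_socket(plain, me)
        finally:
            for s in servers:
                s.close()
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
```

The directory check comes first because it is the one that matters for this advisory: a socket that is itself owned by the right user is still not trustworthy if the name it lives under can be claimed by anyone, which is why the durable fix is a private socket directory rather than a stronger check on the socket alone.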
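Added example for SEC-613 above (not cPanel's code and not part of the signed advisory). It shows the ordering bug the entry describes in the smallest form: a privilege check that sits after an early-returning branch does not cover that branch. The option names, the `provision()` stand-in and the `/srv/constructed/override` path are constructed for the demonstration; `homedir` is the one root-only option the advisory names.

```python
ROOT_ONLY_OPTIONS = ("homedir",)  # the advisory names homedir; it is the root-only option here


class PrivilegeError(Exception):
    """Raised when a non-root caller supplies an option only root may set."""


def check_root_only_options(caller_is_root, opts):
    """Reject root-only options from non-root callers."""
    if caller_is_root:
        return
    used = [name for name in ROOT_ONLY_OPTIONS if name in opts]
    if used:
        raise PrivilegeError("root privileges required to set: " + ", ".join(used))


def provision(opts, with_domain):
    """Constructed stand-in for the real provisioning steps."""
    record = {
        "user": opts["user"],
        "reseller": bool(opts.get("reseller")),
        # default location when the caller did not (or may not) override it
        "homedir": opts.get("homedir", "/home/" + opts["user"]),
    }
    if with_domain:
        record["domain"] = opts["domain"]
    return record


def create_account_before_fix(caller_is_root, opts):
    """Ordering the advisory describes: the reseller-without-domain branch is
    taken before the privilege check, so that branch never sees the check."""
    if opts.get("reseller") and not opts.get("domain"):
        return provision(opts, with_domain=False)
    check_root_only_options(caller_is_root, opts)
    return provision(opts, with_domain=True)


def create_account_after_fix(caller_is_root, opts):
    """Fixed ordering: the privilege check runs first, so every branch is covered."""
    check_root_only_options(caller_is_root, opts)
    if opts.get("reseller") and not opts.get("domain"):
        return provision(opts, with_domain=False)
    return provision(opts, with_domain=True)


def outcome(create, caller_is_root, opts):
    """Summarise one call as 'denied' or the homedir that would be used."""
    try:
        return create(caller_is_root, opts)["homedir"]
    except PrivilegeError:
        return "denied"


if __name__ == "__main__":
    request = {"user": "res1", "reseller": True, "homedir": "/srv/constructed/override"}
    print("before fix, non-root:", outcome(create_account_before_fix, False, request))
    print("after fix, non-root: ", outcome(create_account_after_fix, False, request))
    print("after fix, root:     ", outcome(create_account_after_fix, True, request))
```

The general lesson is that a check on caller-supplied options belongs at the single entry point, before any branching on those same options; a reviewer reading `create_account_before_fix` can spot the problem by asking which paths reach `check_root_only_options` and which do not.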
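Added example for SEC-620 and SEC-621 above, which share one root cause: a `username` argument that a webmail caller could use as a lookup key for someone else's record. This is not cPanel's code and not part of the signed advisory; the `Principal` type, the mailbox ownership table, the contact store and the mailbox addresses are all constructed. The point it demonstrates is that the caller's identity, not the argument, decides which record a call may touch, and that the same resolver guards both the write (`savecontactinfo`) and the reads (`displaycontactinfo`, `contactprefs`).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    kind: str  # "cpanel" for the account owner, "webmail" for a mailbox user
    name: str  # account name or mailbox address


class AuthzError(Exception):
    """The caller is not allowed to act on the requested user."""


# Constructed directory of which mailboxes each cPanel account owns.
MAILBOX_OWNERS = {
    "example": {"alice@example.com", "bob@example.com"},
    "other": {"carol@other.test"},
}

# Constructed contact store keyed by the same names.
CONTACTS = {
    "example": {"email": "owner@example.com", "notify_on_login": True},
    "alice@example.com": {"email": "alice.personal@mail.test", "notify_on_login": False},
    "bob@example.com": {"email": "bob.personal@mail.test", "notify_on_login": True},
    "other": {"email": "owner@other.test", "notify_on_login": True},
    "carol@other.test": {"email": "carol.personal@mail.test", "notify_on_login": False},
}


def resolve_target(caller, username=None):
    """Turn an optional `username` argument into the one record the caller may touch.

    For a webmail principal the argument is not a lookup key: it may at most
    restate who the caller already is. An account owner may address itself or
    a mailbox it owns, and nothing else.
    """
    if caller.kind == "webmail":
        if username in (None, caller.name):
            return caller.name
        raise AuthzError(f"webmail user {caller.name} may not act on {username}")
    if caller.kind == "cpanel":
        if username in (None, caller.name):
            return caller.name
        if username in MAILBOX_OWNERS.get(caller.name, ()):
            return username
        raise AuthzError(f"account {caller.name} does not own {username}")
    raise AuthzError(f"unknown principal kind {caller.kind!r}")


def savecontactinfo(caller, new_email, username=None):
    """Write path: the contact email is changed only for the resolved target."""
    target = resolve_target(caller, username)
    CONTACTS[target]["email"] = new_email
    return target


def displaycontactinfo(caller, username=None):
    """Read path: same resolver, so the same boundary applies to disclosure."""
    return dict(CONTACTS[resolve_target(caller, username)])


def contactprefs(caller, username=None):
    """Second read path from SEC-621, guarded identically."""
    return {"notify_on_login": CONTACTS[resolve_target(caller, username)]["notify_on_login"]}


def attempt(call, *args, **kwargs):
    """Run one API-style call and report either its result or 'denied'."""
    try:
        return call(*args, **kwargs)
    except AuthzError:
        return "denied"


if __name__ == "__main__":
    bob = Principal("webmail", "bob@example.com")
    print(attempt(displaycontactinfo, bob))
    print(attempt(savecontactinfo, bob, "new@mail.test", username="example"))
```

Routing every API call through one `resolve_target` is the design choice worth copying: the takeover in SEC-620 worked because the write path trusted the argument while the identity that mattered (the session's principal) was never consulted, and SEC-621 is the same gap on the read paths.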
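Added example for SEC-624 above (not cPanel's code and not part of the signed advisory). The fix described there restricts interpreters to system binaries or EasyApache-provided ones; the validator below is one way to express that as an allowlist of directories plus file-level checks. The default prefixes are an assumption (system binary directories and `/opt/cpanel`, where cPanel installs `ea-*` packages); `demo()` uses a constructed temporary tree in their place so it runs anywhere, and passes the current uid as the trusted owner because the fixture cannot create root-owned files.

```python
import os
import stat
import tempfile

# Assumed allowlist for a real deployment; not taken from the advisory.
DEFAULT_INTERPRETER_PREFIXES = ("/usr/bin", "/usr/local/bin", "/opt/cpanel")


def validate_interpreter(path, allowed_prefixes=DEFAULT_INTERPRETER_PREFIXES, trusted_uid=0):
    """Return the canonical path of an acceptable interpreter or raise ValueError.

    Checks, in order: resolve symlinks so the decision is made on the real
    file; the real file must live under an allowed prefix; it must be a
    regular, executable file owned by `trusted_uid` (root in production) and
    not writable by group or others. A script under a user's home directory
    fails the prefix check no matter what it is named.
    """
    real = os.path.realpath(path)
    roots = [os.path.realpath(p).rstrip("/") for p in allowed_prefixes]
    if not any(real == r or real.startswith(r + "/") for r in roots):
        raise ValueError(f"{real}: outside the allowed interpreter directories")
    st = os.stat(real)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{real}: not a regular file")
    if st.st_uid != trusted_uid:
        raise ValueError(f"{real}: owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ValueError(f"{real}: writable by group or others")
    if not st.st_mode & stat.S_IXUSR:
        raise ValueError(f"{real}: not executable")
    return real


def demo():
    """Constructed fixture: a temp tree standing in for /usr/bin, /opt/cpanel and a home dir."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        sysbin = os.path.join(root, "usr", "bin")
        ea_bin = os.path.join(root, "opt", "cpanel", "ea-ruby27", "root", "usr", "bin")
        home_bin = os.path.join(root, "home", "user1", "bin")
        for d in (sysbin, ea_bin, home_bin):
            os.makedirs(d)

        def make(directory, name, mode=0o755):
            p = os.path.join(directory, name)
            open(p, "w").close()
            os.chmod(p, mode)
            return p

        candidates = {
            "system_node": make(sysbin, "node"),
            "ea_ruby": make(ea_bin, "ruby"),
            "home_python": make(home_bin, "python"),       # "interpreter" in a user's home
            "group_writable": make(sysbin, "perl", 0o775),  # right place, wrong permissions
        }
        link = os.path.join(sysbin, "python3")
        os.symlink(candidates["home_python"], link)        # name looks fine, target does not
        candidates["symlink_into_home"] = link

        prefixes = (sysbin, os.path.join(root, "opt", "cpanel"))
        for label, path in candidates.items():
            try:
                validate_interpreter(path, prefixes, trusted_uid=os.getuid())
                verdicts[label] = "accepted"
            except ValueError as err:
                verdicts[label] = "rejected: " + str(err).split(": ", 1)[1]
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:18s} {verdict}")
```

Resolving with `os.path.realpath` before the prefix comparison is the step that matters most: a check on the path string as supplied can be satisfied by a name that looks right while the inode it reaches is somewhere else entirely.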
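Added example for SEC-610 and SEC-625 above, the two template-output entries (not cPanel's code and not part of the signed advisory). It puts the rendering SEC-610 describes (a message wrapped in `< >` becomes an element) beside the escaped form, and adds the allowlist validation SEC-625 calls "sanitizing" for a domain name: the name is either a valid hostname or it is refused, and it is escaped again at render time regardless. The alert markup, the hostname grammar and the sample inputs are constructed for the demonstration.

```python
import re

_HTML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def escape_html(value):
    """Escape the five characters that let text become markup or break out of an attribute."""
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in str(value))


def render_alert_unescaped(message):
    """Behaviour SEC-610 describes: a message wrapped in < > is rendered as an element."""
    return f'<div class="alert">{message}</div>'


def render_alert(message):
    """Fixed rendering: the message is escaped and shows as plain text."""
    return f'<div class="alert">{escape_html(message)}</div>'


# Hostname grammar: labels of letters, digits and hyphens, 1-63 characters each, not
# starting or ending with a hyphen, joined by dots, at most 253 characters overall.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)


def sanitize_domain(value):
    """Allowlist validation for a domain name before it reaches a page template.

    Returns the normalised name or raises ValueError. Nothing is stripped or
    'cleaned': input that is not a hostname is rejected outright, which is
    the behaviour a DNS zone page needs anyway.
    """
    name = value.strip().rstrip(".").lower()
    if not _HOSTNAME.match(name):
        raise ValueError(f"not a valid domain name: {value!r}")
    return name


def render_zone_alert(domain):
    """Both layers together: validate the name, then escape at render time anyway."""
    return render_alert(f"Zone updated for {sanitize_domain(domain)}")


def domain_outcome(value):
    """Report the normalised name or 'rejected'."""
    try:
        return sanitize_domain(value)
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    sample = "<b>example.com</b>"  # constructed: a string wrapped in < >, as in SEC-610
    print(render_alert_unescaped(sample))
    print(render_alert(sample))
    print(domain_outcome(sample), domain_outcome("Example.COM."))
```

Validation and escaping are not substitutes for each other: `sanitize_domain` keeps junk out of the zone data, while `escape_html` protects the page even for values that legitimately contain `&` or quotes, which is why `render_zone_alert` does both.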