Vulnerabilities > CVE-2019-7313 - CRLF Injection vulnerability in Buildbot

CVSS 5.8 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

buildbot

CWE-93

nessus

NVD

Published: 2019-02-03

Updated: 2019-02-06

Summary

www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the Location header of /auth/login and /auth/logout via the redirect parameter. This affects other web sites in the same domain.

Vulnerable Configurations

Part	Description	Count
Application	Buildbot Buildbot Buildbot 0.9.0 Buildbot Buildbot 0.9.1 Buildbot Buildbot 0.9.2 Buildbot Buildbot 0.9.3 Buildbot Buildbot 0.9.4 Buildbot Buildbot 0.9.5 Buildbot Buildbot 0.9.6 Buildbot Buildbot 0.9.7 Buildbot Buildbot 0.9.8 Buildbot Buildbot 0.9.9 Buildbot Buildbot 0.9.10 Buildbot Buildbot 0.9.11 Buildbot Buildbot 0.9.12 Buildbot Buildbot 0.9.13 Buildbot Buildbot 0.9.14 Buildbot Buildbot 0.9.15 Buildbot Buildbot 1.0.0 Buildbot Buildbot 1.1.0 Buildbot Buildbot 1.1.1 Buildbot Buildbot 1.1.2 Buildbot Buildbot 1.2.0 Buildbot Buildbot 1.3.0 Buildbot Buildbot 1.4.0 Buildbot Buildbot 1.5.0 Buildbot Buildbot 1.6.0 Buildbot Buildbot 1.7.0 Buildbot Buildbot 1.8.0	27

Common Weakness Enumeration (CWE)

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Common Attack Pattern Enumeration and Classification (CAPEC)

Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
Web Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

Nessus

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2019-7EB8C71FE8.NASL
description	Update to 1.8.1 to fix CVE-2019-7313 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	122076
published	2019-02-11
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/122076
title	Fedora 28 : buildbot (2019-7eb8c71fe8)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-7eb8c71fe8. # include("compat.inc"); if (description) { script_id(122076); script_version("1.3"); script_cvs_date("Date: 2020/02/12"); script_cve_id("CVE-2019-7313"); script_xref(name:"FEDORA", value:"2019-7eb8c71fe8"); script_name(english:"Fedora 28 : buildbot (2019-7eb8c71fe8)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Update to 1.8.1 to fix CVE-2019-7313 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-7eb8c71fe8" ); script_set_attribute( attribute:"solution", value:"Update the affected buildbot package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:buildbot"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:28"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/03"); script_set_attribute(attribute:"patch_publication_date", value:"2019/02/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/11"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^28([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 28", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC28", reference:"buildbot-1.8.1-1.fc28")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "buildbot"); }

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_5536EA5F681411E9A8F70050562A4D7B.NASL
description	A CRLF can be injected in Location header of /auth/login and /auth/logout This is due to lack of input validation in the buildbot redirection code. It was not found a way to impact Buildbot product own security through this vulnerability, but it could be used to compromise other sites hosted on the same domain as Buildbot. - cookie injection a master domain (ie if your buildbot is on buildbot.buildbot.net, one can inject a cookie on *.buildbot.net, which could impact another website hosted in your domain) - HTTP response splitting and cache poisoning (browser or proxy) are also typical impact of this vulnerability class, but might be impractical to exploit.
last seen	2020-06-01
modified	2020-06-02
plugin id	124353
published	2019-04-29
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/124353
title	FreeBSD : buildbot -- CRLF injection in Buildbot login and logout redirect code (5536ea5f-6814-11e9-a8f7-0050562a4d7b)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2020 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(124353); script_version("1.3"); script_cvs_date("Date: 2020/01/21"); script_cve_id("CVE-2019-7313"); script_name(english:"FreeBSD : buildbot -- CRLF injection in Buildbot login and logout redirect code (5536ea5f-6814-11e9-a8f7-0050562a4d7b)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "A CRLF can be injected in Location header of /auth/login and /auth/logout This is due to lack of input validation in the buildbot redirection code. It was not found a way to impact Buildbot product own security through this vulnerability, but it could be used to compromise other sites hosted on the same domain as Buildbot. - cookie injection a master domain (ie if your buildbot is on buildbot.buildbot.net, one can inject a cookie on *.buildbot.net, which could impact another website hosted in your domain) - HTTP response splitting and cache poisoning (browser or proxy) are also typical impact of this vulnerability class, but might be impractical to exploit." ); # https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?04c25f8a" ); # https://vuxml.freebsd.org/freebsd/5536ea5f-6814-11e9-a8f7-0050562a4d7b.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?b83c48f8" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py27-buildbot"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py35-buildbot"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py36-buildbot"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:py37-buildbot"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/29"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/29"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"py27-buildbot<1.8.0")) flag++; if (pkg_test(save_report:TRUE, pkg:"py35-buildbot<1.8.0")) flag++; if (pkg_test(save_report:TRUE, pkg:"py36-buildbot<1.8.0")) flag++; if (pkg_test(save_report:TRUE, pkg:"py37-buildbot<1.8.0")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2019-7E722314F3.NASL
description	Update to 1.8.1 to fix CVE-2019-7313 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	122075
published	2019-02-11
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/122075
title	Fedora 29 : buildbot (2019-7e722314f3)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-7e722314f3. # include("compat.inc"); if (description) { script_id(122075); script_version("1.3"); script_cvs_date("Date: 2020/02/12"); script_cve_id("CVE-2019-7313"); script_xref(name:"FEDORA", value:"2019-7e722314f3"); script_name(english:"Fedora 29 : buildbot (2019-7e722314f3)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Update to 1.8.1 to fix CVE-2019-7313 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-7e722314f3" ); script_set_attribute( attribute:"solution", value:"Update the affected buildbot package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:buildbot"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:29"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/03"); script_set_attribute(attribute:"patch_publication_date", value:"2019/02/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/11"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^29([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 29", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC29", reference:"buildbot-1.8.1-1.fc29")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "buildbot"); }

References

https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code