ASA-2019-00308 – Evernote: Path traversal vulnerability leads to code execution

A local file path traversal issue exists in Evernote 7.9 for macOS which allows an attacker to execute arbitrary programs. A crafted URI can be used in a note to perform this attack using file:/// as an argument or by traversing to any directory like (../../../../something.app). Since Evernote also has a feature of sharing notes, in such a case an attacker could leverage this vulnerability and send crafted notes (.enex) to the victim to perform further attacks.

ASA-2019-00307 – BitBucket: Path traversal in the migration tool that leads to Remote Code Execution (RCE)

Bitbucket Data Center had a path traversal vulnerability in the Data Center migration tool. A remote attacker with authenticated user with admin permissions can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Bitbucket Data Center. Bitbucket Server versions without a Data Center license are not vulnerable to this vulnerability.

ASA-2019-00238 – Confluence: Path traversal in the downloadallattachments resource

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs, or to create a new space or personal space, or who has 'Admin' permissions for a space, can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.

ASA-2019-00231 – Samba: Save registry file outside share as unprivileged user

Samba contains an RPC endpoint emulating the Windows registry service API. One of the requests, "winreg_SaveKey", is susceptible to a path/symlink traversal vulnerability. Unprivileged users can use it to create a new registry hive file anywhere they have unix permissions to create a new file within a Samba share. If they are able to create symlinks on a Samba share, they can create a new registry hive file anywhere they have write access, even outside a Samba share definition. Note - existing share restrictions such as "read only" or share ACLs do *not* prevent new registry hive files being written to the filesystem. A file may be written under any share definition wherever the user has unix permissions to create a file. Existing files cannot be overwritten using this vulnerability, only new registry hive files can be created, however the presence of existing files with a specific name can be detected. Samba writes or detects the file as the authenticated user, not as root.