Security Advisories (10)

CVE-2022-24785 (2022-04-04)

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

CVE-2020-11022 (2020-04-29)

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2020-11023 (2020-04-29)

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2019-11358 (2019-04-20)

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVE-2015-9251 (2018-01-18)

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CVE-2011-4969 (2013-03-08)

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

CVE-2012-6708 (2018-01-18)

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

CVE-2020-7656 (2020-05-19)

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

CVE-2019-5428

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as _proto_, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

https://security.snyk.io/vuln/SNYK-JS-JQUERY-174006

CVE-2014-6071 (2018-01-16)

jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after.

NAME

App::Netdisco::Manual::Troubleshooting - Tips and Tricks for Troubleshooting

Understanding Nodes and Devices

The two basic components in Netdisco's world are Nodes and Devices. Devices are your network hardware, such as routers, switches, and firewalls. Nodes are the end-stations connected to Devices, such as workstations, servers, printers, and telephones.

Devices respond to SNMP, and therefore can report useful information about themselves such as interfaces, operating system, IP addresses, as well as knowledge of other systems via MAC address and ARP tables. Devices are actively contacted by Netdisco during a discover (and other polling jobs such as macsuck, arpnip).

Netdisco discovers Devices using "neighbor protocols" such as CDP and LLDP. We assume your Devices are running these protocols and learning about their connections to each other. If they aren't, you'll need to configure manual topology within the web interface (or simply have standalone Devices).

Nodes, on the other hand, are passive as far as Netdisco is concerned. The only job that contacts a Node is nbtstat, which makes NetBIOS queries. Nodes are learned about via the MAC and ARP tables on upstream Devices.

Because Netdisco only learns about Devices through a neighbor protocol, it's possible to run an SNMP agent on a Node. Only if the Node is also advertising itself via a neighbor protocol will Netdisco treat it as a Device. This can account for undesired behaviour, such as treating a server (Node) as a Device, or vice versa only recognising a switch (Device) as a Node.

To prevent avoid discovery of any target as a Device, use the discover_no, discover_no_type, or discover_only configuration settings. If you don't see links between Devices in Netdisco, it might be because they're not running a neighbor protocol, or for some reason not reporting the relationships to Netdisco. Use the show command to troubleshoot this:

~netdisco/bin/netdisco-do show -d 192.0.2.1 -e c_id

Understanding Netdisco Jobs

Please read the section above, if you've not yet done so.

Netdisco has four principal job types:

discover: Gather information about a Device, including interfaces, vlans, PoE status, and chassis components (modules). Also learns about potential new Devices via neighbor protocols and adds jobs for their discovery to the queue.
macsuck: Gather MAC to port mappings from known Devices reporting Layer 2 capability. Wireless client information is also gathered from Devices supporting the 802.11 MIBs.
arpnip: Gather MAC to IP mappings from known Devices reporting layer 3 capability.
nbtstat: Poll a Node to obtain its NetBIOS name.

The actions as named above will operate on one device only. Complimentary job types discoverall, macwalk, arpwalk, and nbtwalk will enqueue one corresponding single-device job for each known device. The Netdisco backend daemon will then process the queue (in a random order).

Run a `netdisco-do` Task with Debugging

The netdisco-do command has several debug flags which will show what's going on internally. Usually you always add -D for general Netdisco debugging, then -I for SNMP::Info logging and -Q for SQL tracing. For example:

~netdisco/bin/netdisco-do discover -d 192.0.2.1 -DIQ

You will see that SNMPv2 community strings are hidden by default, to make the output safe for sending to Netdisco developers. To show the community string, set the SHOW_COMMUNITY environment variable:

SHOW_COMMUNITY=1 ~netdisco/bin/netdisco-do discover -d 192.0.2.1 -DIQ

Dump an SNMP object for a Device

This is useful when trying to work out why some information isn't displaying correctly (or at all) in Netdisco. It may be that the SNMP response isn't understood. Netdisco can dump any leaf or table, by name:

~netdisco/bin/netdisco-do show -d 192.0.2.1 -e interfaces
~netdisco/bin/netdisco-do show -d 192.0.2.1 -e Layer2::HP::interfaces

You can combine this with SNMP::Info debugging, shown above (-I).

Interactive SQL terminal on the Netdisco Database

Start an interactive terminal with the Netdisco PostgreSQL database. If you pass an SQL statement in the "-e" option then it will be executed.

~netdisco/bin/netdisco-do psql
~netdisco/bin/netdisco-do psql -e 'SELECT ip, dns FROM device'
~netdisco/bin/netdisco-do psql -e 'COPY (SELECT ip, dns FROM device) TO STDOUT WITH CSV HEADER'

The last example above is useful for sending data to Netdisco developers, as it's more compact and readable than the standard tabular output (second example).

Database Schema Redeployment

The database schema can be fully redeployed (even over an existing installation), in a safe way, using the following command:

~netdisco/bin/netdisco-db-deploy --redeploy-all

Debug HTTP Requests and Configuration

You can see HTTP Headers received by Netdisco, and other information such as how it's parsing the config file, by enabling the Dancer debug plugin. First download the plugin:

~netdisco/bin/localenv cpanm --notest Dancer::Debug

Then run the web daemon with the environment variable to enable the feature:

DANCER_DEBUG=1 ~/bin/netdisco-web restart

A side panel appears in the web page with debug information. Be sure to turn this off when you're done (stop and start without the environment variable) otherwise secrets could be leaked to end users.

To install App::Netdisco, copy and paste the appropriate command in to your terminal.

cpanm

cpanm App::Netdisco

CPAN shell

perl -MCPAN -e shell
install App::Netdisco

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)