FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-09-07 11:51:16 UTC

VuXML entries as processed by FreshPorts
Date  Description  Port(s)

2024-09-07 VuXML ID 3e44c35f-6cf4-11ef-b813-4ccc6adda413

Kevin Backhouse reports:

An out-of-bounds read was found in Exiv2 version v0.28.2. The vulnerability is in the parser for the ASF video format, which was a new feature in v0.28.0, so Exiv2 versions before v0.28 are not affected. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted video file.

Port(s): exiv2

2024-09-06 VuXML ID 943f8915-6c5d-11ef-810a-f8b46a88f42c

alster@vinterdalen.se reports PR/281070:

A new version of devel/binutils has been released fixing CVE-2023-1972, CVE-2023-25585, CVE-2023-25586, and CVE-2023-25588.

Port(s): binutils

2024-09-06 VuXML ID a5e13973-6c75-11ef-858b-23eeba13701a

Problem Description:

  • Replace v-html with v-text in search inputbox
  • Upgrade webpack to v5.94.0 as a precaution to mitigate CVE-2024-43788, although we were not yet able to confirm that this can be exploited in Forgejo.

Port(s): forgejo, forgejo7

2024-09-05* VuXML ID 21f505f4-6a1c-11ef-b611-84a93843eb75

The OpenSSL project reports:

Possible denial of service in X.509 name checks [Moderate severity] Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.

SSL_select_next_proto buffer overread [Low severity] Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer.

Port(s): FreeBSD, openssl, openssl-quictls, openssl31, openssl31-quictls, openssl32, openssl33

2024-09-05 VuXML ID 4edaa9f4-6b51-11ef-9a62-002590c1f29c

Problem Description:

bhyve can be configured to emulate devices on a virtual USB controller (XHCI), such as USB tablet devices. An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller.

Impact:

A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.

Port(s): FreeBSD

2024-09-05 VuXML ID 56d76414-6b50-11ef-9a62-002590c1f29c

Problem Description:

bhyve can be configured to provide access to the host's TPM device, where it passes the communication through an emulated device provided to the guest. This may be performed on the command-line by starting bhyve with the `-l tpm,passthru,/dev/tpmX` parameters.

The MMIO handler for the emulated device did not validate the offset and size of the memory access correctly, allowing guests to read and write memory contents outside of the memory area effectively allocated.

Impact:

Malicious software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.

Port(s): FreeBSD

2024-09-05 VuXML ID 66907dab-6bb2-11ef-b813-4ccc6adda413

Backports for 6 security bugs in Chromium:

  • CVE-2024-5496: Use after free in Media Session
  • CVE-2024-5846: Use after free in PDFium
  • CVE-2024-6291: Use after free in Swiftshader
  • CVE-2024-6989: Use after free in Loader
  • CVE-2024-6996: Race in Frames
  • CVE-2024-7536: Use after free in WebAudio

Port(s): qt5-webengine

2024-09-05 VuXML ID 7e079ce2-6b51-11ef-9a62-002590c1f29c

Problem Description:

Concurrent removals of such a mapping by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early.

Impact:

Malicious code exercising the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape.

Port(s): FreeBSD

2024-09-05 VuXML ID 8d1f9adf-6b4f-11ef-9a62-002590c1f29c

Problem Description:

CVE-2024-45287 is a vulnerability that affects both the kernel and userland. A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data.

CVE-2024-45288 is a vulnerability that affects both the kernel and userland. A missing null-termination character in the last element of an nvlist array string can lead to writing outside the allocated buffer.

Impact:

It is possible for an attacker to overwrite portions of memory (in userland or the kernel) as the allocated buffer might be smaller than the data received from a malicious process. This vulnerability could result in privilege escalation or cause a system panic.

Port(s): FreeBSD, FreeBSD-kernel

2024-09-05 VuXML ID 9bd5e47b-6b50-11ef-9a62-002590c1f29c

Problem Description:

Several vulnerabilities were found in the ctl subsystem.

The function ctl_write_buffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing (CVE-2024-45063). The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it (CVE-2024-8178). The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel heap memory (CVE-2024-42416). The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace (CVE-2024-43110).

Guest virtual machines in the bhyve hypervisor can send SCSI commands to the corresponding kernel driver via the virtio_scsi interface. This provides guests with direct access to the vulnerabilities covered by this advisory.

The CAM Target Layer iSCSI target daemon ctld(8) accepts incoming iSCSI connections, performs authentication and passes connections to the kernel ctl(4) target layer.

Impact:

Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.

A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.

Port(s): FreeBSD-kernel

2024-09-05 VuXML ID a3a1caf5-6ba1-11ef-b9e8-b42e991fc52e

security@mozilla.org reports:

This entry contains 8 vulnerabilities:

  • CVE-2024-8381: A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the `with` environment.
  • CVE-2024-8382: Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried to use those interfaces would not be able to use them with elevated privileges, but their presence would indicate certain browser features had been used, such as when a user opened the Dev Tools console.
  • CVE-2024-8383: Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will.
  • CVE-2024-8384: The JavaScript garbage collector could mis-color cross-compartment objects if OOM conditions were detected at the right point between two passes. This could have led to memory corruption.
  • CVE-2024-8385: A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability.
  • CVE-2024-8386: If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack.
  • CVE-2024-8387: Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
  • CVE-2024-8389: Memory safety bugs present in Firefox 129. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

Port(s): firefox

2024-09-05 VuXML ID f5d0cfe7-6ba6-11ef-858b-23eeba13701a

Problem Description:

  • Replace v-html with v-text in search inputbox
  • Fix nuget/conan/container packages upload bugs

Port(s): gitea

2024-09-03 VuXML ID 26125e09-69ca-11ef-8a0f-a8a1599412c6

Chrome Releases reports:

This update includes 4 security fixes:

  • [357391257] High CVE-2024-8362: Use after free in WebAudio. Reported by Cassidy Kim(@cassidy6564) on 2024-08-05
  • [358485426] High CVE-2024-7970: Out of bounds write in V8. Reported by Cassidy Kim(@cassidy6564) on 2024-08-09

Port(s): chromium, ungoogled-chromium

2024-08-30 VuXML ID 5e4d7172-66b8-11ef-b104-b42e991fc52e

security@mozilla.org reports:

  • Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection.
  • Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode.
  • When almost out-of-memory an elliptic curve key which was never allocated could have been freed again.
  • It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window.

Port(s): firefox

2024-08-30 VuXML ID 7e9cc7fd-6b3e-46c5-ad6d-409d90d41bbf

hadmut reports:

This C library includes 2 command-line tools that can take credentials as command-line options. The credentials are exposed as plain-text in the process list. This could allow an attacker with access to the process list to see the credentials.

Port(s): rabbitmq-c

2024-08-30 VuXML ID eb437e17-66a1-11ef-ac08-75165d18d8d2

The forgejo team reports:

The scope of application tokens was not verified when writing containers or Conan packages. This is of no consequence when the user associated with the application token does not have write access to packages. If the user has write access to packages, such a token can be used to write containers and Conan packages. An application token that was used to write containers or Conan packages without the package:write scope will now fail with an unauthorized error. It must be re-created to include the package:write scope.

Port(s): forgejo

2024-08-29 VuXML ID 44de1b82-662d-11ef-a51b-b42e991fc52e

security@mozilla.org reports:

This update includes 3 CVEs:

  • The contextual menu for links could provide an opportunity for cross-site scripting attacks.
  • Long pressing on a download link could potentially provide a means for cross-site scripting.
  • Long pressing on a download link could potentially allow Javascript commands to be executed within the browser.

Port(s): firefox

2024-08-29 VuXML ID 46419e8c-65d9-11ef-ac06-b0416f0c4c67

report@snyk.io reports:

All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). Note: This is only exploitable in the case of a developer putting the offending value in a server side configuration file.

Port(s): py310-configobj, py311-configobj, py38-configobj, py39-configobj

2024-08-29 VuXML ID 6f2545bb-65e8-11ef-8a0f-a8a1599412c6

Chrome Releases reports:

This update includes 4 security fixes:

  • [351865302] High CVE-2024-7969: Type Confusion in V8. Reported by CFF of Topsec Alpha Team on 2024-07-09
  • [360265320] High CVE-2024-8193: Heap buffer overflow in Skia. Reported by Renan Rios (@hyhy_100) on 2024-08-16
  • [360533914] High CVE-2024-8194: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-08-18
  • [360758697] High CVE-2024-8198: Heap buffer overflow in Skia. Reported by Renan Rios (@hyhy_100) on 2024-08-19

Port(s): chromium, ungoogled-chromium

2024-08-25 VuXML ID 49ef501c-62b6-11ef-bba5-2cf05da270f3

Gitlab reports:

The GitLab Web Interface Does Not Guarantee Information Integrity When Downloading Source Code from Releases

Denial of Service by importing maliciously crafted GitHub repository

Prompt injection in "Resolve Vulnerability" results in arbitrary command execution in victim's pipeline

An unauthorized user can perform certain actions through GraphQL after a group owner enables IP restrictions

Port(s): gitlab-ce, gitlab-ee

2024-08-23 VuXML ID 6e8b9c75-6179-11ef-8a7d-b42e991fc52e

cve@mitre.org reports:

MCPP 2.7.2 has a heap-based buffer overflow in the do_msg() function in support.c.

Port(s): mcpp

2024-08-23 VuXML ID 7e6e932f-617b-11ef-8a7d-b42e991fc52e

security@mozilla.org reports:

  • CVE-2024-5697: A website was able to detect when a user took a screenshot of a page using the built-in Screenshot functionality in Firefox.
  • CVE-2024-5698: By manipulating the fullscreen feature while opening a data-list, an attacker could have overlaid a text box over the address bar. This could have led to user confusion and possible spoofing attacks.

Port(s): firefox

2024-08-23 VuXML ID f2b1da2e-6178-11ef-8a7d-b42e991fc52e

cve@mitre.org reports:

md_analyze_line in md4c.c in md4c 0.4.7 allows attackers to trigger use of uninitialized memory, and cause a denial of service via a malformed Markdown document.

Port(s): md4c

2024-08-22 VuXML ID addc71b8-6024-11ef-86a1-8c164567ca3c

The nginx development team reports:

This update fixes the buffer overread vulnerability in the ngx_http_mp4_module.

Port(s): nginx, nginx-devel

2024-08-22 VuXML ID b339992e-6059-11ef-8a0f-a8a1599412c6

Chrome Releases reports:

This update includes 38 security fixes:

  • [358296941] High CVE-2024-7964: Use after free in Passwords. Reported by Anonymous on 2024-08-08
  • [356196918] High CVE-2024-7965: Inappropriate implementation in V8. Reported by TheDog on 2024-07-30
  • [355465305] High CVE-2024-7966: Out of bounds memory access in Skia. Reported by Renan Rios (@HyHy100) on 2024-07-25
  • [355731798] High CVE-2024-7967: Heap buffer overflow in Fonts. Reported by Tashita Software Security on 2024-07-27
  • [349253666] High CVE-2024-7968: Use after free in Autofill. Reported by Han Zheng (HexHive) on 2024-06-25
  • [351865302] High CVE-2024-7969: Type Confusion in V8. Reported by CFF of Topsec Alpha Team on 2024-07-09
  • [360700873] High CVE-2024-7971: Type confusion in V8. Reported by Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC) on 2024-08-19
  • [345960102] Medium CVE-2024-7972: Inappropriate implementation in V8. Reported by Simon Gerst (intrigus-lgtm) on 2024-06-10
  • [345518608] Medium CVE-2024-7973: Heap buffer overflow in PDFium. Reported by soiax on 2024-06-06
  • [339141099] Medium CVE-2024-7974: Insufficient data validation in V8 API. Reported by bowu(@gocrashed) on 2024-05-07
  • [347588491] Medium CVE-2024-7975: Inappropriate implementation in Permissions. Reported by Thomas Orlita on 2024-06-16
  • [339654392] Medium CVE-2024-7976: Inappropriate implementation in FedCM. Reported by Alesandro Ortiz on 2024-05-10
  • [324770940] Medium CVE-2024-7977: Insufficient data validation in Installer. Reported by Kim Dong-uk (@justlikebono) on 2024-02-11
  • [40060358] Medium CVE-2024-7978: Insufficient policy enforcement in Data Transfer. Reported by NDevTK on 2022-07-21
  • [356064205] Medium CVE-2024-7979: Insufficient data validation in Installer. Reported by VulnNoob on 2024-07-29
  • [356328460] Medium CVE-2024-7980: Insufficient data validation in Installer. Reported by VulnNoob on 2024-07-30
  • [40067456] Low CVE-2024-7981: Inappropriate implementation in Views. Reported by Thomas Orlita on 2023-07-14
  • [350256139] Low CVE-2024-8033: Inappropriate implementation in WebApp Installs. Reported by Lijo A.T on 2024-06-30
  • [353858776] Low CVE-2024-8034: Inappropriate implementation in Custom Tabs. Reported by Bharat (mrnoob) on 2024-07-18
  • [40059470] Low CVE-2024-8035: Inappropriate implementation in Extensions. Reported by Microsoft on 2022-04-26

Port(s): chromium, ungoogled-chromium

2024-08-20 VuXML ID 04c9c3f8-5ed3-11ef-8262-b0416f0c4c67

security-advisories@github.com reports:

Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4.

Port(s): py310-Jinja2, py311-Jinja2, py38-Jinja2, py39-Jinja2

2024-08-19 VuXML ID d0ac9a17-5e68-11ef-b8cc-b42e991fc52e

security@mozilla.org reports:

Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1.

Port(s): firefox

2024-08-18 VuXML ID ac025402-4cbc-4177-bd99-c20c03a07f23

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-6776.
  • Security: backported fix for CVE-2024-6778.
  • Security: backported fix for CVE-2024-6777.
  • Security: backported fix for CVE-2024-6773.
  • Security: backported fix for CVE-2024-6774.
  • Security: backported fix for CVE-2024-6772.
  • Security: backported fix for CVE-2024-6775.
  • Security: backported fix for CVE-2024-6779.
  • Security: backported fix for CVE-2024-6989.
  • Security: backported fix for CVE-2024-6991.

Port(s): electron29, electron30

2024-08-18 VuXML ID e61af8f4-455d-4f99-8d81-fbb004929dab

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-6989.
  • Security: backported fix for CVE-2024-6991.

Port(s): electron31

2024-08-16 VuXML ID 6a6ad6cb-5c6c-11ef-b456-001e676bf734

Dovecot reports:

A DoS is possible with a large number of address headers or abnormally large email headers.

Port(s): dovecot

2024-08-14 VuXML ID 9d8e9952-5a42-11ef-a219-1c697a616631

Intel reports:

A potential security vulnerability in SMI Transfer monitor (STM) may allow escalation of privilege. Intel has released microcode updates to mitigate this potential vulnerability.

A potential security vulnerability in some 3rd Generation Intel Xeon Scalable Processors may allow denial of service. Intel has released microcode updates to mitigate this potential vulnerability.

A potential security vulnerability in some 3rd, 4th, and 5th Generation Intel Xeon Processors may allow escalation of privilege. Intel has released firmware updates to mitigate this potential vulnerability.

A potential security vulnerability in the Intel Core Ultra Processor stream cache mechanism may allow escalation of privilege. Intel has released microcode updates to mitigate this potential vulnerability.

A potential security vulnerability in some Intel Processor stream cache mechanisms may allow escalation of privilege. Intel has released microcode updates to mitigate this potential vulnerability.

Port(s): cpu-microcode-intel

2024-08-13 VuXML ID 5d7939f6-5989-11ef-9793-b42e991fc52e

security@mozilla.org reports:

  • CVE-2024-7531: Calling `PK11_Encrypt()` in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
  • CVE-2024-7529: The date picker could partially obscure security prompts. This could be used by a malicious site to trick a user into granting permissions. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.
  • CVE-2024-7525: It was possible for a web extension with minimal permissions to create a `StreamFilter` which could be used to read and modify the response body of requests on any site. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.
  • CVE-2024-7522: Editor code failed to check an attribute value. This could have led to an out-of-bounds read. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.
  • CVE-2024-7520: A type confusion bug in WebAssembly could be leveraged by an attacker to potentially achieve code execution. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1.
  • CVE-2024-7521: Incomplete WebAssembly exception handling could have led to a use-after-free. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.
  • CVE-2024-7530: Incorrect garbage collection interaction could have led to a use-after-free. This vulnerability affects Firefox < 129.
  • CVE-2024-7528: Incorrect garbage collection interaction in IndexedDB could have led to a use-after-free. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1.
  • CVE-2024-7527: Unexpected marking work at the start of sweeping could have led to a use-after-free. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.

Port(s): mozilla

2024-08-12 VuXML ID d2723b0f-58d9-11ef-b611-84a93843eb75

SO-AND-SO reports:

This release has several CVE Reports fixed and we recommend everybody to update to the latest version as soon as possible.

Port(s): vaultwarden

2024-08-10 VuXML ID 5776cc4f-5717-11ef-b611-84a93843eb75

The Roundcube project reports:

XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]

XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]

information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Port(s): roundcube

2024-08-10 VuXML ID 7d631146-5769-11ef-b618-1c697a616631

AMD reports:

Researchers from IOActive have reported that it may be possible for an attacker with ring 0 access to modify the configuration of System Management Mode (SMM) even when SMM Lock is enabled. Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution.

Port(s): cpu-microcode-amd

2024-08-10 VuXML ID aa1c7af9-570e-11ef-a43e-b42e991fc52e

security@mozilla.org reports:

By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

Port(s): firefox

2024-08-09 VuXML ID 587ed8ac-5957-11ef-854a-001e676bf734

OpenHAB reports:

This patch release addresses the following security advisories:

All of these are related to the CometVisu add-on for openHAB - if you are a user of CometVisu, we strongly recommend upgrading your system to openHAB 4.2.1 in order to fix those vulnerabilities.

Port(s): openhab-addons

2024-08-09 VuXML ID 8c342a6c-563f-11ef-a77e-901b0e9408dc

soft-serve team reports:

Arbitrary code execution by crafting git ssh requests

It is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git.

Port(s): soft-serve

2024-08-08 VuXML ID 48e6d514-5568-11ef-af48-6cc21735f730

PostgreSQL project reports:

An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.

Port(s): postgresql12-client, postgresql12-server, postgresql13-client, postgresql13-server, postgresql14-client, postgresql14-server, postgresql15-client, postgresql15-server, postgresql16-client, postgresql16-server

2024-08-07 VuXML ID 729008b9-54bf-11ef-a61b-2cf05da270f3

Gitlab reports:

Privilege Escalation via LFS Tokens Granting Unrestricted Repository Access

Cross project access of Security policy bot

Advanced search ReDOS in highlight for code results

Denial of Service via banzai pipeline

Denial of service using adoc files

ReDoS in RefMatcher when matching branch names using wildcards

Path encoding can cause the Web interface to not render diffs correctly

XSS while viewing raw XHTML files through API

Ambiguous tag name exploitation

Logs disclosing potentially sensitive data in query params

Password bypass on approvals using policy projects

ReDoS when parsing git push

Webhook deletion audit log can preserve auth credentials

Port(s): gitlab-ce, gitlab-ee

2024-08-07 VuXML ID 94d441d2-5497-11ef-9d2f-080027836e8b

Django reports:

CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat().

CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize().

CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget.

CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list().

Port(s): py310-django42, py310-django50, py311-django42, py311-django50, py39-django42

2024-08-07 VuXML ID db8fa362-0ccb-4aa8-9220-72b7763e9a4a

Jenkins Security Advisory:

(Critical) SECURITY-3430 / CVE-2024-43044: Arbitrary file read vulnerability through agent connections can lead to RCE

(Medium) SECURITY-3349 / CVE-2024-43045: Missing permission check allows accessing other users' "My Views"

Port(s): jenkins, jenkins-lts

2024-08-06 VuXML ID 05cd9f82-5426-11ef-8a0f-a8a1599412c6

Chrome Releases reports:

This update includes 5 security fixes:

  • [350528343] Critical CVE-2024-7532: Out of bounds memory access in ANGLE. Reported by wgslfuzz on 2024-07-02
  • [353552540] High CVE-2024-7533: Use after free in Sharing. Reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-07-17
  • [355256380] High CVE-2024-7550: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-07-25
  • [352467338] High CVE-2024-7534: Heap buffer overflow in Layout. Reported by Tashita Software Security on 2024-07-11
  • [352690885] High CVE-2024-7535: Inappropriate implementation in V8. Reported by Tashita Software Security on 2024-07-12
  • [354847246] High CVE-2024-7536: Use after free in WebAudio. Reported by Cassidy Kim(@cassidy6564) on 2024-07-23

Port(s): chromium, ungoogled-chromium

2024-07-31 VuXML ID 15d398ea-4f73-11ef-8a0f-a8a1599412c6

Chrome Releases reports:

This update includes 3 security fixes:

  • [353034820] Critical CVE-2024-6990: Uninitialized Use in Dawn. Reported by gelatin dessert on 2024-07-15
  • [352872238] High CVE-2024-7255: Out of bounds read in WebTransport. Reported by Marten Richter on 2024-07-13
  • [354748060] High CVE-2024-7256: Insufficient data validation in Dawn. Reported by gelatin dessert on 2024-07-23

Port(s): chromium, ungoogled-chromium

2024-07-30 VuXML ID fb0b5574-4e64-11ef-8a0f-a8a1599412c6

Chrome Releases reports:

This update includes 22 security fixes:

  • [349198731] High CVE-2024-6988: Use after free in Downloads. Reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-06-25
  • [349342289] High CVE-2024-6989: Use after free in Loader. Reported by Anonymous on 2024-06-25
  • [346618785] High CVE-2024-6991: Use after free in Dawn. Reported by wgslfuzz on 2024-06-12
  • [339686368] Medium CVE-2024-6994: Heap buffer overflow in Layout. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2024-05-10
  • [343938078] Medium CVE-2024-6995: Inappropriate implementation in Fullscreen. Reported by Alesandro Ortiz on 2024-06-01
  • [333708039] Medium CVE-2024-6996: Race in Frames. Reported by Louis Jannett (Ruhr University Bochum) on 2024-04-10
  • [325293263] Medium CVE-2024-6997: Use after free in Tabs. Reported by Sven Dysthe (@svn-dys) on 2024-02-15
  • [340098902] Medium CVE-2024-6998: Use after free in User Education. Reported by Sven Dysthe (@svn-dys) on 2024-05-13
  • [340893685] Medium CVE-2024-6999: Inappropriate implementation in FedCM. Reported by Alesandro Ortiz on 2024-05-15
  • [339877158] Medium CVE-2024-7000: Use after free in CSS. Reported by Anonymous on 2024-05-11
  • [347509736] Medium CVE-2024-7001: Inappropriate implementation in HTML. Reported by Jake Archibald on 2024-06-17
  • [338233148] Low CVE-2024-7003: Inappropriate implementation in FedCM. Reported by Alesandro Ortiz on 2024-05-01
  • [40063014] Low CVE-2024-7004: Insufficient validation of untrusted input in Safe Browsing. Reported by Anonymous on 2023-02-10
  • [40068800] Low CVE-2024-7005: Insufficient validation of untrusted input in Safe Browsing. Reported by Umar Farooq on 2023-08-04

Port(s): chromium, ungoogled-chromium

2024-07-28 VuXML ID 8057d198-4d26-11ef-8e64-641c67a117d8

Mitre reports:

In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK.

Port(s): znc

2024-07-26 VuXML ID 3e917407-4b3f-11ef-8e49-001999f8d30b

Mailpit developer reports:

A vulnerability was discovered which allowed a bad actor with SMTP access to Mailpit to bypass the Content Security Policy headers using a series of crafted HTML messages which could result in a stored XSS attack via the web UI.

more...
mailpit

2024-07-25 VuXML ID 24c88add-4a3e-11ef-86d7-001b217b3468

Gitlab reports:

XSS via the Maven Dependency Proxy

Project level analytics settings leaked in DOM

Reports can access and download job artifacts despite use of settings to prevent it

Direct Transfer - Authorised project/group exports are accessible to other users

Bypassing tag check and branch check through imports

Project Import/Export - Make project/group export files hidden to everyone except user who initiated it

more...
gitlab-ce
gitlab-ee

2024-07-19 VuXML ID 574028b4-a181-455b-a78b-ec5c62781235

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-6291.
  • Security: backported fix for CVE-2024-6293.
  • Security: backported fix for CVE-2024-6290.
  • Security: backported fix for CVE-2024-6292.
more...
electron29

2024-07-17 VuXML ID 088b8b7d-446c-11ef-b611-84a93843eb75

The Apache httpd project reports:

source code disclosure with handlers configured via AddType (CVE-2024-40725) (Important): A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.

more...
apache24

2024-07-16 VuXML ID 3b018063-4358-11ef-b611-84a93843eb75

Oracle reports:

36 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.8.

more...
mysql80-client
mysql80-server
mysql81-client
mysql81-server
mysql84-client
mysql84-server

2024-07-16 VuXML ID 6091d1d8-4347-11ef-a4d4-080027957747

GLPI team reports:

GLPI 10.0.16 Changelog

  • [SECURITY - high] Account takeover via SQL Injection in AJAX scripts (CVE-2024-37148)
  • [SECURITY - high] Remote code execution through the plugin loader (CVE-2024-37149)
  • [SECURITY - moderate] Authenticated file upload to restricted tickets (CVE-2024-37147)
more...
glpi

2024-07-13 VuXML ID 55d4a92f-c75f-43e8-ab1f-4a0efc9795c4

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-6291.
  • Security: backported fix for CVE-2024-6293.
  • Security: backported fix for CVE-2024-6290.
  • Security: backported fix for CVE-2024-6292.
more...
electron29

2024-07-13 VuXML ID 6410f91d-1214-4f92-b7e0-852e39e265f9

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-5493.
  • Security: backported fix for CVE-2024-5831.
  • Security: backported fix for CVE-2024-5832.
  • Security: backported fix for CVE-2024-6100.
  • Security: backported fix for CVE-2024-6101.
  • Security: backported fix for CVE-2024-6103.
  • Security: backported fix for CVE-2024-6291.
  • Security: backported fix for CVE-2024-6293.
  • Security: backported fix for CVE-2024-6290.
  • Security: backported fix for CVE-2024-6292.
more...
electron30

2024-07-11 VuXML ID acb4eab6-3f6d-11ef-8657-001b217b3468

Gitlab reports:

An attacker can run pipeline jobs as an arbitrary user

Developer user with admin_compliance_framework permission can change group URL

Admin push rules custom role allows creation of project level deploy token

Package registry vulnerable to manifest confusion

User with admin_group_member permission can ban group members

Subdomain takeover in GitLab Pages

more...
gitlab-ce
gitlab-ee

2024-07-10 VuXML ID 171afa61-3eba-11ef-a58f-080027836e8b

Django reports:

CVE-2024-38875: Potential denial-of-service in django.utils.html.urlize().

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords.

CVE-2024-39330: Potential directory-traversal in django.core.files.storage.Storage.save().

CVE-2024-39614: Potential denial-of-service in django.utils.translation.get_supported_language_variant().

more...
py310-django42
py310-django50
py311-django42
py311-django50
py39-django42

2024-07-07 VuXML ID 767dfb2d-3c9e-11ef-a829-5404a68ad561

The traefik authors report:

There is a vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses.

more...
traefik

2024-07-04 VuXML ID 51498ee4-39a1-11ef-b609-002590c1f29c

Request Tracker reports:

CVE-2024-3262 describes previously viewed pages being stored in the browser cache, which is the typical default behavior of most browsers to enable the "back" button. Someone who gains access to a host computer could potentially view ticket data using the back button, even after logging out of RT. The CVE specifically references RT version 4.4.1, but this behavior is present in most browsers viewing all versions of RT before 5.0.6.

more...
rt50

2024-07-04 VuXML ID 5d921a8c-3a43-11ef-b611-84a93843eb75

The Apache httpd project reports:

source code disclosure with handlers configured via AddType (CVE-2024-39884) (Important). A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.

more...
apache24

2024-07-03 VuXML ID b0374722-3912-11ef-a77e-901b0e9408dc

The Go project reports:

net/http: denial of service due to improper 100-continue handling

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

more...
go121
go122

2024-07-03* VuXML ID f1a00122-3797-11ef-b611-84a93843eb75

The OpenSSH project reports:

A race condition in sshd(8) could allow remote code execution as root on non-OpenBSD systems.

more...
openssh-portable

2024-07-01 VuXML ID d7efc2ad-37af-11ef-b611-84a93843eb75

The Apache httpd project reports:

DoS by Null pointer in websocket over HTTP/2 (CVE-2024-36387) (Low). Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.

Proxy encoding problem (CVE-2024-38473) (Moderate). Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.

Weakness with encoded question marks in backreferences (CVE-2024-38474) (Important). Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or source disclosure of scripts meant only to be executed as CGI.

Weakness in mod_rewrite when first segment of substitution matches filesystem path (CVE-2024-38475) (Important). Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

May use exploitable/malicious backend application output to run local handlers via internal redirect (CVE-2024-38476) (Important). The core of Apache HTTP Server 2.4.59 and earlier is vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.

Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477) (Important). Null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.

mod_rewrite proxy handler substitution (CVE-2024-39573) (Moderate). Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy.

more...
apache24

2024-06-30 VuXML ID c742dbe8-3704-11ef-9e6e-b42e991fc52e

cve@mitre.org reports:

This entry documents the following three vulnerabilities:

  • Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapname in etc/afpd/directory.c. 2.4.1 and 3.1.19 are also fixed versions.
  • Netatalk before 3.2.1 has an off-by-one error, and resultant heap-based buffer overflow and segmentation violation, because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c. The original issue 1097 report stated: 'The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in reading metadata of the next heap block, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled. ...
  • Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to '\0' in FPLoginExt in login in etc/uams/uams_pam.c. 2.4.1 and 3.1.19 are also fixed versions.
more...
netatalk3

2024-06-28 VuXML ID 07f0ea8c-356a-11ef-ac6d-a0423f48a938
</gr_replreplace>
<gr_replace lines="942" cat="clarify" orig="In FRRouting">
In FRRouting (FRR) through 9.1, there are multiple vulnerabilities.

cve@mitre.org reports:

In FRRouting (FRR) through 9.1, there are multiples vulnerabilities.

  • CVE-2024-31950: buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets
  • CVE-2024-31951: buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets
more...
frr8
frr9

2024-06-28 VuXML ID 0e73964d-053a-481a-bf1c-202948d68484

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-5499.
  • Security: backported fix for CVE-2024-5493.
  • Security: backported fix for CVE-2024-5494.
  • Security: backported fix for CVE-2024-5495.
  • Security: backported fix for CVE-2024-5496.
  • Security: backported fix for CVE-2024-5158.
  • Security: backported fix for CVE-2024-5160.
  • Security: backported fix for CVE-2024-5157.
  • Security: backported fix for CVE-2024-5159.
  • Security: backported fix for CVE-2024-5831.
  • Security: backported fix for CVE-2024-5832.
  • Security: backported fix for CVE-2024-6100.
  • Security: backported fix for CVE-2024-6101.
  • Security: backported fix for CVE-2024-6103.
more...
electron29

2024-06-27 VuXML ID 589de937-343f-11ef-8a7b-001b217b3468

Gitlab reports:

Run pipelines as any user

Stored XSS injected in imported project's commit notes

CSRF on GraphQL API IntrospectionQuery

Remove search results from public projects with unauthorized repos

Cross window forgery in user application OAuth flow

Project maintainers can bypass group's merge request approval policy

ReDoS via custom built markdown page

Private job artifacts can be accessed by any user

Security fixes for banzai pipeline

ReDoS in dependency linker

Denial of service using a crafted OpenAPI file

Merge request title disclosure

Access issues and epics without having an SSO session

Non project member can promote key results to objectives

more...
gitlab-ce
gitlab-ee

2024-06-25 VuXML ID 2b68c86a-32d5-11ef-8a0f-a8a1599412c6

Chrome Releases reports:

This update includes 5 security fixes:

  • [342428008] High CVE-2024-6290: Use after free in Dawn. Reported by wgslfuzz on 2024-05-23
  • [40942995] High CVE-2024-6291: Use after free in Swiftshader. Reported by Cassidy Kim(@cassidy6564) on 2023-11-15
  • [342545100] High CVE-2024-6292: Use after free in Dawn. Reported by wgslfuzz on 2024-05-24
  • [345993680] High CVE-2024-6293: Use after free in Dawn. Reported by wgslfuzz on 2024-06-09
more...
chromium
ungoogled-chromium

2024-06-23 VuXML ID 4f6c4c07-3179-11ef-9da5-1c697a616631

GNU Emacs developers report:

Emacs 29.4 is an emergency bugfix release intended to fix a security vulnerability. Arbitrary shell commands are no longer run when turning on Org mode in order to avoid running malicious code.

more...
emacs
emacs-canna
emacs-devel
emacs-devel-nox
emacs-nox
emacs-wayland

2024-06-22 VuXML ID 82830965-3073-11ef-a17d-5404a68ad561

The traefik authors report:

There is an Elevation of Privilege vulnerability in Azure Identity Libraries and Microsoft Authentication Library.

more...
traefik

2024-06-20 VuXML ID 007e7e77-2f06-11ef-8a0f-a8a1599412c6

Chrome Releases reports:

This update includes 6 security fixes:

  • [344608204] High CVE-2024-6100: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) participating in SSD Secure Disclosure's TyphoonPWN 2024 on 2024-06-04
  • [343748812] High CVE-2024-6101: Inappropriate implementation in WebAssembly. Reported by @ginggilBesel on 2024-05-31
  • [339169163] High CVE-2024-6102: Out of bounds memory access in Dawn. Reported by wgslfuzz on 2024-05-07
  • [344639860] High CVE-2024-6103: Use after free in Dawn. Reported by wgslfuzz on 2024-06-04
more...
chromium
ungoogled-chromium

2024-06-20 VuXML ID 142c538e-b18f-40a1-afac-c479effadd5c

Gert Doering reports that OpenVPN 2.6.11 fixes two security bugs (three on Windows):

CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. (Reynir Björnsson)

CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client. (Reynir Björnsson)

more...
openvpn

2024-06-20 VuXML ID aa2b65e4-2f63-11ef-9cab-4ccc6adda413

Backports for 5 security bugs in Chromium:

  • CVE-2024-3837: Use after free in QUIC
  • CVE-2024-3839: Out of bounds read in Fonts
  • CVE-2024-3914: Use after free in V8
  • CVE-2024-4058: Type confusion in ANGLE
  • CVE-2024-4558: Use after free in ANGLE
more...
qt5-webengine

2024-06-20 VuXML ID c5415838-2f52-11ef-9cab-4ccc6adda413

Qt qtwebengine-chromium repo reports:

Backports for 7 security bugs in Chromium:

  • CVE-2024-4948: Use after free in Dawn
  • CVE-2024-5274: Type Confusion in V8
  • CVE-2024-5493: Heap buffer overflow in WebRTC
  • CVE-2024-5494: Use after free in Dawn
  • CVE-2024-5495: Use after free in Dawn
  • CVE-2024-5496: Use after free in Media Session
  • CVE-2024-5499: Out of bounds write in Streams API
more...
qt6-webengine

2024-06-18 VuXML ID 453aa0fc-2d91-11ef-8a0f-a8a1599412c6

Chrome Releases reports:

This update includes 21 security fixes:

  • [342456991] High CVE-2024-5830: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2024-05-24
  • [339171223] High CVE-2024-5831: Use after free in Dawn. Reported by wgslfuzz on 2024-05-07
  • [340196361] High CVE-2024-5832: Use after free in Dawn. Reported by wgslfuzz on 2024-05-13
  • [342602616] High CVE-2024-5833: Type Confusion in V8. Reported by @ginggilBesel on 2024-05-24
  • [342840932] High CVE-2024-5834: Inappropriate implementation in Dawn. Reported by gelatin dessert on 2024-05-26
  • [341991535] High CVE-2024-5835: Heap buffer overflow in Tab Groups. Reported by Weipeng Jiang (@Krace) of VRI on 2024-05-22
  • [341875171] High CVE-2024-5836: Inappropriate Implementation in DevTools. Reported by Allen Ding on 2024-05-21
  • [342415789] High CVE-2024-5837: Type Confusion in V8. Reported by Anonymous on 2024-05-23
  • [342522151] High CVE-2024-5838: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-05-24
  • [340122160] Medium CVE-2024-5839: Inappropriate Implementation in Memory Allocator. Reported by Micky on 2024-05-13
  • [41492103] Medium CVE-2024-5840: Policy Bypass in CORS. Reported by Matt Howard on 2024-01-17
  • [326765855] Medium CVE-2024-5841: Use after free in V8. Reported by Cassidy Kim(@cassidy6564) on 2024-02-26
  • [40062622] Medium CVE-2024-5842: Use after free in Browser UI. Reported by Sven Dysthe (@svn_dy) on 2023-01-12
  • [333940412] Medium CVE-2024-5843: Inappropriate implementation in Downloads. Reported by hjy79425575 on 2024-04-12
  • [331960660] Medium CVE-2024-5844: Heap buffer overflow in Tab Strip. Reported by Sri on 2024-04-01
  • [340178596] Medium CVE-2024-5845: Use after free in Audio. Reported by anonymous on 2024-05-13
  • [341095523] Medium CVE-2024-5846: Use after free in PDFium. Reported by Han Zheng (HexHive) on 2024-05-16
  • [341313077] Medium CVE-2024-5847: Use after free in PDFium. Reported by Han Zheng (HexHive) on 2024-05-18
more...
chromium
ungoogled-chromium

2024-06-15 VuXML ID 219aaa1e-2aff-11ef-ab37-5404a68ad561

The traefik authors report:

There is a vulnerability in Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses. They didn't work as expected, returning false for addresses which would return true in their traditional IPv4 forms.

more...
traefik

2024-06-15 VuXML ID a5c64f6f-2af3-11ef-a77e-901b0e9408dc

The Go project reports:

archive/zip: mishandling of corrupt central directory record

The archive/zip package's handling of certain types of invalid zip files differed from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

more...
go121
go122

2024-06-13 VuXML ID 92cd1c03-2940-11ef-bc02-001b217b3468

Gitlab reports:

ReDoS in gomod dependency linker

ReDoS in CI interpolation (fix bypass)

ReDoS in Asana integration issue mapping when webhook is called

XSS and content injection when viewing raw XHTML files on iOS devices

Missing agentk request validation could cause KAS to panic

more...
gitlab-ce
gitlab-ee

2024-06-11 VuXML ID 479df73e-2838-11ef-9cab-4ccc6adda413

David Edmundson reports:

KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE based purely on the host, allowing all local connections. This allows another user on the same machine to gain access to the session manager.

A well crafted client could use the session restore feature to execute arbitrary code as the user on the next boot.

more...
plasma5-plasma-workspace
plasma6-plasma-workspace

2024-06-10 VuXML ID 5f608c68-276c-11ef-8caa-0897988a1c07

Composer project reports:

The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.

more...
php81-composer
php82-composer
php83-composer

2024-06-07 VuXML ID 91929399-249e-11ef-9296-b42e991fc52e

security-advisories@github.com reports:

Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The user's permission to add users to a project only gets checked on the URL parameter project_id. If the user is authorized to add users to this project the request gets processed. The user's permission for the POST BODY parameter project_id does not get checked again while processing. An attacker with the 'Project Manager' on a single project may take over any other project. The vulnerability is fixed in 1.2.37.

more...
kanboard

2024-06-05 VuXML ID 14908bda-232b-11ef-b621-00155d645102

Cyrus IMAP 3.8.3 Release Notes state:

Fixed CVE-2024-34055: Cyrus-IMAP through 3.8.2 and 3.10.0-beta2 allow authenticated attackers to cause unbounded memory allocation by sending many LITERALs in a single command.

The IMAP protocol allows for command arguments to be LITERALs of negotiated length, and for these the server allocates memory to receive the content before instructing the client to proceed. The allocated memory is released when the whole command has been received and processed.

The IMAP protocol has a number of commands that specify an unlimited number of arguments, for example SEARCH. Each of these arguments can be a LITERAL, for which memory will be allocated and not released until the entire command has been received and processed. This can run a server out of memory, with varying consequences depending on the server's OOM policy.

more...
cyrus-imapd25
cyrus-imapd30
cyrus-imapd32
cyrus-imapd34
cyrus-imapd36
cyrus-imapd38

2024-06-03 VuXML ID b058380e-21a4-11ef-8a0f-a8a1599412c6

Chrome Releases reports:

This update includes 11 security fixes:

  • [339877165] High CVE-2024-5493: Heap buffer overflow in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2024-05-11
  • [338071106] High CVE-2024-5494: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
  • [338103465] High CVE-2024-5495: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
  • [338929744] High CVE-2024-5496: Use after free in Media Session. Reported by Cassidy Kim(@cassidy6564) on 2024-05-06
  • [339061099] High CVE-2024-5497: Out of bounds memory access in Keyboard Inputs. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2024-05-07
  • [339588211] High CVE-2024-5498: Use after free in Presentation API. Reported by anonymous on 2024-05-09
  • [339877167] High CVE-2024-5499: Out of bounds write in Streams API. Reported by anonymous on 2024-05-11
more...
chromium
ungoogled-chromium

2024-05-29 VuXML ID 320a19f7-1ddd-11ef-a2ae-8c164567ca3c

The nginx development team reports:

This update fixes the following vulnerabilities:

  • Stack overflow and use-after-free in HTTP/3
  • Buffer overwrite in HTTP/3
  • Memory disclosure in HTTP/3
  • NULL pointer dereference in HTTP/3
more...
nginx
nginx-devel

2024-05-29 VuXML ID 6926d038-1db4-11ef-9f97-a8a1599412c6

Chrome Releases reports:

This update includes 1 security fix:

  • [341663589] High CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20
more...
chromium
ungoogled-chromium

2024-05-28 VuXML ID 73a697d7-1d0f-11ef-a490-84a93843eb75

The OpenSSL project reports:

Use After Free with SSL_free_buffers (low).

Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations

more...
openssl
openssl-quictls
openssl31
openssl31-quictls
openssl32
openssl33

2024-05-25 VuXML ID 04e78f32-04b2-4c23-bfae-72600842d317

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-4948.
more...
electron29

2024-05-25 VuXML ID 43d1c381-a3e5-4a1d-b3ed-f37b61a451af

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-4948.
  • Security: backported fix for CVE-2024-3914.
  • Security: backported fix for CVE-2024-4060.
  • Security: backported fix for CVE-2024-4058.
  • Security: backported fix for CVE-2024-4558.
more...
electron28

2024-05-24 VuXML ID f5fa174d-19de-11ef-83d8-4ccc6adda413

Andy Shaw reports:

The OAuth1 implementation in QtNetworkAuth created nonces using a PRNG that was seeded with a predictable seed.

This means that an attacker that can somehow control the time of the first OAuth1 flow of the process has a high chance of predicting the nonce used in said OAuth flow.

more...
qt5-networkauth
qt6-networkauth

2024-05-22 VuXML ID 8247af0d-183b-11ef-9f97-a8a1599412c6

Chrome Releases reports:

This update includes 15 security fixes:

  • [336012573] High CVE-2024-5157: Use after free in Scheduling. Reported by Looben Yang on 2024-04-21
  • [338908243] High CVE-2024-5158: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-05-06
  • [335613092] High CVE-2024-5159: Heap buffer overflow in ANGLE. Reported by David Sievers (@loknop) on 2024-04-18
  • [338161969] High CVE-2024-5160: Heap buffer overflow in Dawn. Reported by wgslfuzz on 2024-05-01
  • [340221135] High CVE-2024-4947: Type Confusion in V8. Reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky on 2024-05-13
  • [333414294] High CVE-2024-4948: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
  • [326607001] Medium CVE-2024-4949: Use after free in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-02-24
  • [40065403] Low CVE-2024-4950: Inappropriate implementation in Downloads. Reported by Shaheen Fazim on 2023-06-06
more...
chromium
ungoogled-chromium

2024-05-22 VuXML ID f848ef90-1848-11ef-9850-001b217b3468

Gitlab reports:

1-click account takeover via XSS in the code editor in gitlab.com

A DOS vulnerability in the 'description' field of the runner

CSRF via K8s cluster-integration

Using Set Pipeline Status of a Commit API incorrectly creates a new pipeline when SHA and pipeline_id do not match

ReDoS on wiki render API/Page

Resource exhaustion and denial of service with test_report API calls

Guest user can view dependency lists of private projects through job artifacts

Stored XSS via PDFjs

more...
gitlab-ce
gitlab-ee

2024-05-21 VuXML ID 9bcff2c4-1779-11ef-b489-b42e991fc52e

security-advisories@github.com reports:

Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn't available for a specific release, or isn't quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.

more...
openfire

2024-05-21 VuXML ID e020b0fd-1751-11ef-a490-84a93843eb75

The Roundcube project reports:

Cross-site scripting (XSS) vulnerability in handling SVG animate attributes.

Cross-site scripting (XSS) vulnerability in handling list columns from user preferences.

more...
roundcube

2024-05-19 VuXML ID d58455cc-159e-11ef-83d8-4ccc6adda413

Backports for 2 security bugs in Chromium:

  • CVE-2024-3157: Out of bounds write in Compositing
  • CVE-2024-3516: Heap buffer overflow in ANGLE
more...
qt5-webengine

2024-05-18 VuXML ID f393b5a7-1535-11ef-8064-c5610a6efffb

Tor Project reports:

When building anonymizing circuits to or from an onion service with 'lite' vanguards (the default) enabled, the circuit manager code would build the circuits with one hop too few.

When 'full' vanguards are enabled, some circuits are supposed to be built with an extra hop to minimize the linkability of the guard nodes. In some circumstances, the circuit manager would build circuits with one hop too few, making it easier for an adversary to discover the L2 and L3 guards of the affected clients and services.

more...
arti

2024-05-17 VuXML ID a431676c-f86c-4371-b48a-b7d2b0bec3a3

Electron developers report:

This update fixes the following vulnerability:

  • Backported fix for CVE-2024-22017.
more...
electron29

2024-05-17 VuXML ID b88aa380-1442-11ef-a490-84a93843eb75

The OpenSSL project reports:

Excessive time spent checking DSA keys and parameters (Low)

Checking excessively long DSA keys or parameters may be very slow.

more...
openssl
openssl-quictls
openssl31
openssl31-quictls
openssl32
openssl33

2024-05-15 VuXML ID c6f03ea6-12de-11ef-83d8-4ccc6adda413

Qt qtwebengine-chromium repo reports:

Backports for 16 security bugs in Chromium:

  • CVE-2024-2625: Object lifecycle issue in V8
  • CVE-2024-2626: Out of bounds read in Swiftshader
  • CVE-2024-2885: Use after free in Dawn
  • CVE-2024-2887: Type Confusion in WebAssembly
  • CVE-2024-3157: Out of bounds write in Compositing
  • CVE-2024-3159: Out of bounds memory access in V8
  • CVE-2024-3516: Heap buffer overflow in ANGLE
  • CVE-2024-3837: Use after free in QUIC
  • CVE-2024-3839: Out of bounds read in Fonts
  • CVE-2024-3914: Use after free in V8
  • CVE-2024-3840: Insufficient policy enforcement in Site Isolation
  • CVE-2024-4058: Type Confusion in ANGLE
  • CVE-2024-4060: Use after free in Dawn
  • CVE-2024-4331: Use after free in Picture In Picture
  • CVE-2024-4368: Use after free in Dawn
  • CVE-2024-4671: Use after free in Visuals
more...
qt6-webengine

2024-05-15 VuXML ID e79cc4e2-12d7-11ef-83d8-4ccc6adda413

Andy Shaw reports:

QStringConverter has an invalid pointer being passed as a callback which can allow modification of the stack. Qt itself is not vulnerable to remote attack however an application using QStringDecoder either directly or indirectly can be vulnerable.

This requires:

  1. the attacker be able to tell the application a specific codec to use
  2. the attacker be able to feed the application data in a specific way to cause the desired modification
  3. the attacker know what in the stack will get modified, which requires knowing the build of the application (and not all builds will be vulnerable)
  4. the modification do anything in particular that is useful to the attacker, besides maybe crashing the application

Qt does not automatically use any of those codecs, so this needs the application to implement something using QStringDecoder to be vulnerable.

more...
qt6-base

2024-05-14 VuXML ID 5afd64ae-122a-11ef-8eed-1c697a616631

Intel reports:

Potential security vulnerabilities in some Intel Trust Domain Extensions (TDX) module software may allow escalation of privilege. Improper input validation in some Intel TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

A potential security vulnerability in some Intel Processors may allow information disclosure. Hardware logic contains race conditions in some Intel Processors that may allow an authenticated user to potentially enable partial information disclosure via local access. Intel is releasing microcode updates to mitigate this potential vulnerability.

A potential security vulnerability in Intel Core Ultra Processors may allow denial of service. A sequence of processor instructions that leads to unexpected behavior in Intel Core Ultra Processors may allow an authenticated user to potentially enable denial of service via local access. Intel is releasing microcode updates to mitigate this potential vulnerability.

more...
cpu-microcode-intel

more detail
2024-05-14VuXML ID 8e0e8b56-11c6-11ef-9f97-a8a1599412c6

Chrome Releases reports:

This update includes 1 security fix:

  • [339458194] High CVE-2024-4761: Out of bounds write in V8. Reported by Anonymous on 2024-05-09
more...
chromium
ungoogled-chromium

more detail
2024-05-13VuXML ID d3847eba-114b-11ef-9c21-901b0e9408dc

The Go project reports:

net: malformed DNS message can cause infinite loop

A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

more...
go121
go122

more detail
2024-05-13VuXML ID f2d8342f-1134-11ef-8791-6805ca2fa271

PowerDNS Security Advisory reports:

When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service. DNS over HTTPS is not enabled by default, and backends are using plain DNS (Do53) by default.

more...
dnsdist

more detail
2024-05-12VuXML ID 3cf8ea44-1029-11ef-9f97-a8a1599412c6

Chrome Releases reports:

This update includes 1 security fix:

  • [339266700] High CVE-2024-4671: Use after free in Visuals. Reported by Anonymous on 2024-05-07
more...
chromium
ungoogled-chromium

more detail
2024-05-09VuXML ID d53c30c1-0d7b-11ef-ba02-6cc21735f730

PostgreSQL project reports:

A security vulnerability was found in the system views pg_stats_ext and pg_stats_ext_exprs, potentially allowing authenticated database users to see data they shouldn't. If this is of concern in your installation, run the SQL script /usr/local/share/postgresql/fix-CVE-2024-4317.sql for each of your databases. See the link for details.

more...
postgresql-server

more detail
2024-05-09VuXML ID ec994672-5284-49a5-a7fc-93c02126e5fb

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-3914.
  • Security: backported fix for CVE-2024-4558.
more...
electron29

more detail
2024-05-09VuXML ID ee6936da-0ddd-11ef-9c21-901b0e9408dc

Tailscale team reports:

In Tailscale versions earlier than 1.66.0, exit nodes, subnet routers, and app connectors could allow inbound connections to other tailnet nodes from their local area network (LAN). This vulnerability only affects Linux exit nodes, subnet routers, and app connectors in tailnets where ACLs allow "src": "*", such as with default ACLs.

more...
tailscale

more detail
2024-05-09VuXML ID fbc2c629-0dc5-11ef-9850-001b217b3468

Gitlab reports:

ReDoS in branch search when using wildcards

ReDoS in markdown render pipeline

ReDoS on Discord integrations

ReDoS on Google Chat Integration

Denial of Service Attack via Pin Menu

DoS by filtering tags and branches via the API

MR approval via CSRF in SAML SSO

Banned user from groups can read issues updates via the api

Require confirmation before linking JWT identity

View confidential issues title and description of any public project via export

SSRF via Github importer

more...
gitlab-ce
gitlab-ee

more detail
2024-05-08VuXML ID 059a99a9-45e0-492b-b9f9-5a79573c8eb6

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-4060.
  • Security: backported fix for CVE-2024-4058.
more...
electron29

more detail
2024-05-02VuXML ID 4a1e2bad-0836-11ef-9fd2-1c697a616631

HiddenLayer Research reports:

Deserialization of untrusted data can occur in the R statistical programming language, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user's system.

more...
R

more detail
2024-05-02VuXML ID f69415aa-086e-11ef-9f97-a8a1599412c6

Chrome Releases reports:

This update includes 2 security fixes:

  • [335003891] High CVE-2024-4331: Use after free in Picture In Picture. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-04-16
  • [333508731] High CVE-2024-4368: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
more...
chromium
ungoogled-chromium

more detail
2024-05-01VuXML ID da4adc02-07f4-11ef-960d-5404a68ad561

The openSUSE project reports:

The problematic function in question is putSDN() in mail.c. The static variable `cp` is used as an index for a fixed-sized buffer `ibuf`. There is a range check: `if ( cp >= HDR_BUF_LEN ) ...` but under certain circumstances, cp can be incremented beyond the buffer size, leading to a buffer overwrite.

more...
ko-hcode

more detail
2024-04-28VuXML ID 5da8b1e6-0591-11ef-9e00-080027957747

GLPI team reports:

GLPI 10.0.15 Changelog

  • [SECURITY - high] Authenticated SQL injection from map search (CVE-2024-31456)
  • [SECURITY - high] Account takeover via SQL Injection in saved searches feature (CVE-2024-29889)
more...
glpi

more detail
2024-04-28VuXML ID b3affee8-04d1-11ef-8928-901b0ef714d4

GitHub Advisory Database:

Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change collation of the affected field.

more...
py310-social-auth-app-django
py311-social-auth-app-django
py38-social-auth-app-django
py39-social-auth-app-django

more detail
2024-04-25*VuXML ID 0309c898-3aed-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library chosen is sodium.

more...
glpi

more detail
2024-04-25*VuXML ID 07aecafa-3b12-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6.

more...
glpi

more detail
2024-04-25*VuXML ID 09eef008-3b16-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection. Since authentication is not required to perform these changes, anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2.

more...
glpi

more detail
2024-04-25*VuXML ID 0ba61fcc-3b38-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an API account to the system. The issue is patched in version 9.5.2. A proof-of-concept with technical details is available in the linked advisory.

more...
glpi

more detail
2024-04-25*VuXML ID 190176ce-3b3a-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).

more...
glpi

more detail
2024-04-25*VuXML ID 27a230a2-3b11-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "alert(1)" reproduces the attack. This can be exploited by a user with administrator privileges in the User-Agent field. It can also be exploited by an outside party through the following steps:

  1. Create a user with the surname `" onmouseover="alert(document.cookie)` and an empty first name.
  2. With this user, create a ticket.
  3. As an administrator (or other privileged user) open the created ticket.
  4. On the "last update" field, put your mouse on the name of the user.
  5. The XSS fires.

This is fixed in version 9.4.6.

more...
glpi

more detail
2024-04-25*VuXML ID 3a63f478-3b10-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. This is fixed in version 9.4.6.

more...
glpi

more detail
2024-04-25*VuXML ID 5acd95db-3b16-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.

more...
glpi

more detail
2024-04-25*VuXML ID 675e5098-3b15-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.5.2, the pluginimage.send.php endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in /files/. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2.

more...
glpi

more detail
2024-04-25*VuXML ID 68958e18-ed94-11ed-9688-b42e991fc52e

glpi Project reports:

Multiple vulnerabilities found and fixed in this version:

  • High CVE-2023-28849: SQL injection and Stored XSS via inventory agent request.
  • High CVE-2023-28632: Account takeover by authenticated user.
  • High CVE-2023-28838: SQL injection through dynamic reports.
  • Moderate CVE-2023-28852: Stored XSS through dashboard administration.
  • Moderate CVE-2023-28636: Stored XSS on external links.
  • Moderate CVE-2023-28639: Reflected XSS in search pages.
  • Moderate CVE-2023-28634: Privilege Escalation from technician to super-admin.
  • Low CVE-2023-28633: Blind Server-Side Request Forgery (SSRF) in RSS feeds.
more...
glpi

more detail
2024-04-25*VuXML ID 695b2310-3b3a-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).

more...
glpi

more detail
2024-04-25*VuXML ID 6a467439-3b38-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. This issue is fixed in version 9.5.3. As a workaround, one can remove the caldav.php file to block access to the CalDAV server.

more...
glpi

more detail
2024-04-25VuXML ID 7a42852d-0347-11ef-9f97-a8a1599412c6

Chrome Releases reports:

This update includes 4 security fixes:

  • [332546345] Critical CVE-2024-4058: Type Confusion in ANGLE. Reported by Toan (suto) Pham and Bao (zx) Pham of Qrious Secure on 2024-04-02
  • [333182464] High CVE-2024-4059: Out of bounds read in V8 API. Reported by Eirik on 2024-04-08
  • [333420620] High CVE-2024-4060: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
more...
chromium
ungoogled-chromium

more detail
2024-04-25*VuXML ID 7f163c81-3b12-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1.

more...
glpi

more detail
2024-04-25*VuXML ID 832fd11b-3b11-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

more...
glpi

more detail
2024-04-25*VuXML ID aec9cbe0-3b0f-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to the full list of users when querying apirest.php/User. The response contains:

  • All api_tokens, which can be used to do privilege escalations or read/update/delete data normally not accessible to the current user.
  • All personal_tokens, which can display another user's planning.

Exploiting this vulnerability requires the api to be enabled and a technician account. It can be mitigated by adding an application token. This is fixed in version 9.4.6.

more...
glpi

more detail
2024-04-25*VuXML ID b3695b08-3b3a-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

GLPI before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. Problem is we can not know which columns or rows in the database are using that; especially from plugins. Changing the key without updating data would lend in bad password sent from glpi; but storing them again from the UI will work.

more...
glpi

more detail
2024-04-25*VuXML ID b3aae7ea-3aef-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances. Exploiting this vulnerability requires a technician account. This is fixed in version 9.4.6.

more...
glpi

more detail
2024-04-25*VuXML ID b64edef7-3b10-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.

more...
glpi

more detail
2024-04-25*VuXML ID b7abdb0f-3b15-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query, the application does not escape or sanitize, allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2.

more...
glpi

more detail
2024-04-25*VuXML ID d222241d-91cc-11ea-82b8-4c72b94353b5

MITRE Corporation reports:

inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture.

more...
glpi

more detail
2024-04-25*VuXML ID d3f60db0-3aea-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of an admin account. This vulnerability could also be abused to obtain other sensitive fields like API keys or password hashes.

more...
glpi

more detail
2024-04-24VuXML ID 1af16f2b-023c-11ef-8791-6805ca2fa271

PowerDNS Team reports:

PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor

more...
powerdns-recursor

more detail
2024-04-24VuXML ID b857606c-0266-11ef-8681-001b217b3468

Gitlab reports:

GitLab account takeover, under certain conditions, when using Bitbucket as an OAuth provider

Path Traversal leads to DoS and Restricted File Read

Unauthenticated ReDoS in FileFinder when using wildcard filters in project file search

Personal Access Token scopes not honoured by GraphQL subscriptions

Domain based restrictions bypass using a crafted email address

more...
gitlab-ce
gitlab-ee

more detail
2024-04-24VuXML ID bdfa6c04-027a-11ef-9c21-901b0e9408dc

Matrix developers report:

Weakness in auth chain indexing allows DoS from remote room members through disk fill and high CPU usage. (High severity)

more...
py310-matrix-synapse
py311-matrix-synapse
py38-matrix-synapse
py39-matrix-synapse

more detail
2024-04-23VuXML ID 2ce1a2f1-0177-11ef-a45e-08002784c58d

sp2ip reports:

If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.

more...
ruby
ruby31
ruby32
ruby33

more detail
2024-04-22VuXML ID 304d92c3-00c5-11ef-bd52-080027bff743

GitHub Security Lab reports:

stb_image.h and stb_vorbis libraries contain several memory access violations of different severity

  1. Wild address read in stbi__gif_load_next (GHSL-2023-145).
  2. Multi-byte read heap buffer overflow in stbi__vertical_flip (GHSL-2023-146).
  3. Disclosure of uninitialized memory in stbi__tga_load (GHSL-2023-147).
  4. Double-free in stbi__load_gif_main_outofmem (GHSL-2023-148).
  5. Null pointer dereference in stbi__convert_format (GHSL-2023-149).
  6. Possible double-free or memory leak in stbi__load_gif_main (GHSL-2023-150).
  7. Null pointer dereference because of an uninitialized variable (GHSL-2023-151).
  8. 0 byte write heap buffer overflow in start_decoder (GHSL-2023-165)
  9. Multi-byte write heap buffer overflow in start_decoder (GHSL-2023-166)
  10. Heap buffer out of bounds write in start_decoder (GHSL-2023-167)
  11. Off-by-one heap buffer write in start_decoder (GHSL-2023-168)
  12. Attempt to free an uninitialized memory pointer in vorbis_deinit (GHSL-2023-169)
  13. Null pointer dereference in vorbis_deinit (GHSL-2023-170)
  14. Out of bounds heap buffer write (GHSL-2023-171)
  15. Wild address read in vorbis_decode_packet_rest (GHSL-2023-172)
more...
sdl2_sound

more detail
2024-04-22VuXML ID bb49f1fa-00da-11ef-92b7-589cfc023192

GLPI team reports:

GLPI 10.0.13 Changelog

  • [SECURITY - high] SQL Injection through the search engine (CVE-2024-27096)
  • [SECURITY - moderate] Blind SSRF using Arbitrary Object Instantiation (CVE-2024-27098)
  • [SECURITY - moderate] Stored XSS in dashboards (CVE-2024-27104)
  • [SECURITY - moderate] Reflected XSS in debug mode (CVE-2024-27914)
  • [SECURITY - moderate] Sensitive fields access through dropdowns (CVE-2024-27930)
  • [SECURITY - moderate] Users emails enumeration (CVE-2024-27937)
more...
glpi

more detail
2024-04-22VuXML ID ed688880-00c4-11ef-92b7-589cfc023192

GLPI team reports:

GLPI 10.0.11 Changelog

  • [SECURITY - moderate] Authenticated SQL Injection (CVE-2023-43813)
  • [SECURITY - high] SQL injection through inventory agent request (CVE-2023-46727)
  • [SECURITY - high] Remote code execution from LDAP server configuration form on PHP 7.4 (CVE-2023-46726)
more...
glpi

more detail
2024-04-22VuXML ID faccf131-00d9-11ef-92b7-589cfc023192

GLPI team reports:

GLPI 10.0.12 Changelog

  • [SECURITY - moderate] Reflected XSS in reports pages (CVE-2024-23645)
  • [SECURITY - moderate] LDAP Injection during authentication (CVE-2023-51446)
more...
glpi

more detail
2024-04-21VuXML ID 9bed230f-ffc8-11ee-8e76-a8a1599412c6

Chrome Releases reports:

This update includes 23 security fixes:

  • [331358160] High CVE-2024-3832: Object corruption in V8. Reported by Man Yue Mo of GitHub Security Lab on 2024-03-27
  • [331383939] High CVE-2024-3833: Object corruption in WebAssembly. Reported by Man Yue Mo of GitHub Security Lab on 2024-03-27
  • [330759272] High CVE-2024-3914: Use after free in V8. Reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024 on 2024-03-21
  • [326607008] High CVE-2024-3834: Use after free in Downloads. Reported by ChaobinZhang on 2024-02-24
  • [41491379] Medium CVE-2024-3837: Use after free in QUIC. Reported by {rotiple, dch3ck} of CW Research Inc. on 2024-01-15
  • [328278717] Medium CVE-2024-3838: Inappropriate implementation in Autofill. Reported by Ardyan Vicky Ramadhan on 2024-03-06
  • [41491859] Medium CVE-2024-3839: Out of bounds read in Fonts. Reported by Ronald Crane (Zippenhop LLC) on 2024-01-16
  • [41493458] Medium CVE-2024-3840: Insufficient policy enforcement in Site Isolation. Reported by Ahmed ElMasry on 2024-01-22
  • [330376742] Medium CVE-2024-3841: Insufficient data validation in Browser Switcher. Reported by Oleg on 2024-03-19
  • [41486690] Medium CVE-2024-3843: Insufficient data validation in Downloads. Reported by Azur on 2023-12-24
  • [40058873] Low CVE-2024-3844: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2022-02-23
  • [323583084] Low CVE-2024-3845: Inappropriate implementation in Network. Reported by Daniel Baulig on 2024-02-03
  • [40064754] Low CVE-2024-3846: Inappropriate implementation in Prompts. Reported by Ahmed ElMasry on 2023-05-23
  • [328690293] Low CVE-2024-3847: Insufficient policy enforcement in WebUI. Reported by Yan Zhu on 2024-03-08
more...
chromium
ungoogled-chromium

more detail
2024-04-19VuXML ID 4ebdd56b-fe72-11ee-bc57-00e081b7aa2d

Jenkins Security Advisory:

Description

(Medium) SECURITY-3386 / CVE-2023-48795

Terrapin SSH vulnerability in Jenkins CLI client

more...
jenkins
jenkins-lts

more detail
2024-04-19VuXML ID ecafc4af-fe8a-11ee-890c-08002784c58d

Błażej Pawłowski reports:

A vulnerability in the HTML parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an issue in the C to Rust foreign function interface. An attacker could exploit this vulnerability by submitting a crafted file containing HTML content to be scanned by ClamAV on an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

more...
clamav

more detail
2024-04-18VuXML ID f90bf863-e43c-4db3-b5a8-d9603684657a

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-3515.
  • Security: backported fix for CVE-2024-3516.
  • Security: backported fix for CVE-2024-3157.
  • Security: backported fix for CVE-2024-1580.
more...
electron27
electron28
electron29

more detail
2024-04-16VuXML ID 080936ba-fbb7-11ee-abc8-6960f2492b1d

Simon Tatham reports:

ECDSA signatures using 521-bit keys (the NIST P521 curve, otherwise known as ecdsa-sha2-nistp521) were generated with biased random numbers. This permits an attacker in possession of a few dozen signatures to RECOVER THE PRIVATE KEY.

Any 521-bit ECDSA private key that PuTTY or Pageant has used to sign anything should be considered compromised.

Additionally, if you have any 521-bit ECDSA private keys that you've used with PuTTY, you should consider them to be compromised: generate new keys, and remove the old public keys from any authorized_keys files.

A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), [...] and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.

more...
filezilla
putty
putty-nogtk

more detail
2024-04-16VuXML ID 6d82c5e9-fc24-11ee-a689-04421a1baf97

This update includes 3 security fixes:

  • High CVE-2024-1874: Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows
  • Medium CVE-2024-2756: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
  • High CVE-2024-2757: mb_encode_mimeheader runs endlessly for some inputs
more...
php81
php82
php83

more detail
2024-04-15VuXML ID cdb5e0e3-fafc-11ee-9c21-901b0e9408dc

The Go project reports:

http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.

more...
go121
go122

more detail
2024-04-12VuXML ID 7314942b-0889-46f0-b02b-2c60aabe4a82

Chrome Releases reports:

This update includes 3 security fixes:

  • [331237485] High CVE-2024-3157: Out of bounds write in Compositing. Reported by DarkNavy on 2024-03-26
  • [328859176] High CVE-2024-3516: Heap buffer overflow in ANGLE. Reported by Bao (zx) Pham and Toan (suto) Pham of Qrious Secure on 2024-03-09
  • [331123811] High CVE-2024-3515: Use after free in Dawn. Reported by wgslfuzz on 2024-03-25
more...
chromium
ungoogled-chromium

more detail
2024-04-11VuXML ID 02be46c1-f7cc-11ee-aa6b-b42e991fc52e

cve@mitre.org reports:

latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

more...
jose

more detail
2024-04-11VuXML ID 31617e47-7eec-4c60-9fdf-8aee61622bab

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-3159.
more...
electron27
electron28

more detail
2024-04-11VuXML ID 7c217849-f7d7-11ee-a490-84a93843eb75

The OpenSSL project reports:

Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions

more...
openssl
openssl-quictls
openssl31
openssl31-quictls
openssl32

more detail
2024-04-11VuXML ID c092be0e-f7cc-11ee-aa6b-b42e991fc52e

security@golang.org reports:

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

more...
forgejo

more detail
2024-04-11VuXML ID dad6294c-f7c1-11ee-bb77-001b217b3468

Gitlab reports:

Stored XSS injected in diff viewer

Stored XSS via autocomplete results

ReDoS on Integrations Chat Messages

ReDoS During Parse Junit Test Report

more...
gitlab-ce

more detail
2024-04-11VuXML ID f0ba7008-2bbd-11ef-b4ca-814a3d504243

The forgejo team reports:

CVE-2024-24789: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file.

The OAuth2 implementation does not always require authentication for public clients, a requirement of RFC 6749 Section 10.2. A malicious client can impersonate another client and obtain access to protected resources if the impersonated client fails to, or is unable to, keep its client credentials confidential.

more...
forgejo

more detail
2024-04-10VuXML ID ea4a2dfc-f761-11ee-af2c-589cfc0f81b0

The WordPress team reports:

A cross-site scripting (XSS) vulnerability affecting the Avatar block type

more...
de-wordpress-de_DE
fr-wordpress-fr_FR
ja-wordpress-ja
ru-wordpress-ru_RU
wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW

more detail
2024-04-05VuXML ID 8e6f684b-f333-11ee-a573-84a93843eb75

The Apache httpd project reports:

HTTP/2 DoS by memory exhaustion on endless continuation frames

HTTP Response Splitting in multiple modules

more...
apache24
mod_http2

more detail
2024-04-05VuXML ID c2431c4e-622c-4d92-996d-d8b5258ae8c9

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-2885.
  • Security: backported fix for CVE-2024-2883.
  • Security: backported fix for CVE-2024-2887.
  • Security: backported fix for CVE-2024-2886.
more...
electron27
electron28

more detail
2024-04-04VuXML ID 4a026b6c-f2b8-11ee-8e76-a8a1599412c6

Chrome Releases reports:

This update includes 3 security fixes:

  • [329130358] High CVE-2024-3156: Inappropriate implementation in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-03-12
  • [329965696] High CVE-2024-3158: Use after free in Bookmarks. Reported by undoingfish on 2024-03-17
  • [330760873] High CVE-2024-3159: Out of bounds memory access in V8. Reported by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks, via Pwn2Own 2024 on 2024-03-22
more...
chromium
ungoogled-chromium

more detail
2024-04-04VuXML ID 57561cfc-f24b-11ee-9730-001fc69cd6dc

The X.Org project reports:

  • CVE-2024-31080: Heap buffer overread/data leakage in ProcXIGetSelectedEvents

    The ProcXIGetSelectedEvents() function uses the byte-swapped length of the return data for the amount of data to return to the client, if the client has a different endianness than the X server.

  • CVE-2024-31081: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice

    The ProcXIPassiveGrabDevice() function uses the byte-swapped length of the return data for the amount of data to return to the client, if the client has a different endianness than the X server.

  • CVE-2024-31083: Use-after-free in ProcRenderAddGlyphs

    The ProcRenderAddGlyphs() function calls the AllocateGlyph() function to store new glyphs sent by the client to the X server. AllocateGlyph() would return a new glyph with refcount=0 and a re-used glyph would end up not changing the refcount at all. The resulting glyph_new array would thus have multiple entries pointing to the same non-refcounted glyphs. ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when the same glyph pointer is then later used.

more...
xephyr
xorg-nextserver
xorg-server
xorg-vfbserver
xwayland
xwayland-devel

more detail
2024-04-02 VuXML ID 2e3bea0c-f110-11ee-bc57-00e081b7aa2d

Jenkins Security Advisory:

Description

(High) SECURITY-3379 / CVE-2024-22201

HTTP/2 denial of service vulnerability in bundled Jetty

more...
jenkins
jenkins-lts

more detail
2024-04-01* VuXML ID 21a854cc-cac1-11ee-b7a7-353f1e043d9a

Simon Kelley reports:

If DNSSEC validation is enabled, then an attacker who can force a DNS server to validate a specially crafted signed domain can use a lot of CPU in the validator. This only affects dnsmasq installations with DNSSEC enabled.

Stichting NLnet Labs reports:

The KeyTrap [CVE-2023-50387] vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path.

The NSEC3 [CVE-2023-50868] vulnerability uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path.

more...
bind9-devel
bind916
bind918
dnsmasq
dnsmasq-devel
FreeBSD
powerdns-recursor
unbound

more detail
2024-03-31 VuXML ID d58726ff-ef5e-11ee-8d8e-080027a5b8e9

Mediawiki reports:

(T355538, CVE-2024-PENDING) SECURITY: XSS in edit summary parser.

(T357760, CVE-2024-PENDING) SECURITY: Denial of service vector via GET request to Special:MovePage on pages with thousands of subpages.

more...
mediawiki139
mediawiki140
mediawiki141

more detail
2024-03-29 VuXML ID bdcd041e-5811-4da3-9243-573a9890fdb1

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-2625.
more...
electron27
electron28

more detail
2024-03-28 VuXML ID d2992bc2-ed18-11ee-96dc-001b217b3468

Gitlab reports:

Stored-XSS injected in Wiki page via Banzai pipeline

DOS using crafted emojis

more...
gitlab-ce

more detail
2024-03-27 VuXML ID 814af1be-ec63-11ee-8e76-a8a1599412c6

Chrome Releases reports:

This update includes 7 security fixes:

  • [327807820] Critical CVE-2024-2883: Use after free in ANGLE. Reported by Cassidy Kim(@cassidy6564) on 2024-03-03
  • [328958020] High CVE-2024-2885: Use after free in Dawn. Reported by wgslfuzz on 2024-03-11
  • [330575496] High CVE-2024-2886: Use after free in WebCodecs. Reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024 on 2024-03-21
  • [330588502] High CVE-2024-2887: Type Confusion in WebAssembly. Reported by Manfred Paul, via Pwn2Own 2024 on 2024-03-21
more...
chromium
ungoogled-chromium

more detail
2024-03-26 VuXML ID 34f98d06-eb56-11ee-8007-6805ca2fa271

Quiche Releases reports:

This release includes 2 security fixes:

  • CVE-2024-1410: Unbounded storage of information related to connection ID retirement, in quiche. Reported by Marten Seeman (@marten-seeman)
  • CVE-2024-1765: Unlimited resource allocation by QUIC CRYPTO frames flooding in quiche. Reported by Marten Seeman (@marten-seeman)
more...
quiche

more detail
2024-03-26* VuXML ID 6d31ef38-df85-11ee-abf1-6c3be5272acd

Grafana Labs reports:

The vulnerability impacts Grafana Cloud and Grafana Enterprise instances, and it is exploitable if a user who should not be able to access all data sources is granted permissions to create a data source.

By default, only organization Administrators are allowed to create a data source and have full access to all data sources. All other users need to be explicitly granted permission to create a data source, which then means they could exploit this vulnerability.

When a user creates a data source via the API, they can specify data source UID. If the UID is set to an asterisk (*), the user gains permissions to query, update, and delete all data sources in the organization. The exploit, however, does not stretch across organizations — to exploit the vulnerability in several organizations, a user would need permissions to create data sources in each organization.

The vulnerability comes from a lack of UID validation. When evaluating permissions, we interpret an asterisk (*) as a wild card for all resources. Therefore, we should treat it as a reserved value, and not allow the creation of a resource with the UID set to an asterisk.

The CVSS score for this vulnerability is 6 Medium.

more...
grafana
grafana9

more detail
2024-03-26 VuXML ID 8b3be705-eba7-11ee-99b3-589cfc0f81b0

phpMyFAQ team reports:

The phpMyFAQ Team has learned of multiple security issues that'd been discovered in phpMyFAQ 3.2.5 and earlier. phpMyFAQ contains cross-site scripting (XSS), SQL injection and bypass vulnerabilities.

more...
phpmyfaq-php81
phpmyfaq-php82
phpmyfaq-php83

more detail
2024-03-26 VuXML ID f661184a-eb90-11ee-92fc-1c697a616631

GNU Emacs developers report:

Emacs 29.3 is an emergency bugfix release intended to fix several security vulnerabilities.

  • Arbitrary Lisp code is no longer evaluated as part of turning on Org mode. This is for security reasons, to avoid evaluating malicious Lisp code.
  • New buffer-local variable 'untrusted-content'. When this is non-nil, Lisp programs should treat buffer contents with extra caution.
  • Gnus now treats inline MIME contents as untrusted. To get back previous insecure behavior, 'untrusted-content' should be reset to nil in the buffer.
  • LaTeX preview is now by default disabled for email attachments. To get back previous insecure behavior, set the variable 'org--latex-preview-when-risky' to a non-nil value.
  • Org mode now considers contents of remote files to be untrusted. Remote files are recognized by calling 'file-remote-p'.
more...
emacs
emacs-canna
emacs-nox

more detail
2024-03-22 VuXML ID 80815c47-e84f-11ee-8e76-a8a1599412c6

Chrome Releases reports:

This update includes 12 security fixes:

  • [327740539] High CVE-2024-2625: Object lifecycle issue in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-03-01
  • [40945098] Medium CVE-2024-2626: Out of bounds read in Swiftshader. Reported by Cassidy Kim(@cassidy6564) on 2023-11-22
  • [41493290] Medium CVE-2024-2627: Use after free in Canvas. Reported by Anonymous on 2024-01-21
  • [41487774] Medium CVE-2024-2628: Inappropriate implementation in Downloads. Reported by Ath3r1s on 2024-01-03
  • [41487721] Medium CVE-2024-2629: Incorrect security UI in iOS. Reported by Muneaki Nishimura (nishimunea) on 2024-01-02
  • [41481877] Medium CVE-2024-2630: Inappropriate implementation in iOS. Reported by James Lee (@Windowsrcer) on 2023-12-07
  • [41495878] Low CVE-2024-2631: Inappropriate implementation in iOS. Reported by Ramit Gangwar on 2024-01-29
more...
chromium
ungoogled-chromium

more detail
2024-03-21 VuXML ID 7a7129ef-e790-11ee-a1c0-0050569f0b83

Shibboleth Developers report:

The Identity Provider's CAS support relies on a function in the Spring Framework to parse CAS service URLs and append the ticket parameter.

more...
shibboleth-idp

more detail
2024-03-20 VuXML ID a8448963-e6f5-11ee-a784-dca632daf43b

MongoDB, Inc. reports:

A security vulnerability was found where a server process running MongoDB 3.2.6 or later will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured (CVE-2024-1351).

more...
mongodb44
mongodb50
mongodb60
mongodb70

more detail
2024-03-18 VuXML ID 05b7180b-e571-11ee-a1c0-0050569f0b83

The Varnish Development Team reports:

A denial of service attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker can let the server's HTTP/2 connection control flow window run out of credits indefinitely and prevent progress in the processing of streams, retaining the associated resources.

more...
varnish7

more detail
2024-03-17 VuXML ID 0a48e552-e470-11ee-99b3-589cfc0f81b0

The Amavis project reports:

Emails which consist of multiple parts (`Content-Type: multipart/*`) incorporate boundary information stating at which point one part ends and the next part begins.

A boundary is announced by a Content-Type header's `boundary` parameter. To our current knowledge, RFC2046 and RFC2045 do not explicitly specify how a parser should handle multiple boundary parameters that contain conflicting values. As a result, there is no canonical choice which of the values should or should not be used for mime part decomposition.

more...
amavisd-new

more detail
2024-03-16 VuXML ID 1ad3d264-e36b-11ee-9c27-40b034429ecf

Typo3 developers report:

All versions are security releases and contain important security fixes - read the corresponding security advisories here:

  • Path Traversal in TYPO3 File Abstraction Layer Storages CVE-2023-30451
  • Code Execution in TYPO3 Install Tool CVE-2024-22188
  • Information Disclosure of Hashed Passwords in TYPO3 Backend Forms CVE-2024-25118
  • Information Disclosure of Encryption Key in TYPO3 Install Tool CVE-2024-25119
  • Improper Access Control of Resources Referenced by t3:// URI Scheme CVE-2024-25120
  • Improper Access Control Persisting File Abstraction Layer Entities via Data Handler CVE-2024-25121
more...
typo3-11
typo3-12

more detail
2024-03-14 VuXML ID 49dd9362-4473-48ae-8fac-e1b69db2dedf

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-2173.
more...
electron27
electron28

more detail
2024-03-12 VuXML ID b6dd9d93-e09b-11ee-92fc-1c697a616631

Intel reports:

2024.1 IPU - Intel Processor Bus Lock Advisory

A potential security vulnerability in the bus lock regulator mechanism for some Intel Processors may allow denial of service. Intel is releasing firmware updates to mitigate this potential vulnerability.

2024.1 IPU - Intel Processor Return Predictions Advisory

A potential security vulnerability in some Intel Processors may allow information disclosure.

2024.1 IPU - Intel Atom Processor Advisory

A potential security vulnerability in some Intel Atom Processors may allow information disclosure.

2024.1 IPU - Intel Xeon Processor Advisory

A potential security vulnerability in some 3rd and 4th Generation Intel Xeon Processors when using Intel Software Guard Extensions (SGX) or Intel Trust Domain Extensions (TDX) may allow escalation of privilege.

2024.1 IPU OOB - Intel Xeon D Processor Advisory

A potential security vulnerability in some Intel Xeon D Processors with Intel Software Guard Extensions (SGX) may allow information disclosure.

more...
cpu-microcode-intel

more detail
2024-03-09 VuXML ID c2ad8700-de25-11ee-9190-84a93843eb75

NLNet Labs reports:

Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration.

more...
unbound

more detail
2024-03-07 VuXML ID b2caae55-dc38-11ee-96dc-001b217b3468

Gitlab reports:

Bypassing CODEOWNERS approval allowing to steal protected variables

Guest with manage group access tokens can rotate and see group access token with owner permissions

more...
gitlab-ce

more detail
2024-03-07 VuXML ID e74da31b-276a-4a22-9772-17dd42b97559

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-25062.
more...
electron27
electron28

more detail
2024-03-06 VuXML ID b1b039ec-dbfc-11ee-9165-901b0e9408dc

The Go project reports:

crypto/x509: Verify panics on certificates with an unknown public key algorithm

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.

net/http: memory exhaustion in Request.ParseMultipartForm

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.

net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.

html/template: errors returned from MarshalJSON methods may break template escaping

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

net/mail: comments in display names are incorrectly handled

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

more...
go121
go122

more detail
2024-03-06 VuXML ID fd3401a1-b6df-4577-917a-2c22fee99d34

Chrome Releases reports:

This update includes 3 security fixes:

  • [325893559] High CVE-2024-2173: Out of bounds memory access in V8. Reported by 5fceb6172bbf7e2c5a948183b53565b9 on 2024-02-19
  • [325866363] High CVE-2024-2174: Inappropriate implementation in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be8 on 2024-02-19
  • [325936438] High CVE-2024-2176: Use after free in FedCM. Reported by Anonymous on 2024-02-20
more...
chromium
ungoogled-chromium

more detail
2024-03-04 VuXML ID 0ef3398e-da21-11ee-b23a-080027a5b8e9

Django reports:

CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words().

more...
py310-django32
py310-django42
py310-django50
py311-django32
py311-django42
py311-django50
py39-django32
py39-django42

more detail
2024-03-01 VuXML ID 46a9eb0f-d7d2-11ee-bb12-001b217b3468

support@hackerone.com reports:

On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.

more...
null

more detail
2024-03-01 VuXML ID 77a6f1c9-d7d2-11ee-bb12-001b217b3468

Node.js reports:

Code injection and privilege escalation through Linux capabilities - (High)

http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks - (High)

Path traversal by monkey-patching Buffer internals- (High)

setuid() does not drop all privileges due to io_uring - (High)

Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)

Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)

Improper handling of wildcards in --allow-fs-read and --allow-fs-write - (Medium)

Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)

more...
node
node16
node18
node20
node21

more detail
2024-02-29 VuXML ID 31bb1b8d-d6dc-11ee-86bb-a8a1599412c6

Chrome Releases reports:

This update includes 4 security fixes:

  • [324596281] High CVE-2024-1938: Type Confusion in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be8 on 2024-02-11
  • [323694592] High CVE-2024-1939: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2024-02-05
more...
chromium
ungoogled-chromium

more detail
2024-02-29 VuXML ID 3567456a-6b17-41f7-ba7f-5cd3efb2b7c9

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-1670.
more...
electron27
electron28

more detail
2024-02-28 VuXML ID 02e33cd1-c655-11ee-8613-08002784c58d

Hiroki Kurosawa reports:

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.

more...
curl

more detail
2024-02-28 VuXML ID 3dada2d5-4e17-4e39-97dd-14fdbd4356fb

sep@nlnetlabs.nl reports:

Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too quickly after opening.

more...
null

more detail
2024-02-24 VuXML ID 2a470712-d351-11ee-86bb-a8a1599412c6

Chrome Releases reports:

This update includes 12 security fixes:

  • [41495060] High CVE-2024-1669: Out of bounds memory access in Blink. Reported by Anonymous on 2024-01-26
  • [41481374] High CVE-2024-1670: Use after free in Mojo. Reported by Cassidy Kim(@cassidy6564) on 2023-12-06
  • [41487933] Medium CVE-2024-1671: Inappropriate implementation in Site Isolation. Reported by Harry Chen on 2024-01-03
  • [41485789] Medium CVE-2024-1672: Inappropriate implementation in Content Security Policy. Reported by Georg Felber (TU Wien) & Marco Squarcina (TU Wien) on 2023-12-19
  • [41490491] Medium CVE-2024-1673: Use after free in Accessibility. Reported by Weipeng Jiang (@Krace) of VRI on 2024-01-11
  • [40095183] Medium CVE-2024-1674: Inappropriate implementation in Navigation. Reported by David Erceg on 2019-05-27
  • [41486208] Medium CVE-2024-1675: Insufficient policy enforcement in Download. Reported by Bartłomiej Wacko on 2023-12-21
  • [40944847] Low CVE-2024-1676: Inappropriate implementation in Navigation. Reported by Khalil Zhani on 2023-11-21
more...
chromium
ungoogled-chromium

more detail
2024-02-24 VuXML ID 5ecfb588-d2f4-11ee-ad82-dbdfaa8acfc2

Problem Description:

  • The Wiki page did not sanitize author name
  • the reviewer name on a "dismiss review" comment is also affected
  • the migration page has some spots
more...
gitea

more detail
2024-02-23 VuXML ID 255bf44c-d298-11ee-9c27-40b034429ecf

c-ares project reports:

Reading malformatted /etc/resolv.conf, /etc/nsswitch.conf or the HOSTALIASES file could result in a crash.

more...
c-ares

more detail
2024-02-23 VuXML ID 80ad6d6c-b398-457f-b88f-bf6be0bbad44

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-1283.
  • Security: backported fix for CVE-2024-1284.
more...
electron27

more detail
2024-02-23 VuXML ID 979dc373-d27d-11ee-8b84-b42e991fc52e

Suricata team reports:

Multiple vulnerabilities fixed in the last release of suricata.

No details have been disclosed yet

more...
suricata

more detail
2024-02-22 VuXML ID 03bf5157-d145-11ee-acee-001b217b3468

Gitlab reports:

Stored-XSS in user's profile page

User with "admin_group_members" permission can invite other groups to gain owner access

ReDoS issue in the Codeowners reference extractor

LDAP user can reset password using secondary email and login using direct authentication

Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard

Users with the Guest role can change Custom dashboard projects settings for projects in the victim group

Group member with sub-maintainer role can change title of shared private deploy keys

Bypassing approvals of CODEOWNERS

more...
gitlab-ce

more detail
2024-02-20 VuXML ID 6a851dc0-cfd2-11ee-ac09-6c3be5272acd

Grafana Labs reports:

The vulnerability impacts instances where Grafana basic authentication is enabled.

Grafana has a verify_email_enabled configuration option. When this option is enabled, users are required to confirm their email addresses before the sign-up process is complete. However, the email is only checked at the time of the sign-up. No further verification is carried out if a user’s email address is updated after the initial sign-up. Moreover, Grafana allows using an email address as the user’s login name, and no verification is ever carried out for this email address.

This means that even if the verify_email_enabled configuration option is enabled, users can use unverified email addresses to log into Grafana if the email address has been changed after the sign up, or if an email address is set as the login name.

The CVSS score for this vulnerability is [5.4 Medium] (CVSS).

more...
grafana
grafana10
grafana9

more detail
2024-02-16 VuXML ID e15ba624-cca8-11ee-84ca-b42e991fc52e

cve@mitre.org reports:

CVE-2023-50868: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

more...
powerdns-recursor

more detail
2024-02-15 VuXML ID bd7592a1-cbfd-11ee-a42a-5404a6f3ca32

Problem Description:

Even with RequireSignInView enabled, anonymous users can use docker pull to fetch public images.

more...
gitea

more detail
2024-02-15 VuXML ID c97a4ecf-cc25-11ee-b0ee-0050569f0b83

The nginx development team reports:

When using HTTP/3 a segmentation fault might occur in a worker process while processing a specially crafted QUIC session.

more...
nginx-devel

more detail
2024-02-14* VuXML ID 43768ff3-c683-11ee-97d0-001b217b3468

Git community reports:

A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application

A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities

more...
eza
libgit2

more detail
2024-02-14 VuXML ID 46a29f83-cb47-11ee-b609-002590c1f29c

Problem Description:

The jail(2) system call has not limited a visibility of allocated TTYs (the kern.ttys sysctl). This gives rise to an information leak about processes outside the current jail.

Impact:

Attacker can get information about TTYs allocated on the host or in other jails. Effectively, the information printed by "pstat -t" may be leaked.

more...
FreeBSD-kernel

more detail
2024-02-14 VuXML ID 4edbea45-cb0c-11ee-86bb-a8a1599412c6

Chrome Releases reports:

This update includes 1 security fix.

more...
chromium
ungoogled-chromium

more detail
2024-02-14 VuXML ID c62285cb-cb46-11ee-b609-002590c1f29c

Problem Description:

`bhyveload -h ` may be used to grant loader access to the directory tree on the host. Affected versions of bhyveload(8) do not make any attempt to restrict loader's access to , allowing the loader to read any file the host user has access to.

Impact:

In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the loader scripts generally come from the guest image. A maliciously crafted script could be used to exfiltrate sensitive data from the host accessible to the user running bhyveload(8), which is often the system root.

more...
FreeBSD

more detail
2024-02-12 VuXML ID 388eefc0-c93f-11ee-92ce-4ccc6adda413

Google reports:

A heap buffer overflow exists in readstat_convert.

more...
readstat

more detail
2024-02-12 VuXML ID f161a5ad-c9bd-11ee-b7a7-353f1e043d9a

Austin Hackers Anonymous report:

Due to a failure in validating the number of scanline samples of an OpenEXR file containing deep scanline data, Academy Software Foundation OpenEXR image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability.

[...] it is in a routine that is predominantly used for development and testing. It is not likely to appear in production code.

more...
openexr

more detail
2024-02-11 VuXML ID cb22a9a6-c907-11ee-8d1c-40b034429ecf

Spreadsheet-ParseExcel reports:

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type eval "eval". Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

more...
p5-Spreadsheet-ParseExcel

more detail
2024-02-11 VuXML ID cbfc1591-c8c0-11ee-b45a-589cfc0f81b0

phpMyFAQ team reports:

phpMyFAQ doesn't implement sufficient checks to avoid XSS when storing on attachments filenames. The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large range of targets. phpMyFAQ's user removal page allows an attacker to spoof another user's detail, and in turn make a compelling phishing case for removing another user's account.

more...
phpmyfaq-php81
phpmyfaq-php82
phpmyfaq-php83

more detail
2024-02-08 VuXML ID 19047673-c680-11ee-86bb-a8a1599412c6

Chrome Releases reports:

This update includes 3 security fixes:

  • [41494539] High CVE-2024-1284: Use after free in Mojo. Reported by Anonymous on 2024-01-25
  • [41494860] High CVE-2024-1283: Heap buffer overflow in Skia. Reported by Jorge Buzeti (@r3tr074) on 2024-01-25
more...
chromium
qt5-webengine
qt6-webengine
ungoogled-chromium

more detail
2024-02-08 VuXML ID 19e6dd1b-c6a5-11ee-9cd0-6cc21735f730

PostgreSQL Project reports:

One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH. The fix for the vulnerability makes it so that all user-determined code is run as the view's owner, as expected.

more...
postgresql-server

more detail
2024-02-08 VuXML ID 33ba2241-c68e-11ee-9ef3-001999f8d30b

Composer reports:

Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php.

Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.

As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.

All Composer CLI commands are affected, including composer.phar's self-update.

more...
php81-composer
php82-composer
php83-composer

more detail
2024-02-08 VuXML ID 6b2cba6a-c6a5-11ee-97d0-001b217b3468

Gitlab reports:

Restrict group access token creation for custom roles

Project maintainers can bypass group's scan result policy block_branch_modification setting

ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax

Resource exhaustion using GraphQL vulnerabilitiesCountByDay

more...
gitlab-ce

more detail
2024-02-07 VuXML ID 68ae70c5-c5e5-11ee-9768-08002784c58d

The ClamAV project reports:

CVE-2024-20290
A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for end-of-string values during scanning, which may result in a heap buffer over-read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software and consuming available system resources.
CVE-2024-20328
Fixed a possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. To fix this issue, we disabled the '%f' format string parameter. ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment variable, instead of '%f'. But you should do so only from within an executable, such as a Python script, and not directly in the clamd.conf "VirusEvent" command.
more...
clamav
clamav-lts

more detail
2024-02-07 VuXML ID e0f6215b-c59e-11ee-a6db-080027a5b8e9

Django reports:

CVE-2024-24680: Potential denial-of-service in intcomma template filter.

more...
py310-django32
py310-django42
py311-django32
py311-django42
py311-django50
py39-django32
py39-django42

more detail
2024-02-02 VuXML ID 72d6d757-c197-11ee-86bb-a8a1599412c6

Chrome Releases reports:

This update includes 17 security fixes:

  • [1484394] High CVE-2024-0812: Inappropriate implementation in Accessibility. Reported by Anonymous on 2023-09-19
  • [1504936] High CVE-2024-0808: Integer underflow in WebUI. Reported by Lyra Rebane (rebane2001) on 2023-11-24
  • [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools. Reported by Shaheen Fazim on 2023-10-26
  • [1463935] Medium CVE-2024-0814: Incorrect security UI in Payments. Reported by Muneaki Nishimura (nishimunea) on 2023-07-11
  • [1477151] Medium CVE-2024-0813: Use after free in Reading Mode. Reported by @retsew0x01 on 2023-08-30
  • [1505176] Medium CVE-2024-0806: Use after free in Passwords. Reported by 18楼梦想改造家 on 2023-11-25
  • [1514925] Medium CVE-2024-0805: Inappropriate implementation in Downloads. Reported by Om Apip on 2024-01-01
  • [1515137] Medium CVE-2024-0804: Insufficient policy enforcement in iOS Security UI. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2024-01-03
  • [1494490] Low CVE-2024-0811: Inappropriate implementation in Extensions API. Reported by Jann Horn of Google Project Zero on 2023-10-21
  • [1497985] Low CVE-2024-0809: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-10-31
more...
chromium
ungoogled-chromium

more detail
2024-02-02 VuXML ID dc9e5237-c197-11ee-86bb-a8a1599412c6

Chrome Releases reports:

This update includes 4 security fixes:

  • [1511567] High CVE-2024-1060: Use after free in Canvas. Reported by Anonymous on 2023-12-14
  • [1514777] High CVE-2024-1059: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-12-29
  • [1511085] High CVE-2024-1077: Use after free in Network. Reported by Microsoft Security Research Center on 2023-12-13
more...
chromium
qt5-webengine
qt6-webengine
ungoogled-chromium

more detail
2024-02-01 VuXML ID 13a8c4bf-cb2b-48ec-b49c-a3875c72b3e8

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-0807.
more...
electron26
electron27
electron28

more detail
2024-01-31 VuXML ID 10dee731-c069-11ee-9190-84a93843eb75

The OpenSSL project reports:

Excessive time spent checking invalid RSA public keys (CVE-2023-6237)

PKCS12 Decoding crashes (CVE-2024-0727)

more...
openssl
openssl-quictls
openssl31
openssl31-quictls
openssl32

more detail
2024-01-31 VuXML ID 67c2eb06-5579-4595-801b-30355be24654

cve@mitre.org reports:

In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product was renamed), there is an unchecked buffer size during a memcpy in the Lizard_decompress_LIZv1 function (lib/lizard_decompress_liz.h). Remote attackers can leverage this vulnerability to cause a denial of service via a crafted input file, as well as achieve remote code execution.

more...
lizard

more detail
2024-01-31 VuXML ID bbcb1584-c068-11ee-bdd6-4ccc6adda413

Qt qtwebengine-chromium repo reports:

Backports for 3 security bugs in Chromium:

  • [1505080] High CVE-2024-0807: Use after free in WebAudio
  • [1504936] Critical CVE-2024-0808: Integer underflow in WebUI
  • [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools
more...
qt5-webengine
qt6-webengine

more detail
2024-01-29 VuXML ID a11e7dd1-bed4-11ee-bdd6-4ccc6adda413

Qt qtwebengine-chromium repo reports:

Backports for 8 security bugs in Chromium:

  • [1505053] High CVE-2023-6345: Integer overflow in Skia
  • [1501326] High CVE-2023-6702: Type Confusion in V8
  • [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
  • [1501798] High CVE-2024-0222: Use after free in ANGLE
  • [1505086] High CVE-2024-0224: Use after free in WebAudio
  • [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
  • [1507412] High CVE-2024-0518: Type Confusion in V8
  • [1517354] High CVE-2024-0519: Out of bounds memory access in V8
more...
qt5-webengine

more detail
2024-01-29 VuXML ID a25b323a-bed9-11ee-bdd6-4ccc6adda413

Qt qtwebengine-chromium repo reports:

Backports for 15 security bugs in Chromium:

  • [1505053] High CVE-2023-6345: Integer overflow in Skia
  • [1500856] High CVE-2023-6346: Use after free in WebAudio
  • [1494461] High CVE-2023-6347: Use after free in Mojo
  • [1501326] High CVE-2023-6702: Type Confusion in V8
  • [1502102] High CVE-2023-6703: Use after free in Blink
  • [1505708] High CVE-2023-6705: Use after free in WebRTC
  • [1500921] High CVE-2023-6706: Use after free in FedCM
  • [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
  • [1501798] High CVE-2024-0222: Use after free in ANGLE
  • [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE
  • [1505086] High CVE-2024-0224: Use after free in WebAudio
  • [1506923] High CVE-2024-0225: Use after free in WebGPU
  • [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
  • [1507412] High CVE-2024-0518: Type Confusion in V8
  • [1517354] High CVE-2024-0519: Out of bounds memory access in V8
more...
qt6-webengine

more detail
2024-01-26 VuXML ID 61fe903b-bc2e-11ee-b06e-001b217b3468

Gitlab reports:

Arbitrary file write while creating workspace

ReDoS in Cargo.toml blob viewer

Arbitrary API PUT requests via HTML injection in user's name

Disclosure of the public email in Tags RSS Feed

Non-Member can update MR Assignees of owned MRs

more...
gitlab-ce

more detail
2024-01-26 VuXML ID b5e22ec5-bc4b-11ee-b0b5-b42e991fc52e

Multiple vulnerabilities in ssh and golang

  • CVE-2023-45286: HTTP request body disclosure across requests in go-resty.
  • CVE-2023-48795: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks.
more...
rclone

more detail
2024-01-24 VuXML ID 8b03d274-56ca-489e-821a-cf32f07643f0

Jenkins Security Advisory:

Description

(Critical) SECURITY-3314 / CVE-2024-23897

Arbitrary file read vulnerability through the CLI can lead to RCE

Description

(High) SECURITY-3315 / CVE-2024-23898

Cross-site WebSocket hijacking vulnerability in the CLI

more...
jenkins
jenkins-lts

more detail
2024-01-23 VuXML ID 9532a361-b84d-11ee-b0d7-84a93843eb75

TinyMCE reports:

Special characters in unescaped text nodes can trigger mXSS when using TinyMCE undo/redo, getContentAPI, resetContentAPI, and Autosave plugin

more...
roundcube
tinymce

more detail
2024-01-22 VuXML ID fedf7e71-61bd-49ec-aaf0-6da14bdbb319

Tim Wojtulewicz of Corelight reports:

A specially-crafted series of packets containing nested MIME entities can cause Zeek to spend large amounts of time parsing the entities.

more...
zeek

more detail
2024-01-19 VuXML ID 2264566a-a890-46eb-a895-7881dd220bd0

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-0519.
more...
electron26

more detail
2024-01-18* VuXML ID a8326b61-eda0-4c03-9a5b-49ebd8f41c1a

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-0518.
  • Security: backported fix for CVE-2024-0517.
more...
electron26
electron27

more detail
2024-01-17 VuXML ID 1bc07be0-b514-11ee-86bb-a8a1599412c6

Chrome Releases reports:

This update includes 4 security fixes:

  • [1515930] High CVE-2024-0517: Out of bounds write in V8. Reported by Toan (suto) Pham of Qrious Secure on 2024-01-06
  • [1507412] High CVE-2024-0518: Type Confusion in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2023-12-03
  • [1517354] High CVE-2024-0519: Out of bounds memory access in V8. Reported by Anonymous on 2024-01-11
more...
chromium
ungoogled-chromium

more detail
2024-01-16 VuXML ID 7467c611-b490-11ee-b903-001fc69cd6dc

The X.Org project reports:

  • CVE-2023-6816: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer

    Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255 but the X.Org Server was only allocating space for the device's number of buttons, leading to a heap overflow if a bigger value was used.

  • CVE-2024-0229: Reattaching to different master device may lead to out-of-bounds memory access

    If a device has both a button class and a key class and numButtons is zero, we can get an out-of-bounds write due to event under-allocation in the DeliverStateNotifyEvent function.

  • CVE-2024-21885: Heap buffer overflow in XISendDeviceHierarchyEvent

    The XISendDeviceHierarchyEvent() function allocates space to store up to MAXDEVICES (256) xXIHierarchyInfo structures in info. If a device with a given ID was removed and a new device with the same ID added both in the same operation, the single device ID will lead to two info structures being written to info. Since this case can occur for every device ID at once, a total of two times MAXDEVICES info structures might be written to the allocation, leading to a heap buffer overflow.

  • CVE-2024-21886: Heap buffer overflow in DisableDevice

    The DisableDevice() function is called whenever an enabled device is disabled and it moves the device from the inputInfo.devices linked list to the inputInfo.off_devices linked list. However, its link/unlink operation has an issue during the recursive call to DisableDevice() due to the prev pointer pointing to a removed device. This issue leads to a length mismatch between the total number of devices and the number of device in the list, leading to a heap overflow and, possibly, to local privilege escalation.

more...
xephyr
xorg-nestserver
xorg-server
xorg-vfbserver
xwayland
xwayland-devel

more detail
2024-01-12 VuXML ID 28b42ef5-80cd-440c-904b-b7fbca74c73d

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-0224.
  • Security: backported fix for CVE-2024-0225.
  • Security: backported fix for CVE-2024-0223.
  • Security: backported fix for CVE-2024-0222.
more...
electron26
electron27

more detail
2024-01-12 VuXML ID 4c8c2218-b120-11ee-90ec-001b217b3468

Gitlab reports:

Account Takeover via Password Reset without user interactions

Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user

Bypass CODEOWNERS approval removal

Workspaces able to be created under different root namespace

Commit signature validation ignores headers after signature

more...
gitlab-ce

more detail
2024-01-11 VuXML ID 8337251b-b07b-11ee-b0d7-84a93843eb75

The OpenSSL project reports:

The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions.

more...
openssl
openssl-quictls
openssl31
openssl31-quictls
openssl32

more detail
2024-01-10 VuXML ID ec8e4040-afcd-11ee-86bb-a8a1599412c6

Chrome Releases reports:

This update includes 1 security fix:

  • [1513379] High CVE-2024-0333: Insufficient data validation in Extensions. Reported by Malcolm Stagg (@malcolmst) of SODIUM-24, LLC on 2023-12-20
more...
chromium
ungoogled-chromium

more detail
2024-01-07 VuXML ID e2f981f1-ad9e-11ee-8b55-4ccc6adda413

Andy Shaw reports:

A potential integer overflow has been discovered in Qt's HTTP2 implementation. If the HTTP2 implementation receives more than 4GiB in total headers, or more than 2GiB for any given header pair, then the internal buffers may overflow.

more...
qt5-network
qt6-base

more detail
2024-01-06 VuXML ID 1f0d0024-ac9c-11ee-8e91-1c697a013f4b

Mantis 2.25.8 release reports:

Security and maintenance release

  • 0032432: Update guzzlehttp/psr7 to 1.9.1 (CVE-2023-29197)
  • 0032981: Information Leakage on DokuWiki Integration (CVE-2023-44394)
more...
mantis-php74
mantis-php80
mantis-php81
mantis-php82
mantis-php83

more detail
2024-01-04 VuXML ID 0cee4f9c-5efb-4770-b917-f4e4569e8bec

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-6704.
  • Security: backported fix for CVE-2023-6705.
  • Security: backported fix for CVE-2023-6703.
  • Security: backported fix for CVE-2023-6702.
more...
electron26

more detail
2024-01-04 VuXML ID 3ee577a9-aad4-11ee-86bb-a8a1599412c6

Chrome Releases reports:

This update includes 6 security fixes:

  • [1501798] High CVE-2024-0222: Use after free in ANGLE. Reported by Toan (suto) Pham of Qrious Secure on 2023-11-13
  • [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE. Reported by Toan (suto) Pham and Tri Dang of Qrious Secure on 2023-11-24
  • [1505086] High CVE-2024-0224: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-25
  • [1506923] High CVE-2024-0225: Use after free in WebGPU. Reported by Anonymous on 2023-12-01
more...
chromium
ungoogled-chromium

more detail
2024-01-04 VuXML ID d1b20e09-dbdf-432b-83c7-89f0af76324a

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-6706.
  • Security: backported fix for CVE-2023-6705.
  • Security: backported fix for CVE-2023-6703.
  • Security: backported fix for CVE-2023-6702.
  • Security: backported fix for CVE-2023-6704.
more...
electron27

more detail
2024-01-02 VuXML ID 13d83980-9f18-11ee-8e38-002590c1f29c

Problem Description:

The SSH protocol executes an initial handshake between the server and the client. This protocol handshake includes the possibility of several extensions allowing different options to be selected. Validation of the packets in the handshake is done through sequence numbers.

Impact:

A man in the middle attacker can silently manipulate handshake messages to truncate extension negotiation messages potentially leading to less secure client authentication algorithms or deactivating keystroke timing attack countermeasures.

more...
FreeBSD

more detail
2023-12-31* VuXML ID 2fe004f5-83fd-11ee-9f5d-31909fb2f495

The OpenVPN community project team reports:

CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore "--fragment" configuration in some circumstances, leading to a division by zero when "--fragment" is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash.

Reported by Niccolo Belli and WIPocket (Github #400, #417).

CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417)

more...
openvpn
openvpn-devel

more detail
2023-12-22 VuXML ID 7015ab21-9230-490f-a2fe-f7557e3de25d

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-6508.
  • Security: backported fix for CVE-2023-7024.
more...
electron26
electron27

more detail
2023-12-21 VuXML ID 1b2a8e8a-9fd5-11ee-86bb-a8a1599412c6

Chrome Releases reports:

This update includes 1 security fix:

  • [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC. Reported by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group on 2023-12-19
more...
chromium
ungoogled-chromium

more detail
2023-12-21 VuXML ID b2765c89-a052-11ee-bed2-596753f1a87c

The Gitea team reports:

Update golang.org/x/crypto

more...
gitea

more detail
2023-12-19 VuXML ID 0f7598cc-9fe2-11ee-b47f-901b0e9408dc

Upstream reports:

Security fix:

  • Update golang.org/x/crypto, which includes a fix for CVE-2023-48795.
more...
nebula

more detail
2023-12-19 VuXML ID 76c2110b-9e97-11ee-ae23-a0f3c100ae18

Slurm release notes:

Description

CVE-2023-49933 through CVE-2023-49938

Slurm versions 23.11.1, 23.02.7, 22.05.11 are now available and address a number of recently-discovered security issues. They've been assigned CVE-2023-49933 through CVE-2023-49938.

more...
slurm-wlm

more detail
2023-12-19 VuXML ID 91955195-9ebb-11ee-bc14-a703705db3a6

Simon Tatham reports:

PuTTY version 0.80 [contains] one security fix [...] for a newly discovered security issue known as the 'Terrapin' attack, also numbered CVE-2023-48795. The issue affects widely-used OpenSSH extensions to the SSH protocol: the ChaCha20+Poly1305 cipher system, and 'encrypt-then-MAC' mode.

In order to benefit from the fix, you must be using a fixed version of PuTTY _and_ a server with the fix, so that they can agree to adopt a modified version of the protocol. [...]

more...
putty
putty-nogtk

more detail
2023-12-17 VuXML ID fd47fcfe-ec69-4000-b9ce-e5e62102c1c7

Nick Vatamane reports:

Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using various design document functions.

more...
couchdb

more detail
2023-12-14* VuXML ID 9cbbc506-93c1-11ee-8e38-002590c1f29c

Problem Description:

As part of its stateful TCP connection tracking implementation, pf performs sequence number validation on inbound packets. This makes it difficult for a would-be attacker to spoof the sender and inject packets into a TCP stream, since crafted packets must contain sequence numbers which match the current connection state to avoid being rejected by the firewall.

A bug in the implementation of sequence number validation means that the sequence number is not in fact validated, allowing an attacker who is able to impersonate the remote host and guess the connection's port numbers to inject packets into the TCP stream.

Impact:

An attacker can, with relatively little effort, inject packets into a TCP stream destined to a host behind a pf firewall. This could be used to implement a denial-of-service attack for hosts behind the firewall, for example by sending TCP RST packets to the host.

more...
FreeBSD-kernel

more detail
2023-12-14 VuXML ID e2fb85ce-9a3c-11ee-af26-001b217b3468

Gitlab reports:

Smartcard authentication allows impersonation of arbitrary user using user's public certificate

When subgroup is allowed to merge or push to protected branches, subgroup members with the Developer role may gain the ability to push or merge

The GitLab web interface does not ensure the integrity of information when downloading the source code from installation packages or tags

Project maintainer can escalate to Project owner using project access token rotate API

Omission of Double Encoding in File Names Facilitates the Creation of Repositories with Malicious Content

Unvalidated timeSpent value leads to unable to load issues on Issue board

Developer can bypass predefined variables via REST API

Auditor users can create merge requests on projects they don't have access to

more...
gitlab-ce

more detail
2023-12-13 VuXML ID 502c9f72-99b3-11ee-86bb-a8a1599412c6

Chrome Releases reports:

This update includes 9 security fixes:

  • [1501326] High CVE-2023-6702: Type Confusion in V8. Reported by Zhiyi Zhang and Zhunki from Codesafe Team of Legendsec at Qi'anxin Group on 2023-11-10
  • [1502102] High CVE-2023-6703: Use after free in Blink. Reported by Cassidy Kim(@cassidy6564) on 2023-11-14
  • [1504792] High CVE-2023-6704: Use after free in libavif. Reported by Fudan University on 2023-11-23
  • [1505708] High CVE-2023-6705: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-11-28
  • [1500921] High CVE-2023-6706: Use after free in FedCM. Reported by anonymous on 2023-11-09
  • [1504036] Medium CVE-2023-6707: Use after free in CSS. Reported by @ginggilBesel on 2023-11-21
more...
chromium
ungoogled-chromium

more detail
2023-12-13 VuXML ID 8eefff69-997f-11ee-8e38-002590c1f29c

Problem Description:

In FreeBSD 13.2 and 14.0, the NFS client was optimized to improve the performance of IO_APPEND writes, that is, writes which add data to the end of a file and so extend its size. This uncovered an old bug in some routines which copy userspace data into the kernel. The bug also affects the NFS client's implementation of direct I/O; however, this implementation is disabled by default by the vfs.nfs.nfs_directio_enable sysctl and is only used to handle synchronous writes.

Impact:

When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy operation had succeeded. This means that the data to be written is instead replaced with whatever data had been in the packet buffer previously. Thus, an unprivileged user with access to an affected system may abuse the bug to trigger disclosure of sensitive information. In particular, the leak is limited to data previously stored in mbufs, which are used for network transmission and reception, and for certain types of inter-process communication.

The bug can also be triggered unintentionally by system applications, in which case the data written by the application to an NFS mount may be corrupted. Corrupted data is written over the network to the NFS server, and thus also susceptible to being snooped by other hosts on the network.

Note that the bug exists only in the NFS client; the version and implementation of the server has no effect on whether a given system is affected by the problem.

more...
FreeBSD-kernel

more detail
2023-12-13 VuXML ID 972568d6-3485-40ab-80ff-994a8aaf9683

The X.Org project reports:

  • CVE-2023-6377/ZDI-CAN-22412/ZDI-CAN-22413: X.Org server: Out-of-bounds memory write in XKB button actions

    A device has XKB button actions for each button on the device. When a logical device switch happens (e.g. moving from a touchpad to a mouse), the server re-calculates the information available on the respective master device (typically the Virtual Core Pointer). This re-calculation only allocated enough memory for a single XKB action instead of enough for the newly active physical device's number of buttons. As a result, querying or changing the XKB button actions results in out-of-bounds memory reads and writes.

    This may lead to local privilege escalation if the server is run as root or remote code execution (e.g. x11 over ssh).

  • CVE-2023-6478/ZDI-CAN-22561: X.Org server: Out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty

    This fixes an OOB read and the resulting information disclosure.

    Length calculation for the request was clipped to a 32-bit integer. With the correct stuff->nUnits value the expected request size was truncated, passing the REQUEST_FIXED_SIZE check.

    The server then proceeded with reading at least stuff->nUnits bytes (depending on stuff->format) from the request and stuffing whatever it finds into the property. In the process it would also allocate at least stuff->nUnits bytes, i.e. 4GB.

more...
xephyr
xorg-nestserver
xorg-server
xorg-vfbserver
xwayland
xwayland-devel

more detail
2023-12-11 VuXML ID 4405e9ad-97fe-11ee-86bb-a8a1599412c6

Chrome Releases reports:

This update includes 10 security fixes:

  • [1497984] High CVE-2023-6508: Use after free in Media Stream. Reported by Cassidy Kim(@cassidy6564) on 2023-10-31
  • [1494565] High CVE-2023-6509: Use after free in Side Panel Search. Reported by Khalil Zhani on 2023-10-21
  • [1480152] Medium CVE-2023-6510: Use after free in Media Capture. Reported by [pwn2car] on 2023-09-08
  • [1478613] Low CVE-2023-6511: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-09-04
  • [1457702] Low CVE-2023-6512: Inappropriate implementation in Web Browser UI. Reported by Om Apip on 2023-06-24
more...
chromium
qt5-webengine
qt6-webengine
ungoogled-chromium

more detail
2023-12-10 VuXML ID 2bc376c0-977e-11ee-b4bc-b42e991fc52e

security@apache.org reports:

Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue. Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue. See the documentation for more details on correct cluster administration.

more...
zookeeper

more detail
2023-12-09 VuXML ID bbda3d16-968e-11ee-b780-b42e991fc52e

cve@mitre.org reports:

strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm's DH proxy. The earliest affected version is 5.3.0. An attack can occur via a crafted IKE_SA_INIT message.

more...
null

more detail
2023-12-07 VuXML ID e07a7754-12a4-4661-b852-fd221d68955f

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-6350.
  • Security: backported fix for CVE-2023-6351.
more...
electron25

more detail
2023-12-02 VuXML ID f25a34b1-910d-11ee-a1a2-641c67a117d8

Varnish Cache Project reports:

A denial of service attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker can create a large volume of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for the session, causing the Varnish server to consume unnecessary resources processing requests for which the response will not be delivered.

more...
varnish6
varnish7

more detail
2023-12-01 VuXML ID 302fc846-860f-482e-a8f6-ee9f254dfacf

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-6345.
  • Security: backported fix for CVE-2023-6346.
  • Security: backported fix for CVE-2023-6347.
more...
electron25

more detail
2023-12-01 VuXML ID 3b14b2b4-9014-11ee-98b3-001b217b3468

Gitlab reports:

XSS and ReDoS in Markdown via Banzai pipeline of Jira

Members with admin_group_member custom permission can add members with higher role

Release Description visible in public projects despite release set as project members only through atom response

Manipulate the repository content in the UI (CVE-2023-3401 bypass)

External user can abuse policy bot to gain access to internal projects

Client-side DOS via Mermaid Flowchart

Developers can update pipeline schedules to use protected branches even if they don't have permission to merge

Users can install Composer packages from public projects even when Package registry is turned off

Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches

Guest users can react (emojis) on confidential work items which they can't see in a project

more...
gitlab-ce

more detail
2023-12-01 VuXML ID 7e1a508f-7167-47b0-b9fc-95f541933a86

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-6345.
  • Security: backported fix for CVE-2023-6346.
  • Security: backported fix for CVE-2023-6347.
  • Security: backported fix for CVE-2023-6350.
more...
electron26

more detail
2023-11-29 VuXML ID 8cdd38c7-8ebb-11ee-86bb-a8a1599412c6

Chrome Releases reports:

This update includes 7 security fixes:

  • [1491459] High CVE-2023-6348: Type Confusion in Spellcheck. Reported by Mark Brand of Google Project Zero on 2023-10-10
  • [1494461] High CVE-2023-6347: Use after free in Mojo. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2023-10-21
  • [1500856] High CVE-2023-6346: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-09
  • [1501766] High CVE-2023-6350: Out of bounds memory access in libavif. Reported by Fudan University on 2023-11-13
  • [1501770] High CVE-2023-6351: Use after free in libavif. Reported by Fudan University on 2023-11-13
  • [1505053] High CVE-2023-6345: Integer overflow in Skia. Reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group on 2023-11-24
more...
chromium
qt5-webengine
qt6-webengine
ungoogled-chromium

more detail
2023-11-26 VuXML ID 388e6557-8c80-11ee-9ee3-84a93843eb75

The MariaDB project reports:

Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

more...
mariadb1011-server
mariadb105-server
mariadb106-server

more detail
2023-11-24 VuXML ID a62c0c50-8aa0-11ee-ac0d-00e0670f2660

strongSwan reports:

A vulnerability in charon-tkm related to processing DH public values was discovered in strongSwan that can result in a buffer overflow and potentially remote code execution. All versions since 5.3.0 are affected.

more...
strongswan

more detail
2023-11-22 VuXML ID 147353a3-c33b-46d1-b751-e72c0d7f29df

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2023-5997.
more...
electron25
electron26

more detail
2023-11-16 VuXML ID 0da4db89-84bf-11ee-8290-a8a1599412c6

Chrome Releases reports:

This update includes 4 security fixes:

  • [1497997] High CVE-2023-5997: Use after free in Garbage Collection. Reported by Anonymous on 2023-10-31
  • [1499298] High CVE-2023-6112: Use after free in Navigation. Reported by Sergei Glazunov of Google Project Zero on 2023-11-04
more...
chromium
qt5-webengine
qt6-webengine
ungoogled-chromium

more detail
2023-11-16 VuXML ID a30f1a12-117f-4dac-a1d0-d65eaf084953

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2023-5996.
more...
electron25
electron26

more detail
2023-11-15 VuXML ID 7cc003cb-83b9-11ee-957d-b42e991fc52e

security-advisories@github.com reports:

Weak Authentication in Session Handling in typo3/cms-core: In typo3 installations there are always at least two different sites, e.g. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can be reused on the second site without requiring additional authentication. This vulnerability has been addressed in versions 8.7.55, 9.5.44, 10.4.41, 11.5.33, and 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Information Disclosure in Install Tool in typo3/cms-install: In affected versions the login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-based scenarios only - classic non-composer installations are not affected. This issue has been addressed in version 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

By-passing Cross-Site Scripting Protection in HTML Sanitizer: In affected versions DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. This vulnerability has been addressed in versions 1.5.3 and 2.1.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

more...
typo3-11
typo3-12

more detail
2023-11-09 VuXML ID 0f445859-7f0e-11ee-94b4-6cc21735f730

PostgreSQL Project reports:

While modifying certain SQL array values, missing overflow checks let authenticated database users write arbitrary bytes to a memory area that facilitates arbitrary code execution. Missing overflow checks also let authenticated database users read a wide area of server memory. The CVE-2021-32027 fix covered some attacks of this description, but it missed others.

more...
postgresql-server

more detail
2023-11-09 VuXML ID 31f45d06-7f0e-11ee-94b4-6cc21735f730

PostgreSQL Project reports:

Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type designation. We have not confirmed or ruled out viability of attacks that arrange for presence of notable, confidential information in disclosed bytes.

more...
postgresql-server

more detail
2023-11-09 VuXML ID 5558dded-a870-4fbe-8b0a-ba198db47007

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-5849.
  • Security: backported fix for CVE-2023-5482.
more...
electron25
electron26

more detail
2023-11-09 VuXML ID bbb18fcb-7f0d-11ee-94b4-6cc21735f730

PostgreSQL Project reports:

Documentation says the pg_cancel_backend role cannot signal "a backend owned by a superuser". On the contrary, it can signal background workers, including the logical replication launcher. It can signal autovacuum workers and the autovacuum launcher. Signaling autovacuum workers and those two launchers provides no meaningful exploit, so exploiting this vulnerability requires a non-core extension with a less-resilient background worker. For example, a non-core background worker that does not auto-restart would experience a denial of service with respect to that particular background worker.

more...
postgresql-server

more detail
2023-11-08 VuXML ID 4ade0c4d-7e83-11ee-9a8c-00155d01f201

cve@mitre.org reports:

Multiple signed integer overflows in function au_read_header in src/au.c and in functions mat4_open and mat4_read_header in src/mat4.c in Libsndfile allow an attacker to cause Denial of Service or other unspecified impacts.

more...
libsndfile

more detail
2023-11-08 VuXML ID 5afcc9a4-7e04-11ee-8e38-002590c1f29c

Problem Description:

For line-buffered streams the __sflush() function did not correctly update the FILE object's write space member when the write(2) system call returns an error.

Impact:

Depending on the nature of an application that calls libc's stdio functions and the presence of errors returned from the write(2) system call (or an overridden stdio write routine) a heap buffer overflow may occur. Such overflows may lead to data corruption or the execution of arbitrary code at the privilege level of the calling program.

more...
FreeBSD

more detail
2023-11-08VuXML ID 77fc311d-7e62-11ee-8290-a8a1599412c6

Chrome Releases reports:

This update includes 1 security fix:

  • [1497859] High CVE-2023-5996: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab via Tianfu Cup 2023 on 2023-10-30
more...
chromium
ungoogled-chromium

more detail
2023-11-08VuXML ID a5956603-7e4f-11ee-9df6-84a93843eb75

The OpenSSL project reports:

Excessive time spent in DH check / generation with large Q parameter value (low). Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow.

more...
openssl
openssl-quictls
openssl111
openssl31
openssl31-quictls

more detail
2023-11-08VuXML ID f4464e49-7e04-11ee-8e38-002590c1f29c

Problem Description:

Casper services allow limiting operations that a process can perform. Each service maintains a specific list of permitted operations. Certain operations can be further restricted, such as specifying which domain names can be resolved. During the verification of limits, the service must ensure that the new set of constraints is a subset of the previous one. In the case of the cap_net service, the currently limited set of domain names was fetched incorrectly.

Impact:

In certain scenarios, if only a list of resolvable domain names was specified without setting any other limitations, the application could submit a new list of domains including entries not previously in the list.

more...
FreeBSD

more detail
2023-11-05VuXML ID a1a1f81c-7c13-11ee-bcf1-f8b156b6dcc8

Frank-Z7 reports:

Heap buffer overflow when vorbis-tools/oggenc converts WAV files to Ogg files.

more...
vorbis-tools

more detail
2023-11-03VuXML ID a1e27775-7a61-11ee-8290-a8a1599412c6

Chrome Releases reports:

This update includes 15 security fixes:

  • [1492698] High CVE-2023-5480: Inappropriate implementation in Payments. Reported by Vsevolod Kokorin (Slonser) of Solidlab on 2023-10-14
  • [1492381] High CVE-2023-5482: Insufficient data validation in USB. Reported by DarkNavy on 2023-10-13
  • [1492384] High CVE-2023-5849: Integer overflow in USB. Reported by DarkNavy on 2023-10-13
  • [1281972] Medium CVE-2023-5850: Incorrect security UI in Downloads. Reported by Mohit Raj (shadow2639) on 2021-12-22
  • [1473957] Medium CVE-2023-5851: Inappropriate implementation in Downloads. Reported by Shaheen Fazim on 2023-08-18
  • [1480852] Medium CVE-2023-5852: Use after free in Printing. Reported by [pwn2car] on 2023-09-10
  • [1456876] Medium CVE-2023-5853: Incorrect security UI in Downloads. Reported by Hafiizh on 2023-06-22
  • [1488267] Medium CVE-2023-5854: Use after free in Profiles. Reported by Dohyun Lee (@l33d0hyun) of SSD-Disclosure Labs & DNSLab, Korea Univ on 2023-10-01
  • [1492396] Medium CVE-2023-5855: Use after free in Reading Mode. Reported by ChaobinZhang on 2023-10-13
  • [1493380] Medium CVE-2023-5856: Use after free in Side Panel. Reported by Weipeng Jiang (@Krace) of VRI on 2023-10-17
  • [1493435] Medium CVE-2023-5857: Inappropriate implementation in Downloads. Reported by Will Dormann on 2023-10-18
  • [1457704] Low CVE-2023-5858: Inappropriate implementation in WebApp Provider. Reported by Axel Chong on 2023-06-24
  • [1482045] Low CVE-2023-5859: Incorrect security UI in Picture In Picture. Reported by Junsung Lee on 2023-09-13
more...
chromium
qt6-webengine
ungoogled-chromium

more detail
2023-11-02VuXML ID 4f370c80-79ce-11ee-be8e-589cfc0f81b0

phpmyfaq developers report:

XSS

Insufficient session expiration

more...
phpmyfaq-php80
phpmyfaq-php81
phpmyfaq-php82
phpmyfaq-php83

more detail
2023-11-02VuXML ID fe7ac70a-792b-11ee-bf9a-a04a5edf46d9

Frank-Z7 reports:

Running optipng with the "-zm 3 -zc 1 -zw 256 -snip -out" configuration options enabled raises a global-buffer-overflow bug, which could allow a remote attacker to conduct a denial-of-service attack or other unspecified effect on a crafted file.

more...
optipng

more detail
2023-11-01VuXML ID a612c25f-788a-11ee-8d57-001b217b3468

Gitlab reports:

Disclosure of CI/CD variables using Custom project templates

GitLab omnibus DoS crash via OOM with CI Catalogs

Parsing gitlab-ci.yml with large string via timeout input leads to Denial of Service

DoS - Blocking FIFO files in Tar archives

Titles exposed by service-desk template

Approval on protected environments can be bypassed

Version information disclosure when super_sidebar_logged_out feature flag is enabled

Add abuse detection for search syntax filter pipes

more...
gitlab-ce

more detail
2023-11-01VuXML ID d2505ec7-78ea-11ee-9131-6f01853956d5

VMware reports:

This update includes 2 security fixes:

  • High CVE-2023-34058: SAML token signature bypass vulnerability
  • High CVE-2023-34059: File descriptor hijack vulnerability in the vmware-user-suid-wrapper
more...
open-vm-tools
open-vm-tools-nox11

more detail
2023-10-27VuXML ID 386a14bb-1a21-41c6-a2cf-08d79213379b

Tim Wojtulewicz of Corelight reports:

A specially-crafted SSL packet could cause Zeek to leak memory and potentially crash.

A specially-crafted series of FTP packets could cause Zeek to log entries for requests that have already been completed, using resources unnecessarily and potentially causing Zeek to lose other traffic.

A specially-crafted series of SSL packets could cause Zeek to output a very large number of unnecessary alerts for the same record.

A specially-crafted series of SSL packets could cause Zeek to generate very long ssl_history fields in the ssl.log, potentially using a large amount of memory due to unbounded state growth.

A specially-crafted IEEE802.11 packet could cause Zeek to overflow memory and potentially crash.

more...
zeek

more detail
2023-10-27VuXML ID db33e250-74f7-11ee-8290-a8a1599412c6

Chrome Releases reports:

This update includes 2 security fixes:

  • [1491296] High CVE-2023-5472: Use after free in Profiles. Reported by @18楼梦想改造家 on 2023-10-10
more...
chromium
ungoogled-chromium

more detail
2023-10-25VuXML ID 9e2fdfc7-e237-4393-9fa5-2d50908c66b3

The X.Org project reports:

  • ZDI-CAN-22153/CVE-2023-5367: X.Org server: OOB write in XIChangeDeviceProperty/RRChangeOutputProperty

    When prepending values to an existing property an invalid offset calculation causes the existing values to be appended at the wrong offset. The resulting memcpy() would write into memory outside the heap-allocated array.

  • ZDI-CAN-21608/CVE-2023-5380: Use-after-free bug in DestroyWindow

    This vulnerability requires a legacy multi-screen setup with multiple protocol screens ("Zaphod"). If the pointer is warped from one screen to the root window of the other screen, the enter/leave code may retain a reference to the previous pointer window. Destroying this window leaves that reference in place, other windows may then trigger a use-after-free bug when they are destroyed.

more...
xephyr
xorg-nestserver
xorg-server
xorg-vfbserver
xwayland
xwayland-devel

more detail
2023-10-25VuXML ID a8fb8e3a-730d-11ee-ab61-b42e991fc52e

The squid-cache project reports:

  • Denial of Service in FTP
  • Request/Response smuggling in HTTP/1.1 and ICAP
  • Denial of Service in HTTP Digest Authentication
more...
squid

more detail
2023-10-24VuXML ID 4a4712ae-7299-11ee-85eb-84a93843eb75

SO-AND-SO reports:

Moderate severity: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.

more...
openssl
openssl-quictls
openssl31

more detail
2023-10-23VuXML ID 22df5074-71cd-11ee-85eb-84a93843eb75

Oracle reports:

This Critical Patch Update contains 37 new security patches, plus additional third party patches noted below, for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

more...
mysql-connector-c++
mysql-connector-j
mysql-connector-odbc
mysql57-server
mysql80-server

more detail
2023-10-19VuXML ID 9000591b-483b-45ac-9c87-b3df3a4198ec

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2023-5218.
more...
electron25
electron26

more detail
2023-10-19VuXML ID f923205f-6e66-11ee-85eb-84a93843eb75

The Apache httpd project reports:

  • CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST
  • CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0
  • CVE-2023-31122: mod_macro buffer over-read
more...
apache24

more detail
2023-10-18VuXML ID 1ee26d45-6ddb-11ee-9898-00e081b7aa2d

Jenkins Security Advisory:

Description

(High) SECURITY-3291 / CVE-2023-36478, CVE-2023-44487

HTTP/2 denial of service vulnerability in bundled Jetty

more...
jenkins
jenkins-lts

more detail
2023-10-18VuXML ID 8706e097-6db7-11ee-8744-080027f5fec9

Redis core team reports:

The wrong order of listen(2) and chmod(2) calls creates a race condition that can be used by another process to bypass desired Unix socket permissions on startup.

more...
redis
redis-devel
redis62
redis70

more detail
2023-10-18VuXML ID d2ad7647-6dd9-11ee-85eb-84a93843eb75

The Roundcube project reports:

cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages

more...
roundcube

more detail
2023-10-18VuXML ID e14b9870-62a4-11ee-897b-000bab9f87f1

Request Tracker reports:

CVE-2023-41259 SECURITY: RT is vulnerable to unvalidated email headers in incoming email and the mail-gateway REST interface.

CVE-2023-41260 SECURITY: RT is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST interface.

CVE-2023-45024 SECURITY: RT 5.0 is vulnerable to information leakage via transaction searches made by authenticated users in the transaction query builder.

more...
rt44
rt50

more detail
2023-10-16VuXML ID f8c2f741-6be1-11ee-b33a-a04a5edf46d9

The moonlight-embedded project reports:

Moonlight Embedded v2.6.1 fixed CVE-2023-42799, CVE-2023-42800, and CVE-2023-42801.

more...
moonlight-embedded

more detail
2023-10-14VuXML ID 7a1b2624-6a89-11ee-af06-5404a68ad561

The traefik authors report:

There is a vulnerability in Go managing HTTP/2 requests, which impacts Traefik. This vulnerability could be exploited to cause a denial of service.

more...
traefik

more detail
2023-10-14VuXML ID ae0ee356-6ae1-11ee-bfb6-8c164567ca3c

The libcue team reports:

There is a vulnerability to out-of-bounds array access.

more...
libcue

more detail
2023-10-12VuXML ID 199cdb4d-690d-11ee-9ed0-001fc69cd6dc

The X.Org project reports:

CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer
An out-of-bounds read is located in ParseComment() when reading from a memory buffer instead of a file, as it continued to look for the closing comment marker past the end of the buffer.
CVE-2023-43789: Out of bounds read on XPM with corrupted colormap
A corrupted colormap section may cause libXpm to read out of bounds.
more...
libXpm

more detail
2023-10-12VuXML ID 4281b712-ad6b-4c21-8f66-619a9150691f

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2023-5187.
more...
electron25

more detail
2023-10-12VuXML ID bd92f1ab-690c-11ee-9ed0-001fc69cd6dc

The X.Org project reports:

CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
When libX11 is processing the reply from the X server to the XkbGetMap request, if it detected the number of symbols in the new map was less than the size of the buffer it had allocated, it always added room for 128 more symbols, instead of the actual size needed. While the _XkbReadBufferCopyKeySyms() helper function returned an error if asked to copy more keysyms into the buffer than there was space allocated for, the caller never checked for an error and assumed the full set of keysyms was copied into the buffer and could then try to read out of bounds when accessing the buffer. libX11 1.8.7 has been patched to both fix the size allocated and check for error returns from _XkbReadBufferCopyKeySyms().
CVE-2023-43786: stack exhaustion in XPutImage
When splitting a single line of pixels into chunks that fit in a single request (not using the BIG-REQUESTS extension) to send to the X server, the code did not take into account the number of bits per pixel, so would just loop forever finding it needed to send more pixels than fit in the given request size and not breaking them down into a small enough chunk to fit. An XPM file was provided that triggered this bug when loaded via libXpm's XpmReadFileToPixmap() function, which in turn calls XPutImage() and hit this bug.
CVE-2023-43787: integer overflow in XCreateImage() leading to a heap overflow
When creating an image, there was no validation that the multiplication of the caller-provided width by the visual's bits_per_pixel did not overflow and thus result in the allocation of a buffer too small to hold the data that would be copied into it. An XPM file was provided that triggered this bug when loaded via libXpm's XpmReadFileToPixmap() function, which in turn calls XCreateImage() and hit this bug.
more...
libX11

more detail
2023-10-11VuXML ID 040e69f1-6831-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. A logged-in user from any profile can hijack the Kanban feature to alter any user field, and end up stealing that user's account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

more...
glpi

more detail
2023-10-11VuXML ID 07ee8c14-68f1-11ee-8290-a8a1599412c6

Chrome Releases reports:

This update includes 20 security fixes:

  • [1487110] Critical CVE-2023-5218: Use after free in Site Isolation. Reported by @18楼梦想改造家 on 2023-09-27
  • [1062251] Medium CVE-2023-5487: Inappropriate implementation in Fullscreen. Reported by Anonymous on 2020-03-17
  • [1414936] Medium CVE-2023-5484: Inappropriate implementation in Navigation. Reported by Thomas Orlita on 2023-02-11
  • [1476952] Medium CVE-2023-5475: Inappropriate implementation in DevTools. Reported by Axel Chong on 2023-08-30
  • [1425355] Medium CVE-2023-5483: Inappropriate implementation in Intents. Reported by Axel Chong on 2023-03-17
  • [1458934] Medium CVE-2023-5481: Inappropriate implementation in Downloads. Reported by Om Apip on 2023-06-28
  • [1474253] Medium CVE-2023-5476: Use after free in Blink History. Reported by Yunqin Sun on 2023-08-20
  • [1483194] Medium CVE-2023-5474: Heap buffer overflow in PDF. Reported by [pwn2car] on 2023-09-15
  • [1471253] Medium CVE-2023-5479: Inappropriate implementation in Extensions API. Reported by Axel Chong on 2023-08-09
  • [1395164] Low CVE-2023-5485: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2022-12-02
  • [1472404] Low CVE-2023-5478: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-08-12
  • [1472558] Low CVE-2023-5477: Inappropriate implementation in Installer. Reported by Bahaa Naamneh of Crosspoint Labs on 2023-08-13
  • [1357442] Low CVE-2023-5486: Inappropriate implementation in Input. Reported by Hafiizh on 2022-08-29
  • [1484000] Low CVE-2023-5473: Use after free in Cast. Reported by DarkNavy on 2023-09-18
more...
chromium
qt6-webengine
ungoogled-chromium

more detail
2023-10-11VuXML ID 10e86b16-6836-11ee-b06f-0050569ceb3a

From the GLPI 10.0.10 Changelog:

You will find below security issues fixed in this bugfix version: [SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).

The mentioned CVE is invalid

more...
glpi

more detail
2023-10-11VuXML ID 1fe40200-6823-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Versions of the software starting with 9.2.0 and prior to 10.0.8 have an incorrect rights check on a file accessible by an authenticated user, which allows access to view all KnowbaseItems. Version 10.0.8 has a patch for this issue.

more...
glpi

more detail
2023-10-11VuXML ID 20302cbc-6834-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can enumerate user logins. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

more...
glpi

more detail
2023-10-11VuXML ID 257e1bf0-682f-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An administrator can trigger SQL injection via dashboards administration. This vulnerability has been patched in version 10.0.9.

more...
glpi

more detail
2023-10-11VuXML ID 40173815-6827-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should upgrade to version 10.0.8 to receive a patch.

more...
glpi

more detail
2023-10-11VuXML ID 548a4163-6821-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.

more...
glpi

more detail
2023-10-11VuXML ID 54e5573a-6834-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. The lack of path filtering on the GLPI URL may allow an attacker to transmit a malicious URL of the login page that can be used to attempt a phishing attack on user credentials. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

more...
glpi

more detail
2023-10-11VuXML ID 6851f3bb-6833-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. An API user can enumerate sensitive field values on resources on which he has read access. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

more...
glpi

more detail
2023-10-11VuXML ID 6f6518ab-6830-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be used to take over an administrator account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

more...
glpi

more detail
2023-10-11VuXML ID 717efd8a-6821-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file accessible by an authenticated user (or not, for certain actions) allows a threat actor to interact with, modify, or see Dashboard data. Version 10.0.8 contains a patch for this issue.

more...
glpi

more detail
2023-10-11VuXML ID 894f2491-6834-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

more...
glpi

more detail
2023-10-11VuXML ID 95c4ec45-6831-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. An API user that has read access on the users resource can steal accounts of other users. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

more...
glpi

more detail
2023-10-11VuXML ID 95fde6bc-6821-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to be able to access dashboards data. Version 10.0.8 contains a patch for this issue.

more...
glpi

more detail
2023-10-11VuXML ID ae8b1445-6833-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. A user with write access to another user can make requests to change the latter's password and then take control of their account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

more...
glpi

more detail
2023-10-11VuXML ID b14a6ddc-6821-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Starting in version 9.4.0 and prior to version 10.0.8, a malicious link can be crafted by an unauthenticated user that can exploit a reflected XSS in case any authenticated user opens the crafted link. Users should upgrade to version 10.0.8 to receive a patch.

more...
glpi

more detail
2023-10-11*VuXML ID d6c19e8c-6806-11ee-9464-b42e991fc52e

The curl team reports:

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes. If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there.

more...
cmake-core
curl

more detail
2023-10-11VuXML ID df71f5aa-6831-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

more...
glpi

more detail
2023-10-11VuXML ID e44e5ace-6820-11ee-b06f-0050569ceb3a

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.

more...
glpi

more detail
2023-10-10VuXML ID bf545001-b96d-42e4-9d2e-60fdee204a43

Kazuho Oku reports:

H2O is vulnerable to the HTTP/2 Rapid Reset attack. An attacker might be able to consume more than adequate amount of processing power of h2o and the backend servers by mounting the attack.

more...
h2o
h2o-devel

more detail
2023-10-05VuXML ID 4f254817-6318-11ee-b2ff-080027de9982

Django reports:

CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator.

more...
py310-django32
py310-django41
py310-django42
py311-django32
py311-django41
py311-django42
py39-django32
py39-django41
py39-django42

more detail
2023-10-04VuXML ID 162a675b-6251-11ee-8e38-002590c1f29c

Problem Description:

On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized.

Impact:

No speculative execution workarounds are installed on CPU 0.

more...
FreeBSD-kernel

more detail
2023-10-04VuXML ID 4e45c45b-629e-11ee-8290-a8a1599412c6

Chrome Releases reports:

This update includes 1 security fix:

  • [1485829] High CVE-2023-5346: Type Confusion in V8. Reported by Amit Kumar on 2023-09-22
more...
chromium
ungoogled-chromium

more detail
2023-10-04VuXML ID 915855ad-283d-4597-b01e-e0bf611db78b

Trendmicro ZDI reports:

Integer Underflow Remote Code Execution Vulnerability

The specific flaw exists within the parsing of SPF macros. When parsing SPF macros, the process does not properly validate user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the service account.

more...
libspf2

more detail
2023-10-04VuXML ID e261e71c-6250-11ee-8e38-002590c1f29c

Problem Description:

The syscall checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the syscall must additionally require the CAP_SEEK capability.

Impact:

A sandboxed process with only read or write but no seek capability on a file descriptor may be able to read data from or write data to an arbitrary location within the file corresponding to that file descriptor.

more...
FreeBSD-kernel

more detail
2023-10-04VuXML ID fefcd340-624f-11ee-8e38-002590c1f29c

Problem Description:

In certain cases using the truncate or ftruncate system call to extend a file size populates the additional space in the file with unallocated data from the underlying disk device, rather than zero bytes.

Impact:

A user with write access to files on a msdosfs file system may be able to read unintended data (for example, from a previously deleted file).

more...
FreeBSD-kernel

more detail
2023-10-02VuXML ID e59fed96-60da-11ee-9102-000c29de725b

MediaWiki reports:

(T264765, CVE-2023-PENDING) SECURITY: Users without correct permission are incorrectly shown MediaWiki:Missing-revision-permission.

(T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for self-redirects with variants conversion.

(T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.

(T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.

(T340221, CVE-2023-PENDING) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.

(T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.

(T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non-standard configuration).

more...
mediawiki135
mediawiki139
mediawiki140

more detail
2023-09-30*VuXML ID 2bcd6ba4-d8e2-42e5-9033-b50b722821fb

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2023-5217.
more...
electron22
electron24
electron25
libvpx

more detail
2023-09-30*VuXML ID 33922b84-5f09-11ee-b63d-0897988a1c07

Composer project reports:

Description: Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has register_argc_argv enabled in php.ini.

Workaround: Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.

more...
php80-composer
php80-composer2
php81-composer
php81-composer2
php82-composer
php82-composer2
php83-composer
php83-composer2

more detail
2023-09-29VuXML ID 6d9c6aae-5eb1-11ee-8290-a8a1599412c6

Chrome Releases reports:

This update includes 10 security fixes:

  • [1486441] High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-09-25
  • [1478889] High CVE-2023-5186: Use after free in Passwords. Reported by [pwn2car] on 2023-09-05
  • [1475798] High CVE-2023-5187: Use after free in Extensions. Reported by Thomas Orlita on 2023-08-25
more...
chromium
qt6-webengine
ungoogled-chromium

more detail
2023-09-29VuXML ID 6e0ebb4a-5e75-11ee-a365-001b217b3468

An attacker can add another project's policy bot as a member of their own project and use that bot to trigger pipelines in the victim's project

Group import allows impersonation of users in CI pipelines

Developers can bypass code owners approval by changing a MR's base branch

Leaking source code of restricted project through a fork

Third party library Consul requires enable-script-checks to be False to enable patch

Service account not deleted when namespace is deleted allowing access to internal projects

Enforce SSO settings bypassed for public projects for Members without identity

Removed project member can write to protected branches

Unauthorised association of CI jobs for Machine Learning experiments

Force pipelines to not have access to protected variables and will likely fail using tags

Maintainer can create a fork relationship between existing projects

Disclosure of masked CI variables via processing CI/CD configuration of forks

Asset Proxy Bypass using non-ASCII character in asset URI

Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches

Removed Developer can continue editing the source code of a public project

A project reporter can leak owner's Sentry instance projects

Math rendering in markdown can escape container and hijack clicks

more...
gitlab-ce

more detail
2023-09-27VuXML ID af065e47-5d62-11ee-bbae-1c61b4739ac9

xrdp team reports:

Access to the font glyphs in xrdp_painter.c is not bounds-checked. Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On non-Debian platforms, xrdp tends to run as root. Potentially an out-of-bounds write can follow the out-of-bounds read. There is no denial-of-service impact, providing xrdp is running in forking mode. This issue has been addressed in release 0.9.23.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

more...
xrdp

more detail
2023-09-27VuXML ID c9ff1150-5d63-11ee-bbae-1c61b4739ac9

xrdp team reports:

In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return a non-zero (1) value on, e.g., a PAM error, which may result in session restrictions such as max concurrent sessions per user by PAM (e.g. /etc/security/limits.conf) being bypassed. Users (administrators) who don't use restrictions by PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.

more...
xrdp

more detail
2023-09-27VuXML ID ea9d1fd2-5d24-11ee-8507-b42e991fc52e

sep@nlnetlabs.nl reports:

NLnet Labs Routinator 0.9.0 up to and including 0.12.1 contains a possible path traversal vulnerability in the optional, off-by-default keep-rrdp-responses feature that allows users to store the content of responses received for RRDP requests. The location of these stored responses is constructed from the URL of the request. Due to insufficient sanitisation of the URL, it is possible for an attacker to craft a URL that results in the response being stored outside of the directory specified for it.

more...
routinator

more detail
2023-09-25VuXML ID 402fccd0-5b6d-11ee-9898-00e081b7aa2d

Jenkins Security Advisory:

Description

(Medium) SECURITY-3261 / CVE-2023-43494

Builds can be filtered by values of sensitive build variables

(High) SECURITY-3245 / CVE-2023-43495

Stored XSS vulnerability

(High) SECURITY-3072 / CVE-2023-43496

Temporary plugin file created with insecure permissions

(Low) SECURITY-3073 / CVE-2023-43497 (Stapler), CVE-2023-43498 (MultipartFormDataParser)

Temporary uploaded file created with insecure permissions

more...
jenkins
jenkins-lts

more detail
2023-09-23VuXML ID 732282a5-5a10-11ee-bca0-001999f8d30b

Mailpit author reports:

Update Go modules to address CVE-2023-42821 (go markdown module DoS).

more...
mailpit

more detail
2023-09-21VuXML ID 4fd7a2fc-5860-11ee-a1b3-dca632daf43b

Google Chrome reports:

Heap buffer overflow in WebP ... allowed a remote attacker to perform an out of bounds memory write ...

more...
webp

more detail
2023-09-20VuXML ID 58a738d4-57af-11ee-8c58-b42e991fc52e

chrome-cve-admin@google.com reports:

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical) The Tor browser is based on Firefox and GeckoView and also uses libwebp, so it is affected by this bug.

more...
tor-browser

more detail
2023-09-19VuXML ID 32a4896a-56da-11ee-9186-001b217b3468

Gitlab reports:

Attacker can abuse scan execution policies to run pipelines as another user

more...
gitlab-ce

more detail
2023-09-16VuXML ID 11982747-544c-11ee-ac3e-a04a5edf46d9

NLnet Labs report:

This release fixes two issues in Routinator that can be exploited remotely by rogue RPKI CAs and repositories. We therefore advise all users of Routinator to upgrade to this release at their earliest convenience.

The first issue, CVE-2022-39915, can lead to Routinator crashing when trying to decode certain illegal RPKI objects.

The second issue, CVE-2022-39916, only affects users that have the rrdp-keep-responses option enabled which allows storing all received RRDP responses on disk. Because the file name for these responses is derived from the URI and the path wasn't checked properly, a RRDP URI could be constructed that results in the response stored outside the directory, possibly overwriting existing files.
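Both Routinator entries on this page describe the same shape of bug: a file name derived from an attacker-controlled RRDP URI is joined under a storage directory without checking that the result stays inside it. The following is an added illustration in C, not Routinator's code (Routinator is written in Rust); the function names, the "/var/lib/rrdp" base directory and the sample URLs are this example's assumptions. It shows the naive join beside a segment-by-segment rebuild that refuses "..", empty and percent-encoded segments.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: everything after "scheme://" is appended under the
 * base directory verbatim. With "https://repo.example/../../etc/passwd"
 * the result is "/var/lib/rrdp/repo.example/../../etc/passwd", which the
 * kernel resolves to /etc/passwd when the file is created. */
static int naive_response_path(const char *base, const char *url,
                               char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return -1;
    p += 3;
    if (snprintf(out, outlen, "%s/%s", base, p) >= (int)outlen)
        return -1;
    return 0;
}

/* Hardened shape: rebuild the path one URL segment at a time, rejecting
 * any segment that could move up a level or smuggle in a separator:
 * empty ("//"), ".", "..", a backslash, or any percent-encoding (a
 * conservative choice that also blocks "%2e%2e" and "%2f"). */
static bool segment_is_safe(const char *seg, size_t len)
{
    if (len == 0)
        return false;
    if (len == 1 && seg[0] == '.')
        return false;
    if (len == 2 && seg[0] == '.' && seg[1] == '.')
        return false;
    for (size_t i = 0; i < len; i++)
        if (seg[i] == '%' || seg[i] == '\\')
            return false;
    return true;
}

static int safe_response_path(const char *base, const char *url,
                              char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return -1;
    p += 3;
    int n = snprintf(out, outlen, "%s", base);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    size_t used = (size_t)n;
    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t seglen = slash != NULL ? (size_t)(slash - p) : strlen(p);
        if (!segment_is_safe(p, seglen))
            return -1;
        if (used + 1 + seglen >= outlen)
            return -1;
        out[used++] = '/';
        memcpy(out + used, p, seglen);
        used += seglen;
        out[used] = '\0';
        p = slash != NULL ? slash + 1 : p + seglen;
    }
    return 0;
}

int main(void)
{
    char path[256];
    const char *evil = "https://repo.example/../../etc/passwd";
    if (naive_response_path("/var/lib/rrdp", evil, path, sizeof path) == 0)
        printf("naive: %s\n", path);
    if (safe_response_path("/var/lib/rrdp", evil, path, sizeof path) == 0)
        printf("safe:  %s\n", path);
    else
        printf("safe:  rejected\n");
    return 0;
}
```

The rebuild is deliberately lexical: it never consults the filesystem, so it cannot be confused by symlinks created between the check and the open, and it fails closed on anything it does not recognise rather than trying to normalise it.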

more...
routinator

more detail
2023-09-16VuXML ID b5508c08-547a-11ee-85eb-84a93843eb75

The Roundcube webmail project reports:

cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages

more...
roundcube

more detail
2023-09-13VuXML ID 3693eca5-f0d3-453c-9558-2353150495bb

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-4572.
  • Security: backported fix for CVE-2023-4762.
  • Security: backported fix for CVE-2023-4863.
more...
electron22

more detail
2023-09-13VuXML ID 4bc66a81-89d2-4696-a04b-defd2eb77783

VSCode developers report:

Visual Studio Code Remote Code Execution Vulnerability

A remote code execution vulnerability exists in VS Code 1.82.0 and earlier versions where working in a maliciously crafted package.json can result in executing commands locally. This scenario would require the attacker to get the VS Code user to open the malicious project and to open and work with malformed entries in the dependencies sections of the package.json file.

VS Code uses the locally installed npm command to fetch information on package dependencies. A package dependency can be named in such a way that the npm tool runs a script instead.

more...
vscode

more detail
2023-09-13VuXML ID 773ce35b-eabb-47e0-98ca-669b2b98107a

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-4763.
  • Security: backported fix for CVE-2023-4762.
  • Security: backported fix for CVE-2023-4761.
  • Security: backported fix for CVE-2023-4863.
more...
electron24
electron25

more detail
2023-09-13VuXML ID 833b469b-5247-11ee-9667-080027f5fec9

selmelc on hackerone reports:

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.
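The fix for an unbounded accumulator is a cap on the total bytes retained, checked before the copy is made. The following is an added example in C and is not curl's code; the structure and function names and the 300 KiB limit are this example's assumptions. It keeps a store of header lines the way a headers API would, refuses to grow past the cap, and simulates a server streaming headers forever to show that the client now stops at a finite count instead of exhausting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Total bytes of response headers we are willing to keep. The value is
 * this example's assumption; the point is that some bound exists. */
#define HEADER_BYTES_MAX (300 * 1024)

struct header_store {
    char **lines;   /* one heap copy per header line */
    size_t count;
    size_t bytes;   /* sum of stored line lengths, never above the cap */
};

enum store_result { STORE_OK = 0, STORE_TOO_LARGE = 1, STORE_OOM = 2 };

/* The unbounded version is this function without the first check: every
 * header the server sends is copied and kept, so a server that never stops
 * sending headers grows the process heap until allocation fails. */
static enum store_result
store_header(struct header_store *s, const char *line, size_t len)
{
    /* Written as a subtraction so len + s->bytes cannot wrap around. */
    if (len > HEADER_BYTES_MAX - s->bytes)
        return STORE_TOO_LARGE;

    char **grown = realloc(s->lines, (s->count + 1) * sizeof *grown);
    if (grown == NULL)
        return STORE_OOM;
    s->lines = grown;

    char *copy = malloc(len + 1);
    if (copy == NULL)
        return STORE_OOM;
    memcpy(copy, line, len);
    copy[len] = '\0';

    s->lines[s->count++] = copy;
    s->bytes += len;
    return STORE_OK;
}

static void free_store(struct header_store *s)
{
    for (size_t i = 0; i < s->count; i++)
        free(s->lines[i]);
    free(s->lines);
    s->lines = NULL;
    s->count = 0;
    s->bytes = 0;
}

/* Stand-in for a malicious server that streams header lines of a fixed
 * size forever. Returns how many lines the client kept before cutting the
 * stream off; with the cap this is finite, without it it would be
 * max_to_try (or whatever the heap allows). */
static size_t feed_endless_headers(size_t line_len, size_t max_to_try)
{
    struct header_store s = { NULL, 0, 0 };
    char *line = malloc(line_len);
    if (line == NULL)
        return 0;
    memset(line, 'A', line_len);            /* "X-Junk: AAAA..." in spirit */
    size_t accepted = 0;
    for (size_t i = 0; i < max_to_try; i++) {
        if (store_header(&s, line, line_len) != STORE_OK)
            break;
        accepted++;
    }
    free(line);
    free_store(&s);
    return accepted;
}

int main(void)
{
    printf("headers kept before the cap tripped: %zu\n",
           feed_endless_headers(1024, 1000000));
    return 0;
}
```

The cap is on total bytes rather than on line count alone, since a server can make one header arbitrarily long just as easily as it can send many. What the caller does on STORE_TOO_LARGE (close the connection, fail the transfer) is a policy decision, but it must not be to keep reading.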

more...
curl

more detail
2023-09-13VuXML ID 88754d55-521a-11ee-8290-a8a1599412c6

Chrome Releases reports:

This update includes 16 security fixes:

  • [1479274] Critical CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Torontoʼs Munk School on 2023-09-06
  • [1430867] Medium CVE-2023-4900: Inappropriate implementation in Custom Tabs. Reported by Levit Nudi from Kenya on 2023-04-06
  • [1459281] Medium CVE-2023-4901: Inappropriate implementation in Prompts. Reported by Kang Ali on 2023-06-29
  • [1454515] Medium CVE-2023-4902: Inappropriate implementation in Input. Reported by Axel Chong on 2023-06-14
  • [1446709] Medium CVE-2023-4903: Inappropriate implementation in Custom Mobile Tabs. Reported by Ahmed ElMasry on 2023-05-18
  • [1453501] Medium CVE-2023-4904: Insufficient policy enforcement in Downloads. Reported by Tudor Enache @tudorhacks on 2023-06-09
  • [1441228] Medium CVE-2023-4905: Inappropriate implementation in Prompts. Reported by Hafiizh on 2023-04-29
  • [1449874] Low CVE-2023-4906: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2023-05-30
  • [1462104] Low CVE-2023-4907: Inappropriate implementation in Intents. Reported by Mohit Raj (shadow2639) on 2023-07-04
  • [1451543] Low CVE-2023-4908: Inappropriate implementation in Picture in Picture. Reported by Axel Chong on 2023-06-06
  • [1463293] Low CVE-2023-4909: Inappropriate implementation in Interstitials. Reported by Axel Chong on 2023-07-09
more...
chromium
ungoogled-chromium

more detail
2023-09-12VuXML ID 8eefa87f-31f1-496d-bf8e-2b465b6e4e8a

Tim Wojtulewicz of Corelight reports:

File extraction limits were not correctly enforced for files containing large amounts of missing bytes.

Sessions are sometimes not cleaned up completely within Zeek during shutdown, potentially causing a crash when using the -B dpd flag for debug logging.

A specially-crafted HTTP packet can cause Zeek's filename extraction code to take a long time to process the data.

A specially-crafted series of FTP packets made up of a CWD request followed by a large amount of ERPT requests may cause Zeek to spend a long time logging the commands.

A specially-crafted VLAN packet can cause Zeek to overflow memory and potentially crash.

more...
zeek

more detail
2023-09-10VuXML ID 4061a4b2-4fb1-11ee-acc7-0151f07bc899

The Gitea team reports:

check blocklist for emails when adding them to account

more...
gitea

more detail
2023-09-10VuXML ID 482bb980-99a3-11ee-b5f7-6bd56600d90c

The Gitea team reports:

Fix missing check

Do some missing checks

By crafting an API request, attackers can access the contents of issues even though the logged-in user does not have access rights to these issues.

more...
gitea

more detail
2023-09-07VuXML ID 6c72b13f-4d1d-11ee-a7f1-080027f5fec9

yangbodong22011 reports:

Redis does not correctly identify keys accessed by SORT_RO and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration.

more...
redis
redis-devel
redis70

more detail
2023-09-07VuXML ID 924cb116-4d35-11ee-8e38-002590c1f29c

Problem Description:

The net80211 subsystem would fallback to the multicast key for unicast traffic in the event the unicast key was removed. This would result in buffered unicast traffic being exposed to any stations with access to the multicast key.

Impact:

As described in the "Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues" paper, an attacker can induce an access point to buffer frames for a client, deauthenticate the client (causing the unicast key to be removed from the access point), and then trigger a flush of the buffered frames, which are now encrypted with the multicast key. This would give the attacker access to the data.
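The following is an added toy model in C of the transmit-key selection the advisory describes; it is not FreeBSD's net80211 code, and the struct, field and function names are this example's assumptions. It replays the sequence above (frames buffered, unicast key removed by a deauthentication, queue flushed) against a selector that falls back to the group key and against one that refuses to send a unicast frame without a valid pairwise key, and counts how many buffered unicast frames each would emit under the key every other station holds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct wifi_key {
    int keyid;
    bool valid;     /* cleared when the key is deleted, e.g. on deauth */
};

struct wifi_station {
    struct wifi_key ucastkey;   /* pairwise key shared only with this STA */
};

struct wifi_ap {
    struct wifi_key groupkey;   /* key every associated station holds */
};

struct wifi_frame {
    bool multicast;             /* true for group-addressed frames */
};

typedef const struct wifi_key *(*key_selector)(const struct wifi_ap *,
                                               const struct wifi_station *,
                                               const struct wifi_frame *);

/* Vulnerable selection: a unicast frame whose station no longer has a
 * valid pairwise key silently falls back to the group key. */
static const struct wifi_key *
select_tx_key_vulnerable(const struct wifi_ap *ap,
                         const struct wifi_station *sta,
                         const struct wifi_frame *f)
{
    if (!f->multicast && sta->ucastkey.valid)
        return &sta->ucastkey;
    return &ap->groupkey;
}

/* Hardened selection: unicast frames are only ever protected with the
 * pairwise key; with none available the caller gets NULL and must drop. */
static const struct wifi_key *
select_tx_key_fixed(const struct wifi_ap *ap,
                    const struct wifi_station *sta,
                    const struct wifi_frame *f)
{
    if (f->multicast)
        return &ap->groupkey;
    if (sta->ucastkey.valid)
        return &sta->ucastkey;
    return NULL;
}

/* Replays the sequence from the advisory: the AP buffers frames for a
 * sleeping client, a deauthentication removes the unicast key, then the
 * queue is flushed. Returns how many buffered unicast frames would leave
 * the AP encrypted under the group key. */
static int leaked_under_group_key(key_selector select)
{
    struct wifi_ap ap = { .groupkey = { .keyid = 1, .valid = true } };
    struct wifi_station sta = { .ucastkey = { .keyid = 0, .valid = true } };
    struct wifi_frame queue[] = {
        { .multicast = false }, { .multicast = false }, { .multicast = true }
    };
    const size_t n = sizeof queue / sizeof queue[0];

    sta.ucastkey.valid = false;   /* spoofed deauth: pairwise key deleted */

    int leaked = 0;
    for (size_t i = 0; i < n; i++) {
        const struct wifi_key *k = select(&ap, &sta, &queue[i]);
        if (!queue[i].multicast && k == &ap.groupkey)
            leaked++;
    }
    return leaked;
}

int main(void)
{
    printf("fallback selector leaks %d unicast frame(s)\n",
           leaked_under_group_key(select_tx_key_vulnerable));
    printf("strict selector leaks   %d unicast frame(s)\n",
           leaked_under_group_key(select_tx_key_fixed));
    return 0;
}
```

The design point is that a missing pairwise key is a state to fail closed on: dropping buffered frames costs the client a retransmission, while sending them under the group key hands their contents to every station that can decrypt multicast.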

more...
FreeBSD-kernel

more detail
2023-09-07VuXML ID a57472ba-4d84-11ee-bf05-000c29de725b

Python reports:

gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification), and to treating sent unencrypted data as if it were post-handshake TLS encrypted data.

more...
python310
python311
python38
python39

more detail
2023-09-07VuXML ID beb36f39-4d74-11ee-985e-bff341e78d94

The Go project reports:

cmd/go: go.mod toolchain directive allows arbitrary execution

The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

html/template: improper handling of HTML-like comments within script contexts

The html/template package did not properly handle HTML-like "<!--" comment tokens, nor hashbang "#!" comment tokens, in