VuXML entries as processed by FreshPorts | Date | Description | Port(s) |
2024-09-07 | VuXML ID 3e44c35f-6cf4-11ef-b813-4ccc6adda413
Kevin Backhouse reports:
An out-of-bounds read was found in Exiv2 version v0.28.2. The vulnerability
is in the parser for the ASF video format, which was a new feature in v0.28.0,
so Exiv2 versions before v0.28 are not affected. The out-of-bounds read is
triggered when Exiv2 is used to read the metadata of a crafted video file.
more... | exiv2
more detail |
2024-09-06 | VuXML ID 943f8915-6c5d-11ef-810a-f8b46a88f42c
alster@vinterdalen.se reports PR/281070:
A new version of devel/binutils has been released fixing
CVE-2023-1972, CVE-2023-25585, CVE-2023-25586, and
CVE-2023-25588.
more... | binutils
more detail |
2024-09-06 | VuXML ID a5e13973-6c75-11ef-858b-23eeba13701a
Problem Description:
- Replace v-html with v-text in search inputbox
- Upgrade webpack to v5.94.0 as a precaution to mitigate
CVE-2024-43788, although we were not yet able to confirm that this
can be exploited in Forgejo.
more... | forgejo forgejo7
more detail |
2024-09-05* | VuXML ID 21f505f4-6a1c-11ef-b611-84a93843eb75
The OpenSSL project reports:
Possible denial of service in X.509 name checks [Moderate severity]
Applications performing certificate name checks (e.g., TLS clients
checking server certificates) may attempt to read an invalid
memory address resulting in abnormal termination of the application
process.
SSL_select_next_proto buffer overread [Low severity]
Calling the OpenSSL API function SSL_select_next_proto with an empty
supported client protocols buffer may cause a crash or memory
contents to be sent to the peer.
more... | FreeBSD openssl openssl-quictls openssl31 openssl31-quictls openssl32 openssl33
more detail |
2024-09-05 | VuXML ID 4edaa9f4-6b51-11ef-9a62-002590c1f29c
Problem Description:
bhyve can be configured to emulate devices on a virtual USB
controller (XHCI), such as USB tablet devices. An insufficient
boundary validation in the USB code could lead to an out-of-bounds
write on the heap, with data controlled by the caller.
Impact:
Malicious, privileged software running in a guest VM can
exploit the vulnerability to achieve code execution on the host in
the bhyve userspace process, which typically runs as root. Note
that bhyve runs in a Capsicum sandbox, so malicious code is constrained
by the capabilities available to the bhyve process.
more... | FreeBSD
more detail |
2024-09-05 | VuXML ID 56d76414-6b50-11ef-9a62-002590c1f29c
Problem Description:
bhyve can be configured to provide access to the host's TPM
device, where it passes the communication through an emulated device
provided to the guest. This may be performed on the command-line
by starting bhyve with the `-l tpm,passthru,/dev/tpmX` parameters.
The MMIO handler for the emulated device did not validate the offset
and size of the memory access correctly, allowing guests to read
and write memory contents outside of the memory area effectively
allocated.
Impact:
Malicious software running in a guest VM can exploit the buffer
overflow to achieve code execution on the host in the bhyve userspace
process, which typically runs as root. Note that bhyve runs in a
Capsicum sandbox, so malicious code is constrained by the capabilities
available to the bhyve process.
more... | FreeBSD
more detail |
2024-09-05 | VuXML ID 66907dab-6bb2-11ef-b813-4ccc6adda413
Backports for 6 security bugs in Chromium:
- CVE-2024-5496: Use after free in Media Session
- CVE-2024-5846: Use after free in PDFium
- CVE-2024-6291: Use after free in Swiftshader
- CVE-2024-6989: Use after free in Loader
- CVE-2024-6996: Race in Frames
- CVE-2024-7536: Use after free in WebAudio
more... | qt5-webengine
more detail |
2024-09-05 | VuXML ID 7e079ce2-6b51-11ef-9a62-002590c1f29c
Problem Description:
Concurrent removals of such a mapping by using the UMTX_SHM_DESTROY
sub-request of UMTX_OP_SHM can lead to decreasing the reference
count of the object representing the mapping too many times, causing
it to be freed too early.
Impact:
Malicious code exercising the UMTX_SHM_DESTROY sub-request
in parallel can panic the kernel or enable further Use-After-Free
attacks, potentially including code execution or Capsicum sandbox
escape.
more... | FreeBSD
more detail |
2024-09-05 | VuXML ID 8d1f9adf-6b4f-11ef-9a62-002590c1f29c
Problem Description:
CVE-2024-45287 is a vulnerability that affects both the kernel
and userland. A malicious value of size in a structure of packed
libnv can cause an integer overflow, leading to the allocation of
a smaller buffer than required for the parsed data.
CVE-2024-45288 is a vulnerability that affects both the kernel and
userland. A missing null-termination character in the last element
of an nvlist array string can lead to writing outside the allocated
buffer.
Impact:
It is possible for an attacker to overwrite portions of memory
(in userland or the kernel) as the allocated buffer might be smaller
than the data received from a malicious process. This vulnerability
could result in privilege escalation or cause a system panic.
more... | FreeBSD FreeBSD-kernel
more detail |
2024-09-05 | VuXML ID 9bd5e47b-6b50-11ef-9a62-002590c1f29c
Problem Description:
Several vulnerabilities were found in the ctl subsystem.
The function ctl_write_buffer incorrectly set a flag which resulted
in a kernel Use-After-Free when a command finished processing
(CVE-2024-45063). The ctl_write_buffer and ctl_read_buffer functions
allocated memory to be returned to userspace, without initializing
it (CVE-2024-8178). The ctl_report_supported_opcodes function did
not sufficiently validate a field provided by userspace, allowing
an arbitrary write to a limited amount of kernel heap memory
(CVE-2024-42416). The ctl_request_sense function could expose up
to three bytes of the kernel heap to userspace (CVE-2024-43110).
Guest virtual machines in the bhyve hypervisor can send SCSI commands
to the corresponding kernel driver via the virtio_scsi interface.
This provides guests with direct access to the vulnerabilities
covered by this advisory.
The CAM Target Layer iSCSI target daemon ctld(8) accepts incoming
iSCSI connections, performs authentication and passes connections
to the kernel ctl(4) target layer.
Impact:
Malicious software running in a guest VM that exposes virtio_scsi
can exploit the vulnerabilities to achieve code execution on the
host in the bhyve userspace process, which typically runs as root.
Note that bhyve runs in a Capsicum sandbox, so malicious code is
constrained by the capabilities available to the bhyve process.
A malicious iSCSI initiator could achieve remote code execution on
the iSCSI target host.
more... | FreeBSD-kernel
more detail |
2024-09-05 | VuXML ID a3a1caf5-6ba1-11ef-b9e8-b42e991fc52e
security@mozilla.org reports:
This entry contains 8 vulnerabilities:
- CVE-2024-8381: A potentially exploitable type
confusion could be triggered when looking up a property
name on an object being used as the `with` environment.
- CVE-2024-8382: Internal browser event interfaces were
exposed to web content when privileged EventHandler listener
callbacks ran for those events. Web content that tried to
use those interfaces would not be able to use them with
elevated privileges, but their presence would indicate
certain browser features had been used, such as when a user
opened the Dev Tools console.
- CVE-2024-8383: Firefox normally asks for confirmation
before asking the operating system to find an application to
handle a scheme that the browser does not support. It did not
ask before doing so for the Usenet-related schemes news: and
snews:. Since most operating systems don't have a
trusted newsreader installed by default, an unscrupulous
program that the user downloaded could register itself as a
handler. The website that served the application download
could then launch that application at will.
- CVE-2024-8384: The JavaScript garbage collector could
mis-color cross-compartment objects if OOM conditions were
detected at the right point between two passes. This could have
led to memory corruption.
- CVE-2024-8385: A difference in the handling of
StructFields and ArrayTypes in WASM could be used to trigger
an exploitable type confusion vulnerability.
- CVE-2024-8386: If a site had been granted the permission
to open popup windows, it could cause Select elements to
appear on top of another site to perform a spoofing attack.
- CVE-2024-8387: Memory safety bugs present in Firefox 129,
Firefox ESR 128.1, and Thunderbird 128.1. Some of these bugs
showed evidence of memory corruption and we presume that with
enough effort some of these could have been exploited to run
arbitrary code.
- CVE-2024-8389: Memory safety bugs present in Firefox 129.
Some of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have been
exploited to run arbitrary code.
more... | firefox
more detail |
2024-09-05 | VuXML ID f5d0cfe7-6ba6-11ef-858b-23eeba13701a
Problem Description:
- Replace v-html with v-text in search inputbox
- Fix nuget/conan/container packages upload bugs
more... | gitea
more detail |
2024-09-03 | VuXML ID 26125e09-69ca-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [357391257] High CVE-2024-8362: Use after free in WebAudio. Reported by Cassidy Kim(@cassidy6564) on 2024-08-05
- [358485426] High CVE-2024-7970: Out of bounds write in V8. Reported by Cassidy Kim(@cassidy6564) on 2024-08-09
more... | chromium ungoogled-chromium
more detail |
2024-08-30 | VuXML ID 5e4d7172-66b8-11ef-b104-b42e991fc52e
security@mozilla.org reports:
- Firefox adds web-compatibility shims in place of some
tracking scripts blocked by Enhanced Tracking Protection.
On a site protected by Content Security Policy in
"strict-dynamic" mode, an attacker able to
inject an HTML element could have used a DOM
Clobbering attack on some of the shims and achieved XSS,
bypassing the CSP strict-dynamic protection.
- Form validation popups could capture escape key presses.
Therefore, spamming form validation messages could be used
to prevent users from exiting full-screen mode.
- When almost out-of-memory an elliptic curve key which
was never allocated could have been freed again.
- It was possible to move the cursor using pointerlock
from an iframe. This allowed moving the cursor outside
of the viewport and the Firefox window.
more... | firefox
more detail |
2024-08-30 | VuXML ID 7e9cc7fd-6b3e-46c5-ad6d-409d90d41bbf
hadmut reports:
This C library includes 2 command-line tools that can take
credentials as command-line options. The credentials are exposed
as plain-text in the process list. This could allow an attacker
with access to the process list to see the credentials.
more... | rabbitmq-c
more detail |
2024-08-30 | VuXML ID eb437e17-66a1-11ef-ac08-75165d18d8d2
The forgejo team reports:
The scope of application tokens was not verified when writing
containers or Conan packages. This is of no consequence when the
user associated with the application token does not have write
access to packages. If the user has write access to packages, such
a token can be used to write containers and Conan packages. An
application token that was used to write containers or Conan
packages without the package:write scope will now fail with an
unauthorized error. It must be re-created to include the
package:write scope.
more... | forgejo
more detail |
2024-08-29 | VuXML ID 44de1b82-662d-11ef-a51b-b42e991fc52e
security@mozilla.org reports:
This update includes 3 CVEs:
- The contextual menu for links could provide an
opportunity for cross-site scripting attacks.
- Long pressing on a download link could potentially
provide a means for cross-site scripting.
- Long pressing on a download link could potentially
allow Javascript commands to be executed within the
browser.
more... | firefox
more detail |
2024-08-29 | VuXML ID 46419e8c-65d9-11ef-ac06-b0416f0c4c67
report@snyk.io reports:
All versions of the package configobj are vulnerable to Regular
Expression Denial of Service (ReDoS) via the validate function,
using (.+?)\((.*)\). Note: This is only exploitable in the case
of a developer putting the offending value in a server side
configuration file.
more... | py310-configobj py311-configobj py38-configobj py39-configobj
more detail |
2024-08-29 | VuXML ID 6f2545bb-65e8-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [351865302] High CVE-2024-7969: Type Confusion in V8. Reported by CFF of Topsec Alpha Team on 2024-07-09
- [360265320] High CVE-2024-8193: Heap buffer overflow in Skia. Reported by Renan Rios (@hyhy_100) on 2024-08-16
- [360533914] High CVE-2024-8194: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-08-18
- [360758697] High CVE-2024-8198: Heap buffer overflow in Skia. Reported by Renan Rios (@hyhy_100) on 2024-08-19
more... | chromium ungoogled-chromium
more detail |
2024-08-25 | VuXML ID 49ef501c-62b6-11ef-bba5-2cf05da270f3
Gitlab reports:
The GitLab Web Interface Does Not Guarantee Information Integrity When Downloading Source Code from Releases
Denial of Service by importing maliciously crafted GitHub repository
Prompt injection in "Resolve Vulnerability" results in arbitrary command execution in victim's pipeline
An unauthorized user can perform certain actions through GraphQL after a group owner enables IP restrictions
more... | gitlab-ce gitlab-ee
more detail |
2024-08-23 | VuXML ID 6e8b9c75-6179-11ef-8a7d-b42e991fc52e
cve@mitre.org reports:
MCPP 2.7.2 has a heap-based buffer overflow in the do_msg() function
in support.c.
more... | mcpp
more detail |
2024-08-23 | VuXML ID 7e6e932f-617b-11ef-8a7d-b42e991fc52e
security@mozilla.org reports:
- CVE-2024-5697: A website was able to detect when a
user took a screenshot of a page using the built-in
Screenshot functionality in Firefox.
- CVE-2024-5698: By manipulating the fullscreen
feature while opening a data-list, an attacker could
have overlaid a text box over the address bar. This
could have led to user confusion and possible spoofing
attacks.
more... | firefox
more detail |
2024-08-23 | VuXML ID f2b1da2e-6178-11ef-8a7d-b42e991fc52e
cve@mitre.org reports:
md_analyze_line in md4c.c in md4c 0.4.7 allows attackers
to trigger use of uninitialized memory, and cause a denial
of service via a malformed Markdown document.
more... | md4c
more detail |
2024-08-22 | VuXML ID addc71b8-6024-11ef-86a1-8c164567ca3c
The nginx development team reports:
This update fixes the buffer overread vulnerability in the
ngx_http_mp4_module.
more... | nginx nginx-devel
more detail |
2024-08-22 | VuXML ID b339992e-6059-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 38 security fixes:
- [358296941] High CVE-2024-7964: Use after free in Passwords. Reported by Anonymous on 2024-08-08
- [356196918] High CVE-2024-7965: Inappropriate implementation in V8. Reported by TheDog on 2024-07-30
- [355465305] High CVE-2024-7966: Out of bounds memory access in Skia. Reported by Renan Rios (@HyHy100) on 2024-07-25
- [355731798] High CVE-2024-7967: Heap buffer overflow in Fonts. Reported by Tashita Software Security on 2024-07-27
- [349253666] High CVE-2024-7968: Use after free in Autofill. Reported by Han Zheng (HexHive) on 2024-06-25
- [351865302] High CVE-2024-7969: Type Confusion in V8. Reported by CFF of Topsec Alpha Team on 2024-07-09
- [360700873] High CVE-2024-7971: Type confusion in V8. Reported by Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC) on 2024-08-19
- [345960102] Medium CVE-2024-7972: Inappropriate implementation in V8. Reported by Simon Gerst (intrigus-lgtm) on 2024-06-10
- [345518608] Medium CVE-2024-7973: Heap buffer overflow in PDFium. Reported by soiax on 2024-06-06
- [339141099] Medium CVE-2024-7974: Insufficient data validation in V8 API. Reported by bowu(@gocrashed) on 2024-05-07
- [347588491] Medium CVE-2024-7975: Inappropriate implementation in Permissions. Reported by Thomas Orlita on 2024-06-16
- [339654392] Medium CVE-2024-7976: Inappropriate implementation in FedCM. Reported by Alesandro Ortiz on 2024-05-10
- [324770940] Medium CVE-2024-7977: Insufficient data validation in Installer. Reported by Kim Dong-uk (@justlikebono) on 2024-02-11
- [40060358] Medium CVE-2024-7978: Insufficient policy enforcement in Data Transfer. Reported by NDevTK on 2022-07-21
- [356064205] Medium CVE-2024-7979: Insufficient data validation in Installer. Reported by VulnNoob on 2024-07-29
- [356328460] Medium CVE-2024-7980: Insufficient data validation in Installer. Reported by VulnNoob on 2024-07-30
- [40067456] Low CVE-2024-7981: Inappropriate implementation in Views. Reported by Thomas Orlita on 2023-07-14
- [350256139] Low CVE-2024-8033: Inappropriate implementation in WebApp Installs. Reported by Lijo A.T on 2024-06-30
- [353858776] Low CVE-2024-8034: Inappropriate implementation in Custom Tabs. Reported by Bharat (mrnoob) on 2024-07-18
- [40059470] Low CVE-2024-8035: Inappropriate implementation in Extensions. Reported by Microsoft on 2022-04-26
more... | chromium ungoogled-chromium
more detail |
2024-08-20 | VuXML ID 04c9c3f8-5ed3-11ef-8262-b0416f0c4c67
security-advisories@github.com reports:
Jinja is an extensible templating engine. The `xmlattr` filter in
affected versions of Jinja accepts keys containing non-attribute
characters. XML/HTML attributes cannot contain spaces, `/`, `>`,
or `=`, as each would then be interpreted as starting a separate
attribute. If an application accepts keys (as opposed to only
values) as user input, and renders these in pages that other users
see as well, an attacker could use this to inject other attributes
and perform XSS. The fix for CVE-2024-22195 only addressed spaces
but not other characters. Accepting keys as user input is now
explicitly considered an unintended use case of the `xmlattr` filter,
and code that does so without otherwise validating the input should
be flagged as insecure, regardless of Jinja version. Accepting
_values_ as user input continues to be safe. This vulnerability
is fixed in 3.1.4.
more... | py310-Jinja2 py311-Jinja2 py38-Jinja2 py39-Jinja2
more detail |
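The Jinja entry above turns on one distinction: escaping protects attribute values, while a user-controlled attribute key is emitted verbatim, so any delimiter in the key (space, `/`, `>`, `=`) closes the current attribute and opens another. The block below is an added example, not Jinja's own code: it models three versions of an `xmlattr`-style helper (no key check, a space-only key check of the kind the entry says was insufficient, and a check that only accepts plain attribute names), and runs a constructed attacker key through each. The accepted-name regex and the sample inputs are assumptions made for the example.

```python
import re
from html import escape

# Attribute names this example accepts. The subset is an assumption made for
# the example: it rejects every character (space, '/', '>', '=', quotes) that
# lets a key close the current attribute and start another one.
_SAFE_ATTR_NAME = re.compile(r"^[A-Za-z_:][A-Za-z0-9_:.-]*$")


def is_safe_attr_name(name: str) -> bool:
    return bool(_SAFE_ATTR_NAME.match(name))


def _pair(key: str, value) -> str:
    # Values are escaped, so user-supplied *values* cannot break out.
    return f' {key}="{escape(str(value), quote=True)}"'


def xmlattr_unchecked(attrs: dict) -> str:
    """Key is emitted verbatim: the behaviour the advisory calls unsafe."""
    return "".join(_pair(k, v) for k, v in attrs.items() if v is not None)


def xmlattr_space_only(attrs: dict) -> str:
    """Models a fix that rejects only spaces in keys; '/', '>' and '=' still pass."""
    for key in attrs:
        if " " in key:
            raise ValueError(f"attribute name contains a space: {key!r}")
    return xmlattr_unchecked(attrs)


def xmlattr_hardened(attrs: dict) -> str:
    """Rejects any key that is not a plain attribute name."""
    for key in attrs:
        if not is_safe_attr_name(key):
            raise ValueError(f"invalid attribute name: {key!r}")
    return xmlattr_unchecked(attrs)


def hardened_rejects(attrs: dict) -> bool:
    """True if the hardened helper refuses this attribute mapping."""
    try:
        xmlattr_hardened(attrs)
    except ValueError:
        return True
    return False


def injected_event_handlers(markup: str) -> list:
    """Rough view of what a browser sees: on* attribute names after a delimiter."""
    return re.findall(r"[\s/](on[a-z]+)=", markup)


# Constructed attacker input: the payload is the *key*; the value is harmless.
# No space is used, so a space-only check does not catch it.
ATTACKER_ATTRS = {"href": "/u/alice", "data-x/onmouseover=alert(1)/y": "1"}
# Constructed benign input: a value containing quotes is escaped, not rejected.
BENIGN_ATTRS = {"href": "/u/alice", "title": 'say "hi"'}


if __name__ == "__main__":
    print("unchecked :", xmlattr_unchecked(ATTACKER_ATTRS))
    print("space-only:", xmlattr_space_only(ATTACKER_ATTRS))
    print("hardened rejects attacker key:", hardened_rejects(ATTACKER_ATTRS))
    print("hardened  :", xmlattr_hardened(BENIGN_ATTRS))
```

The space-only variant still emits `onmouseover=alert(1)` from the attacker key, which is the gap the entry describes; the hardened variant raises on that key and still renders the quoted benign title correctly, because escaping of values is untouched. The practical rule from the entry stands regardless of Jinja version: never let keys come from user input, and flag code that does.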
2024-08-19 | VuXML ID d0ac9a17-5e68-11ef-b8cc-b42e991fc52e
security@mozilla.org reports:
Select options could obscure the fullscreen notification dialog.
This could be used by a malicious site to perform a spoofing attack.
This vulnerability affects Firefox < 129, Firefox ESR < 128.1,
and Thunderbird < 128.1.
more... | firefox
more detail |
2024-08-18 | VuXML ID ac025402-4cbc-4177-bd99-c20c03a07f23
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-6776.
- Security: backported fix for CVE-2024-6778.
- Security: backported fix for CVE-2024-6777.
- Security: backported fix for CVE-2024-6773.
- Security: backported fix for CVE-2024-6774.
- Security: backported fix for CVE-2024-6772.
- Security: backported fix for CVE-2024-6775.
- Security: backported fix for CVE-2024-6779.
- Security: backported fix for CVE-2024-6989.
- Security: backported fix for CVE-2024-6991.
more... | electron29 electron30
more detail |
2024-08-18 | VuXML ID e61af8f4-455d-4f99-8d81-fbb004929dab
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-6989.
- Security: backported fix for CVE-2024-6991.
more... | electron31
more detail |
2024-08-16 | VuXML ID 6a6ad6cb-5c6c-11ef-b456-001e676bf734
Dovecot reports:
A DoS is possible with a large number of address headers or abnormally large email headers.
more... | dovecot
more detail |
2024-08-14 | VuXML ID 9d8e9952-5a42-11ef-a219-1c697a616631
Intel reports:
A potential security vulnerability in SMI Transfer monitor (STM) may
allow escalation of privilege. Intel has released microcode updates
to mitigate this potential vulnerability.
A potential security vulnerability in some 3rd Generation Intel Xeon
Scalable Processors may allow denial of service. Intel has released
microcode updates to mitigate this potential vulnerability.
A potential security vulnerability in some 3rd, 4th, and 5th
Generation Intel Xeon Processors may allow escalation of privilege.
Intel has released firmware updates to mitigate this potential
vulnerability.
A potential security vulnerability in the Intel Core Ultra Processor
stream cache mechanism may allow escalation of privilege. Intel has
released microcode updates to mitigate this potential vulnerability.
A potential security vulnerability in some Intel Processor stream
cache mechanisms may allow escalation of privilege. Intel has
released microcode updates to mitigate this potential vulnerability.
more... | cpu-microcode-intel
more detail |
2024-08-13 | VuXML ID 5d7939f6-5989-11ef-9793-b42e991fc52e
security@mozilla.org reports:
- CVE-2024-7531: Calling `PK11_Encrypt()` in NSS using
CKM_CHACHA20 and the same buffer for input and output can
result in plaintext on an Intel Sandy Bridge processor. In
Firefox this only affects the QUIC header protection
feature when the connection is using the ChaCha20-Poly1305
cipher suite. The most likely outcome is connection
failure, but if the connection persists despite the high
packet loss it could be possible for a network observer to
identify packets as coming from the same source despite a
network path change. This vulnerability affects Firefox
< 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
- CVE-2024-7529: The date picker could partially obscure
security prompts. This could be used by a malicious site
to trick a user into granting permissions. This
vulnerability affects Firefox < 129, Firefox ESR <
115.14, Firefox ESR < 128.1, Thunderbird < 128.1,
and Thunderbird < 115.14.
- CVE-2024-7525: It was possible for a web extension with
minimal permissions to create a `StreamFilter` which could
be used to read and modify the response body of requests
on any site. This vulnerability affects Firefox < 129,
Firefox ESR < 115.14, Firefox ESR < 128.1,
Thunderbird < 128.1, and Thunderbird < 115.14.
- CVE-2024-7522: Editor code failed to check an attribute
value. This could have led to an out-of-bounds read. This
vulnerability affects Firefox < 129, Firefox ESR <
115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and
Thunderbird < 115.14.
- CVE-2024-7520: A type confusion bug in WebAssembly could
be leveraged by an attacker to potentially achieve code
execution. This vulnerability affects Firefox < 129,
Firefox ESR < 128.1, and Thunderbird < 128.1.
- CVE-2024-7521: Incomplete WebAssembly exception handling
could have led to a use-after-free. This vulnerability
affects Firefox < 129, Firefox ESR < 115.14,
Firefox ESR < 128.1, Thunderbird < 128.1, and
Thunderbird < 115.14.
- CVE-2024-7530: Incorrect garbage collection interaction
could have led to a use-after-free. This vulnerability
affects Firefox < 129.
- CVE-2024-7528: Incorrect garbage collection interaction in
IndexedDB could have led to a use-after-free. This
vulnerability affects Firefox < 129,
Firefox ESR < 128.1, and Thunderbird < 128.1.
- CVE-2024-7527: Unexpected marking work at the start of
sweeping could have led to a use-after-free. This
vulnerability affects Firefox < 129,
Firefox ESR < 115.14, Firefox ESR < 128.1,
Thunderbird < 128.1, and Thunderbird < 115.14.
more... | mozilla
more detail |
2024-08-12 | VuXML ID d2723b0f-58d9-11ef-b611-84a93843eb75
SO-AND-SO reports:
This release has several CVE Reports fixed and we recommend
everybody to update to the latest version as soon as possible.
more... | vaultwarden
more detail |
2024-08-10 | VuXML ID 5776cc4f-5717-11ef-b611-84a93843eb75
The Roundcube project reports:
XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]
more... | roundcube
more detail |
2024-08-10 | VuXML ID 7d631146-5769-11ef-b618-1c697a616631
AMD reports:
Researchers from IOActive have reported that it may be possible for
an attacker with ring 0 access to modify the configuration of System
Management Mode (SMM) even when SMM Lock is enabled. Improper
validation in a model specific register (MSR) could allow a malicious
program with ring0 access to modify SMM configuration while SMI lock
is enabled, potentially leading to arbitrary code execution.
more... | cpu-microcode-amd
more detail |
2024-08-10 | VuXML ID aa1c7af9-570e-11ef-a43e-b42e991fc52e
security@mozilla.org reports:
By monitoring the time certain operations take, an attacker could
have guessed which external protocol handlers were functional on a
user's system. This vulnerability affects Firefox < 127,
Firefox ESR < 115.12, and Thunderbird < 115.12.
more... | firefox
more detail |
2024-08-09 | VuXML ID 587ed8ac-5957-11ef-854a-001e676bf734
OpenHAB reports:
This patch release addresses the following security advisories:
All of these are related to the CometVisu add-on for openHAB - if you are a user of CometVisu, we strongly recommend upgrading your system to openHAB 4.2.1 in order to fix those vulnerabilities.
more... | openhab-addons
more detail |
2024-08-09 | VuXML ID 8c342a6c-563f-11ef-a77e-901b0e9408dc
soft-serve team reports:
Arbitrary code execution by crafting git ssh requests
It is possible for a user who can commit files to a
repository hosted by Soft Serve to execute arbitrary code
via environment manipulation and Git.
more... | soft-serve
more detail |
2024-08-08 | VuXML ID 48e6d514-5568-11ef-af48-6cc21735f730
PostgreSQL project reports:
An attacker able to create and drop non-temporary objects could
inject SQL code that would be executed by a concurrent pg_dump
session with the privileges of the role running pg_dump
(which is often a superuser). The attack involves replacing a
sequence or similar object with a view or foreign table that will
execute malicious code. To prevent this, introduce a new server
parameter restrict_nonsystem_relation_kind that can disable
expansion of non-builtin views as well as access to foreign
tables, and teach pg_dump to set it when available. Note that the
attack is prevented only if both pg_dump and the server it is
dumping from are new enough to have this fix.
more... | postgresql12-client postgresql12-server postgresql13-client postgresql13-server postgresql14-client postgresql14-server postgresql15-client postgresql15-server postgresql16-client postgresql16-server
more detail |
2024-08-07 | VuXML ID 729008b9-54bf-11ef-a61b-2cf05da270f3
Gitlab reports:
Privilege Escalation via LFS Tokens Granting Unrestricted Repository Access
Cross project access of Security policy bot
Advanced search ReDOS in highlight for code results
Denial of Service via banzai pipeline
Denial of service using adoc files
ReDoS in RefMatcher when matching branch names using wildcards
Path encoding can cause the Web interface to not render diffs correctly
XSS while viewing raw XHTML files through API
Ambiguous tag name exploitation
Logs disclosings potentially sensitive data in query params
Password bypass on approvals using policy projects
ReDoS when parsing git push
Webhook deletion audit log can preserve auth credentials
more... | gitlab-ce gitlab-ee
more detail |
2024-08-07 | VuXML ID 94d441d2-5497-11ef-9d2f-080027836e8b
Django reports:
CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat().
CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize().
CVE-2024-41991: Potential denial-of-service vulnerability in
django.utils.html.urlize() and AdminURLFieldWidget.
CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list().
more... | py310-django42 py310-django50 py311-django42 py311-django50 py39-django42
more detail |
2024-08-07 | VuXML ID db8fa362-0ccb-4aa8-9220-72b7763e9a4a
Jenkins Security Advisory:
- (Critical) SECURITY-3430 / CVE-2024-43044: Arbitrary file read vulnerability through agent connections can lead to RCE
- (Medium) SECURITY-3349 / CVE-2024-43045: Missing permission check allows accessing other users' "My Views"
more... | jenkins jenkins-lts
more detail |
2024-08-06 | VuXML ID 05cd9f82-5426-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 5 security fixes:
- [350528343] Critical CVE-2024-7532: Out of bounds memory access in ANGLE. Reported by wgslfuzz on 2024-07-02
- [353552540] High CVE-2024-7533: Use after free in Sharing. Reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-07-17
- [355256380] High CVE-2024-7550: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-07-25
- [352467338] High CVE-2024-7534: Heap buffer overflow in Layout. Reported by Tashita Software Security on 2024-07-11
- [352690885] High CVE-2024-7535: Inappropriate implementation in V8. Reported by Tashita Software Security on 2024-07-12
- [354847246] High CVE-2024-7536: Use after free in WebAudio. Reported by Cassidy Kim(@cassidy6564) on 2024-07-23
more... | chromium ungoogled-chromium
more detail |
2024-07-31 | VuXML ID 15d398ea-4f73-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 3 security fixes:
- [353034820] Critical CVE-2024-6990: Uninitialized Use in Dawn. Reported by gelatin dessert on 2024-07-15
- [352872238] High CVE-2024-7255: Out of bounds read in WebTransport. Reported by Marten Richter on 2024-07-13
- [354748060] High CVE-2024-7256: Insufficient data validation in Dawn. Reported by gelatin dessert on 2024-07-23
more... | chromium ungoogled-chromium
more detail |
2024-07-30 | VuXML ID fb0b5574-4e64-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 22 security fixes:
- [349198731] High CVE-2024-6988: Use after free in Downloads. Reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-06-25
- [349342289] High CVE-2024-6989: Use after free in Loader. Reported by Anonymous on 2024-06-25
- [346618785] High CVE-2024-6991: Use after free in Dawn. Reported by wgslfuzz on 2024-06-12
- [339686368] Medium CVE-2024-6994: Heap buffer overflow in Layout. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2024-05-10
- [343938078] Medium CVE-2024-6995: Inappropriate implementation in Fullscreen. Reported by Alesandro Ortiz on 2024-06-01
- [333708039] Medium CVE-2024-6996: Race in Frames. Reported by Louis Jannett (Ruhr University Bochum) on 2024-04-10
- [325293263] Medium CVE-2024-6997: Use after free in Tabs. Reported by Sven Dysthe (@svn-dys) on 2024-02-15
- [340098902] Medium CVE-2024-6998: Use after free in User Education. Reported by Sven Dysthe (@svn-dys) on 2024-05-13
- [340893685] Medium CVE-2024-6999: Inappropriate implementation in FedCM. Reported by Alesandro Ortiz on 2024-05-15
- [339877158] Medium CVE-2024-7000: Use after free in CSS. Reported by Anonymous on 2024-05-11
- [347509736] Medium CVE-2024-7001: Inappropriate implementation in HTML. Reported by Jake Archibald on 2024-06-17
- [338233148] Low CVE-2024-7003: Inappropriate implementation in FedCM. Reported by Alesandro Ortiz on 2024-05-01
- [40063014] Low CVE-2024-7004: Insufficient validation of untrusted input in Safe Browsing. Reported by Anonymous on 2023-02-10
- [40068800] Low CVE-2024-7005: Insufficient validation of untrusted input in Safe Browsing. Reported by Umar Farooq on 2023-08-04
more... | chromium ungoogled-chromium
more detail |
2024-07-28 | VuXML ID 8057d198-4d26-11ef-8e64-641c67a117d8
Mitre reports:
In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK.
more... | znc
more detail |
2024-07-26 | VuXML ID 3e917407-4b3f-11ef-8e49-001999f8d30b
Mailpit developer reports:
A vulnerability was discovered which allowed a bad
actor with SMTP access to Mailpit to bypass the Content
Security Policy headers using a series of crafted HTML
messages which could result in a stored XSS attack via
the web UI.
more... | mailpit
more detail |
2024-07-25 | VuXML ID 24c88add-4a3e-11ef-86d7-001b217b3468
Gitlab reports:
XSS via the Maven Dependency Proxy
Project level analytics settings leaked in DOM
Reports can access and download job artifacts despite use of settings to prevent it
Direct Transfer - Authorised project/group exports are accessible to other users
Bypassing tag check and branch check through imports
Project Import/Export - Make project/group export files hidden to everyone except user who initiated it
more... | gitlab-ce gitlab-ee
more detail |
2024-07-19 | VuXML ID 574028b4-a181-455b-a78b-ec5c62781235
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-6291.
- Security: backported fix for CVE-2024-6293.
- Security: backported fix for CVE-2024-6290.
- Security: backported fix for CVE-2024-6292.
more... | electron29
more detail |
2024-07-17 | VuXML ID 088b8b7d-446c-11ef-b611-84a93843eb75
The Apache httpd project reports:
source code disclosure with handlers configured via AddType
(CVE-2024-40725) (Important): A partial fix for CVE-2024-39884
in the core of Apache HTTP Server 2.4.61 ignores some use of the
legacy content-type based configuration of handlers. "AddType"
and similar configuration, under some circumstances where files
are requested indirectly, result in source code disclosure of
local content. For example, PHP scripts may be served instead
of interpreted.
more... | apache24
more detail |
2024-07-16 | VuXML ID 3b018063-4358-11ef-b611-84a93843eb75
Oracle reports:
36 new security patches for Oracle MySQL. 11 of these vulnerabilities
may be remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle
MySQL is 9.8.
more... | mysql80-client mysql80-server mysql81-client mysql81-server mysql84-client mysql84-server
more detail |
2024-07-16 | VuXML ID 6091d1d8-4347-11ef-a4d4-080027957747
GLPI team reports:
GLPI 10.0.16 Changelog
- [SECURITY - high] Account takeover via SQL Injection in AJAX scripts (CVE-2024-37148)
- [SECURITY - high] Remote code execution through the plugin loader (CVE-2024-37149)
- [SECURITY - moderate] Authenticated file upload to restricted tickets (CVE-2024-37147)
more... | glpi
more detail |
2024-07-13 | VuXML ID 55d4a92f-c75f-43e8-ab1f-4a0efc9795c4
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-6291.
- Security: backported fix for CVE-2024-6293.
- Security: backported fix for CVE-2024-6290.
- Security: backported fix for CVE-2024-6292.
more... | electron29
more detail |
2024-07-13 | VuXML ID 6410f91d-1214-4f92-b7e0-852e39e265f9
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-5493.
- Security: backported fix for CVE-2024-5831.
- Security: backported fix for CVE-2024-5832.
- Security: backported fix for CVE-2024-6100.
- Security: backported fix for CVE-2024-6101.
- Security: backported fix for CVE-2024-6103.
- Security: backported fix for CVE-2024-6291.
- Security: backported fix for CVE-2024-6293.
- Security: backported fix for CVE-2024-6290.
- Security: backported fix for CVE-2024-6292.
more... | electron30
more detail |
2024-07-11 | VuXML ID acb4eab6-3f6d-11ef-8657-001b217b3468
Gitlab reports:
An attacker can run pipeline jobs as an arbitrary user
Developer user with admin_compliance_framework permission can change group URL
Admin push rules custom role allows creation of project level deploy token
Package registry vulnerable to manifest confusion
User with admin_group_member permission can ban group members
Subdomain takeover in GitLab Pages
more... | gitlab-ce gitlab-ee
more detail |
2024-07-10 | VuXML ID 171afa61-3eba-11ef-a58f-080027836e8b
Django reports:
CVE-2024-38875: Potential denial-of-service in django.utils.html.urlize().
CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords.
CVE-2024-39330: Potential directory-traversal in django.core.files.storage.Storage.save().
CVE-2024-39614: Potential denial-of-service in django.utils.translation.get_supported_language_variant().
more... | py310-django42 py310-django50 py311-django42 py311-django50 py39-django42
more detail |
2024-07-07 | VuXML ID 767dfb2d-3c9e-11ef-a829-5404a68ad561
The traefik authors report:
There is a vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early
data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses.
more... | traefik
more detail |
2024-07-04 | VuXML ID 51498ee4-39a1-11ef-b609-002590c1f29c
Request Tracker reports:
CVE-2024-3262 describes previously viewed pages being stored in the
browser cache, which is the typical default behavior of most browsers to
enable the "back" button. Someone who gains access to a host computer could
potentially view ticket data using the back button, even after logging out
of RT. The CVE specifically references RT version 4.4.1, but this behavior
is present in most browsers viewing all versions of RT before 5.0.6.
more... | rt50
more detail |
2024-07-04 | VuXML ID 5d921a8c-3a43-11ef-b611-84a93843eb75
The Apache httpd project reports:
source code disclosure with handlers configured via AddType
(CVE-2024-39884) (Important). A regression in the core of Apache HTTP
Server 2.4.60 ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly, result
in source code disclosure of local content. For example, PHP scripts
may be served instead of interpreted.
more... | apache24
more detail |
2024-07-03 | VuXML ID b0374722-3912-11ef-a77e-901b0e9408dc
The Go project reports:
net/http: denial of service due to improper 100-continue handling
The net/http HTTP/1.1 client mishandled the case where a
server responds to a request with an "Expect: 100-continue"
header with a non-informational (200 or higher) status. This
mishandling could leave a client connection in an invalid
state, where the next request sent on the connection will
fail.
An attacker sending a request to a
net/http/httputil.ReverseProxy proxy can exploit this
mishandling to cause a denial of service by sending "Expect:
100-continue" requests which elicit a non-informational
response from the backend. Each such request leaves the
proxy with an invalid connection, and causes one subsequent
request using that connection to fail.
more... | go121 go122
more detail |
2024-07-03* | VuXML ID f1a00122-3797-11ef-b611-84a93843eb75
The OpenSSH project reports:
A race condition in sshd(8) could allow remote code execution as root on non-OpenBSD systems.
more... | openssh-portable
more detail |
2024-07-01 | VuXML ID d7efc2ad-37af-11ef-b611-84a93843eb75
The Apache httpd project reports:
DoS by Null pointer in websocket over HTTP/2 (CVE-2024-36387) (Low).
Serving WebSocket protocol upgrades over a HTTP/2 connection could
result in a Null Pointer dereference, leading to a crash of the server
process, degrading performance.
Proxy encoding problem (CVE-2024-38473) (Moderate).
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier
allows request URLs with incorrect encoding to be sent to backend
services, potentially bypassing authentication via crafted requests.
Weakness with encoded question marks in backreferences
(CVE-2024-38474) (Important). Substitution encoding issue in
mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker
to execute scripts in directories permitted by the configuration but
not directly reachable by any URL or source disclosure of scripts
meant only to be executed as CGI.
Weakness in mod_rewrite when first segment of substitution matches
filesystem path (CVE-2024-38475) (Important). Improper escaping of
output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows
an attacker to map URLs to filesystem locations that are permitted to
be served by the server but are not intentionally/directly reachable
by any URL, resulting in code execution or source code disclosure.
Substitutions in server context that use backreferences or variables
as the first segment of the substitution are affected. Some unsafe
RewriteRules will be broken by this change and the rewrite flag
"UnsafePrefixStat" can be used to opt back in once ensuring the
substitution is appropriately constrained.
may use exploitable/malicious backend application output to run local
handlers via internal redirect (CVE-2024-38476) (Important).
A vulnerability in the core of Apache HTTP Server 2.4.59 and earlier
allows information disclosure, SSRF or local script execution via
backend applications whose response headers are malicious or
exploitable.
Crash resulting in Denial of Service in mod_proxy via a malicious
request (CVE-2024-38477) (Important). Null pointer dereference in
mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker
to crash the server via a malicious request.
mod_rewrite proxy handler substitution (CVE-2024-39573) (Moderate).
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier
allows an attacker to cause unsafe RewriteRules to unexpectedly setup
URL's to be handled by mod_proxy.
more... | apache24
more detail |
2024-06-30 | VuXML ID c742dbe8-3704-11ef-9e6e-b42e991fc52e
cve@mitre.org reports:
This entry documents the following three vulnerabilities:
- Netatalk before 3.2.1 has an off-by-one error and resultant heap-based
buffer overflow because of setting ibuf[len] to '\0' in
FPMapName in afp_mapname in etc/afpd/directory.c. 2.4.1 and 3.1.19
are also fixed versions.
- Netatalk before 3.2.1 has an off-by-one error, and resultant
heap-based buffer overflow and segmentation violation, because of
incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c.
The original issue 1097 report stated: 'The latest version of
Netatalk (v3.2.0) contains a security vulnerability. This vulnerability
arises due to a lack of validation for the length field after parsing
user-provided data, leading to an out-of-bounds heap write of one
byte (\0). Under specific configurations, this can result in reading
metadata of the next heap block, potentially causing a Denial of
Service (DoS) under certain heap layouts or with ASAN enabled. ...
- Netatalk before 3.2.1 has an off-by-one error and resultant heap-based
buffer overflow because of setting ibuf[PASSWDLEN] to '\0'
in FPLoginExt in login in etc/uams/uams_pam.c. 2.4.1 and 3.1.19
are also fixed versions.
more... | netatalk3
more detail |
2024-06-28 | VuXML ID 07f0ea8c-356a-11ef-ac6d-a0423f48a938
cve@mitre.org reports:
In FRRouting (FRR) through 9.1, there are multiple vulnerabilities.
- CVE-2024-31950: buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets
- CVE-2024-31951: buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets
more... | frr8 frr9
more detail |
2024-06-28 | VuXML ID 0e73964d-053a-481a-bf1c-202948d68484
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-5499.
- Security: backported fix for CVE-2024-5493.
- Security: backported fix for CVE-2024-5494.
- Security: backported fix for CVE-2024-5495.
- Security: backported fix for CVE-2024-5496.
- Security: backported fix for CVE-2024-5158.
- Security: backported fix for CVE-2024-5160.
- Security: backported fix for CVE-2024-5157.
- Security: backported fix for CVE-2024-5159.
- Security: backported fix for CVE-2024-5831.
- Security: backported fix for CVE-2024-5832.
- Security: backported fix for CVE-2024-6100.
- Security: backported fix for CVE-2024-6101.
- Security: backported fix for CVE-2024-6103.
more... | electron29
more detail |
2024-06-27 | VuXML ID 589de937-343f-11ef-8a7b-001b217b3468
Gitlab reports:
Run pipelines as any user
Stored XSS injected in imported project's commit notes
CSRF on GraphQL API IntrospectionQuery
Remove search results from public projects with unauthorized repos
Cross window forgery in user application OAuth flow
Project maintainers can bypass group's merge request approval policy
ReDoS via custom built markdown page
Private job artifacts can be accessed by any user
Security fixes for banzai pipeline
ReDoS in dependency linker
Denial of service using a crafted OpenAPI file
Merge request title disclosure
Access issues and epics without having an SSO session
Non project member can promote key results to objectives
more... | gitlab-ce gitlab-ee
more detail |
2024-06-25 | VuXML ID 2b68c86a-32d5-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 5 security fixes:
- [342428008] High CVE-2024-6290: Use after free in Dawn. Reported by wgslfuzz on 2024-05-23
- [40942995] High CVE-2024-6291: Use after free in Swiftshader. Reported by Cassidy Kim(@cassidy6564) on 2023-11-15
- [342545100] High CVE-2024-6292: Use after free in Dawn. Reported by wgslfuzz on 2024-05-24
- [345993680] High CVE-2024-6293: Use after free in Dawn. Reported by wgslfuzz on 2024-06-09
more... | chromium ungoogled-chromium
more detail |
2024-06-23 | VuXML ID 4f6c4c07-3179-11ef-9da5-1c697a616631
GNU Emacs developers report:
Emacs 29.4 is an emergency bugfix release intended to fix a security vulnerability. Arbitrary shell commands are no longer run when turning on Org mode in order to avoid running malicious code.
more... | emacs emacs-canna emacs-devel emacs-devel-nox emacs-nox emacs-wayland
more detail |
2024-06-22 | VuXML ID 82830965-3073-11ef-a17d-5404a68ad561
The traefik authors report:
There is an Elevation of Privilege vulnerability in the Azure Identity
Libraries and the Microsoft Authentication Library.
more... | traefik
more detail |
2024-06-20 | VuXML ID 007e7e77-2f06-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 6 security fixes:
- [344608204] High CVE-2024-6100: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) participating in SSD Secure Disclosure's TyphoonPWN 2024 on 2024-06-04
- [343748812] High CVE-2024-6101: Inappropriate implementation in WebAssembly. Reported by @ginggilBesel on 2024-05-31
- [339169163] High CVE-2024-6102: Out of bounds memory access in Dawn. Reported by wgslfuzz on 2024-05-07
- [344639860] High CVE-2024-6103: Use after free in Dawn. Reported by wgslfuzz on 2024-06-04
more... | chromium ungoogled-chromium
more detail |
2024-06-20 | VuXML ID 142c538e-b18f-40a1-afac-c479effadd5c
Gert Doering reports that OpenVPN 2.6.11 fixes two security bugs (three on Windows):
CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. (Reynir Björnsson)
CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client. (Reynir Björnsson)
more... | openvpn
more detail |
2024-06-20 | VuXML ID aa2b65e4-2f63-11ef-9cab-4ccc6adda413
Backports for 5 security bugs in Chromium:
- CVE-2024-3837: Use after free in QUIC
- CVE-2024-3839: Out of bounds read in Fonts
- CVE-2024-3914: Use after free in V8
- CVE-2024-4058: Type confusion in ANGLE
- CVE-2024-4558: Use after free in ANGLE
more... | qt5-webengine
more detail |
2024-06-20 | VuXML ID c5415838-2f52-11ef-9cab-4ccc6adda413
Qt qtwebengine-chromium repo reports:
Backports for 7 security bugs in Chromium:
- CVE-2024-4948: Use after free in Dawn
- CVE-2024-5274: Type Confusion in V8
- CVE-2024-5493: Heap buffer overflow in WebRTC
- CVE-2024-5494: Use after free in Dawn
- CVE-2024-5495: Use after free in Dawn
- CVE-2024-5496: Use after free in Media Session
- CVE-2024-5499: Out of bounds write in Streams API
more... | qt6-webengine
more detail |
2024-06-18 | VuXML ID 453aa0fc-2d91-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 21 security fixes:
- [342456991] High CVE-2024-5830: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2024-05-24
- [339171223] High CVE-2024-5831: Use after free in Dawn. Reported by wgslfuzz on 2024-05-07
- [340196361] High CVE-2024-5832: Use after free in Dawn. Reported by wgslfuzz on 2024-05-13
- [342602616] High CVE-2024-5833: Type Confusion in V8. Reported by @ginggilBesel on 2024-05-24
- [342840932] High CVE-2024-5834: Inappropriate implementation in Dawn. Reported by gelatin dessert on 2024-05-26
- [341991535] High CVE-2024-5835: Heap buffer overflow in Tab Groups. Reported by Weipeng Jiang (@Krace) of VRI on 2024-05-22
- [341875171] High CVE-2024-5836: Inappropriate Implementation in DevTools. Reported by Allen Ding on 2024-05-21
- [342415789] High CVE-2024-5837: Type Confusion in V8. Reported by Anonymous on 2024-05-23
- [342522151] High CVE-2024-5838: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-05-24
- [340122160] Medium CVE-2024-5839: Inappropriate Implementation in Memory Allocator. Reported by Micky on 2024-05-13
- [41492103] Medium CVE-2024-5840: Policy Bypass in CORS. Reported by Matt Howard on 2024-01-17
- [326765855] Medium CVE-2024-5841: Use after free in V8. Reported by Cassidy Kim(@cassidy6564) on 2024-02-26
- [40062622] Medium CVE-2024-5842: Use after free in Browser UI. Reported by Sven Dysthe (@svn_dy) on 2023-01-12
- [333940412] Medium CVE-2024-5843: Inappropriate implementation in Downloads. Reported by hjy79425575 on 2024-04-12
- [331960660] Medium CVE-2024-5844: Heap buffer overflow in Tab Strip. Reported by Sri on 2024-04-01
- [340178596] Medium CVE-2024-5845: Use after free in Audio. Reported by anonymous on 2024-05-13
- [341095523] Medium CVE-2024-5846: Use after free in PDFium. Reported by Han Zheng (HexHive) on 2024-05-16
- [341313077] Medium CVE-2024-5847: Use after free in PDFium. Reported by Han Zheng (HexHive) on 2024-05-18
more... | chromium ungoogled-chromium
more detail |
2024-06-15 | VuXML ID 219aaa1e-2aff-11ef-ab37-5404a68ad561
The traefik authors report:
There is a vulnerability in Go managing various Is methods
(IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses.
They didn't work as expected returning false for addresses
which would return true in their traditional IPv4 forms.
more... | traefik
more detail |
2024-06-15 | VuXML ID a5c64f6f-2af3-11ef-a77e-901b0e9408dc
The Go project reports:
archive/zip: mishandling of corrupt central directory record
The archive/zip package's handling of certain types of
invalid zip files differed from the behavior of most zip
implementations. This misalignment could be exploited to
create an zip file with contents that vary depending on the
implementation reading the file. The archive/zip package now
rejects files containing these errors.
net/netip: unexpected behavior from Is methods for
IPv4-mapped IPv6 addresses
The various Is methods (IsPrivate, IsLoopback, etc) did
not work as expected for IPv4-mapped IPv6 addresses,
returning false for addresses which would return true in
their traditional IPv4 forms.
more... | go121 go122
more detail |
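Both the Go advisory above and the traefik entry further up describe the same mistake: asking IsPrivate, IsLoopback and friends about an IPv4-mapped IPv6 address (::ffff:a.b.c.d) and getting an answer for the IPv6 range rather than for the embedded IPv4 address. The Python helper below is an added example written for this page, not code from Go, traefik or FreeBSD. It unmaps such addresses before classifying them, which is what Go's netip.Addr.Unmap does. The is_internal policy (private, loopback or link-local counts as internal) and the sample addresses are assumptions for illustration; what the stdlib itself says about the mapped IPv6 form varies by Python version, which is exactly why the check unmaps first.

```python
import ipaddress
from typing import Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def unmap(addr_text: str) -> Address:
    """Parse an address; if it is an IPv4-mapped IPv6 address
    (::ffff:a.b.c.d), return the embedded IPv4Address instead."""
    addr = ipaddress.ip_address(addr_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_internal(addr_text: str) -> bool:
    """Example allow-list policy (an assumption for this demo): private,
    loopback and link-local addresses are internal. The check runs on the
    unmapped form, so ::ffff:10.0.0.1 is judged like 10.0.0.1 and
    ::ffff:8.8.8.8 like 8.8.8.8, regardless of how the library classifies
    the mapped IPv6 form itself."""
    addr = unmap(addr_text)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def classify(addr_text: str) -> dict:
    """Side-by-side view: the verdict on the raw (possibly mapped) address
    versus the verdict after unmapping. Only the latter is safe to build a
    policy on."""
    raw = ipaddress.ip_address(addr_text)
    unmapped = unmap(addr_text)
    return {
        "input": addr_text,
        "raw_is_private": raw.is_private,
        "unmapped": str(unmapped),
        "unmapped_is_private": unmapped.is_private,
        "internal": is_internal(addr_text),
    }


if __name__ == "__main__":
    # Constructed sample inputs: plain IPv4, mapped IPv6 and native IPv6.
    for sample in ["10.0.0.1", "::ffff:10.0.0.1", "::ffff:8.8.8.8", "::1", "2606:4700::1111"]:
        print(classify(sample))
```

The same idea applies to any allow-list keyed on client address: normalise (unmap) first, then classify, and do it in one helper so no code path forgets the step.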
2024-06-13 | VuXML ID 92cd1c03-2940-11ef-bc02-001b217b3468
Gitlab reports:
ReDoS in gomod dependency linker
ReDoS in CI interpolation (fix bypass)
ReDoS in Asana integration issue mapping when webhook is called
XSS and content injection when viewing raw XHTML files on iOS devices
Missing agentk request validation could cause KAS to panic
more... | gitlab-ce gitlab-ee
more detail |
2024-06-11 | VuXML ID 479df73e-2838-11ef-9cab-4ccc6adda413
David Edmundson reports:
KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE
based purely on the host, allowing all local connections. This allows
another user on the same machine to gain access to the session
manager.
A well crafted client could use the session restore feature to execute
arbitrary code as the user on the next boot.
more... | plasma5-plasma-workspace plasma6-plasma-workspace
more detail |
2024-06-10 | VuXML ID 5f608c68-276c-11ef-8caa-0897988a1c07
Composer project reports:
The status, reinstall and remove commands with packages
installed from source via git containing specially crafted
branch names in the repository can be used to execute
code.
The composer install command running inside a git/hg
repository which has specially crafted branch names can
lead to command injection. So this requires cloning
untrusted repositories.
more... | php81-composer php82-composer php83-composer
more detail |
2024-06-07 | VuXML ID 91929399-249e-11ef-9296-b42e991fc52e
security-advisories@github.com reports:
Kanboard is project management software that focuses on the Kanban
methodology. The vuln is in app/Controller/ProjectPermissionController.php
function addUser(). The users permission to add users to a project
only get checked on the URL parameter project_id. If the user is
authorized to add users to this project the request gets processed.
The users permission for the POST BODY parameter project_id does
not get checked again while processing. An attacker with the
'Project Manager' role on a single project may take over any
other project. The vulnerability is fixed in 1.2.37.
more... | kanboard
more detail |
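The Kanboard bug above is a general authorization pattern worth seeing in code: the permission check reads project_id from one place (the URL) while the state change reads it from another (the POST body). The Python below is an added illustration written for this page, not Kanboard's PHP; Store, the manager and member maps, the user names and the handler names are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


class Forbidden(Exception):
    """Raised when the acting user may not manage the targeted project."""


@dataclass
class Store:
    # project_id -> users allowed to manage that project (constructed sample data)
    managers: Dict[int, Set[str]] = field(default_factory=dict)
    # project_id -> current members
    members: Dict[int, Set[str]] = field(default_factory=dict)

    def is_manager(self, user: str, project_id: int) -> bool:
        return user in self.managers.get(project_id, set())


def add_user_vulnerable(store: Store, actor: str, query: dict, body: dict) -> int:
    """Vulnerable shape: authorise against the URL's project_id, then act on
    the body's project_id, which is never checked."""
    checked_pid = int(query["project_id"])
    if not store.is_manager(actor, checked_pid):
        raise Forbidden(f"{actor} does not manage project {checked_pid}")
    target_pid = int(body["project_id"])          # attacker-controlled, unchecked
    store.members.setdefault(target_pid, set()).add(body["user_id"])
    return target_pid


def add_user_fixed(store: Store, actor: str, query: dict, body: dict) -> int:
    """Hardened shape: derive exactly one project_id, refuse requests where
    the URL and body disagree, and authorise against the value actually used."""
    url_pid = int(query["project_id"])
    body_pid = int(body.get("project_id", url_pid))
    if url_pid != body_pid:
        raise Forbidden("project_id in body does not match URL")
    if not store.is_manager(actor, url_pid):
        raise Forbidden(f"{actor} does not manage project {url_pid}")
    store.members.setdefault(url_pid, set()).add(body["user_id"])
    return url_pid


def sample_store() -> Store:
    # mallory manages project 1 only; alice manages project 2.
    return Store(managers={1: {"mallory"}, 2: {"alice"}})


def takeover_attempt() -> Tuple[int, bool]:
    """Replay the mismatch: URL says project 1 (mallory's), body says project 2.
    Returns (project the vulnerable handler modified, whether the fixed
    handler refused)."""
    query = {"project_id": "1"}
    body = {"project_id": "2", "user_id": "mallory"}
    hit = add_user_vulnerable(sample_store(), "mallory", query, body)
    try:
        add_user_fixed(sample_store(), "mallory", query, body)
        refused = False
    except Forbidden:
        refused = True
    return hit, refused


if __name__ == "__main__":
    print(takeover_attempt())  # (2, True): vulnerable handler touched project 2, fixed one refused
```

The fix is not "check the body too" but "have one source of truth": pick the identifier once, and make every later use, including the authorization check, refer to that same value.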
2024-06-05 | VuXML ID 14908bda-232b-11ef-b621-00155d645102
Cyrus IMAP 3.8.3 Release Notes states:
Fixed CVE-2024-34055: Cyrus-IMAP through 3.8.2 and 3.10.0-beta2 allow authenticated attackers to cause unbounded memory allocation by sending many LITERALs in a single command.
The IMAP protocol allows for command arguments to be LITERALs of negotiated length, and for these the server allocates memory to receive the content before instructing the client to proceed. The allocated memory is released when the whole command has been received and processed.
The IMAP protocol has a number of commands that specify an unlimited number of arguments, for example SEARCH. Each of these arguments can be a LITERAL, for which memory will be allocated and not released until the entire command has been received and processed. This can run a server out of memory, with varying consequences depending on the server's OOM policy.
more... | cyrus-imapd25 cyrus-imapd30 cyrus-imapd32 cyrus-imapd34 cyrus-imapd36 cyrus-imapd38
more detail |
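The Cyrus entry above explains the mechanism well: each LITERAL announces a length, the server reserves that much before the content arrives, and commands such as SEARCH accept an unbounded number of arguments. The Python below is an added toy written for this page, not Cyrus code. It shows the defence such a server needs: a per-command budget on literal count and on total announced size, enforced before the allocation. It simplifies by reading the whole command from one in-memory buffer (as with non-synchronizing {N+} literals); the cap values and the sample commands are constructed for the demo.

```python
import re
from typing import List, Tuple

# Matches a trailing IMAP literal announcement such as "{5}\r\n" or "{5+}\r\n".
LITERAL_RE = re.compile(rb"\{(\d+)\+?\}\r\n$")


class LiteralBudgetExceeded(Exception):
    """The command announced more literal data than this server will hold."""


def parse_command(stream: bytes, max_literals: int = 100,
                  max_literal_bytes: int = 64 * 1024) -> Tuple[List[bytes], int]:
    """Parse one IMAP command from an in-memory buffer, materialising each
    {N} literal into its own argument. Before reserving room for a literal,
    enforce a per-command cap on how many literals have been seen and on the
    sum of their announced sizes; that is the check the advisory says was
    missing. Returns (arguments, total literal bytes accepted)."""
    args: List[bytes] = []
    total = 0
    count = 0
    pos = 0
    while True:
        end = stream.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("command not terminated by CRLF")
        line = stream[pos:end + 2]
        pos = end + 2
        m = LITERAL_RE.search(line)
        if m is None:
            # Last line of the command: remaining atoms, then done.
            args.extend(line[:-2].split())
            return args, total
        args.extend(line[:m.start()].split())
        announced = int(m.group(1))
        count += 1
        total += announced
        # Budget check happens here, before any buffer of `announced` bytes exists.
        if count > max_literals:
            raise LiteralBudgetExceeded(f"{count} literals in one command")
        if total > max_literal_bytes:
            raise LiteralBudgetExceeded(f"{total} literal bytes announced in one command")
        literal = stream[pos:pos + announced]     # the allocation a real server makes
        if len(literal) != announced:
            raise ValueError("literal shorter than announced")
        args.append(literal)
        pos += announced


def is_rejected(stream: bytes, **limits) -> bool:
    """True if the budget check refuses the command, False if it parses."""
    try:
        parse_command(stream, **limits)
        return False
    except LiteralBudgetExceeded:
        return True


# Constructed sample traffic.
LEGIT = b"A001 SEARCH TEXT {5}\r\nhello TEXT {5}\r\nworld\r\n"
# One literal announcing a megabyte: the server would reserve 1 MiB up front.
HUGE_LITERAL = b"A002 SEARCH TEXT {1048576}\r\n"
# 150 one-byte literals in a single SEARCH: each is tiny, but all of them stay
# allocated until the command completes, so the count must be capped as well.
MANY_LITERALS = b"A003 SEARCH" + b" TEXT {1}\r\nx" * 150 + b"\r\n"

if __name__ == "__main__":
    print(parse_command(LEGIT))
    print("huge literal rejected:", is_rejected(HUGE_LITERAL))
    print("many literals rejected:", is_rejected(MANY_LITERALS))
```

Two independent caps are needed: a size cap alone lets a client hold a large number of small buffers, and a count cap alone lets one literal announce gigabytes. Both are checked against what the command has announced so far, not against what has been received.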
2024-06-03 | VuXML ID b058380e-21a4-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 11 security fixes:
- [339877165] High CVE-2024-5493: Heap buffer overflow in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2024-05-11
- [338071106] High CVE-2024-5494: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
- [338103465] High CVE-2024-5495: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
- [338929744] High CVE-2024-5496: Use after free in Media Session. Reported by Cassidy Kim(@cassidy6564) on 2024-05-06
- [339061099] High CVE-2024-5497: Out of bounds memory access in Keyboard Inputs. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2024-05-07
- [339588211] High CVE-2024-5498: Use after free in Presentation API. Reported by anonymous on 2024-05-09
- [339877167] High CVE-2024-5499: Out of bounds write in Streams API. Reported by anonymous on 2024-05-11
more... | chromium ungoogled-chromium
more detail |
2024-05-29 | VuXML ID 320a19f7-1ddd-11ef-a2ae-8c164567ca3c
The nginx development team reports:
This update fixes the following vulnerabilities:
- Stack overflow and use-after-free in HTTP/3
- Buffer overwrite in HTTP/3
- Memory disclosure in HTTP/3
- NULL pointer dereference in HTTP/3
more... | nginx nginx-devel
more detail |
2024-05-29 | VuXML ID 6926d038-1db4-11ef-9f97-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [341663589] High CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20
more... | chromium ungoogled-chromium
more detail |
2024-05-28 | VuXML ID 73a697d7-1d0f-11ef-a490-84a93843eb75
The OpenSSL project reports:
Use After Free with SSL_free_buffers (low).
Calling the OpenSSL API function SSL_free_buffers may cause
memory to be accessed that was previously freed in some situations
more... | openssl openssl-quictls openssl31 openssl31-quictls openssl32 openssl33
more detail |
2024-05-25 | VuXML ID 04e78f32-04b2-4c23-bfae-72600842d317
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-4948.
more... | electron29
more detail |
2024-05-25 | VuXML ID 43d1c381-a3e5-4a1d-b3ed-f37b61a451af
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-4948.
- Security: backported fix for CVE-2024-3914.
- Security: backported fix for CVE-2024-4060.
- Security: backported fix for CVE-2024-4058.
- Security: backported fix for CVE-2024-4558.
more... | electron28
more detail |
2024-05-24 | VuXML ID f5fa174d-19de-11ef-83d8-4ccc6adda413
Andy Shaw reports:
The OAuth1 implementation in QtNetworkAuth created nonces using
a PRNG that was seeded with a predictable seed.
This means that an attacker that can somehow control the time of
the first OAuth1 flow of the process has a high chance of predicting
the nonce used in said OAuth flow.
more... | qt5-networkauth qt6-networkauth
more detail |
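The QtNetworkAuth issue above (a nonce drawn from a PRNG seeded with a predictable value) is easy to reproduce in miniature. The Python below is an added example, not Qt code: weak_nonce stands in for a generator seeded from the clock, strong_nonce for one backed by the OS CSPRNG, and attacker_guesses shows why the former is unsafe, since an attacker who knows the seed to within a few seconds recovers the nonce by trying each candidate seed. The 16-character alphanumeric format and the sample timestamp are assumptions.

```python
import random
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits


def weak_nonce(seed: int, length: int = 16) -> str:
    """Nonce from a deterministic PRNG seeded with a guessable value, for
    example the time at which the first OAuth1 flow ran. Same seed, same nonce."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_nonce(length: int = 16) -> str:
    """Nonce from the OS CSPRNG via the secrets module: there is no seed to recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def attacker_guesses(observed: str, approx_seed: int, window: int = 5) -> Optional[int]:
    """Given one observed nonce and a rough idea of the seed (e.g. the request
    timestamp), try every seed within +/- window and return the one that
    reproduces the nonce, or None if no candidate matches."""
    for candidate in range(approx_seed - window, approx_seed + window + 1):
        if weak_nonce(candidate, len(observed)) == observed:
            return candidate
    return None


def demo() -> dict:
    # Constructed scenario: the victim process seeded its PRNG from a clock
    # reading; the attacker saw the nonce and knows the time to within 3 s.
    victim_seed = 1716508800            # 2024-05-24T00:00:00Z, chosen for the demo
    observed = weak_nonce(victim_seed)
    recovered = attacker_guesses(observed, victim_seed + 3)
    return {
        "observed": observed,
        "recovered_seed": recovered,
        "weak_predictable": recovered == victim_seed,
        "strong_predictable": attacker_guesses(strong_nonce(), victim_seed) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The fix is not a better seed but a different source: nonces, like any value an attacker must not predict, come from the platform CSPRNG (secrets in Python, the equivalent system facility elsewhere), never from a general-purpose PRNG however it is seeded.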
2024-05-22 | VuXML ID 8247af0d-183b-11ef-9f97-a8a1599412c6
Chrome Releases reports:
This update includes 15 security fixes:
- [336012573] High CVE-2024-5157: Use after free in Scheduling. Reported by Looben Yang on 2024-04-21
- [338908243] High CVE-2024-5158: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-05-06
- [335613092] High CVE-2024-5159: Heap buffer overflow in ANGLE. Reported by David Sievers (@loknop) on 2024-04-18
- [338161969] High CVE-2024-5160: Heap buffer overflow in Dawn. Reported by wgslfuzz on 2024-05-01
- [340221135] High CVE-2024-4947: Type Confusion in V8. Reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky on 2024-05-13
- [333414294] High CVE-2024-4948: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
- [326607001] Medium CVE-2024-4949: Use after free in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-02-24
- [40065403] Low CVE-2024-4950: Inappropriate implementation in Downloads. Reported by Shaheen Fazim on 2023-06-06
more... | chromium ungoogled-chromium
more detail |
2024-05-22 | VuXML ID f848ef90-1848-11ef-9850-001b217b3468
Gitlab reports:
1-click account takeover via XSS in the code editor in gitlab.com
A DoS vulnerability in the 'description' field of the runner
CSRF via K8s cluster-integration
Using Set Pipeline Status of a Commit API incorrectly creates a new pipeline when SHA and pipeline_id did not match
ReDoS on wiki render API/Page
Resource exhaustion and denial of service with test_report API calls
Guest user can view dependency lists of private projects through job artifacts
Stored XSS via PDFjs
more... | gitlab-ce gitlab-ee
more detail |
2024-05-21 | VuXML ID 9bcff2c4-1779-11ef-b489-b42e991fc52e
security-advisories@github.com reports:
Openfire's administrative console, a web-based
application, was found to be vulnerable to a path traversal attack
via the setup environment. This permitted an unauthenticated user
to use the unauthenticated Openfire Setup Environment in an already
configured Openfire environment to access restricted pages in the
Openfire Admin Console reserved for administrative users. This
vulnerability affects all versions of Openfire that have been
released since April 2015, starting with version 3.10.0. The problem
has been patched in Openfire release 4.7.5 and 4.6.8, and further
improvements will be included in the yet-to-be released first version
on the 4.8 branch (which is expected to be version 4.8.0). Users
are advised to upgrade. If an Openfire upgrade isn't available for
a specific release, or isn't quickly actionable, users may see the
linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.
more... | openfire
more detail |
2024-05-21 | VuXML ID e020b0fd-1751-11ef-a490-84a93843eb75
The Roundcube project reports:
cross-site scripting (XSS) vulnerability in handling SVG
animate attributes.
cross-site scripting (XSS) vulnerability in handling list
columns from user preferences.
more... | roundcube
more detail |
2024-05-19 | VuXML ID d58455cc-159e-11ef-83d8-4ccc6adda413
Backports for 2 security bugs in Chromium:
- CVE-2024-3157: Out of bounds write in Compositing
- CVE-2024-3516: Heap buffer overflow in ANGLE
more... | qt5-webengine
more detail |
2024-05-18 | VuXML ID f393b5a7-1535-11ef-8064-c5610a6efffb
Tor Project reports:
When building anonymizing circuits to or from an onion
service with 'lite' vanguards (the default) enabled, the
circuit manager code would build the circuits with one
hop too few.
When 'full' vanguards are enabled, some circuits are
supposed to be built with an extra hop to minimize the
linkability of the guard nodes. In some circumstances,
the circuit manager would build circuits with one hop
too few, making it easier for an adversary to discover
the L2 and L3 guards of the affected clients and
services.
more... | arti
more detail |
2024-05-17 | VuXML ID a431676c-f86c-4371-b48a-b7d2b0bec3a3
Electron developers report:
This update fixes the following vulnerability:
- Backported fix for CVE-2024-22017.
more... | electron29
more detail |
2024-05-17 | VuXML ID b88aa380-1442-11ef-a490-84a93843eb75
The OpenSSL project reports:
Excessive time spent checking DSA keys and parameters (Low)
Checking excessively long DSA keys or parameters may be very
slow.
more... | openssl openssl-quictls openssl31 openssl31-quictls openssl32 openssl33
more detail |
2024-05-15 | VuXML ID c6f03ea6-12de-11ef-83d8-4ccc6adda413
Qt qtwebengine-chromium repo reports:
Backports for 16 security bugs in Chromium:
- CVE-2024-2625: Object lifecycle issue in V8
- CVE-2024-2626: Out of bounds read in Swiftshader
- CVE-2024-2885: Use after free in Dawn
- CVE-2024-2887: Type Confusion in WebAssembly
- CVE-2024-3157: Out of bounds write in Compositing
- CVE-2024-3159: Out of bounds memory access in V8
- CVE-2024-3516: Heap buffer overflow in ANGLE
- CVE-2024-3837: Use after free in QUIC
- CVE-2024-3839: Out of bounds read in Fonts
- CVE-2024-3914: Use after free in V8
- CVE-2024-3840: Insufficient policy enforcement in Site Isolation
- CVE-2024-4058: Type Confusion in ANGLE
- CVE-2024-4060: Use after free in Dawn
- CVE-2024-4331: Use after free in Picture In Picture
- CVE-2024-4368: Use after free in Dawn
- CVE-2024-4671: Use after free in Visuals
more... | qt6-webengine
more detail |
2024-05-15 | VuXML ID e79cc4e2-12d7-11ef-83d8-4ccc6adda413
Andy Shaw reports:
QStringConverter has an invalid pointer being passed as a callback
which can allow modification of the stack. Qt itself is not vulnerable
to remote attack however an application using QStringDecoder either
directly or indirectly can be vulnerable.
This requires:
- the attacker be able to tell the application a specific codec to use
- the attacker be able to feed the application data in a specific way to cause the desired modification
- the attacker know what in the stack will get modified, which requires knowing the build of the application (and not all builds will be vulnerable)
- the modification do anything in particular that is useful to the attacker, besides maybe crashing the application
Qt does not automatically use any of those codecs, so this needs the application
to implement something using QStringDecoder to be vulnerable.
more... | qt6-base
more detail |
2024-05-14 | VuXML ID 5afd64ae-122a-11ef-8eed-1c697a616631
Intel reports:
Potential security vulnerabilities in some Intel Trust Domain
Extensions (TDX) module software may allow escalation of
privilege. Improper input validation in some Intel TDX module
software before version 1.5.05.46.698 may allow a privileged user to
potentially enable escalation of privilege via local access. Intel
is releasing firmware updates to mitigate these potential
vulnerabilities.
A potential security vulnerability in some Intel Processors may
allow information disclosure. Hardware logic contains race
conditions in some Intel Processors that may allow an authenticated
user to potentially enable partial information disclosure via local
access. Intel is releasing microcode updates to mitigate this
potential vulnerability.
A potential security vulnerability in Intel Core Ultra Processors
may allow denial of service. A sequence of processor instructions
that leads to unexpected behavior in Intel Core Ultra Processors may
allow an authenticated user to potentially enable denial of service
via local access. Intel is releasing microcode updates to mitigate
this potential vulnerability.
more... | cpu-microcode-intel
more detail |
2024-05-14 | VuXML ID 8e0e8b56-11c6-11ef-9f97-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [339458194] High CVE-2024-4761: Out of bounds write in V8. Reported by Anonymous on 2024-05-09
more... | chromium ungoogled-chromium
more detail |
2024-05-13 | VuXML ID d3847eba-114b-11ef-9c21-901b0e9408dc
The Go project reports:
net: malformed DNS message can cause infinite loop
A malformed DNS message in response to a query can cause
the Lookup functions to get stuck in an infinite loop.
more... | go121 go122
more detail |
2024-05-13 | VuXML ID f2d8342f-1134-11ef-8791-6805ca2fa271
PowerDNS Security Advisory reports:
When incoming DNS over HTTPS support is enabled using the nghttp2 provider,
and queries are routed to a tcp-only or DNS over TLS backend, an attacker can
trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR
or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a
Denial of Service. DNS over HTTPS is not enabled by default, and backends are using
plain DNS (Do53) by default.
more... | dnsdist
more detail |
2024-05-12 | VuXML ID 3cf8ea44-1029-11ef-9f97-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [339266700] High CVE-2024-4671: Use after free in Visuals. Reported by Anonymous on 2024-05-07
more... | chromium ungoogled-chromium
more detail |
2024-05-09 | VuXML ID d53c30c1-0d7b-11ef-ba02-6cc21735f730
PostgreSQL project reports:
A security vulnerability was found in the system views pg_stats_ext
and pg_stats_ext_exprs, potentially allowing authenticated database
users to see data they shouldn't. If this is of concern in your
installation, run the SQL script /usr/local/share/postgresql/fix-CVE-2024-4317.sql
for each of your databases. See the link for details.
more... | postgresql-server
more detail |
2024-05-09 | VuXML ID ec994672-5284-49a5-a7fc-93c02126e5fb
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-3914.
- Security: backported fix for CVE-2024-4558.
more... | electron29
more detail |
2024-05-09 | VuXML ID ee6936da-0ddd-11ef-9c21-901b0e9408dc
Tailscale team reports:
In Tailscale versions earlier than 1.66.0, exit nodes,
subnet routers, and app connectors, could allow inbound
connections to other tailnet nodes from their local area
network (LAN). This vulnerability only affects Linux exit
nodes, subnet routers, and app connectors in tailnets where
ACLs allow "src": "*", such as with default ACLs.
more... | tailscale
more detail |
2024-05-09 | VuXML ID fbc2c629-0dc5-11ef-9850-001b217b3468
Gitlab reports:
ReDoS in branch search when using wildcards
ReDoS in markdown render pipeline
Redos on Discord integrations
Redos on Google Chat Integration
Denial of Service Attack via Pin Menu
DoS by filtering tags and branches via the API
MR approval via CSRF in SAML SSO
Banned user from groups can read issues updates via the api
Require confirmation before linking JWT identity
View confidential issues title and description of any public project via export
SSRF via Github importer
more... | gitlab-ce gitlab-ee
more detail |
2024-05-08 | VuXML ID 059a99a9-45e0-492b-b9f9-5a79573c8eb6
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-4060.
- Security: backported fix for CVE-2024-4058.
more... | electron29
more detail |
2024-05-02 | VuXML ID 4a1e2bad-0836-11ef-9fd2-1c697a616631
HiddenLayer Research reports:
Deserialization of untrusted data can occur in the R statistical programming language, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user's system.
more... | R
more detail |
2024-05-02 | VuXML ID f69415aa-086e-11ef-9f97-a8a1599412c6
Chrome Releases reports:
This update includes 2 security fixes:
- [335003891] High CVE-2024-4331: Use after free in Picture In Picture. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-04-16
- [333508731] High CVE-2024-4368: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
more... | chromium ungoogled-chromium
more detail |
2024-05-01 | VuXML ID da4adc02-07f4-11ef-960d-5404a68ad561
The openSUSE project reports:
The problematic function in question is putSDN() in mail.c. The static variable `cp` is used as an index for a fixed-sized buffer `ibuf`. There is a range check: `if ( cp >= HDR_BUF_LEN ) ...` but under certain circumstances, cp can be incremented beyond the buffer size, leading to a buffer overwrite.
more... | ko-hcode
more detail |
2024-04-28 | VuXML ID 5da8b1e6-0591-11ef-9e00-080027957747
GLPI team reports:
GLPI 10.0.15 Changelog
- [SECURITY - high] Authenticated SQL injection from map search (CVE-2024-31456)
- [SECURITY - high] Account takeover via SQL Injection in saved searches feature (CVE-2024-29889)
more... | glpi
more detail |
2024-04-28 | VuXML ID b3affee8-04d1-11ef-8928-901b0ef714d4
GitHub Advisory Database:
Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change collation of the affected field.
more... | py310-social-auth-app-django py311-social-auth-app-django py38-social-auth-app-django py39-social-auth-app-django
more detail |
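The collation problem described in this entry, as an added example in Python (not code from Python Social Auth): the association table is built twice, once with a case-insensitive uid column and once with a byte-wise one, and the same lookup the login flow performs is run against each. SQLite's NOCASE and BINARY collations stand in for a MySQL/MariaDB `_ci` and `_bin` collation; the table layout, provider name, row and function names are constructed for the example.

```python
import sqlite3

PROVIDER = "example-idp"  # constructed provider name


def build_store(uid_collation: str, stored_uid: str) -> sqlite3.Connection:
    """Constructed stand-in for the social-auth association table with one linked identity.

    SQLite's NOCASE plays the role of MySQL/MariaDB's default case-insensitive (_ci)
    collation, BINARY the role of a _bin collation. uid_collation is a fixed
    identifier chosen by the example, never user input, so interpolating it is safe here.
    """
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE usersocialauth ("
        " provider TEXT NOT NULL,"
        f" uid TEXT NOT NULL COLLATE {uid_collation},"
        " user_id INTEGER NOT NULL,"
        " UNIQUE (provider, uid))"
    )
    con.execute("INSERT INTO usersocialauth VALUES (?, ?, 1)", (PROVIDER, stored_uid))
    return con


def lookup_user(con: sqlite3.Connection, provider: str, uid: str):
    """The comparison the login flow performs: it uses whatever collation the column declares."""
    row = con.execute(
        "SELECT user_id FROM usersocialauth WHERE provider = ? AND uid = ?",
        (provider, uid),
    ).fetchone()
    return None if row is None else row[0]


def lookup_user_strict(con: sqlite3.Connection, provider: str, uid: str):
    """Query-level mitigation: force a byte-wise comparison regardless of the column's collation."""
    row = con.execute(
        "SELECT user_id FROM usersocialauth WHERE provider = ? AND uid = ? COLLATE BINARY",
        (provider, uid),
    ).fetchone()
    return None if row is None else row[0]


def uid_matches(uid_collation: str, stored_uid: str, presented_uid: str) -> bool:
    """True if a login presenting presented_uid is mapped to the account that holds stored_uid."""
    con = build_store(uid_collation, stored_uid)
    try:
        return lookup_user(con, PROVIDER, presented_uid) is not None
    finally:
        con.close()
```

With the case-insensitive column, an identity provider that issues the IDs `alice` and `ALICE` to two different people lets the second one land in the first one's account; the strict query or a binary column collation on the uid field (the advisory's workaround) closes that.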
2024-04-25* | VuXML ID 0309c898-3aed-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library chosen is sodium.
more... | glpi
more detail |
2024-04-25* | VuXML ID 07aecafa-3b12-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6.
more... | glpi
more detail |
2024-04-25* | VuXML ID 09eef008-3b16-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection. Since authentication is not required to perform these changes, anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2.
more... | glpi
more detail |
2024-04-25* | VuXML ID 0ba61fcc-3b38-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an API account to the system. The issue is patched in version 9.5.2. A proof-of-concept with technical details is available in the linked advisory.
more... | glpi
more detail |
2024-04-25* | VuXML ID 190176ce-3b3a-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).
more... | glpi
more detail |
2024-04-25* | VuXML ID 27a230a2-3b11-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "alert(1)" reproduces the attack. This can be exploited by a user with administrator privileges in the User-Agent field. It can also be exploited by an outside party through the following steps: 1. Create a user with the surname `" onmouseover="alert(document.cookie)` and an empty first name. 2. With this user, create a ticket. 3. As an administrator (or other privileged user), open the created ticket. 4. On the "last update" field, put your mouse on the name of the user. 5. The XSS fires. This is fixed in version 9.4.6.
more... | glpi
more detail |
2024-04-25* | VuXML ID 3a63f478-3b10-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. This is fixed in version 9.4.6.
more... | glpi
more detail |
2024-04-25* | VuXML ID 5acd95db-3b16-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.
more... | glpi
more detail |
2024-04-25* | VuXML ID 675e5098-3b15-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.5.2, the pluginimage.send.php endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in /files/. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2.
more... | glpi
more detail |
2024-04-25* | VuXML ID 68958e18-ed94-11ed-9688-b42e991fc52e
glpi Project reports:
Multiple vulnerabilities found and fixed in this version:
- High CVE-2023-28849: SQL injection and Stored XSS via inventory agent request.
- High CVE-2023-28632: Account takeover by authenticated user.
- High CVE-2023-28838: SQL injection through dynamic reports.
- Moderate CVE-2023-28852: Stored XSS through dashboard administration.
- Moderate CVE-2023-28636: Stored XSS on external links.
- Moderate CVE-2023-28639: Reflected XSS in search pages.
- Moderate CVE-2023-28634: Privilege Escalation from technician to super-admin.
- Low CVE-2023-28633: Blind Server-Side Request Forgery (SSRF) in RSS feeds.
more... | glpi
more detail |
2024-04-25* | VuXML ID 695b2310-3b3a-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).
more... | glpi
more detail |
2024-04-25* | VuXML ID 6a467439-3b38-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. This issue is fixed in version 9.5.3. As a workaround, one can remove the caldav.php file to block access to CalDAV server.
more... | glpi
more detail |
2024-04-25 | VuXML ID 7a42852d-0347-11ef-9f97-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [332546345] Critical CVE-2024-4058: Type Confusion in ANGLE. Reported by Toan (suto) Pham and Bao (zx) Pham of Qrious Secure on 2024-04-02
- [333182464] High CVE-2024-4059: Out of bounds read in V8 API. Reported by Eirik on 2024-04-08
- [333420620] High CVE-2024-4060: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
more... | chromium ungoogled-chromium
more detail |
2024-04-25* | VuXML ID 7f163c81-3b12-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1.
more... | glpi
more detail |
2024-04-25* | VuXML ID 832fd11b-3b11-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.
more... | glpi
more detail |
2024-04-25* | VuXML ID aec9cbe0-3b0f-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled and a technician account. It can be mitigated by adding an application token. This is fixed in version 9.4.6.
more... | glpi
more detail |
2024-04-25* | VuXML ID b3695b08-3b3a-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
GLPI before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. Problem is we can not know which columns or rows in the database are using that; especially from plugins. Changing the key without updating data would lend in bad password sent from glpi; but storing them again from the UI will work.
more... | glpi
more detail |
2024-04-25* | VuXML ID b3aae7ea-3aef-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances. Exploiting this vulnerability requires a technician account. This is fixed in version 9.4.6.
more... | glpi
more detail |
2024-04-25* | VuXML ID b64edef7-3b10-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.
more... | glpi
more detail |
2024-04-25* | VuXML ID b7abdb0f-3b15-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query, the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2.
more... | glpi
more detail |
2024-04-25* | VuXML ID d222241d-91cc-11ea-82b8-4c72b94353b5
MITRE Corporation reports:
inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture.
more... | glpi
more detail |
2024-04-25* | VuXML ID d3f60db0-3aea-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of admin account. This vulnerability could be also abused to obtain other sensitive fields like API keys or password hashes.
more... | glpi
more detail |
2024-04-24 | VuXML ID 1af16f2b-023c-11ef-8791-6805ca2fa271
PowerDNS Team reports:
PowerDNS Security Advisory 2024-02: if recursive forwarding is configured,
crafted responses can lead to a denial of service in Recursor
more... | powerdns-recursor
more detail |
2024-04-24 | VuXML ID b857606c-0266-11ef-8681-001b217b3468
Gitlab reports:
GitLab account takeover, under certain conditions, when using Bitbucket as an OAuth provider
Path Traversal leads to DoS and Restricted File Read
Unauthenticated ReDoS in FileFinder when using wildcard filters in project file search
Personal Access Token scopes not honoured by GraphQL subscriptions
Domain based restrictions bypass using a crafted email address
more... | gitlab-ce gitlab-ee
more detail |
2024-04-24 | VuXML ID bdfa6c04-027a-11ef-9c21-901b0e9408dc
Matrix developers report:
Weakness in auth chain indexing allows DoS from remote
room members through disk fill and high CPU usage. (High severity)
more... | py310-matrix-synapse py311-matrix-synapse py38-matrix-synapse py39-matrix-synapse
more detail |
2024-04-23 | VuXML ID 2ce1a2f1-0177-11ef-a45e-08002784c58d
sp2ip reports:
If attacker-supplied data is provided to the Ruby regex
compiler, it is possible to extract arbitrary heap data
relative to the start of the text, including pointers and
sensitive strings.
more... | ruby ruby31 ruby32 ruby33
more detail |
2024-04-22 | VuXML ID 304d92c3-00c5-11ef-bd52-080027bff743
GitHub Security Lab reports:
stb_image.h and stb_vorbis libraries contain several memory access violations of different severity
- Wild address read in stbi__gif_load_next (GHSL-2023-145).
- Multi-byte read heap buffer overflow in stbi__vertical_flip (GHSL-2023-146).
- Disclosure of uninitialized memory in stbi__tga_load (GHSL-2023-147).
- Double-free in stbi__load_gif_main_outofmem (GHSL-2023-148).
- Null pointer dereference in stbi__convert_format (GHSL-2023-149).
- Possible double-free or memory leak in stbi__load_gif_main (GHSL-2023-150).
- Null pointer dereference because of an uninitialized variable (GHSL-2023-151).
- 0 byte write heap buffer overflow in start_decoder (GHSL-2023-165)
- Multi-byte write heap buffer overflow in start_decoder (GHSL-2023-166)
- Heap buffer out of bounds write in start_decoder (GHSL-2023-167)
- Off-by-one heap buffer write in start_decoder (GHSL-2023-168)
- Attempt to free an uninitialized memory pointer in vorbis_deinit (GHSL-2023-169)
- Null pointer dereference in vorbis_deinit (GHSL-2023-170)
- Out of bounds heap buffer write (GHSL-2023-171)
- Wild address read in vorbis_decode_packet_rest (GHSL-2023-172)
more... | sdl2_sound
more detail |
2024-04-22 | VuXML ID bb49f1fa-00da-11ef-92b7-589cfc023192
GLPI team reports:
GLPI 10.0.13 Changelog
- [SECURITY - high] SQL Injection through the search engine (CVE-2024-27096)
- [SECURITY - moderate] Blind SSRF using Arbitrary Object Instantiation (CVE-2024-27098)
- [SECURITY - moderate] Stored XSS in dashboards (CVE-2024-27104)
- [SECURITY - moderate] Reflected XSS in debug mode (CVE-2024-27914)
- [SECURITY - moderate] Sensitive fields access through dropdowns (CVE-2024-27930)
- [SECURITY - moderate] Users emails enumeration (CVE-2024-27937)
more... | glpi
more detail |
2024-04-22 | VuXML ID ed688880-00c4-11ef-92b7-589cfc023192
GLPI team reports:
GLPI 10.0.11 Changelog
- [SECURITY - moderate] Authenticated SQL Injection (CVE-2023-43813)
- [SECURITY - high] SQL injection through inventory agent request (CVE-2023-46727)
- [SECURITY - high] Remote code execution from LDAP server configuration form on PHP 7.4 (CVE-2023-46726)
more... | glpi
more detail |
2024-04-22 | VuXML ID faccf131-00d9-11ef-92b7-589cfc023192
GLPI team reports:
GLPI 10.0.12 Changelog
- [SECURITY - moderate] Reflected XSS in reports pages (CVE-2024-23645)
- [SECURITY - moderate] LDAP Injection during authentication (CVE-2023-51446)
more... | glpi
more detail |
2024-04-21 | VuXML ID 9bed230f-ffc8-11ee-8e76-a8a1599412c6
Chrome Releases reports:
This update includes 23 security fixes:
- [331358160] High CVE-2024-3832: Object corruption in V8. Reported by Man Yue Mo of GitHub Security Lab on 2024-03-27
- [331383939] High CVE-2024-3833: Object corruption in WebAssembly. Reported by Man Yue Mo of GitHub Security Lab on 2024-03-27
- [330759272] High CVE-2024-3914: Use after free in V8. Reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024 on 2024-03-21
- [326607008] High CVE-2024-3834: Use after free in Downloads. Reported by ChaobinZhang on 2024-02-24
- [41491379] Medium CVE-2024-3837: Use after free in QUIC. Reported by {rotiple, dch3ck} of CW Research Inc. on 2024-01-15
- [328278717] Medium CVE-2024-3838: Inappropriate implementation in Autofill. Reported by Ardyan Vicky Ramadhan on 2024-03-06
- [41491859] Medium CVE-2024-3839: Out of bounds read in Fonts. Reported by Ronald Crane (Zippenhop LLC) on 2024-01-16
- [41493458] Medium CVE-2024-3840: Insufficient policy enforcement in Site Isolation. Reported by Ahmed ElMasry on 2024-01-22
- [330376742] Medium CVE-2024-3841: Insufficient data validation in Browser Switcher. Reported by Oleg on 2024-03-19
- [41486690] Medium CVE-2024-3843: Insufficient data validation in Downloads. Reported by Azur on 2023-12-24
- [40058873] Low CVE-2024-3844: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2022-02-23
- [323583084] Low CVE-2024-3845: Inappropriate implementation in Network. Reported by Daniel Baulig on 2024-02-03
- [40064754] Low CVE-2024-3846: Inappropriate implementation in Prompts. Reported by Ahmed ElMasry on 2023-05-23
- [328690293] Low CVE-2024-3847: Insufficient policy enforcement in WebUI. Reported by Yan Zhu on 2024-03-08
more... | chromium ungoogled-chromium
more detail |
2024-04-19 | VuXML ID 4ebdd56b-fe72-11ee-bc57-00e081b7aa2d
Jenkins Security Advisory:
Description
(Medium) SECURITY-3386 / CVE-2023-48795
Terrapin SSH vulnerability in Jenkins CLI client
more... | jenkins jenkins-lts
more detail |
2024-04-19 | VuXML ID ecafc4af-fe8a-11ee-890c-08002784c58d
Błażej Pawłowski reports:
A vulnerability in the HTML parser of ClamAV could allow
an unauthenticated, remote attacker to cause a denial of
service (DoS) condition on an affected device. The
vulnerability is due to an issue in the C to Rust foreign
function interface. An attacker could exploit this
vulnerability by submitting a crafted file containing HTML
content to be scanned by ClamAV on an affected device. An
exploit could allow the attacker to cause the ClamAV
scanning process to terminate, resulting in a DoS
condition on the affected software.
more... | clamav
more detail |
2024-04-18 | VuXML ID f90bf863-e43c-4db3-b5a8-d9603684657a
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-3515.
- Security: backported fix for CVE-2024-3516.
- Security: backported fix for CVE-2024-3157.
- Security: backported fix for CVE-2024-1580.
more... | electron27 electron28 electron29
more detail |
2024-04-16 | VuXML ID 080936ba-fbb7-11ee-abc8-6960f2492b1d
Simon Tatham reports:
ECDSA signatures using 521-bit keys (the NIST P521 curve,
otherwise known as ecdsa-sha2-nistp521) were generated with biased
random numbers. This permits an attacker in possession of a few
dozen signatures to RECOVER THE PRIVATE KEY.
Any 521-bit ECDSA private key that PuTTY or Pageant has used to
sign anything should be considered compromised.
Additionally, if you have any 521-bit ECDSA private keys that
you've used with PuTTY, you should consider them to be
compromised: generate new keys, and remove the old public keys
from any authorized_keys files.
A second, independent scenario is that the adversary is an operator
of an SSH server to which the victim authenticates (for remote login
or file copy), [...] and the victim uses the same private key for
SSH connections to other services operated by other entities. Here,
the rogue server operator (who would otherwise have no way to
determine the victim's private key) can derive the victim's private
key, and then use it for unauthorized access to those other
services. If the other services include Git services, then again it
may be possible to conduct supply-chain attacks on software
maintained in Git. This also affects, for example, FileZilla before
3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and
TortoiseSVN through 1.14.6.
more... | filezilla putty putty-nogtk
more detail |
2024-04-16 | VuXML ID 6d82c5e9-fc24-11ee-a689-04421a1baf97
This update includes 3 security fixes:
- High CVE-2024-1874: Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows
- Medium CVE-2024-2756: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
- High CVE-2024-2757: mb_encode_mimeheader runs endlessly for some inputs
more... | php81 php82 php83
more detail |
2024-04-15 | VuXML ID cdb5e0e3-fafc-11ee-9c21-901b0e9408dc
The Go project reports:
http2: close connections when receiving too many headers
Maintaining HPACK state requires that we parse and
process all HEADERS and CONTINUATION frames on a
connection. When a request's headers exceed MaxHeaderBytes,
we don't allocate memory to store the excess headers but we
do parse them. This permits an attacker to cause an HTTP/2
endpoint to read arbitrary amounts of header data, all
associated with a request which is going to be
rejected. These headers can include Huffman-encoded data
which is significantly more expensive for the receiver to
decode than for an attacker to send.
more... | go121 go122
more detail |
2024-04-12 | VuXML ID 7314942b-0889-46f0-b02b-2c60aabe4a82
Chrome Releases reports:
This update includes 3 security fixes:
- [331237485] High CVE-2024-3157: Out of bounds write in Compositing. Reported by DarkNavy on 2024-03-26
- [328859176] High CVE-2024-3516: Heap buffer overflow in ANGLE. Reported by Bao (zx) Pham and Toan (suto) Pham of Qrious Secure on 2024-03-09
- [331123811] High CVE-2024-3515: Use after free in Dawn. Reported by wgslfuzz on 2024-03-25
more... | chromium ungoogled-chromium
more detail |
2024-04-11 | VuXML ID 02be46c1-f7cc-11ee-aa6b-b42e991fc52e
cve@mitre.org reports:
latchset jose through version 11 allows attackers to cause
a denial of service (CPU consumption) via a large p2c (aka
PBES2 Count) value.
more... | jose
more detail |
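The p2c problem described above, as an added example in Python (not code from latchset jose): the PBES2 protected header of a JWE is parsed and the iteration count is bounded before any PBKDF2 work starts, because the count is chosen by whoever built the token and the CPU cost is linear in it. The cap MAX_P2C, the constructed headers and the function names are assumptions made for the example; the salt construction, PRFs and key lengths follow RFC 7518 section 4.8.

```python
import base64
import hashlib
import json

# Hypothetical ceiling on the PBES2 iteration count a receiver will honour. The
# advisory gives no number; this value is an assumption made for the example.
MAX_P2C = 1_000_000

# RFC 7518 section 4.8: PBES2 algorithm -> (PBKDF2 PRF, derived key length in bytes)
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def encode_protected_header(header: dict) -> str:
    """First segment of a compact JWE (used here only to build example input)."""
    return b64url_encode(json.dumps(header, separators=(",", ":")).encode())


def parse_protected_header(jwe_compact: str) -> dict:
    """Decode the protected header segment of a compact-serialised JWE."""
    return json.loads(b64url_decode(jwe_compact.split(".")[0]))


def validate_pbes2_header(header: dict, max_p2c: int = MAX_P2C) -> None:
    """Raise ValueError unless alg, p2s and p2c are well-formed and p2c is within the cap."""
    if header.get("alg") not in PBES2_ALGS:
        raise ValueError("not a PBES2 header")
    p2c = header.get("p2c")
    if isinstance(p2c, bool) or not isinstance(p2c, int):
        raise ValueError("p2c must be an integer")
    if p2c < 1 or p2c > max_p2c:
        raise ValueError(f"p2c={p2c} outside the allowed range 1..{max_p2c}")
    p2s = header.get("p2s")
    if not isinstance(p2s, str) or len(b64url_decode(p2s)) < 8:
        raise ValueError("p2s must be at least 8 bytes")  # RFC 7518 section 4.8.1.1


def header_is_accepted(header: dict, max_p2c: int = MAX_P2C) -> bool:
    try:
        validate_pbes2_header(header, max_p2c)
    except ValueError:
        return False
    return True


def derive_pbes2_key(header: dict, password: bytes, max_p2c: int = MAX_P2C) -> bytes:
    """Key-encryption key for PBES2: validate first, then run PBKDF2 with the bounded count."""
    validate_pbes2_header(header, max_p2c)
    hash_name, dklen = PBES2_ALGS[header["alg"]]
    # RFC 7518 section 4.8.1.1: salt = UTF8(alg) || 0x00 || p2s
    salt = header["alg"].encode() + b"\x00" + b64url_decode(header["p2s"])
    return hashlib.pbkdf2_hmac(hash_name, password, salt, header["p2c"], dklen)


# Constructed headers: a normal one and one carrying an abusive iteration count.
GOOD_HEADER = {
    "alg": "PBES2-HS256+A128KW",
    "enc": "A128GCM",
    "p2s": b64url_encode(b"\x00" * 16),
    "p2c": 4096,
}
ABUSIVE_HEADER = dict(GOOD_HEADER, p2c=2**31 - 1)
```

The check runs on the header alone, so a token with an absurd count is rejected before the receiver spends a single PBKDF2 round on it; whatever cap you pick should sit well above the count your own tokens use, and the same guard belongs in front of any other caller-controlled work factor (scrypt N, Argon2 time cost) a parser might hand to a KDF.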
2024-04-11 | VuXML ID 31617e47-7eec-4c60-9fdf-8aee61622bab
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-3159.
more... | electron27 electron28
more detail |
2024-04-11 | VuXML ID 7c217849-f7d7-11ee-a490-84a93843eb75
The OpenSSL project reports:
Some non-default TLS server configurations can cause unbounded
memory growth when processing TLSv1.3 sessions
more... | openssl openssl-quictls openssl31 openssl31-quictls openssl32
more detail |
2024-04-11 | VuXML ID c092be0e-f7cc-11ee-aa6b-b42e991fc52e
security@golang.org reports:
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts
of header data by sending an excessive number of CONTINUATION frames.
Maintaining HPACK state requires parsing and processing all HEADERS
and CONTINUATION frames on a connection. When a request's
headers exceed MaxHeaderBytes, no memory is allocated to store the
excess headers, but they are still parsed. This permits an attacker
to cause an HTTP/2 endpoint to read arbitrary amounts of header
data, all associated with a request which is going to be rejected.
These headers can include Huffman-encoded data which is significantly
more expensive for the receiver to decode than for an attacker to
send. The fix sets a limit on the amount of excess header frames
we will process before closing a connection.
more... | forgejo
more detail |
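The CONTINUATION-frame behaviour described in this entry and in the Go net/http entry dated 2024-04-15 above comes down to one loop, shown here as an added example in Python (not code from Go or Forgejo): a header-block reader that keeps draining frames past MaxHeaderBytes without storing them (the pre-fix shape) beside the same reader with a cap on how much excess it will parse before it closes the connection. Frame layout follows RFC 7540; HPACK decoding is not modelled, the excess bytes are only counted; the flood input, both limits and the function names are constructed for the example.

```python
import struct

FRAME_HEADERS = 0x1
FRAME_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
FRAME_HEADER_LEN = 9  # RFC 7540 section 4.1: 24-bit length, type, flags, 31-bit stream id


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one HTTP/2 frame (used only to construct the example input)."""
    return (struct.pack("!I", len(payload))[1:]
            + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF)
            + payload)


def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            return  # truncated frame: wait for more bytes
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


def read_header_block(data: bytes, max_header_bytes: int, max_excess_bytes=None):
    """Consume the HEADERS/CONTINUATION frames of one header block.

    Returns (status, detail):
      ("ok", block)             END_HEADERS seen and the block fits in max_header_bytes
      ("reject", consumed)      block too large but fully drained (the pre-fix behaviour)
      ("close", consumed)       more than max_excess_bytes parsed past the limit: drop the connection
      ("incomplete", consumed)  input ended before END_HEADERS
    With max_excess_bytes=None every frame is parsed however much excess arrives.
    """
    block = bytearray()
    consumed = 0
    over_limit = False
    excess = 0
    for ftype, flags, _stream_id, payload in iter_frames(data):
        if ftype not in (FRAME_HEADERS, FRAME_CONTINUATION):
            break  # a header block may only be followed by CONTINUATION frames
        consumed += FRAME_HEADER_LEN + len(payload)
        if not over_limit and len(block) + len(payload) > max_header_bytes:
            over_limit = True
        if over_limit:
            # Past the limit nothing is stored, but the bytes were still read and
            # would still be HPACK-decoded to keep the dynamic table in sync.
            excess += len(payload)
            if max_excess_bytes is not None and excess > max_excess_bytes:
                return ("close", consumed)
        else:
            block += payload
        if flags & FLAG_END_HEADERS:
            return ("reject", consumed) if over_limit else ("ok", bytes(block))
    return ("incomplete", consumed)


def constructed_continuation_flood(n_frames: int, frame_len: int = 1024) -> bytes:
    """Constructed attacker input: HEADERS then CONTINUATION frames that never set END_HEADERS."""
    junk = b"\x82" * frame_len  # 0x82 = HPACK indexed field ':method: GET', cheap to send
    frames = [build_frame(FRAME_HEADERS, 0, 1, junk)]
    frames += [build_frame(FRAME_CONTINUATION, 0, 1, junk) for _ in range(n_frames - 1)]
    return b"".join(frames)
```

Without the excess cap the reader walks every frame the peer cares to send for a request it has already decided to reject; with it, the connection is closed a fixed amount of work after the limit is crossed, which is what the Go fix does.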
2024-04-11 | VuXML ID dad6294c-f7c1-11ee-bb77-001b217b3468
Gitlab reports:
Stored XSS injected in diff viewer
Stored XSS via autocomplete results
Redos on Integrations Chat Messages
Redos During Parse Junit Test Report
more... | gitlab-ce
more detail |
2024-04-11 | VuXML ID f0ba7008-2bbd-11ef-b4ca-814a3d504243
The forgejo team reports:
CVE-2024-24789:
The archive/zip package's handling of certain types of invalid
zip files differs from the behavior of most zip implementations.
This misalignment could be exploited to create a zip file with
contents that vary depending on the implementation reading the
file.
The OAuth2 implementation does not always require authentication
for public clients, a requirement of RFC 6749 Section 10.2. A
malicious client can impersonate another client and obtain access
to protected resources if the impersonated client fails to, or is
unable to, keep its client credentials confidential.
more... | forgejo
more detail |
2024-04-10 | VuXML ID ea4a2dfc-f761-11ee-af2c-589cfc0f81b0
The Wordpress team reports:
A cross-site scripting (XSS) vulnerability affecting the Avatar block type
more... | de-wordpress-de_DE fr-wordpress-fr_FR ja-wordpress-ja ru-wordpress-ru_RU wordpress zh-wordpress-zh_CN zh-wordpress-zh_TW
more detail |
2024-04-05 | VuXML ID 8e6f684b-f333-11ee-a573-84a93843eb75
The Apache httpd project reports:
HTTP/2 DoS by memory exhaustion on endless continuation frames
HTTP Response Splitting in multiple modules
more... | apache24 mod_http2
more detail |
2024-04-05 | VuXML ID c2431c4e-622c-4d92-996d-d8b5258ae8c9
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-2885.
- Security: backported fix for CVE-2024-2883.
- Security: backported fix for CVE-2024-2887.
- Security: backported fix for CVE-2024-2886.
more... | electron27 electron28
more detail |
2024-04-04 | VuXML ID 4a026b6c-f2b8-11ee-8e76-a8a1599412c6
Chrome Releases reports:
This update includes 3 security fixes:
- [329130358] High CVE-2024-3156: Inappropriate implementation in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-03-12
- [329965696] High CVE-2024-3158: Use after free in Bookmarks. Reported by undoingfish on 2024-03-17
- [330760873] High CVE-2024-3159: Out of bounds memory access in V8. Reported by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks, via Pwn2Own 2024 on 2024-03-22
more... | chromium ungoogled-chromium
more detail |
2024-04-04 | VuXML ID 57561cfc-f24b-11ee-9730-001fc69cd6dc
The X.Org project reports:
- CVE-2024-31080: Heap buffer overread/data leakage in
ProcXIGetSelectedEvents
The ProcXIGetSelectedEvents() function uses the byte-swapped
length of the return data for the amount of data to return to
the client, if the client has a different endianness than
the X server.
- CVE-2024-31081: Heap buffer overread/data leakage in
ProcXIPassiveGrabDevice
The ProcXIPassiveGrabDevice() function uses the byte-swapped
length of the return data for the amount of data to return to
the client, if the client has a different endianness than
the X server.
- CVE-2024-31083: Use-after-free in ProcRenderAddGlyphs
The ProcRenderAddGlyphs() function calls the AllocateGlyph()
function to store new glyphs sent by the client to the X server.
AllocateGlyph() would return a new glyph with refcount=0 and
a re-used glyph would end up not changing the refcount at all.
The resulting glyph_new array would thus have multiple entries
pointing to the same non-refcounted glyphs.
ProcRenderAddGlyphs() may free a glyph, resulting in a
use-after-free when the same glyph pointer is then later used.
more... | xephyr xorg-nextserver xorg-server xorg-vfbserver xwayland xwayland-devel
more detail |
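The length mistake the two XI advisories above describe, as an added example in Python (not X.Org server code): the reply's length field is byte-swapped for a client of the other endianness, and the vulnerable path then reuses that swapped value as the number of bytes handed to the write routine. The arithmetic is the real one (3 words become 0x03000000 words after the swap); the picture of server memory, the neighbouring heap bytes and the function names are constructed for the example.

```python
import struct

WORD = 4  # X protocol reply lengths are counted in 4-byte units


def swapl(value: int) -> int:
    """32-bit byte swap, as applied to reply fields for a client of the other endianness."""
    return struct.unpack("<I", struct.pack(">I", value & 0xFFFFFFFF))[0]


# Constructed picture of server memory: the reply payload followed by unrelated heap bytes.
CONSTRUCTED_REPLY = bytes(range(1, 13))                 # 3 words of legitimate reply data
CONSTRUCTED_HEAP_NEIGHBOUR = b"<another client's data>"  # what an over-read would leak
SERVER_MEMORY = CONSTRUCTED_REPLY + CONSTRUCTED_HEAP_NEIGHBOUR


def bytes_to_write(reply_len_words: int, client_swapped: bool, vulnerable: bool) -> int:
    """Byte count passed to the write routine after the reply header has been prepared.

    The header's length must be in the client's byte order, but the count the server
    uses for its own copy must stay in host order.
    """
    length = reply_len_words
    if client_swapped:
        wire_length = swapl(length)   # this is what belongs in the reply header
        if vulnerable:
            length = wire_length      # bug: swapped value reused as the host-side count
    return length * WORD


def data_sent_to_client(client_swapped: bool, vulnerable: bool) -> bytes:
    """Model of the write to the client: nbytes copied from the reply buffer, bounded only by mapped memory."""
    nbytes = bytes_to_write(len(CONSTRUCTED_REPLY) // WORD, client_swapped, vulnerable)
    return SERVER_MEMORY[:nbytes]
```

Only the combination of a swapped client and the vulnerable path changes the count; in the real server the over-sized copy walks off the end of the reply allocation and sends whatever follows it on the heap, which is the data leakage the advisory names.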
2024-04-02 | VuXML ID 2e3bea0c-f110-11ee-bc57-00e081b7aa2d
Jenkins Security Advisory:
Description
(High) SECURITY-3379 / CVE-2024-22201
HTTP/2 denial of service vulnerability in bundled Jetty
more... | jenkins jenkins-lts
more detail |
2024-04-01* | VuXML ID 21a854cc-cac1-11ee-b7a7-353f1e043d9a
Simon Kelley reports:
If DNSSEC validation is enabled, then an attacker who can force a
DNS server to validate a specially crafted signed domain can use a
lot of CPU in the validator. This only affects dnsmasq installations
with DNSSEC enabled.
Stichting NLnet Labs reports:
The KeyTrap [CVE-2023-50387] vulnerability works by using a
combination of Keys (also colliding Keys), Signatures and number of
RRSETs on a malicious zone. Answers from that zone can force a
DNSSEC validator down a very CPU intensive and time costly
validation path.
The NSEC3 [CVE-2023-50868] vulnerability uses specially crafted responses on a
malicious zone with multiple NSEC3 RRSETs to force a DNSSEC
validator down a very CPU intensive and time costly NSEC3 hash
calculation path.
more... | bind9-devel bind916 bind918 dnsmasq dnsmasq-devel FreeBSD powerdns-recursor unbound
more detail |
2024-03-31 | VuXML ID d58726ff-ef5e-11ee-8d8e-080027a5b8e9
Mediawiki reports:
(T355538, CVE-2024-PENDING) SECURITY: XSS in edit summary parser.
(T357760, CVE-2024-PENDING) SECURITY: Denial of service vector via GET
request to Special:MovePage on pages with thousands of subpages.
more... | mediawiki139 mediawiki140 mediawiki141
more detail |
2024-03-29 | VuXML ID bdcd041e-5811-4da3-9243-573a9890fdb1
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-2625.
more... | electron27 electron28
more detail |
2024-03-28 | VuXML ID d2992bc2-ed18-11ee-96dc-001b217b3468
Gitlab reports:
Stored-XSS injected in Wiki page via Banzai pipeline
DOS using crafted emojis
more... | gitlab-ce
more detail |
2024-03-27 | VuXML ID 814af1be-ec63-11ee-8e76-a8a1599412c6
Chrome Releases reports:
This update includes 7 security fixes:
- [327807820] Critical CVE-2024-2883: Use after free in ANGLE. Reported by Cassidy Kim(@cassidy6564) on 2024-03-03
- [328958020] High CVE-2024-2885: Use after free in Dawn. Reported by wgslfuzz on 2024-03-11
- [330575496] High CVE-2024-2886: Use after free in WebCodecs. Reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024 on 2024-03-21
- [330588502] High CVE-2024-2887: Type Confusion in WebAssembly. Reported by Manfred Paul, via Pwn2Own 2024 on 2024-03-21
more... | chromium ungoogled-chromium
more detail |
2024-03-26 | VuXML ID 34f98d06-eb56-11ee-8007-6805ca2fa271
Quiche Releases reports:
This release includes 2 security fixes:
- CVE-2024-1410: Unbounded storage of information related to
connection ID retirement, in quiche. Reported by Marten
Seeman (@marten-seeman)
- CVE-2024-1765: Unlimited resource allocation by QUIC
CRYPTO frames flooding in quiche. Reported by Marten
Seeman (@marten-seeman)
more... | quiche
more detail |
2024-03-26* | VuXML ID 6d31ef38-df85-11ee-abf1-6c3be5272acd
Grafana Labs reports:
The vulnerability impacts Grafana Cloud and Grafana Enterprise instances,
and it is exploitable if a user who should not be able to access all data
sources is granted permissions to create a data source.
By default, only organization Administrators are allowed to create a data
source and have full access to all data sources. All other users need to be
explicitly granted permission to create a data source, which then means they
could exploit this vulnerability.
When a user creates a data source via the API,
they can specify data source UID. If the UID is set to an asterisk (*),
the user gains permissions to query, update, and delete all data sources
in the organization. The exploit, however, does not stretch across
organizations; to exploit the vulnerability in several organizations, a user
would need permissions to create data sources in each organization.
The vulnerability comes from a lack of UID validation. When evaluating
permissions, we interpret an asterisk (*) as a wild card for all resources.
Therefore, we should treat it as a reserved value, and not allow the creation
of a resource with the UID set to an asterisk.
The CVSS score for this vulnerability is 6 Medium.
more... | grafana grafana9
more detail |
2024-03-26 | VuXML ID 8b3be705-eba7-11ee-99b3-589cfc0f81b0
phpMyFAQ team reports:
The phpMyFAQ Team has learned of multiple security issues that'd
been discovered in phpMyFAQ 3.2.5 and earlier. phpMyFAQ contains
cross-site scripting (XSS), SQL injection and bypass
vulnerabilities.
more... | phpmyfaq-php81 phpmyfaq-php82 phpmyfaq-php83
more detail |
2024-03-26 | VuXML ID f661184a-eb90-11ee-92fc-1c697a616631
GNU Emacs developers report:
Emacs 29.3 is an emergency bugfix release intended to fix several security vulnerabilities.
- Arbitrary Lisp code is no longer evaluated as part of turning on Org mode. This is for security reasons, to avoid evaluating malicious Lisp code.
- New buffer-local variable 'untrusted-content'. When this is non-nil, Lisp programs should treat buffer contents with extra caution.
- Gnus now treats inline MIME contents as untrusted. To get back previous insecure behavior, 'untrusted-content' should be reset to nil in the buffer.
- LaTeX preview is now by default disabled for email attachments. To get back previous insecure behavior, set the variable 'org--latex-preview-when-risky' to a non-nil value.
- Org mode now considers contents of remote files to be untrusted. Remote files are recognized by calling 'file-remote-p'.
more... | emacs emacs-canna emacs-nox
more detail |
2024-03-22 | VuXML ID 80815c47-e84f-11ee-8e76-a8a1599412c6
Chrome Releases reports:
This update includes 12 security fixes:
- [327740539] High CVE-2024-2625: Object lifecycle issue in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-03-01
- [40945098] Medium CVE-2024-2626: Out of bounds read in Swiftshader. Reported by Cassidy Kim(@cassidy6564) on 2023-11-22
- [41493290] Medium CVE-2024-2627: Use after free in Canvas. Reported by Anonymous on 2024-01-21
- [41487774] Medium CVE-2024-2628: Inappropriate implementation in Downloads. Reported by Ath3r1s on 2024-01-03
- [41487721] Medium CVE-2024-2629: Incorrect security UI in iOS. Reported by Muneaki Nishimura (nishimunea) on 2024-01-02
- [41481877] Medium CVE-2024-2630: Inappropriate implementation in iOS. Reported by James Lee (@Windowsrcer) on 2023-12-07
- [41495878] Low CVE-2024-2631: Inappropriate implementation in iOS. Reported by Ramit Gangwar on 2024-01-29
more... | chromium ungoogled-chromium
more detail |
2024-03-21 | VuXML ID 7a7129ef-e790-11ee-a1c0-0050569f0b83
Shibboleth Developers report:
The Identity Provider's CAS support relies on a function in the
Spring Framework to parse CAS service URLs and append the ticket
parameter.
more... | shibboleth-idp
more detail |
2024-03-20 | VuXML ID a8448963-e6f5-11ee-a784-dca632daf43b
MongoDB, Inc. reports:
A security vulnerability was found where a server process
running MongoDB 3.2.6 or later will allow incoming connections
to skip peer certificate validation if the server process was
started with TLS enabled (net.tls.mode set to allowTLS,
preferTLS, or requireTLS) and without a net.tls.CAFile
configured (CVE-2024-1351).
more... | mongodb44 mongodb50 mongodb60 mongodb70
more detail |
2024-03-18 | VuXML ID 05b7180b-e571-11ee-a1c0-0050569f0b83
The Varnish Development Team reports:
A denial of service attack can be performed on Varnish Cache servers
that have the HTTP/2 protocol turned on. An attacker can let the
server's HTTP/2 connection control flow window run out of credits
indefinitely and prevent progress in the processing of streams,
retaining the associated resources.
more... | varnish7
more detail |
2024-03-17 | VuXML ID 0a48e552-e470-11ee-99b3-589cfc0f81b0
The Amavis project reports:
Emails which consist of multiple parts (`Content-Type: multipart/*`)
incorporate boundary information stating at which point one part ends and the
next part begins.
A boundary is announced by a Content-Type header's `boundary` parameter. To
our current knowledge, RFC2046 and RFC2045 do not explicitly specify how a
parser should handle multiple boundary parameters that contain conflicting
values. As a result, there is no canonical choice which of the values should or
should not be used for mime part decomposition.
more... | amavisd-new
more detail |
2024-03-16 | VuXML ID 1ad3d264-e36b-11ee-9c27-40b034429ecf
Typo3 developers report:
All versions are security releases and contain important security fixes - read the corresponding security advisories here:
- Path Traversal in TYPO3 File Abstraction Layer Storages CVE-2023-30451
- Code Execution in TYPO3 Install Tool CVE-2024-22188
- Information Disclosure of Hashed Passwords in TYPO3 Backend Forms CVE-2024-25118
- Information Disclosure of Encryption Key in TYPO3 Install Tool CVE-2024-25119
- Improper Access Control of Resources Referenced by t3:// URI Scheme CVE-2024-25120
- Improper Access Control Persisting File Abstraction Layer Entities via Data Handler CVE-2024-25121
more... | typo3-11 typo3-12
more detail |
2024-03-14 | VuXML ID 49dd9362-4473-48ae-8fac-e1b69db2dedf
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-2173.
more... | electron27 electron28
more detail |
2024-03-12 | VuXML ID b6dd9d93-e09b-11ee-92fc-1c697a616631
Intel reports:
2024.1 IPU - Intel Processor Bus Lock Advisory
A potential security vulnerability in the bus lock regulator
mechanism for some Intel Processors may allow denial of service. Intel
is releasing firmware updates to mitigate this potential
vulnerability.
2024.1 IPU - Intel Processor Return Predictions Advisory
A potential security vulnerability in some Intel Processors may
allow information disclosure.
2024.1 IPU - Intel Atom Processor Advisory
A potential security vulnerability in some Intel Atom Processors
may allow information disclosure.
2024.1 IPU - Intel Xeon Processor Advisory
A potential security vulnerability in some 3rd and 4th Generation
Intel Xeon Processors when using Intel Software Guard Extensions (SGX)
or Intel Trust Domain Extensions (TDX) may allow escalation of
privilege.
2024.1 IPU OOB - Intel Xeon D Processor Advisory
A potential security vulnerability in some Intel Xeon D Processors
with Intel Software Guard Extensions (SGX) may allow information
disclosure.
more... | cpu-microcode-intel
more detail |
2024-03-09 | VuXML ID c2ad8700-de25-11ee-9190-84a93843eb75
NLNet Labs reports:
Unbound 1.18.0 introduced a feature that removes EDE records from
responses with size higher than the client's advertised buffer size.
Before removing all the EDE records however, it would try to see if
trimming the extra text fields on those records would result in an
acceptable size while still retaining the EDE codes. Due to an
unchecked condition, the code that trims the text of the EDE records
could loop indefinitely. This happens when Unbound would reply with
attached EDE information on a positive reply and the client's buffer
size is smaller than the needed space to include EDE records.
The vulnerability can only be triggered when the 'ede: yes' option
is used; this is a non-default configuration.
more... | unbound
more detail |
2024-03-07 | VuXML ID b2caae55-dc38-11ee-96dc-001b217b3468
Gitlab reports:
Bypassing CODEOWNERS approval allowing to steal protected variables
Guest with manage group access tokens can rotate and see group access token with owner permissions
more... | gitlab-ce
more detail |
2024-03-07 | VuXML ID e74da31b-276a-4a22-9772-17dd42b97559
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-25062.
more... | electron27 electron28
more detail |
2024-03-06 | VuXML ID b1b039ec-dbfc-11ee-9165-901b0e9408dc
The Go project reports:
crypto/x509: Verify panics on certificates with an
unknown public key algorithm
Verifying a certificate chain which contains a
certificate with an unknown public key algorithm will
cause Certificate.Verify to panic.
net/http: memory exhaustion in Request.ParseMultipartForm
When parsing a multipart form (either explicitly with
Request.ParseMultipartForm or implicitly with Request.FormValue,
Request.PostFormValue, or Request.FormFile), limits on the total
size of the parsed form were not applied to the memory consumed
while reading a single form line. This permitted a maliciously
crafted input containing very long lines to cause allocation of
arbitrarily large amounts of memory, potentially leading to memory
exhaustion.
net/http, net/http/cookiejar: incorrect forwarding
of sensitive headers and cookies on HTTP redirect
When following an HTTP redirect to a domain which
is not a subdomain match or exact match of the initial
domain, an http.Client does not forward sensitive headers
such as "Authorization" or "Cookie". For example, a
redirect from foo.com to www.foo.com will forward the
Authorization header, but a redirect to bar.com will not.
html/template: errors returned from MarshalJSON methods
may break template escaping
If errors returned from MarshalJSON methods contain user
controlled data, they may be used to break the contextual
auto-escaping behavior of the html/template package, allowing
for subsequent actions to inject unexpected content into
templates.
net/mail: comments in display names are incorrectly handled
The ParseAddressList function incorrectly handles comments
(text within parentheses) within display names. Since this is a
misalignment with conforming address parsers, it can result in
different trust decisions being made by programs using different
parsers.
more... | go121 go122
more detail |
2024-03-06 | VuXML ID fd3401a1-b6df-4577-917a-2c22fee99d34
Chrome Releases reports:
This update includes 3 security fixes:
- [325893559] High CVE-2024-2173: Out of bounds memory access in V8. Reported by 5fceb6172bbf7e2c5a948183b53565b9 on 2024-02-19
- [325866363] High CVE-2024-2174: Inappropriate implementation in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be8 on 2024-02-19
- [325936438] High CVE-2024-2176: Use after free in FedCM. Reported by Anonymous on 2024-02-20
more... | chromium ungoogled-chromium
more detail |
2024-03-04 | VuXML ID 0ef3398e-da21-11ee-b23a-080027a5b8e9
Django reports:
CVE-2024-27351: Potential regular expression denial-of-service in
django.utils.text.Truncator.words().
more... | py310-django32 py310-django42 py310-django50 py311-django32 py311-django42 py311-django50 py39-django32 py39-django42
more detail |
2024-03-01 | VuXML ID 46a9eb0f-d7d2-11ee-bb12-001b217b3468
support@hackerone.com reports:
On Linux, Node.js ignores certain environment variables if those
may have been set by an unprivileged user while the process is
running with elevated privileges with the only exception of
CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this
exception, Node.js incorrectly applies this exception even when
certain other capabilities have been set. This allows unprivileged
users to inject code that inherits the process's elevated
privileges.
more... | null
more detail |
2024-03-01 | VuXML ID 77a6f1c9-d7d2-11ee-bb12-001b217b3468
Node.js reports:
Code injection and privilege escalation through Linux capabilities - (High)
http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks - (High)
Path traversal by monkey-patching Buffer internals - (High)
setuid() does not drop all privileges due to io_uring - (High)
Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
Improper handling of wildcards in --allow-fs-read and --allow-fs-write - (Medium)
Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
more... | node node16 node18 node20 node21
more detail |
2024-02-29 | VuXML ID 31bb1b8d-d6dc-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [324596281] High CVE-2024-1938: Type Confusion in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be8 on 2024-02-11
- [323694592] High CVE-2024-1939: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2024-02-05
more... | chromium ungoogled-chromium
more detail |
2024-02-29 | VuXML ID 3567456a-6b17-41f7-ba7f-5cd3efb2b7c9
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-1670.
more... | electron27 electron28
more detail |
2024-02-28 | VuXML ID 02e33cd1-c655-11ee-8613-08002784c58d
Hiroki Kurosawa reports:
curl inadvertently kept the SSL session ID for connections
in its cache even when the verify status (OCSP stapling)
test failed. A subsequent transfer to the same hostname
could then succeed if the session ID cache was still
fresh, which then skipped the verify status check.
more... | curl
more detail |
2024-02-28 | VuXML ID 3dada2d5-4e17-4e39-97dd-14fdbd4356fb
sep@nlnetlabs.nl reports:
Due to a mistake in error checking, Routinator will terminate when
an incoming RTR connection is reset by the peer too quickly after
opening.
more... | null
more detail |
2024-02-24 | VuXML ID 2a470712-d351-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 12 security fixes:
- [41495060] High CVE-2024-1669: Out of bounds memory access in Blink. Reported by Anonymous on 2024-01-26
- [41481374] High CVE-2024-1670: Use after free in Mojo. Reported by Cassidy Kim(@cassidy6564) on 2023-12-06
- [41487933] Medium CVE-2024-1671: Inappropriate implementation in Site Isolation. Reported by Harry Chen on 2024-01-03
- [41485789] Medium CVE-2024-1672: Inappropriate implementation in Content Security Policy. Reported by Georg Felber (TU Wien) & Marco Squarcina (TU Wien) on 2023-12-19
- [41490491] Medium CVE-2024-1673: Use after free in Accessibility. Reported by Weipeng Jiang (@Krace) of VRI on 2024-01-11
- [40095183] Medium CVE-2024-1674: Inappropriate implementation in Navigation. Reported by David Erceg on 2019-05-27
- [41486208] Medium CVE-2024-1675: Insufficient policy enforcement in Download. Reported by Bartłomiej Wacko on 2023-12-21
- [40944847] Low CVE-2024-1676: Inappropriate implementation in Navigation. Reported by Khalil Zhani on 2023-11-21
more... | chromium ungoogled-chromium
more detail |
2024-02-24 | VuXML ID 5ecfb588-d2f4-11ee-ad82-dbdfaa8acfc2
Problem Description:
- The Wiki page did not sanitize author name
- the reviewer name on a "dismiss review" comment is also affected
- the migration page has some spots
more... | gitea
more detail |
2024-02-23 | VuXML ID 255bf44c-d298-11ee-9c27-40b034429ecf
c-ares project reports:
Reading malformatted /etc/resolv.conf, /etc/nsswitch.conf or the HOSTALIASES file could result in a crash.
more... | c-ares
more detail |
2024-02-23 | VuXML ID 80ad6d6c-b398-457f-b88f-bf6be0bbad44
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-1283.
- Security: backported fix for CVE-2024-1284.
more... | electron27
more detail |
2024-02-23 | VuXML ID 979dc373-d27d-11ee-8b84-b42e991fc52e
Suricata team reports:
Multiple vulnerabilities fixed in the last release of suricata.
No details have been disclosed yet
more... | suricata
more detail |
2024-02-22 | VuXML ID 03bf5157-d145-11ee-acee-001b217b3468
Gitlab reports:
Stored-XSS in user's profile page
User with "admin_group_members" permission can invite other groups to gain owner access
ReDoS issue in the Codeowners reference extractor
LDAP user can reset password using secondary email and login using direct authentication
Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard
Users with the Guest role can change Custom dashboard projects settings for projects in the victim group
Group member with sub-maintainer role can change title of shared private deploy keys
Bypassing approvals of CODEOWNERS
more... | gitlab-ce
more detail |
2024-02-20 | VuXML ID 6a851dc0-cfd2-11ee-ac09-6c3be5272acd
Grafana Labs reports:
The vulnerability impacts instances where Grafana basic authentication is enabled.
Grafana has a verify_email_enabled configuration option. When this option is enabled,
users are required to confirm their email addresses before the sign-up process
is complete. However, the email is only checked at the time of the sign-up.
No further verification is carried out if a user's email address is updated
after the initial sign-up. Moreover, Grafana allows using an email address
as the user's login name, and no verification is ever carried out for this email
address.
This means that even if the verify_email_enabled configuration option is enabled, users can use
unverified email addresses to log into Grafana if the email address
has been changed after the sign up, or if an email address is set as the login
name.
The CVSS score for this vulnerability is [5.4 Medium] (CVSS).
more... | grafana grafana10 grafana9
more detail |
2024-02-16 | VuXML ID e15ba624-cca8-11ee-84ca-b42e991fc52e
cve@mitre.org reports:
CVE-2023-50868: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155
when RFC 9276 guidance is skipped) allows remote attackers to cause
a denial of service (CPU consumption for SHA-1 computations) via
DNSSEC responses in a random subdomain attack, aka the "NSEC3"
issue. The RFC 5155 specification implies that an algorithm must
perform thousands of iterations of a hash function in certain
situations.
CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035,
6840, and related RFCs) allow remote attackers to cause a denial
of service (CPU consumption) via one or more DNSSEC responses, aka
the "KeyTrap" issue. One of the concerns is that, when
there is a zone with many DNSKEY and RRSIG records, the protocol
specification implies that an algorithm must evaluate all combinations
of DNSKEY and RRSIG records.
more... | powerdns-recursor
more detail |
2024-02-15 | VuXML ID bd7592a1-cbfd-11ee-a42a-5404a6f3ca32
Problem Description:
Even with RequireSignInView enabled, anonymous users can use docker pull
to fetch public images.
more... | gitea
more detail |
2024-02-15 | VuXML ID c97a4ecf-cc25-11ee-b0ee-0050569f0b83
The nginx development team reports:
When using HTTP/3 a segmentation fault might occur in a
worker process while processing a specially crafted QUIC session.
more... | nginx-devel
more detail |
2024-02-14* | VuXML ID 43768ff3-c683-11ee-97d0-001b217b3468
Git community reports:
A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application
A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities
more... | eza libgit2
more detail |
2024-02-14 | VuXML ID 46a29f83-cb47-11ee-b609-002590c1f29c
Problem Description:
The jail(2) system call has not limited the visibility of allocated
TTYs (the kern.ttys sysctl). This gives rise to an information
leak about processes outside the current jail.
Impact:
Attacker can get information about TTYs allocated on the host
or in other jails. Effectively, the information printed by "pstat
-t" may be leaked.
more... | FreeBSD-kernel
more detail |
2024-02-14 | VuXML ID 4edbea45-cb0c-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix.
more... | chromium ungoogled-chromium
more detail |
2024-02-14 | VuXML ID c62285cb-cb46-11ee-b609-002590c1f29c
Problem Description:
`bhyveload -h ` may be used to grant loader access
to the directory tree on the host. Affected versions
of bhyveload(8) do not make any attempt to restrict loader's access
to , allowing the loader to read any file the host user
has access to.
Impact:
In the bhyveload(8) model, the host supplies a userboot.so to
boot with, but the loader scripts generally come from the guest
image. A maliciously crafted script could be used to exfiltrate
sensitive data from the host accessible to the user running
bhyveload(8), which is often the system root.
more... | FreeBSD
more detail |
2024-02-12 | VuXML ID 388eefc0-c93f-11ee-92ce-4ccc6adda413
Google reports:
A heap buffer overflow exists in readstat_convert.
more... | readstat
more detail |
2024-02-12 | VuXML ID f161a5ad-c9bd-11ee-b7a7-353f1e043d9a
Austin Hackers Anonymous report:
Due to a failure in validating the number of scanline samples of an OpenEXR file containing deep scanline data, Academy Software Foundation OpenEXR image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability.
[...] it is in a routine that is predominantly used for development and
testing. It is not likely to appear in production code.
more... | openexr
more detail |
2024-02-11 | VuXML ID cb22a9a6-c907-11ee-8d1c-40b034429ecf
Spreadsheet-ParseExcel reports:
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files.
Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability
due to passing unvalidated input from a file into a string-type eval "eval".
Specifically, the issue stems from the evaluation of Number format strings
(not to be confused with printf-style format strings) within the Excel parsing logic.
more... | p5-Spreadsheet-ParseExcel
more detail |
2024-02-11 | VuXML ID cbfc1591-c8c0-11ee-b45a-589cfc0f81b0
phpMyFAQ team reports:
phpMyFAQ doesn't implement sufficient checks to avoid XSS when
storing on attachments filenames. The 'sharing FAQ' functionality
allows any unauthenticated actor to misuse the phpMyFAQ application
to send arbitrary emails to a large range of targets. phpMyFAQ's
user removal page allows an attacker to spoof another user's
detail, and in turn make a compelling phishing case for removing
another user's account.
more... | phpmyfaq-php81 phpmyfaq-php82 phpmyfaq-php83
more detail |
2024-02-08 | VuXML ID 19047673-c680-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 3 security fixes:
- [41494539] High CVE-2024-1284: Use after free in Mojo. Reported by Anonymous on 2024-01-25
- [41494860] High CVE-2024-1283: Heap buffer overflow in Skia. Reported by Jorge Buzeti (@r3tr074) on 2024-01-25
more... | chromium qt5-webengine qt6-webengine ungoogled-chromium
more detail |
2024-02-08 | VuXML ID 19e6dd1b-c6a5-11ee-9cd0-6cc21735f730
PostgreSQL Project reports:
One step of a concurrent refresh command was run under
weak security restrictions. If a materialized view's
owner could persuade a superuser or other
high-privileged user to perform a concurrent refresh on
that view, the view's owner could control code executed
with the privileges of the user running REFRESH. The fix
for the vulnerability makes it so that all
user-determined code is run as the view's owner, as
expected.
more... | postgresql-server
more detail |
2024-02-08 | VuXML ID 33ba2241-c68e-11ee-9ef3-001999f8d30b
Composer reports:
Code execution and possible privilege escalation via
compromised InstalledVersions.php or installed.php.
Several files within the local working directory are
included during the invocation of Composer and in the
context of the executing user.
As such, under certain conditions arbitrary code
execution may lead to local privilege escalation, provide
lateral user movement or malicious code execution when
Composer is invoked within a directory with tampered
files.
All Composer CLI commands are affected, including
composer.phar's self-update.
more... | php81-composer php82-composer php83-composer
more detail |
2024-02-08 | VuXML ID 6b2cba6a-c6a5-11ee-97d0-001b217b3468
Gitlab reports:
Restrict group access token creation for custom roles
Project maintainers can bypass group's scan result policy block_branch_modification setting
ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax
Resource exhaustion using GraphQL vulnerabilitiesCountByDay
more... | gitlab-ce
more detail |
2024-02-07 | VuXML ID 68ae70c5-c5e5-11ee-9768-08002784c58d
The ClamAV project reports:
- CVE-2024-20290
A vulnerability in the OLE2 file format parser of ClamAV
could allow an unauthenticated, remote attacker to cause
a denial of service (DoS) condition on an affected
device. This vulnerability is due to an incorrect check
for end-of-string values during scanning, which may
result in a heap buffer over-read. An attacker could
exploit this vulnerability by submitting a crafted file
containing OLE2 content to be scanned by ClamAV on an
affected device. A successful exploit could allow the
attacker to cause the ClamAV scanning process to
terminate, resulting in a DoS condition on the affected
software and consuming available system resources.
- CVE-2024-20328
Fixed a possible command injection vulnerability in the
"VirusEvent" feature of ClamAV's ClamD
service. To fix this issue, we disabled the '%f' format
string parameter. ClamD administrators may continue to
use the `CLAM_VIRUSEVENT_FILENAME` environment variable,
instead of '%f'. But you should do so only from within
an executable, such as a Python script, and not directly
in the clamd.conf "VirusEvent" command.
more... | clamav clamav-lts
more detail |
2024-02-07 | VuXML ID e0f6215b-c59e-11ee-a6db-080027a5b8e9
Django reports:
CVE-2024-24680: Potential denial-of-service in intcomma template filter.
more... | py310-django32 py310-django42 py311-django32 py311-django42 py311-django50 py39-django32 py39-django42
more detail |
2024-02-02 | VuXML ID 72d6d757-c197-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 17 security fixes:
- [1484394] High CVE-2024-0812: Inappropriate implementation in Accessibility. Reported by Anonymous on 2023-09-19
- [1504936] High CVE-2024-0808: Integer underflow in WebUI. Reported by Lyra Rebane (rebane2001) on 2023-11-24
- [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools. Reported by Shaheen Fazim on 2023-10-26
- [1463935] Medium CVE-2024-0814: Incorrect security UI in Payments. Reported by Muneaki Nishimura (nishimunea) on 2023-07-11
- [1477151] Medium CVE-2024-0813: Use after free in Reading Mode. Reported by @retsew0x01 on 2023-08-30
- [1505176] Medium CVE-2024-0806: Use after free in Passwords. Reported by 18楼梦想改造家 on 2023-11-25
- [1514925] Medium CVE-2024-0805: Inappropriate implementation in Downloads. Reported by Om Apip on 2024-01-01
- [1515137] Medium CVE-2024-0804: Insufficient policy enforcement in iOS Security UI. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2024-01-03
- [1494490] Low CVE-2024-0811: Inappropriate implementation in Extensions API. Reported by Jann Horn of Google Project Zero on 2023-10-21
- [1497985] Low CVE-2024-0809: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-10-31
more... | chromium ungoogled-chromium
more detail |
2024-02-02 | VuXML ID dc9e5237-c197-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [1511567] High CVE-2024-1060: Use after free in Canvas. Reported by Anonymous on 2023-12-14
- [1514777] High CVE-2024-1059: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-12-29
- [1511085] High CVE-2024-1077: Use after free in Network. Reported by Microsoft Security Research Center on 2023-12-13
more... | chromium qt5-webengine qt6-webengine ungoogled-chromium
more detail |
2024-02-01 | VuXML ID 13a8c4bf-cb2b-48ec-b49c-a3875c72b3e8
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-0807.
more... | electron26 electron27 electron28
more detail |
2024-01-31 | VuXML ID 10dee731-c069-11ee-9190-84a93843eb75
The OpenSSL project reports:
Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
PKCS12 Decoding crashes (CVE-2024-0727)
more... | openssl openssl-quictls openssl31 openssl31-quictls openssl32
more detail |
2024-01-31 | VuXML ID 67c2eb06-5579-4595-801b-30355be24654
cve@mitre.org reports:
In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product
was renamed), there is an unchecked buffer size during a memcpy in
the Lizard_decompress_LIZv1 function (lib/lizard_decompress_liz.h).
Remote attackers can leverage this vulnerability to cause a denial
of service via a crafted input file, as well as achieve remote code
execution.
more... | lizard
more detail |
2024-01-31 | VuXML ID bbcb1584-c068-11ee-bdd6-4ccc6adda413
Qt qtwebengine-chromium repo reports:
Backports for 3 security bugs in Chromium:
- [1505080] High CVE-2024-0807: Use after free in WebAudio
- [1504936] Critical CVE-2024-0808: Integer underflow in WebUI
- [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools
more... | qt5-webengine qt6-webengine
more detail |
2024-01-29 | VuXML ID a11e7dd1-bed4-11ee-bdd6-4ccc6adda413
Qt qtwebengine-chromium repo reports:
Backports for 8 security bugs in Chromium:
- [1505053] High CVE-2023-6345: Integer overflow in Skia
- [1501326] High CVE-2023-6702: Type Confusion in V8
- [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
- [1501798] High CVE-2024-0222: Use after free in ANGLE
- [1505086] High CVE-2024-0224: Use after free in WebAudio
- [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
- [1507412] High CVE-2024-0518: Type Confusion in V8
- [1517354] High CVE-2024-0519: Out of bounds memory access in V8
more... | qt5-webengine
more detail |
2024-01-29 | VuXML ID a25b323a-bed9-11ee-bdd6-4ccc6adda413
Qt qtwebengine-chromium repo reports:
Backports for 15 security bugs in Chromium:
- [1505053] High CVE-2023-6345: Integer overflow in Skia
- [1500856] High CVE-2023-6346: Use after free in WebAudio
- [1494461] High CVE-2023-6347: Use after free in Mojo
- [1501326] High CVE-2023-6702: Type Confusion in V8
- [1502102] High CVE-2023-6703: Use after free in Blink
- [1505708] High CVE-2023-6705: Use after free in WebRTC
- [1500921] High CVE-2023-6706: Use after free in FedCM
- [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
- [1501798] High CVE-2024-0222: Use after free in ANGLE
- [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE
- [1505086] High CVE-2024-0224: Use after free in WebAudio
- [1506923] High CVE-2024-0225: Use after free in WebGPU
- [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
- [1507412] High CVE-2024-0518: Type Confusion in V8
- [1517354] High CVE-2024-0519: Out of bounds memory access in V8
more... | qt6-webengine
more detail |
2024-01-26 | VuXML ID 61fe903b-bc2e-11ee-b06e-001b217b3468
Gitlab reports:
Arbitrary file write while creating workspace
ReDoS in Cargo.toml blob viewer
Arbitrary API PUT requests via HTML injection in user's name
Disclosure of the public email in Tags RSS Feed
Non-Member can update MR Assignees of owned MRs
more... | gitlab-ce
more detail |
2024-01-26 | VuXML ID b5e22ec5-bc4b-11ee-b0b5-b42e991fc52e
Multiple vulnerabilities in ssh and golang
- CVE-2023-45286: HTTP request body disclosure in go-resty
disclosure across requests.
- CVE-2023-48795: The SSH transport protocol with certain
OpenSSH extensions, found in OpenSSH before 9.6 and
other products, allows remote attackers to bypass
integrity checks.
more... | rclone
more detail |
2024-01-24 | VuXML ID 8b03d274-56ca-489e-821a-cf32f07643f0
Jenkins Security Advisory:
- (Critical) SECURITY-3314 / CVE-2024-23897
Arbitrary file read vulnerability through the CLI can lead to RCE
- (High) SECURITY-3315 / CVE-2024-23898
Cross-site WebSocket hijacking vulnerability in the CLI
more... | jenkins jenkins-lts
more detail |
2024-01-23 | VuXML ID 9532a361-b84d-11ee-b0d7-84a93843eb75
TinyMCE reports:
Special characters in unescaped text nodes can trigger mXSS
when using TinyMCE undo/redo, getContentAPI, resetContentAPI,
and Autosave plugin
more... | roundcube tinymce
more detail |
2024-01-22 | VuXML ID fedf7e71-61bd-49ec-aaf0-6da14bdbb319
Tim Wojtulewicz of Corelight reports:
A specially-crafted series of packets containing nested
MIME entities can cause Zeek to spend large amounts of
time parsing the entities.
more... | zeek
more detail |
2024-01-19 | VuXML ID 2264566a-a890-46eb-a895-7881dd220bd0
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-0519.
more... | electron26
more detail |
2024-01-18* | VuXML ID a8326b61-eda0-4c03-9a5b-49ebd8f41c1a
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-0518.
- Security: backported fix for CVE-2024-0517.
more... | electron26 electron27
more detail |
2024-01-17 | VuXML ID 1bc07be0-b514-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [1515930] High CVE-2024-0517: Out of bounds write in V8. Reported by Toan (suto) Pham of Qrious Secure on 2024-01-06
- [1507412] High CVE-2024-0518: Type Confusion in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2023-12-03
- [1517354] High CVE-2024-0519: Out of bounds memory access in V8. Reported by Anonymous on 2024-01-11
more... | chromium ungoogled-chromium
more detail |
2024-01-16 | VuXML ID 7467c611-b490-11ee-b903-001fc69cd6dc
The X.Org project reports:
- CVE-2023-6816: Heap buffer overflow in DeviceFocusEvent
and ProcXIQueryPointer
Both DeviceFocusEvent and the XIQueryPointer reply contain a bit
for each logical button currently down. Buttons can be arbitrarily
mapped to any value up to 255 but the X.Org Server was only
allocating space for the device's number of buttons,
leading to a heap overflow if a bigger value was used.
- CVE-2024-0229: Reattaching to different master device may lead
to out-of-bounds memory access
If a device has both a button class and a key class and
numButtons is zero, we can get an out-of-bounds write due
to event under-allocation in the DeliverStateNotifyEvent
function.
- CVE-2024-21885: Heap buffer overflow in
XISendDeviceHierarchyEvent
The XISendDeviceHierarchyEvent() function allocates space to
store up to MAXDEVICES (256) xXIHierarchyInfo structures in info.
If a device with a given ID was removed and a new device with
the same ID added both in the same operation,
the single device ID will lead to two info structures being
written to info.
Since this case can occur for every device ID at once,
a total of two times MAXDEVICES info structures might be written
to the allocation, leading to a heap buffer overflow.
- CVE-2024-21886: Heap buffer overflow in DisableDevice
The DisableDevice() function is called whenever an enabled device
is disabled and it moves the device from the inputInfo.devices
linked list to the inputInfo.off_devices linked list.
However, its link/unlink operation has an issue during the recursive
call to DisableDevice() due to the prev pointer pointing to a
removed device.
This issue leads to a length mismatch between the total number of
devices and the number of devices in the list, leading to a heap
overflow and, possibly, to local privilege escalation.
more... | xephyr xorg-nextserver xorg-server xorg-vfbserver xwayland xwayland-devel
more detail |
2024-01-12 | VuXML ID 28b42ef5-80cd-440c-904b-b7fbca74c73d
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-0224.
- Security: backported fix for CVE-2024-0225.
- Security: backported fix for CVE-2024-0223.
- Security: backported fix for CVE-2024-0222.
more... | electron26 electron27
more detail |
2024-01-12 | VuXML ID 4c8c2218-b120-11ee-90ec-001b217b3468
Gitlab reports:
Account Takeover via Password Reset without user interactions
Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user
Bypass CODEOWNERS approval removal
Workspaces able to be created under different root namespace
Commit signature validation ignores headers after signature
more... | gitlab-ce
more detail |
2024-01-11 | VuXML ID 8337251b-b07b-11ee-b0d7-84a93843eb75
SO-AND-SO reports:
The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications running
on PowerPC CPU based platforms if the CPU provides vector instructions.
more... | openssl openssl-quictls openssl31 openssl31-quictls openssl32
more detail |
2024-01-10 | VuXML ID ec8e4040-afcd-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [1513379] High CVE-2024-0333: Insufficient data validation in Extensions. Reported by Malcolm Stagg (@malcolmst) of SODIUM-24, LLC on 2023-12-20
more... | chromium ungoogled-chromium
more detail |
2024-01-07 | VuXML ID e2f981f1-ad9e-11ee-8b55-4ccc6adda413
Andy Shaw reports:
A potential integer overflow has been discovered in Qt's HTTP2
implementation. If the HTTP2 implementation receives more than 4GiB
in total headers, or more than 2GiB for any given header pair, then
the internal buffers may overflow.
more... | qt5-network qt6-base
more detail |
2024-01-06 | VuXML ID 1f0d0024-ac9c-11ee-8e91-1c697a013f4b
Mantis 2.25.8 release reports:
Security and maintenance release
- 0032432: Update guzzlehttp/psr7 to 1.9.1 (CVE-2023-29197)
- 0032981: Information Leakage on DokuWiki Integration (CVE-2023-44394)
more... | mantis-php74 mantis-php80 mantis-php81 mantis-php82 mantis-php83
more detail |
2024-01-04 | VuXML ID 0cee4f9c-5efb-4770-b917-f4e4569e8bec
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6704.
- Security: backported fix for CVE-2023-6705.
- Security: backported fix for CVE-2023-6703.
- Security: backported fix for CVE-2023-6702.
more... | electron26
more detail |
2024-01-04 | VuXML ID 3ee577a9-aad4-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 6 security fixes:
- [1501798] High CVE-2024-0222: Use after free in ANGLE. Reported by Toan (suto) Pham of Qrious Secure on 2023-11-13
- [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE. Reported by Toan (suto) Pham and Tri Dang of Qrious Secure on 2023-11-24
- [1505086] High CVE-2024-0224: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-25
- [1506923] High CVE-2024-0225: Use after free in WebGPU. Reported by Anonymous on 2023-12-01
more... | chromium ungoogled-chromium
more detail |
2024-01-04 | VuXML ID d1b20e09-dbdf-432b-83c7-89f0af76324a
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6706.
- Security: backported fix for CVE-2023-6705.
- Security: backported fix for CVE-2023-6703.
- Security: backported fix for CVE-2023-6702.
- Security: backported fix for CVE-2023-6704.
more... | electron27
more detail |
2024-01-02 | VuXML ID 13d83980-9f18-11ee-8e38-002590c1f29c
Problem Description:
The SSH protocol executes an initial handshake between the
server and the client. This protocol handshake includes the
possibility of several extensions allowing different options to be
selected. Validation of the packets in the handshake is done through
sequence numbers.
Impact:
A man in the middle attacker can silently manipulate handshake
messages to truncate extension negotiation messages potentially
leading to less secure client authentication algorithms or deactivating
keystroke timing attack countermeasures.
more... | FreeBSD
more detail |
2023-12-31* | VuXML ID 2fe004f5-83fd-11ee-9f5d-31909fb2f495
The OpenVPN community project team reports:
CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore "--fragment" configuration in some circumstances, leading to a division by zero when "--fragment" is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash.
Reported by Niccolo Belli and WIPocket (Github #400, #417).
CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417)
more... | openvpn openvpn-devel
more detail |
2023-12-22 | VuXML ID 7015ab21-9230-490f-a2fe-f7557e3de25d
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6508.
- Security: backported fix for CVE-2023-7024.
more... | electron26 electron27
more detail |
2023-12-21 | VuXML ID 1b2a8e8a-9fd5-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC. Reported by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group on 2023-12-19
more... | chromium ungoogled-chromium
more detail |
2023-12-21 | VuXML ID b2765c89-a052-11ee-bed2-596753f1a87c
The Gitea team reports:
Update golang.org/x/crypto
more... | gitea
more detail |
2023-12-19 | VuXML ID 0f7598cc-9fe2-11ee-b47f-901b0e9408dc
Upstream reports:
Security fix:
- Update golang.org/x/crypto, which includes a fix for CVE-2023-48795.
more... | nebula
more detail |
2023-12-19 | VuXML ID 76c2110b-9e97-11ee-ae23-a0f3c100ae18
Slurm releases notes:
Description
CVE-2023-49933 through CVE-2023-49938
Slurm versions 23.11.1, 23.02.7, 22.05.11 are now available
and address a number of recently-discovered security issues.
They've been assigned CVE-2023-49933 through CVE-2023-49938.
more... | slurm-wlm
more detail |
2023-12-19 | VuXML ID 91955195-9ebb-11ee-bc14-a703705db3a6
Simon Tatham reports:
PuTTY version 0.80 [contains] one security fix [...] for a newly discovered security issue known as the 'Terrapin'
attack, also numbered CVE-2023-48795. The issue affects widely-used
OpenSSH extensions to the SSH protocol: the ChaCha20+Poly1305
cipher system, and 'encrypt-then-MAC' mode.
In order to benefit from the fix, you must be using a fixed version
of PuTTY _and_ a server with the fix, so that they can agree to
adopt a modified version of the protocol. [...]
more... | putty putty-nogtk
more detail |
2023-12-17 | VuXML ID fd47fcfe-ec69-4000-b9ce-e5e62102c1c7
Nick Vatamane reports:
Design documents with matching document IDs, from databases on the
same cluster, may share a mutable Javascript environment when using
various design document functions.
more... | couchdb
more detail |
2023-12-14* | VuXML ID 9cbbc506-93c1-11ee-8e38-002590c1f29c
Problem Description:
As part of its stateful TCP connection tracking implementation,
pf performs sequence number validation on inbound packets. This
makes it difficult for a would-be attacker to spoof the sender and
inject packets into a TCP stream, since crafted packets must contain
sequence numbers which match the current connection state to avoid
being rejected by the firewall.
A bug in the implementation of sequence number validation means
that the sequence number is not in fact validated, allowing an
attacker who is able to impersonate the remote host and guess the
connection's port numbers to inject packets into the TCP stream.
Impact:
An attacker can, with relatively little effort, inject packets
into a TCP stream destined to a host behind a pf firewall. This
could be used to implement a denial-of-service attack for hosts
behind the firewall, for example by sending TCP RST packets to the
host.
more... | FreeBSD-kernel
more detail |
2023-12-14 | VuXML ID e2fb85ce-9a3c-11ee-af26-001b217b3468
Gitlab reports:
Smartcard authentication allows impersonation of arbitrary user using user's public certificate
When subgroup is allowed to merge or push to protected branches, subgroup members with the Developer role may gain the ability to push or merge
The GitLab web interface does not ensure the integrity of information when downloading the source code from installation packages or tags
Project maintainer can escalate to Project owner using project access token rotate API
Omission of Double Encoding in File Names Facilitates the Creation of Repositories with Malicious Content
Unvalidated timeSpent value leads to unable to load issues on Issue board
Developer can bypass predefined variables via REST API
Auditor users can create merge requests on projects they don't have access to
more... | gitlab-ce
more detail |
2023-12-13 | VuXML ID 502c9f72-99b3-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 9 security fixes:
- [1501326] High CVE-2023-6702: Type Confusion in V8. Reported by Zhiyi Zhang and Zhunki from Codesafe Team of Legendsec at Qi'anxin Group on 2023-11-10
- [1502102] High CVE-2023-6703: Use after free in Blink. Reported by Cassidy Kim(@cassidy6564) on 2023-11-14
- [1504792] High CVE-2023-6704: Use after free in libavif. Reported by Fudan University on 2023-11-23
- [1505708] High CVE-2023-6705: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-11-28
- [1500921] High CVE-2023-6706: Use after free in FedCM. Reported by anonymous on 2023-11-09
- [1504036] Medium CVE-2023-6707: Use after free in CSS. Reported by @ginggilBesel on 2023-11-21
more... | chromium ungoogled-chromium
more detail |
2023-12-13 | VuXML ID 8eefff69-997f-11ee-8e38-002590c1f29c
Problem Description:
In FreeBSD 13.2 and 14.0, the NFS client was optimized to improve
the performance of IO_APPEND writes, that is, writes which add data
to the end of a file and so extend its size. This uncovered an old
bug in some routines which copy userspace data into the kernel.
The bug also affects the NFS client's implementation of direct I/O;
however, this implementation is disabled by default by the
vfs.nfs.nfs_directio_enable sysctl and is only used to handle
synchronous writes.
Impact:
When a program running on an affected system appends data to a
file via an NFS client mount, the bug can cause the NFS client to
fail to copy in the data to be written but proceed as though the
copy operation had succeeded. This means that the data to be written
is instead replaced with whatever data had been in the packet buffer
previously. Thus, an unprivileged user with access to an affected
system may abuse the bug to trigger disclosure of sensitive
information. In particular, the leak is limited to data previously
stored in mbufs, which are used for network transmission and
reception, and for certain types of inter-process communication.
The bug can also be triggered unintentionally by system
applications, in which case the data written by the application to an
NFS mount may be corrupted. Corrupted data is written over the
network to the NFS server, and thus also susceptible to being snooped
by other hosts on the network.
Note that the bug exists only in the NFS client; the version and
implementation of the server has no effect on whether a given system
is affected by the problem.
more... | FreeBSD-kernel
more detail |
2023-12-13 | VuXML ID 972568d6-3485-40ab-80ff-994a8aaf9683
The X.Org project reports:
- CVE-2023-6377/ZDI-CAN-22412/ZDI-CAN-22413: X.Org
server: Out-of-bounds memory write in XKB button actions
A device has XKB button actions for each button on the
device. When a logical device switch happens (e.g. moving
from a touchpad to a mouse), the server re-calculates the
information available on the respective master device
(typically the Virtual Core Pointer). This re-calculation
only allocated enough memory for a single XKB action
rather than enough for the newly active physical
device's number of buttons. As a result, querying or
changing the XKB button actions results in out-of-bounds
memory reads and writes.
This may lead to local privilege escalation if the server is run as root or
remote code execution (e.g. x11 over ssh).
- CVE-2023-6478/ZDI-CAN-22561: X.Org server:
Out-of-bounds memory read in RRChangeOutputProperty and
RRChangeProviderProperty
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->nUnits bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.
more... | xephyr xorg-nestserver xorg-server xorg-vfbserver xwayland xwayland-devel
more detail |
2023-12-11 | VuXML ID 4405e9ad-97fe-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 10 security fixes:
- [1497984] High CVE-2023-6508: Use after free in Media Stream. Reported by Cassidy Kim(@cassidy6564) on 2023-10-31
- [1494565] High CVE-2023-6509: Use after free in Side Panel Search. Reported by Khalil Zhani on 2023-10-21
- [1480152] Medium CVE-2023-6510: Use after free in Media Capture. Reported by [pwn2car] on 2023-09-08
- [1478613] Low CVE-2023-6511: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-09-04
- [1457702] Low CVE-2023-6512: Inappropriate implementation in Web Browser UI. Reported by Om Apip on 2023-06-24
more... | chromium qt5-webengine qt6-webengine ungoogled-chromium
more detail |
2023-12-10 | VuXML ID 2bc376c0-977e-11ee-b4bc-b42e991fc52e
security@apache.org reports:
Authorization Bypass Through User-Controlled Key vulnerability in
Apache ZooKeeper. If SASL Quorum Peer authentication is enabled
in ZooKeeper (quorum.auth.enableSasl=true), the authorization is
done by verifying that the instance part in SASL authentication ID
is listed in zoo.cfg server list. The instance part in SASL auth
ID is optional and if it's missing, like 'eve@EXAMPLE.COM',
the authorization check will be skipped. As a result an arbitrary
endpoint could join the cluster and begin propagating counterfeit
changes to the leader, essentially giving it complete read-write
access to the data tree. Quorum Peer authentication is not enabled
by default.
Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2,
which fixes the issue.
Alternately ensure the ensemble election/quorum communication is
protected by a firewall as this will mitigate the issue.
See the documentation for more details on correct cluster administration.
more... | zookeeper
more detail |
2023-12-09 | VuXML ID bbda3d16-968e-11ee-b780-b42e991fc52e
cve@mitre.org reports:
strongSwan before 5.9.12 has a buffer overflow and possible
unauthenticated remote code execution via a DH public value that
exceeds the internal buffer in charon-tkm's DH proxy. The
earliest affected version is 5.3.0. An attack can occur via a
crafted IKE_SA_INIT message.
more... | null
more detail |
2023-12-07 | VuXML ID e07a7754-12a4-4661-b852-fd221d68955f
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6350.
- Security: backported fix for CVE-2023-6351.
more... | electron25
more detail |
2023-12-02 | VuXML ID f25a34b1-910d-11ee-a1a2-641c67a117d8
Varnish Cache Project reports:
A denial of service attack can be performed on Varnish Cache servers
that have the HTTP/2 protocol turned on. An attacker can create a large
volume of streams and immediately reset them without ever reaching the
maximum number of concurrent streams allowed for the session, causing
the Varnish server to consume unnecessary resources processing requests
for which the response will not be delivered.
more... | varnish6 varnish7
more detail |
2023-12-01 | VuXML ID 302fc846-860f-482e-a8f6-ee9f254dfacf
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6345.
- Security: backported fix for CVE-2023-6346.
- Security: backported fix for CVE-2023-6347.
more... | electron25
more detail |
2023-12-01 | VuXML ID 3b14b2b4-9014-11ee-98b3-001b217b3468
Gitlab reports:
XSS and ReDoS in Markdown via Banzai pipeline of Jira
Members with admin_group_member custom permission can add members with higher role
Release Description visible in public projects despite release set as project members only through atom response
Manipulate the repository content in the UI (CVE-2023-3401 bypass)
External user can abuse policy bot to gain access to internal projects
Client-side DOS via Mermaid Flowchart
Developers can update pipeline schedules to use protected branches even if they don't have permission to merge
Users can install Composer packages from public projects even when Package registry is turned off
Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches
Guest users can react (emojis) on confidential work items which they can't see in a project
more... | gitlab-ce
more detail |
2023-12-01 | VuXML ID 7e1a508f-7167-47b0-b9fc-95f541933a86
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6345.
- Security: backported fix for CVE-2023-6346.
- Security: backported fix for CVE-2023-6347.
- Security: backported fix for CVE-2023-6350.
more... | electron26
more detail |
2023-11-29 | VuXML ID 8cdd38c7-8ebb-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 7 security fixes:
- [1491459] High CVE-2023-6348: Type Confusion in Spellcheck. Reported by Mark Brand of Google Project Zero on 2023-10-10
- [1494461] High CVE-2023-6347: Use after free in Mojo. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2023-10-21
- [1500856] High CVE-2023-6346: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-09
- [1501766] High CVE-2023-6350: Out of bounds memory access in libavif. Reported by Fudan University on 2023-11-13
- [1501770] High CVE-2023-6351: Use after free in libavif. Reported by Fudan University on 2023-11-13
- [1505053] High CVE-2023-6345: Integer overflow in Skia. Reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group on 2023-11-24
more... | chromium qt5-webengine qt6-webengine ungoogled-chromium
more detail |
2023-11-26 | VuXML ID 388e6557-8c80-11ee-9ee3-84a93843eb75
The MariaDB project reports:
Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL
Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server.
more... | mariadb1011-server mariadb105-server mariadb106-server
more detail |
2023-11-24 | VuXML ID a62c0c50-8aa0-11ee-ac0d-00e0670f2660
strongSwan reports:
A vulnerability in charon-tkm related to processing
DH public values was discovered in strongSwan
that can result in a buffer overflow and potentially
remote code execution. All versions since
5.3.0 are affected.
more... | strongswan
more detail |
2023-11-22 | VuXML ID 147353a3-c33b-46d1-b751-e72c0d7f29df
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-5997.
more... | electron25 electron26
more detail |
2023-11-16 | VuXML ID 0da4db89-84bf-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [1497997] High CVE-2023-5997: Use after free in Garbage Collection. Reported by Anonymous on 2023-10-31
- [1499298] High CVE-2023-6112: Use after free in Navigation. Reported by Sergei Glazunov of Google Project Zero on 2023-11-04
more... | chromium qt5-webengine qt6-webengine ungoogled-chromium
more detail |
2023-11-16 | VuXML ID a30f1a12-117f-4dac-a1d0-d65eaf084953
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-5996.
more... | electron25 electron26
more detail |
2023-11-15 | VuXML ID 7cc003cb-83b9-11ee-957d-b42e991fc52e
security-advisories@github.com reports:
Weak Authentication in Session Handling in typo3/cms-core:
In typo3 installations there are always
at least two different sites, e.g. first.example.org and
second.example.com. In affected versions a session cookie
generated for the first site can be reused on the second site
without requiring additional authentication. This
vulnerability has been addressed in versions 8.7.55, 9.5.44,
10.4.41, 11.5.33, and 12.4.8. Users are advised to upgrade.
There are no known workarounds for this vulnerability.
Information Disclosure in Install Tool in typo3/cms-install:
In affected versions the login screen of the standalone
install tool discloses the full path of the transient data
directory (e.g. /var/www/html/var/transient/). This applies
to composer-based scenarios only - classic non-composer
installations are not affected. This issue has been addressed
in version 12.4.8. Users are advised to upgrade. There are
no known workarounds for this vulnerability.
By-passing Cross-Site Scripting Protection in HTML Sanitizer:
In affected versions DOM processing instructions are not
handled correctly. This allows bypassing the cross-site
scripting mechanism of typo3/html-sanitizer. This
vulnerability has been addressed in versions 1.5.3 and 2.1.4.
Users are advised to upgrade. There are no known workarounds
for this vulnerability.
more... | typo3-11 typo3-12
more detail |
2023-11-09 | VuXML ID 0f445859-7f0e-11ee-94b4-6cc21735f730
PostgreSQL Project reports:
While modifying certain SQL array values, missing
overflow checks let authenticated database users write
arbitrary bytes to a memory area that facilitates
arbitrary code execution. Missing overflow checks also
let authenticated database users read a wide area of
server memory. The CVE-2021-32027 fix covered some
attacks of this description, but it missed others.
more... | postgresql-server
more detail |
2023-11-09 | VuXML ID 31f45d06-7f0e-11ee-94b4-6cc21735f730
PostgreSQL Project reports:
Certain aggregate function calls receiving "unknown"-type
arguments could disclose bytes of server memory from the end of
the "unknown"-type value to the next zero byte. One typically
gets an "unknown"-type value via a string literal having no type
designation. We have not confirmed or ruled out viability of
attacks that arrange for presence of notable, confidential
information in disclosed bytes.
more... | postgresql-server
more detail |
2023-11-09 | VuXML ID 5558dded-a870-4fbe-8b0a-ba198db47007
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-5849.
- Security: backported fix for CVE-2023-5482.
more... | electron25 electron26
more detail |
2023-11-09 | VuXML ID bbb18fcb-7f0d-11ee-94b4-6cc21735f730
PostgreSQL Project reports:
Documentation says the pg_cancel_backend role cannot
signal "a backend owned by a superuser". On the
contrary, it can signal background workers, including
the logical replication launcher. It can signal
autovacuum workers and the autovacuum launcher.
Signaling autovacuum workers and those two launchers
provides no meaningful exploit, so exploiting this
vulnerability requires a non-core extension with a
less-resilient background worker. For example, a
non-core background worker that does not auto-restart
would experience a denial of service with respect to
that particular background worker.
more... | postgresql-server
more detail |
2023-11-08 | VuXML ID 4ade0c4d-7e83-11ee-9a8c-00155d01f201
cve@mitre.org reports:
Multiple signed integers overflow in function au_read_header in
src/au.c and in functions mat4_open and mat4_read_header in src/mat4.c
in Libsndfile, allows an attacker to cause Denial of Service or
other unspecified impacts.
more... | libsndfile
more detail |
2023-11-08 | VuXML ID 5afcc9a4-7e04-11ee-8e38-002590c1f29c
Problem Description:
For line-buffered streams the __sflush() function did not
correctly update the FILE object's write space member when the
write(2) system call returns an error.
Impact:
Depending on the nature of an application that calls libc's
stdio functions and the presence of errors returned from the write(2)
system call (or an overridden stdio write routine) a heap buffer
overflow may occur. Such overflows may lead to data corruption or
the execution of arbitrary code at the privilege level of the calling
program.
more... | FreeBSD
more detail |
2023-11-08 | VuXML ID 77fc311d-7e62-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [1497859] High CVE-2023-5996: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab via Tianfu Cup 2023 on 2023-10-30
more... | chromium ungoogled-chromium
more detail |
2023-11-08 | VuXML ID a5956603-7e4f-11ee-9df6-84a93843eb75
The OpenSSL project reports:
Excessive time spent in DH check / generation with large Q
parameter value (low).
Generating excessively long X9.42 DH keys or checking
excessively long X9.42 DH keys or parameters may be very slow.
more... | openssl openssl-quictls openssl111 openssl31 openssl31-quictls
more detail |
2023-11-08 | VuXML ID f4464e49-7e04-11ee-8e38-002590c1f29c
Problem Description:
Casper services allow limiting operations that a process can
perform. Each service maintains a specific list of permitted
operations. Certain operations can be further restricted, such as
specifying which domain names can be resolved. During the verification
of limits, the service must ensure that the new set of constraints
is a subset of the previous one. In the case of the cap_net service,
the currently limited set of domain names was fetched incorrectly.
Impact:
In certain scenarios, if only a list of resolvable domain names
was specified without setting any other limitations, the application
could submit a new list of domains including entries not
previously in the list.
more... | FreeBSD
more detail |
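The invariant behind the Casper advisory above is that a request to tighten a service's limits may only shrink the set currently in force, never widen it, and that the comparison has to be made against the limits actually applied, not against an empty or stale copy. The following is an added example, not FreeBSD or libcasper code; the `net_limits` struct, the domain-name list and the `demo_widening_refused` scenario are constructed for illustration.

```c
/* Added example (not FreeBSD/libcasper code): a subset check for a
 * domain-name limit. The check always runs against the limits that are
 * currently applied ('cur'), which is the comparison the advisory says
 * cap_net got wrong when only a domain list had been set. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_DOMAINS 16

struct net_limits {
    bool has_domain_limit;               /* false: name resolution unrestricted */
    const char *domains[MAX_DOMAINS];
    size_t ndomains;
};

static bool domain_allowed(const struct net_limits *cur, const char *d)
{
    for (size_t i = 0; i < cur->ndomains; i++)
        if (strcmp(cur->domains[i], d) == 0)
            return true;
    return false;
}

/* Returns true only if every domain in 'req' is already permitted by
 * 'cur'. Once a list is in force, a request may keep or shrink it but
 * never add a name or drop the limit altogether. */
bool limit_domains_ok(const struct net_limits *cur, const struct net_limits *req)
{
    if (!cur->has_domain_limit)
        return true;                     /* nothing restricted yet: any list is a subset */
    if (!req->has_domain_limit)
        return false;                    /* cannot remove an existing limit */
    for (size_t i = 0; i < req->ndomains; i++)
        if (!domain_allowed(cur, req->domains[i]))
            return false;
    return true;
}

/* Applies 'req' to 'cur' if it passes the subset check; returns 0 on
 * success, -1 if the request tried to widen the current limits. */
int limit_domains_apply(struct net_limits *cur, const struct net_limits *req)
{
    if (req->ndomains > MAX_DOMAINS) return -1;
    if (!limit_domains_ok(cur, req)) return -1;
    *cur = *req;
    return 0;
}

/* Constructed scenario mirroring the advisory: a list of resolvable
 * names is set first with no other limits, then a second request adds
 * a name that was not in the list. Returns the result of that second
 * request (-1 means the widening was refused). */
int demo_widening_refused(void)
{
    struct net_limits cur = { .has_domain_limit = false };
    struct net_limits first = { .has_domain_limit = true,
                                .domains = { "example.org" }, .ndomains = 1 };
    struct net_limits second = { .has_domain_limit = true,
                                 .domains = { "example.org", "attacker.test" },
                                 .ndomains = 2 };
    if (limit_domains_apply(&cur, &first) != 0) return -2;
    return limit_domains_apply(&cur, &second);
}
```

The point to carry over when auditing any capability or sandbox layer is that the "current" set must be read from the same place the enforcement reads it; a check against the wrong source passes everything while looking correct.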
2023-11-05 | VuXML ID a1a1f81c-7c13-11ee-bcf1-f8b156b6dcc8
Frank-Z7 reports:
Heap buffer overflow when vorbis-tools/oggenc converts
WAV files to Ogg files.
more... | vorbis-tools
more detail |
2023-11-03 | VuXML ID a1e27775-7a61-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 15 security fixes:
- [1492698] High CVE-2023-5480: Inappropriate implementation in Payments. Reported by Vsevolod Kokorin (Slonser) of Solidlab on 2023-10-14
- [1492381] High CVE-2023-5482: Insufficient data validation in USB. Reported by DarkNavy on 2023-10-13
- [1492384] High CVE-2023-5849: Integer overflow in USB. Reported by DarkNavy on 2023-10-13
- [1281972] Medium CVE-2023-5850: Incorrect security UI in Downloads. Reported by Mohit Raj (shadow2639) on 2021-12-22
- [1473957] Medium CVE-2023-5851: Inappropriate implementation in Downloads. Reported by Shaheen Fazim on 2023-08-18
- [1480852] Medium CVE-2023-5852: Use after free in Printing. Reported by [pwn2car] on 2023-09-10
- [1456876] Medium CVE-2023-5853: Incorrect security UI in Downloads. Reported by Hafiizh on 2023-06-22
- [1488267] Medium CVE-2023-5854: Use after free in Profiles. Reported by Dohyun Lee (@l33d0hyun) of SSD-Disclosure Labs & DNSLab, Korea Univ on 2023-10-01
- [1492396] Medium CVE-2023-5855: Use after free in Reading Mode. Reported by ChaobinZhang on 2023-10-13
- [1493380] Medium CVE-2023-5856: Use after free in Side Panel. Reported by Weipeng Jiang (@Krace) of VRI on 2023-10-17
- [1493435] Medium CVE-2023-5857: Inappropriate implementation in Downloads. Reported by Will Dormann on 2023-10-18
- [1457704] Low CVE-2023-5858: Inappropriate implementation in WebApp Provider. Reported by Axel Chong on 2023-06-24
- [1482045] Low CVE-2023-5859: Incorrect security UI in Picture In Picture. Reported by Junsung Lee on 2023-09-13
more... | chromium qt6-webengine ungoogled-chromium
more detail |
2023-11-02 | VuXML ID 4f370c80-79ce-11ee-be8e-589cfc0f81b0
phpmyfaq developers report:
XSS
Insufficient session expiration
more... | phpmyfaq-php80 phpmyfaq-php81 phpmyfaq-php82 phpmyfaq-php83
more detail |
2023-11-02 | VuXML ID fe7ac70a-792b-11ee-bf9a-a04a5edf46d9
Frank-Z7 reports:
Running optipng with the "-zm 3 -zc 1 -zw 256 -snip -out"
configuration options enabled raises a global-buffer-overflow bug,
which could allow a remote attacker to conduct a denial-of-service
attack or other unspecified effect on a crafted file.
more... | optipng
more detail |
2023-11-01 | VuXML ID a612c25f-788a-11ee-8d57-001b217b3468
Gitlab reports:
Disclosure of CI/CD variables using Custom project templates
GitLab omnibus DoS crash via OOM with CI Catalogs
Parsing gitlab-ci.yml with large string via timeout input leads to Denial of Service
DoS - Blocking FIFO files in Tar archives
Titles exposed by service-desk template
Approval on protected environments can be bypassed
Version information disclosure when super_sidebar_logged_out feature flag is enabled
Add abuse detection for search syntax filter pipes
more... | gitlab-ce
more detail |
2023-11-01 | VuXML ID d2505ec7-78ea-11ee-9131-6f01853956d5
VMware reports:
This update includes 2 security fixes:
- High CVE-2023-34058: SAML token signature bypass vulnerability
- High CVE-2023-34059: File descriptor hijack vulnerability in the vmware-user-suid-wrapper
more... | open-vm-tools open-vm-tools-nox11
more detail |
2023-10-27 | VuXML ID 386a14bb-1a21-41c6-a2cf-08d79213379b
Tim Wojtulewicz of Corelight reports:
A specially-crafted SSL packet could cause Zeek to
leak memory and potentially crash.
A specially-crafted series of FTP packets could cause
Zeek to log entries for requests that have already been
completed, using resources unnecessarily and potentially
causing Zeek to lose other traffic.
A specially-crafted series of SSL packets could cause
Zeek to output a very large number of unnecessary alerts
for the same record.
A specially-crafted series of SSL packets could cause
Zeek to generate very long ssl_history fields in the
ssl.log, potentially using a large amount of memory due
to unbounded state growth
A specially-crafted IEEE802.11 packet could cause
Zeek to overflow memory and potentially crash
more... | zeek
more detail |
2023-10-27 | VuXML ID db33e250-74f7-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 2 security fixes:
- [1491296] High CVE-2023-5472: Use after free in Profiles. Reported by @18楼梦想改造家 on 2023-10-10
more... | chromium ungoogled-chromium
more detail |
2023-10-25 | VuXML ID 9e2fdfc7-e237-4393-9fa5-2d50908c66b3
The X.Org project reports:
- ZDI-CAN-22153/CVE-2023-5367: X.Org server: OOB write
in XIChangeDeviceProperty/RRChangeOutputProperty
When prepending values to an existing property an
invalid offset calculation causes the existing values to
be appended at the wrong offset. The resulting memcpy()
would write into memory outside the heap-allocated
array.
- ZDI-CAN-21608/CVE-2023-5380: Use-after-free bug in
DestroyWindow
This vulnerability requires a legacy multi-screen setup
with multiple protocol screens ("Zaphod"). If the pointer
is warped from one screen to the root window of the other
screen, the enter/leave code may retain a reference to the
previous pointer window. Destroying this window leaves
that reference in place, other windows may then trigger a
use-after-free bug when they are destroyed.
more... | xephyr xorg-nestserver xorg-server xorg-vfbserver xwayland xwayland-devel
more detail |
2023-10-25 | VuXML ID a8fb8e3a-730d-11ee-ab61-b42e991fc52e
The squid-cache project reports:
- Denial of Service in FTP
- Request/Response smuggling in HTTP/1.1 and ICAP
- Denial of Service in HTTP Digest Authentication
more... | squid
more detail |
2023-10-24 | VuXML ID 4a4712ae-7299-11ee-85eb-84a93843eb75
The OpenSSL project reports:
Moderate severity: A bug has been identified in the processing
of key and initialisation vector (IV) lengths. This can lead to
potential truncation or overruns during the initialisation of
some symmetric ciphers.
more... | openssl openssl-quictls openssl31
more detail |
2023-10-23 | VuXML ID 22df5074-71cd-11ee-85eb-84a93843eb75
Oracle reports:
This Critical Patch Update contains 37 new security patches, plus
additional third party patches noted below, for Oracle MySQL. 9 of
these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without
requiring user credentials.
more... | mysql-connector-c++ mysql-connector-j mysql-connector-odbc mysql57-server mysql80-server
more detail |
2023-10-19 | VuXML ID 9000591b-483b-45ac-9c87-b3df3a4198ec
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-5218.
more... | electron25 electron26
more detail |
2023-10-19 | VuXML ID f923205f-6e66-11ee-85eb-84a93843eb75
The Apache httpd project reports:
- CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
memory not reclaimed right away on RST
- CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
initial windows size 0
- CVE-2023-31122: mod_macro buffer over-read
more... | apache24
more detail |
2023-10-18 | VuXML ID 1ee26d45-6ddb-11ee-9898-00e081b7aa2d
Jenkins Security Advisory:
Description
(High) SECURITY-3291 / CVE-2023-36478, CVE-2023-44487
HTTP/2 denial of service vulnerability in bundled Jetty
more... | jenkins jenkins-lts
more detail |
2023-10-18 | VuXML ID 8706e097-6db7-11ee-8744-080027f5fec9
Redis core team reports:
The wrong order of listen(2) and chmod(2) calls creates a
race condition that can be used by another process to
bypass desired Unix socket permissions on startup.
more... | redis redis-devel redis62 redis70
more detail |
2023-10-18 | VuXML ID d2ad7647-6dd9-11ee-85eb-84a93843eb75
The Roundcube project reports:
cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages
more... | roundcube
more detail |
2023-10-18 | VuXML ID e14b9870-62a4-11ee-897b-000bab9f87f1
Request Tracker reports:
CVE-2023-41259 SECURITY: RT is vulnerable to unvalidated email headers in incoming email and the mail-gateway REST interface.
CVE-2023-41260 SECURITY: RT is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST interface.
CVE-2023-45024 SECURITY: RT 5.0 is vulnerable to information leakage via transaction searches made by authenticated users in the transaction query builder.
more... | rt44 rt50
more detail |
2023-10-16 | VuXML ID f8c2f741-6be1-11ee-b33a-a04a5edf46d9
The moonlight-embedded project reports:
Moonlight Embedded v2.6.1 fixed CVE-2023-42799, CVE-2023-42800,
and CVE-2023-42801.
more... | moonlight-embedded
more detail |
2023-10-14 | VuXML ID 7a1b2624-6a89-11ee-af06-5404a68ad561
The traefik authors report:
There is a vulnerability in GO managing HTTP/2 requests, which
impacts Traefik. This vulnerability could be exploited to cause
a denial of service.
more... | traefik
more detail |
2023-10-14 | VuXML ID ae0ee356-6ae1-11ee-bfb6-8c164567ca3c
The libcue team reports:
There is a vulnerability to out-of-bounds array access.
more... | libcue
more detail |
2023-10-12 | VuXML ID 199cdb4d-690d-11ee-9ed0-001fc69cd6dc
The X.Org project reports:
- CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer
- An out-of-bounds read is located in ParseComment() when reading from
a memory buffer instead of a file, as it continued to look for the
closing comment marker past the end of the buffer.
- CVE-2023-43789: Out of bounds read on XPM with corrupted colormap
- A corrupted colormap section may cause libXpm to read out of bounds.
more... | libXpm
more detail |
2023-10-12 | VuXML ID 4281b712-ad6b-4c21-8f66-619a9150691f
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-5187.
more... | electron25
more detail |
2023-10-12 | VuXML ID bd92f1ab-690c-11ee-9ed0-001fc69cd6dc
The X.Org project reports:
- CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
- When libX11 is processing the reply from the X server to the XkbGetMap
request, if it detected the number of symbols in the new map was less
than the size of the buffer it had allocated, it always added room for
128 more symbols, instead of the actual size needed. While the
_XkbReadBufferCopyKeySyms() helper function returned an error if asked
to copy more keysyms into the buffer than there was space allocated for,
the caller never checked for an error and assumed the full set of keysyms
was copied into the buffer and could then try to read out of bounds when
accessing the buffer. libX11 1.8.7 has been patched to both fix the size
allocated and check for error returns from _XkbReadBufferCopyKeySyms().
- CVE-2023-43786: stack exhaustion in XPutImage
- When splitting a single line of pixels into chunks that fit in a single
request (not using the BIG-REQUESTS extension) to send to the X server,
the code did not take into account the number of bits per pixel, so would
just loop forever finding it needed to send more pixels than fit in the
given request size and not breaking them down into a small enough chunk to
fit. An XPM file was provided that triggered this bug when loaded via
libXpm's XpmReadFileToPixmap() function, which in turn calls XPutImage()
and hit this bug.
- CVE-2023-43787: integer overflow in XCreateImage() leading to a heap overflow
- When creating an image, there was no validation that the multiplication
of the caller-provided width by the visual's bits_per_pixel did not
overflow and thus result in the allocation of a buffer too small to hold
the data that would be copied into it. An XPM file was provided that
triggered this bug when loaded via libXpm's XpmReadFileToPixmap() function,
which in turn calls XCreateImage() and hit this bug.
more... | libX11
more detail |
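Two of the libX11 issues above are pure arithmetic: CVE-2023-43787 is an unchecked width times bits-per-pixel product used to size an allocation, and CVE-2023-43786 is a chunking loop that never made progress because it ignored bits per pixel when deciding how many pixels fit in one request. The following is an added example, not libX11 code; it uses 32-bit unsigned arithmetic to mirror the int math in the original, and the request size passed to `row_chunks` is a constructed parameter, not the X server's limit.

```c
/* Added example (not libX11 code): the two arithmetic checks the
 * libX11 advisory describes, written so that overflow and lack of
 * progress are reported rather than silently producing a short buffer
 * or an endless loop. */
#include <stdint.h>
#include <stddef.h>

/* Bytes needed for a width x height image at bpp bits per pixel, with
 * each row padded to whole bytes. Returns 0 and stores the size in *out,
 * or -1 if any intermediate product would exceed uint32_t (the
 * CVE-2023-43787 condition: width * bits_per_pixel unchecked). */
int image_bytes(uint32_t width, uint32_t height, uint32_t bpp, uint32_t *out)
{
    if (bpp == 0 || width == 0 || height == 0) return -1;
    if (width > (UINT32_MAX - 7) / bpp) return -1;   /* width*bpp + 7 would overflow */
    uint32_t row_bytes = (width * bpp + 7) / 8;
    if (row_bytes > UINT32_MAX / height) return -1;  /* row_bytes*height would overflow */
    *out = row_bytes * height;
    return 0;
}

/* Number of requests needed to send one row of 'pixels' pixels when a
 * request carries at most max_bytes of pixel data. The per-request pixel
 * count is derived from bpp; if not even one pixel fits, a loop that
 * keeps trying would never terminate (the CVE-2023-43786 shape), so -1
 * is returned instead. */
int64_t row_chunks(uint32_t pixels, uint32_t max_bytes, uint32_t bpp)
{
    if (bpp == 0 || pixels == 0) return -1;
    uint64_t per_chunk = ((uint64_t)max_bytes * 8) / bpp;  /* pixels per request */
    if (per_chunk == 0) return -1;                          /* no progress possible */
    if (per_chunk > pixels) per_chunk = pixels;
    return (int64_t)((pixels + per_chunk - 1) / per_chunk);
}
```

The same two patterns (multiply-then-allocate, and a split loop whose step can be zero) are worth grepping for in any image or wire-format code; the fix is always to compute the bound in the same units the copy uses and to fail when the step is zero.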
2023-10-11 | VuXML ID 040e69f1-6831-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI (Gestionnaire Libre de Parc Informatique) is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. A logged
user from any profile can hijack the Kanban feature to alter any
user field, and end-up with stealing its account. Users are advised
to upgrade to version 10.0.10. There are no known workarounds for
this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID 07ee8c14-68f1-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 20 security fixes:
- [1487110] Critical CVE-2023-5218: Use after free in Site Isolation. Reported by @18楼梦想改造家 on 2023-09-27
- [1062251] Medium CVE-2023-5487: Inappropriate implementation in Fullscreen. Reported by Anonymous on 2020-03-17
- [1414936] Medium CVE-2023-5484: Inappropriate implementation in Navigation. Reported by Thomas Orlita on 2023-02-11
- [1476952] Medium CVE-2023-5475: Inappropriate implementation in DevTools. Reported by Axel Chong on 2023-08-30
- [1425355] Medium CVE-2023-5483: Inappropriate implementation in Intents. Reported by Axel Chong on 2023-03-17
- [1458934] Medium CVE-2023-5481: Inappropriate implementation in Downloads. Reported by Om Apip on 2023-06-28
- [1474253] Medium CVE-2023-5476: Use after free in Blink History. Reported by Yunqin Sun on 2023-08-20
- [1483194] Medium CVE-2023-5474: Heap buffer overflow in PDF. Reported by [pwn2car] on 2023-09-15
- [1471253] Medium CVE-2023-5479: Inappropriate implementation in Extensions API. Reported by Axel Chong on 2023-08-09
- [1395164] Low CVE-2023-5485: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2022-12-02
- [1472404] Low CVE-2023-5478: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-08-12
- [1472558] Low CVE-2023-5477: Inappropriate implementation in Installer. Reported by Bahaa Naamneh of Crosspoint Labs on 2023-08-13
- [1357442] Low CVE-2023-5486: Inappropriate implementation in Input. Reported by Hafiizh on 2022-08-29
- [1484000] Low CVE-2023-5473: Use after free in Cast. Reported by DarkNavy on 2023-09-18
more... | chromium qt6-webengine ungoogled-chromium
more detail |
2023-10-11 | VuXML ID 10e86b16-6836-11ee-b06f-0050569ceb3a
From the GLPI 10.0.10 Changelog:
You will find below security issues fixed in this bugfixes version:
[SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).
The mentioned CVE is invalid
more... | glpi
more detail |
2023-10-11 | VuXML ID 1fe40200-6823-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a free asset and IT management software package. Versions
of the software starting with 9.2.0 and prior to 10.0.8 have an
incorrect rights check on a file accessible by an authenticated
user, which allows access to view all KnowbaseItems. Version 10.0.8
has a patch for this issue.
more... | glpi
more detail |
2023-10-11 | VuXML ID 20302cbc-6834-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI (Gestionnaire Libre de Parc Informatique) is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. An
unauthenticated user can enumerate users logins. Users are advised
to upgrade to version 10.0.10. There are no known workarounds for
this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID 257e1bf0-682f-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a Free Asset and IT Management Software package, Data center
management, ITIL Service Desk, licenses tracking and software
auditing. An administrator can trigger SQL injection via dashboards
administration. This vulnerability has been patched in version
10.0.9.
more... | glpi
more detail |
2023-10-11 | VuXML ID 40173815-6827-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a free asset and IT management software package. Versions
of the software starting with 0.68 and prior to 10.0.8 have an
incorrect rights check on a file accessible by an authenticated
user. This allows access to the list of all users and their personal
information. Users should upgrade to version 10.0.8 to receive a
patch.
more... | glpi
more detail |
2023-10-11 | VuXML ID 548a4163-6821-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a free asset and IT management software package. Starting
in version 0.80 and prior to version 10.0.8, Computer Virtual Machine
form and GLPI inventory request can be used to perform a SQL injection
attack. Version 10.0.8 has a patch for this issue. As a workaround,
one may disable native inventory.
more... | glpi
more detail |
2023-10-11 | VuXML ID 54e5573a-6834-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI (Gestionnaire Libre de Parc Informatique) is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. The lack
of path filtering on the GLPI URL may allow an attacker to transmit
a malicious URL of login page that can be used to attempt a phishing
attack on user credentials. Users are advised to upgrade to version
10.0.10. There are no known workarounds for this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID 6851f3bb-6833-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI (Gestionnaire Libre de Parc Informatique) is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. An API
user can enumerate sensitive fields values on resources on which
he has read access. Users are advised to upgrade to version 10.0.10.
There are no known workarounds for this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID 6f6518ab-6830-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI (Gestionnaire Libre de Parc Informatique) is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. UI layout
preferences management can be hijacked to lead to SQL injection.
This injection can be used to take over an administrator account.
Users are advised to upgrade to version 10.0.10. There are no known
workarounds for this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID 717efd8a-6821-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a free asset and IT management software package. Starting
in version 9.5.0 and prior to version 10.0.8, an incorrect rights
check on a file accessible by an authenticated user (or not
for certain actions), allows a threat actor to interact, modify,
or see Dashboard data. Version 10.0.8 contains a patch for this
issue.
more... | glpi
more detail |
2023-10-11 | VuXML ID 894f2491-6834-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI (Gestionnaire Libre de Parc Informatique) is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. The ITIL
actors input field from the Ticket form can be used to perform a
SQL injection. Users are advised to upgrade to version 10.0.10.
There are no known workarounds for this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID 95c4ec45-6831-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI (Gestionnaire Libre de Parc Informatique) is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. An API
user that has read access on the users resource can steal accounts of
other users. Users are advised to upgrade to version 10.0.10.
There are no known workarounds for this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID 95fde6bc-6821-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a free asset and IT management software package. Starting
in version 9.5.0 and prior to version 10.0.8, an incorrect rights
check on a file allows an unauthenticated user to be able to access
dashboards data. Version 10.0.8 contains a patch for this issue.
more... | glpi
more detail |
2023-10-11 | VuXML ID ae8b1445-6833-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI (Gestionnaire Libre de Parc Informatique) is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. A user
with write access to another user can make requests to change the
latter's password and then take control of their account.
Users are advised to upgrade to version 10.0.10. There are no known
workarounds for this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID b14a6ddc-6821-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a free asset and IT management software package. Starting
in version 9.4.0 and prior to version 10.0.8, a malicious link can
be crafted by an unauthenticated user that can exploit a reflected
XSS in case any authenticated user opens the crafted link. Users
should upgrade to version 10.0.8 to receive a patch.
more... | glpi
more detail |
2023-10-11* | VuXML ID d6c19e8c-6806-11ee-9464-b42e991fc52e
The curl team reports:
This flaw makes curl overflow a heap based buffer in the
SOCKS5 proxy handshake. When curl is asked to pass along
the hostname to the SOCKS5 proxy to allow that to resolve
the address instead of it getting done by curl itself, the
maximum length that hostname can be is 255 bytes. If the
hostname is detected to be longer than 255 bytes, curl
switches to local name resolving and instead passes on the
resolved address only to the proxy. Due to a bug, the
local variable that means "let the host resolve the name"
could get the wrong value during a slow SOCKS5 handshake,
and contrary to the intention, copy the too long hostname
to the target buffer instead of copying just the resolved
address there.
more... | cmake-core curl
more detail |
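The curl advisory above hinges on a decision ("is this name short enough to hand to the proxy?") being made once, stored in a local flag, and then trusted at copy time after the flag had been clobbered during a multi-step handshake. The following is an added example, not curl code: it builds the SOCKS5 CONNECT request from RFC 1928 and enforces the 255-byte limit of the domain-name form inside the function that performs the copy, so a stale decision cannot reach memcpy with an oversized name. The fallback IPv4 address is supplied by the caller (no DNS is done), and the `demo_atyp_for_name_len` probe with its TEST-NET address is constructed for illustration.

```c
/* Added example (not curl code): SOCKS5 CONNECT request construction
 * with the domain-name length limit checked where the bytes are
 * written, not only in an earlier state-machine decision. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SOCKS5_MAX_NAME 255   /* ATYP 0x03 carries a one-byte name length */

/* ATYP 0x03 form: VER CMD RSV ATYP LEN NAME... PORT(2).
 * Returns the request length, or -1 if the name does not fit the
 * one-byte length field or the output buffer. */
int socks5_connect_domain(uint8_t *out, size_t outlen, const char *name, uint16_t port)
{
    size_t n = strlen(name);
    if (n == 0 || n > SOCKS5_MAX_NAME) return -1;
    size_t need = 4 + 1 + n + 2;
    if (need > outlen) return -1;
    out[0] = 0x05; out[1] = 0x01; out[2] = 0x00; out[3] = 0x03;
    out[4] = (uint8_t)n;
    memcpy(out + 5, name, n);
    out[5 + n] = (uint8_t)(port >> 8);
    out[6 + n] = (uint8_t)(port & 0xff);
    return (int)need;
}

/* ATYP 0x01 form: fixed 10-byte request carrying an IPv4 address. */
int socks5_connect_ipv4(uint8_t *out, size_t outlen, const uint8_t addr[4], uint16_t port)
{
    if (outlen < 10) return -1;
    out[0] = 0x05; out[1] = 0x01; out[2] = 0x00; out[3] = 0x01;
    memcpy(out + 4, addr, 4);
    out[8] = (uint8_t)(port >> 8);
    out[9] = (uint8_t)(port & 0xff);
    return 10;
}

/* Chooses the target form. A name longer than 255 bytes is never copied
 * into the request; if no locally resolved address is available for the
 * fallback, the request fails. Because socks5_connect_domain re-checks
 * the length itself, a wrong "let the proxy resolve" decision here could
 * at worst fail the request, never overflow the buffer. */
int socks5_connect(uint8_t *out, size_t outlen, const char *name,
                   const uint8_t *resolved_ipv4, uint16_t port)
{
    if (strlen(name) <= SOCKS5_MAX_NAME)
        return socks5_connect_domain(out, outlen, name, port);
    if (resolved_ipv4 == NULL) return -1;
    return socks5_connect_ipv4(out, outlen, resolved_ipv4, port);
}

/* Constructed probe: a name of 'len' 'a' characters; returns the ATYP
 * byte of the request that would be sent, or -1. */
int demo_atyp_for_name_len(size_t len)
{
    char name[600];
    uint8_t out[600];
    const uint8_t placeholder[4] = { 192, 0, 2, 1 };   /* TEST-NET-1, constructed */
    if (len >= sizeof name) return -1;
    memset(name, 'a', len);
    name[len] = '\0';
    if (socks5_connect(out, sizeof out, name, placeholder, 443) < 0) return -1;
    return out[3];
}
```

The general rule this illustrates: a bounds decision that lives in a variable across an asynchronous or resumable state machine is a liability; the function that writes into the fixed-size buffer must derive the bound from the data it is copying.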
2023-10-11 | VuXML ID df71f5aa-6831-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI (Gestionnaire Libre de Parc Informatique) is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. The document
upload process can be diverted to delete some files. Users are
advised to upgrade to version 10.0.10. There are no known workarounds
for this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID e44e5ace-6820-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a free asset and IT management software package. Starting
in version 10.0.0 and prior to version 10.0.8, GLPI inventory
endpoint can be used to drive a SQL injection attack. By default,
GLPI inventory endpoint requires no authentication. Version 10.0.8
has a patch for this issue. As a workaround, one may disable native
inventory.
more... | glpi
more detail |
2023-10-10 | VuXML ID bf545001-b96d-42e4-9d2e-60fdee204a43
Kazuo Okuhu reports:
H2O is vulnerable to the HTTP/2 Rapid Reset attack.
An attacker might be able to consume more than adequate amount of
processing power of h2o and the backend servers by mounting the
attack.
more... | h2o h2o-devel
more detail |
2023-10-05 | VuXML ID 4f254817-6318-11ee-b2ff-080027de9982
Django reports:
CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator.
more... | py310-django32 py310-django41 py310-django42 py311-django32 py311-django41 py311-django42 py39-django32 py39-django41 py39-django42
more detail |
2023-10-04 | VuXML ID 162a675b-6251-11ee-8e38-002590c1f29c
Problem Description:
On CPU 0 the check for the SMCCC workaround is called before
SMCCC support has been initialized.
Impact:
No speculative execution workarounds are installed on CPU 0.
more... | FreeBSD-kernel
more detail |
2023-10-04 | VuXML ID 4e45c45b-629e-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [1485829] High CVE-2023-5346: Type Confusion in V8. Reported by Amit Kumar on 2023-09-22
more... | chromium ungoogled-chromium
more detail |
2023-10-04 | VuXML ID 915855ad-283d-4597-b01e-e0bf611db78b
Trendmicro ZDI reports:
Integer Underflow Remote Code Execution Vulnerability
The specific flaw exists within the parsing of SPF macros.
When parsing SPF macros, the process does not properly
validate user-supplied data, which can result in an integer
underflow before writing to memory. An attacker can leverage
this vulnerability to execute code in the context of the
service account.
more... | libspf2
more detail |
2023-10-04 | VuXML ID e261e71c-6250-11ee-8e38-002590c1f29c
Problem Description:
The syscall checked only for the CAP_READ and CAP_WRITE
capabilities on the input and output file descriptors, respectively.
Using an offset is logically equivalent to seeking, and the syscall
must additionally require the CAP_SEEK capability.
Impact:
A sandboxed process with only read or write but no seek capability
on a file descriptor may be able to read data from or write data
to an arbitrary location within the file corresponding to that file
descriptor.
more... | FreeBSD-kernel
more detail |
2023-10-04 | VuXML ID fefcd340-624f-11ee-8e38-002590c1f29c
Problem Description:
In certain cases using the truncate or ftruncate system call
to extend a file size populates the additional space in the file
with unallocated data from the underlying disk device, rather than
zero bytes.
Impact:
A user with write access to files on a msdosfs file system may
be able to read unintended data (for example, from a previously
deleted file).
more... | FreeBSD-kernel
more detail |
2023-10-02 | VuXML ID e59fed96-60da-11ee-9102-000c29de725b
MediaWiki reports:
(T264765, CVE-2023-PENDING) SECURITY: Users without correct permission
are incorrectly shown MediaWiki:Missing-revision-permission.
(T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for
self-redirects with variants conversion.
(T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped
messages leading to potential XSS.
(T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page
message is assumed to yield a valid title.
(T340221, CVE-2023-PENDING) SECURITY: XSS via
'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
(T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X
intermediate revisions by the same user not shown") ignores username
suppression.
(T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML
file to Special:Upload (non-standard configuration).
more... | mediawiki135 mediawiki139 mediawiki140
more detail |
2023-09-30* | VuXML ID 2bcd6ba4-d8e2-42e5-9033-b50b722821fb
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-5217.
more... | electron22 electron24 electron25 libvpx
more detail |
2023-09-30* | VuXML ID 33922b84-5f09-11ee-b63d-0897988a1c07
Composer project reports:
Description: Users publishing a composer.phar to a
public web-accessible server where the composer.phar can
be executed as a php file may be impacted if PHP also has
register_argc_argv enabled in php.ini.
Workaround: Make sure register_argc_argv is disabled
in php.ini, and avoid publishing composer.phar to the web
as this really should not happen.
more... | php80-composer php80-composer2 php81-composer php81-composer2 php82-composer php82-composer2 php83-composer php83-composer2
more detail |
2023-09-29 | VuXML ID 6d9c6aae-5eb1-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 10 security fixes:
- [1486441] High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-09-25
- [1478889] High CVE-2023-5186: Use after free in Passwords. Reported by [pwn2car] on 2023-09-05
- [1475798] High CVE-2023-5187: Use after free in Extensions. Reported by Thomas Orlita on 2023-08-25
more... | chromium qt6-webengine ungoogled-chromium
more detail |
2023-09-29 | VuXML ID 6e0ebb4a-5e75-11ee-a365-001b217b3468
Attacker can add other projects policy bot as member to their own project and use that bot to trigger pipelines in victims project
Group import allows impersonation of users in CI pipelines
Developers can bypass code owners approval by changing a MR's base branch
Leaking source code of restricted project through a fork
Third party library Consul requires enable-script-checks to be False to enable patch
Service account not deleted when namespace is deleted allowing access to internal projects
Enforce SSO settings bypassed for public projects for Members without identity
Removed project member can write to protected branches
Unauthorised association of CI jobs for Machine Learning experiments
Force pipelines to not have access to protected variables and will likely fail using tags
Maintainer can create a fork relationship between existing projects
Disclosure of masked CI variables via processing CI/CD configuration of forks
Asset Proxy Bypass using non-ASCII character in asset URI
Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches
Removed Developer can continue editing the source code of a public project
A project reporter can leak owner's Sentry instance projects
Math rendering in markdown can escape container and hijack clicks
more... | gitlab-ce
more detail |
2023-09-27 | VuXML ID af065e47-5d62-11ee-bbae-1c61b4739ac9
xrdp team reports:
Access to the font glyphs in xrdp_painter.c is not bounds-checked.
Since some of this data is controllable by the user, this can result
in an out-of-bounds read within the xrdp executable. The vulnerability
allows an out-of-bounds read within a potentially privileged process.
On non-Debian platforms, xrdp tends to run as root. Potentially an
out-of-bounds write can follow the out-of-bounds read. There is no
denial-of-service impact, providing xrdp is running in forking mode. This
issue has been addressed in release 0.9.23.1. Users are advised to upgrade.
There are no known workarounds for this vulnerability.
more... | xrdp
more detail |
2023-09-27 | VuXML ID c9ff1150-5d63-11ee-bbae-1c61b4739ac9
xrdp team reports:
In versions prior to 0.9.23 improper handling of session establishment
errors allows bypassing OS-level session restrictions. The `auth_start_session`
function can return non-zero (1) value on, e.g., PAM error which may result
in session restrictions such as max concurrent sessions per user by PAM
(e.g. /etc/security/limits.conf) to be bypassed. Users (administrators) who don't
use restrictions by PAM are not affected. This issue has been addressed in
release version 0.9.23. Users are advised to upgrade. There are no known
workarounds for this issue.
more... | xrdp
more detail |
2023-09-27 | VuXML ID ea9d1fd2-5d24-11ee-8507-b42e991fc52e
sep@nlnetlabs.nl reports:
NLnet Labs Routinator 0.9.0 up to and including 0.12.1 contains a
possible path traversal vulnerability in the optional, off-by-default
keep-rrdp-responses feature that allows users to store the content
of responses received for RRDP requests. The location of these
stored responses is constructed from the URL of the request. Due
to insufficient sanitation of the URL, it is possible for an attacker
to craft a URL that results in the response being stored outside
of the directory specified for it.
more... | routinator
more detail |
2023-09-25 | VuXML ID 402fccd0-5b6d-11ee-9898-00e081b7aa2d
Jenkins Security Advisory:
Description
(Medium) SECURITY-3261 / CVE-2023-43494
Builds can be filtered by values of sensitive build variables
(High) SECURITY-3245 / CVE-2023-43495
Stored XSS vulnerability
(High) SECURITY-3072 / CVE-2023-43496
Temporary plugin file created with insecure permissions
(Low) SECURITY-3073 / CVE-2023-43497 (Stapler), CVE-2023-43498 (MultipartFormDataParser)
Temporary uploaded file created with insecure permissions
more... | jenkins jenkins-lts
more detail |
2023-09-23 | VuXML ID 732282a5-5a10-11ee-bca0-001999f8d30b
Mailpit author reports:
Update Go modules to address CVE-2023-42821 (go markdown module DoS).
more... | mailpit
more detail |
2023-09-21 | VuXML ID 4fd7a2fc-5860-11ee-a1b3-dca632daf43b
Google Chrome reports:
Heap buffer overflow in WebP ... allowed a remote attacker to perform an out of bounds memory write ...
more... | webp
more detail |
2023-09-20 | VuXML ID 58a738d4-57af-11ee-8c58-b42e991fc52e
chrome-cve-admin@google.com reports:
Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187
allowed a remote attacker to perform an out of bounds memory write
via a crafted HTML page. (Chromium security severity: Critical)
The Tor browser is based on Firefox and GeckoView and also uses
libwebp, so it is affected by this bug.
more... | tor-browser
more detail |
2023-09-19 | VuXML ID 32a4896a-56da-11ee-9186-001b217b3468
Gitlab reports:
Attacker can abuse scan execution policies to run pipelines as another user
more... | gitlab-ce
more detail |
2023-09-16 | VuXML ID 11982747-544c-11ee-ac3e-a04a5edf46d9
NLnet Labs report:
This release fixes two issues in Routinator that can be exploited
remotely by rogue RPKI CAs and repositories. We therefore advise all
users of Routinator to upgrade to this release at their earliest
convenience.
The first issue, CVE-2022-39915, can lead to Routinator crashing
when trying to decode certain illegal RPKI objects.
The second issue, CVE-2022-39916, only affects users that have the
rrdp-keep-responses option enabled which allows storing all received
RRDP responses on disk. Because the file name for these responses is
derived from the URI and the path wasn't checked properly, a RRDP URI
could be constructed that results in the response stored outside the
directory, possibly overwriting existing files.
more... | routinator
more detail |
2023-09-16 | VuXML ID b5508c08-547a-11ee-85eb-84a93843eb75
The Roundcube webmail project reports:
cross-site scripting (XSS) vulnerability in handling of
linkrefs in plain text messages
more... | roundcube
more detail |
2023-09-13 | VuXML ID 3693eca5-f0d3-453c-9558-2353150495bb
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4572.
- Security: backported fix for CVE-2023-4762.
- Security: backported fix for CVE-2023-4863.
more... | electron22
more detail |
2023-09-13 | VuXML ID 4bc66a81-89d2-4696-a04b-defd2eb77783
VSCode developers report:
Visual Studio Code Remote Code Execution Vulnerability
A remote code execution vulnerability exists in VS Code 1.82.0 and earlier versions where working in a maliciously crafted package.json can result in executing commands locally. This scenario would require the attacker to get the VS Code user to open the malicious project and to open and work with malformed entries in the dependencies section of the package.json file.
VS Code uses the locally installed npm command to fetch information on package dependencies. A package dependency can be named in such a way that the npm tool runs a script instead.
more... | vscode
more detail |
2023-09-13 | VuXML ID 773ce35b-eabb-47e0-98ca-669b2b98107a
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4763.
- Security: backported fix for CVE-2023-4762.
- Security: backported fix for CVE-2023-4761.
- Security: backported fix for CVE-2023-4863.
more... | electron24 electron25
more detail |
2023-09-13 | VuXML ID 833b469b-5247-11ee-9667-080027f5fec9
selmelc on hackerone reports:
When curl retrieves an HTTP response, it stores the
incoming headers so that they can be accessed later via
the libcurl headers API.
However, curl did not have a limit in how many or how
large headers it would accept in a response, allowing a
malicious server to stream an endless series of headers
and eventually cause curl to run out of heap memory.
more... | curl
more detail |
2023-09-13 | VuXML ID 88754d55-521a-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 16 security fixes:
- [1479274] Critical CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School on 2023-09-06
- [1430867] Medium CVE-2023-4900: Inappropriate implementation in Custom Tabs. Reported by Levit Nudi from Kenya on 2023-04-06
- [1459281] Medium CVE-2023-4901: Inappropriate implementation in Prompts. Reported by Kang Ali on 2023-06-29
- [1454515] Medium CVE-2023-4902: Inappropriate implementation in Input. Reported by Axel Chong on 2023-06-14
- [1446709] Medium CVE-2023-4903: Inappropriate implementation in Custom Mobile Tabs. Reported by Ahmed ElMasry on 2023-05-18
- [1453501] Medium CVE-2023-4904: Insufficient policy enforcement in Downloads. Reported by Tudor Enache @tudorhacks on 2023-06-09
- [1441228] Medium CVE-2023-4905: Inappropriate implementation in Prompts. Reported by Hafiizh on 2023-04-29
- [1449874] Low CVE-2023-4906: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2023-05-30
- [1462104] Low CVE-2023-4907: Inappropriate implementation in Intents. Reported by Mohit Raj (shadow2639) on 2023-07-04
- [1451543] Low CVE-2023-4908: Inappropriate implementation in Picture in Picture. Reported by Axel Chong on 2023-06-06
- [1463293] Low CVE-2023-4909: Inappropriate implementation in Interstitials. Reported by Axel Chong on 2023-07-09
more... | chromium ungoogled-chromium
more detail |
2023-09-12 | VuXML ID 8eefa87f-31f1-496d-bf8e-2b465b6e4e8a
Tim Wojtulewicz of Corelight reports:
File extraction limits were not correctly enforced
for files containing large amounts of missing bytes.
Sessions are sometimes not cleaned up completely
within Zeek during shutdown, potentially causing a crash
when using the -B dpd flag for debug logging.
A specially-crafted HTTP packet can cause Zeek's
filename extraction code to take a long time to process
the data.
A specially-crafted series of FTP packets made up of
a CWD request followed by a large amount of ERPT requests
may cause Zeek to spend a long time logging the commands.
A specially-crafted VLAN packet can cause Zeek to
overflow memory and potentially crash.
more... | zeek
more detail |
2023-09-10 | VuXML ID 4061a4b2-4fb1-11ee-acc7-0151f07bc899
The Gitea team reports:
check blocklist for emails when adding them to account
more... | gitea
more detail |
2023-09-10 | VuXML ID 482bb980-99a3-11ee-b5f7-6bd56600d90c
The Gitea team reports:
Fix missing check
Do some missing checks
By crafting an API request, attackers can access the contents of
issues even though the logged-in user does not have access rights to
these issues.
more... | gitea
more detail |
2023-09-07 | VuXML ID 6c72b13f-4d1d-11ee-a7f1-080027f5fec9
yangbodong22011 reports:
Redis does not correctly identify keys accessed by SORT_RO
and, as a result, may grant users executing this command
access to keys that are not explicitly authorized by the
ACL configuration.
more... | redis redis-devel redis70
more detail |
2023-09-07 | VuXML ID 924cb116-4d35-11ee-8e38-002590c1f29c
Problem Description:
The net80211 subsystem would fallback to the multicast key for unicast
traffic in the event the unicast key was removed. This would result in
buffered unicast traffic being exposed to any stations with access to the
multicast key.
Impact:
As described in the "Framing Frames: Bypassing Wi-Fi Encryption by
Manipulating Transmit Queues" paper, an attacker can induce an access point
to buffer frames for a client, deauthenticate the client (causing the unicast
key to be removed from the access point), and subsequent flushing of the
buffered frames now encrypted with the multicast key. This would give the
attacker access to the data.
more... | FreeBSD-kernel
more detail |
2023-09-07 | VuXML ID a57472ba-4d84-11ee-bf05-000c29de725b
Python reports:
gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable
to a bypass of the TLS handshake and included protections (like certificate
verification) and treating sent unencrypted data as if it were post-handshake
TLS encrypted data.
more... | python310 python311 python38 python39
more detail |
2023-09-07 | VuXML ID beb36f39-4d74-11ee-985e-bff341e78d94
The Go project reports:
cmd/go: go.mod toolchain directive allows arbitrary
execution
The go.mod toolchain directive, introduced in Go 1.21,
could be leveraged to execute scripts and binaries
relative to the root of the module when the "go" command
was executed within the module. This applies to modules
downloaded using the "go" command from the module proxy,
as well as modules downloaded directly using VCS software.
html/template: improper handling of HTML-like comments
within script contexts
The html/template package did not properly handle
HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment
tokens, in script contexts.
crypto/tls: panic when processing post-handshake message
on QUIC connections
Processing an incomplete post-handshake message for a QUIC
connection caused a panic.
more... | go120 go121
more detail |
2023-09-07 | VuXML ID d35373ae-4d34-11ee-8e38-002590c1f29c
Problem Description:
With a 'scrub fragment reassemble' rule, a packet containing multiple IPv6
fragment headers would be reassembled, and then immediately processed. That
is, a packet with multiple fragment extension headers would not be recognized
as the correct ultimate payload. Instead a packet with multiple IPv6 fragment
headers would unexpectedly be interpreted as a fragmented packet, rather than
as whatever the real payload is.
Impact:
IPv6 fragments may bypass firewall rules written on the assumption all
fragments have been reassembled and, as a result, be forwarded or processed
by the host.
more... | FreeBSD-kernel
more detail |
2023-09-06 | VuXML ID df0a2fd1-4c92-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [1476403] High CVE-2023-4761: Out of bounds memory access in FedCM. Reported by DarkNavy on 2023-08-28
- [1473247] High CVE-2023-4762: Type Confusion in V8. Reported by Rong Jian of VRI on 2023-08-16
- [1469928] High CVE-2023-4763: Use after free in Networks. Reported by anonymous on 2023-08-03
- [1447237] High CVE-2023-4764: Incorrect security UI in BFCache. Reported by Irvan Kurniawan (sourc7) on 2023-05-20
more... | chromium ungoogled-chromium
more detail |
2023-09-04 | VuXML ID 8fd4f40a-4b7d-11ee-aa2a-080027de9982
Django reports:
CVE-2023-41164: Potential denial of service vulnerability in
django.utils.encoding.uri_to_iri().
more... | py310-django32 py310-django41 py310-django42 py311-django32 py311-django41 py311-django42 py38-django32 py38-django41 py38-django42 py39-django32 py39-django41 py39-django42
more detail |
2023-09-01 | VuXML ID aaea7b7c-4887-11ee-b164-001b217b3468
Gitlab reports:
Privilege escalation of "external user" to internal access through group service account
Maintainer can leak sentry token by changing the configured URL (fix bypass)
Google Cloud Logging private key showed in plain text in GitLab UI leaking to other group owners
Information disclosure via project import endpoint
Developer can leak DAST scanners "Site Profile" request headers and auth password
Project forking outside current group
User is capable of creating Model experiment and updating existing run's status in public project
ReDoS in bulk import API
Pagination for Branches and Tags can be skipped leading to DoS
Internal Open Redirection Due to Improper handling of "../" characters
Subgroup Member With Reporter Role Can Edit Group Labels
Banned user can delete package registries
more... | gitlab-ce
more detail |
2023-08-31 | VuXML ID 06492bd5-085a-4cc0-9743-e30164bdcb1c
Snyk reports:
This affects all versions of package Flask-Security.
When using the `get_post_logout_redirect` and `get_post_login_redirect` functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as `\\\evil.com/path`.
This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using `autocorrect_location_header=False`.
**Note:** Flask-Security is not maintained anymore.
more... | py310-flask-security py311-flask-security py37-flask-security py38-flask-security py39-flask-security
more detail |
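The bypass above comes down to the URL parser and the browser disagreeing about where the host begins: Python's urlsplit() sees no netloc in a target of three backslashes followed by evil.com/path, while a browser folds backslashes into forward slashes and lands on evil.com. The following is an added example, not Flask-Security's or Werkzeug's code; `naive_is_safe`, `is_safe_redirect` and the host `example.com` are constructed for illustration.

```python
from urllib.parse import urlsplit


def naive_is_safe(target: str, host: str) -> bool:
    """The kind of check the advisory describes as bypassable: trust whatever
    urlsplit() reports as the host. For a target of backslashes followed by
    evil.com/path, netloc is empty, so the URL is accepted as a local path."""
    parts = urlsplit(target)
    return not parts.netloc or parts.netloc.lower() == host.lower()


def is_safe_redirect(target: str, host: str) -> bool:
    """Hypothetical hardened check: allow only host-relative paths or http(s)
    URLs on `host`. Backslashes are folded into slashes before parsing so the
    check sees the URL the way a browser will; control characters and
    whitespace, which browsers strip, are removed so they cannot hide a
    scheme or host from the parser."""
    if not target:
        return False
    cleaned = "".join(ch for ch in target if ch > " ")
    normalised = cleaned.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc:
        # Compare the whole authority (userinfo and port included) so that
        # "http://example.com@evil.com/" cannot pass as example.com.
        return parts.netloc.lower() == host.lower()
    # No authority: accept a single-slash path, reject protocol-relative "//".
    return normalised.startswith("/") and not normalised.startswith("//")
```

One caveat for anyone relying on the "only exploitable if Werkzeug's default is changed" qualifier: Werkzeug 2.1 changed the default of `autocorrect_location_header` to False, so current Flask deployments no longer get a relative Location header rewritten to the application's own host, and the redirect check itself has to be correct.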
2023-08-31 | VuXML ID 09b7cd39-47bd-11ee-8e38-002590c1f29c
Problem Description:
A flaw in the backwards-compatibility key exchange route allows a
pointer to be freed twice.
Impact:
A remote, unauthenticated attacker may be able to cause a denial of
service, or possibly remote code execution.
Note that FreeBSD 12.3 and FreeBSD 13.1 include older versions of
OpenSSH, and are not affected. FreeBSD 13.2-BETA1 and later include the
fix.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID 17efbe19-4e72-426a-8016-2b4e001c1378
A stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface.
A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials.
The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled.
For pages, the vulnerability is in the "Choose a parent page" ModelAdmin view, available when managing pages via ModelAdmin.
For documents, the vulnerability is in the ModelAdmin Inspect view when displaying document fields.
more... | py310-wagtail py311-wagtail py37-wagtail py38-wagtail py39-wagtail
more detail |
2023-08-31 | VuXML ID 181f5e49-b71d-4527-9464-d4624d69acc3
Treq's request methods (`treq.get`, `treq.post`, `HTTPClient.request`, `HTTPClient.get`, etc.) accept cookies as a dictionary.
Such cookies are not bound to a single domain, and are therefore sent to *every* domain ("supercookies").
This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain, e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`.
more... | py310-treq py311-treq py37-treq py38-treq py39-treq
more detail |
2023-08-31 | VuXML ID 1a15b928-5011-4953-8133-d49e24902fe1
Implementations using this library with directory browsing enabled may be susceptible to Cross Site Scripting (XSS) attacks.
more... | py310-WsgiDAV py311-WsgiDAV py37-WsgiDAV py38-WsgiDAV py39-WsgiDAV
more detail |
2023-08-31 | VuXML ID 1e37fa3e-5988-4991-808f-eae98047e2af
Glyph reports:
HTTPie is a command-line HTTP client.
HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage.
Before 3.1.0, HTTPie didn't distinguish between cookies and hosts they belonged.
This behavior resulted in the exposure of some cookies when there are redirects originating from the actual host to a third party website.
Users are advised to upgrade.
There are no known workarounds.
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository httpie/httpie prior to 3.1.0.
more... | py310-httpie py311-httpie py37-httpie py38-httpie py39-httpie
more detail |
2023-08-31 | VuXML ID 252f40cb-618c-47f4-a2cf-1abf30cffbbe
praetorian-colby-morgan reports:
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9.
It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
more... | py310-Flask-Cors py311-Flask-Cors py37-Flask-Cors py38-Flask-Cors py39-Flask-Cors
more detail |
2023-08-31 | VuXML ID 291d0953-47c1-11ee-8e38-002590c1f29c
Problem Description:
The server may cause ssh-agent to load shared libraries other than
those required for PKCS#11 support. These shared libraries may have
side effects that occur on load and unload (dlopen and dlclose).
Impact:
An attacker with access to a server that accepts a forwarded
ssh-agent connection may be able to execute code on the machine running
ssh-agent. Note that the attack relies on properties of operating
system-provided libraries. This has been demonstrated on other
operating systems; it is unknown whether this attack is possible using
the libraries provided by a FreeBSD installation.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID 29f050e9-3ef4-4c5f-8204-503b41caf181
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4427.
- Security: backported fix for CVE-2023-4428.
- Security: backported fix for CVE-2023-4430.
- Security: backported fix for CVE-2023-4572.
more... | electron24
more detail |
2023-08-31 | VuXML ID 2ad25820-c71a-4e6c-bb99-770c66fe496d
When the built-in HTTP proxy downloader middleware processes a request with `proxy` metadata, and that `proxy` metadata includes proxy credentials, the built-in HTTP proxy downloader middleware sets the `Proxy-Authentication` header, but only if that header is not already set.
There are third-party proxy-rotation downloader middlewares that set different `proxy` metadata every time they process a request.
Because of request retries and redirects, the same request can be processed by downloader middlewares more than once, including both the built-in HTTP proxy downloader middleware and any third-party proxy-rotation downloader middleware.
These third-party proxy-rotation downloader middlewares could change the `proxy` metadata of a request to a new value, but fail to remove the `Proxy-Authentication` header from the previous value of the `proxy` metadata, causing the credentials of one proxy to be leaked to a different proxy.
If you rotate proxies from different proxy providers, and any of those proxies requires credentials, you are affected, unless you are handling proxy rotation as described under **Workarounds** below.
If you use a third-party downloader middleware for proxy rotation, the same applies to that downloader middleware, and installing a patched version of Scrapy may not be enough;
patching that downloader middleware may be necessary as well.
more... | py310-Scrapy py311-Scrapy py37-Scrapy py38-Scrapy py39-Scrapy
more detail |
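What the workaround amounts to is remembering which proxy a credentials header was minted for and discarding it whenever the proxy changes (the request header that carries proxy credentials on the wire is Proxy-Authorization; Proxy-Authenticate is the proxy's challenge). An added example, not Scrapy's middleware: the `Request` class is a constructed stand-in, and the `_auth_proxy` meta key and `apply_proxy` name are assumptions made here.

```python
from base64 import b64encode
from urllib.parse import urlsplit, urlunsplit


class Request:
    """Constructed stand-in for a crawler request (not Scrapy's class)."""

    def __init__(self, url, meta=None, headers=None):
        self.url = url
        self.meta = dict(meta or {})
        self.headers = dict(headers or {})


def split_proxy_credentials(proxy_url):
    """Return (credentials or None, proxy URL with the userinfo removed)."""
    parts = urlsplit(proxy_url)
    if parts.username is None:
        return None, proxy_url
    creds = f"{parts.username}:{parts.password or ''}"
    hostport = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    return creds, urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))


def apply_proxy(request):
    """Set Proxy-Authorization for request.meta['proxy'], dropping any header
    that was issued for a different proxy. The proxy the header belongs to is
    remembered in meta['_auth_proxy'] (key name chosen for this example)."""
    proxy = request.meta.get("proxy")
    if proxy is None:
        # Proxy removed: the header must go with it.
        request.headers.pop("Proxy-Authorization", None)
        request.meta.pop("_auth_proxy", None)
        return request
    creds, bare_proxy = split_proxy_credentials(proxy)
    if request.meta.get("_auth_proxy") not in (None, bare_proxy):
        # Rotated to a different proxy: never forward the old credentials.
        request.headers.pop("Proxy-Authorization", None)
    if creds is not None:
        token = b64encode(creds.encode()).decode()
        request.headers["Proxy-Authorization"] = f"Basic {token}"
    request.meta["proxy"] = bare_proxy
    request.meta["_auth_proxy"] = bare_proxy
    return request


def rotation_scenario():
    """Send the request through a credentialed proxy, then let a rotation
    middleware switch it to an uncredentialed one; return the header seen at
    each step (the second must be None, or proxy A's password reaches proxy B)."""
    req = Request("https://target.example/",
                  meta={"proxy": "http://alice:s3cret@proxy-a.example:8080"})
    apply_proxy(req)
    first = req.headers.get("Proxy-Authorization")
    req.meta["proxy"] = "http://proxy-b.example:8080"   # rotation middleware
    apply_proxy(req)
    second = req.headers.get("Proxy-Authorization")
    return first, second
```

The same bookkeeping belongs in any third-party rotation middleware that sets `proxy` itself: if it writes a new proxy into the request, it must also drop the header, because it may run before or after the built-in middleware on a retry.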
2023-08-31 | VuXML ID 2def7c4b-736f-4754-9f03-236fcb586d91
A memory exhaustion bug exists in Wagtail's handling of uploaded images and documents.
For both images and documents, files are loaded into memory during upload for additional processing.
A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service.
The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
It can only be exploited by admin users with permission to upload images or documents.
Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code.
more... | py310-wagtail py311-wagtail py37-wagtail py38-wagtail py39-wagtail
more detail |
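The ordering problem the advisory describes (the size limit checked only after the whole file is already in memory) is fixed by enforcing the limit while reading. Added example, not Wagtail's code; `read_bounded`, `UploadTooLarge` and `MAX_UPLOAD_BYTES` are hypothetical names, and the 10 MB figure mirrors the frontend limit quoted above.

```python
import io

MAX_UPLOAD_BYTES = 10 * 1024 * 1024   # enforce the 10 MB limit server-side too


class UploadTooLarge(ValueError):
    pass


def check_declared_length(headers: dict, limit: int = MAX_UPLOAD_BYTES) -> None:
    """Cheap first gate on the declared size. A client can lie or omit it, so
    this never replaces the bounded read below."""
    declared = headers.get("Content-Length")
    if declared is not None and int(declared) > limit:
        raise UploadTooLarge(f"declared {declared} bytes exceeds {limit}")


def read_bounded(stream, limit: int = MAX_UPLOAD_BYTES, chunk_size: int = 64 * 1024) -> bytes:
    """Buffer an upload into memory only up to `limit` bytes, aborting as soon
    as the limit is exceeded instead of reading the whole body and checking
    afterwards. Works for chunked bodies that carry no Content-Length."""
    buf = io.BytesIO()
    total = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        total += len(chunk)
        if total > limit:
            raise UploadTooLarge(f"upload exceeds {limit} bytes")
        buf.write(chunk)
    return buf.getvalue()


def read_bytes_bounded(data: bytes, limit: int) -> bytes:
    """Convenience wrapper over read_bounded for an in-memory body."""
    return read_bounded(io.BytesIO(data), limit=limit, chunk_size=1024)


def accepts(size: int, limit: int) -> bool:
    """True if a body of `size` bytes (constructed filler) passes the limit."""
    try:
        read_bytes_bounded(b"x" * size, limit)
        return True
    except UploadTooLarge:
        return False
```

The memory cost is then bounded by `limit` plus one chunk regardless of what the client declares; image decoding, which is where the advisory says the file was already loaded, only runs on bodies that passed the bounded read.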
2023-08-31 | VuXML ID 3dabf5b8-47c0-11ee-8e38-002590c1f29c
Problem Description:
Each fragment of an IPv6 packet contains a fragment header which
specifies the offset of the fragment relative to the original packet,
and each fragment specifies its length in the IPv6 header. When
reassembling the packet, the kernel calculates the complete IPv6 payload
length. The payload length must fit into a 16-bit field in the IPv6
header.
Due to a bug in the kernel, a set of carefully crafted packets can
trigger an integer overflow in the calculation of the reassembled
packet's payload length field.
Impact:
Once an IPv6 packet has been reassembled, the kernel continues
processing its contents. It does so assuming that the fragmentation
layer has validated all fields of the constructed IPv6 header. This bug
violates such assumptions and can be exploited to trigger a remote
kernel panic, resulting in a denial of service.
more... | FreeBSD-kernel
more detail |
2023-08-31 | VuXML ID 3fcab88b-47bc-11ee-8e38-002590c1f29c
Problem Description:
When GELI reads a key file from a standard input, it doesn't store it
anywhere. If the user tries to initialize multiple providers at once,
for the second and subsequent devices the standard input stream will be
already empty. In this case, GELI silently uses a NULL key as the user
key file. If the user used only a key file without a user passphrase,
the master key was encrypted with an empty key file. This might not be
noticed if the devices were also decrypted in a batch operation.
Impact:
Some GELI providers might be silently encrypted with a NULL key
file.
more... | FreeBSD-kernel
more detail |
2023-08-31 | VuXML ID 41af0277-47bf-11ee-8e38-002590c1f29c
Problem Description:
pam_krb5 authenticates the user by essentially running kinit(1) with
the password, getting a `ticket-granting ticket' (tgt) from the Kerberos
KDC (Key Distribution Center) over the network, as a way to verify the
password.
Normally, the system running the pam_krb5 module will also have a
keytab, a key provisioned by the KDC. The pam_krb5 module will use the
tgt to get a service ticket and validate it against the keytab, ensuring
the tgt is valid and therefore, the password is valid.
However, if a keytab is not provisioned on the system, pam_krb5 has
no way to validate the response from the KDC, and essentially trusts the
tgt provided over the network as being valid.
Impact:
In a non-default FreeBSD installation that leverages pam_krb5 for
authentication and does not have a keytab provisioned, an attacker that
is able to control both the password and the KDC responses can return a
valid tgt, allowing authentication to occur for any user on the
system.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID 4eb5dccb-923c-4f18-9cd4-b53f9e28d4d7
kmike and nramirezuy report:
Scrapy 1.4 allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.
more... | py310-Scrapy py311-Scrapy py37-Scrapy py38-Scrapy py39-Scrapy
more detail |
2023-08-31 | VuXML ID 579c7489-c23d-454a-b0fc-ed9d80ea46e0
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4427.
- Security: backported fix for CVE-2023-4428.
more... | electron22
more detail |
2023-08-31 | VuXML ID 67fe5e5b-549f-4a2a-9834-53f60eaa415e
ranjit-git reports:
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.
more... | py310-Scrapy py311-Scrapy py37-Scrapy py38-Scrapy py39-Scrapy
more detail |
2023-08-31 | VuXML ID 692a5fd5-bb25-4df4-8a0e-eb91581f2531
subnix reports:
The Flask-Caching extension through 2.0.2 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation.
If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code.
more... | py310-flask-caching py311-flask-caching py37-flask-caching py38-flask-caching py39-flask-caching
more detail |
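The advisory's point is that pickle.loads() is itself code execution: the object being loaded decides what gets called. Added example, not Flask-Caching's code; `Payload`, `dumps_signed`/`loads_signed` and the demo key are constructed for illustration. The first half shows a benign object whose `__reduce__` runs during loading; the second half is the mitigation pattern of storing a data-only encoding (JSON) authenticated with an HMAC under a key the cache backend never holds, so that someone who can write to Redis, Memcached or the filesystem cache can only produce entries that fail verification.

```python
import hashlib
import hmac
import json
import os
import pickle

RECORD = []


def _mark():
    """Stand-in for whatever an attacker would run; here it only leaves a trace."""
    RECORD.append("executed")


class Payload:
    """Benign stand-in for a crafted cache entry: unpickling it calls _mark()
    before the caller ever sees the value it was supposed to contain."""

    def __reduce__(self):
        return (_mark, ())


def pickle_runs_code_on_load():
    RECORD.clear()
    blob = pickle.dumps(Payload())   # what a poisoned cache entry looks like
    pickle.loads(blob)               # the consumer "just reads the cache"
    return list(RECORD)


# Mitigation: serialise to a data-only format and authenticate it.
KEY = os.urandom(32)   # demo only; derive from the application's secret in practice


def dumps_signed(obj, key: bytes = KEY) -> bytes:
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def loads_signed(blob: bytes, key: bytes = KEY):
    tag, payload = blob[:32], blob[32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cache entry failed authentication")
    return json.loads(payload)


def tampered_entry_rejected(obj) -> bool:
    """Flip one byte of a valid entry and confirm the loader refuses it."""
    blob = bytearray(dumps_signed(obj))
    blob[-1] ^= 0x01
    try:
        loads_signed(bytes(blob))
    except ValueError:
        return True
    return False
```

JSON cannot represent every object pickle can, which is the trade-off: anything cached this way has to be plain data. Where native objects are unavoidable, the HMAC check still has to run before pickle.loads(), never after.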
2023-08-31 | VuXML ID 83b29e3f-886f-439f-b9a8-72e014479ff9
yeisonvargasf reports:
dparse is a parser for Python dependency files.
dparse in versions before 0.5.2 contain a regular expression that is vulnerable to a Regular Expression Denial of Service.
All the users parsing index server URLs with dparse are impacted by this vulnerability.
Users unable to upgrade should avoid passing index server URLs in the source file to be parsed.
more... | py310-dparse py311-dparse py37-dparse py38-dparse py39-dparse
more detail |
2023-08-31 | VuXML ID 970dcbe0-a947-41a4-abe9-7aaba87f41fe
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4427.
- Security: backported fix for CVE-2023-4428.
- Security: backported fix for CVE-2023-4429.
- Security: backported fix for CVE-2023-4430.
- Security: backported fix for CVE-2023-4572.
more... | electron25
more detail |
2023-08-31 | VuXML ID 97c1b0f7-47b9-11ee-8e38-002590c1f29c
Problem Description:
Multiple security vulnerabilities have been discovered in the Heimdal
implementation of the Kerberos 5 network authentication
protocols and KDC.
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
- CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
- CVE-2019-14870 Validate client attributes in protocol-transition
- CVE-2019-14870 Apply forwardable policy in protocol-transition
- CVE-2019-14870 Always lookup impersonate client in DB
Impact:
A malicious actor with control of the network between a client and a
service using Kerberos for authentication can impersonate either the
client or the service, enabling a man-in-the-middle (MITM) attack
circumventing mutual authentication.
Note that, while CVE-2022-44640 is a severe vulnerability, possibly
enabling remote code execution on other platforms, the version of
Heimdal included with the FreeBSD base system cannot be exploited in
this way on FreeBSD.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID 9b0d9832-47c1-11ee-8e38-002590c1f29c
Problem Description:
The problem detailed in FreeBSD-SA-23:04.pam_krb5 persisted following
the patch for that advisory.
Impact:
The impact described in FreeBSD-SA-23:04.pam_krb5 persists.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID a005aea9-47bb-11ee-8e38-002590c1f29c
Problem Description:
ping reads raw IP packets from the network to process responses in
the pr_pack() function. As part of processing a response ping has to
reconstruct the IP header, the ICMP header and if present a "quoted
packet," which represents the packet that generated an ICMP error.
The quoted packet again has an IP header and an ICMP header.
The pr_pack() copies received IP and ICMP headers into stack buffers
for further processing. In so doing, it fails to take into account the
possible presence of IP option headers following the IP header in either
the response or the quoted packet. When IP options are present,
pr_pack() overflows the destination buffer by up to 40 bytes.
Impact:
The memory safety bugs described above can be triggered by a remote
host, causing the ping program to crash.
The ping process runs in a capability mode sandbox on all affected
versions of FreeBSD and is thus very constrained in how it can interact
with the rest of the system at the point where the bug can occur.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID a5403af6-225e-48ba-b233-bd95ad26434a
Responses from domain names whose public domain name suffix contains 1 or more periods (e.g. responses from `example.co.uk`, given its public domain name suffix is `co.uk`) are able to set cookies that are included in requests to any other domain sharing the same domain name suffix.
more... | py310-Scrapy py311-Scrapy py37-Scrapy py38-Scrapy py39-Scrapy
more detail |
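This Scrapy entry and the treq entry above (cookies passed as a plain dictionary, sent to every domain) are two ends of the same scoping problem: a cookie needs a domain it belongs to, and that domain must not be a public suffix. An added example that serves both, not treq's or Scrapy's code: `CookieStore`, `registrable_domain` and the tiny `PUBLIC_SUFFIXES` set are constructed for illustration (a real implementation loads the full Public Suffix List).

```python
# Constructed subset of the Public Suffix List, enough for the example.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "github.io"}


def registrable_domain(host):
    """Return the registrable domain (eTLD+1) of host, or None when host is
    itself a public suffix such as co.uk."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return host.lower()   # no known suffix: treat the whole host as registrable


class CookieStore:
    """Minimal domain-scoped cookie store. Every cookie is bound to the host
    or domain it was set for, which a dict of name->value cannot express."""

    def __init__(self):
        self._cookies = []   # (domain, host_only, name, value)

    def set_from_response(self, response_host, name, value, domain_attr=None):
        host = response_host.lower()
        if domain_attr is None:
            self._cookies.append((host, True, name, value))
            return True
        domain = domain_attr.lower().lstrip(".")
        # The Domain attribute must be the response host or a parent of it ...
        if not (host == domain or host.endswith("." + domain)):
            return False
        # ... and must not be a public suffix, or example.co.uk could plant a
        # cookie that every other *.co.uk site would receive.
        if registrable_domain(domain) is None:
            return False
        self._cookies.append((domain, False, name, value))
        return True

    def cookies_for(self, request_host):
        host = request_host.lower()
        return {name: value
                for domain, host_only, name, value in self._cookies
                if host == domain or (not host_only and host.endswith("." + domain))}


def redirect_scenario():
    """A session cookie set by example.com must not follow a redirect to
    cloudstorageprovider.com; a plain dict has no domain and would."""
    jar = CookieStore()
    jar.set_from_response("example.com", "session", "abc123")
    supercookie = {"session": "abc123"}   # a dict-valued cookies= argument
    return (jar.cookies_for("example.com"),
            jar.cookies_for("cloudstorageprovider.com"),
            supercookie)


def suffix_scenario():
    """example.co.uk may scope a cookie to itself but not to co.uk."""
    jar = CookieStore()
    rejected = jar.set_from_response("example.co.uk", "sid", "x", domain_attr="co.uk")
    accepted = jar.set_from_response("example.co.uk", "sid", "x", domain_attr=".example.co.uk")
    return (rejected, accepted,
            jar.cookies_for("www.example.co.uk"),
            jar.cookies_for("other.co.uk"))
```

The two checks in `set_from_response` are the ones browsers apply under RFC 6265 plus the public-suffix rule; an HTTP client that keeps cookies across redirects needs both, and a cookie supplied by the caller should be entered into the jar as host-only for the first request's host rather than attached to every request.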
2023-08-31 | VuXML ID ab437561-47c0-11ee-8e38-002590c1f29c
Problem Description:
The fwctl driver implements a state machine which is executed when
the guest accesses certain x86 I/O ports. The interface lets the guest
copy a string into a buffer resident in the bhyve process' memory. A
bug in the state machine implementation can result in a buffer
overflowing when copying this string.
Impact:
A malicious, privileged software running in a guest VM can exploit
the buffer overflow to achieve code execution on the host in the bhyve
userspace process, which typically runs as root. Note that bhyve runs
in a Capsicum sandbox, so malicious code is constrained by the
capabilities available to the bhyve process.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID b8a52e5a-483d-11ee-971d-3df00e0f9020
Thomas Waldmann reports:
A flaw in the cryptographic authentication scheme in Borg allowed an attacker to fake archives and potentially indirectly cause backup data loss in the repository.
The attack requires an attacker to be able to
- insert files (with no additional headers) into backups
- gain write access to the repository
This vulnerability does not disclose plaintext to the attacker, nor does it affect the authenticity of existing archives. Creating plausible fake archives may be feasible for empty or small archives, but is unlikely for large archives.
more... | py310-borgbackup py311-borgbackup py312-borgbackup py37-borgbackup py38-borgbackup py39-borgbackup
more detail |
2023-08-31 | VuXML ID c2c89dea-2859-4231-8f3b-012be0d475ff
domiee13 reports:
A vulnerability was found in django-photologue up to 3.15.1 and classified as problematic.
Affected by this issue is some unknown functionality of the file photologue/templates/photologue/photo_detail.html of the component Default Template Handler.
The manipulation of the argument object.caption leads to cross site scripting.
The attack may be launched remotely.
Upgrading to version 3.16 is able to address this issue.
The name of the patch is 960cb060ce5e2964e6d716ff787c72fc18a371e7.
It is recommended to apply a patch to fix this issue.
VDB-215906 is the identifier assigned to this vulnerability.
more... | py310-django-photologue py311-django-photologue py37-django-photologue py38-django-photologue py39-django-photologue
more detail |
2023-08-31 | VuXML ID c8eb4c40-47bd-11ee-8e38-002590c1f29c
Problem Description:
X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING.
Timing Oracle in RSA Decryption (CVE-2022-4304)
A timing based side channel exists in the OpenSSL RSA Decryption
implementation.
Use-after-free following BIO_new_NDEF (CVE-2023-0215)
The public API function BIO_new_NDEF is a helper function used for streaming
ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support
the SMIME, CMS and PKCS7 streaming capabilities, but may also be called
directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter
BIO onto the front of it to form a BIO chain, and then returns the new head
of the BIO chain to the caller. Under certain conditions, for example if a
CMS recipient public key is invalid, the new filter BIO is freed and the
function returns a NULL result indicating a failure. However, in this case,
the BIO chain is not properly cleaned up and the BIO passed by the caller
still retains internal pointers to the previously freed filter BIO.
Double free after calling PEM_read_bio_ex (CVE-2022-4450)
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data. In
this case PEM_read_bio_ex() will return a failure code but will populate the
header argument with a pointer to a buffer that has already been freed.
Impact:
X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
arbitrary pointers to a memcmp call, enabling them to read memory contents or
enact a denial of service. In most cases, the attack requires the attacker to
provide both the certificate chain and CRL, neither of which need to have a
valid signature. If the attacker only controls one of these inputs, the other
input must already contain an X.400 address as a CRL distribution point, which
is uncommon. As such, this vulnerability is most likely to only affect
applications which have implemented their own functionality for retrieving CRLs
over a network.
Timing Oracle in RSA Decryption (CVE-2022-4304)
A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OAEP and RSASVE.
Use-after-free following BIO_new_NDEF (CVE-2023-0215)
A use-after-free will occur under certain conditions. This will most likely
result in a crash.
Double free after calling PEM_read_bio_ex (CVE-2022-4450)
A double free may occur. This will most likely lead to a crash. This could be
exploited by an attacker who has the ability to supply malicious PEM files
for parsing to achieve a denial of service attack.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID c9b3324f-8e03-4ae3-89ce-8098cdc5bfa9
Ben Caller reports:
markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability.
If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.
more... | py310-markdown2 py311-markdown2 py37-markdown2 py38-markdown2 py39-markdown2
more detail |
2023-08-31 | VuXML ID cdc685b5-1724-49a1-ad57-2eaab68e9cc0
Red Hat reports:
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
Ben Caller reports:
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions.
Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS.
By crafting malicious input, an attacker can cause a denial of service.
more... | py310-pygments py310-pygments-25 py311-pygments py311-pygments-25 py37-pygments py37-pygments-25 py38-pygments py38-pygments-25 py39-pygments py39-pygments-25
more detail |
2023-08-31 | VuXML ID cf6f3465-e996-4672-9458-ce803f29fdb7
TheGrandPew reports:
python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds.
For example, an attack might use elementname@ or elementname- with an onclick attribute.
more... | py310-markdown2 py311-markdown2 py37-markdown2 py38-markdown2 py39-markdown2
more detail |
2023-08-31 | VuXML ID e31a8f8e-47bf-11ee-8e38-002590c1f29c
Problem Description:
When using ssh-add(1) to add smartcard keys to ssh-agent(1) with
per-hop destination constraints, a logic error prevented the constraints
from being sent to the agent resulting in keys being added to the agent
without constraints.
Impact:
A malicious server could leverage the keys provided by a forwarded
agent that would normally not be allowed due to the logic error.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID e831dd5a-7d8e-4818-aa1f-17dd495584ec
lebr0nli reports:
Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`.
more... | py310-httpx013 py311-httpx013 py37-httpx013 py38-httpx013 py39-httpx013
more detail |
2023-08-30 | VuXML ID 22fffa69-46fa-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [1472492] High CVE-2023-4572: Use after free in MediaStream. Reported by fwnfwn(@_fwnfwn) on 2023-08-12
more... | chromium ungoogled-chromium
more detail |
2023-08-27 | VuXML ID 36a37c92-44b1-11ee-b091-6162c1274384
The Gitea team reports:
Fix API leaking Usermail if not logged in
The API should only return the real Mail of a User, if the
caller is logged in. The check to do this didn't work. This PR
fixes this. This is not really a security issue, but can lead to
Spam.
more... | gitea
more detail |
2023-08-24 | VuXML ID 5999fc39-72d0-4b99-851c-ade7ff7125c3
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4071.
- Security: backported fix for CVE-2023-4070.
- Security: backported fix for CVE-2023-4075.
- Security: backported fix for CVE-2023-4076.
- Security: backported fix for CVE-2023-4074.
- Security: backported fix for CVE-2023-4072.
- Security: backported fix for CVE-2023-4068.
- Security: backported fix for CVE-2023-4073.
- Security: backported fix for CVE-2023-4355.
- Security: backported fix for CVE-2023-4354.
- Security: backported fix for CVE-2023-4353.
- Security: backported fix for CVE-2023-4351.
more... | electron25
more detail |
2023-08-24 | VuXML ID 5fa332b9-4269-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 5 security fixes:
- [1469542] High CVE-2023-4430: Use after free in Vulkan. Reported by Cassidy Kim(@cassidy6564) on 2023-08-02
- [1469754] High CVE-2023-4429: Use after free in Loader. Reported by Anonymous on 2023-08-03
- [1470477] High CVE-2023-4428: Out of bounds memory access in CSS. Reported by Francisco Alonso (@revskills) on 2023-08-06
- [1470668] High CVE-2023-4427: Out of bounds memory access in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-08-07
- [1469348] Medium CVE-2023-4431: Out of bounds memory access in Fonts. Reported by Microsoft Security Researcher on 2023-08-01
more... | chromium ungoogled-chromium
more detail |
2023-08-24 | VuXML ID 99bc2966-55be-4411-825f-b04017a4c100
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4355.
- Security: backported fix for CVE-2023-4354.
- Security: backported fix for CVE-2023-4353.
- Security: backported fix for CVE-2023-4352.
- Security: backported fix for CVE-2023-4351.
more... | electron22 electron24
more detail |
2023-08-23 | VuXML ID ddd3fcc9-2bdd-11ee-9af4-589cfc0f81b0
phpmyfaq developers report:
Cross Site Scripting vulnerability
CSV injection vulnerability
more... | phpmyfaq-php80 phpmyfaq-php81 phpmyfaq-php82 phpmyfaq-php83
more detail |
2023-08-17 | VuXML ID 5666688f-803b-4cf0-9cb1-08c088f2225a
Chrome Releases reports:
This update includes 26 security fixes:
- [1448548] High CVE-2023-2312: Use after free in Offline. Reported by avaue at S.S.L. on 2023-05-24
- [1458303] High CVE-2023-4349: Use after free in Device Trust Connectors. Reported by Weipeng Jiang (@Krace) of VRI on 2023-06-27
- [1454817] High CVE-2023-4350: Inappropriate implementation in Fullscreen. Reported by Khiem Tran (@duckhiem) on 2023-06-14
- [1465833] High CVE-2023-4351: Use after free in Network. Reported by Guang and Weipeng Jiang of VRI on 2023-07-18
- [1452076] High CVE-2023-4352: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-06-07
- [1458046] High CVE-2023-4353: Heap buffer overflow in ANGLE. Reported by Christoph Diehl / Microsoft Vulnerability Research on 2023-06-27
- [1464215] High CVE-2023-4354: Heap buffer overflow in Skia. Reported by Mark Brand of Google Project Zero on 2023-07-12
- [1468943] High CVE-2023-4355: Out of bounds memory access in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-07-31
- [1449929] Medium CVE-2023-4356: Use after free in Audio. Reported by Zhenghang Xiao (@Kipreyyy) on 2023-05-30
- [1458911] Medium CVE-2023-4357: Insufficient validation of untrusted input in XML. Reported by Igor Sak-Sakovskii on 2023-06-28
- [1466415] Medium CVE-2023-4358: Use after free in DNS. Reported by Weipeng Jiang (@Krace) of VRI on 2023-07-20
- [1443722] Medium CVE-2023-4359: Inappropriate implementation in App Launcher. Reported by @retsew0x01 on 2023-05-09
- [1462723] Medium CVE-2023-4360: Inappropriate implementation in Color. Reported by Axel Chong on 2023-07-07
- [1465230] Medium CVE-2023-4361: Inappropriate implementation in Autofill. Reported by Thomas Orlita on 2023-07-17
- [1316379] Medium CVE-2023-4362: Heap buffer overflow in Mojom IDL. Reported by Zhao Hai of NanJing Cyberpeace TianYu Lab on 2022-04-14
- [1367085] Medium CVE-2023-4363: Inappropriate implementation in WebShare. Reported by Alesandro Ortiz on 2022-09-23
- [1406922] Medium CVE-2023-4364: Inappropriate implementation in Permission Prompts. Reported by Jasper Rebane on 2023-01-13
- [1431043] Medium CVE-2023-4365: Inappropriate implementation in Fullscreen. Reported by Hafiizh on 2023-04-06
- [1450784] Medium CVE-2023-4366: Use after free in Extensions. Reported by asnine on 2023-06-02
- [1467743] Medium CVE-2023-4367: Insufficient policy enforcement in Extensions API. Reported by Axel Chong on 2023-07-26
- [1467751] Medium CVE-2023-4368: Insufficient policy enforcement in Extensions API. Reported by Axel Chong on 2023-07-26
more... | chromium ungoogled-chromium
more detail |
2023-08-17 | VuXML ID 759a5599-3ce8-11ee-a0d1-84a93843eb75
Oracle reports:
This Critical Patch Update contains 24 new security patches for Oracle
MySQL. 11 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring
user credentials.
more... | mysql-client57 mysql-client80 mysql-connector-c++ mysql-server57 mysql-server80
more detail |
2023-08-16 | VuXML ID 51a59f36-3c58-11ee-b32e-080027f5fec9
Steve Smith reports:
There is a possible denial of service vulnerability in the
HFS+ file parser.
more... | clamav clamav-lts
more detail |
2023-08-16 | VuXML ID 8e561cfe-3c59-11ee-b32e-080027f5fec9
The ClamAV project reports:
There is a possible denial of service vulnerability in the
AutoIt file parser.
more... | clamav-lts
more detail |
2023-08-14 | VuXML ID a6986f0f-3ac0-11ee-9a88-206a8a720317
SO-AND-SO reports:
When issuing a ticket for a TGS renew or validate request, copy
only the server field from the outer part of the header ticket
to the new ticket. Copying the whole structure causes the
enc_part pointer to be aliased to the header ticket until
krb5_encrypt_tkt_part() is called, resulting in a double-free
if handle_authdata() fails.
more... | krb5 krb5-121 krb5-devel
more detail |
2023-08-14 | VuXML ID b1ac663f-3aa9-11ee-b887-b42e991fc52e
TYPO3 reports:
TYPO3-CORE-SA-2023-002: By-passing Cross-Site Scripting Protection in HTML Sanitizer
TYPO3-CORE-SA-2023-003: Information Disclosure due to Out-of-scope Site Resolution
TYPO3-CORE-SA-2023-004: Cross-Site Scripting in CKEditor4 WordCount Plugin
more... | typo3-11-php80 typo3-11-php81 typo3-12-php80 typo3-12-php81
more detail |
2023-08-11* | VuXML ID f3a35fb8-2d70-47c9-a516-6aad7eb222b1
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3732.
- Security: backported fix for CVE-2023-3728.
- Security: backported fix for CVE-2023-3730.
more... | electron22 electron23 electron24 electron25
more detail |
2023-08-10 | VuXML ID 59a43a73-3786-11ee-94b4-6cc21735f730
PostgreSQL Project reports:
PostgreSQL 15 introduced the MERGE command, which fails to test
new rows against row security policies defined for UPDATE and
SELECT. If UPDATE and SELECT policies forbid some row that
INSERT policies do not forbid, a user could store such rows.
Subsequent consequences are application-dependent. This
affects only databases that have used CREATE POLICY to define
a row security policy.
more... | postgresql-server
more detail |
2023-08-10 | VuXML ID cfd2a634-3785-11ee-94b4-6cc21735f730
PostgreSQL Project reports:
An extension script is vulnerable if it uses @extowner@,
@extschema@, or @extschema:...@ inside a quoting construct
(dollar quoting, '', or ""). No bundled extension is
vulnerable. Vulnerable uses do appear in a documentation
example and in non-bundled extensions. Hence, the attack
prerequisite is an administrator having installed files of a
vulnerable, trusted, non-bundled extension. Subject to that
prerequisite, this enables an attacker having database-level
CREATE privilege to execute arbitrary code as the bootstrap
superuser. PostgreSQL will block this attack in the core
server, so there's no need to modify individual extensions.
more... | postgresql-server
more detail |
2023-08-05 | VuXML ID 441e1e1a-27a5-11ee-a156-080027f5fec9
The Samba Team reports:
- CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion DoS Vulnerability
When parsing Spotlight mdssvc RPC packets, one encoded
data structure is a key-value style dictionary where
keys are character strings and values can be any of
the supported types in the mdssvc protocol. Due to a
lack of type checking in callers of the function
dalloc_value_for_key(), which returns the object
associated with a key, a caller may trigger a crash in
talloc_get_size() when talloc detects that the passed in
pointer is not a valid talloc pointer. As RPC worker
processes are shared among multiple client connections,
a malicious client can crash the worker process
affecting all other clients that are also served by this
worker.
- CVE-2022-2127: Out-Of-Bounds read in winbind AUTH_CRAP
When doing NTLM authentication, the client sends replies
to cryptographic challenges back to the server. These
replies have variable length. Winbind did not properly
bounds-check the lan manager response length, which
despite the lan manager version no longer being used is
still part of the protocol. If the system is running
Samba's ntlm_auth as authentication backend for services
like Squid (or a very unusual configuration with
FreeRADIUS), the vulnerability is remotely exploitable.
If not so configured, or to exploit this vulnerability
locally, the user must have access to the privileged
winbindd UNIX domain socket (a subdirectory with name
'winbindd_privileged' under "state directory", as set in
the smb.conf). This access is normally only given to
special system services like Squid or FreeRADIUS that use
this feature.
- CVE-2023-34968: Spotlight server-side Share Path Disclosure
As part of the Spotlight protocol, the initial request
returns a path associated with the sharename targeted by
the RPC request. Samba returns the real server-side
share path at this point, as well as returning the
absolute server-side path of results in search queries
by clients. Known server side paths could be used to
mount subsequent more serious security attacks or could
disclose confidential information that is part of the
path. To mitigate the issue, Samba will replace the
real server-side path with a fake path constructed from
the sharename.
- CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop DoS Vulnerability
When parsing Spotlight mdssvc RPC packets sent by the
client, the core unmarshalling function sl_unpack_loop()
did not validate a field in the network packet that
contains the count of elements in an array-like
structure. By passing 0 as the count value, the attacked
function will run in an endless loop consuming 100% CPU.
This bug only affects servers where Spotlight is
explicitly enabled globally or on individual shares with
"spotlight = yes".
- CVE-2023-3347: SMB2 packet signing not enforced
SMB2 packet signing is not enforced if an admin
configured "server signing = required" or for SMB2
connections to Domain Controllers where SMB2 packet
signing is mandatory. SMB2 packet signing is a
mechanism that ensures the integrity and authenticity of
data exchanged between a client and a server using the
SMB2 protocol. It provides protection against certain
types of attacks, such as man-in-the-middle attacks,
where an attacker intercepts network traffic and
modifies the SMB2 messages. Both client and server of
an SMB2 connection can require that signing is being
used. The server-side setting in Samba to configure
signing to be required is "server signing = required".
Note that on Samba AD DCs this is also the default
for all SMB2 connections. Unless the client requires
signing which would result in signing being used on the
SMB2 connection, sensitive data might have been modified
by an attacker. Clients connecting to IPC$ on an AD DC
will require signed connections being used, so the
integrity of these connections was not affected.
more... | samba413 samba416
more detail |
2023-08-04 | VuXML ID 6e4e8e87-9fb8-4e32-9f8e-9b4303f4bfd5
Chrome Releases reports:
This update includes 17 security fixes:
- [1466183] High CVE-2023-4068: Type Confusion in V8. Reported by Jerry on 2023-07-20
- [1465326] High CVE-2023-4069: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2023-07-17
- [1462951] High CVE-2023-4070: Type Confusion in V8. Reported by Jerry on 2023-07-07
- [1458819] High CVE-2023-4071: Heap buffer overflow in Visuals. Reported by Guang and Weipeng Jiang of VRI on 2023-06-28
- [1464038] High CVE-2023-4072: Out of bounds read and write in WebGL. Reported by Apple Security Engineering and Architecture (SEAR) on 2023-07-12
- [1456243] High CVE-2023-4073: Out of bounds memory access in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2023-06-20
- [1464113] High CVE-2023-4074: Use after free in Blink Task Scheduling. Reported by Anonymous on 2023-07-12
- [1457757] High CVE-2023-4075: Use after free in Cast. Reported by Cassidy Kim(@cassidy6564) on 2023-06-25
- [1459124] High CVE-2023-4076: Use after free in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2023-06-29
- [1451146] Medium CVE-2023-4077: Insufficient data validation in Extensions. Reported by Anonymous on 2023-06-04
- [1461895] Medium CVE-2023-4078: Inappropriate implementation in Extensions. Reported by Anonymous on 2023-07-04
more... | chromium ungoogled-chromium
more detail |
2023-08-02 | VuXML ID 78f2e491-312d-11ee-85f2-bd89b893fcb4
The Go project reports:
crypto/tls: restrict RSA keys in certificates to <= 8192 bits
Extremely large RSA keys in certificate chains can cause
a client/server to expend significant CPU time verifying
signatures. Limit this by restricting the size of RSA keys
transmitted during handshakes to <= 8192 bits.
net/http: insufficient sanitization of Host header
The HTTP/1 client did not fully validate the contents of
the Host header. A maliciously crafted Host header could
inject additional headers or entire requests. The HTTP/1
client now refuses to send requests containing an
invalid Request.Host or Request.URL.Host value.
cmd/go: cgo code injection
The go command may generate unexpected code at build
time when using cgo. This may result in unexpected
behavior when running a go program which uses cgo.
runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary
had the setuid/setgid bit set. On Unix platforms, if a
setuid/setgid binary was executed with standard I/O file
descriptors closed, opening any files could result in
unexpected content being read/written with elevated
privileges. Similarly, if a setuid/setgid program was
terminated, either via panic or signal, it could leak the
contents of its registers.
cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time
when using cgo. This may occur when running "go get" on a
malicious module, or when running any other command which
builds untrusted code. This can be triggered by linker
flags, specified via a "#cgo LDFLAGS" directive.
html/template: improper sanitization of CSS values
Angle brackets (<>) were not considered dangerous
characters when inserted into CSS contexts. Templates
containing multiple actions separated by a '/' character
could result in unexpectedly closing the CSS context and
allowing for injection of unexpected HTML, if executed
with untrusted input.
html/template: improper handling of JavaScript whitespace
Not all valid JavaScript whitespace characters were
considered to be whitespace. Templates containing
whitespace characters outside of the character set
"\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that
also contain actions may not be properly sanitized
during execution.
html/template: improper handling of empty HTML attributes
Templates containing actions in unquoted HTML attributes
(e.g. "attr={{.}}") executed with empty input could
result in output that would have unexpected results when
parsed due to HTML normalization rules. This may allow
injection of arbitrary attributes into tags.
more... | go119 go120
more detail |
2023-08-02 | VuXML ID fa239535-30f6-11ee-aef9-001b217b3468
Gitlab reports:
ReDoS via ProjectReferenceFilter in any Markdown fields
ReDoS via AutolinkFilter in any Markdown fields
Regex DoS in Harbor Registry search
Arbitrary read of files owned by the "git" user via malicious tar.gz file upload using GitLab export functionality
Stored XSS in Web IDE Beta via crafted URL
securityPolicyProjectAssign mutation does not authorize security policy project ID
An attacker can run pipeline jobs as arbitrary user
Possible Pages Unique Domain Overwrite
Access tokens may have been logged when a query was made to an endpoint
Reflected XSS via PlantUML diagram
The main branch of a repository with a specially designed name may allow an attacker to create repositories with malicious code
Invalid 'start_sha' value on merge requests page may lead to Denial of Service
Developers can create pipeline schedules on protected branches even if they don't have access to merge
Potential DOS due to lack of pagination while loading license data
Leaking emails of newly created users
more... | gitlab-ce
more detail |
2023-07-31 | VuXML ID bad6588e-2fe0-11ee-a0d1-84a93843eb75
The OpenSSL project reports:
Checking excessively long DH keys or parameters may be very slow
(severity: Low).
more... | openssl openssl30 openssl31
more detail |
2023-07-26 | VuXML ID a0321b74-031d-485c-bb76-edd75256a6f0
Jenkins Security Advisory:
Description
(High) SECURITY-3188 / CVE-2023-39151
Stored XSS vulnerability
more... | jenkins jenkins-lts
more detail |
2023-07-23 | VuXML ID ab0bab3c-2927-11ee-8608-07b8d3947721
The Gitea team reports:
Disallow javascript, vbscript and data (data uri images still
work) url schemes even if all other schemes are allowed
more... | gitea
more detail |
2023-07-21 | VuXML ID 887eb570-27d3-11ee-adba-c80aa9043978
OpenSSH project reports:
Fix CVE-2023-38408 - a condition where specific libraries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:
* Exploitation requires the presence of specific libraries on
the victim system.
* Remote exploitation requires that the agent was forwarded
to an attacker-controlled system.
Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.
This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.
more... | openssh-portable openssh-portable-gssapi openssh-portable-hpn
more detail |
2023-07-20 | VuXML ID 2f22927f-26ea-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 20 security fixes:
- [1454086] High CVE-2023-3727: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-06-12
- [1457421] High CVE-2023-3728: Use after free in WebRTC. Reported by Zhenghang Xiao (@Kipreyyy) on 2023-06-23
- [1453465] High CVE-2023-3730: Use after free in Tab Groups. Reported by @ginggilBesel on 2023-06-09
- [1450899] High CVE-2023-3732: Out of bounds memory access in Mojo. Reported by Mark Brand of Google Project Zero on 2023-06-02
- [1450203] Medium CVE-2023-3733: Inappropriate implementation in WebApp Installs. Reported by Ahmed ElMasry on 2023-05-31
- [1450376] Medium CVE-2023-3734: Inappropriate implementation in Picture In Picture. Reported by Thomas Orlita on 2023-06-01
- [1394410] Medium CVE-2023-3735: Inappropriate implementation in Web API Permission Prompts. Reported by Ahmed ElMasry on 2022-11-29
- [1434438] Medium CVE-2023-3736: Inappropriate implementation in Custom Tabs. Reported by Philipp Beer (TU Wien) on 2023-04-19
- [1446754] Medium CVE-2023-3737: Inappropriate implementation in Notifications. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2023-05-19
- [1434330] Medium CVE-2023-3738: Inappropriate implementation in Autofill. Reported by Hafiizh on 2023-04-18
- [1405223] Low CVE-2023-3740: Insufficient validation of untrusted input in Themes. Reported by Fardeen Siddiqui on 2023-01-06
more... | chromium ungoogled-chromium
more detail |
2023-07-19* | VuXML ID 1ba034fb-ca38-11ed-b242-d4c9ef517024
The OpenSSL project reports:
Severity: Low
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.
more... | openssl openssl-quic openssl30 openssl31 virtualbox-ose
more detail |
2023-07-19 | VuXML ID bc90e894-264b-11ee-a468-80fa5b29d485
secalert_us@oracle.com reports:
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). Supported versions that are
affected are Prior to 6.1.46 and Prior to 7.0.10. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via RDP to compromise Oracle VM VirtualBox. Successful
attacks of this vulnerability can result in takeover of Oracle VM
VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity
and Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
more... | virtualbox-ose
more detail |
2023-07-19 | VuXML ID cf40e8b7-264d-11ee-a468-80fa5b29d485
secalert_us@oracle.com reports:
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). Supported versions that are
affected are Prior to 6.1.46 and Prior to 7.0.10. Easily exploitable
vulnerability allows low privileged attacker with logon to the
infrastructure where Oracle VM VirtualBox executes to compromise
Oracle VM VirtualBox. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of Oracle VM VirtualBox. Note:
This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score
5.5 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
more... | virtualbox-ose
more detail |
2023-07-19 | VuXML ID f32b1fbd-264d-11ee-a468-80fa5b29d485
secalert_us@oracle.com reports:
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). Supported versions that are
affected are Prior to 6.1.46 and Prior to 7.0.10. Easily exploitable
vulnerability allows high privileged attacker with logon to the
infrastructure where Oracle VM VirtualBox executes to compromise
Oracle VM VirtualBox. Successful attacks require human interaction
from a person other than the attacker. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang
or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox.
CVSS 3.1 Base Score 4.2 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H).
more... | virtualbox-ose
more detail |
2023-07-18 | VuXML ID c70c3dc3-258c-11ee-b37b-901b0e9408dc
Matrix Developers reports:
The Export Chat feature includes certain attacker-controlled elements in the
generated document without sufficient escaping, leading to stored XSS.
more... | element-web
more detail |
2023-07-16 | VuXML ID 41c60e16-2405-11ee-a0d1-84a93843eb75
The OpenSSL project reports:
The AES-SIV cipher implementation contains a bug that causes
it to ignore empty associated data entries which are unauthenticated as
a consequence.
more... | openssl30 openssl31
more detail |
2023-07-14 | VuXML ID 3446e45d-a51b-486f-9b0e-e4402d91fed6
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3422.
- Security: backported fix for CVE-2023-3421.
- Security: backported fix for CVE-2023-3420.
more... | electron22
more detail |
2023-07-10 | VuXML ID 0e254b4a-1f37-11ee-a475-080027f5fec9
Redis core team reports:
A specially crafted Lua script executing in Redis can
trigger a heap overflow in the cjson and cmsgpack
libraries, and result in heap corruption and potentially
remote code execution.
more... | redis redis-devel redis60 redis62
more detail |
2023-07-10 | VuXML ID 6fae2d6c-1f38-11ee-a475-080027f5fec9
Redis core team reports:
Extracting key names from a command and a list of
arguments may, in some cases, trigger a heap overflow and
result in reading random heap memory, heap corruption and
potentially remote code execution. Specifically: using
COMMAND GETKEYS* and validation of key names in ACL rules.
more... | redis redis-devel
more detail |
2023-07-10 | VuXML ID b67d768c-1f53-11ee-82ed-4ccc6adda413
Albin Eldstål-Ahrens reports:
An out-of-bounds read on a heap buffer in the importshp plugin may
allow an attacker to read sensitive data via a crafted DBF file.
more... | librecad
more detail |
2023-07-08* | VuXML ID b31f7029-817c-4c1f-b7d3-252de5283393
SUSE reports:
cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/.
more... | py310-suds py311-suds py37-suds py38-suds py39-suds
more detail |
2023-07-06 | VuXML ID d1681df3-421e-4a63-95b4-a3d6e29d395d
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3422.
- Security: backported fix for CVE-2023-3421.
- Security: backported fix for CVE-2023-3420.
more... | electron23 electron24
more detail |
2023-07-05 | VuXML ID 01eeea33-1afa-11ee-8a9b-b42e991fc52e
cve@mitre.org reports:
An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2
that allows users to store malicious values that may be executed
by other users at a later time via get_request in lib/function.php.
more... | phpldapadmin-php80 phpldapadmin-php81
more detail |
2023-07-05 | VuXML ID 8ea24413-1b15-11ee-9331-570525adb7f1
The Gitea team reports:
If redirect_to parameter has set value starting with
\\example.com redirect will be created with header Location:
/\\example.com that will redirect to example.com domain.
more... | gitea
more detail |
2023-07-05 | VuXML ID b3f77aae-241c-11ee-9684-c11c23f7b0f9
The Gitea team reports:
Test if container blob is accessible before mounting.
Set type="password" on all auth_token fields
Seen when migrating from other hosting platforms.
Prevents exposing the token to screen capture/cameras/eyeballs.
Prevents the browser from saving the value in its autocomplete
dictionary, which often is not secure.
more... | gitea
more detail |
2023-07-05 | VuXML ID d8972bcd-1b64-11ee-9cd6-001b217b3468
Gitlab reports:
A user can change the name and path of some public GitLab groups
more... | gitlab-ce
more detail |
2023-07-03 | VuXML ID 4ee7fa77-19a6-11ee-8a05-080027eda32c
Django reports:
CVE-2023-36053: Potential regular expression denial of service
vulnerability in EmailValidator/URLValidator.
more... | py310-django32 py310-django41 py310-django42 py311-django32 py311-django41 py311-django42 py38-django32 py38-django41 py38-django42 py39-django32 py39-django41 py39-django42
more detail |
2023-07-01 | VuXML ID 95dad123-180e-11ee-86ba-080027eda32c
Mediawiki reports:
(T335203, CVE-2023-29197) Upgrade guzzlehttp/psr7 to >= 1.9.1/2.4.5.
(T335612, CVE-2023-36674) Manualthumb bypasses badFile lookup.
(T332889, CVE-2023-36675) XSS in BlockLogFormatter due to unsafe message
use.
more... | mediawiki135 mediawiki138 mediawiki139
more detail |
2023-06-30 | VuXML ID 3117e6cd-1772-11ee-9cd6-001b217b3468
Gitlab reports:
ReDoS via EpicReferenceFilter in any Markdown fields
New commits to private projects visible in forks created while project was public
New commits to private projects visible in forks created while project was public
Maintainer can leak masked webhook secrets by manipulating URL masking
Information disclosure of project import errors
Sensitive information disclosure via value stream analytics controller
Bypassing Code Owners branch protection rule in GitLab
HTML injection in email address
Webhook token leaked in Sidekiq logs if log format is 'default'
Private email address of service desk issue creator disclosed via issues API
more... | gitlab-ce
more detail |
2023-06-30 | VuXML ID d821956f-1753-11ee-ad66-1c61b4739ac9
Daiyuu Nobori reports:
The SoftEther VPN project received a high level code review and technical assistance from Cisco Systems, Inc. of the United States from April to June 2023 to fix several vulnerabilities in the SoftEther VPN code.
The risk of exploitation of any of the fixed vulnerabilities is low under normal usage and environment, and actual attacks are very difficult. However, SoftEther VPN is now an open source VPN software used by 7.4 million unique users worldwide, and is used daily by many users to defend against the risk of blocking attacks by national censorship firewalls and attempts to eavesdrop on communications. Therefore, as long as the slightest attack possibility exists, there is great value in preventing vulnerabilities as much as possible in anticipation of the most sophisticated cyber attackers in the world, such as malicious ISPs and man-in-the-middle attackers on national Internet communication channels. These fixes are important and useful patches for users who use SoftEther VPN and the Internet for secure communications to prevent advanced attacks that can theoretically be triggered by malicious ISPs and man-in-the-middle attackers on national Internet communication pathways.
The fixed vulnerabilities are CVE-2023-27395, CVE-2023-22325, CVE-2023-32275, CVE-2023-27516, CVE-2023-32634, and CVE-2023-31192. All of these were discovered in an outstanding code review of SoftEther VPN by Cisco Systems, Inc.
- CVE-2023-27395: Heap overflow in the SoftEther VPN DDNS client functionality, at risk of crashing and theoretically arbitrary code execution, caused by a malicious man-in-the-middle attacker such as one at ISP level or on national Internet communication channels
- CVE-2023-22325: Integer overflow in the SoftEther VPN DDNS client functionality could result in crashing, caused by a malicious man-in-the-middle attacker such as one at ISP level or on national Internet communication channels
- CVE-2023-32275: Vulnerability that allows the administrator of a 32-bit version of VPN Client or VPN Server to see the 32-bit heap address of each trusted CA certificate in the VPN process
- CVE-2023-27516: If the user forgets to set the administrator password of SoftEther VPN Client and enables remote administration with a blank password, the administrator password of VPN Client can be changed remotely, or the VPN client can be used remotely, by an anonymous third person
- CVE-2023-32634: If an attacker succeeds in launching a TCP relay program on the same port as the VPN Client on a local computer running the SoftEther VPN Client before the VPN Client process is launched, the TCP relay program can conduct a man-in-the-middle attack on communication between the administrator and the VPN Client process
- CVE-2023-31192: When SoftEther VPN Client connects to an untrusted VPN Server, an invalid redirection response for the clustering (load balancing) feature causes 20 bytes of uninitialized stack space to be read
more... | softether softether-devel
more detail |
2023-06-27 | VuXML ID 06428d91-152e-11ee-8b14-dbdd62da85fb
oss-fuzz reports:
heap buffer overflow in internal_huf_decompress.
Cary Phillips reports:
v3.1.9 - Patch release that addresses [...] also OSS-fuzz 59382 Heap-buffer-overflow in internal_huf_decompress
Kimball Thurston reports:
Fix scenario where malformed dwa file could read past end of buffer - fixes OSS-Fuzz 59382
more... | openexr
more detail |
2023-06-27 | VuXML ID ad05a737-14bd-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [1452137] High CVE-2023-3420: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2023-06-07
- [1447568] High CVE-2023-3421: Use after free in Media. Reported by Piotr Bania of Cisco Talos on 2023-05-22
- [1450397] High CVE-2023-3422: Use after free in Guest View. Reported by asnine on 2023-06-01
more... | chromium ungoogled-chromium
more detail |
2023-06-23 | VuXML ID fdbe9aec-118b-11ee-908a-6c3be5272acd
Grafana Labs reports:
Grafana validates Azure Active Directory accounts based on the email claim.
On Azure AD, the profile email field is not unique across Azure AD tenants.
This can enable a Grafana account takeover and authentication bypass when
Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application.
The CVSS score for this vulnerability is 9.4 Critical.
more... | grafana grafana10 grafana8 grafana9
more detail |
2023-06-22 | VuXML ID 770d88cc-f6dc-4385-bdfe-497f8080c3fb
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3215.
- Security: backported fix for CVE-2023-3216.
- Security: backported fix for CVE-2023-0698.
- Security: backported fix for CVE-2023-0932.
more... | electron22
more detail |
2023-06-22 | VuXML ID a03b2d9e-b3f2-428c-8f66-21092ed2ba94
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3215.
- Security: backported fix for CVE-2023-3216.
more... | electron23 electron24
more detail |
2023-06-16 | VuXML ID 3bf6795c-d44c-4033-9b37-ed2e30f34fca
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-2724.
- Security: backported fix for CVE-2023-2725.
- Security: backported fix for CVE-2023-2721.
- Security: backported fix for CVE-2023-3079.
- Security: backported fix for CVE-2023-2933.
- Security: backported fix for CVE-2023-2932.
- Security: backported fix for CVE-2023-2931.
- Security: backported fix for CVE-2023-2936.
- Security: backported fix for CVE-2023-2935.
- Security: backported fix for CVE-2023-2934.
- Security: backported fix for CVE-2023-2930.
more... | electron23
more detail |
2023-06-16 | VuXML ID 3c3d3dcb-bef7-4d20-9580-b4216b5ff6a2
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-2724.
- Security: backported fix for CVE-2023-2723.
- Security: backported fix for CVE-2023-2725.
- Security: backported fix for CVE-2023-2721.
- Security: backported fix for CVE-2023-3079.
- Security: backported fix for CVE-2023-2933.
- Security: backported fix for CVE-2023-2932.
- Security: backported fix for CVE-2023-2931.
- Security: backported fix for CVE-2023-2936.
- Security: backported fix for CVE-2023-2935.
- Security: backported fix for CVE-2023-2930.
more... | electron22
more detail |
2023-06-16 | VuXML ID 734b8f46-773d-4fef-bed3-61114fe8e4c5
The X.Org project reports:
- Buffer overflows in InitExt.c in libX11 prior to 1.8.6 [CVE-2023-3138]
The functions in src/InitExt.c in libX11 prior to 1.8.6 do not check
that the values provided for the Request, Event, or Error IDs are
within the bounds of the arrays that those functions write to, using
those IDs as array indexes. Instead they trusted that they were called
with values provided by an Xserver that was adhering to the bounds
specified in the X11 protocol, as all X servers provided by X.Org do.
As the protocol only specifies a single byte for these values, an
out-of-bounds value provided by a malicious server (or a malicious
proxy-in-the-middle) can only overwrite other portions of the Display
structure and not write outside the bounds of the Display structure
itself. Testing has found it is possible to at least cause the client
to crash with this memory corruption.
more... | libX11
more detail |
2023-06-16 | VuXML ID aae2ab45-2d21-4cd5-a53b-07ec933400ac
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3079.
- Security: backported fix for CVE-2023-2933.
- Security: backported fix for CVE-2023-2932.
- Security: backported fix for CVE-2023-2931.
- Security: backported fix for CVE-2023-2936.
- Security: backported fix for CVE-2023-2935.
- Security: backported fix for CVE-2023-2934.
- Security: backported fix for CVE-2023-2930.
more... | electron24
more detail |
2023-06-14 | VuXML ID b4db7d78-bb62-4f4c-9326-6e9fc2ddd400
Jenkins Security Advisory:
Description
(High) SECURITY-3135 / CVE-2023-35141
CSRF protection bypass vulnerability
more... | jenkins jenkins-lts
more detail |
2023-06-13 | VuXML ID 1567be8c-0a15-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 5 security fixes:
- [1450568] Critical CVE-2023-3214: Use after free in Autofill payments. Reported by Rong Jian of VRI on 2023-06-01
- [1446274] High CVE-2023-3215: Use after free in WebRTC. Reported by asnine on 2023-05-17
- [1450114] High CVE-2023-3216: Type Confusion in V8. Reported by 5n1p3r0010 from Topsec ChiXiao Lab on 2023-05-31
- [1450601] High CVE-2023-3217: Use after free in WebXR. Reported by Sergei Glazunov of Google Project Zero on 2023-06-01
more... | chromium ungoogled-chromium
more detail |
2023-06-13 | VuXML ID f0250129-fdb8-41ed-aa9e-661ff5026845
VSCode developers report:
VS Code Information Disclosure Vulnerability
An information disclosure vulnerability exists in VS Code 1.79.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. An authorised attacker must send the user a malicious file and convince the user to open it for the vulnerability to occur. Exploiting this vulnerability could allow the disclosure of NTLM hashes.
more... | vscode
more detail |
2023-06-12 | VuXML ID f7e9a1cc-0931-11ee-94b4-6cc21735f730
Shibboleth consortium reports:
An updated version of the XMLTooling library that is part of the
OpenSAML and Shibboleth Service Provider software is now available
which corrects a server-side request forgery (SSRF) vulnerability.
Including certain legal but "malicious in intent" content in the
KeyInfo element defined by the XML Signature standard will result
in attempts by the SP's shibd process to dereference untrusted
URLs.
While the content of the URL must be supplied within the message
and does not include any SP internal state or dynamic content,
there is at minimum a risk of denial of service, and the attack
could be combined with others to create more serious vulnerabilities
in the future.
more... | xmltooling
more detail |
2023-06-09 | VuXML ID fdca9418-06f0-11ee-abe2-ecf4bbefc954
Neil Pang reports:
HiCA was injecting arbitrary code/commands into the certificate obtaining process and acme.sh is running them on the client machine.
more... | acme.sh
more detail |
2023-06-08 | VuXML ID d86becfe-05a4-11ee-9d4a-080027eda32c
Python reports:
gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded
to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well
as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).
gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters
following the specification for URLs defined by WHATWG in response to CVE-2023-24329.
gh-99889: Fixed a security flaw in uu.decode() that could allow for directory traversal
based on the input if no out_file was specified.
gh-104049: Do not expose the local on-disk location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with
shell=True.
gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().
gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter
argument that allows limiting tar features that may be surprising or dangerous, such as creating
files outside the destination directory.
gh-102126: Fixed a deadlock at shutdown when clearing thread states if any finalizer tries to
acquire the runtime head lock.
gh-100892: Fixed a crash due to a race while iterating over thread states in clearing
threading.local.
more... | python310 python311 python37 python38 python39
more detail |
2023-06-07 | VuXML ID 12741b1f-04f9-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 2 security fixes:
- [1450481] High CVE-2023-3079: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-06-01
more... | chromium ungoogled-chromium
more detail |
2023-06-07 | VuXML ID 652064ef-056f-11ee-8e16-6c3be5272acd
Grafana Labs reports:
We have discovered a vulnerability with Grafana's data source query
endpoints that could end up crashing a Grafana instance.
If you have public dashboards (PD) enabled, we
are scoring this as a CVSS 7.5 High.
If you have disabled PD, this vulnerability is still a risk,
but triggering the issue requires data source read privileges
and access to the Grafana API through a developer script.
more... | grafana grafana9
more detail |
2023-06-07 | VuXML ID 6c1de144-056f-11ee-8e16-6c3be5272acd
Grafana Labs reports:
Grafana can allow an attacker in the Viewer role
to send alerts by API Alert - Test. This option,
however, is not available in the user panel UI for the Viewer role.
The CVSS score for this vulnerability is 4.1 Medium
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N).
more... | grafana grafana8 grafana9
more detail |
2023-06-07 | VuXML ID cdb5338d-04ec-11ee-9c88-001b217b3468
Gitlab reports:
Stored-XSS with CSP-bypass in Merge requests
ReDoS via FrontMatterFilter in any Markdown fields
ReDoS via InlineDiffFilter in any Markdown fields
ReDoS via DollarMathPostFilter in Markdown fields
DoS via malicious test report artifacts
Restricted IP addresses can clone repositories of public projects
Reflected XSS in Report Abuse Functionality
Privilege escalation from maintainer to owner by importing members from a project
Bypassing tags protection in GitLab
Denial of Service using multiple labels with arbitrarily large descriptions
Ability to use an unverified email for public and commit emails
Open Redirection Through HTTP Response Splitting
Disclosure of issue notes to an unauthorized user when exporting a project
Ambiguous branch name exploitation
more... | gitlab-ce
more detail |
2023-06-06 | VuXML ID 2f38c6a2-04a4-11ee-8cb0-e41f13b9c674
cve@mitre.org reports:
qpress before PierreLvx/qpress 20220819 and before version 11.3,
as used in Percona XtraBackup and other products, allows directory
traversal via ../ in a .qp file.
more... | qpress xtrabackup8
more detail |
2023-06-06 | VuXML ID bfca647c-0456-11ee-bafd-b42e991fc52e
Kanboard is project management software that focuses on the Kanban
methodology. The last update includes 4 vulnerabilities:
security-advisories@github.com reports:
- Missing access control in internal task links feature
- Stored Cross site scripting in the Task External Link Functionality in Kanboard
- Missing Access Control allows User to move and duplicate tasks in Kanboard
- Parameter based Indirect Object Referencing leading to private file exposure in Kanboard
more... | php80-kanboard
more detail |
2023-05-31 | VuXML ID eb9a3c57-ff9e-11ed-a0d1-84a93843eb75
The OpenSSL project reports:
Severity: Moderate. Processing some specially crafted ASN.1
object identifiers or data containing them may be very slow.
more... | openssl openssl-quictls openssl30 openssl31
more detail |
2023-05-31 | VuXML ID fd87a250-ff78-11ed-8290-a8a1599412c6
Chrome Releases reports:
This update includes 16 security fixes:
- [1410191] High CVE-2023-2929: Out of bounds write in Swiftshader. Reported by Jaehun Jeong(@n3sk) of Theori on 2023-01-25
- [1443401] High CVE-2023-2930: Use after free in Extensions. Reported by asnine on 2023-05-08
- [1444238] High CVE-2023-2931: Use after free in PDF. Reported by Huyna at Viettel Cyber Security on 2023-05-10
- [1444581] High CVE-2023-2932: Use after free in PDF. Reported by Huyna at Viettel Cyber Security on 2023-05-11
- [1445426] High CVE-2023-2933: Use after free in PDF. Reported by Quang Nguyễn (@quangnh89) of Viettel Cyber Security and Nguyen Phuong on 2023-05-15
- [1429720] High CVE-2023-2934: Out of bounds memory access in Mojo. Reported by Mark Brand of Google Project Zero on 2023-04-01
- [1440695] High CVE-2023-2935: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-04-27
- [1443452] High CVE-2023-2936: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-05-08
- [1413813] Medium CVE-2023-2937: Inappropriate implementation in Picture In Picture. Reported by NDevTK on 2023-02-08
- [1416350] Medium CVE-2023-2938: Inappropriate implementation in Picture In Picture. Reported by Alesandro Ortiz on 2023-02-15
- [1427431] Medium CVE-2023-2939: Insufficient data validation in Installer. Reported by ycdxsb from VARAS@IIE on 2023-03-24
- [1426807] Medium CVE-2023-2940: Inappropriate implementation in Downloads. Reported by Axel Chong on 2023-03-22
- [1430269] Low CVE-2023-2941: Inappropriate implementation in Extensions API. Reported by Jasper Rebane on 2023-04-04
more... | chromium ungoogled-chromium
more detail |
2023-05-30 | VuXML ID 79514fcd-feb4-11ed-92b5-b42e991fc52e
security-advisories@github.com reports:
Kanboard is project management software that focuses on the Kanban
methodology. Due to improper handling of elements under the
`contentEditable` element, maliciously crafted clipboard content
can inject arbitrary HTML tags into the DOM. A low-privileged
attacker with permission to attach a document on a vulnerable
Kanboard instance can trick the victim into pasting malicious
screenshot data and achieve cross-site scripting if CSP is improperly
configured. This issue has been patched in version 1.2.29.
more... | php80-kanboard
more detail |
2023-05-28 | VuXML ID 5d1b1a0a-fd36-11ed-a0d1-84a93843eb75
The MariaDB project reports:
MariaDB Server is vulnerable to Denial of Service. It is possible for
function spider_db_mbase::print_warnings to dereference a null pointer.
more... | mariadb1011-server mariadb103-server mariadb104-server mariadb105-server mariadb106-server
more detail |
2023-05-21 | VuXML ID 7d6be8d4-f812-11ed-a7ff-589cfc0f81b0
phpmyfaq developers report:
Multiple XSS vulnerabilities
more... | phpmyfaq
more detail |
2023-05-19 | VuXML ID 1ab7357f-a3c2-406a-89fb-fd00e49a71b5
Tim Wojtulewicz of Corelight reports:
A specially-crafted series of FTP packets with a CMD
command with a large path followed by a very large number
of replies could cause Zeek to spend a long time processing
the data.
A specially-crafted with a truncated header can cause
Zeek to overflow memory and potentially crash.
A specially-crafted series of SMTP packets can cause
Zeek to generate a very large number of events and take
a long time to process them.
A specially-crafted series of POP3 packets containing
MIME data can cause Zeek to spend a long time dealing
with each individual file ID.
more... | zeek
more detail |
2023-05-19 | VuXML ID a4f8bb03-f52f-11ed-9859-080027083a05
Wei Chong Tan, Harry Sintonen, and Hiroki Kurosawa report:
This update fixes 4 security vulnerabilities:
- Medium CVE-2023-28319: UAF in SSH sha256 fingerprint check. Reported by Wei Chong Tan on 2023-03-21
- Low CVE-2023-28320: siglongjmp race condition. Reported by Harry Sintonen on 2023-04-02
- Low CVE-2023-28321: IDN wildcard match. Reported by Hiroki Kurosawa on 2023-04-17
- Low CVE-2023-28322: more POST-after-PUT confusion. Reported by Hiroki Kurosawa on 2023-04-19
more... | curl
more detail |
2023-05-18 | VuXML ID b09d77d0-b27c-48ae-b69b-9641bb68b39e
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-29469
more... | electron22 electron23
more detail |
2023-05-17 | VuXML ID bea52545-f4a7-11ed-8290-a8a1599412c6
Chrome Releases reports:
This update includes 12 security fixes:
- [1444360] Critical CVE-2023-2721: Use after free in Navigation. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2023-05-10
- [1400905] High CVE-2023-2722: Use after free in Autofill UI. Reported by Rong Jian of VRI on 2022-12-14
- [1435166] High CVE-2023-2723: Use after free in DevTools. Reported by asnine on 2023-04-21
- [1433211] High CVE-2023-2724: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-04-14
- [1442516] High CVE-2023-2725: Use after free in Guest View. Reported by asnine on 2023-05-04
- [1442018] Medium CVE-2023-2726: Inappropriate implementation in WebApp Installs. Reported by Ahmed ElMasry on 2023-05-03
more... | chromium ungoogled-chromium
more detail |
2023-05-13 | VuXML ID 4a08a4fb-f152-11ed-9c88-001b217b3468
Gitlab reports:
Smuggling code changes via merge requests with refs/replace
more... | gitlab-ce
more detail |
2023-05-12 | VuXML ID ec63bc8e-f092-11ed-85ca-001517a2e1a4
Piwigo reports:
Piwigo is affected by multiple SQL injection issues.
more... | piwigo
more detail |
2023-05-11 | VuXML ID 4b636f50-f011-11ed-bbae-6cc21735f730
PostgreSQL Project reports:
While CVE-2016-2193 fixed most interaction between row security and
user ID changes, it missed a scenario involving function
inlining. This leads to potentially incorrect policies being
applied in cases where role-specific policies are used and a
given query is planned under one role and then executed under
other roles. This scenario can happen under security definer
functions or when a common user and query is planned
initially and then re-used across multiple SET ROLEs.
Applying an incorrect policy may permit a user to complete
otherwise-forbidden reads and modifications. This affects
only databases that have used CREATE POLICY to define a row
security policy.
more... | postgresql-server
more detail |
2023-05-11 | VuXML ID fbb5a260-f00f-11ed-bbae-6cc21735f730
PostgreSQL Project reports:
This enabled an attacker having database-level CREATE
privilege to execute arbitrary code as the bootstrap
superuser. Database owners have that right by default,
and explicit grants may extend it to other users.
more... | postgresql-server
more detail |
2023-05-10 | VuXML ID 7913fe6d-2c6e-40ba-a7d7-35696f3db2b6
secure@microsoft.com reports:
Visual Studio Code Information Disclosure Vulnerability
An information disclosure vulnerability exists in VS Code 1.78.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. An authorised attacker must send the user a malicious file and convince the user to open it for the vulnerability to occur. Exploiting this vulnerability could allow the disclosure of NTLM hashes.
more... | vscode
more detail |
2023-05-08 | VuXML ID 96b2d4db-ddd2-11ed-b6ea-080027f5fec9
Redis core team reports:
Authenticated users can use the HINCRBYFLOAT command to
create an invalid hash field that may later crash Redis on
access.
more... | redis redis6 redis62
more detail |
2023-05-06 | VuXML ID 89fdbd85-ebd2-11ed-9c88-001b217b3468
Gitlab reports:
Malicious Runner Attachment via GraphQL
more... | gitlab-ce
more detail |
2023-05-05 | VuXML ID d55e1b4d-eadc-11ed-9cc0-080027de9982
Django reports:
CVE-2023-31047: Potential bypass of validation when uploading multiple
files using one form field.
more... | py310-django32 py310-django41 py310-django42 py311-django32 py311-django41 py311-django42 py37-django32 py38-django32 py38-django41 py38-django42 py39-django32 py39-django41 py39-django42
more detail |
2023-05-03 | VuXML ID 246174d3-e979-11ed-8290-a8a1599412c6
Chrome Releases reports:
This update includes 15 security fixes:
- [1423304] Medium CVE-2023-2459: Inappropriate implementation in Prompts. Reported by Rong Jian of VRI on 2023-03-10
- [1419732] Medium CVE-2023-2460: Insufficient validation of untrusted input in Extensions. Reported by Martin Bajanik, Fingerprint[.]com on 2023-02-27
- [1350561] Medium CVE-2023-2461: Use after free in OS Inputs. Reported by @ginggilBesel on 2022-08-06
- [1375133] Medium CVE-2023-2462: Inappropriate implementation in Prompts. Reported by Alesandro Ortiz on 2022-10-17
- [1406120] Medium CVE-2023-2463: Inappropriate implementation in Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on 2023-01-10
- [1418549] Medium CVE-2023-2464: Inappropriate implementation in PictureInPicture. Reported by Thomas Orlita on 2023-02-23
- [1399862] Medium CVE-2023-2465: Inappropriate implementation in CORS. Reported by @kunte_ctf on 2022-12-10
- [1385714] Low CVE-2023-2466: Inappropriate implementation in Prompts. Reported by Jasper Rebane (popstonia) on 2022-11-17
- [1413586] Low CVE-2023-2467: Inappropriate implementation in Prompts. Reported by Thomas Orlita on 2023-02-07
- [1416380] Low CVE-2023-2468: Inappropriate implementation in PictureInPicture. Reported by Alesandro Ortiz on 2023-02-15
more... | chromium ungoogled-chromium
more detail |
2023-05-02 | VuXML ID 4ffcccae-e924-11ed-9c88-001b217b3468
Gitlab reports:
Privilege escalation for external users when OIDC is enabled under certain conditions
Account takeover through open redirect for Group SAML accounts
Users on banned IP addresses can still commit to projects
User with developer role (group) can modify Protected branches setting on imported project and leak group CI/CD variables
The Gitlab web interface does not guarantee file integrity when downloading source code or installation packages from a tag or from a release.
Banned group member continues to have access to the public projects of a public group with the access level as same as before the ban.
The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code.
XSS and content injection and iframe injection when viewing raw files on iOS devices
Authenticated users can find other users by their private email
more... | gitlab-ce
more detail |
2023-04-30 | VuXML ID 4da51989-5a8b-4eb9-b442-46d94ec0802d
Elijah Glover reports:
Malformed HTTP/1.1 requests can crash worker processes,
occasionally locking up child workers and causing denial of
service, and an outage dropping any open connections.
more... | h2o h2o-devel
more detail |
2023-04-29 | VuXML ID 02562a78-e6b7-11ed-b0ce-b42e991fc52e
security@ubuntu.com reports:
Sensitive data could be exposed in logs of cloud-init before version
23.1.2. An attacker could use this information to find hashed
passwords and possibly escalate their privilege.
more... | cloud-init cloud-init-devel
more detail |
2023-04-28* | VuXML ID 25872b25-da2d-11ed-b715-a1e76793953b
cve@mitre.org reports:
In Artifex Ghostscript through 10.01.0, there is a buffer overflow
leading to potential corruption of data internal to the PostScript
interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode,
TBCPEncode, and TBCPDecode. If the write buffer is filled to one
byte less than full, and one then tries to write an escaped character,
two bytes are written.
more... | ghostscript ghostscript7-base ghostscript7-commfont ghostscript7-jpnfont ghostscript7-korfont ghostscript7-x11 ghostscript8-base ghostscript8-x11 ghostscript9-agpl-base
more detail |
2023-04-26 | VuXML ID 0b85b1cd-e468-11ed-834b-6c3be5272acd
Grafana Labs reports:
An issue in how go handles backticks (`) with Javascript can lead to
an injection of arbitrary code into go templates. While Grafana Labs software
contains potentially vulnerable versions of go, we have not identified any
exploitable use cases at this time.
The CVSS score for this vulnerability is 0.0 (adjusted), 9.8 (base).
more... | grafana grafana8 grafana9
more detail |
2023-04-26 | VuXML ID 5e257b0d-e466-11ed-834b-6c3be5272acd
Grafana Labs reports:
When setting up Grafana, there is an option to enable
JWT authentication. Enabling this will allow users to authenticate towards
the Grafana instance with a special header (default X-JWT-Assertion).
In Grafana, there is an additional way to authenticate using JWT called
URL login where the token is passed as a query parameter.
When using this option, a JWT token is passed to the data source as a header,
which leads to exposure of sensitive information to an unauthorized party.
The CVSS score for this vulnerability is 4.2 Medium
more... | grafana grafana9
more detail |
2023-04-26 | VuXML ID c676bb1b-e3f8-11ed-b37b-901b0e9408dc
Matrix developers report:
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP
client into a web page. Prior to version 3.71.0, plain text messages
containing HTML tags are rendered as HTML in the search results.
To exploit this, an attacker needs to trick a user into searching
for a specific message containing an HTML injection payload. No
cross-site scripting attack is possible due to the hardcoded content
security policy. Version 3.71.0 of the SDK patches over the issue.
As a workaround, restarting the client will clear the HTML injection.
more... | element-web
more detail |
2023-04-26 | VuXML ID d2c6173f-e43b-11ed-a1d7-002590f2a714
git developers report:
This update includes 2 security fixes:
- CVE-2023-25652: By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch)
- CVE-2023-29007: A specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can be used to exploit a bug that can be used to inject arbitrary configuration into the user's git config. This can result in arbitrary execution of code, by inserting values for core.pager, core.editor and so on
more... | git git-lite git-tiny
more detail |
2023-04-25 | VuXML ID 4ee322e9-e363-11ed-b934-b42e991fc52e
security-advisories@github.com reports:
Jellyfin is a free-software media system. Versions starting with
10.8.0 and prior to 10.8.10 have a directory traversal
vulnerability inside the `ClientLogController`, specifically
`/ClientLog/Document`. When combined with a cross-site scripting
vulnerability (CVE-2023-30627), this can result in file write and
arbitrary code execution. Version 10.8.10 has a patch for this
issue. There are no known workarounds.
more... | jellyfin
more detail |
2023-04-24 | VuXML ID bb528d7c-e2c6-11ed-a3e6-589cfc0f81b0
phpmyfaq developers report:
XSS
email address manipulation
more... | phpmyfaq
more detail |
2023-04-22* | VuXML ID f504a8d2-e105-11ed-85f6-84a93843eb75
Oracle reports:
This Critical Patch Update contains 34 new security patches, plus
additional third party patches noted below, for Oracle MySQL. 11 of
these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without
requiring user credentials.
more... | mysql-client57 mysql-client80 mysql-connector-java mysql-server57 mysql-server80
more detail |
2023-04-20 | VuXML ID 90c48c04-d549-4fc0-a503-4775e32d438e
Chrome Releases reports:
This update includes 8 security fixes:
- [1429197] High CVE-2023-2133: Out of bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30
- [1429201] High CVE-2023-2134: Out of bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30
- [1424337] High CVE-2023-2135: Use after free in DevTools. Reported by Cassidy Kim(@cassidy6564) on 2023-03-14
- [1432603] High CVE-2023-2136: Integer overflow in Skia. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-04-12
- [1430644] Medium CVE-2023-2137: Heap buffer overflow in sqlite. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2023-04-05
more... | chromium ungoogled-chromium
more detail |
2023-04-16 | VuXML ID 0bd7f07b-dc22-11ed-bf28-589cfc0f81b0
The libxml2 project reports:
Hashing of empty dict strings isn't deterministic
Fix null deref in xmlSchemaFixupComplexType
more... | libxml2
more detail |
2023-04-15 | VuXML ID 6f0327d4-9902-4042-9b68-6fc2266944bc
Chrome Releases reports:
This update includes 2 security fixes:
- [1432210] High CVE-2023-2033: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-04-11
more... | chromium ungoogled-chromium
more detail |
2023-04-15 | VuXML ID e8b20517-dbb6-11ed-bf28-589cfc0f81b0
The mod_gnutls project reports:
Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Versions
from 0.9.0 to 0.12.0 (including) did not properly fail blocking
read operations on TLS connections when the transport hit timeouts.
Instead it entered an endless loop retrying the read operation,
consuming CPU resources. This could be exploited for denial of
service attacks. If trace level logging was enabled, it would also
produce an excessive amount of log output during the loop, consuming
disk space.
more... | ap24-mod_gnutls
more detail |
2023-04-12 | VuXML ID 96d6809a-81df-46d4-87ed-2f78c79f06b1
Tim Wojtulewicz of Corelight reports:
Receiving DNS responses from async DNS requests (via
A specially-crafted stream of FTP packets containing a
command reply with many intermediate lines can cause Zeek
to spend a large amount of time processing data.
A specially-crafted set of packets containing extremely
large file offsets can cause the reassembler code to
allocate large amounts of memory.
The DNS manager does not correctly expire responses
that don't contain any data, such as those containing NXDOMAIN
or NODATA status codes. This can lead to Zeek allocating
large amounts of memory for these responses and never
deallocating them.
A specially-crafted stream of RDP packets can cause
Zeek to spend large protocol validation.
A specially-crafted stream of SMTP packets can cause
Zeek to spend large amounts of time processing data.
more... | zeek
more detail |
2023-04-10 | VuXML ID 2acdf364-9f8d-4aaf-8d1b-867fdfd771c6
macosforgebot reports:
The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.
more... | py310-kerberos py311-kerberos py37-kerberos py38-kerberos py39-kerberos
more detail |
2023-04-10 | VuXML ID 374793ad-2720-4c4a-b86c-fc4a1780deac
ret2libc reports:
psutil (aka python-psutil) through 5.6.5 can have a double free.
This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
more... | py310-psutil121 py311-psutil121 py37-psutil121 py38-psutil121 py39-psutil121
more detail |
2023-04-10 | VuXML ID a32ef450-9781-414b-a944-39f2f61677f2
alex reports:
Previously, `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers.
This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python.
This is a soundness bug -- it allows programmers to misuse an API, it cannot be exploited by attacker controlled data alone.
This now correctly raises an exception.
This issue has been present since `update_into` was originally introduced in cryptography 1.8.
more... | py310-cryptography py311-cryptography py37-cryptography py38-cryptography py39-cryptography
more detail |
2023-04-10 | VuXML ID b54abe9d-7024-4d10-98b2-180cf1717766
matheusbrat reports:
The Beaker library through 1.12.1 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.
more... | py310-beaker py311-beaker py37-beaker py38-beaker py39-beaker
more detail |
2023-04-10 | VuXML ID c1a8ed1c-2814-4260-82aa-9e37c83aac93
pyca/cryptography's wheels include a statically linked copy of OpenSSL.
The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue.
More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and https://www.openssl.org/news/secadv/20230207.txt.
If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL.
Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
more... | py310-cryptography py311-cryptography py37-cryptography py38-cryptography py39-cryptography
more detail |
2023-04-10 | VuXML ID e1b77733-a982-442e-8796-a200571bfcf2
abeluck reports:
A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed.
Files would remain in the bucket exposing the data.
This issue affects directly data confidentiality.
A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers.
Files are written directly to the root bucket, making it possible to have collisions when running multiple ansible processes.
This issue affects mainly the service availability.
more... | py310-ansible py311-ansible py37-ansible py38-ansible py39-ansible
more detail |
2023-04-10 | VuXML ID f418cd50-561a-49a2-a133-965d03ede72a
Tapas jena reports:
A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory.
Any secret information in an async status file will be readable by a malicious user on that system.
This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
more... | py310-ansible py311-ansible py37-ansible py38-ansible py39-ansible
more detail |
2023-04-10* | VuXML ID faf7c1d0-f5bb-47b4-a6a8-ef57317b9766
NVD reports:
An issue was discovered in the FFmpeg package, where
vp3_decode_frame in libavcodec/vp3.c lacks check of the
return value of av_malloc() and will cause a null pointer
dereference, impacting availability.
A null pointer dereference issue was discovered in
'FFmpeg' in decode_main_header() function of
libavformat/nutdec.c file. The flaw occurs because the
function lacks check of the return value of
avformat_new_stream() and triggers the null pointer
dereference error, causing an application to crash.
A vulnerability classified as problematic has been found
in ffmpeg. This affects an unknown part of the file
libavcodec/rpzaenc.c of the component QuickTime RPZA Video
Encoder. The manipulation of the argument y_size leads to
out-of-bounds read. It is possible to initiate the attack
remotely. The name of the patch is
92f9b28ed84a77138105475beba16c146bdaf984. It is recommended
to apply a patch to fix this issue. The associated
identifier of this vulnerability is VDB-213543.
more... | avidemux emby-server emby-server-devel ffmpeg ffmpeg4 handbrake mythtv mythtv-frontend
more detail |
2023-04-09 | VuXML ID 0a38a0d9-757f-4ac3-9561-b439e933dfa9
Snyk reports:
This affects the package celery before 5.2.2.
It by default trusts the messages and metadata stored in backends (result stores).
When reading task metadata from the backend, the data is deserialized.
Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
more... | py39-celery
more detail |
2023-04-09 | VuXML ID 15dae5cc-9ee6-4577-a93e-2ab57780e707
Tom Wolters reports:
When using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry.
These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application.
more... | py39-sentry-sdk
more detail |
2023-04-09 | VuXML ID 17083017-d993-43eb-8aaf-7138f4486d1c
jwang-a reports:
An issue was discovered in split_region in uc.c in Unicorn Engine before 2.0.0-rc5.
It allows local attackers to escape the sandbox.
An attacker must first obtain the ability to execute crafted code in the target sandbox in order to exploit this vulnerability.
The specific flaw exists within the virtual memory manager.
The issue results from the faulty comparison of GVA and GPA while calling uc_mem_map_ptr to free part of a claimed memory block.
An attacker can leverage this vulnerability to escape the sandbox and execute arbitrary code on the host machine.
more... | py39-unicorn
more detail |
2023-04-09 | VuXML ID 187ab98e-2953-4495-b379-4060bd4b75ee
SCH227 reports:
Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.
Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.
This has been patched in version 65.5.1. The patch was backported to revision 44.1.1_1.
more... | py27-setuptools44
more detail |
2023-04-09 | VuXML ID 1b38aec4-4149-4c7d-851c-3c4de3a1fbd0
SCH227 reports:
Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.
Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.
This has been patched in version 65.5.1. The patch was backported to revision 63.1.0_1.
more... | py39-setuptools
more detail |
2023-04-09 | VuXML ID 24da150a-33e0-4fee-b4ee-2c6b377d3395
SCH227 reports:
Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.
Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.
This has been patched in version 65.5.1. The patch was backported to revision 58.5.3_3.
more... | py39-setuptools58
more detail |
2023-04-09 | VuXML ID 28a37df6-ba1a-4eed-bb64-623fc8e8dfd0
SCH227 reports:
The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
more... | py39-py
more detail |
2023-04-09 | VuXML ID 326b2f3e-6fc7-4661-955d-a772760db9cf
Thibaut Goetghebuer-Planchon reports:
The reference kernel of the CONV_3D_TRANSPOSE TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result.
Instead of `data_ptr += num_channels;` it should be `data_ptr += output_num_channels;` as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels.
An attacker can craft a model with a specific number of input channels in a way similar to the attached example script.
It is then possible to write specific values through the bias of the layer outside the bounds of the buffer.
This attack only works if the reference kernel resolver is used in the interpreter (i.e. `experimental_op_resolver_type=tf.lite.experimental.OpResolverType.BUILTIN_REF` is used).
more... | py310-tflite py311-tflite py37-tflite py38-tflite py39-tflite
more detail |
2023-04-09 | VuXML ID 3f6d6181-79b2-4d33-bb1e-5d3f9df0c1d1
drago-balto reports:
redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner.
The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3, but [are believed to be incomplete](https://github.com/redis/redis-py/issues/2665).
CVE-2023-28859 has been assigned the issues caused by the incomplete fixes.
more... | py39-redis
more detail |
2023-04-09 | VuXML ID 43e9ffd4-d6e0-11ed-956f-7054d21a9e2a
Philipp Jeitner and Haya Shulman report:
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking.
The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
more... | py39-pycares
more detail |
2023-04-09 | VuXML ID 52311651-f100-4720-8c62-0887dad6d321
Jingyi Shi reports:
The 'AvgPoolOp' function takes an argument `ksize` that must be positive but is not checked.
A negative `ksize` can trigger a `CHECK` failure and crash the program.
more... | py310-tensorflow py311-tensorflow py37-tensorflow py38-tensorflow py39-tensorflow
more detail |
2023-04-09 | VuXML ID 845f8430-d0ee-4134-ae35-480a3e139b8a
jimlinntu reports:
The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
more... | py39-joblib
more detail |
2023-04-09 | VuXML ID 8aa6340d-e7c6-41e0-b2a3-3c9e9930312a
drago-balto reports:
redis-py through 4.5.3 and 4.4.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request.
NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.
more... | py39-redis
more detail |
2023-04-09 | VuXML ID 8ccff771-ceca-43a0-85ad-3e595e73b425
21k reports:
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
nosecurity reports:
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
more... | py39-sqlalchemy11
more detail |
2023-04-09 | VuXML ID 93db4f92-9997-4f4f-8614-3963d9e2b0ec
Slixmpp before 1.8.3 lacks SSL Certificate hostname validation in XMLStream, allowing an attacker to pose as any server in the eyes of Slixmpp.
more... | py310-slixmpp py311-slixmpp py37-slixmpp py38-slixmpp py39-slixmpp
more detail |
2023-04-09 | VuXML ID 951b513a-9f42-436d-888d-2162615d0fe4
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method.
more... | py310-pymatgen py311-pymatgen py37-pymatgen py38-pymatgen py39-pymatgen
more detail |
2023-04-09 | VuXML ID a0509648-65ce-4a1b-855e-520a75bd2549
Utkarsh Gupta reports:
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0.
By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.
more... | py310-cinder py311-cinder py37-cinder py38-cinder py39-cinder
more detail |
2023-04-09 | VuXML ID ae132c6c-d716-11ed-956f-7054d21a9e2a
Kang Hong Jin, Neophytos Christou, Ã¥ÂÂÃ¥ÂÂ溠and Pattarakrit Rattankul report:
Another instance of CVE-2022-35935, where `SobolSample` is vulnerable to a denial of service via assumed scalar inputs, was found and fixed.
Pattarakrit Rattankul reports:
Another instance of CVE-2022-35991, where `TensorListScatter` and `TensorListScatterV2` crash via non scalar inputs in `element_shape`, was found in eager mode and fixed.
more... | py310-tensorflow py311-tensorflow py37-tensorflow py38-tensorflow py39-tensorflow
more detail |
2023-04-09 | VuXML ID b692a49c-9ae7-4958-af21-cbf8f5b819ea
asolino reports:
Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
more... | py310-impacket py311-impacket py37-impacket py38-impacket py39-impacket
more detail |
2023-04-09 | VuXML ID d2293e22-4390-42c2-a323-34cca2066000
21k reports:
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
nosecurity reports:
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
more... | py39-sqlalchemy12
more detail |
2023-04-09 | VuXML ID d82bcd2b-5cd6-421c-8179-b3ff0231029f
Yakun Zhang of Baidu Security reports:
An attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service
more... | py310-tflite py311-tflite py37-tflite py38-tflite py39-tflite
more detail |
2023-04-09 | VuXML ID de970aef-d60e-466b-8e30-1ae945a047f1
DarkTinia reports:
All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\).
**Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.
more... | py39-configobj
more detail |
2023-04-09 | VuXML ID e5d117b3-2153-4129-81ed-42b0221afa78
Jorge Rosillo reports:
OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution for `lxml`, and could lead to arbitrary file reads from an attacker-controlled XML payload.
This affects all XML parsing in the codebase.
more... | py39-OWSLib
more detail |
2023-04-09 | VuXML ID e87a9326-dd35-49fc-b20b-f57cbebaae87
ztauras reports:
Denial of service (DoS) vulnerability in Nicotine+ starting with version 3.0.3 and prior to version 3.2.1 allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character.
more... | py310-nicotine-plus py311-nicotine-plus py37-nicotine-plus py38-nicotine-plus py39-nicotine-plus
more detail |
2023-04-09 | VuXML ID f4a94232-7864-4afb-bbf9-ff2dc8e288d1
Duncan Thomas reports:
The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allow remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header.
more... | py310-cinder py311-cinder py37-cinder py38-cinder py39-cinder
more detail |
2023-04-09 | VuXML ID f767d615-01db-47e9-b4ab-07bb8d3409fd
OpenStack project reports:
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0.
When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the ``connection_info`` element in all Block Storage v3 Attachments API calls containing that element.
This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume.
Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API, should an attacker discover the Management API endpoint.
more... | py39-cinder
more detail |
2023-04-07 | VuXML ID 02e51cb3-d7e4-11ed-9f7a-5404a68ad561
The Go project reports:
HTTP and MIME header parsing can allocate large amounts
of memory, even when parsing small inputs, potentially
leading to a denial of service. Certain unusual patterns
of input data can cause the common function used to parse
HTTP and MIME headers to allocate substantially more
memory than required to hold the parsed headers. An
attacker can exploit this behavior to cause an HTTP
server to allocate large amounts of memory from a small
request, potentially leading to memory exhaustion and a
denial of service. With fix, header parsing now correctly
allocates only the memory required to hold parsed headers.
more... | traefik
more detail |
2023-04-07 | VuXML ID 348ee234-d541-11ed-ad86-a134a566f1e6
The Go project reports:
go/parser: infinite loop in parsing
Calling any of the Parse functions on Go source code
which contains //line directives with very large line
numbers can cause an infinite loop due to integer
overflow.
html/template: backticks not treated as string delimiters
Templates did not properly consider backticks (`) as
Javascript string delimiters, and as such did not escape
them as expected. Backticks are used, since ES6, for JS
template literals. If a template contained a Go template
action within a Javascript template literal, the contents
of the action could be used to terminate the literal,
injecting arbitrary Javascript code into the Go template.
As ES6 template literals are rather complex, and
themselves can do string interpolation, we've decided
to simply disallow Go template actions from being used
inside of them (e.g. "var a = {{.}}"), since there is no
obviously safe way to allow this behavior. This takes the
same approach as github.com/google/safehtml.
Template.Parse will now return an Error when it encounters
templates like this, with a currently unexported ErrorCode
with a value of 12. This ErrorCode will be exported in the
next major release.
net/http, net/textproto: denial of service from excessive
memory allocation
HTTP and MIME header parsing could allocate large
amounts of memory, even when parsing small inputs.
Certain unusual patterns of input data could cause the
common function used to parse HTTP and MIME headers to
allocate substantially more memory than required to hold
the parsed headers. An attacker can exploit this
behavior to cause an HTTP server to allocate large
amounts of memory from a small request, potentially
leading to memory exhaustion and a denial of service.
Header parsing now correctly allocates only the memory
required to hold parsed headers.
net/http, net/textproto, mime/multipart: denial of service
from excessive resource consumption
Multipart form parsing can consume large amounts of CPU
and memory when processing form inputs containing very
large numbers of parts. This stems from several causes:
mime/multipart.Reader.ReadForm limits the total memory a
parsed multipart form can consume. ReadForm could
undercount the amount of memory consumed, leading it to
accept larger inputs than intended. Limiting total
memory does not account for increased pressure on the
garbage collector from large numbers of small
allocations in forms with many parts. ReadForm could
allocate a large number of short-lived buffers, further
increasing pressure on the garbage collector. The
combination of these factors can permit an attacker to
cause a program that parses multipart forms to consume
large amounts of CPU and memory, potentially resulting
in a denial of service. This affects programs that use
mime/multipart.Reader.ReadForm, as well as form parsing
in the net/http package with the Request methods
FormFile, FormValue, ParseMultipartForm, and
PostFormValue. ReadForm now does a better job of
estimating the memory consumption of parsed forms, and
performs many fewer short-lived allocations. In
addition, mime/multipart.Reader now imposes the
following limits on the size of parsed forms: Forms
parsed with ReadForm may contain no more than 1000
parts. This limit may be adjusted with the environment
variable GODEBUG=multipartmaxparts=. Form parts parsed
with NextPart and NextRawPart may contain no more than
10,000 header fields. In addition, forms parsed with
ReadForm may contain no more than 10,000 header fields
across all parts. This limit may be adjusted with the
environment variable GODEBUG=multipartmaxheaders=.
more... | go119 go120
more detail |
2023-04-07 | VuXML ID e86b8e4d-d551-11ed-8d1e-005056a311d1
The Samba Team reports:
An incomplete access check on dnsHostName allows
authenticated but otherwise unprivileged users to
delete this attribute from any object in the directory.
The Samba AD DC administration tool, when operating
against a remote LDAP server, will by default send
new or reset passwords over a signed-only connection.
The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for
CVE-2018-10919 Confidential attribute disclosure via
LDAP filters was insufficient and an attacker may be
able to obtain confidential BitLocker recovery keys
from a Samba AD DC.
Installations with such secrets in their Samba AD
should assume they have been obtained and need replacing.
more... | samba416 samba417 samba418
more detail |
2023-04-05 | VuXML ID 3d5581ff-d388-11ed-8581-a8a1599412c6
Chrome Releases reports:
This update includes 16 security fixes:
- [1414018] High CVE-2023-1810: Heap buffer overflow in Visuals. Reported by Weipeng Jiang (@Krace) of VRI on 2023-02-08
- [1420510] High CVE-2023-1811: Use after free in Frames. Reported by Thomas Orlita on 2023-03-01
- [1418224] Medium CVE-2023-1812: Out of bounds memory access in DOM Bindings. Reported by Shijiang Yu on 2023-02-22
- [1423258] Medium CVE-2023-1813: Inappropriate implementation in Extensions. Reported by Axel Chong on 2023-03-10
- [1417325] Medium CVE-2023-1814: Insufficient validation of untrusted input in Safe Browsing. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2023-02-18
- [1278708] Medium CVE-2023-1815: Use after free in Networking APIs. Reported by DDV_UA on 2021-12-10
- [1413919] Medium CVE-2023-1816: Incorrect security UI in Picture In Picture. Reported by NDevTK on 2023-02-08
- [1418061] Medium CVE-2023-1817: Insufficient policy enforcement in Intents. Reported by Axel Chong on 2023-02-22
- [1223346] Medium CVE-2023-1818: Use after free in Vulkan. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research, Eric Lawrence, Microsoft, Patrick Walker (@HomeSen), and Kirtikumar Anandrao Ramchandani on 2021-06-24
- [1406588] Medium CVE-2023-1819: Out of bounds read in Accessibility. Reported by Microsoft Edge Team on 2023-01-12
- [1408120] Medium CVE-2023-1820: Heap buffer overflow in Browser History. Reported by raven at KunLun lab on 2023-01-17
- [1413618] Low CVE-2023-1821: Inappropriate implementation in WebShare. Reported by Axel Chong on 2023-02-07
- [1066555] Low CVE-2023-1822: Incorrect security UI in Navigation. Reported by ê°Âì°짠on 2020-04-01
- [1406900] Low CVE-2023-1823: Inappropriate implementation in FedCM. Reported by Jasper Rebane (popstonia) on 2023-01-13
more... | chromium ungoogled-chromium
more detail |
2023-04-01 | VuXML ID 466ba8bd-d033-11ed-addf-080027eda32c
MediaWiki reports:
(T285159, CVE-2023-PENDING) SECURITY: X-Forwarded-For header allows
brute-forcing autoblocked IP addresses.
(T326946, CVE-2020-36649) SECURITY: Bundled PapaParse copy in
VisualEditor has known ReDos.
(T330086, CVE-2023-PENDING) SECURITY: OATHAuth allows replay attacks when
MediaWiki is configured without ObjectCache; Insecure Default Configuration.
more... | mediawiki135 mediawiki138 mediawiki139
more detail |
2023-03-31 | VuXML ID 54006796-cf7b-11ed-a5d5-001b217b3468
Gitlab reports:
Cross-site scripting in "Maximum page reached" page
Private project guests can read new changes using a fork
Mirror repository error reveals password in Settings UI
DOS and high resource consumption of Prometheus server through abuse of Prometheus integration proxy endpoint
Unauthenticated users can view Environment names from public projects limited to project members only
Copying information to the clipboard could lead to the execution of unexpected commands
Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL
Arbitrary HTML injection possible when :soft_email_confirmation feature flag is enabled in the latest release
Framing of arbitrary content (leading to open redirects) on any page allowing user controlled markdown
MR for security reports are available to everyone
API timeout when searching for group issues
Unauthorised user can add child epics linked to victim's epic in an unrelated group
GitLab search allows to leak internal notes
Ambiguous branch name exploitation in GitLab
Improper permissions checks for moving an issue
Private project branches names can be leaked through a fork
more... | gitlab-ce
more detail |
2023-03-30 | VuXML ID 6bd2773c-cf1a-11ed-bd44-080027f5fec9
ooooooo_q reports:
The Time parser mishandles invalid strings that have
specific characters. It causes an increase in execution
time for parsing strings to Time objects.
more... | ruby ruby27 ruby30 ruby31 ruby32 rubygem-time
more detail |
2023-03-30 | VuXML ID 9b60bba1-cf18-11ed-bd44-080027f5fec9
Dominic Couture reports:
A ReDoS issue was discovered in the URI component. The URI
parser mishandles invalid URLs that have specific
characters. It causes an increase in execution time for
parsing strings to URI objects.
more... | ruby ruby27 ruby30 ruby31 ruby32 rubygem-uri
more detail |
2023-03-30 | VuXML ID dc33795f-ced7-11ed-b1fe-6805ca2fa271
PowerDNS Team reports:
PowerDNS Security Advisory 2023-02: Deterred spoofing attempts
can lead to authoritative servers being marked unavailable
more... | powerdns-recursor
more detail |
2023-03-29 | VuXML ID 425b9538-ce5f-11ed-ade3-d4c9ef517024
The OpenSSL project reports:
Severity: low
Applications that use a non-default option when verifying certificates may be
vulnerable to an attack from a malicious CA to circumvent certain checks.
The function X509_VERIFY_PARAM_add0_policy() is documented to
implicitly enable the certificate policy check when doing certificate
verification. However the implementation of the function does not
enable the check which allows certificates with invalid or incorrect
policies to pass the certificate verification.
more... | openssl openssl-quic openssl30 openssl31
more detail |
2023-03-29 | VuXML ID 5b0ae405-cdc7-11ed-bb39-901b0e9408dc
Matrix developers report:
Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk
to patch a pair of High severity vulnerabilities (CVE-2023-28427 /
GHSA-mwq8-fjpf-c2gr for matrix-js-sdk and CVE-2023-28103 / GHSA-6g43-88cp-w5gv
for matrix-react-sdk).
The issues involve prototype pollution via events containing special strings
in key locations, which can temporarily disrupt normal functioning of matrix-js-sdk
and matrix-react-sdk, potentially impacting the consumer's ability to process data
safely.
more... | cinny element-web
more detail |
2023-03-29 | VuXML ID 955eb3cc-ce0b-11ed-825f-6c3be5272acd
Grafana Labs reports:
When a user adds a Graphite data source, they can then use the data source
in a dashboard. This capability contains a feature to use Functions. Once
a function is selected, a small tooltip appears when hovering over the name
of the function. This tooltip allows you to delete the selected Function
from your query or show the Function Description. However, no sanitization
is done when adding this description to the DOM.
Since it is not uncommon to connect to public data sources, an attacker
could host a Graphite instance with modified Function Descriptions containing
XSS payloads. When the victim uses it in a query and accidentally hovers
over the Function Description, an attacker-controlled XSS payload
will be executed.
The severity of this vulnerability is of CVSSv3.1 5.7 Medium
(CVSS: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N (5.7)).
more... | grafana grafana8 grafana9
more detail |
2023-03-29 | VuXML ID 96d84238-b500-490b-b6aa-2b77090a0410
The X.Org project reports:
- ZDI-CAN-19866/CVE-2023-1393: X.Org Server Overlay Window Use-After-Free
Local Privilege Escalation Vulnerability
If a client explicitly destroys the compositor overlay window (aka COW),
the Xserver would leave a dangling pointer to that window in the CompScreen
structure, which will trigger a use-after-free later.
more... | xephyr xorg-nestserver xorg-server xorg-vfbserver xwayland xwayland-devel
more detail |
2023-03-28 | VuXML ID e4181981-ccf1-11ed-956f-7054d21a9e2a
21k reports:
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
nosecurity reports:
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
more... | py39-sqlalchemy10
more detail |
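The order_by / group_by reports above describe the classic "clause fragment spliced into SQL text" pattern. The following is an added example (not SQLAlchemy code and not from either report) that reproduces the pattern against an in-memory SQLite table and shows the allowlist fix; the table, rows, PROBE string and function names are all constructed for the demonstration:

```python
import sqlite3

# Constructed sample data; it is not from the advisory or from SQLAlchemy.
ROWS = [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")]

# A boolean-inference probe: it sorts ascending or descending depending on
# whether the embedded condition is true, so the row order answers a question
# about data the caller should not be able to read.
PROBE = ("(CASE WHEN (SELECT role FROM users WHERE id = 1) = 'admin' "
         "THEN -id ELSE id END)")

# Allowlist of sort keys the application is willing to expose.
ALLOWED_ORDER = {"id": "id", "name": "name", "role": "role"}


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return con


def list_users_vulnerable(con, order_by):
    # The pattern the advisory describes: a caller-controlled ORDER BY fragment
    # is spliced into the SQL text. Bind parameters cannot carry column names
    # or expressions here, so placeholders alone do not fix this.
    return con.execute(f"SELECT id, name FROM users ORDER BY {order_by}").fetchall()


def list_users_safe(con, order_by, descending=False):
    # Hardened form: resolve the caller's choice through an allowlist of column
    # names and build the clause only from those trusted strings.
    if order_by not in ALLOWED_ORDER:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    direction = "DESC" if descending else "ASC"
    sql = f"SELECT id, name FROM users ORDER BY {ALLOWED_ORDER[order_by]} {direction}"
    return con.execute(sql).fetchall()


def infer_user1_is_admin(con):
    # Attacker-side use of the vulnerable query: if the probe condition holds,
    # the rows come back in reverse id order. One bit of hidden data per request.
    rows = list_users_vulnerable(con, PROBE)
    return rows[0][0] == 3


def safe_rejects(con, order_by):
    # True when the hardened function refuses the given sort key.
    try:
        list_users_safe(con, order_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, probe :", list_users_vulnerable(con, PROBE))
    print("inferred admin    :", infer_user1_is_admin(con))
    print("safe, name DESC   :", list_users_safe(con, "name", descending=True))
    print("safe rejects probe:", safe_rejects(con, PROBE))
```

The point of the allowlist is that the only strings that ever reach the ORDER BY position are values the application itself wrote; direction is a separate boolean, never a string from the request.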
2023-03-26 | VuXML ID 2991178f-cbe8-11ed-956f-7054d21a9e2a
Red Hat Security Response Team reports:
Elixir 0.8.0 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database.
more... | py39-Elixir
more detail |
2023-03-26* | VuXML ID 70d0d2ec-cb62-11ed-956f-7054d21a9e2a
NIST reports:
The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.
more... | py39-rencode
more detail |
2023-03-26 | VuXML ID c13a8c17-cbeb-11ed-956f-7054d21a9e2a
TeamSeri0us reports:
An issue was discovered in py-lmdb 0.97. For certain values of md_flags, mdb_node_add does not properly set up a memcpy destination, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. For certain values of mp_flags, mdb_page_touch does not properly set up mc->mc_pg[mc->top], leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. mdb_node_del does not validate a memmove in the case of an unexpected node->mn_hi, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. For certain values of mn_flags, mdb_cursor_set triggers a memcpy with an invalid write operation within mdb_xcursor_init1. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. There is a divide-by-zero error in the function mdb_env_open2 if mdb_env_read_header obtains a zero value for a certain size field. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
more... | py39-lmdb
more detail |
2023-03-24 | VuXML ID 2fdb053c-ca25-11ed-9d7e-080027f5fec9
ooooooo_q reports:
Carefully crafted input can cause header parsing in Rack
to take an unexpected amount of time, possibly resulting
in a denial of service attack vector. Any applications
that parse headers using Rack (virtually all Rails
applications) are impacted.
more... | rubygem-rack rubygem-rack16 rubygem-rack22
more detail |
2023-03-24 | VuXML ID 6bacd9fd-ca56-11ed-bc52-589cfc0f81b0
phpmyfaq developers report:
XSS
weak passwords
privilege escalation
Captcha bypass
more... | phpmyfaq
more detail |
2023-03-24 | VuXML ID dec6b8e9-c9fe-11ed-bb39-901b0e9408dc
Dino team reports:
Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows
attackers to modify the personal bookmark store via a crafted
message. The attacker can change the display of group chats or
force a victim to join a group chat; the victim may then be tricked
into disclosing sensitive information.
more... | dino
more detail |
2023-03-23 | VuXML ID 1b15a554-c981-11ed-bb39-901b0e9408dc
Tailscale team reports:
A vulnerability identified in the implementation of Tailscale SSH in FreeBSD
allowed commands to be run with a higher privilege group ID than that specified
by Tailscale SSH access rules.
more... | tailscale
more detail |
2023-03-23 | VuXML ID 38f213b6-8f3d-4067-91ef-bf14de7ba518
The X.Org project reports:
- CVE-2022-46285: Infinite loop on unclosed comments
When reading XPM images from a file with libXpm 3.5.14 or older, if a
comment in the file is not closed (i.e. a C-style comment starts with
"/*" and is missing the closing "*/"), the ParseComment() function will
loop forever calling getc() to try to read the rest of the comment,
failing to notice that it has returned EOF, which may cause a denial of
service to the calling program.
This issue was found by Marco Ivaldi of the Humanativa Group's HN Security team.
The fix is provided in
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148
- CVE-2022-44617: Runaway loop on width of 0 and enormous height
When reading XPM images from a file with libXpm 3.5.14 or older, if an
image has a width of 0 and a very large height, the ParsePixels() function
will loop over the entire height calling getc() and ungetc() repeatedly,
or in some circumstances, may loop seemingly forever, which may cause a denial
of service to the calling program when given a small crafted XPM file to parse.
This issue was found by Martin Ettl.
The fix is provided in
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/f80fa6ae47ad4a5beacb28
and
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/c5ab17bcc34914c0b0707d
- CVE-2022-4883: compression commands depend on $PATH
By default, on all platforms except MinGW, libXpm will detect if a filename
ends in .Z or .gz, and will when reading such a file fork off an uncompress
or gunzip command to read from via a pipe, and when writing such a file will
fork off a compress or gzip command to write to via a pipe.
In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
to find the commands. If libXpm is called from a program running with
raised privileges, such as via setuid, then a malicious user could set
$PATH to include programs of their choosing to be run with those privileges.
This issue was found by Alan Coopersmith of the Oracle Solaris team.
more... | libXpm
more detail |
2023-03-22 | VuXML ID c8b334e0-6e83-4575-81d1-f9d5803ceb07
Chrome Releases reports:
This update includes 8 security fixes:
- [1421773] High CVE-2023-1528: Use after free in Passwords. Reported by Wan Choi of Seoul National University on 2023-03-07
- [1419718] High CVE-2023-1529: Out of bounds memory access in WebHID. Reported by anonymous on 2023-02-27
- [1419831] High CVE-2023-1530: Use after free in PDF. Reported by The UK's National Cyber Security Centre (NCSC) on 2023-02-27
- [1415330] High CVE-2023-1531: Use after free in ANGLE. Reported by Piotr Bania of Cisco Talos on 2023-02-13
- [1421268] High CVE-2023-1532: Out of bounds read in GPU Video. Reported by Mark Brand of Google Project Zero on 2023-03-03
- [1422183] High CVE-2023-1533: Use after free in WebProtect. Reported by Weipeng Jiang (@Krace) of VRI on 2023-03-07
- [1422594] High CVE-2023-1534: Out of bounds read in ANGLE. Reported by Jann Horn and Mark Brand of Google Project Zero on 2023-03-08
more... | chromium ungoogled-chromium
more detail |
2023-03-21 | VuXML ID a60cc0e4-c7aa-11ed-8a4b-080027f5fec9
Yupeng Yang reports:
Authenticated users can use the MSETNX command to trigger
a runtime assertion and termination of the Redis server
process.
more... | redis redis-devel
more detail |
2023-03-20 | VuXML ID 0d7d104c-c6fb-11ed-8a4b-080027f5fec9
Harry Sintonen reports:
- CVE-2023-27533
curl supports communicating using the TELNET protocol
and as a part of this it offers users to pass on user
name and "telnet options" for the server
negotiation.
Due to lack of proper input scrubbing and without it
being the documented functionality, curl would pass on
user name and telnet options to the server as
provided. This could allow users to pass in carefully
crafted content that pass on content or do option
negotiation without the application intending to do
so. In particular if an application for example allows
users to provide the data or parts of the data.
- CVE-2023-27534
curl supports SFTP transfers. curl's SFTP implementation
offers a special feature in the path component of URLs:
a tilde (~) character as the first path element in the
path to denotes a path relative to the user's home
directory. This is supported because of wording in the
once proposed to-become RFC draft that was to dictate
how SFTP URLs work.
Due to a bug, the handling of the tilde in SFTP path did
however not only replace it when it is used stand-alone
as the first path element but also wrongly when used as
a mere prefix in the first element.
Using a path like /~2/foo when accessing a server using
the user dan (with home directory /home/dan) would then
quite surprisingly access the file /home/dan2/foo.
This can be taken advantage of to circumvent filtering
or worse.
- CVE-2023-27535
libcurl would reuse a previously created FTP connection
even when one or more options had been changed that
could have made the effective user a very different one,
thus leading to the second transfer being done with wrong
credentials.
libcurl keeps previously used connections in a
connection pool for subsequent transfers to reuse if one
of them matches the setup. However, several FTP settings
were left out from the configuration match checks,
making them match too easily. The settings in questions
are CURLOPT_FTP_ACCOUNT,
CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and
CURLOPT_USE_SSL level.
- CVE-2023-27536
libcurl would reuse a previously created connection even
when the GSS delegation (CURLOPT_GSSAPI_DELEGATION)
option had been changed that could have changed the
user's permissions in a second transfer.
libcurl keeps previously used connections in a
connection pool for subsequent transfers to reuse if one
of them matches the setup. However, this GSS delegation
setting was left out from the configuration match
checks, making them match too easily, affecting
krb5/kerberos/negotiate/GSSAPI transfers.
- CVE-2023-27537
libcurl supports sharing HSTS data between separate
"handles". This sharing was introduced without
considerations for doing this sharing across separate
threads but there was no indication of this fact in the
documentation.
Due to missing mutexes or thread locks, two threads
sharing the same HSTS data could end up doing a
double-free or use-after-free.
- CVE-2023-27538
libcurl would reuse a previously created connection even
when an SSH related option had been changed that should
have prohibited reuse.
libcurl keeps previously used connections in a
connection pool for subsequent transfers to reuse if one
of them matches the setup. However, two SSH settings
were left out from the configuration match checks,
making them match too easily.
more... | curl
more detail |
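The CVE-2023-27534 entry above is a good illustration of prefix matching where an exact-element match was intended. The following is an added example, not curl's code, that models the two behaviours on the path string only (the HOME_DIRS table and the function names are constructed for the demonstration; a real server resolves the home directory itself):

```python
# Constructed account table standing in for the SFTP server's user database.
HOME_DIRS = {"dan": "/home/dan", "dan2": "/home/dan2"}


def expand_tilde_buggy(path, user):
    # Reproduces the defect the advisory describes: any first element that
    # merely starts with "~" is treated as the home directory, so "/~2/foo"
    # becomes "<home>2/foo" instead of being left alone.
    if path.startswith("/~"):
        return HOME_DIRS[user] + path[2:]
    return path


def expand_tilde_fixed(path, user):
    # Expand only when the whole first element is "~". Names such as "~2" or
    # "~foo" are ordinary path elements and stay untouched.
    parts = path.split("/")
    if len(parts) >= 2 and parts[1] == "~":
        rest = "/".join(parts[2:])
        home = HOME_DIRS[user]
        return home + "/" + rest if rest else home
    return path


def resolved_paths(path, user):
    # Returns (buggy, fixed) so the divergence is visible side by side.
    return expand_tilde_buggy(path, user), expand_tilde_fixed(path, user)


if __name__ == "__main__":
    for p in ("/~/foo", "/~2/foo", "/~", "/etc/passwd"):
        print(f"{p:12} -> buggy {resolved_paths(p, 'dan')[0]:18} fixed {resolved_paths(p, 'dan')[1]}")
```

The fixed variant splits on the separator first and compares the whole element, which is the check that was missing: a string prefix test can never distinguish `~` from `~2`.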
2023-03-16 | VuXML ID 72583cb3-a7f9-11ed-bd9e-589cfc0f81b0
phpMyAdmin Team reports:
PMASA-2023-1 XSS vulnerability in drag-and-drop upload
more... | phpMyAdmin phpMyAdmin-php80 phpMyAdmin-php81 phpMyAdmin-php82 phpMyAdmin5 phpMyAdmin5-php80 phpMyAdmin5-php81 phpMyAdmin5-php82
more detail |
2023-03-11 | VuXML ID 8edeb3c1-bfe7-11ed-96f5-3497f65b111b
The Apache httpd project reports:
- CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
HTTP response splitting (cve.mitre.org).
HTTP Response Smuggling vulnerability in Apache HTTP Server
via mod_proxy_uwsgi. This issue affects Apache HTTP Server:
from 2.4.30 through 2.4.55.
Special characters in the origin response header can
truncate/split the response forwarded to the client.
- CVE-2023-25690: HTTP request splitting with mod_rewrite
and mod_proxy (cve.mitre.org).
Some mod_proxy configurations on Apache HTTP Server versions
2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along
with some form of RewriteRule or ProxyPassMatch in which a
non-specific pattern matches some portion of the user-supplied
request-target (URL) data and is then re-inserted into the
proxied request-target using variable substitution.
more... | apache24
more detail |
2023-03-09 | VuXML ID d357f6bb-0af4-4ac9-b096-eeec183ad829
Chrome Releases reports:
This update includes 40 security fixes:
- [1411210] High CVE-2023-1213: Use after free in Swiftshader. Reported by Jaehun Jeong(@n3sk) of Theori on 2023-01-30
- [1412487] High CVE-2023-1214: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2023-02-03
- [1417176] High CVE-2023-1215: Type Confusion in CSS. Reported by Anonymous on 2023-02-17
- [1417649] High CVE-2023-1216: Use after free in DevTools. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2023-02-21
- [1412658] High CVE-2023-1217: Stack buffer overflow in Crash reporting. Reported by sunburst of Ant Group Tianqiong Security Lab on 2023-02-03
- [1413628] High CVE-2023-1218: Use after free in WebRTC. Reported by Anonymous on 2023-02-07
- [1415328] High CVE-2023-1219: Heap buffer overflow in Metrics. Reported by Sergei Glazunov of Google Project Zero on 2023-02-13
- [1417185] High CVE-2023-1220: Heap buffer overflow in UMA. Reported by Sergei Glazunov of Google Project Zero on 2023-02-17
- [1385343] Medium CVE-2023-1221: Insufficient policy enforcement in Extensions API. Reported by Ahmed ElMasry on 2022-11-16
- [1403515] Medium CVE-2023-1222: Heap buffer overflow in Web Audio API. Reported by Cassidy Kim(@cassidy6564) on 2022-12-24
- [1398579] Medium CVE-2023-1223: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2022-12-07
- [1403539] Medium CVE-2023-1224: Insufficient policy enforcement in Web Payments API. Reported by Thomas Orlita on 2022-12-25
- [1408799] Medium CVE-2023-1225: Insufficient policy enforcement in Navigation. Reported by Roberto Ffrench-Davis @Lihaft on 2023-01-20
- [1013080] Medium CVE-2023-1226: Insufficient policy enforcement in Web Payments API. Reported by Anonymous on 2019-10-10
- [1348791] Medium CVE-2023-1227: Use after free in Core. Reported by @ginggilBesel on 2022-07-31
- [1365100] Medium CVE-2023-1228: Insufficient policy enforcement in Intents. Reported by Axel Chong on 2022-09-18
- [1160485] Medium CVE-2023-1229: Inappropriate implementation in Permission prompts. Reported by Thomas Orlita on 2020-12-20
- [1404230] Medium CVE-2023-1230: Inappropriate implementation in WebApp Installs. Reported by Axel Chong on 2022-12-30
- [1274887] Medium CVE-2023-1231: Inappropriate implementation in Autofill. Reported by Yan Zhu, Brave on 2021-11-30
- [1346924] Low CVE-2023-1232: Insufficient policy enforcement in Resource Timing. Reported by Sohom Datta on 2022-07-24
- [1045681] Low CVE-2023-1233: Insufficient policy enforcement in Resource Timing. Reported by Soroush Karami on 2020-01-25
- [1404621] Low CVE-2023-1234: Inappropriate implementation in Intents. Reported by Axel Chong on 2023-01-03
- [1404704] Low CVE-2023-1235: Type Confusion in DevTools. Reported by raven at KunLun lab on 2023-01-03
- [1374518] Low CVE-2023-1236: Inappropriate implementation in Internals. Reported by Alesandro Ortiz on 2022-10-14
more... | chromium ungoogled-chromium
more detail |
2023-03-09 | VuXML ID f68bb358-be8e-11ed-9215-00e081b7aa2d
Jenkins Security Advisory:
Description
(High) SECURITY-3037 / CVE-2023-27898
XSS vulnerability in plugin manager
(Medium) SECURITY-3030 / CVE-2023-24998 (upstream issue), CVE-2023-27900 (MultipartFormDataParser), CVE-2023-27901 (StaplerRequest)
DoS vulnerability in bundled Apache Commons FileUpload library
(Medium) SECURITY-1807 / CVE-2023-27902
Workspace temporary directories accessible through directory browser
(Low) SECURITY-3058 / CVE-2023-27903
Temporary file parameter created with insecure permissions
(Low) SECURITY-2120 / CVE-2023-27904
Information disclosure through error stack traces related to agents
more... | jenkins jenkins-lts
more detail |
2023-03-08 | VuXML ID 6678211c-bd47-11ed-beb0-1c1b0d9ea7e6
The Apache Openoffice project reports:
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice
more... | apache-openoffice apache-openoffice-devel
more detail |
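Both the Elixir entry (Blowfish in CFB mode without a unique IV) and the OpenOffice CVE-2022-26306 entry above are the same defect: a fixed initialization vector. The following added example, written for this page and not taken from either project, shows why CFB with a reused IV leaks: the first keystream block depends only on key and IV, so equal plaintext prefixes give equal ciphertext prefixes and the XOR of two ciphertexts reveals the XOR of the plaintexts. The block function is a keyed hash truncated to 8 bytes standing in for Blowfish (an assumption, not a real cipher); KEY, P1, P2 and all names are constructed:

```python
import hashlib
import os

BLOCK = 8  # Blowfish has a 64-bit block; block_fn below is a stand-in, not Blowfish


def block_fn(key, block):
    # Keyed pseudo-random function truncated to one block. It plays the role of
    # the cipher's forward direction so the mode can be shown without a real
    # Blowfish implementation; do not use it as a cipher.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key, iv, plaintext):
    # CFB: C_i = P_i xor E_k(C_{i-1}), with C_0 = IV. The first keystream block
    # depends on nothing but the key and the IV. A short final block is handled
    # because xor() truncates to the shorter input.
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        c = xor(plaintext[i:i + BLOCK], block_fn(key, prev))
        out += c
        prev = c
    return bytes(out)


def cfb_decrypt(key, iv, ciphertext):
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += xor(c, block_fn(key, prev))
        prev = c
    return bytes(out)


def shared_prefix_blocks(c1, c2):
    # Number of leading ciphertext blocks that are identical.
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


def first_block_xor_leak(key, iv, p1, p2):
    # With a reused IV the two messages share their first keystream block, so
    # C1 xor C2 equals P1 xor P2 for that block and needs no key to compute.
    c1, c2 = cfb_encrypt(key, iv, p1), cfb_encrypt(key, iv, p2)
    return xor(c1[:BLOCK], c2[:BLOCK])


def encrypt_with_fresh_iv(key, plaintext):
    # Hardened form: a random IV per record, stored in front of the ciphertext.
    iv = os.urandom(BLOCK)
    return iv + cfb_encrypt(key, iv, plaintext)


def decrypt_with_stored_iv(key, record):
    return cfb_decrypt(key, record[:BLOCK], record[BLOCK:])


if __name__ == "__main__":
    KEY, IV = b"master-key", bytes(BLOCK)          # constructed key and fixed IV
    P1, P2 = b"password:hunter2!!!", b"password:letmein123"
    c1, c2 = cfb_encrypt(KEY, IV, P1), cfb_encrypt(KEY, IV, P2)
    print("identical leading blocks:", shared_prefix_blocks(c1, c2))
    print("P1 xor P2, block 0      :", first_block_xor_leak(KEY, IV, P1, P2).hex())
```

With a fixed IV the attacker who holds the configuration store can tell which entries share a prefix and, given one known password, strip the keystream from the others' first block. A fresh random IV per record removes both properties at no cost beyond 8 stored bytes.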
2023-03-08 | VuXML ID 742279d6-bdbe-11ed-a179-2b68e9d12706
The Go project reports:
crypto/elliptic: incorrect P-256 ScalarMult and
ScalarBaseMult results
The ScalarMult and ScalarBaseMult methods of the P256
Curve may return an incorrect result if called with some
specific unreduced scalars (a scalar larger than the
order of the curve).
more... | go119 go120
more detail |
2023-03-08 | VuXML ID bed545c6-bdb8-11ed-bca8-a33124f1beb1
Mantis 2.25.6 release reports:
Security and maintenance release
- 0031086: Private issue summary disclosure (CVE-2023-22476)
- 0030772: Update (bundled) moment.js to 2.29.4 (CVE-2022-31129)
- 0030791: Allow adding relation type noopener/noreferrer to outgoing links
more... | mantis-php74 mantis-php80 mantis-php81 mantis-php82
more detail |
2023-03-06 | VuXML ID f0798a6a-bbdb-11ed-ba99-080027f5fec9
Aaron Patterson reports:
The Multipart MIME parsing code in Rack limits the number
of file parts, but does not limit the total number of
parts that can be uploaded. Carefully crafted requests can
abuse this and cause multipart parsing to take longer than
expected.
more... | rubygem-rack rubygem-rack16 rubygem-rack22
more detail |
2023-03-05 | VuXML ID be233fc6-bae7-11ed-a4fb-080027f5fec9
Harry Sintonen and Patrick Monnerat report:
- CVE-2023-23914
A cleartext transmission of sensitive information
vulnerability exists in curl < v7.88.0 that could
cause HSTS functionality fail when multiple URLs are
requested serially. Using its HSTS support, curl can be
instructed to use HTTPS instead of using an insecure
clear-text HTTP step even when HTTP is provided in the
URL. This HSTS mechanism would however surprisingly be
ignored by subsequent transfers when done on the same
command line because the state would not be properly
carried on.
- CVE-2023-23915
A cleartext transmission of sensitive information
vulnerability exists in curl < v7.88.0 that could
cause HSTS functionality to behave incorrectly when
multiple URLs are requested in parallel. Using its HSTS
support, curl can be instructed to use HTTPS instead of
using an insecure clear-text HTTP step even when HTTP is
provided in the URL. This HSTS mechanism would however
surprisingly fail when multiple transfers are done in
parallel as the HSTS cache file gets overwritten by the
most recently completed transfer. A later HTTP-only
transfer to the earlier host name would then *not* get
upgraded properly to HSTS.
- CVE-2023-23916
An allocation of resources without limits or throttling
vulnerability exists in curl < v7.88.0 based on the
"chained" HTTP compression algorithms, meaning
that a server response can be compressed multiple times
and potentially with different algorithms. The number of
acceptable "links" in this "decompression
chain" was capped, but the cap was implemented on a
per-header basis allowing a malicious server to insert a
virtually unlimited number of compression steps simply
by using many headers. The use of such a decompression
chain could result in a "malloc bomb", making
curl end up spending enormous amounts of allocated heap
memory, or trying to and returning out of memory errors.
more... | curl
more detail |
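The CVE-2023-23916 entry above turns on where a limit is enforced rather than whether one exists. The following added example (not curl's code) parses a constructed HTTP response with several Content-Encoding headers and compares a per-header cap with a cap on the whole chain; MAX_LINKS is a value chosen for the demonstration, the page does not state curl's limit, and the header parser and function names are assumptions:

```python
MAX_LINKS = 5  # constructed cap; the page does not state curl's value

# Constructed server response with several short Content-Encoding headers;
# each is under the cap on its own, the chain they form together is not.
MALICIOUS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Encoding: gzip, deflate, br\r\n"
    "Content-Encoding: gzip, deflate, br\r\n"
    "Content-Encoding: gzip, deflate, br\r\n"
    "\r\n"
)

BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Encoding: gzip\r\n"
    "\r\n"
)


def parse_headers(raw):
    # Minimal header parser: returns (name, value) pairs in wire order,
    # skipping the status line and the blank terminator.
    headers = []
    for line in raw.split("\r\n"):
        if not line or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def codings_in(value):
    return [c.strip().lower() for c in value.split(",") if c.strip()]


def chain_capped_per_header(headers, cap=MAX_LINKS):
    # Pre-fix behaviour from the advisory: the cap is checked against each
    # header separately, so the total chain can grow without bound.
    chain = []
    for name, value in headers:
        if name.lower() != "content-encoding":
            continue
        codings = codings_in(value)
        if len(codings) > cap:
            raise ValueError("too many codings in one Content-Encoding header")
        chain.extend(codings)
    return chain


def chain_capped_total(headers, cap=MAX_LINKS):
    # Fixed behaviour: count the links across all headers before accepting any.
    chain = []
    for name, value in headers:
        if name.lower() == "content-encoding":
            chain.extend(codings_in(value))
            if len(chain) > cap:
                raise ValueError(f"decompression chain longer than {cap}: {chain}")
    return chain


def chain_rejected(headers, checker):
    try:
        checker(headers)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bad = parse_headers(MALICIOUS_RESPONSE)
    print("per-header cap accepts chain of", len(chain_capped_per_header(bad)))
    print("total cap rejects it:", chain_rejected(bad, chain_capped_total))
```

The same reasoning applies to any limit a client applies to repeatable headers: if the attacker controls how many times the header appears, a per-occurrence limit is no limit at all.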
2023-03-04 | VuXML ID 3f9b6943-ba58-11ed-bbbd-00e0670f2660
strongSwan reports:
A vulnerability related to certificate verification in TLS-based EAP methods
was discovered in strongSwan that results in a denial of service
but possibly even remote code execution. Versions 5.9.8 and 5.9.9
may be affected.
more... | strongswan
more detail |
2023-03-03 | VuXML ID f7c5b3a9-b9fb-11ed-99c6-001b217b3468
Gitlab reports:
Stored XSS via Kroki diagram
Prometheus integration Google IAP details are not hidden, may leak account details from instance/group/project settings
Improper validation of SSO and SCIM tokens while managing groups
Maintainer can leak Datadog API key by changing Datadog site
Clipboard based XSS in the title field of work items
Improper user right checks for personal snippets
Release Description visible in public projects despite release set as project members only
Group integration settings sensitive information exposed to project maintainers
Improve pagination limits for commits
Gitlab Open Redirect Vulnerability
Maintainer may become an Owner of a project
more... | gitlab-ce
more detail |
2023-03-01 | VuXML ID 6dccc186-b824-11ed-b695-6c3be5272acd
Grafana Labs reports:
During an internal audit of Grafana on January 1, a member of the security
team found a stored XSS vulnerability affecting the core text plugin.
The stored XSS vulnerability requires several user interactions in order
to be fully exploited. The vulnerability was possible due to React's render
cycle that will pass through the unsanitized HTML code, but in the next cycle,
the HTML is cleaned up and saved in Grafana's database.
The CVSS score for this vulnerability is 6.4 Medium
(CVSS:6.4/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).
more... | grafana grafana9
more detail |
2023-03-01 | VuXML ID b17bce48-b7c6-11ed-b304-080027f5fec9
The Redis core team reports:
- CVE-2023-25155
Specially crafted SRANDMEMBER, ZRANDMEMBER, and
HRANDFIELD commands can trigger an integer overflow,
resulting in a runtime assertion and termination of the
Redis server process.
- CVE-2022-36021
String matching commands (like SCAN or KEYS) with a
specially crafted pattern can trigger a denial-of-service
attack on Redis, causing it to hang and consume 100% CPU
time.
more... | redis redis-devel redis6 redis62
more detail |
2023-03-01 | VuXML ID e2a8e2bd-b808-11ed-b695-6c3be5272acd
Grafana Labs reports:
During an internal audit of Grafana on January 25, a member of the security
team found a stored XSS vulnerability affecting the core geomap plugin.
The stored XSS vulnerability was possible because map attributions weren't
properly sanitized, allowing arbitrary JavaScript to be executed in the context
of the currently authorized user of the Grafana instance.
The CVSS score for this vulnerability is 7.3 High
(CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
more... | grafana grafana8 grafana9
more detail |
2023-03-01 | VuXML ID e7841611-b808-11ed-b695-6c3be5272acd
Grafana Labs reports:
During an internal audit of Grafana on January 30, a member
of the engineering team found a stored XSS vulnerability affecting
the TraceView panel.
The stored XSS vulnerability was possible because the value of a span's
attributes/resources were not properly sanitized, and this will be rendered
when the span's attributes/resources are expanded.
The CVSS score for this vulnerability is 7.3 High
(CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
more... | grafana grafana8 grafana9
more detail |
2023-02-27 | VuXML ID a75929bd-b6a4-11ed-bad6-080027f5fec9
Xi Lu reports:
- CVE-2022-48337
GNU Emacs through 28.2 allows attackers to execute
commands via shell metacharacters in the name of a
source-code file, because lib-src/etags.c uses the
system C library function in its implementation of the
etags program. For example, a victim may use the
"etags -u *" command (suggested in the etags
documentation) in a situation where the current working
directory has contents that depend on untrusted input.
- CVE-2022-48338
An issue was discovered in GNU Emacs through 28.2. In
ruby-mode.el, the ruby-find-library-file function has a
local command injection vulnerability. The
ruby-find-library-file function is an interactive
function, and bound to C-c C-f. Inside the function, the
external command gem is called through
shell-command-to-string, but the feature-name parameters
are not escaped. Thus, malicious Ruby source files may
cause commands to be executed.
- CVE-2022-48339
An issue was discovered in GNU Emacs through
28.2. htmlfontify.el has a command injection
vulnerability. In the hfy-istext-command function, the
parameter file and parameter srcdir come from external
input, and parameters are not escaped. If a file name or
directory name contains shell metacharacters, code may
be executed.
more... | emacs emacs-canna emacs-devel emacs-devel-nox emacs-nox
more detail |
2023-02-24 | VuXML ID c682923d-b444-11ed-9268-b42e991fc52e
MITRE reports:
FreeRDP based clients on unix systems using
`/parallel` command line switch might read uninitialized
data and send it to the server the client is currently
connected to. FreeRDP based server implementations are not
affected.
more... | freerdp
more detail |
2023-02-24 | VuXML ID dd271de6-b444-11ed-9268-b42e991fc52e
MITRE reports:
All FreeRDP based clients when using the `/video`
command line switch might read uninitialized data, decode
it as audio/video and display the result. FreeRDP based
server implementations are not affected.
more... | freerdp
more detail |
2023-02-22 | VuXML ID 4d6b5ea9-bc64-4e77-a7ee-d62ba68a80dd
Chrome Releases reports:
This update includes 10 security fixes:
- [1415366] Critical CVE-2023-0941: Use after free in Prompts. Reported by Anonymous on 2023-02-13
- [1414738] High CVE-2023-0927: Use after free in Web Payments API. Reported by Rong Jian of VRI on 2023-02-10
- [1309035] High CVE-2023-0928: Use after free in SwiftShader. Reported by Anonymous on 2022-03-22
- [1399742] High CVE-2023-0929: Use after free in Vulkan. Reported by Cassidy Kim(@cassidy6564) on 2022-12-09
- [1410766] High CVE-2023-0930: Heap buffer overflow in Video. Reported by Cassidy Kim(@cassidy6564) on 2023-01-27
- [1407701] High CVE-2023-0931: Use after free in Video. Reported by Cassidy Kim(@cassidy6564) on 2023-01-17
- [1413005] High CVE-2023-0932: Use after free in WebRTC. Reported by Omri Bushari (Talon Cyber Security) on 2023-02-05
- [1404864] Medium CVE-2023-0933: Integer overflow in PDF. Reported by Zhiyi Zhang from Codesafe Team of Legendsec at QI-ANXIN
more... | chromium ungoogled-chromium
more detail |
2023-02-21 | VuXML ID 21f12de8-b1db-11ed-b0f4-002590f2a714
git team reports:
By feeding a crafted input to "git apply", a path outside the
working tree can be overwritten as the user who is running "git
apply".
more... | git
more detail |
2023-02-21 | VuXML ID 2fcca7e4-b1d7-11ed-b0f4-002590f2a714
The git team reports:
git log has the ability to display commits using an arbitrary
format with its --format specifiers. This functionality is also
exposed to git archive via the export-subst gitattribute.
When processing the padding operators (e.g., %<(, %<|(,
%>(, %>>(, or %><( ), an integer overflow can occur in
pretty.c::format_and_pad_commit() where a size_t is improperly
stored as an int, and then added as an offset to a subsequent
memcpy() call.
This overflow can be triggered directly by a user running a
command which invokes the commit formatting machinery (e.g., git
log --format=...). It may also be triggered indirectly through
git archive via the export-subst mechanism, which expands format
specifiers inside of files within the repository during a git
archive.
This integer overflow can result in arbitrary heap writes, which
may result in remote code execution.
more... | git
more detail |
2023-02-21 | VuXML ID 421c0af9-b206-11ed-9fe5-f4a47516fb57
Libde265 developer reports:
This release fixes the known CVEs below. Many of them are actually caused by the same underlying issues that manifest in different ways.
more... | libde265
more detail |
2023-02-21 | VuXML ID 7a425536-74f7-4ce4-9768-0079a9d44d11
Tim Wojtulewicz of Corelight reports:
Receiving DNS responses from async DNS requests (via
the lookup_addr, etc BIF methods) with the TTL set to
zero could cause the DNS manager to eventually stop being
able to make new requests.
Specially-crafted FTP packets with excessively long
usernames, passwords, or other fields could cause log
writes to use large amounts of disk space.
The find_all and find_all_ordered BIF methods could
take extremely large amounts of time to process incoming
data depending on the size of the input.
more... | zeek
more detail |
2023-02-21 | VuXML ID 8fafbef4-b1d9-11ed-b0f4-002590f2a714
git team reports:
gitattributes are used to define unique attributes corresponding
to paths in your repository. These attributes are defined by
.gitattributes file(s) within your repository.
The parser used to read these files has multiple integer
overflows, which can occur when parsing either a large number
of patterns, a large number of attributes, or attributes with
overly-long names.
These overflows may be triggered via a malicious
.gitattributes file. However, Git automatically splits lines at
2KB when reading .gitattributes from a file, but not when parsing
it from the index. Successfully exploiting this vulnerability
depends on the location of the .gitattributes file in question.
This integer overflow can result in arbitrary heap reads
and writes, which may result in remote code execution.
more... | git
more detail |
2023-02-21 | VuXML ID 9548d6ed-b1da-11ed-b0f4-002590f2a714
git team reports:
Using a specially-crafted repository, Git can be tricked into using
its local clone optimization even when using a non-local transport.
Though Git will abort local clones whose source $GIT_DIR/objects
directory contains symbolic links (c.f., CVE-2022-39253), the objects
directory itself may still be a symbolic link.
These two may be combined to include arbitrary files based on known
paths on the victim's filesystem within the malicious repository's
working copy, allowing for data exfiltration in a similar manner as
CVE-2022-39253.
more... | git
more detail |
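The local-clone entry above notes that Git rejects symlinks inside $GIT_DIR/objects but, before the fix, not a symlinked objects directory itself. The following added example (not Git's code) is a pre-clone check that covers both cases, exercised against a constructed directory layout that only imitates a bare repository; the function names and the "victim" path are assumptions for the demonstration:

```python
import os
import tempfile


def objects_dir_is_safe(git_dir):
    # Refuse a local-clone source when $GIT_DIR/objects is itself a symbolic
    # link (the gap the advisory describes) or when anything beneath it is one
    # (the condition Git already rejects, per CVE-2022-39253).
    objects = os.path.join(git_dir, "objects")
    if os.path.islink(objects) or not os.path.isdir(objects):
        return False
    for root, dirs, files in os.walk(objects):  # os.walk does not follow links
        for name in dirs + files:
            if os.path.islink(os.path.join(root, name)):
                return False
    return True


def build_fixture(tmp, symlink_objects_dir=False, symlink_inside=False):
    # Constructed fixture: a directory layout imitating $GIT_DIR, not a real
    # repository. "victim" stands in for a known path on the victim's filesystem.
    victim = os.path.join(tmp, "victim")
    os.makedirs(victim)
    git_dir = os.path.join(tmp, "evil.git")
    os.makedirs(git_dir)
    objects = os.path.join(git_dir, "objects")
    if symlink_objects_dir:
        os.symlink(victim, objects)
    else:
        os.makedirs(os.path.join(objects, "pack"))
        if symlink_inside:
            os.symlink(victim, os.path.join(objects, "ab"))
    return git_dir


def check_fixture(**kwargs):
    # Builds a fixture in a throwaway directory and returns the verdict.
    with tempfile.TemporaryDirectory() as tmp:
        return objects_dir_is_safe(build_fixture(tmp, **kwargs))


if __name__ == "__main__":
    print("clean layout          :", check_fixture())
    print("objects is a symlink  :", check_fixture(symlink_objects_dir=True))
    print("symlink under objects :", check_fixture(symlink_inside=True))
```

The check is only meaningful for sources that are local paths; the advisory's point is that a crafted repository can make Git take the local path even for a non-local transport, so the place to run such a check is before any hardlink or copy optimisation is chosen, not after.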
2023-02-20 | VuXML ID 5048ed45-b0f1-11ed-ab04-9106b1b896dd
The Gitea team reports:
This PR refactors and improves the password hashing code within
gitea and makes it possible for server administrators to set the
password hashing parameters.
In addition it takes the opportunity to adjust the settings for
pbkdf2 in order to make the hashing a little stronger.
Add command to bulk set must-change-password
As part of administration sometimes it is appropriate to
forcibly tell users to update their passwords.
This PR creates a new command gitea admin user
must-change-password which will set the MustChangePassword flag on
the provided users.
more... | gitea
more detail |
2023-02-19 | VuXML ID 428922c9-b07e-11ed-8700-5404a68ad561
The Go project reports:
A request smuggling attack is possible when using
MaxBytesHandler. When using MaxBytesHandler, the body of
an HTTP request is not fully consumed. When the server
attempts to read HTTP2 frames from the connection, it
will instead be reading the body of the HTTP request,
which could be attacker-manipulated to represent
arbitrary HTTP2 requests.
more... | traefik
more detail |
2023-02-16 | VuXML ID 27c822a0-addc-11ed-a9ee-dca632b19f10
The Rundeck project reports:
This release updates both Community and Enterprise with the latest Log4J
to address CVE-2021-44832 by updating it to 2.17.1.
more... | rundeck3
more detail |
2023-02-16 | VuXML ID fd792048-ad91-11ed-a879-080027f5fec9
Simon Scannell reports:
- CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser.
- CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser.
more... | clamav clamav-lts
more detail |
2023-02-15 | VuXML ID 3d73e384-ad1f-11ed-983c-83fe35862e3a
The Go project reports:
path/filepath: path traversal in filepath.Clean on Windows
On Windows, the filepath.Clean function could transform
an invalid path such as a/../c:/b into the valid path
c:\b. This transformation of a relative (if invalid)
path into an absolute path could enable a directory
traversal attack. The filepath.Clean function will now
transform this path into the relative (but still
invalid) path .\c:\b.
net/http, mime/multipart: denial of service from excessive
resource consumption
Multipart form parsing with
mime/multipart.Reader.ReadForm can consume largely
unlimited amounts of memory and disk files. This also
affects form parsing in the net/http package with the
Request methods FormFile, FormValue, ParseMultipartForm,
and PostFormValue.
crypto/tls: large handshake records may cause panics
Both clients and servers may send large TLS handshake
records which cause servers and clients,
respectively, to panic when attempting to construct responses.
net/http: avoid quadratic complexity in HPACK decoding
A maliciously crafted HTTP/2 stream could cause
excessive CPU consumption in the HPACK decoder,
sufficient to cause a denial of service from a small
number of small requests.
more... | go119 go120
more detail |
2023-02-14 | VuXML ID 9c9ee9a6-ac5e-11ed-9323-080027d3a315
Django reports:
CVE-2023-24580: Potential denial-of-service vulnerability in file uploads.
more... | py310-django32 py310-django40 py310-django41 py37-django32 py38-django32 py38-django40 py38-django41 py39-django32 py39-django40 py39-django41
more detail |
2023-02-13 | VuXML ID 0a7a5dfb-aba4-11ed-be2c-001cc0382b2f
The GnuTLS project reports:
A vulnerability was found that the response times to malformed RSA
ciphertexts in ClientKeyExchange differ from response times of
ciphertexts with correct PKCS#1 v1.5 padding. Only TLS ciphertext
processing is affected.
more... | gnutls
more detail |
2023-02-13 | VuXML ID 8e20430d-a72b-11ed-a04f-40b034455553
MinIO reports:
A security issue was found where an unprivileged user is
able to create service accounts for root or other admin
users and then is able to assume their access policies
via the generated credentials.
more... | minio
more detail |
2023-02-12 | VuXML ID 3eccc968-ab17-11ed-bd9e-589cfc0f81b0
phpmyfaq developers report:
a bypass to flood admin with FAQ proposals
stored XSS in questions
stored HTML injections
weak passwords
more... | phpmyfaq
more detail |
2023-02-10 | VuXML ID 310ca30e-a951-11ed-8314-a8a1599412c6
Chrome Releases reports:
This release contains 15 security fixes, including:
- [1402270] High CVE-2023-0696: Type Confusion in V8. Reported by Haein Lee at KAIST Hacking Lab on 2022-12-18
- [1341541] High CVE-2023-0697: Inappropriate implementation in Full screen mode. Reported by Ahmed ElMasry on 2022-07-03
- [1403573] High CVE-2023-0698: Out of bounds read in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2022-12-25
- [1371859] Medium CVE-2023-0699: Use after free in GPU. Reported by 7o8v and Cassidy Kim(@cassidy6564) on 2022-10-06
- [1393732] Medium CVE-2023-0700: Inappropriate implementation in Download. Reported by Axel Chong on 2022-11-26
- [1405123] Medium CVE-2023-0701: Heap buffer overflow in WebUI. Reported by Sumin Hwang of SSD Labs on 2023-01-05
- [1316301] Medium CVE-2023-0702: Type Confusion in Data Transfer. Reported by Sri on 2022-04-14
- [1405574] Medium CVE-2023-0703: Type Confusion in DevTools. Reported by raven at KunLun lab on 2023-01-07
- [1385982] Low CVE-2023-0704: Insufficient policy enforcement in DevTools. Reported by Rhys Elsmore and Zac Sims of the Canva security team on 2022-11-18
- [1238642] Low CVE-2023-0705: Integer overflow in Core. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-11
more... | chromium ungoogled-chromium
more detail |
2023-02-09 | VuXML ID 7a8b6170-a889-11ed-bbae-6cc21735f730
PostgreSQL Project reports:
A modified, unauthenticated server can send an
unterminated string during the establishment of Kerberos
transport encryption. When a libpq client application
has a Kerberos credential cache and doesn't explicitly
disable option gssencmode, a server can cause libpq to
over-read and report an error message containing
uninitialized bytes from and following its receive
buffer. If libpq's caller somehow makes that message
accessible to the attacker, this achieves a disclosure
of the over-read bytes. We have not confirmed or ruled
out viability of attacks that arrange for a crash or for
presence of notable, confidential information in
disclosed bytes.
more... | postgresql12-client postgresql13-client postgresql14-client postgresql15-client
more detail |
2023-02-09 | VuXML ID e6281d88-a7a7-11ed-8d6a-6c3be5272acd
Grafana Labs reports:
A third-party penetration test of Grafana found a vulnerability
in the snapshot functionality. The value of the originalUrl parameter
is automatically generated. The purpose of the presented originalUrl parameter
is to provide a user who views the snapshot with the possibility to click
on the Local Snapshot button in the Grafana web UI
and be presented with the dashboard that the snapshot captured. The value
of the originalUrl parameter can be arbitrarily chosen by a malicious user that
creates the snapshot. (Note: This can be done by editing the query thanks
to a web proxy like Burp.)
We have assessed this vulnerability as having a CVSS score of 6.7 MEDIUM
(CVSS:6.7/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L).
more... | grafana grafana8 grafana9
more detail |
2023-02-09 | VuXML ID ecffb881-a7a7-11ed-8d6a-6c3be5272acd
Grafana Labs reports:
On 2022-12-16 during an internal audit of Grafana, a member of the security
team found a stored XSS vulnerability affecting the core plugin GeoMap.
The stored XSS vulnerability was possible due to SVG-files weren't properly
sanitized and allowed arbitrary JavaScript to be executed in the context
of the currently authorized user of the Grafana instance.
more... | grafana grafana8 grafana9
more detail |
2023-02-08 | VuXML ID 1dd84344-a7da-11ed-86e9-d4c9ef517024
The OpenBSD project reports:
A malicious certificate revocation list or timestamp response token
would allow an attacker to read arbitrary memory.
more... | libressl libressl-devel
more detail |
2023-02-08 | VuXML ID 6cc63bf5-a727-4155-8ec4-68b626475e68
The X.org project reports:
more... | xephyr xorg-nestserver xorg-server xorg-vfbserver xwayland xwayland-devel
more detail |
2023-02-08 | VuXML ID b34c1947-a749-11ed-b24b-1c61b4739ac9
MITRE reports:
TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP macro function, which can potentially result in code execution. This attack appears to be exploitable via network connectivity.
TightVNC code version 1.3.10 contains heap buffer overflow in InitialiseRFBConnection function, which can potentially result in code execution. This attack appears to be exploitable via network connectivity.
TightVNC code version 1.3.10 contains null pointer dereference in HandleZlibBPP function, which results in Denial of Service (DoS). This attack appears to be exploitable via network connectivity.
more... | tightvnc
more detail |
2023-02-07 | VuXML ID 648a432c-a71f-11ed-86e9-d4c9ef517024
The OpenSSL project reports:
X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) (High):
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING.
Timing Oracle in RSA Decryption (CVE-2022-4304) (Moderate):
A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OAEP and RSASVE.
X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203) (Moderate):
A read buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs
after certificate chain signature verification and requires either a
CA to have signed the malicious certificate or for the application to
continue certificate verification despite failure to construct a path
to a trusted issuer.
Use-after-free following BIO_new_NDEF (CVE-2023-0215) (Moderate):
The public API function BIO_new_NDEF is a helper function used for streaming
ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the
SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by
end user applications.
Double free after calling PEM_read_bio_ex (CVE-2022-4450) (Moderate):
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data.
If the function succeeds then the "name_out", "header" and "data" arguments are
populated with pointers to buffers containing the relevant decoded data. The
caller is responsible for freeing those buffers. It is possible to construct a
PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()
will return a failure code but will populate the header argument with a pointer
to a buffer that has already been freed. If the caller also frees this buffer
then a double free will occur. This will most likely lead to a crash. This
could be exploited by an attacker who has the ability to supply malicious PEM
files for parsing to achieve a denial of service attack.
Invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216) (Moderate):
An invalid pointer dereference on read can be triggered when an
application tries to load malformed PKCS7 data with the
d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.
NULL dereference validating DSA public key (CVE-2023-0217) (Moderate):
An invalid pointer dereference on read can be triggered when an
application tries to check a malformed DSA public key by the
EVP_PKEY_public_check() function. This will most likely lead
to an application crash. This function can be called on public
keys supplied from untrusted sources which could allow an attacker
to cause a denial of service attack.
NULL dereference during PKCS7 data verification (CVE-2023-0401) (Moderate):
A NULL pointer can be dereferenced when signatures are being
verified on PKCS7 signed or signedAndEnveloped data. In case the hash
algorithm used for the signature is known to the OpenSSL library but
the implementation of the hash algorithm is not available the digest
initialization will fail. There is a missing check for the return
value from the initialization function which later leads to invalid
usage of the digest API most likely leading to a crash.
more... | openssl openssl-devel openssl-quictls
more detail |
2023-02-06 | VuXML ID c49a880d-a5bb-11ed-aab5-080027de9982
Django reports:
CVE-2023-23969: Potential denial-of-service via Accept-Language headers.
more... | py310-django32 py310-django40 py310-django41 py37-django32 py38-django32 py38-django40 py38-django41 py39-django32 py39-django40 py39-django41
more detail |
2023-02-04 | VuXML ID 01823528-a4c1-11ed-b6af-b42e991fc52e
NIST reports:
jackson-databind before 2.13.0 allows a Java StackOverflow
exception and denial of service via a large depth of nested
objects.
more... | kafka
more detail |
2023-02-04 | VuXML ID d835c54f-a4bd-11ed-b6af-b42e991fc52e
Prometheus team reports:
Prometheus and its exporters can be secured by a web.yml file that
specifies usernames and hashed passwords for basic authentication.
Passwords are hashed with bcrypt, which means that even if you have
access to the hash, it is very hard to find the original password
back. However, a flaw in the way this mechanism was
implemented in the exporter toolkit makes it possible for people
who know the hashed password to authenticate against Prometheus.
A request can be forged by an attacker to poison the internal cache
used to cache the computation of hashes and make subsequent requests
successful. This cache is used in both happy and unhappy scenarios
in order to limit side channel attacks that could tell an attacker
if a user is present in the file or not.
more... | node_exporter
more detail |
2023-02-02 | VuXML ID 8dd438ed-a338-11ed-b48b-589cfc0f81b0
The Asterisk project reports:
AST-2022-007: Remote Crash Vulnerability in H323 channel add on
AST-2022-008: Use after free in res_pjsip_pubsub.c
AST-2022-009: GetConfig AMI Action can read files outside of
Asterisk directory
more... | asterisk18
more detail |
2023-02-02 | VuXML ID c3fb48cc-a2ff-11ed-8fbc-6cf0490a8c18
Stéphane Bruckert reports:
If a malicious URI is passed to the library, the library can be tricked into performing an operation on a different API endpoint than intended.
more... | py310-spotipy py311-spotipy py37-spotipy py38-spotipy py39-spotipy
more detail |
2023-02-01 | VuXML ID 2b5fc9c4-eaca-46e0-83d0-9b10c51c4b1b
Tim Wojtulewicz of Corelight reports:
A missing field in the SMB FSControl script-land record could
cause a heap buffer overflow when receiving packets containing
those header types.
Receiving a series of packets that start with HTTP/1.0
and then switch to HTTP/0.9 could cause Zeek to spend a
large amount of time processing the packets.
Receiving large numbers of FTP commands sequentially
from the network with bad data in them could cause Zeek
to spend a large amount of time processing the packets,
and generate a large amount of events.
more... | zeek
more detail |
2023-02-01 | VuXML ID ee890be3-a1ec-11ed-a81d-001b217b3468
Gitlab reports:
Denial of Service via arbitrarily large Issue descriptions
CSRF via file upload allows an attacker to take over a repository
Sidekiq background job DoS by uploading malicious CI job artifact zips
Sidekiq background job DoS by uploading a malicious Helm package
more... | gitlab-ce
more detail |
2023-01-30 | VuXML ID 791a09c5-a086-11ed-954d-b42e991fc52e
Prometheus team reports:
Prometheus and its exporters can be secured by a web.yml file that
specifies usernames and hashed passwords for basic authentication.
Passwords are hashed with bcrypt, which means that even if you have
access to the hash, it is very hard to find the original password
back. However, a flaw in the way this mechanism was
implemented in the exporter toolkit makes it possible for people
who know the hashed password to authenticate against Prometheus.
A request can be forged by an attacker to poison the internal cache
used to cache the computation of hashes and make subsequent requests
successful. This cache is used in both happy and unhappy scenarios
in order to limit side channel attacks that could tell an attacker
if a user is present in the file or not.
more... | prometheus
more detail |
2023-01-30 | VuXML ID 98f78c7a-a08e-11ed-946e-002b67dfc673
Plex Security Team reports:
We have recently been made aware of a security vulnerability in Plex Media Server versions prior to 1.25.0 that could allow a local Windows user to obtain administrator privileges without authorization. To be clear, this required the user to already have local, physical access to the computer (just with a different user account on Windows). There are no indications that this exploit could be used from a remote machine.
Plex Media Server versions 1.25.0.5282 and newer are not subject to this vulnerability, and feature additional hardening to prevent similar issues from occurring in the future. Users running older server versions are encouraged to update their Plex Media Server installations.
more... | plexmediaserver plexmediaserver-plexpass
more detail |
2023-01-25 | VuXML ID 3d0a3eb0-9ca3-11ed-a925-3065ec8fd3ec
Chrome Releases reports:
This release contains 6 security fixes, including:
- [1376354] High CVE-2023-0471: Use after free in WebTransport. Reported by chichoo Kim(chichoo) and Cassidy Kim(@cassidy6564) on 2022-10-19
- [1405256] High CVE-2023-0472: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-01-06
- [1404639] Medium CVE-2023-0473: Type Confusion in ServiceWorker API. Reported by raven at KunLun lab on 2023-01-03
- [1400841] Medium CVE-2023-0474: Use after free in GuestView. Reported by avaue at S.S.L on 2022-12-14
more... | chromium ungoogled-chromium
more detail |
2023-01-25 | VuXML ID b0e1fa2b-9c86-11ed-9296-002b67dfc673
re2c reports:
re2c before 2.0 has uncontrolled recursion that causes stack consumption in find_fixed_tags.
more... | re2c
more detail |
2023-01-24 | VuXML ID b8a0fea2-9be9-11ed-8acf-0800277bb8a8
The Gitea team reports:
Prevent multiple To recipients: Change the mailer interface to
prevent leaking of possible hidden email addresses when sending
to multiple recipients.
more... | gitea
more detail |
2023-01-23 | VuXML ID 28b69630-9b10-11ed-97a6-6805ca2fa271
PowerDNS Team reports:
PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination
more... | powerdns-recursor
more detail |
2023-01-23 | VuXML ID 7844789a-9b1f-11ed-9a3f-b42e991fc52e
MITRE reports:
NLnet Labs Krill supports direct access to the RRDP repository
content through its built-in web server at the "/rrdp" endpoint.
Prior to 0.12.1 a direct query for any existing directory under
"/rrdp/", rather than an RRDP file such as "/rrdp/notification.xml"
as would be expected, causes Krill to crash. If the built-in "/rrdp"
endpoint is exposed directly to the internet, then malicious remote
parties can cause the publication server to crash. The repository
content is not affected by this, but the availability of the server
and repository can cause issues if this attack is persistent and is
not mitigated.
more... | krill
more detail |
2023-01-23 | VuXML ID b6f7ad7d-9b19-11ed-9a3f-b42e991fc52e
Mitre reports:
etserver and etclient have predictable logfile names in
/tmp and they are world-readable logfiles
more... | eternalterminal
more detail |
2023-01-23 | VuXML ID bba3f684-9b1d-11ed-9a3f-b42e991fc52e
MITRE reports:
It seems #90 is not completely fixed in 7.8.
(that is, even after CVE-2017-1000501 and CVE-2020-29600 are fixed).
In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a
partial absolute pathname (omitting the initial /etc), even
though it was intended to only read a file in the /etc/awstats/awstats.conf format.
NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
more... | awstats
more detail |
2023-01-21 | VuXML ID a3b10c9b-99d9-11ed-aa55-d05099fed512
Peter Ammon reports:
fish is a command line shell. fish version 3.1.0 through
version 3.3.1 is vulnerable to arbitrary code execution.
git repositories can contain per-repository
configuration that changes the behavior of git, including
running arbitrary commands. When using the default
configuration of fish, changing to a directory
automatically runs git commands in order to display
information about the current repository in the prompt.
If an attacker can convince a user to change their
current directory into one controlled by the attacker,
such as on a shared file system or extracted archive,
fish will run arbitrary commands under the attacker's
control. This problem has been fixed in fish 3.4.0. Note
that running git in these directories, including using
the git tab completion, remains a potential trigger for
this issue. As a workaround, remove the
fish_git_prompt function from the prompt.
more... | fish
more detail |
2023-01-21 | VuXML ID dc49f6dc-99d2-11ed-86e9-d4c9ef517024
Oracle reports:
This Critical Patch Update contains 37 new security patches for
Oracle MySQL. 8 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials.
more... | mysql-client57 mysql-client80 mysql-connector-c++ mysql-connector-odbc mysql-server57 mysql-server80
more detail |
2023-01-20 | VuXML ID 005dfb48-990d-11ed-b9d3-589cfc0f81b0
phpmyfaq developers report:
phpMyFAQ does not implement sufficient checks to avoid a stored
XSS in "Add new question"
phpMyFAQ does not implement sufficient checks to avoid a stored XSS
in admin user page
phpMyFAQ does not implement sufficient checks to avoid a stored XSS
in FAQ comments
phpMyFAQ does not implement sufficient checks to avoid a blind
stored XSS in admin open question page
phpMyFAQ does not implement sufficient checks to avoid a reflected
XSS in the admin backend login
phpMyFAQ does not implement sufficient checks to avoid stored XSS
on user, category, FAQ, news and configuration admin backend
phpMyFAQ does not implement sufficient checks to avoid weak passwords
more... | phpmyfaq
more detail |
2023-01-19 | VuXML ID 95176ba5-9796-11ed-bfbf-080027f5fec9
Aaron Patterson reports:
- CVE-2022-44570: Carefully crafted input can cause the Range header
parsing component in Rack to take an unexpected amount
of time, possibly resulting in a denial of service
attack vector. Any applications that deal with Range
requests (such as streaming applications, or
applications that serve files) may be impacted.
- CVE-2022-44571: Carefully crafted input can cause Content-Disposition
header parsing in Rack to take an unexpected amount of
time, possibly resulting in a denial of service attack
vector. This header is typically used in multipart
parsing. Any applications that parse multipart posts
using Rack (virtually all Rails applications) are
impacted.
- CVE-2022-44572: Carefully crafted input can cause RFC2183 multipart
boundary parsing in Rack to take an unexpected amount of
time, possibly resulting in a denial of service attack
vector. Any applications that parse multipart posts
using Rack (virtually all Rails applications) are
impacted.
more... | rubygem-rack rubygem-rack16 rubygem-rack22
more detail |
2023-01-17 | VuXML ID 00919005-96a3-11ed-86e9-d4c9ef517024
The Apache httpd project reports:
mod_dav out of bounds read, or write of zero byte (CVE-2006-20001)
(moderate)
mod_proxy_ajp Possible request smuggling (CVE-2022-36760) (moderate)
mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response
splitting (CVE-2022-37436) (moderate)
more... | apache24
more detail |
2023-01-16 | VuXML ID 5fa68bd9-95d9-11ed-811a-080027f5fec9
The Redis core team reports:
- CVE-2022-35977: Integer overflow in the Redis SETRANGE and SORT/SORT_RO
commands can drive Redis to OOM panic.
- CVE-2023-22458: Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER
commands can lead to denial-of-service.
more... | redis redis-devel redis6 redis62
more detail |
2023-01-16 | VuXML ID 9d9e9439-959e-11ed-b464-b42e991fc52e
CIRCL reports:
- CVE-2022-41966: XStream serializes Java objects to XML
and back again. Versions prior to 1.4.20 may allow a remote attacker
to terminate the application with a stack overflow error, resulting
in a denial of service only via manipulation of the processed input stream.
- CVE-2022-40151: If the parser is running on user
supplied input, an attacker may supply content that
causes the parser to crash by stackoverflow. This
effect may support a denial of service attack.
more... | keycloak
more detail |
2023-01-14 | VuXML ID 847f16e5-9406-11ed-a925-3065ec8fd3ec
The Tor Project reports:
TROVE-2022-002: The SafeSocks option for SOCKS4(a) is inverted leading to SOCKS4 going through
This is a report from hackerone:
We have classified this as medium considering that tor was not defending in-depth for dangerous SOCKS request and so any user relying on SafeSocks 1 to make sure they don't link DNS leak and their Tor traffic wasn't safe after all for SOCKS4(a).
Tor Browser doesn't use SafeSocks 1 and SOCKS4 so at least the likely vast majority of users are not affected.
more... | tor
more detail |
2023-01-12 | VuXML ID 76e2fcce-92d2-11ed-a635-080027f5fec9
lu4nx reports:
GNU Emacs through 28.2 allows attackers to execute
commands via shell metacharacters in the name of a
source-code file, because lib-src/etags.c uses the system
C library function in its implementation of the ctags
program. For example, a victim may use the "ctags *"
command (suggested in the ctags documentation) in a
situation where the current working directory has contents
that depend on untrusted input.
more... | emacs emacs-canna emacs-devel emacs-devel-nox emacs-nox
more detail |
2023-01-11 | VuXML ID 3a023570-91ab-11ed-8950-001b217b3468
Gitlab reports:
Race condition on gitlab.com enables verified email forgery and third-party account hijacking
DOS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint
Maintainer can leak sentry token by changing the configured URL
Maintainer can leak masked webhook secrets by changing target URL of the webhook
Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP
Group access tokens continue to work after owner loses ability to revoke them
Users' avatar disclosure by user ID in private GitLab instances
Arbitrary Protocol Redirection in GitLab Pages
Regex DoS due to device-detector parsing user agents
Regex DoS in the Submodule Url Parser
more... | gitlab-ce
more detail |
2023-01-11 | VuXML ID 53caf29b-9180-11ed-acbe-b42e991fc52e
Cassandra team reports:
This release contains 6 security fixes including
- CVE-2022-24823: When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory
- CVE-2020-7238: Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.
- CVE-2019-2684: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE
- CVE-2022-25857: The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.
- CVE-2022-42003: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
- CVE-2022-42004: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays.
more... | cassandra3
more detail |
2023-01-11 | VuXML ID 60624f63-9180-11ed-acbe-b42e991fc52e
Marcus Eriksson reports:
When running Apache Cassandra with
the following configuration:
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
it is possible for an attacker to execute arbitrary code on
the host. The attacker would need to have enough permissions
to create user defined functions in the cluster to be able
to exploit this.
more... | cassandra3
more detail |
2023-01-11 | VuXML ID 9fa7b139-c1e9-409e-bed0-006aadcf5845
The X.org project reports:
- CVE-2022-46340/ZDI-CAN-19265: X.Org Server XTestSwapFakeInput stack
overflow
The swap handler for the XTestFakeInput request of the XTest extension
may corrupt the stack if GenericEvents with lengths larger than 32 bytes
are sent through the XTestFakeInput request.
This issue does not affect systems where client and server use the same
byte order.
- CVE-2022-46341/ZDI-CAN-19381: X.Org Server XIPassiveUngrab
out-of-bounds access
The handler for the XIPassiveUngrab request accesses out-of-bounds
memory when invoked with a high keycode or button code.
- CVE-2022-46342/ZDI-CAN-19400: X.Org Server XvdiSelectVideoNotify
use-after-free
The handler for the XvdiSelectVideoNotify request may write to memory
after it has been freed.
- CVE-2022-46343/ZDI-CAN-19404: X.Org Server ScreenSaverSetAttributes
use-after-free
The handler for the ScreenSaverSetAttributes request may write to memory
after it has been freed.
- CVE-2022-46344/ZDI-CAN-19405: X.Org Server XIChangeProperty
out-of-bounds access
The handler for the XIChangeProperty request has length-validation
issues, resulting in out-of-bounds memory reads and potential
information disclosure.
- CVE-2022-4283/ZDI-CAN-19530: X.Org Server XkbGetKbdByName use-after-free
The XkbCopyNames function left a dangling pointer to freed memory,
resulting in out-of-bounds memory access on subsequent XkbGetKbdByName
requests.
more... | xephyr xorg-nestserver xorg-server xorg-vfbserver xwayland xwayland-devel
more detail |
2023-01-11 | VuXML ID b3fd12ea-917a-11ed-acbe-b42e991fc52e
mindrot project reports:
There is an integer overflow that
occurs with very large log_rounds values, first reported by
Marcus Rathsfeld.
more... | cassandra3
more detail |
2023-01-10 | VuXML ID 7b929503-911d-11ed-a925-3065ec8fd3ec
Chrome Releases reports:
This release contains 17 security fixes, including:
- [1353208] High CVE-2023-0128: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-08-16
- [1382033] High CVE-2023-0129: Heap buffer overflow in Network Service. Reported by asnine on 2022-11-07
- [1370028] Medium CVE-2023-0130: Inappropriate implementation in Fullscreen API. Reported by Hafiizh on 2022-09-30
- [1357366] Medium CVE-2023-0131: Inappropriate implementation in iframe Sandbox. Reported by NDevTK on 2022-08-28
- [1371215] Medium CVE-2023-0132: Inappropriate implementation in Permission prompts. Reported by Jasper Rebane (popstonia) on 2022-10-05
- [1375132] Medium CVE-2023-0133: Inappropriate implementation in Permission prompts. Reported by Alesandro Ortiz on 2022-10-17
- [1385709] Medium CVE-2023-0134: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-17
- [1385831] Medium CVE-2023-0135: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-18
- [1356987] Medium CVE-2023-0136: Inappropriate implementation in Fullscreen API. Reported by Axel Chong on 2022-08-26
- [1399904] Medium CVE-2023-0137: Heap buffer overflow in Platform Apps. Reported by avaue and Buff3tts at S.S.L. on 2022-12-10
- [1346675] Low CVE-2023-0138: Heap buffer overflow in libphonenumber. Reported by Michael Dau on 2022-07-23
- [1367632] Low CVE-2023-0139: Insufficient validation of untrusted input in Downloads. Reported by Axel Chong on 2022-09-24
- [1326788] Low CVE-2023-0140: Inappropriate implementation in File System API. Reported by harrison.mitchell, cybercx.com.au on 2022-05-18
- [1362331] Low CVE-2023-0141: Insufficient policy enforcement in CORS. Reported by scarlet on 2022-09-12
more... | chromium ungoogled-chromium
more detail |
2023-01-09* | VuXML ID 59c284f4-8d2e-11ed-9ce0-b42e991fc52e
cacti team reports:
A command injection vulnerability allows an
unauthenticated user to execute arbitrary code on a server
running Cacti, if a specific data source was selected for
any monitored device.
more... | cacti
more detail |
2023-01-05 | VuXML ID 541696ed-8d12-11ed-af80-ecf4bbc0bda0
C. Michael Pilato reports:
security fix: escape revision view copy paths (#311) [CVE-2023-22464]
security fix: escape revision view changed paths (#311) [CVE-2023-22456]
more... | py37-viewvc-devel py38-viewvc-devel py39-viewvc-devel
more detail |
2023-01-03 | VuXML ID 5b2eac07-8b4d-11ed-8b23-a0f3c100ae18
Marc Lehmann reports:
The biggest issue is resolving CVE-2022-4170, which allows command
execution inside urxvt from within the terminal (that means anything that
can output text in the terminal can start commands in the context of the
urxvt process, even remotely).
more... | rxvt-unicode
more detail |
2023-01-02 | VuXML ID 86c330fe-bbae-4ca7-85f7-5321e627a4eb
The Gitea team reports:
Remove ReverseProxy authentication from the API
Support Go Vulnerability Management
Forbid HTML string tooltips
more... | gitea
more detail |
2022-12-29 | VuXML ID 140a20e1-8769-11ed-b074-002b67dfc673
Webtrees reports:
GEDCOM imports containing errors and HTML displayed unescaped.
more... | webtrees
more detail |
2022-12-29 | VuXML ID d379aa14-8729-11ed-b988-080027d3a315
MediaWiki reports:
(T322637, CVE-2022-PENDING) SECURITY: Make sqlite DB files not world readable.
more... | mediawiki135 mediawiki138 mediawiki139
more detail |
2022-12-27 | VuXML ID 4b60c3d9-8640-11ed-a762-482ae324f959
Netdata reports:
GHSA-xg38-3vmw-2978: Netdata Streaming Alert Command Injection
GHSA-jx85-39cw-66f2: Netdata Streaming Authentication Bypass
more... | netdata
more detail |
2022-12-24 | VuXML ID 1f0421b1-8398-11ed-973d-002b67dfc673
FreeRDP reports:
GHSA-5w4j-mrrh-jjrm: Out of bound read in zgfx decoder.
GHSA-99cm-4gw7-c8jh: Undefined behaviour in zgfx decoder.
GHSA-387j-8j96-7q35: Division by zero in urbdrc channel.
GHSA-mvxm-wfj2-5fvh: Missing length validation in urbdrc channel.
GHSA-qfq2-82qr-7f4j: Heap buffer overflow in urbdrc channel.
GHSA-c5xq-8v35-pffg: Missing path sanitation with `drive` channel.
GHSA-pmv3-wpw4-pw5h: Missing input length validation in `drive` channel.
more... | freerdp
more detail |
2022-12-22 | VuXML ID d0da046a-81e6-11ed-96ca-0800277bb8a8
The Gitea team reports:
Do not allow Ghost access to limited visible user/org
Fix package access for admins and inactive users
more... | gitea
more detail |
2022-12-17 | VuXML ID d9e154c9-7de9-11ed-adca-080027d3a315
TYPO3 reports:
TYPO3-CORE-SA-2022-012: Denial of Service in Page Error Handling.
TYPO3-CORE-SA-2022-013: Weak Authentication in Frontend Login.
TYPO3-CORE-SA-2022-014: Insufficient Session Expiration after Password Reset.
TYPO3-CORE-SA-2022-015: Arbitrary Code Execution via Form Framework.
TYPO3-CORE-SA-2022-016: Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration.
TYPO3-CORE-SA-2022-017: By-passing Cross-Site Scripting Protection in HTML Sanitizer.
more... | typo3-11-php81 typo3-12-php81
more detail |
2022-12-14 | VuXML ID 0f99a30c-7b4b-11ed-9168-080027f5fec9
Daniel Stenberg reports:
- CVE-2022-32221: POST following PUT confusion
When doing HTTP(S) transfers, libcurl might erroneously
use the read callback (CURLOPT_READFUNCTION) to ask for data to
send, even when the CURLOPT_POSTFIELDS
option has been set, if the same handle previously was
used to issue a PUT request which used that
callback. This flaw may surprise the application and
cause it to misbehave and either send off the wrong data
or use memory after free or similar in the subsequent
POST request. The problem exists in the
logic for a reused handle when it is changed from a PUT
to a POST.
- CVE-2022-35260: .netrc parser out-of-bounds access
curl can be told to parse a .netrc file for
credentials. If that file ends in a line with
consecutive non-white space letters and no newline, curl
could read past the end of the stack-based buffer, and
if the read works, write a zero byte possibly beyond its
boundary. This will in most cases cause a segfault or
similar, but circumstances might also cause different
outcomes. If a malicious user can provide a custom netrc
file to an application or otherwise affect its contents,
this flaw could be used as denial-of-service.
- CVE-2022-42915: HTTP proxy double-free
If curl is told to use an HTTP proxy for a transfer with
a non-HTTP(S) URL, it sets up the connection to the
remote server by issuing a CONNECT request to the proxy,
and then tunnels the rest of protocol through. An HTTP
proxy might refuse this request (HTTP proxies often only
allow outgoing connections to specific port numbers,
like 443 for HTTPS) and instead return a non-200
response code to the client. Due to flaws in the
error/cleanup handling, this could trigger a double-free
in curl if one of the following schemes were used in the
URL for the transfer: dict, gopher, gophers, ldap,
ldaps, rtmp, rtmps, telnet
- CVE-2022-42916: HSTS bypass via IDN
curl's HSTS check could be bypassed to trick it to keep
using HTTP. Using its HSTS support, curl can be
instructed to use HTTPS directly instead of using an
insecure clear-text HTTP step even when HTTP is provided
in the URL. This mechanism could be bypassed if the host
name in the given URL uses IDN characters that get
replaced to ASCII counterparts as part of the IDN
conversion. Like using the character UTF-8 U+3002
(IDEOGRAPHIC FULL STOP) instead of the common ASCII full
stop (U+002E). Like this: http://curl。se。
more... | curl
more detail |
2022-12-14 | VuXML ID 83eb9374-7b97-11ed-be8f-3065ec8fd3ec
Chrome Releases reports:
This release contains 8 security fixes, including:
- [1383991] High CVE-2022-4436: Use after free in Blink Media. Reported by Anonymous on 2022-11-15
- [1394692] High CVE-2022-4437: Use after free in Mojo IPC. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-11-30
- [1381871] High CVE-2022-4438: Use after free in Blink Frames. Reported by Anonymous on 2022-11-07
- [1392661] High CVE-2022-4439: Use after free in Aura. Reported by Anonymous on 2022-11-22
- [1382761] Medium CVE-2022-4440: Use after free in Profiles. Reported by Anonymous on 2022-11-09
more... | chromium ungoogled-chromium
more detail |
2022-12-12 | VuXML ID 439f3f81-7a49-11ed-97ac-589cfc0f81b0
phpmyfaq developers report:
an authenticated SQL injection when adding categories in the admin backend
a stored cross-site scripting vulnerability in the category name
a stored cross-site scripting vulnerability in the admin logging
a stored cross-site scripting vulnerability in the FAQ title
a PostgreSQL based SQL injection for the lang parameter
a SQL injection when storing an instance name in the admin backend
a SQL injection when adding attachments in the admin backend
a stored cross-site scripting vulnerability when adding users by admins
a missing "secure" flag for cookies when using TLS
a cross-site request forgery / cross-site scripting vulnerability when saving new questions
a reflected cross-site scripting vulnerability in the admin backend
more... | phpmyfaq
more detail |
2022-12-10 | VuXML ID 508da89c-78b9-11ed-854f-5404a68ad561
The Traefik project reports:
This update is recommended for all traefik users and provides the following important security fixes:
- CVE-2022-23469: Authorization header displayed in the debug logs
- CVE-2022-46153: Routes exposed with an empty TLSOption in traefik
more... | traefik
more detail |
2022-12-10 | VuXML ID ba94433c-7890-11ed-859e-1c61b4739ac9
xrdp project reports:
This update is recommended for all xrdp users and provides the following important security fixes:
- CVE-2022-23468
- CVE-2022-23477
- CVE-2022-23478
- CVE-2022-23479
- CVE-2022-23480
- CVE-2022-23481
- CVE-2022-23483
- CVE-2022-23482
- CVE-2022-23484
- CVE-2022-23493
These security issues are reported by Team BT5 (BoB 11th). We appreciate their great help with making and reviewing patches.
more... | xrdp
more detail |
2022-12-07 | VuXML ID 050eba46-7638-11ed-820d-080027d3a315
Python reports:
gh-100001: python -m http.server no longer allows terminal control characters sent
within a garbage request to be printed to the stderr server log.
This is done by changing the http.server BaseHTTPRequestHandler .log_message method
to replace control characters with a \xHH hex escape before printing.
gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.
gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related
name resolution functions no longer involves a quadratic algorithm. This prevents a
potential CPU denial of service if an out-of-spec excessive length hostname involving
bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects
potentially allow for an attacker to supply such a name.
gh-98739: Update bundled libexpat to 2.5.0.
gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example
script. The script no longer uses a shell to run openssl commands. Issue reported and
initial fix by Caleb Shortt. Patch by Victor Stinner.
more... | python310 python311 python37 python38 python39
more detail |
2022-12-06 | VuXML ID 6f5192f5-75a7-11ed-83c0-411d43ce7fe4
The Go project reports:
os, net/http: avoid escapes from os.DirFS and http.Dir on Windows
The os.DirFS function and http.Dir type provide access to a
tree of files rooted at a given directory. These functions
permitted access to Windows device files under that root. For
example, os.DirFS("C:/tmp").Open("COM1") would open the COM1 device.
Both os.DirFS and http.Dir only provide read-only filesystem access.
In addition, on Windows, an os.DirFS for the directory \ (the root
of the current drive) can permit a maliciously crafted path to escape
from the drive and access any path on the system.
The behavior of os.DirFS("") has changed. Previously, an empty root
was treated equivalently to "/", so os.DirFS("").Open("tmp") would
open the path "/tmp". This now returns an error.
net/http: limit canonical header cache by bytes, not entries
An attacker can cause excessive memory growth in a Go server
accepting HTTP/2 requests. HTTP/2 server connections contain a
cache of HTTP header keys sent by the client. While the total number
of entries in this cache is capped, an attacker sending very large
keys can cause the server to allocate approximately 64 MiB per open
connection.
more... | go118 go119
more detail |
2022-12-03 | VuXML ID 2899da38-7300-11ed-92ce-3065ec8fd3ec
Chrome Releases reports:
This release contains 1 security fix:
- [1394403] High CVE-2022-4262: Type Confusion in V8. Reported by Clement Lecigne of Google's Threat Analysis Group on 2022-11-29
Google is aware that an exploit for CVE-2022-4262 exists in the wild.
more... | chromium ungoogled-chromium
more detail |
2022-12-01 | VuXML ID 0c52abde-717b-11ed-98ca-40b034429ecf
rpm project reports:
Fix intermediate symlinks not verified (CVE-2021-35939).
Fix subkey binding signatures not checked on PGP public keys (CVE-2021-3521).
Refactor file and directory operations to use fd-based APIs throughout (CVE-2021-35938)
more... | rpm4
more detail |
2022-12-01 | VuXML ID 3cde510a-7135-11ed-a28b-bff032704f00
Gitlab reports:
DAST API scanner exposes Authorization headers in vulnerabilities
Group IP allow-list not fully respected by the Package Registry
Deploy keys and tokens may bypass External Authorization service if it is enabled
Repository import still allows to import 40 hexadecimal branches
Webhook secret tokens leaked in webhook logs
Maintainer can leak webhook secret token by changing the webhook URL
Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP
Release names visible in public projects despite release set as project members only
Sidekiq background job DoS by uploading malicious NuGet packages
SSRF in Web Terminal advertise_address
more... | gitlab-ce
more detail |
2022-11-30 | VuXML ID 5f7ed6ea-70a7-11ed-92ce-3065ec8fd3ec
Chrome Releases reports:
This release contains 28 security fixes, including:
- [1379054] High CVE-2022-4174: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2022-10-27
- [1381401] High CVE-2022-4175: Use after free in Camera Capture. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-11-04
- [1361066] High CVE-2022-4176: Out of bounds write in Lacros Graphics. Reported by @ginggilBesel on 2022-09-08
- [1379242] High CVE-2022-4177: Use after free in Extensions. Reported by Chaoyuan Peng (@ret2happy) on 2022-10-28
- [1376099] High CVE-2022-4178: Use after free in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2022-10-18
- [1377783] High CVE-2022-4179: Use after free in Audio. Reported by Sergei Glazunov of Google Project Zero on 2022-10-24
- [1378564] High CVE-2022-4180: Use after free in Mojo. Reported by Anonymous on 2022-10-26
- [1382581] High CVE-2022-4181: Use after free in Forms. Reported by Aviv A. on 2022-11-09
- [1368739] Medium CVE-2022-4182: Inappropriate implementation in Fenced Frames. Reported by Peter Nemeth on 2022-09-28
- [1251790] Medium CVE-2022-4183: Insufficient policy enforcement in Popup Blocker. Reported by David Sievers on 2021-09-22
- [1358647] Medium CVE-2022-4184: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2022-09-01
- [1373025] Medium CVE-2022-4185: Inappropriate implementation in Navigation. Reported by James Lee (@Windowsrcer) on 2022-10-10
- [1377165] Medium CVE-2022-4186: Insufficient validation of untrusted input in Downloads. Reported by Luan Herrera (@lbherrera_) on 2022-10-21
- [1381217] Medium CVE-2022-4187: Insufficient policy enforcement in DevTools. Reported by Axel Chong on 2022-11-04
- [1340879] Medium CVE-2022-4188: Insufficient validation of untrusted input in CORS. Reported by Philipp Beer (TU Wien) on 2022-06-30
- [1344647] Medium CVE-2022-4189: Insufficient policy enforcement in DevTools. Reported by NDevTK on 2022-07-15
- [1378997] Medium CVE-2022-4190: Insufficient data validation in Directory. Reported by Axel Chong on 2022-10-27
- [1373941] Medium CVE-2022-4191: Use after free in Sign-In. Reported by Jaehun Jeong(@n3sk) of Theori on 2022-10-12
- [1344514] Medium CVE-2022-4192: Use after free in Live Caption. Reported by Samet Bekmezci @sametbekmezci on 2022-07-14
- [1354518] Medium CVE-2022-4193: Insufficient policy enforcement in File System API. Reported by Axel Chong on 2022-08-19
- [1370562] Medium CVE-2022-4194: Use after free in Accessibility. Reported by Anonymous on 2022-10-03
- [1371926] Medium CVE-2022-4195: Insufficient policy enforcement in Safe Browsing. Reported by Eric Lawrence of Microsoft on 2022-10-06
more... | chromium ungoogled-chromium
more detail |
2022-11-25 | VuXML ID 8d3838b0-6ca8-11ed-92ce-3065ec8fd3ec
Chrome Releases reports:
This release contains 1 security fix:
- [1392715] High CVE-2022-4135: Heap buffer overflow in GPU. Reported by Clement Lecigne of Google's Threat Analysis Group on 2022-11-22
Google is aware that an exploit for CVE-2022-4135 exists in the wild.
more... | chromium ungoogled-chromium
more detail |
2022-11-24 | VuXML ID 658b9198-8106-4c3d-a2aa-dc4a0a7cc3b6
Tim Wojtulewicz of Corelight reports:
A specially-crafted series of HTTP 0.9 packets can
cause Zeek to spend large amounts of time processing the
packets.
A specially-crafted FTP packet can cause Zeek to spend
large amounts of time processing the command.
A specially-crafted IPv6 packet can cause Zeek to
overflow memory and potentially crash.
more... | zeek
more detail |
2022-11-24 | VuXML ID 84ab03b6-6c20-11ed-b519-080027f5fec9
Hiroshi Tokumaru reports:
If an application generates HTTP responses using the
cgi gem with untrusted user input, an attacker can exploit
it to inject a malicious HTTP response header and/or body.
Also, the contents for a CGI::Cookie object
were not checked properly. If an application creates a
CGI::Cookie object based on user input, an
attacker may exploit it to inject invalid attributes in
Set-Cookie header. We think such applications
are unlikely, but we have included a change to check
arguments for CGI::Cookie#initialize
preventatively.
more... | ruby ruby27 ruby30 ruby31 ruby32 rubygem-cgi
more detail |
2022-11-24 | VuXML ID b6a84729-6bd0-11ed-8d9a-b42e991fc52e
GitHub advisories reports:
Multiple vulnerabilities found in advancecomp including:
- Three segmentation faults.
- Heap buffer overflow via le_uint32_read at /lib/endianrw.h.
- Three more heap buffer overflows.
more... | advancecomp
more detail |
2022-11-22 | VuXML ID e0f26ac5-6a17-11ed-93e7-901b0e9408dc
Tailscale team reports:
A vulnerability identified in the Tailscale client allows a
malicious website to access the peer API, which can then be used
to access Tailscale environment variables.
more... | tailscale
more detail |
2022-11-18 | VuXML ID 556fdf03-6785-11ed-953b-002b67dfc673
Apache Tomcat reports:
If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
The CVSS score for this vulnerability is 7.5 High
more... | tomcat tomcat-devel tomcat10 tomcat101 tomcat85 tomcat9
more detail |
2022-11-15 | VuXML ID 094e4a5b-6511-11ed-8c5e-206a8a720317
MITKRB5-SA-2022-001 Vulnerabilities in PAC parsing:
Due to integer overflow vulnerabilities in PAC parsing,
an authenticated attacker may be able to cause a KDC or kadmind
process to crash by reading beyond the bounds of allocated memory,
creating a denial of service.
On 32-bit platforms an authenticated attacker may be able to
cause heap corruption resulting in an RCE.
more... | krb5 krb5-119 krb5-120 krb5-devel
more detail |
2022-11-12 | VuXML ID 0a80f159-629b-11ed-9ca2-6c3be5272acd
Grafana Labs reports:
When using the forget password on the login page, a POST request is made
to the /api/user/password/sent-reset-email URL. When the username
or email does not exist, a JSON response contains a “user not found” message.
The CVSS score for this vulnerability is 5.3 Moderate
more... | grafana grafana8 grafana9
more detail |
2022-11-12 | VuXML ID 35d1e192-628e-11ed-8c5e-641c67a117d8
IPython project reports:
IPython 8.0.1, 7.31.1 and 5.11 are security releases that change some
default values in order to prevent potential Execution with Unnecessary
Privileges.
more... | py310-ipython py311-ipython py37-ipython py38-ipython py39-ipython
more detail |
2022-11-12 | VuXML ID 4e60d660-6298-11ed-9ca2-6c3be5272acd
Grafana Labs reports:
On July 4th as a result of an internal security audit we have discovered
a bypass in the plugin signature verification by exploiting a versioning flaw.
We believe that this vulnerability is rated at CVSS 6.1
(CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L).
more... | grafana grafana7 grafana8 grafana9
more detail |
2022-11-12 | VuXML ID 6877e164-6296-11ed-9ca2-6c3be5272acd
Grafana Labs reports:
On September 7th as a result of an internal security audit we have discovered
that Grafana could leak the authentication cookie of users to plugins. After
further analysis the vulnerability impacts data source and plugin proxy
endpoints under certain conditions.
We believe that this vulnerability is rated at CVSS 6.8
(CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
more... | grafana grafana7 grafana8 grafana9
more detail |
2022-11-12 | VuXML ID 6eb6a442-629a-11ed-9ca2-6c3be5272acd
Grafana Labs reports:
Grafana admins can invite other members to the organization they are
an admin for. When admins add members to the organization, non-existing users
get an email invite, existing members are added directly to the organization.
When an invite link is sent, it allows users to sign up with whatever
username/email address the user chooses and become a member of the organization.
The CVSS score for this vulnerability is 6.4 Moderate
more... | grafana grafana8 grafana9
more detail |
2022-11-12 | VuXML ID 6f6c9420-6297-11ed-9ca2-6c3be5272acd
Grafana Labs reports:
On June 26 a security researcher contacted Grafana Labs to disclose
a vulnerability with the GitLab data source plugin that could leak the API key
to GitLab. After further analysis the vulnerability impacts data source
and plugin proxy endpoints with authentication tokens but under some conditions.
We believe that this vulnerability is rated at CVSS 4.9
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
more... | grafana grafana7 grafana8 grafana9
more detail |
2022-11-12 | VuXML ID 909a80ba-6294-11ed-9ca2-6c3be5272acd
Grafana Labs reports:
On September 7, as a result of an internal security audit, we discovered
a security vulnerability in Grafana's basic authentication related to the usage
of username and email address.
In Grafana, a user's username and email address are unique fields, which
means no other user can have the same username or email address as another user.
In addition, a user can have an email address as a username, and the Grafana
login allows users to sign in with either username or email address. This
creates an unusual behavior, where user_1 can register with one email
address and user_2 can register their username as user_1's
email address. As a result, user_1 would be prevented from signing
in to Grafana, since user_1's password won't match user_2's
email address.
The CVSS score for this vulnerability is 4.3 moderate
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).
more... | grafana grafana8 grafana9
more detail |
2022-11-12 | VuXML ID db895ed0-6298-11ed-9ca2-6c3be5272acd
Grafana Labs reports:
Internal security audit identified a race condition in the Grafana codebase,
which allowed an unauthenticated user to query an arbitrary endpoint in Grafana.
A race condition in the HTTP context creation could cause an HTTP request to be assigned
the authentication/authorization middlewares of another call. Under heavy load
it is possible that a call protected by a privileged middleware receives instead
the middleware of a public query. As a result, an unauthenticated user can
successfully query protected endpoints.
The CVSS score for this vulnerability is 9.8 Critical
more... | grafana grafana9
more detail |
2022-11-11 | VuXML ID f5a48a7a-61d3-11ed-9094-589cfc0f81b0
phpmyfaq developers report:
a pre-auth SQL injection when saving user comments
a reflected cross-site scripting vulnerability in the search
a stored cross-site scripting vulnerability in the meta data administration
a weak password requirement
more... | phpmyfaq
more detail |
2022-11-09 | VuXML ID 5b8d8dee-6088-11ed-8c5e-641c67a117d8
Varnish Cache Project reports:
A request forgery attack can be performed on Varnish Cache servers that
have the HTTP/2 protocol turned on. An attacker may introduce
characters through the HTTP/2 pseudo-headers that are invalid in the
context of an HTTP/1 request line, causing the Varnish server to
produce invalid HTTP/1 requests to the backend. This may in turn be
used to successfully exploit vulnerabilities in a server behind the
Varnish server.
more... | varnish6 varnish7
more detail |
2022-11-09 | VuXML ID 60d4d31a-a573-41bd-8c1e-5af7513c1ee9
Tim Wojtulewicz of Corelight reports:
Fix an issue where a specially-crafted FTP packet can
cause Zeek to spend large amounts of time attempting to
search for valid commands in the data stream.
Fix a possible overflow in the Zeek dictionary code
that may lead to a memory leak.
Fix an issue where a specially-crafted packet can
cause Zeek to spend large amounts of time reporting
analyzer violations.
Fix a possible assert and crash in the HTTP analyzer
when receiving a specially crafted packet.
Fix an issue where a specially-crafted HTTP or SMTP
packet can cause Zeek to spend a large amount of time
attempting to search for filenames within the packet data.
Fix two separate possible crashes when converting
processed IP headers for logging via the raw_packet event
handlers.
more... | zeek
more detail |
2022-11-09 | VuXML ID 6b04476f-601c-11ed-92ce-3065ec8fd3ec
Chrome Releases reports:
This release contains 10 security fixes, including:
- [1377816] High CVE-2022-3885: Use after free in V8. Reported by gzobqq@ on 2022-10-24
- [1372999] High CVE-2022-3886: Use after free in Speech Recognition. Reported by anonymous on 2022-10-10
- [1372695] High CVE-2022-3887: Use after free in Web Workers. Reported by anonymous on 2022-10-08
- [1375059] High CVE-2022-3888: Use after free in WebCodecs. Reported by Peter Nemeth on 2022-10-16
- [1380063] High CVE-2022-3889: Type Confusion in V8. Reported by anonymous on 2022-11-01
- [1380083] High CVE-2022-3890: Heap buffer overflow in Crashpad. Reported by anonymous on 2022-11-01
more... | chromium ungoogled-chromium
more detail |
2022-11-09 | VuXML ID b10d1afa-6087-11ed-8c5e-641c67a117d8
Varnish Cache Project reports:
A request smuggling attack can be performed on Varnish Cache servers by
requesting that certain headers are made hop-by-hop, preventing the
Varnish Cache servers from forwarding critical headers to the backend.
Among the headers that can be filtered this way are both Content-Length
and Host, making it possible for an attacker to both break the HTTP/1
protocol framing, and bypass request to host routing in VCL.
more... | varnish7
more detail |
2022-11-08 | VuXML ID 9c399521-5f80-11ed-8ac4-b42e991fc52e
Mitre reports:
A flaw was found in darkhttpd. Invalid error handling allows
remote attackers to cause denial-of-service by accessing a
file with a large modification date. The highest threat
from this vulnerability is to system availability.
more... | darkhttpd
more detail |
2022-11-07 | VuXML ID 3310014a-5ef9-11ed-812b-206a8a720317
SO-AND-SO reports:
Sudo 1.8.0 through 1.9.12, with the crypt() password backend,
contains a plugins/sudoers/auth/passwd.c array-out-of-bounds
error that can result in a heap-based buffer over-read. This
can be triggered by arbitrary local users with access to sudo
by entering a password of seven characters or fewer. The impact
could vary depending on the system libraries, compiler,
and processor architecture.
more... | sudo
more detail |
2022-11-05 | VuXML ID 16f7ec68-5cce-11ed-9be7-454b1dd82c64
Gitlab reports:
DAST analyzer sends custom request headers with every request
Stored-XSS with CSP-bypass via scoped labels' color
Maintainer can leak Datadog API key by changing integration URL
Uncontrolled resource consumption when parsing URLs
Issue HTTP requests when users view an OpenAPI document and click buttons
Command injection in CI jobs via branch name in CI pipelines
Open redirection
Prefill variables do not check permission of the project in external CI config
Disclosure of audit events to insufficiently permissioned group and project members
Arbitrary GFM references rendered in Jira issue description leak private/confidential resources
Award emojis API for an internal note is accessible to users without access to the note
Open redirect in pipeline artifacts when generating HTML documents
Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines
Project-level Secure Files can be written out of the target directory
more... | gitlab-ce
more detail |
2022-11-03 | VuXML ID b278783f-5c1d-11ed-a21f-001fc69cd6dc
Pixman reports: for release 0.42.2
Avoid integer overflow leading to out-of-bounds write
more... | pixman
more detail |
2022-11-01 | VuXML ID 0844671c-5a09-11ed-856e-d4c9ef517024
The OpenSSL project reports:
X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602) (High):
A buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking.
X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)
(High): A buffer overrun can be triggered in X.509 certificate
verification, specifically in name constraint checking.
more... | openssl-devel
more detail |
2022-11-01 | VuXML ID 26b1100a-5a27-11ed-abfe-29ac76ec31b5
The Go project reports:
syscall, os/exec: unsanitized NUL in environment
variables
On Windows, syscall.StartProcess and os/exec.Cmd did not
properly check for invalid environment variable values. A
malicious environment variable value could exploit this
behavior to set a value for a different environment
variable. For example, the environment variable string
"A=B\x00C=D" set the variables "A=B" and "C=D".
more... | go118 go119
more detail |
2022-10-30 | VuXML ID 4b9c1c17-587c-11ed-856e-d4c9ef517024
Oracle reports:
This Critical Patch Update contains 37 new security patches for
Oracle MySQL. 11 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a
network without requiring user credentials
more... | mysql-client57 mysql-client80 mysql-connector-c++ mysql-connector-odbc mysql-server57 mysql-server80
more detail |
2022-10-28 | VuXML ID 1225c888-56ea-11ed-b5c3-3065ec8fd3ec
Chrome Releases reports:
This release contains 1 security fix:
- [1378239] High CVE-2022-3723: Type Confusion in V8. Reported by Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast on 2022-10-25
more... | chromium ungoogled-chromium
more detail |
2022-10-25 | VuXML ID 1c5f3fd7-54bf-11ed-8d1e-005056a311d1
The Samba Team reports:
The DES (for Samba 4.11 and earlier) and Triple-DES decryption
routines in the Heimdal GSSAPI library allow a length-limited write
buffer overflow on malloc() allocated memory when presented with a
maliciously small packet.
more... | samba412 samba413 samba416
more detail |
2022-10-25 | VuXML ID b4ef02f4-549f-11ed-8ad9-3065ec8fd3ec
Chrome Releases reports:
This release contains 14 security fixes, including:
- [1369871] High CVE-2022-3652: Type Confusion in V8. Reported by srodulv and ZNMchtss at S.S.L Team on 2022-09-30
- [1354271] High CVE-2022-3653: Heap buffer overflow in Vulkan. Reported by SeongHwan Park (SeHwa) on 2022-08-19
- [1365330] High CVE-2022-3654: Use after free in Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-09-19
- [1343384] Medium CVE-2022-3655: Heap buffer overflow in Media Galleries. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-07-11
- [1345275] Medium CVE-2022-3656: Insufficient data validation in File System. Reported by Ron Masas, Imperva on 2022-07-18
- [1351177] Medium CVE-2022-3657: Use after free in Extensions. Reported by Omri Bushari, Talon Cyber Security on 2022-08-09
- [1352817] Medium CVE-2022-3658: Use after free in Feedback service on Chrome OS. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-08-14
- [1355560] Medium CVE-2022-3659: Use after free in Accessibility. Reported by @ginggilBesel on 2022-08-23
- [1327505] Medium CVE-2022-3660: Inappropriate implementation in Full screen mode. Reported by Irvan Kurniawan (sourc7) on 2022-05-20
- [1350111] Low CVE-2022-3661: Insufficient data validation in Extensions. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2022-08-04
more... | chromium ungoogled-chromium
more detail |
2022-10-22 | VuXML ID 68fcee9b-5259-11ed-89c9-0800276af896
From libudisks 2.9.4 NEWS:
udiskslinuxblock: Fix leaking cleartext block interface
more... | libudisks
more detail |
2022-10-21 | VuXML ID c253c4aa-5126-11ed-8a21-589cfc0f81b0
phpmyfaq developers report:
phpMyFAQ does not implement sufficient checks to avoid
CSRF when logging out a user.
more... | phpmyfaq
more detail |
2022-10-20 | VuXML ID d6d088c9-5064-11ed-bade-080027881239
Python reports:
gh-97616: Fix multiplying a list by an integer (list *= int): detect
the integer overflow when the new allocated length is close to the
maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner.
gh-97612: Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses
a shell to run openssl commands. Issue reported and initial fix by
Caleb Shortt. Patch by Victor Stinner.
more... | python310 python37 python38 python39
more detail |
2022-10-19 | VuXML ID 676d4f16-4fb3-11ed-a374-8c164567ca3c
NGINX Development Team reports:
Two security issues were identified in the ngx_http_mp4_module,
which might allow an attacker to cause a worker process crash
or worker process memory disclosure by using a specially crafted
mp4 file, or might have potential other impact (CVE-2022-41741,
CVE-2022-41742).
more... | nginx nginx-devel
more detail |
2022-10-18 | VuXML ID 2523bc76-4f01-11ed-929b-002590f2a714
This release contains 2 security fixes:
CVE-2022-39253
When relying on the `--local` clone optimization, Git dereferences
symbolic links in the source repository before creating hardlinks
(or copies) of the dereferenced link in the destination repository.
This can lead to surprising behavior where arbitrary files are
present in a repository's `$GIT_DIR` when cloning from a malicious
repository.
Git will no longer dereference symbolic links via the `--local`
clone mechanism, and will instead refuse to clone repositories that
have symbolic links present in the `$GIT_DIR/objects` directory.
Additionally, the value of `protocol.file.allow` is changed to be
"user" by default.
CVE-2022-39260
An overly-long command string given to `git shell` can result in
overflow in `split_cmdline()`, leading to arbitrary heap writes and
remote code execution when `git shell` is exposed and the directory
`$HOME/git-shell-commands` exists.
`git shell` is taught to refuse interactive commands that are
longer than 4MiB in size. `split_cmdline()` is hardened to reject
inputs larger than 2GiB.
more... | git git-lite git-tiny
more detail |
2022-10-18 | VuXML ID 7392e1e3-4eb9-11ed-856e-d4c9ef517024
The OpenSSL project reports:
Using a Custom Cipher with NID_undef may lead to NULL encryption (low)
more... | openssl-devel
more detail |
2022-10-15 | VuXML ID d713d709-4cc9-11ed-a621-0800277bb8a8
The Gitea team reports:
Sanitize and Escape refs in git backend
Bump golang.org/x/text
Update bluemonday
more... | gitea
more detail |
2022-10-12 | VuXML ID 127674c6-4a27-11ed-9f93-002b67dfc673
The Roundcube project reports:
Description:
Remote code execution vulnerability in
roundcube-thunderbird_labels when tb_label_modify_labels is enabled.
Workaround:
If you cannot upgrade to roundcube-thunderbird_labels-1.4.13 disable the
tb_label_modify_labels config option.
more... | roundcube-thunderbird_labels
more detail |
2022-10-12 | VuXML ID 7cb12ee0-4a13-11ed-8ad9-3065ec8fd3ec
Chrome Releases reports:
This release contains 6 security fixes:
- [1364604] High CVE-2022-3445: Use after free in Skia. Reported by Nan Wang (@eternalsakura13) and Yong Liu of 360 Vulnerability Research Institute on 2022-09-16
- [1368076] High CVE-2022-3446: Heap buffer overflow in WebSQL. Reported by Kaijie Xu (@kaijieguigui) on 2022-09-26
- [1366582] High CVE-2022-3447: Inappropriate implementation in Custom Tabs. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2022-09-22
- [1363040] High CVE-2022-3448: Use after free in Permissions API. Reported by raven at KunLun lab on 2022-09-13
- [1364662] High CVE-2022-3449: Use after free in Safe Browsing. Reported by asnine on 2022-09-17
- [1369882] High CVE-2022-3450: Use after free in Peer Connection. Reported by Anonymous on 2022-09-30
more... | chromium ungoogled-chromium
more detail |
2022-10-11 | VuXML ID f9140ad4-4920-11ed-a07e-080027f5fec9
The Samba Team reports:
- CVE-2022-2031: The KDC and the kpasswd service share a single account
and set of keys, allowing them to decrypt each other's
tickets. A user who has been requested to change their
password can exploit this to obtain and use tickets to
other services.
- CVE-2022-32744: The KDC accepts kpasswd requests encrypted with any key
known to it. By encrypting forged kpasswd requests with
its own key, a user can change the passwords of other
users, enabling full domain takeover.
- CVE-2022-32745: Samba AD users can cause the server to access
uninitialised data with an LDAP add or modify request,
usually resulting in a segmentation fault.
- CVE-2022-32746: The AD DC database audit logging module can be made to
access LDAP message values that have been freed by a
preceding database module, resulting in a
use-after-free. This is only possible when modifying
certain privileged attributes, such as
userAccountControl.
- CVE-2022-32742: SMB1 Client with write access to a share can cause
server memory contents to be written into a file or
printer.
more... | samba412 samba413
more detail |
2022-10-10 | VuXML ID 0ae56f3e-488c-11ed-bb31-b42e99a1b9c3
Lahav Schlesinger reported a bug related to online
certificate revocation checking that can lead to a
denial-of-service attack.
more... | strongswan
more detail |
2022-10-07* | VuXML ID c2a89e8f-44e9-11ed-9215-00e081b7aa2d
Jenkins Security Advisory:
Description
(High) SECURITY-2886 / CVE-2022-41224
Jenkins 2.367 through 2.369 (both inclusive) does not escape
tooltips of the l:helpIcon UI component used for some help icons on
the Jenkins web UI.
This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to control tooltips for this
component.
Jenkins 2.370 escapes tooltips of the l:helpIcon UI component.
more... | jenkins
more detail |
2022-10-07 | VuXML ID e4133d8b-ab33-451a-bc68-3719de73d54a
Due to a mistake in error handling, data in RRDP snapshot and delta files
that isn't correctly base 64 encoded is treated as a fatal error and causes
Routinator to exit.
Worst case impact of this vulnerability is denial of service for the RPKI
data that Routinator provides to routers. This may stop your network from
validating route origins based on RPKI data. This vulnerability does not
allow an attacker to manipulate RPKI data. We are not aware of exploitation
of this vulnerability at this point in time.
Starting with release 0.11.3, Routinator handles encoding errors by rejecting
the snapshot or delta file and continuing with validation. In case of an
invalid delta file, it will try using the snapshot instead. If a snapshot file
is invalid, the update of the repository will fail and an update through rsync
is attempted.
more... | routinator
more detail |
2022-10-06 | VuXML ID f4f15051-4574-11ed-81a1-080027881239
Django reports:
CVE-2022-41323: Potential denial-of-service vulnerability in
internationalized URLs.
more... | py310-django32 py310-django40 py310-django41 py37-django32 py38-django32 py38-django40 py38-django41 py39-django32 py39-django40 py39-django41
more detail |
2022-10-04 | VuXML ID 854c2afb-4424-11ed-af97-adcabf310f9b
The Go project reports:
archive/tar: unbounded memory consumption when reading
headers
Reader.Read did not set a limit on the maximum size of
file headers. A maliciously crafted archive could cause
Read to allocate unbounded amounts of memory, potentially
causing resource exhaustion or panics. Reader.Read now
limits the maximum size of header blocks to 1 MiB.
net/http/httputil: ReverseProxy should not forward
unparseable query parameters
Requests forwarded by ReverseProxy included the raw
query parameters from the inbound request, including
unparseable parameters rejected by net/http. This could
permit query parameter smuggling when a Go proxy
forwards a parameter with an unparseable value.
ReverseProxy will now sanitize the query parameters in
the forwarded query when the outbound request's Form
field is set after the ReverseProxy.Director function
returns, indicating that the proxy has parsed the query
parameters. Proxies which do not parse query parameters
continue to forward the original query parameters
unchanged.
regexp/syntax: limit memory used by parsing regexps
The parsed regexp representation is linear in the size
of the input, but in some cases the constant factor can be
as high as 40,000, making relatively small regexps consume
much larger amounts of memory.
Each regexp being parsed is now limited to a 256 MB
memory footprint. Regular expressions whose
representation would use more space than that are now
rejected. Normal use of regular expressions is
unaffected.
more... | go118 go119
more detail |
2022-10-04 | VuXML ID d487d4fc-43a8-11ed-8b01-b42e991fc52e
Zyantific reports:
Zydis users of versions v3.2.0 and older
that use the string functions provided in zycore in order to
append untrusted user data to the formatter buffer within
their custom formatter hooks can run into heap buffer
overflows. Older versions of Zydis failed to properly
initialize the string object within the formatter buffer,
forgetting to initialize a few fields, leaving their value
to chance. This could then in turn cause zycore functions
like ZyanStringAppend to make incorrect calculations for the
new target size, resulting in heap memory corruption.
more... | zydis
more detail |
2022-10-02 | VuXML ID 67057b48-41f4-11ed-86c3-080027881239
Mediawiki reports:
(T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results
in an IP range check on Special:Contributions.
(T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence
of hidden users.
(T307278, CVE-2022-41766) SECURITY: On action=rollback the message
"alreadyrolled" can leak revision deleted user name.
more... | mediawiki135 mediawiki137 mediawiki138
more detail |
2022-09-30 | VuXML ID 04422df1-40d8-11ed-9be7-454b1dd82c64
Gitlab reports:
Denial of Service via cloning an issue
Arbitrary PUT request as victim user through Sentry error list
Content injection via External Status Checks
Project maintainers can access Datadog API Key from logs
Unsafe serialization of Json data could lead to sensitive data leakage
Import bug allows importing of private local git repos
Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)
Unauthorized users able to create issues in any project
Bypass group IP restriction on Dependency Proxy
Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system
Disclosure of Todo details to guest users
A user's primary email may be disclosed through group member events webhooks
Content manipulation due to branch/tag name confusion with the default branch name
Leakage of email addresses in WebHook logs
Specially crafted output makes job logs inaccessible
Enforce editing approval rules on project level
more... | gitlab-ce
more detail |
2022-09-30 | VuXML ID d459c914-4100-11ed-9bc7-3065ec8fd3ec
Chrome Releases reports:
This release contains 3 security fixes, including:
- [1366813] High CVE-2022-3370: Use after free in Custom Elements. Reported by Aviv A. on 2022-09-22
- [1366399] High CVE-2022-3373: Out of bounds write in V8. Reported by Tibor Klajnscek on 2022-09-21
more... | chromium
more detail |
2022-09-29 | VuXML ID 5a1c2e06-3fb7-11ed-a402-b42e991fc52e
A vulnerability named 'Non-Responsive Delegation Attack'
(NRDelegation Attack) has been discovered in various DNS
resolving software. The NRDelegation Attack works by having
a malicious delegation with a considerable number of non
responsive nameservers. The attack starts by querying a
resolver for a record that relies on those unresponsive
nameservers. The attack can cause a resolver to spend a lot
of time/resources resolving records under a malicious
delegation point where a considerable number of unresponsive
NS records reside. It can trigger high CPU usage in some
resolver implementations that continually look in the cache
for resolved NS records in that delegation.
more... | unbound
more detail |
2022-09-28 | VuXML ID cb902a77-3f43-11ed-9402-901b0e9408dc
Matrix developers report:
Two critical severity vulnerabilities in end-to-end encryption were
found in the SDKs which power Element, Beeper, Cinny, SchildiChat,
Circuli, Synod.im and any other clients based on matrix-js-sdk,
matrix-ios-sdk or matrix-android-sdk2.
more... | cinny element-web
more detail |
2022-09-27 | VuXML ID 0a0670a1-3e1a-11ed-b48b-e0d55e2a8bf9
Debian Security Advisory reports:
Rhodri James discovered a heap use-after-free vulnerability in the doContent function in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.
more... | expat
more detail |
2022-09-27 | VuXML ID 18529cb0-3e9c-11ed-9bc7-3065ec8fd3ec
Chrome Releases reports:
This release contains 20 security fixes, including:
- [1358907] High CVE-2022-3304: Use after free in CSS. Reported by Anonymous on 2022-09-01
- [1343104] High CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. Reported by NDevTK on 2022-07-09
- [1319229] High CVE-2022-3305: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-24
- [1320139] High CVE-2022-3306: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-27
- [1323488] High CVE-2022-3307: Use after free in Media. Reported by Anonymous Telecommunications Corp. Ltd. on 2022-05-08
- [1342722] Medium CVE-2022-3308: Insufficient policy enforcement in Developer Tools. Reported by Andrea Cappa (zi0Black) @ Shielder on 2022-07-08
- [1348415] Medium CVE-2022-3309: Use after free in Assistant. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2022-07-29
- [1240065] Medium CVE-2022-3310: Insufficient policy enforcement in Custom Tabs. Reported by Ashwin Agrawal from Optus, Sydney on 2021-08-16
- [1302813] Medium CVE-2022-3311: Use after free in Import. Reported by Samet Bekmezci @sametbekmezci on 2022-03-04
- [1303306] Medium CVE-2022-3312: Insufficient validation of untrusted input in VPN. Reported by Andr.Ess on 2022-03-06
- [1317904] Medium CVE-2022-3313: Incorrect security UI in Full Screen. Reported by Irvan Kurniawan (sourc7) on 2022-04-20
- [1328708] Medium CVE-2022-3314: Use after free in Logging. Reported by Anonymous on 2022-05-24
- [1322812] Medium CVE-2022-3315: Type confusion in Blink. Reported by Anonymous on 2022-05-05
- [1333623] Low CVE-2022-3316: Insufficient validation of untrusted input in Safe Browsing. Reported by Sven Dysthe (@svn_dy) on 2022-06-07
- [1300539] Low CVE-2022-3317: Insufficient validation of untrusted input in Intents. Reported by Hafiizh on 2022-02-24
- [1318791] Low CVE-2022-3318: Use after free in ChromeOS Notifications. Reported by GraVity0 on 2022-04-22
more... | chromium
more detail |
2022-09-26 | VuXML ID f9ada0b5-3d80-11ed-9330-080027f5fec9
Mikhail Evdokimov (aka konata) reports:
Due to inconsistent handling of internal URIs Squid is
vulnerable to Exposure of Sensitive Information about
clients using the proxy. This problem allows a trusted
client to directly access cache manager information
bypassing the manager ACL protection. The available cache
manager information contains records of internal network
structure, client credentials, client identity and client
traffic behaviour.
more... | squid
more detail |
2022-09-21 | VuXML ID 95e6e6ca-3986-11ed-8e0c-6c3be5272acd
Grafana Labs reports:
On August 9 an internal security review identified a vulnerability
in Grafana which allows an escalation from Admin privileges
to Server Admin when Auth proxy authentication is used.
Auth proxy allows authenticating a user by providing only the username
(or email) in a X-WEBAUTH-USER HTTP header: the trust assumption
is that a front proxy will take care of authentication and that the Grafana server
is publicly reachable only through this front proxy.
Datasource proxy breaks this assumption:
- it is possible to configure a fake datasource pointing to a localhost Grafana install with a X-WEBAUTH-USER HTTP header containing the admin username.
- This fake datasource can be called publicly via this proxying feature.
The CVSS score for this vulnerability is 6.6 Moderate
(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
more... | grafana grafana7 grafana8 grafana9
more detail |
2022-09-21 | VuXML ID f1f637d1-39eb-11ed-ab44-080027f5fec9
The Redis core team reports:
Executing a XAUTOCLAIM command on a stream key in a
specific state, with a specially crafted COUNT argument,
may cause an integer overflow, a subsequent heap overflow,
and potentially lead to remote code execution. The problem
affects Redis versions 7.0.0 or newer.
more... | redis
more detail |
2022-09-19 | VuXML ID 656b0152-faa9-4755-b08d-aee4a774bd04
Tim Wojtulewicz of Corelight reports:
Fix a possible overflow and crash in the ICMP analyzer
when receiving a specially crafted packet.
Fix a possible overflow and crash in the IRC analyzer
when receiving a specially crafted packet.
Fix a possible overflow and crash in the SMB analyzer
when receiving a specially crafted packet.
Fix two possible crashes when converting IP headers for
output via the raw_packet event.
more... | zeek
more detail |
2022-09-16 | VuXML ID aeb4c85b-3600-11ed-b52d-589cfc007716
Puppet reports:
The org.postgresql/postgresql driver has been updated to version 42.4.1 to address CVE-2022-31197, which is an SQL injection risk that according to the CVE report, can only be exploited if an attacker controls the database to the extent that they can adjust relevant tables to have "malicious" column names.
more... | puppetdb6 puppetdb7
more detail |
2022-09-14 | VuXML ID b59847e0-346d-11ed-8fe9-3065ec8fd3ec
Chrome Releases reports:
This release includes 11 security fixes, including:
- [1358381] High CVE-2022-3195: Out of bounds write in Storage. Reported by Ziling Chen and Nan Wang (@eternalsakura13) of 360 Vulnerability Research Institute on 2022-08-31
- [1358090] High CVE-2022-3196: Use after free in PDF. Reported by triplepwns on 2022-08-30
- [1358075] High CVE-2022-3197: Use after free in PDF. Reported by triplepwns on 2022-08-30
- [1355682] High CVE-2022-3198: Use after free in PDF. Reported by MerdroidSG on 2022-08-23
- [1355237] High CVE-2022-3199: Use after free in Frames. Reported by Anonymous on 2022-08-22
- [1355103] High CVE-2022-3200: Heap buffer overflow in Internals. Reported by Richard Lorenz, SAP on 2022-08-22
- [1343104] High CVE-2022-3201: Insufficient validation of untrusted input in DevTools. Reported by NDevTK on 2022-07-09
more... | chromium
more detail |
2022-09-12 | VuXML ID 4ebaa983-3299-11ed-95f8-901b0e9408dc
Dendrite team reports:
Events retrieved from a remote homeserver using /get_missing_events did
not have their signatures verified correctly. This could potentially allow
a remote homeserver to provide invalid/modified events to Dendrite via this
endpoint.
Note that this does not apply to events retrieved through other endpoints
(e.g. /event, /state) as they have been correctly verified.
Homeservers that have federation disabled are not vulnerable.
more... | dendrite
more detail |
2022-09-11 | VuXML ID f75722ce-31b0-11ed-8b56-0800277bb8a8
The Gitea team reports:
Double check CloneURL is acceptable
Add more checks in migration code
more... | gitea
more detail |
2022-09-08 | VuXML ID 80e057e7-2f0a-11ed-978f-fcaa147e860e
Python reports:
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal),
16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number
of digits in string form is above a limit to avoid potential denial of service attacks
due to the algorithmic complexity.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when
a URI path starts with //. Vulnerability discovered, and initial fix proposed, by
Hamza Avvan.
more... | python310 python37 python38 python39
more detail |
2022-09-07 | VuXML ID 6fea7103-2ea4-11ed-b403-3dae8ac60d3e
The Go project reports:
net/http: handle server errors after sending GOAWAY
A closing HTTP/2 server connection could hang forever
waiting for a clean shutdown that was preempted by a
subsequent fatal error. This failure mode could be
exploited to cause a denial of service.
net/url: JoinPath does not strip relative path components
in all circumstances
JoinPath and URL.JoinPath would not remove ../ path
components appended to a relative path.
more... | go118 go119
more detail |
2022-09-03 | VuXML ID f38d25ac-2b7a-11ed-a1ef-3065ec8fd3ec
Chrome Releases reports:
This release contains 1 security fix:
- [1358134] High CVE-2022-3075: Insufficient data validation in Mojo. Reported by Anonymous on 2022-08-30
Google is aware that an exploit of CVE-2022-3075 exists in the wild.
more... | chromium
more detail |
2022-09-01 | VuXML ID 5418b360-29cc-11ed-a6d4-6805ca2fa271
PowerDNS Team reports:
PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation.
more... | powerdns-recursor
more detail |
2022-09-01 | VuXML ID 827b95ff-290e-11ed-a2e7-6c3be5272acd
Grafana Labs reports:
On July 21, an internal security review identified an unauthorized file disclosure vulnerability in the Grafana Image Renderer plugin when HTTP remote rendering is used. The Chromium browser embedded in the Grafana Image Renderer allows for "printing" of unauthorized files in a PNG file. This makes it possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake data source (this applies if the user has admin permissions in Grafana).
more... | grafana grafana7 grafana8 grafana9
more detail |
2022-08-31 | VuXML ID a1323a76-28f1-11ed-a72a-002590c1f29c
Problem Description:
zlib through 1.2.12 has a heap-based buffer over-read or buffer
overflow in inflate in inflate.c via a large gzip header extra
field.
Impact:
Applications that call inflateGetHeader may be vulnerable to a
buffer overflow. Note that inflateGetHeader is not used by anything
in the FreeBSD base system, but may be used by third party
software.
more... | FreeBSD
more detail |
2022-08-31 | VuXML ID e4d93d07-297a-11ed-95f8-901b0e9408dc
Matrix developers report:
The vulnerabilities give an adversary who you share a
room with the ability to carry out a denial-of-service
attack against the affected clients, making it not show all
of a user's rooms or spaces and/or causing minor temporary
corruption.
more... | cinny element-web
more detail |
2022-08-31 | VuXML ID f2043ff6-2916-11ed-a1ef-3065ec8fd3ec
Chrome Releases reports:
This release contains 24 security fixes, including:
- [1340253] Critical CVE-2022-3038: Use after free in Network Service. Reported by Sergei Glazunov of Google Project Zero on 2022-06-28
- [1343348] High CVE-2022-3039: Use after free in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-07-11
- [1341539] High CVE-2022-3040: Use after free in Layout. Reported by Anonymous on 2022-07-03
- [1345947] High CVE-2022-3041: Use after free in WebSQL. Reported by Ziling Chen and Nan Wang(@eternalsakura13) of 360 Vulnerability Research Institute on 2022-07-20
- [1338553] High CVE-2022-3042: Use after free in PhoneHub. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-06-22
- [1336979] High CVE-2022-3043: Heap buffer overflow in Screen Capture. Reported by @ginggilBesel on 2022-06-16
- [1051198] High CVE-2022-3044: Inappropriate implementation in Site Isolation. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-02-12
- [1339648] High CVE-2022-3045: Insufficient validation of untrusted input in V8. Reported by Ben Noordhuis on 2022-06-26
- [1346245] High CVE-2022-3046: Use after free in Browser Tag. Reported by Rong Jian of VRI on 2022-07-21
- [1342586] Medium CVE-2022-3047: Insufficient policy enforcement in Extensions API. Reported by Maurice Dauer on 2022-07-07
- [1303308] Medium CVE-2022-3048: Inappropriate implementation in Chrome OS lockscreen. Reported by Andr.Ess on 2022-03-06
- [1316892] Medium CVE-2022-3049: Use after free in SplitScreen. Reported by @ginggilBesel on 2022-04-17
- [1337132] Medium CVE-2022-3050: Heap buffer overflow in WebUI. Reported by Zhihua Yao of KunLun Lab on 2022-06-17
- [1345245] Medium CVE-2022-3051: Heap buffer overflow in Exosphere. Reported by @ginggilBesel on 2022-07-18
- [1346154] Medium CVE-2022-3052: Heap buffer overflow in Window Manager. Reported by Khalil Zhani on 2022-07-21
- [1267867] Medium CVE-2022-3053: Inappropriate implementation in Pointer Lock. Reported by Jesper van den Ende (Pelican Party Studios) on 2021-11-08
- [1290236] Medium CVE-2022-3054: Insufficient policy enforcement in DevTools. Reported by Kuilin Li on 2022-01-24
- [1351969] Medium CVE-2022-3055: Use after free in Passwords. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-08-11
- [1329460] Low CVE-2022-3056: Insufficient policy enforcement in Content Security Policy. Reported by Anonymous on 2022-05-26
- [1336904] Low CVE-2022-3057: Inappropriate implementation in iframe Sandbox. Reported by Gareth Heyes on 2022-06-16
- [1337676] Low CVE-2022-3058: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-06-20
more... | chromium
more detail |
2022-08-30 | VuXML ID e6b994e2-2891-11ed-9be7-454b1dd82c64
Gitlab reports:
Remote Command Execution via GitHub import
Stored XSS via labels color
Content injection via Incidents Timeline description
Lack of length validation in Snippets leads to Denial of Service
Group IP allow-list not fully respected by the Package Registry
Abusing Gitaly.GetTreeEntries calls leads to denial of service
Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags
Regular Expression Denial of Service via special crafted input
Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events
Regex backtracking through the Commit message field
Read repository content via LivePreview feature
Denial of Service via the Create branch API
Denial of Service via Issue preview
IDOR in Zentao integration leaked issue details
Brute force attack may guess a password even when 2FA is enabled
more... | gitlab-ce
more detail |
2022-08-26 | VuXML ID 3110b29e-c82d-4287-9f6c-db82bb883b1e
Tim Wojtulewicz of Corelight reports:
Fix a possible overflow and crash in the ARP analyzer
when receiving a specially crafted packet. Due to the
possibility of this happening with packets received from
the network, this is a potential DoS vulnerability.
Fix a possible overflow and crash in the Modbus analyzer
when receiving a specially crafted packet. Due to the
possibility of this happening with packets received from
the network, this is a potential DoS vulnerability.
Fix two possible crashes when converting IP headers for
output via the raw_packet event. Due to the possibility of
this happening with packets received from the network, this
is a potential DoS vulnerability. Note that the raw_packet
event is not enabled by default so these are likely
low-severity issues.
Fix an abort related to an error related to the ordering
of record fields when processing DNS EDNS headers via events.
Due to the possibility of this happening with packets
received from the network, this is a potential DoS
vulnerability. Note that the dns_EDNS events are not
implemented by default so this is likely a low-severity
issue.
more... | zeek
more detail |
2022-08-25 | VuXML ID 36d10af7-248d-11ed-856e-d4c9ef517024
The MariaDB project reports:
Multiple vulnerabilities, mostly segfaults, in
the server component
more... | mariadb103-server mariadb104-server mariadb105-server mariadb106-server
more detail |
2022-08-25* | VuXML ID d658042c-1c98-11ed-95f8-901b0e9408dc
Dendrite team reports:
The power level parsing within gomatrixserverlib was failing to parse the "events_default"
key of the m.room.power_levels event, defaulting the event default power level to zero in all cases.
In rooms where the "events_default" power level had been changed, this could result in
events either being incorrectly authorised or rejected by Dendrite servers.
more... | dendrite
more detail |
2022-08-23 | VuXML ID 8a0cd618-22a0-11ed-b1e7-001b217b3468
Gitlab reports:
Remote Command Execution via Github import
more... | gitlab-ce
more detail |
2022-08-20 | VuXML ID 03bb8373-2026-11ed-9d70-080027240888
Drupal reports:
CVE-2022-31175: Cross-site scripting (XSS) caused by the editor
instance destroying process.
more... | drupal9
more detail |
2022-08-17 | VuXML ID f12368a8-1e05-11ed-a1ef-3065ec8fd3ec
Chrome Releases reports:
This release contains 11 security fixes, including:
- [1349322] Critical CVE-2022-2852: Use after free in FedCM. Reported by Sergei Glazunov of Google Project Zero on 2022-08-02
- [1337538] High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-06-18
- [1345042] High CVE-2022-2855: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-07-16
- [1338135] High CVE-2022-2857: Use after free in Blink. Reported by Anonymous on 2022-06-21
- [1341918] High CVE-2022-2858: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
- [1350097] High CVE-2022-2853: Heap buffer overflow in Downloads. Reported by Sergei Glazunov of Google Project Zero on 2022-08-04
- [1345630] High CVE-2022-2856: Insufficient validation of untrusted input in Intents. Reported by Ashley Shen and Christian Resell of Google Threat Analysis Group on 2022-07-19
- [1338412] Medium CVE-2022-2859: Use after free in Chrome OS Shell. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-22
- [1345193] Medium CVE-2022-2860: Insufficient policy enforcement in Cookies. Reported by Axel Chong on 2022-07-18
- [1346236] Medium CVE-2022-2861: Inappropriate implementation in Extensions API. Reported by Rong Jian of VRI on 2022-07-21
more... | chromium
more detail |
2022-08-14 | VuXML ID e2e7faf9-1b51-11ed-ae46-002b67dfc673
Apache Tomcat reports:
The Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.
more... | tomcat tomcat-devel tomcat10 tomcat85 tomcat9
more detail |
2022-08-12 | VuXML ID 75c073cc-1a1d-11ed-bea0-48ee0c739857
The XFCE project reports:
Added mime type check to the gst-thumbnailer plugin
to fix an undisclosed vulnerability.
more... | xfce4-tumbler
more detail |
2022-08-10 | VuXML ID 02fb9764-1893-11ed-9b22-002590c1f29c
Problem Description:
A particular case of memory sharing is mishandled in the virtual
memory system. This is very similar to SA-21:08.vm, but with a
different root cause.
Impact:
An unprivileged local user process can maintain a mapping of a page
after it is freed, allowing that process to read private data
belonging to other processes or the kernel.
more... | FreeBSD-kernel
more detail |
2022-08-10 | VuXML ID 21f43976-1887-11ed-9911-40b034429ecf
Openwall oss-security reports:
We have discovered a critical arbitrary file write vulnerability
in the rsync utility that allows malicious remote servers to write
arbitrary files inside the directories of connecting peers.
The server chooses which files/directories are sent to the client.
Due to the insufficient controls inside the do_server_recv function
a malicious rsync server (or Man-in-The-Middle attacker) can
overwrite arbitrary files in the rsync client target directory and
subdirectories.
more... | rsync
more detail |
2022-08-10 | VuXML ID 5028c1ae-1890-11ed-9b22-002590c1f29c
Problem Description:
When dumping core and saving process information, proc_getargv()
might return an sbuf which has a sbuf_len() of 0 or -1, which is not
properly handled.
Impact:
An out-of-bound read can happen when a user constructs a specially
crafted ps_string, which in turn can cause the kernel to crash.
more... | FreeBSD-kernel
more detail |
2022-08-10* | VuXML ID 5ddbe47b-1891-11ed-9b22-002590c1f29c
Problem Description:
The aio_aqueue function, used by the lio_listio system call, fails
to release a reference to a credential in an error case.
Impact:
An attacker may cause the reference count to overflow, leading to a
use after free (UAF).
more... | FreeBSD-kernel
more detail |
2022-08-10 | VuXML ID 8eaaf135-1893-11ed-9b22-002590c1f29c
Problem Description:
The implementation of lib9p's handling of RWALK messages was
missing a bounds check needed when unpacking the message contents.
The missing check means that the receipt of a specially crafted
message will cause lib9p to overwrite unrelated memory.
Impact:
The bug can be triggered by a malicious bhyve guest kernel to
overwrite memory in the bhyve(8) process. This could potentially lead
to user-mode code execution on the host, subject to bhyve's Capsicum
sandbox.
more... | FreeBSD
more detail |
2022-08-10 | VuXML ID c3610f39-18f1-11ed-9854-641c67a117d8
Varnish Cache Project reports:
A denial of service attack can be performed against Varnish Cache
servers by specially formatting the reason phrase of the backend response
status line. In order to execute an attack, the attacker would have to
be able to influence the HTTP/1 responses that the Varnish Server
receives from its configured backends. A successful attack would cause
the Varnish Server to assert and automatically restart.
more... | varnish7
more detail |
2022-08-09 | VuXML ID 1cd0c17a-17c0-11ed-91a5-080027f5fec9
The GnuTLS project reports:
When gnutls_pkcs7_verify cannot verify signature against
given trust list, it starts creating a chain of
certificates starting from identified signer up to known
root. During the creation of this chain the signer
certificate gets freed which results in double free when
the same signer certificate is freed at the end of the
algorithm.
more... | gnutls
more detail |
2022-08-08 | VuXML ID 9b9a5f6e-1755-11ed-adef-589cfc01894a
wolfSSL blog reports:
In release 5.4.0 there were 3 vulnerabilities listed as
fixed in wolfSSL. Two relatively new reports, one dealing with a DTLS
1.0/1.2 denial of service attack and the other a ciphertext attack on
ECC/DH operations. The last vulnerability listed was a public
disclosure of a previous attack on AMD devices fixed since wolfSSL
version 5.1.0. Coordination of the disclosure of the attack was done
responsibly, in cooperation with the researchers, waiting for the
public release of the attack details since it affects multiple
security libraries.
more... | wolfssl
more detail |
2022-08-05 | VuXML ID 3b47104f-1461-11ed-a0c5-080027240888
Django reports:
CVE-2022-36359: Potential reflected file download vulnerability in FileResponse.
more... | py310-django32 py310-django40 py38-django32 py38-django40 py39-django32 py39-django40
more detail |
2022-08-05 | VuXML ID 8bec3994-104d-11ed-a7ac-0800273f11ea
The Gitea team reports:
Use git.HOME_PATH for Git HOME directory
Add write check for creating Commit status
Remove deprecated SSH ciphers from default
more... | gitea
more detail |
2022-08-05 | VuXML ID bc43a578-14ec-11ed-856e-d4c9ef517024
NLnet Labs reports:
novel type of the "ghost domain names" attack. The vulnerability
works by targeting an Unbound instance. Unbound is queried for a
rogue domain name when the cached delegation information is about to
expire. The rogue nameserver delays the response so that the cached
delegation information is expired. Upon receiving the delayed answer
containing the delegation information, Unbound overwrites the now
expired entries. This action can be repeated when the delegation
information is about to expire making the rogue delegation
information ever-updating.
novel type of the "ghost domain names" attack. The vulnerability
works by targeting an Unbound instance. Unbound is queried for a
subdomain of a rogue domain name. The rogue nameserver returns
delegation information for the subdomain that updates Unbound's
delegation cache. This action can be repeated before expiry of the
delegation information by querying Unbound for a second level
subdomain which the rogue nameserver provides new delegation
information.
more... | unbound
more detail |
2022-08-05 | VuXML ID df29c391-1046-11ed-a7ac-0800273f11ea
The Gitea team reports:
Add write check for creating Commit status
Check for permission when fetching user controlled issues
more... | gitea
more detail |
2022-08-03 | VuXML ID 96a41723-133a-11ed-be3b-3065ec8fd3ec
Chrome Releases reports:
This release contains 27 security fixes, including:
- [1325699] High CVE-2022-2603: Use after free in Omnibox. Reported by Anonymous on 2022-05-16
- [1335316] High CVE-2022-2604: Use after free in Safe Browsing. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-10
- [1338470] High CVE-2022-2605: Out of bounds read in Dawn. Reported by Looben Yang on 2022-06-22
- [1330489] High CVE-2022-2606: Use after free in Managed devices API. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-31
- [1286203] High CVE-2022-2607: Use after free in Tab Strip. Reported by @ginggilBesel on 2022-01-11
- [1330775] High CVE-2022-2608: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-06-01
- [1338560] High CVE-2022-2609: Use after free in Nearby Share. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-06-22
- [1278255] Medium CVE-2022-2610: Insufficient policy enforcement in Background Fetch. Reported by Maurice Dauer on 2021-12-09
- [1320538] Medium CVE-2022-2611: Inappropriate implementation in Fullscreen API. Reported by Irvan Kurniawan (sourc7) on 2022-04-28
- [1321350] Medium CVE-2022-2612: Side-channel information leakage in Keyboard input. Reported by Erik Kraft (erik.kraft5@gmx.at), Martin Schwarzl (martin.schwarzl@iaik.tugraz.at) on 2022-04-30
- [1325256] Medium CVE-2022-2613: Use after free in Input. Reported by Piotr Tworek (Vewd) on 2022-05-13
- [1341907] Medium CVE-2022-2614: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
- [1268580] Medium CVE-2022-2615: Insufficient policy enforcement in Cookies. Reported by Maurice Dauer on 2021-11-10
- [1302159] Medium CVE-2022-2616: Inappropriate implementation in Extensions API. Reported by Alesandro Ortiz on 2022-03-02
- [1292451] Medium CVE-2022-2617: Use after free in Extensions API. Reported by @ginggilBesel on 2022-01-31
- [1308422] Medium CVE-2022-2618: Insufficient validation of untrusted input in Internals. Reported by asnine on 2022-03-21
- [1332881] Medium CVE-2022-2619: Insufficient validation of untrusted input in Settings. Reported by Oliver Dunk on 2022-06-04
- [1337304] Medium CVE-2022-2620: Use after free in WebUI. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-17
- [1323449] Medium CVE-2022-2621: Use after free in Extensions. Reported by Huyna at Viettel Cyber Security on 2022-05-07
- [1332392] Medium CVE-2022-2622: Insufficient validation of untrusted input in Safe Browsing. Reported by Imre Rad (@ImreRad) and @j00sean on 2022-06-03
- [1337798] Medium CVE-2022-2623: Use after free in Offline. Reported by raven at KunLun lab on 2022-06-20
- [1339745] Medium CVE-2022-2624: Heap buffer overflow in PDF. Reported by YU-CHANG CHEN and CHIH-YEN CHANG, working with DEVCORE Internship Program on 2022-06-27
more... | chromium
more detail |
2022-08-02 | VuXML ID 7f8d5435-125a-11ed-9a69-10c37b4ac2ea
The Go project reports:
encoding/gob & math/big: decoding big.Float and
big.Rat can panic
Decoding big.Float and big.Rat types can panic if the
encoded message is too short.
more... | go117 go118
more detail |
2022-07-30 | VuXML ID 4c26f668-0fd2-11ed-a83d-001b217b3468
Gitlab reports:
Revoke access to confidential notes todos
Pipeline subscriptions trigger new pipelines with the wrong author
Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email
Import via git protocol allows to bypass checks on repository
Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages
Maintainer can leak Packagist and other integration access tokens by changing integration URL
Unauthenticated access to victims Grafana datasources through path traversal
Unauthorized users can filter issues by contact and organization
Malicious Maintainer may change the visibility of project or a group
Stored XSS in job error messages
Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant
Non project members can view public project's Deploy Keys
IDOR in project with Jira integration leaks project owner's other projects Jira issues
Group Bot Users and Tokens not deleted after group deletion
Email invited members can join projects even after the member lock has been enabled
Datadog integration returns user emails
more... | gitlab-ce
more detail |
2022-07-21 | VuXML ID 8e150606-08c9-11ed-856e-d4c9ef517024
Oracle reports:
This Critical Patch Update contains 34 new security patches plus
additional third party patches noted below for Oracle MySQL. 10 of
these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without
requiring user credentials.
more... | mysql-client80 mysql-server56 mysql-server57 mysql-server80
more detail |
2022-07-21 | VuXML ID e1387e95-08d0-11ed-be26-001999f8d30b
Oracle reports:
Easily exploitable vulnerability allows high privileged
attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox.
Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of Oracle VM VirtualBox.
more... | virtualbox-ose
more detail |
2022-07-20 | VuXML ID 27cc4258-0805-11ed-8ac1-3065ec8fd3ec
Chrome Releases reports:
This release contains 11 security fixes, including:
- [1336266] High CVE-2022-2477: Use after free in Guest View. Reported by anonymous on 2022-06-14
- [1335861] High CVE-2022-2478: Use after free in PDF. Reported by triplepwns on 2022-06-13
- [1329987] High CVE-2022-2479: Insufficient validation of untrusted input in File. Reported by anonymous on 2022-05-28
- [1339844] High CVE-2022-2480: Use after free in Service Worker API. Reported by Sergei Glazunov of Google Project Zero on 2022-06-27
- [1341603] High CVE-2022-2481: Use after free in Views. Reported by YoungJoo Lee(@ashuu_lee) of CompSecLab at Seoul National University on 2022-07-04
- [1308341] Low CVE-2022-2163: Use after free in Cast UI and Toolbar. Reported by Chaoyuan Peng (@ret2happy) on 2022-03-21
more... | chromium
more detail |
2022-07-18 | VuXML ID 871d93f9-06aa-11ed-8d5f-080027f5fec9
The Redis core team reports:
A specially crafted XAUTOCLAIM command on a stream key in
a specific state may result with heap overflow, and
potentially remote code execution.
more... | redis
more detail |
2022-07-15 | VuXML ID 0859e6d5-0415-11ed-a53b-6c3be5272acd
Grafana Labs reports:
It is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP to take over an existing Grafana account under some conditions.
more... | grafana grafana7 grafana8 grafana9
more detail |
2022-07-15 | VuXML ID 0c367e98-0415-11ed-a53b-6c3be5272acd
Grafana Labs reports:
An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. (Note: Grafana Alerting is activated by default in Grafana 9.0.)
more... | grafana grafana8 grafana9
more detail |
2022-07-13 | VuXML ID a4f2416c-02a0-11ed-b817-10c37b4ac2ea
The Go project reports:
net/http: improper sanitization of Transfer-Encoding
header
The HTTP/1 client accepted some invalid
Transfer-Encoding headers as indicating a "chunked"
encoding. This could potentially allow for request
smuggling, but only if combined with an intermediate
server that also improperly failed to reject the header
as invalid.
When httputil.ReverseProxy.ServeHTTP was called with a
Request.Header map containing a nil value for the
X-Forwarded-For header, ReverseProxy would set the client
IP as the value of the X-Forwarded-For header, contrary to
its documentation. In the more usual case where a Director
function set the X-Forwarded-For header value to nil,
ReverseProxy would leave the header unmodified as
expected.
compress/gzip: stack exhaustion in Reader.Read
Calling Reader.Read on an archive containing a large
number of concatenated 0-length compressed files can
cause a panic due to stack exhaustion.
encoding/xml: stack exhaustion in Unmarshal
Calling Unmarshal on a XML document into a Go struct
which has a nested field that uses the any field tag can
cause a panic due to stack exhaustion.
encoding/xml: stack exhaustion in Decoder.Skip
Calling Decoder.Skip when parsing a deeply nested XML
document can cause a panic due to stack exhaustion.
encoding/gob: stack exhaustion in Decoder.Decode
Calling Decoder.Decode on a message which contains
deeply nested structures can cause a panic due to stack
exhaustion.
path/filepath: stack exhaustion in Glob
Calling Glob on a path which contains a large number of
path separators can cause a panic due to stack
exhaustion.
io/fs: stack exhaustion in Glob
Calling Glob on a path which contains a large number of
path separators can cause a panic due to stack
exhaustion.
go/parser: stack exhaustion in all Parse* functions
Calling any of the Parse functions on Go source code
which contains deeply nested types or declarations can
cause a panic due to stack exhaustion.
more... | go117 go118
more detail |
2022-07-12 | VuXML ID b99f99f6-021e-11ed-8c6f-000c29ffbb6c
The git project reports:
Git is vulnerable to privilege escalation in all platforms.
An unsuspecting user could still be affected by the issue
reported in CVE-2022-24765, for example when navigating as
root into a shared tmp directory that is owned by them, but
where an attacker could create a git repository.
more... | git
more detail |
2022-07-10 | VuXML ID 830855f3-ffcc-11ec-9d41-d05099c8b5a7
mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../
directory traversal during the ZIP archive cleaning process. This
primarily affects mat2 web instances, in which clients could obtain
sensitive information via a crafted archive.
more... | mat2
more detail |
2022-07-09 | VuXML ID d1b35142-ff4a-11ec-8be3-001b217b3468
Gitlab reports:
Remote Command Execution via Project Imports
XSS in ZenTao integration affecting self hosted instances without strict CSP
XSS in project settings page
Unallowed users can read unprotected CI variables
IP allow-list bypass to access Container Registries
2FA status is disclosed to unauthenticated users
CI variables provided to runners outside of a group's restricted IP range
IDOR in sentry issues
Reporters can manage issues in error tracking
Regular Expression Denial of Service via malicious web server responses
Unauthorized read for conan repository
Open redirect vulnerability
Group labels are editable through subproject
Release titles visible for any users if group milestones are associated with any project releases
Restrict membership by email domain bypass
Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint
more... | gitlab-ce
more detail |
2022-07-08* | VuXML ID b9210706-feb0-11ec-81fa-1c697a616631
Node.js reports:
HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding
(Medium)(CVE-2022-32213)
The llhttp parser in the http module does not correctly parse and
validate Transfer-Encoding headers. This can lead to HTTP Request
Smuggling (HRS).
HTTP Request Smuggling - Improper Delimiting of Header Fields
(Medium)(CVE-2022-32214)
The llhttp parser in the http module does not strictly use the CRLF
sequence to delimit HTTP requests. This can lead to HTTP Request
Smuggling (HRS).
HTTP Request Smuggling - Incorrect Parsing of Multi-line
Transfer-Encoding (Medium)(CVE-2022-32215)
The llhttp parser in the http module does not correctly handle
multi-line Transfer-Encoding headers. This can lead to HTTP Request
Smuggling (HRS).
DNS rebinding in --inspect via invalid IP addresses
(High)(CVE-2022-32212)
The IsAllowedHost check can easily be bypassed because IsIPAddress
does not properly check if an IP address is invalid or not. When an
invalid IPv4 address is provided (for instance 10.0.2.555 is
provided), browsers (such as Firefox) will make DNS requests to the
DNS server, providing a vector for an attacker-controlled DNS server
or a MITM who can spoof DNS responses to perform a rebinding attack
and hence connect to the WebSocket debugger, allowing for arbitrary
code execution. This is a bypass of CVE-2021-22884.
Attempt to read openssl.cnf from /home/iojs/build/ upon startup
(Medium)(CVE-2022-32222)
When Node.js starts on linux based systems, it attempts to read
/home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf,
which ordinarily doesn't exist. On some shared systems an attacker may
be able to create this file and therefore affect the default OpenSSL
configuration for other users.
OpenSSL - AES OCB fails to encrypt some bytes
(Medium)(CVE-2022-2097)
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly
optimised implementation will not encrypt the entirety of the data
under some circumstances. This could reveal sixteen bytes of data that
was preexisting in the memory that wasn't written. In the special case
of "in place" encryption, sixteen bytes of the plaintext would be
revealed. Since OpenSSL does not support OCB based cipher suites for
TLS and DTLS, they are both unaffected.
more... | node node14 node16
more detail |
2022-07-07 | VuXML ID 744ec9d7-fe0f-11ec-bcd2-3065ec8fd3ec
Chrome Releases reports:
This release contains 4 security fixes, including:
- [1341043] High CVE-2022-2294: Heap buffer overflow in WebRTC. Reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01
- [1336869] High CVE-2022-2295: Type Confusion in V8. Reported by avaue and Buff3tts at S.S.L. on 2022-06-16
- [1327087] High CVE-2022-2296: Use after free in Chrome OS Shell. Reported by Khalil Zhani on 2022-05-19
more... | chromium
more detail |
2022-07-05 | VuXML ID a28e8b7e-fc70-11ec-856e-d4c9ef517024
The OpenSSL project reports:
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation will not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of data that was
preexisting in the memory that wasn't written. In the special case of
"in place" encryption, sixteen bytes of the plaintext would be revealed.
more... | openssl openssl-devel
more detail |
2022-07-05* | VuXML ID f0e45968-faff-11ec-856e-d4c9ef517024
The OpenSSL project reports:
The OpenSSL 3.0.4 release introduced a serious bug in the RSA
implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
This issue makes the RSA implementation with 2048 bit private keys
incorrect on such machines and memory corruption will happen during
the computation. As a consequence of the memory corruption an attacker
may be able to trigger a remote code execution on the machine performing
the computation.
SSL/TLS servers or other servers using 2048 bit RSA private keys running
on machines supporting AVX512IFMA instructions of the X86_64 architecture
are affected by this issue.
more... | openssl-devel
more detail |
2022-07-04 | VuXML ID 5be19b0d-fb85-11ec-95cd-080027b24e86
SO-AND-SO reports:
CVE-2022-34265: Potential SQL injection via Trunc(kind) and
Extract(lookup_name) arguments.
more... | py310-django32 py310-django40 py37-django32 py38-django32 py38-django40 py39-django32 py39-django40
more detail |
2022-07-03 | VuXML ID 5ab54ea0-fa94-11ec-996c-080027b24e86
Mediawiki reports:
(T308471) Username is not escaped in the "welcomeuser" message.
(T308473) Username not escaped in the contributions-title message.
(T309377, CVE-2022-29248) Update "guzzlehttp/guzzle" to version 6.5.6.
(T311384, CVE-2022-27776) Update "guzzlehttp/guzzle" to 6.5.8/7.4.5.
more... | mediawiki135 mediawiki137 mediawiki138
more detail |
2022-06-29 | VuXML ID 07c0d782-f758-11ec-acaa-901b0e9408dc
Matrix developers report:
This release fixes a vulnerability with Synapse's URL preview feature. URL previews
of some web pages can lead to unbounded recursion, causing the request to either fail,
or in some cases crash the running Synapse process.
Note that:
- Homeservers with the url_preview_enabled configuration option set to false
(the default value) are unaffected.
- Instances with the enable_media_repo configuration option set to false are
also unaffected, as this also disables the URL preview functionality.
more... | py310-matrix-synapse py311-matrix-synapse py37-matrix-synapse py38-matrix-synapse py39-matrix-synapse
more detail |
2022-06-27 | VuXML ID ae5722a6-f5f0-11ec-856e-d4c9ef517024
The cURL project reports:
- CVE-2022-32205: Set-Cookie denial of service
- CVE-2022-32206: HTTP compression denial of service
- CVE-2022-32207: Unpreserved file permissions
- CVE-2022-32208: FTP-KRB bad message verification
more... | curl
more detail |
2022-06-22 | VuXML ID 25be46f0-f25d-11ec-b62a-00e081b7aa2d
Jenkins Security Advisory:
Description
(High) SECURITY-2781 / CVE-2022-34170 (SECURITY-2779), CVE-2022-34171 (SECURITY-2761), CVE-2022-34172 (SECURITY-2776), CVE-2022-34173 (SECURITY-2780)
Multiple XSS vulnerabilities
(Medium) SECURITY-2566 / CVE-2022-34174
Observable timing discrepancy allows determining username validity
(Medium) SECURITY-2777 / CVE-2022-34175
Unauthorized view fragment access
more... | jenkins jenkins-lts
more detail |
2022-06-22 | VuXML ID 4eeb93bf-f204-11ec-8fbd-d4c9ef517024
The OpenSSL project reports:
Circumstances where the c_rehash script does not properly
sanitise shell metacharacters to prevent command injection were
found by code review.
more... | openssl openssl-devel openssl-quictls
more detail |
2022-06-22 | VuXML ID b2a4c5f1-f1fe-11ec-bcd2-3065ec8fd3ec
Chrome Releases reports:
This release contains 14 security fixes, including:
- [1335458] Critical CVE-2022-2156: Use after free in Base. Reported by Mark Brand of Google Project Zero on 2022-06-11
- [1327312] High CVE-2022-2157: Use after free in Interest groups. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-19
- [1321078] High CVE-2022-2158: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2022-04-29
- [1116450] Medium CVE-2022-2160: Insufficient policy enforcement in DevTools. Reported by David Erceg on 2020-08-14
- [1330289] Medium CVE-2022-2161: Use after free in WebApp Provider. Reported by Zhihua Yao of KunLun Lab on 2022-05-30
- [1307930] Medium CVE-2022-2162: Insufficient policy enforcement in File System API. Reported by Abdelhamid Naceri (halov) on 2022-03-19
- [1308341] Low CVE-2022-2163: Use after free in Cast UI and Toolbar. Reported by Chaoyuan Peng (@ret2happy) on 2022-03-21
- [1268445] Low CVE-2022-2164: Inappropriate implementation in Extensions API. Reported by José Miguel Moreno Computer Security Lab (COSEC) at UC3M on 2021-11-10
- [1250993] Low CVE-2022-2165: Insufficient data validation in URL formatting. Reported by Rayyan Bijoora on 2021-09-19
more... | chromium
more detail |
2022-06-20 | VuXML ID ad37a349-ebb7-11ec-b9f7-21427354249d
Zeyu Zhang reports:
In mitmproxy 7.0.4 and below, a malicious client or server is able to
perform HTTP request smuggling attacks through mitmproxy. This means
that a malicious client/server could smuggle a request/response through
mitmproxy as part of another request/response's HTTP message body. While
mitmproxy would only see one request, the target server would see
multiple requests. A smuggled request is still captured as part of
another request's body, but it does not appear in the request list and
does not go through the usual mitmproxy event hooks, where users may
have implemented custom access control checks or input sanitization.
Unless you use mitmproxy to protect an HTTP/1 service, no action is required.
more... | mitmproxy
more detail |
2022-06-17 | VuXML ID 5d1e4f6a-ee4f-11ec-86c2-485b3931c969
Tor organization reports:
TROVE-2022-001
more... | tor
more detail |
2022-06-11 | VuXML ID 482456fb-e9af-11ec-93b6-318d1419ea39
Debian Security tracker reports:
ExifTool.pm in ExifTool before 12.38 mishandles a file special characters check, leading to command injection
more... | p5-Image-ExifTool
more detail |
2022-06-11 | VuXML ID 55cff5d2-e95c-11ec-ae20-001999f8d30b
XFCE Project reports:
Prevent executing possibly malicious .desktop files
from online sources (ftp://, http:// etc.).
more... | libexo
more detail |
2022-06-11 | VuXML ID b51cfaea-e919-11ec-9fba-080027240888
Numpy reports:
At most call-sites for PyArray_DescrNew, there are no validations of its return,
but an invalid address may be returned.
more... | py310-numpy py38-numpy py39-numpy
more detail |
2022-06-10* | VuXML ID 49adfbe5-e7d1-11ec-8fbd-d4c9ef517024
The Apache httpd project reports:
- CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop
mechanism. Apache HTTP Server 2.4.53 and earlier may not send the
X-Forwarded-* headers to the origin server based on client side
Connection header hop-by-hop mechanism. This may be used to bypass
IP based authentication on the origin server/application.
- CVE-2022-30556: Information Disclosure in mod_lua with websockets.
Apache HTTP Server 2.4.53 and earlier may return lengths to
applications calling r:wsread() that point past the end of the
storage allocated for the buffer.
- CVE-2022-30522: mod_sed denial of service. If Apache HTTP Server
2.4.53 is configured to do transformations with mod_sed in contexts
where the input to mod_sed may be very large, mod_sed may make
excessively large memory allocations and trigger an abort.
- CVE-2022-29404: Denial of service in mod_lua r:parsebody. In Apache
HTTP Server 2.4.53 and earlier, a malicious request to a lua script
that calls r:parsebody(0) may cause a denial of service due to no
default limit on possible input size.
- CVE-2022-28615: Read beyond bounds in ap_strcmp_match(). Apache
HTTP Server 2.4.53 and earlier may crash or disclose information due
to a read beyond bounds in ap_strcmp_match() when provided with an
extremely large input buffer. While no code distributed with the
server can be coerced into such a call, third-party modules or lua
scripts that use ap_strcmp_match() may hypothetically be affected.
- CVE-2022-28614: read beyond bounds via ap_rwrite(). The ap_rwrite()
function in Apache HTTP Server 2.4.53 and earlier may read unintended
memory if an attacker can cause the server to reflect very large
input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts()
function.
- CVE-2022-28330: read beyond bounds in mod_isapi. Apache HTTP Server
2.4.53 and earlier on Windows may read beyond bounds when configured
to process requests with the mod_isapi module.
- CVE-2022-26377: mod_proxy_ajp: Possible request smuggling.
Inconsistent Interpretation of HTTP Requests ('HTTP Request
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it forwards
requests to.
more... | apache24
more detail |
2022-06-09 | VuXML ID c80ce2dd-e831-11ec-bcd2-3065ec8fd3ec
Chrome Releases reports:
This release contains 7 security fixes, including:
- [1326210] High CVE-2022-2007: Use after free in WebGPU. Reported by David Manouchehri on 2022-05-17
- [1317673] High CVE-2022-2008: Out of bounds memory access in WebGL. Reported by khangkito - Tran Van Khang (VinCSS) on 2022-04-19
- [1325298] High CVE-2022-2010: Out of bounds read in compositing. Reported by Mark Brand of Google Project Zero on 2022-05-13
- [1330379] High CVE-2022-2011: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-05-31
more... | chromium
more detail |
2022-06-07 | VuXML ID 15888c7e-e659-11ec-b7fe-10c37b4ac2ea
The Go project reports:
crypto/rand: rand.Read hangs with extremely large buffers
On Windows, rand.Read will hang indefinitely if passed a
buffer larger than 1 << 32 - 1 bytes.
crypto/tls: session tickets lack random ticket_age_add
Session tickets generated by crypto/tls did not contain
a randomly generated ticket_age_add. This allows an
attacker that can observe TLS handshakes to correlate
successive connections by comparing ticket ages during
session resumption.
os/exec: empty Cmd.Path can result in running unintended
binary on Windows
If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or
cmd.CombinedOutput are executed when Cmd.Path is unset
and, in the working directory, there are binaries named
either "..com" or "..exe", they will be executed.
path/filepath: Clean(`.\c:`) returns `c:` on Windows
On Windows, the filepath.Clean function could convert an
invalid path to a valid, absolute path. For example,
Clean(`.\c:`) returned `c:`.
more... | go117 go118
more detail |
2022-06-05 | VuXML ID a58f3fde-e4e0-11ec-8340-2d623369b8b5
Nils Bars reports:
During the processing of [a specially fuzzed disk image], an
out-of-bounds write is triggered and causes a segmentation fault
(SIGSEGV).
more... | e2fsprogs e2fsprogs-nobootfsck e2fsprogs-roothardlinks
more detail |
2022-06-04 | VuXML ID f414d69f-e43d-11ec-9ea4-001b217b3468
Gitlab reports:
Account take over via SCIM email change
Stored XSS in Jira integration
Quick action commands susceptible to XSS
IP allowlist bypass when using Trigger tokens
IP allowlist bypass when using Project Deploy Tokens
Improper authorization in the Interactive Web Terminal
Subgroup member can list members of parent group
Group member lock bypass
more... | gitlab-ce
more detail |
2022-06-03 | VuXML ID 204f1a7a-43df-412f-ad25-7dbe88f54fa4
Tim Wojtulewicz of Corelight reports:
Fix potential hang in the DNS analyzer when receiving
a specially-crafted packet. Due to the possibility of
this happening with packets received from the network,
this is a potential DoS vulnerability.
more... | zeek
more detail |
2022-05-24 | VuXML ID 40e2c35e-db99-11ec-b0cf-3065ec8fd3ec
Chrome Releases reports:
This release contains 32 security fixes, including:
- [1324864] Critical CVE-2022-1853: Use after free in Indexed DB. Reported by Anonymous on 2022-05-12
- [1320024] High CVE-2022-1854: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-04-27
- [1228661] High CVE-2022-1855: Use after free in Messaging. Reported by Anonymous on 2021-07-13
- [1323239] High CVE-2022-1856: Use after free in User Education. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-06
- [1227995] High CVE-2022-1857: Insufficient policy enforcement in File System API. Reported by Daniel Rhea on 2021-07-11
- [1314310] High CVE-2022-1858: Out of bounds read in DevTools. Reported by EllisVlad on 2022-04-07
- [1322744] High CVE-2022-1859: Use after free in Performance Manager. Reported by Guannan Wang (@Keenan7310) of Tencent Security Xuanwu Lab on 2022-05-05
- [1297209] High CVE-2022-1860: Use after free in UI Foundations. Reported by @ginggilBesel on 2022-02-15
- [1316846] High CVE-2022-1861: Use after free in Sharing. Reported by Khalil Zhani on 2022-04-16
- [1236325] Medium CVE-2022-1862: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2021-08-04
- [1292870] Medium CVE-2022-1863: Use after free in Tab Groups. Reported by David Erceg on 2022-02-01
- [1320624] Medium CVE-2022-1864: Use after free in WebApp Installs. Reported by Yuntao You (@GraVity0) of Bytedance Wuheng Lab on 2022-04-28
- [1289192] Medium CVE-2022-1865: Use after free in Bookmarks. Reported by Rong Jian of VRI on 2022-01-20
- [1292264] Medium CVE-2022-1866: Use after free in Tablet Mode. Reported by @ginggilBesel on 2022-01-29
- [1315563] Medium CVE-2022-1867: Insufficient validation of untrusted input in Data Transfer. Reported by Michal Bentkowski of Securitum on 2022-04-12
- [1301203] Medium CVE-2022-1868: Inappropriate implementation in Extensions API. Reported by Alesandro Ortiz on 2022-02-28
- [1309467] Medium CVE-2022-1869: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2022-03-23
- [1323236] Medium CVE-2022-1870: Use after free in App Service. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-06
- [1308199] Low CVE-2022-1871: Insufficient policy enforcement in File System API. Reported by Thomas Orlita on 2022-03-21
- [1310461] Low CVE-2022-1872: Insufficient policy enforcement in Extensions API. Reported by ChaobinZhang on 2022-03-26
- [1305394] Low CVE-2022-1873: Insufficient policy enforcement in COOP. Reported by NDevTK on 2022-03-11
- [1251588] Low CVE-2022-1874: Insufficient policy enforcement in Safe Browsing. Reported by hjy79425575 on 2021-09-21
- [1306443] Low CVE-2022-1875: Inappropriate implementation in PDF. Reported by NDevTK on 2022-03-15
- [1313600] Low CVE-2022-1876: Heap buffer overflow in DevTools. Reported by @ginggilBesel on 2022-04-06
more... | chromium
more detail |
2022-05-23 | VuXML ID 04fecc47-dad2-11ec-8fbd-d4c9ef517024
The MariaDB project reports:
MariaDB fixed 23 vulnerabilities across all supported versions
more... | mariadb103-client mariadb103-server mariadb104-client mariadb104-server mariadb105-client mariadb105-server mariadb106-client mariadb106-server
more detail |
2022-05-23* | VuXML ID add683be-bd76-11ec-a06f-d4c9ef517024
Oracle reports:
The 2022 April Critical Patch Update contains 43 new security
patches for Oracle MySQL. 11 of these vulnerabilities may be
remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user credentials.
more... | mysql57-server mysql80-client mysql80-server
more detail |
2022-05-19 | VuXML ID b2407db1-d79f-11ec-a15f-589cfc0f81b0
The ClamAV project reports:
Fixed a possible double-free vulnerability in the OLE2 file
parser. Issue affects versions 0.104.0 through 0.104.2. Issue
identified by OSS-Fuzz.
Fixed a possible infinite loop vulnerability in the CHM file
parser. Issue affects versions 0.104.0 through 0.104.2 and LTS
version 0.103.5 and prior versions. Thank you to Michał Dardas
for reporting this issue.
Fixed a possible NULL-pointer dereference crash in the scan
verdict cache check. Issue affects versions 0.103.4, 0.103.5,
0.104.1, and 0.104.2. Thank you to Alexander Patrakov and
Antoine Gatineau for reporting this issue.
Fixed a possible infinite loop vulnerability in the TIFF file
parser. Issue affects versions 0.104.0 through 0.104.2 and LTS
version 0.103.5 and prior versions. The issue only occurs if the
"--alert-broken-media" ClamScan option is enabled. For ClamD,
the affected option is "AlertBrokenMedia yes", and for libclamav
it is the "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option. Thank
you to Michał Dardas for reporting this issue.
Fixed a possible memory leak in the HTML file parser /
Javascript normalizer. Issue affects versions 0.104.0 through
0.104.2 and LTS version 0.103.5 and prior versions. Thank you to
Michał Dardas for reporting this issue.
Fixed a possible multi-byte heap buffer overflow write
vulnerability in the signature database load module. The fix was
to update the vendored regex library to the latest version.
Issue affects versions 0.104.0 through 0.104.2 and LTS version
0.103.5 and prior versions. Thank you to Michał Dardas for
reporting this issue.
more... | clamav clamav-lts
more detail |
2022-05-15 | VuXML ID a1360138-d446-11ec-8ea1-10c37b4ac2ea
The Go project reports:
When called with a non-zero flags parameter, the
syscall.Faccessat function could incorrectly report that a
file is accessible. This bug only occurs on Linux systems.
more... | go go117
more detail |
2022-05-13 | VuXML ID 11e36890-d28c-11ec-a06f-d4c9ef517024
The curl project reports:
CVE-2022-27778: curl removes wrong file on error
CVE-2022-27779: cookie for trailing dot TLD
CVE-2022-27780: percent-encoded path separator in URL host
CVE-2022-27781: CERTINFO never-ending busy-loop
CVE-2022-27782: TLS and SSH connection too eager reuse
CVE-2022-30115: HSTS bypass via trailing dot
more... | curl
more detail |
2022-05-11 | VuXML ID 157ce083-d145-11ec-ab9b-6cc21735f730
The PostgreSQL project reports:
Confine additional operations within "security restricted
operation" sandboxes.
Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW,
and pg_amcheck activated the "security restricted operation" protection
mechanism too late, or even not at all in some code paths.
A user having permission to create non-temporary objects within a
database could define an object that would execute arbitrary SQL
code with superuser permissions the next time that autovacuum
processed the object, or that some superuser ran one of the affected
commands against it.
more... | postgresql10-server postgresql11-server postgresql12-server postgresql13-server postgresql14-server
more detail |
2022-05-10 | VuXML ID ac91cf5e-d098-11ec-bead-3065ec8fd3ec
Chrome Releases reports:
This release contains 13 security fixes, including:
- [1316990] High CVE-2022-1633: Use after free in Sharesheet. Reported by Khalil Zhani on 2022-04-18
- [1314908] High CVE-2022-1634: Use after free in Browser UI. Reported by Khalil Zhani on 2022-04-09
- [1319797] High CVE-2022-1635: Use after free in Permission Prompts. Reported by Anonymous on 2022-04-26
- [1297283] High CVE-2022-1636: Use after free in Performance APIs. Reported by Seth Brenith, Microsoft on 2022-02-15
- [1311820] High CVE-2022-1637: Inappropriate implementation in Web Contents. Reported by Alesandro Ortiz on 2022-03-31
- [1316946] High CVE-2022-1638: Heap buffer overflow in V8 Internationalization. Reported by DoHyun Lee (@l33d0hyun) of DNSLab, Korea University on 2022-04-17
- [1317650] High CVE-2022-1639: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-04-19
- [1320592] High CVE-2022-1640: Use after free in Sharing. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-28
- [1305068] Medium CVE-2022-1641: Use after free in Web UI Diagnostics. Reported by Rong Jian of VRI on 2022-03-10
more... | chromium
more detail |
2022-05-06 | VuXML ID b9837fa1-cd72-11ec-98f1-6805ca0b3d42
Rainer Gerhards reports:
Modules for TCP syslog reception have a heap buffer
overflow when octet-counted framing is used. The attacker
can corrupt heap values, leading to data integrity issues
and availability impact. Remote code execution is unlikely
to happen but not impossible.
more... | rsyslog
more detail |
2022-05-05 | VuXML ID 647ac600-cc70-11ec-9cfc-10c37b4ac2ea
The gogs project reports:
Repository issues page allows HTML attachments with arbitrary
JS code.
more... | gogs
more detail |
2022-05-05 | VuXML ID 95ee401d-cc6a-11ec-9cfc-10c37b4ac2ea
The Gitea team reports:
Escape git fetch remote in
services/migrations/gitea_uploader.go
more... | gitea
more detail |
2022-05-05* | VuXML ID fceb2b08-cb76-11ec-a06f-d4c9ef517024
The OpenSSL project reports:
- The c_rehash script allows command injection (CVE-2022-1292)
(Moderate)
The c_rehash script does not properly sanitise shell
metacharacters to prevent command injection. This script is distributed
by some operating systems in a manner where it is automatically
executed. On such operating systems, an attacker could execute arbitrary
commands with the privileges of the script.
- OCSP_basic_verify may incorrectly verify the response signing
certificate (CVE-2022-1343) (Moderate)
The function
`OCSP_basic_verify` verifies the signer certificate on an OCSP response.
In the case where the (non-default) flag OCSP_NOCHECKS is used then the
response will be positive (meaning a successful verification) even in
the case where the response signing certificate fails to verify.
- Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434)
(Low)
The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite
incorrectly uses the AAD data as the MAC key. This makes the MAC key
trivially predictable.
- Resource leakage when decoding certificates and keys (CVE-2022-1473)
(Low)
The OPENSSL_LH_flush() function, which empties a hash table,
contains a bug that breaks reuse of the memory occupied by the removed
hash table entries.
more... | openssl openssl-devel openssl-quictls
more detail |
2022-05-03 | VuXML ID a8118db0-cac2-11ec-9288-0800270512f4
Simon Scannell reports:
The code vulnerability can be easily exploited by an
attacker by sending a malicious email to a victim that
uses RainLoop as a mail client. When the email is viewed
by the victim, the attacker gains full control over the
session of the victim and can steal any of their emails,
including those that contain highly sensitive information
such as passwords, documents, and password reset links.
more... | rainloop-community-php74 rainloop-community-php80 rainloop-community-php81 rainloop-php74 rainloop-php80 rainloop-php81
more detail |
2022-05-02 | VuXML ID 61bce714-ca0c-11ec-9cfc-10c37b4ac2ea
The Go project reports:
encoding/pem: fix stack overflow in Decode.
A large (more than 5 MB) PEM input can cause a stack
overflow in Decode, leading the program to crash.
crypto/elliptic: tolerate all oversized scalars in generic
P-256.
A crafted scalar input longer than 32 bytes can
cause P256().ScalarMult or P256().ScalarBaseMult to panic.
Indirect uses through crypto/ecdsa and crypto/tls are
unaffected. amd64, arm64, ppc64le, and s390x are
unaffected.
crypto/x509: non-compliant certificates can cause a panic
in Verify on macOS in Go 1.18.
Verifying certificate chains containing certificates
which are not compliant with RFC 5280 causes
Certificate.Verify to panic on macOS. These chains can be
delivered through TLS and can cause a crypto/tls or
net/http client to crash.
more... | go go117
more detail |
2022-04-30 | VuXML ID 9db93f3d-c725-11ec-9618-000d3ac47524
Ruby on Rails blog:
This is an announcement to let you know that Rails 7.0.2.4, 6.1.5.1,
6.0.4.8, and 5.2.7.1 have been released!
These are security releases so please update as soon as you can. Once
again we've made these releases based on the last release tag, so
hopefully upgrading will go smoothly.
The releases address two vulnerabilities, CVE-2022-22577, and
CVE-2022-27777. They are both XSS vulnerabilities, so please take a look
at the forum posts to see how (or if) they might possibly impact your
application.
more... | rubygem-actionpack52 rubygem-actionpack60 rubygem-actionpack61 rubygem-actionpack70 rubygem-actionview52 rubygem-actionview60 rubygem-actionview61 rubygem-actionview70
more detail |
2022-04-29 | VuXML ID 2220827b-c732-11ec-b272-901b0e934d69
hiredis maintainers report:
Hiredis is vulnerable to integer overflow if provided maliciously crafted or corrupted RESP multi-bulk protocol data.
When parsing multi-bulk (array-like) replies, hiredis fails to check if count * sizeof(redisReply*) can be represented in SIZE_MAX. If it can not, and the calloc() call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow.
more... | hiredis
more detail |
2022-04-28 | VuXML ID 26f2123b-c6c6-11ec-b66f-3065ec8fd3ec
Chrome Releases reports:
This release contains 30 security fixes, including:
- [1313905] High CVE-2022-1477: Use after free in Vulkan. Reported by SeongHwan Park (SeHwa) on 2022-04-06
- [1299261] High CVE-2022-1478: Use after free in SwiftShader. Reported by SeongHwan Park (SeHwa) on 2022-02-20
- [1305190] High CVE-2022-1479: Use after free in ANGLE. Reported by Jeonghoon Shin of Theori on 2022-03-10
- [1307223] High CVE-2022-1480: Use after free in Device API. Reported by @uwu7586 on 2022-03-17
- [1302949] High CVE-2022-1481: Use after free in Sharing. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-03-04
- [1304987] High CVE-2022-1482: Inappropriate implementation in WebGL. Reported by Christoph Diehl, Microsoft on 2022-03-10
- [1314754] High CVE-2022-1483: Heap buffer overflow in WebGPU. Reported by Mark Brand of Google Project Zero on 2022-04-08
- [1297429] Medium CVE-2022-1484: Heap buffer overflow in Web UI Settings. Reported by Chaoyuan Peng (@ret2happy) on 2022-02-15
- [1299743] Medium CVE-2022-1485: Use after free in File System API. Reported by Anonymous on 2022-02-22
- [1314616] Medium CVE-2022-1486: Type Confusion in V8. Reported by Brendon Tiszka on 2022-04-08
- [1304368] Medium CVE-2022-1487: Use after free in Ozone. Reported by Sri on 2022-03-09
- [1302959] Medium CVE-2022-1488: Inappropriate implementation in Extensions API. Reported by Thomas Beverley from Wavebox.io on 2022-03-04
- [1300561] Medium CVE-2022-1489: Out of bounds memory access in UI Shelf. Reported by Khalil Zhani on 2022-02-25
- [1301840] Medium CVE-2022-1490: Use after free in Browser Switcher. Reported by raven at KunLun lab on 2022-03-01
- [1305706] Medium CVE-2022-1491: Use after free in Bookmarks. Reported by raven at KunLun lab on 2022-03-12
- [1315040] Medium CVE-2022-1492: Insufficient data validation in Blink Editing. Reported by Michal Bentkowski of Securitum on 2022-04-11
- [1275414] Medium CVE-2022-1493: Use after free in Dev Tools. Reported by Zhihua Yao of KunLun Lab on 2021-12-01
- [1298122] Medium CVE-2022-1494: Insufficient data validation in Trusted Types. Reported by Masato Kinugawa on 2022-02-17
- [1301180] Medium CVE-2022-1495: Incorrect security UI in Downloads. Reported by Umar Farooq on 2022-02-28
- [1306391] Medium CVE-2022-1496: Use after free in File Manager. Reported by Zhiyi Zhang and Zhunki from Codesafe Team of Legendsec at Qi'anxin Group on 2022-03-15
- [1264543] Medium CVE-2022-1497: Inappropriate implementation in Input. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-10-29
- [1297138] Low CVE-2022-1498: Inappropriate implementation in HTML Parser. Reported by SeungJu Oh (@real_as3617) on 2022-02-14
- [1000408] Low CVE-2022-1499: Inappropriate implementation in WebAuthentication. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-09-04
- [1223475] Low CVE-2022-1500: Insufficient data validation in Dev Tools. Reported by Hoang Nguyen on 2021-06-25
- [1293191] Low CVE-2022-1501: Inappropriate implementation in iframe. Reported by Oriol Brufau on 2022-02-02
more... | chromium
more detail |
2022-04-28 | VuXML ID 92a4d881-c6cf-11ec-a06f-d4c9ef517024
The cURL project reports:
- OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
- Credential leak on redirect (CVE-2022-27774)
- Bad local IPv6 connection reuse (CVE-2022-27775)
- Auth/cookie leak on redirect (CVE-2022-27776)
more... | curl
more detail |
2022-04-27 | VuXML ID cc42db1c-c65f-11ec-ad96-0800270512f4
Aviv Yahav reports:
- CVE-2022-24735: By exploiting weaknesses in the Lua script execution
environment, an attacker with access to Redis can inject
Lua code that will execute with the (potentially higher)
privileges of another Redis user.
- CVE-2022-24736: An attacker attempting to load a specially crafted Lua
script can cause NULL pointer dereference which will
result in a crash of the redis-server process.
more... | redis redis-devel redis62
more detail |
2022-04-26 | VuXML ID 17a30a24-c579-11ec-bbbd-0800270512f4
Kazuhiro Ito reports:
Potential buffer overrun vulnerability is found in eb/multiplex.c.
more... | ja-eb
more detail |
2022-04-21 | VuXML ID a00c76d9-0c05-4d99-bef7-ae4521cb2a4d
Tim Wojtulewicz of Corelight reports:
Fix potential unbounded state growth in the FTP
analyzer when receiving a specially-crafted stream of
commands. This may lead to a buffer overflow and cause
Zeek to crash. Due to the possibility of this happening
with packets received from the network, this is a potential
DoS vulnerability.
more... | zeek
more detail |
2022-04-19 | VuXML ID b019585a-bfea-11ec-b46c-b42e991fc52e
RedHat reports:
An arbitrary file write vulnerability was found in GNU
gzip's zgrep utility. When zgrep is applied on the
attacker's chosen file name (for example, a crafted
file name), this can overwrite an attacker's content
to an arbitrary attacker-selected file. This flaw
occurs due to insufficient validation when processing
filenames with two or more newlines where selected
content and the target file names are embedded in
crafted multi-line file names. This flaw allows a
remote, low privileged attacker to force zgrep to
write arbitrary files on the system.
more... | gzip
more detail |
2022-04-17 | VuXML ID 2a314635-be46-11ec-a06f-d4c9ef517024
reports:
SMTP Command Injection in Appointment Emails via Newlines: as newlines
and special characters are not sanitized in the email value in the JSON
request, a malicious attacker can inject newlines to break out of the
`RCPT TO:` SMTP command and begin injecting
arbitrary SMTP commands.
more... | nextcloud-calendar
more detail |
2022-04-15 | VuXML ID a25ea27b-bced-11ec-87b5-3065ec8fd3ec
Chrome Releases reports:
This release contains 2 security fixes, including:
- [1315901] High CVE-2022-1364: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2022-0-13
more... | chromium
more detail |
2022-04-14 | VuXML ID 8838abf0-bc47-11ec-b516-0897988a1c07
The Asterisk project reports:
AST-2022-001 - When using STIR/SHAKEN, it's possible
to download files that are not certificates. These files
could be much larger than what you would expect to
download.
AST-2022-002 - When using STIR/SHAKEN, it's possible
to send arbitrary requests like GET to interfaces such
as localhost using the Identity header.
more... | asterisk16 asterisk18
more detail |
2022-04-14 | VuXML ID a5de43ed-bc49-11ec-b516-0897988a1c07
The Asterisk project reports:
Some databases can use backslashes to escape certain
characters, such as backticks. If input is provided to
func_odbc which includes backslashes it is possible for
func_odbc to construct a broken SQL query and the SQL
query to fail.
more... | asterisk16 asterisk18
more detail |
2022-04-13 | VuXML ID 06ed6a49-bad4-11ec-9cfe-0800270512f4
piao reports:
Due to a bug in an internal function that converts a String
to a Float, some conversion methods like Kernel#Float
and String#to_f could cause buffer over-read.
A typical consequence is a process termination due to
segmentation fault, but in limited circumstances, it may
be exploitable for illegal memory read.
more... | ruby ruby27 ruby30 ruby31 ruby32
more detail |
2022-04-13 | VuXML ID 24a9bd2b-bb43-11ec-af81-0897988a1c07
Composer developers report:
The Composer method VcsDriver::getFileContent() with
user-controlled $file or $identifier arguments is susceptible
to an argument injection vulnerability. It can be leveraged
to gain arbitrary command execution if the Mercurial or
the Git driver are used.
more... | php74-composer php74-composer2 php80-composer php80-composer2 php81-composer php81-composer2
more detail |
2022-04-13 | VuXML ID 3a1dc8c8-bb27-11ec-98d1-d43d7eed0ce2
Subversion project reports:
Subversion servers reveal 'copyfrom' paths that should be hidden according
to configured path-based authorization (authz) rules. When a node has been
copied from a protected location, users with access to the copy can see the
'copyfrom' path of the original. This also reveals the fact that the node
was copied. Only the 'copyfrom' path is revealed; not its contents. Both
httpd and svnserve servers are vulnerable.
While looking up path-based authorization rules, mod_dav_svn servers
may attempt to use memory which has already been freed.
more... | mod_dav_svn mod_dav_svn-lts subversion subversion-lts
more detail |
2022-04-13 | VuXML ID f22144d7-bad1-11ec-9cfe-0800270512f4
piao reports:
Due to a bug in the Regexp compilation process, creating
a Regexp object with a crafted source string could cause
the same memory to be freed twice. This is known as a
"double free" vulnerability. Note that, in general, it
is considered unsafe to create and use a Regexp object
generated from untrusted input. In this case, however,
following a comprehensive assessment, we treat this issue
as a vulnerability.
more... | ruby ruby30 ruby31 ruby32
more detail |
2022-04-12 | VuXML ID 0db46f84-b9fa-11ec-89df-080027240888
Django Release reports:
CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra().
CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL.
more... | py310-django22 py310-django32 py310-django40 py37-django22 py37-django32 py38-django22 py38-django32 py38-django40 py39-django22 py39-django32 py39-django40
more detail |
2022-04-12 | VuXML ID 6eb9cf14-bab0-11ec-8f59-4437e6ad11c4
Tavis Ormandy reports:
In mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in message parts, for example fragments of other messages, passphrases or keys in replies.
more... | mutt
more detail |
2022-04-12 | VuXML ID b582a85a-ba4a-11ec-8d1e-3065ec8fd3ec
Chrome Releases reports:
This release contains 11 security fixes, including:
- [1285234] High CVE-2022-1305: Use after free in storage. Reported by Anonymous on 2022-01-07
- [1299287] High CVE-2022-1306: Inappropriate implementation in compositing. Reported by Sven Dysthe on 2022-02-21
- [1301873] High CVE-2022-1307: Inappropriate implementation in full screen. Reported by Irvan Kurniawan (sourc7) on 2022-03-01
- [1283050] High CVE-2022-1308: Use after free in BFCache. Reported by Samet Bekmezci (@sametbekmezci) on 2021-12-28
- [1106456] High CVE-2022-1309: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-07-17
- [1307610] High CVE-2022-1310: Use after free in regular expressions. Reported by Brendon Tiszka on 2022-03-18
- [1310717] High CVE-2022-1311: Use after free in Chrome OS shell. Reported by Nan Wang (@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-03-28
- [1311701] High CVE-2022-1312: Use after free in storage. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2022-03-30
- [1270539] Medium CVE-2022-1313: Use after free in tab groups. Reported by Thomas Orlita on 2021-11-16
- [1304658] Medium CVE-2022-1314: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2022-03-09
more... | chromium
more detail |
2022-04-07 | VuXML ID 27d39055-b61b-11ec-9ebc-1c697aa5a594
Problem Description:
The total size of the user-provided nmreq to nmreq_copyin() was
first computed and then trusted during the copyin. This
time-of-check to time-of-use bug could lead to kernel memory
corruption. [CVE-2022-23084]
A user-provided integer option was passed to nmreq_copyin() without
checking if it would overflow. This insufficient bounds checking
could lead to kernel memory corruption. [CVE-2022-23085]
Impact:
On systems configured to include netmap in their devfs_ruleset, a
privileged process running in a jail can affect the host
environment.
more... | FreeBSD-kernel
more detail |
2022-04-07 | VuXML ID 38f2e3a0-b61e-11ec-9ebc-1c697aa5a594
Problem Description:
Certain inputs can cause zlib's compression routine to overwrite an
internal buffer with compressed data. This issue may require the use
of uncommon or non-default compression parameters.
Impact:
The out-of-bounds write may result in memory corruption and an
application crash or kernel panic.
more... | FreeBSD
more detail |
2022-04-07 | VuXML ID 703c4761-b61d-11ec-9ebc-1c697aa5a594
Problem Description:
Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and
mpt drivers allocated a buffer of a caller-specified size, but
copied to it a fixed size header. Other heap content would be
overwritten if the specified size was too small.
Impact:
Users with access to the mpr, mps or mpt device node may overwrite
heap data, potentially resulting in privilege escalation. Note that
the device node is only accessible to root and members of the operator
group.
more... | FreeBSD-kernel
more detail |
2022-04-07 | VuXML ID ba796b98-b61c-11ec-9ebc-1c697aa5a594
Problem Description:
The e1000 network adapters permit a variety of modifications to an
Ethernet packet when it is being transmitted. These include the
insertion of IP and TCP checksums, insertion of an Ethernet VLAN
header, and TCP segmentation offload ("TSO"). The e1000 device model
uses an on-stack buffer to generate the modified packet header when
simulating these modifications on transmitted packets.
When checksum offload is requested for a transmitted packet, the
e1000 device model used a guest-provided value to specify the checksum
offset in the on-stack buffer. The offset was not validated for
certain packet types.
Impact:
A misbehaving bhyve guest could overwrite memory in the bhyve
process on the host, possibly leading to code execution in the host
context.
The bhyve process runs in a Capsicum sandbox, which (depending on
the FreeBSD version and bhyve configuration) limits the impact of
exploiting this issue.
more... | FreeBSD-kernel
more detail |
2022-04-07 | VuXML ID d4cc994f-b61d-11ec-9ebc-1c697aa5a594
Problem Description:
The 802.11 beacon handling routine failed to validate the length of
an IEEE 802.11s Mesh ID before copying it to a heap-allocated
buffer.
Impact:
While a FreeBSD Wi-Fi client is in scanning mode (i.e., not
associated with an SSID) a malicious beacon frame may overwrite kernel
memory, leading to remote code execution.
more... | FreeBSD-kernel
more detail |
2022-04-05 | VuXML ID fe15f30a-b4c9-11ec-94a3-3065ec8fd3ec
Chrome Releases reports:
This release includes one security fix:
- [1311641] High CVE-2022-1232: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2022-03-30
more... | chromium
more detail |
2022-04-04 | VuXML ID 79ea6066-b40e-11ec-8b93-080027b24e86
Mediawiki reports:
(T297543, CVE-2022-28202) Messages widthheight/widthheightpage/nbytes not
escaped when used in galleries or Special:RevisionDelete.
(T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite
recursion loop if it points to a local interwiki.
(T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many
file uploads with actor as a condition can result in a DoS.
(T297754, CVE-2022-28204) Special:WhatLinksHere can result in a DoS when
a page is used on an extremely large number of other pages.
more... | mediawiki135 mediawiki136 mediawiki137
more detail |
2022-04-04 | VuXML ID 8657eedd-b423-11ec-9559-001b217b3468
Gitlab reports:
Static passwords inadvertently set during OmniAuth-based registration
Stored XSS in notes
Stored XSS on Multi-word milestone reference
Denial of service caused by a specially crafted RDoc file
GitLab Pages access tokens can be reused on multiple domains
GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout
Incorrect include in pipeline definition exposes masked CI variables in UI
Regular expression denial of service in release asset link
Latest Commit details from private projects leaked to guest users via Merge Requests
CI/CD analytics are available even when public pipelines are disabled
Absence of limit for the number of tags that can be added to a runner can cause performance issues
Client DoS through rendering crafted comments
Blind SSRF Through Repository Mirroring
Bypass of branch restriction in Asana integration
Readable approval rules by Guest user
Redact InvalidURIError error messages
Project import maps members' created_by_id users based on source user ID
more... | gitlab-ce
more detail |
2022-04-03 | VuXML ID 3f321a5a-b33b-11ec-80c2-1bb2c6a00592
Petr Menšík reports:
Possible vulnerability [...] found in latest dnsmasq. It [was] found
with help of oss-fuzz Google project by me and short after that
independently also by Richard Johnson of Trellix Threat Labs.
It is affected only by DHCPv6 requests, which could be crafted to
modify already freed memory. [...] We think it might be triggered
remotely, but we do not think it could be used to execute remote
code.
more... | dnsmasq dnsmasq-devel
more detail |
2022-03-29 | VuXML ID 0ff80f41-aefe-11ec-b4b6-d05099c0c059
Youssef Rebahi-Gilbert reports:
When Gitea is built and configured for PAM authentication
it skips checking authorization completely. Therefore expired
accounts and accounts with expired passwords can still login.
more... | gitea
more detail |
2022-03-29 | VuXML ID 83466f76-aefe-11ec-b4b6-d05099c0c059
Andrew Thornton reports:
When a location containing backslashes is presented, the existing
protections against open redirect are bypassed, because browsers
will convert adjacent forward and backslashes within the location
to double forward slashes.
more... | gitea
more detail |
2022-03-29 | VuXML ID ab2d7f62-af9d-11ec-a0b8-3065ec8fd3ec
Chrome Releases reports:
This release contains 28 security fixes, including:
- [1292261] High CVE-2022-1125: Use after free in Portals.
Reported by Khalil Zhani on 2022-01-29
- [1291891] High CVE-2022-1127: Use after free in QR Code
Generator. Reported by anonymous on 2022-01-28
- [1301920] High CVE-2022-1128: Inappropriate implementation in
Web Share API. Reported by Abdel Adim (@smaury92) Oisfi of
Shielder on 2022-03-01
- [1300253] High CVE-2022-1129: Inappropriate implementation in
Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on
2022-02-24
- [1142269] High CVE-2022-1130: Insufficient validation of
untrusted input in WebOTP. Reported by Sergey Toshin of
Oversecurity Inc. on 2020-10-25
- [1297404] High CVE-2022-1131: Use after free in Cast UI.
Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability
Research on 2022-02-15
- [1303410] High CVE-2022-1132: Inappropriate implementation in
Virtual Keyboard. Reported by Andr.Ess on 2022-03-07
- [1305776] High CVE-2022-1133: Use after free in WebRTC.
Reported by Anonymous on 2022-03-13
- [1308360] High CVE-2022-1134: Type Confusion in V8. Reported by
Man Yue Mo of GitHub Security Lab on 2022-03-21
- [1285601] Medium CVE-2022-1135: Use after free in Shopping Cart.
Reported by Wei Yuan of MoyunSec VLab on 2022-01-09
- [1280205] Medium CVE-2022-1136: Use after free in Tab Strip.
Reported by Krace on 2021-12-15
- [1289846] Medium CVE-2022-1137: Inappropriate implementation in
Extensions. Reported by Thomas Orlita on 2022-01-22
- [1246188] Medium CVE-2022-1138: Inappropriate implementation in
Web Cursor. Reported by Alesandro Ortiz on 2021-09-03
- [1268541] Medium CVE-2022-1139: Inappropriate implementation in
Background Fetch API. Reported by Maurice Dauer on 2021-11-10
- [1303253] Medium CVE-2022-1141: Use after free in File Manager.
Reported by raven at KunLun lab on 2022-03-05
- [1303613] Medium CVE-2022-1142: Heap buffer overflow in WebUI.
Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2022-03-07
- [1303615] Medium CVE-2022-1143: Heap buffer overflow in WebUI.
Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2022-03-07
- [1304145] Medium CVE-2022-1144: Use after free in WebUI.
Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2022-03-08
- [1304545] Medium CVE-2022-1145: Use after free in Extensions.
Reported by Yakun Zhang of Baidu Security on 2022-03-09
- [1290150] Low CVE-2022-1146: Inappropriate implementation in
Resource Timing. Reported by Sohom Datta on 2022-01-23
more... | chromium
more detail |
2022-03-27 | VuXML ID 2cda5c88-add4-11ec-9bc8-6805ca2fa271
PowerDNS Team reports:
PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor.
more... | powerdns
more detail |
2022-03-27 | VuXML ID cb84b940-add5-11ec-9bc8-6805ca2fa271
PowerDNS Team reports:
PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor.
more... | powerdns-recursor
more detail |
2022-03-25 | VuXML ID 323f900d-ac6d-11ec-a0b8-3065ec8fd3ec
Chrome Releases reports:
This release contains 1 security fix:
- [1309225] High CVE-2022-1096: Type Confusion in V8. Reported by
anonymous on 2022-03-23
Google is aware that an exploit for CVE-2022-1096 exists in the wild.
more... | chromium
more detail |
2022-03-25 | VuXML ID 955f377e-7bc3-11ec-a51c-7533f219d428
Debian Security Advisory reports:
A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed.
more... | p5-Image-ExifTool
more detail |
2022-03-22 | VuXML ID 61f416ff-aa00-11ec-b439-000d3a450398
The Tcpdump Group reports:
heap-based use-after-free in extract_slice()
more... | tcpslice
more detail |
2022-03-19 | VuXML ID e2af876f-a7c8-11ec-9a2a-002324b2fba8
The Go project reports:
regexp: stack exhaustion compiling deeply nested expressions
On 64-bit platforms, an extremely deeply nested expression can
cause regexp.Compile to cause goroutine stack exhaustion, forcing
the program to exit. Note this applies to very large expressions, on
the order of 2MB.
more... | go
more detail |
2022-03-17 | VuXML ID 45a72180-a640-11ec-a08b-85298243e224
David Sommerseth reports:
OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. This issue is resolved in OpenVPN 2.4.12 and v2.5.6.
more... | openvpn openvpn-mbedtls
more detail |
2022-03-16 | VuXML ID 3ba1ca94-a563-11ec-8be6-d4c9ef517024
The Weechat project reports:
After changing the options weechat.network.gnutls_ca_system or
weechat.network.gnutls_ca_user, the TLS verification function is lost.
Consequently, any connection to a server with TLS is made without
verifying the certificate, which could lead to a man-in-the-middle
attack. Connection to IRC servers with TLS is affected, as well as any
connection to a server made by a plugin or a script using the function
hook_connect.
more... | weechat
more detail |
2022-03-16 | VuXML ID 5df757ef-a564-11ec-85fa-a0369f7f7be0
WordPress developers report:
This security and maintenance release features 1 bug fix in addition to 3 security fixes.
Because this is a security release, it is recommended that you update your sites immediately.
All versions since WordPress 3.7 have also been updated.
The security team would like to thank the following people for responsibly reporting
vulnerabilities, allowing them to be fixed in this release:
- Melar Dev, for finding a Prototype Pollution Vulnerability in a jQuery dependency
- Ben Bidner of the WordPress security team, for finding a Stored Cross Site Scripting Vulnerability
- Researchers from Johns Hopkins University, for finding a Prototype Pollution Vulnerability in the block editor
more... | de-wordpress fr-wordpress ja-wordpress ru-wordpress th_TW-wordpress wordpress zh_CN-wordpress
more detail |
2022-03-16 | VuXML ID 8d20bd48-a4f3-11ec-90de-1c697aa5a594
Problem Description:
The paper "Fragment and Forge: Breaking Wi-Fi Through Frame
Aggregation and Fragmentation" reported a number of security
vulnerabilities in the 802.11 specification related to frame
aggregation and fragmentation.
Additionally, FreeBSD 12.x missed length validation of SSIDs and
Information Elements (IEs).
Impact:
As reported on the FragAttacks website, the "design flaws are hard
to abuse because doing so requires user interaction or is only
possible when using uncommon network settings." Under suitable
conditions an attacker may be able to extract sensitive data or inject
data.
more... | FreeBSD-kernel
more detail |
2022-03-16* | VuXML ID ea05c456-a4fd-11ec-90de-1c697aa5a594
The OpenSSL project reports:
Infinite loop in BN_mod_sqrt() reachable when parsing certificates
(High)
The BN_mod_sqrt() function, which computes a modular square root,
contains a bug that can cause it to loop forever for non-prime
moduli.
Internally this function is used when parsing certificates that
contain elliptic curve public keys in compressed form or explicit
elliptic curve parameters with a base point encoded in compressed
form.
It is possible to trigger the infinite loop by crafting a
certificate that has invalid explicit curve parameters.
Since certificate parsing happens prior to verification of the
certificate signature, any process that parses an externally
supplied certificate may thus be subject to a denial of service
attack. The infinite loop can also be reached when parsing crafted
private keys as they can contain explicit elliptic curve
parameters.
Thus vulnerable situations include:
- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from
customers
- Certificate authorities parsing certification requests from
subscribers
- Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use the BN_mod_sqrt() where the
attacker can control the parameter values are vulnerable to this DoS
issue.
more... | FreeBSD libressl libressl-devel openssl openssl-devel openssl-quictls
more detail |
2022-03-15 | VuXML ID 6601c08d-a46c-11ec-8be6-d4c9ef517024
The Apache httpd project reports:
mod_lua: Use of uninitialized value in r:parsebody (moderate)
(CVE-2022-22719) A carefully crafted request body can cause a
read to a random memory area which could cause the process to crash.
HTTP request smuggling vulnerability (important) (CVE-2022-22720)
httpd fails to close inbound connection when errors are
encountered discarding the request body, exposing the server to HTTP
Request Smuggling
core: Possible buffer overflow with very large or unlimited
LimitXMLRequestBody (low) (CVE-2022-22721) If LimitXMLRequestBody
is set to allow request bodies larger than 350MB (defaults to 1M) on 32
bit systems an integer overflow happens which later causes out of
bounds writes.
mod_sed: Read/write beyond bounds (important) (CVE-2022-23924)
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server
allows an attacker to overwrite heap memory with possibly attacker
provided data.
more... | apache24
more detail |
2022-03-15 | VuXML ID 857be71a-a4b0-11ec-95fc-3065ec8fd3ec
Chrome Releases reports:
This release contains 11 security fixes, including:
- [1299422] Critical CVE-2022-0971: Use after free in Blink
Layout. Reported by Sergei Glazunov of Google Project Zero on
2022-02-21
- [1301320] High CVE-2022-0972: Use after free in Extensions.
Reported by Sergei Glazunov of Google Project Zero on
2022-02-28
- [1297498] High CVE-2022-0973: Use after free in Safe Browsing.
Reported by avaue and Buff3tts at S.S.L. on 2022-02-15
- [1291986] High CVE-2022-0974: Use after free in Splitscreen.
Reported by @ginggilBesel on 2022-01-28
- [1295411] High CVE-2022-0975: Use after free in ANGLE. Reported
by SeongHwan Park (SeHwa) on 2022-02-09
- [1296866] High CVE-2022-0976: Heap buffer overflow in GPU.
Reported by Omair on 2022-02-13
- [1299225] High CVE-2022-0977: Use after free in Browser UI.
Reported by Khalil Zhani on 2022-02-20
- [1299264] High CVE-2022-0978: Use after free in ANGLE. Reported
by Cassidy Kim of Amber Security Lab, OPPO Mobile
Telecommunications Corp. Ltd. on 2022-02-20
- [1302644] High CVE-2022-0979: Use after free in Safe Browsing.
Reported by anonymous on 2022-03-03
- [1302157] Medium CVE-2022-0980: Use after free in New Tab Page.
Reported by Krace on 2022-03-02
more... | chromium
more detail |
2022-03-10 | VuXML ID 5aaf534c-a069-11ec-acdc-14dae9d5a9d2
NVD reports:
Teeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. A map parser does not validate m_Channels value coming from a map file, leading to a buffer overflow. A malicious server may offer a specially crafted map that will overwrite client's stack causing denial of service or code execution.
more... | teeworlds
more detail |
2022-03-09 | VuXML ID 2823048d-9f8f-11ec-8c9c-001b217b3468
Gitlab reports:
Runner registration token disclosure through Quick Actions
Unprivileged users can add other users to groups through an API endpoint
Inaccurate display of Snippet contents can be potentially misleading to users
Environment variables can be leaked via the sendmail delivery method
Unauthenticated user enumeration on GraphQL API
Adding a mirror with SSH credentials can leak password
Denial of Service via user comments
more... | gitlab-ce
more detail |
2022-03-05 | VuXML ID 964c5460-9c66-11ec-ad3a-001999f8d30b
The Asterisk project reports:
AST-2022-004 - The header length on incoming STUN
messages that contain an ERROR-CODE attribute is not
properly checked. This can result in an integer underflow.
Note, this requires ICE or WebRTC support to be in use
with a malicious remote party.
AST-2022-005 - When acting as a UAC, and when placing
an outgoing call to a target that then forks, Asterisk may
experience undefined behavior (crashes, hangs, etc.) after
a dialog set is prematurely freed.
AST-2022-006 - If an incoming SIP message contains a
malformed multi-part body an out of bounds read access
may occur, which can result in undefined behavior. Note,
it's currently uncertain if there is any externally
exploitable vector within Asterisk for this issue, but
providing this as a security issue out of caution.
more... | asterisk16 asterisk18
more detail |
2022-03-02 | VuXML ID e0914087-9a09-11ec-9e61-3065ec8fd3ec
Chrome Releases reports:
This release contains 28 security fixes, including:
- [1289383] High CVE-2022-0789: Heap buffer overflow in ANGLE.
Reported by SeongHwan Park (SeHwa) on 2022-01-21
- [1274077] High CVE-2022-0790: Use after free in Cast UI.
Reported by Anonymous on 2021-11-26
- [1278322] High CVE-2022-0791: Use after free in Omnibox.
Reported by Zhihua Yao of KunLun Lab on 2021-12-09
- [1285885] High CVE-2022-0792: Out of bounds read in ANGLE.
Reported by Jaehun Jeong (@n3sk) of Theori on 2022-01-11
- [1291728] High CVE-2022-0793: Use after free in Views. Reported
by Thomas Orlita on 2022-01-28
- [1294097] High CVE-2022-0794: Use after free in WebShare.
Reported by Khalil Zhani on 2022-02-04
- [1282782] High CVE-2022-0795: Type Confusion in Blink Layout.
Reported by 0x74960 on 2021-12-27
- [1295786] High CVE-2022-0796: Use after free in Media. Reported
by Cassidy Kim of Amber Security Lab, OPPO Mobile
Telecommunications Corp. Ltd. on 2022-02-10
- [1281908] High CVE-2022-0797: Out of bounds memory access in
Mojo. Reported by Sergei Glazunov of Google Project Zero on
2021-12-21
- [1283402] Medium CVE-2022-0798: Use after free in MediaStream.
Reported by Samet Bekmezci @sametbekmezci on 2021-12-30
- [1279188] Medium CVE-2022-0799: Insufficient policy enforcement
in Installer. Reported by Abdelhamid Naceri (halov) on
2021-12-12
- [1242962] Medium CVE-2022-0800: Heap buffer overflow in Cast UI.
Reported by Khalil Zhani on 2021-08-24
- [1231037] Medium CVE-2022-0801: Inappropriate implementation in
HTML parser. Reported by Michal Bentkowski of Securitum on
2021-07-20
- [1270052] Medium CVE-2022-0802: Inappropriate implementation in
Full screen mode. Reported by Irvan Kurniawan (sourc7) on
2021-11-14
- [1280233] Medium CVE-2022-0803: Inappropriate implementation in
Permissions. Reported by Abdulla Aldoseri on 2021-12-15
- [1264561] Medium CVE-2022-0804: Inappropriate implementation in
Full screen mode. Reported by Irvan Kurniawan (sourc7) on
2021-10-29
- [1290700] Medium CVE-2022-0805: Use after free in Browser
Switcher. Reported by raven at KunLun Lab on 2022-01-25
- [1283434] Medium CVE-2022-0806: Data leak in Canvas. Reported by
Paril on 2021-12-31
- [1287364] Medium CVE-2022-0807: Inappropriate implementation in
Autofill. Reported by Alesandro Ortiz on 2022-01-14
- [1292271] Medium CVE-2022-0808: Use after free in Chrome OS
Shell. Reported by @ginggilBesel on 2022-01-29
- [1293428] Medium CVE-2022-0809: Out of bounds memory access in
WebXR. Reported by @uwu7586 on 2022-02-03
more... | chromium
more detail |
2022-02-28 | VuXML ID a80c6273-988c-11ec-83ac-080027415d17
Cyrus SASL 2.1.x Release Notes New in 2.1.28 reports:
Fix off by one error
more... | cyrus-sasl
more detail |
2022-02-27 | VuXML ID 0eab001a-9708-11ec-96c9-589cfc0f81b0
The TYPO3 project reports:
The SVG sanitizer library enshrined/svg-sanitize before version
0.15.0 did not remove HTML elements wrapped in a CDATA section.
As a result, SVG content embedded in HTML (fetched as text/html)
was susceptible to cross-site scripting. Plain SVG files
(fetched as image/svg+xml) were not affected.
more... | typo3-10-php74 typo3-11-php74 typo3-11-php80 typo3-11-php81
more detail |
2022-02-24 | VuXML ID 5e1440c6-95af-11ec-b320-f8b156b6dcc8
The FLAC 1.3.4 release reports:
Fix 12 decoder bugs found by oss-fuzz.
Fix encoder bug CVE-2021-0561.
more... | flac
more detail |
2022-02-24 | VuXML ID 7695b0af-958f-11ec-9aa3-4ccc6adda413
Crypto++ 8.6 release notes reports:
The ElGamal implementation in Crypto++ through 8.5 allows plaintext
recovery because, during interaction between two cryptographic
libraries, a certain dangerous combination of the prime defined by
the receiver's public key, the generator defined by the receiver's
public key, and the sender's ephemeral exponents can lead to a
cross-configuration attack against OpenPGP.
more... | cryptopp
more detail |
2022-02-23 | VuXML ID 022dde12-8f4a-11ec-83ac-080027415d17
Cyrus SASL 2.1.x Release Notes New in 2.1.28 reports:
Escape password for SQL insert/update commands.
more... | cyrus-sasl-sql
more detail |
2022-02-22* | VuXML ID 1cd565da-455e-41b7-a5b9-86ad8e81e33e
Kenny Levinsen reports:
seatd-launch could use a user-specified socket path instead of the
internally generated socket path, and would unlink the socket path
before use to guard against collision with leftover sockets. This
meant that a caller could freely control what file path would be
unlinked and replaced with a user-owned seatd socket for the duration
of the session.
If seatd-launch had the SUID bit set, this could be used by a
malicious user to remove files with the privileges of the owner of
seatd-launch, which is likely root, and replace it with a user-owned
domain socket.
This does not directly allow retrieving the contents of existing
files, and the user-owned socket file is at the current time not
believed to be directly useful for further exploitation.
more... | seatd
more detail |
2022-02-22 | VuXML ID 85d976be-93e3-11ec-aaad-14dae9d5a9d2
NVD reports:
python-tuf is a Python reference implementation of The Update Framework (TUF). In both clients (`tuf/client` and `tuf/ngclient`), there is a path traversal vulnerability that in the worst case can overwrite files ending in `.json` anywhere on the client system on a call to `get_one_valid_targetinfo()`. It occurs because the rolename is used to form the filename, and may contain path traversal characters (ie `../../name.json`). The impact is mitigated by a few facts: It only affects implementations that allow arbitrary rolename selection for delegated targets metadata, The attack requires the ability to A) insert new metadata for the path-traversing role and B) get the role delegated by an existing targets metadata, The written file content is heavily restricted since it needs to be a valid, signed targets file. The file extension is always .json. A fix is available in version 0.19 or newer. There are no workarounds that do not require code changes. Clients can restrict the allowed character set for rolenames, or they can store metadata in files named in a way that is not vulnerable: neither of these approaches is possible without modifying python-tuf.
more... | py310-tuf py311-tuf py37-tuf py38-tuf py39-tuf
more detail |
2022-02-21 | VuXML ID 43ae57f6-92ab-11ec-81b4-2cf05d620ecc
The Qt Company reports:
Recently, the Qt Project's security team was made aware of an issue regarding QProcess and determined it to be a security issue on Unix-based platforms only. We do not believe this to be a considerable risk for applications as the likelihood of it being triggered is minimal.
Specifically, the problem is around using QProcess to start an application without having an absolute path, and as a result, it depends on it finding it in the PATH environment variable. As a result, it may be possible for an attacker to place their copy of the executable in question inside the working/current directory for the QProcess and have it invoked that instead.
more... | qt5-core
more detail |
2022-02-20 | VuXML ID 4d763c65-9246-11ec-9aa3-4ccc6adda413
Zhengjie Du reports:
There are some heap-buffer-overflows in mysofa2json of
libmysofa. They are in function loudness, mysofa_check and
readOHDRHeaderMessageDataLayout.
more... | libmysofa
more detail |
2022-02-18 | VuXML ID 096ab080-907c-11ec-bb14-002324b2fba8
The Go project reports:
crypto/elliptic: fix IsOnCurve for big.Int values that are not
valid coordinates
Some big.Int values that are not valid field elements (negative or
overflowing) might cause Curve.IsOnCurve to incorrectly return true.
Operating on those values may cause a panic or an invalid curve
operation. Note that Unmarshal will never return such values.
math/big: prevent large memory consumption in Rat.SetString
An attacker can cause unbounded memory growth in a program using
(*Rat).SetString due to an unhandled overflow.
cmd/go: prevent branches from materializing into versions
A branch whose name resembles a version tag (such as "v1.0.0" or
"subdir/v2.0.0-dev") can be considered a valid version by the go
command. Materializing versions from branches might be unexpected
and bypass ACLs that limit the creation of tags but not branches.
more... | go
more detail |
2022-02-18 | VuXML ID 27bf9378-8ffd-11ec-8be6-d4c9ef517024
MariaDB reports:
MariaDB reports 5 vulnerabilities in supported versions
resulting from fuzzing tests
more... | mariadb103-client mariadb103-server mariadb104-client mariadb104-server mariadb105-client mariadb105-server
more detail |
2022-02-17* | VuXML ID ff5606f7-8a45-11ec-8be6-d4c9ef517024
MariaDB reports:
MariaDB reports 5 vulnerabilities in supported versions
without further detailed information.
more... | mariadb103-client mariadb103-server mariadb104-client mariadb104-server mariadb105-client mariadb105-server
more detail |
2022-02-15 | VuXML ID e12432af-8e73-11ec-8bc4-3065ec8fd3ec
Chrome Releases reports:
This release contains 11 security fixes, including:
- [1290008] High CVE-2022-0603: Use after free in File Manager.
Reported by Chaoyuan Peng (@ret2happy) on 2022-01-22
- [1273397] High CVE-2022-0604: Heap buffer overflow in Tab
Groups. Reported by Krace on 2021-11-24
- [1286940] High CVE-2022-0605: Use after free in Webstore API.
Reported by Thomas Orlita on 2022-01-13
- [1288020] High CVE-2022-0606: Use after free in ANGLE. Reported
by Cassidy Kim of Amber Security Lab, OPPO Mobile
Telecommunications Corp. Ltd. on 2022-01-17
- [1250655] High CVE-2022-0607: Use after free in GPU. Reported by
0x74960 on 2021-09-17
- [1270333] High CVE-2022-0608: Integer overflow in Mojo. Reported
by Sergei Glazunov of Google Project Zero on 2021-11-16
- [1296150] High CVE-2022-0609: Use after free in Animation.
Reported by Adam Weidemann and Clément Lecigne of Google's
Threat Analysis Group on 2022-02-10
- [1285449] Medium CVE-2022-0610: Inappropriate implementation in
Gamepad API. Reported by Anonymous on 2022-01-08
more... | chromium
more detail |
2022-02-15* | VuXML ID fc2a9541-8893-11ec-9d01-80ee73419af3
xrdp project reports:
An integer underflow leading to a heap overflow in the sesman server allows any unauthenticated attacker which is accessible to a sesman server (listens by default on localhost when installing xrdp, but can be remote if configured otherwise) to execute code as root.
more... | xrdp xrdp-devel
more detail |
2022-02-13 | VuXML ID 24049967-88ec-11ec-88f5-901b0e934d69
Twisted developers report:
Cookie and Authorization headers are leaked when following cross-origin redirects in twisted.web.client.RedirectAgent and twisted.web.client.BrowserLikeRedirectAgent.
more... | py310-twisted py37-twisted py38-twisted py39-twisted
more detail |
2022-02-12 | VuXML ID 972ba0e8-8b8a-11ec-b369-6c3be5272acd
Node.js reports:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.
Prototype pollution via console.table properties (Low)(CVE-2022-21824)
Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__ . The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.
more... | node node14 node16
more detail |
2022-02-12 | VuXML ID cecbc674-8b83-11ec-b369-6c3be5272acd
Grafana Labs reports:
On Jan. 16, an external security researcher, Jasu Viding, contacted Grafana to disclose an XSS vulnerability in the way that Grafana handles data sources. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).
more... | grafana6 grafana7 grafana8
more detail |
2022-02-12 | VuXML ID d4284c2e-8b83-11ec-b369-6c3be5272acd
Grafana Labs reports:
On Jan. 18, security researchers @jub0bs and @abrahack contacted Grafana to disclose a CSRF vulnerability which allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).
more... | grafana6 grafana7 grafana8
more detail |
2022-02-12 | VuXML ID d71d154a-8b83-11ec-b369-6c3be5272acd
Grafana Labs reports:
On Jan. 18, an external security researcher, Kürşad ALSAN from NSPECT.IO (@nspectio on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. This vulnerability only impacts the following API endpoints:
- /teams/:teamId - an authenticated attacker can view unintended data by querying for the specific team ID.
- /teams/:search - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.
- /teams/:teamId/members - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.
We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
more... | grafana6 grafana7 grafana8
more detail |
2022-02-12 | VuXML ID d923fb0c-8c2f-11ec-aa85-0800270512f4
Marc Cornellà reports:
Some prompt expansion sequences, such as %F, support 'arguments'
which are themselves expanded in case they contain colour values,
etc. This additional expansion would trigger PROMPT_SUBST evaluation,
if enabled. This could be abused to execute code the user didn't
expect. e.g., given a certain prompt configuration, an attacker
could trick a user into executing arbitrary code by having them
check out a Git branch with a specially crafted name.
more... | zsh
more detail |
2022-02-10 | VuXML ID 0b0ad196-1ee8-4a98-89b1-4d5d82af49a9
Jenkins Security Advisory:
Description
(Medium) SECURITY-2602 / CVE-2021-43859 (upstream issue), CVE-2022-0538 (Jenkins-specific converters)
DoS vulnerability in bundled XStream library
more... | jenkins jenkins-lts
more detail |
2022-02-08* | VuXML ID 58d6ed66-c2e8-11eb-9fb0-6451062f0f7a
The X.org project reports:
XLookupColor() and other X libraries function lack proper validation
of the length of their string parameters. If those parameters can be
controlled by an external application (for instance a color name that
can be emitted via a terminal control sequence) it can lead to the
emission of extra X protocol requests to the X server.
more... | libX11
more detail |
2022-02-04 | VuXML ID 3507bfb3-85d5-11ec-8c9c-001b217b3468
Gitlab reports:
Arbitrary POST requests via special HTML attributes in Jupyter Notebooks
DNS Rebinding vulnerability in Irker IRC Gateway integration
Missing certificate validation for external CI services
Blind SSRF Through Project Import
Open redirect vulnerability in Jira Integration
Issue link was disclosing the linked issue
Service desk email accessible by project non-members
Authenticated users can search other users by their private email
"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request
Deleting packages in bulk from package registries may cause table locks
Autocomplete enabled on specific pages
Possible SSRF due to not blocking shared address space
System notes reveals private project path when Issue is moved to a public project
Timeout for pages using Markdown
Certain branch names could not be protected
more... | gitlab-ce
more detail |
2022-02-03* | VuXML ID ee26f513-826e-11ec-8be6-d4c9ef517024
The Rust Security Response WG was notified that the
std::fs::remove_dir_all standard library function is vulnerable to a
race condition enabling symlink following (CWE-363). An attacker could
use this security issue to trick a privileged program into deleting
files and directories the attacker couldn't otherwise access or
delete.
more... | rust rust-nightly
more detail |
2022-02-02 | VuXML ID 1d3677a8-9143-42d8-84a3-0585644dff4b
Emil Lerner reports:
When receiving QUIC frames in certain order, HTTP/3 server-side
implementation of h2o can be misguided to treat uninitialized
memory as HTTP/3 frames that have been received. When h2o is
used as a reverse proxy, an attacker can abuse this vulnerability
to send internal state of h2o to backend servers controlled by
the attacker or third party. Also, if there is an HTTP endpoint
that reflects the traffic sent from the client, an attacker can
use that reflector to obtain internal state of h2o.
This internal state includes traffic of other connections in
unencrypted form and TLS session tickets.
This vulnerability exists in h2o server with HTTP/3
support, between commit 93af138 and d1f0f65. None of the
released versions of h2o are affected by this vulnerability.
more... | h2o-devel
more detail |
2022-02-02 | VuXML ID b1b6d623-83e4-11ec-90de-1c697aa5a594
Problem Description:
Under certain conditions involving use of the highlight buffer
while text is scrolling on the console, console data may overwrite
data structures associated with the system console or other kernel
memory.
Impact:
Users with access to the system console may be able to cause system
misbehaviour.
more... | FreeBSD
more detail |
2022-02-02 | VuXML ID e852f43c-846e-11ec-b043-3065ec8fd3ec
Chrome Releases reports:
This release contains 27 security fixes, including:
- [1284584] High CVE-2022-0452: Use after free in Safe Browsing.
Reported by avaue at S.S.L. on 2022-01-05
- [1284916] High CVE-2022-0453: Use after free in Reader Mode.
Reported by Rong Jian of VRI on 2022-01-06
- [1287962] High CVE-2022-0454: Heap buffer overflow in ANGLE.
Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on
2022-01-17
- [1270593] High CVE-2022-0455: Inappropriate implementation in
Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on
2021-11-16
- [1289523] High CVE-2022-0456: Use after free in Web Search.
Reported by Zhihua Yao of KunLun Lab on 2022-01-21
- [1274445] High CVE-2022-0457: Type Confusion in V8. Reported by
rax of the Group0x58 on 2021-11-29
- [1267060] High CVE-2022-0458: Use after free in Thumbnail Tab
Strip. Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2021-11-05
- [1244205] High CVE-2022-0459: Use after free in Screen Capture.
Reported by raven (@raid_akame) on 2021-08-28
- [1250227] Medium CVE-2022-0460: Use after free in Window Dialog.
Reported by 0x74960 on 2021-09-16
- [1256823] Medium CVE-2022-0461: Policy bypass in COOP. Reported
by NDevTK on 2021-10-05
- [1270470] Medium CVE-2022-0462: Inappropriate implementation in
Scroll. Reported by Youssef Sammouda on 2021-11-16
- [1268240] Medium CVE-2022-0463: Use after free in Accessibility.
Reported by Zhihua Yao of KunLun Lab on 2021-11-09
- [1270095] Medium CVE-2022-0464: Use after free in Accessibility.
Reported by Zhihua Yao of KunLun Lab on 2021-11-14
- [1281941] Medium CVE-2022-0465: Use after free in Extensions.
Reported by Samet Bekmezci @sametbekmezci on 2021-12-22
- [1115460] Medium CVE-2022-0466: Inappropriate implementation in
Extensions Platform. Reported by David Erceg on 2020-08-12
- [1239496] Medium CVE-2022-0467: Inappropriate implementation in
Pointer Lock. Reported by Alesandro Ortiz on 2021-08-13
- [1252716] Medium CVE-2022-0468: Use after free in Payments.
Reported by Krace on 2021-09-24
- [1279531] Medium CVE-2022-0469: Use after free in Cast. Reported
by Thomas Orlita on 2021-12-14
- [1269225] Low CVE-2022-0470: Out of bounds memory access in V8.
Reported by Looben Yang on 2021-11-11
more... | chromium
more detail |
2022-02-01 | VuXML ID 8579074c-839f-11ec-a3b2-005056a311d1
The Samba Team reports:
- CVE-2021-43566: Malicious client using an SMB1 or NFS race to allow
a directory to be created in an area of the server file system not
exported under the share definition.
- CVE-2021-44141: Information leak via symlinks of existence of files
or directories outside of the exported share.
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability
in VFS module vfs_fruit allows code execution.
- CVE-2022-0336: Samba AD users with permission to write to
an account can impersonate arbitrary services.
more... | samba413 samba414 samba415
more detail |
2022-01-29 | VuXML ID b0c83e1a-8153-11ec-84f9-641c67a117d8
Varnish Cache Project reports:
A request smuggling attack can be performed on HTTP/1 connections on
Varnish Cache servers. The smuggled request would be treated as an additional
request by the Varnish server, go through normal VCL processing, and injected
as a spurious response on the client connection.
more... | varnish4 varnish6
more detail |
2022-01-28 | VuXML ID 1aaaa5c6-804d-11ec-8be6-d4c9ef517024
The OpenSSL project reports:
BN_mod_exp may produce incorrect results on MIPS (Moderate)
There is a carry propagation bug in the MIPS32 and MIPS64 squaring
procedure. Many EC algorithms are affected, including some of the
TLS 1.3 default curves. Impact was not analyzed in detail, because the
pre-requisites for attack are considered unlikely and include reusing
private keys. Analysis suggests that attacks against RSA and DSA as a
result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH are considered just feasible
(although very difficult) because most of the work necessary to deduce
information about a private key may be performed offline. The amount
of resources required for such an attack would be significant.
However, for an attack on TLS to be meaningful, the server would have
to share the DH private key among multiple clients, which is no longer
an option since CVE-2016-0701.
more... | openssl openssl-devel openssl-quictls
more detail |
2022-01-28 | VuXML ID b6ef8a53-8062-11ec-9af3-fb232efe4d2e
Cary Phillips reports:
[OpenEXR Version 3.1.4 is a] patch release that [...]
addresses one public security vulnerability:
CVE-2021-45942 Heap-buffer-overflow in
Imf_3_1::LineCompositeTask::execute [and several]
specific OSS-fuzz issues [...].
more... | openexr
more detail |
2022-01-27 | VuXML ID 65847d9d-7f3e-11ec-8624-b42e991fc52e
huntr.dev reports:
In Mustache.php v2.0.0 through v2.14.0, Sections tag can
lead to arbitrary php code execution even if
strict_callables is true when section value is
controllable.
more... | phpmustache
more detail |
2022-01-26 | VuXML ID 0f8bf913-7efa-11ec-8c04-2cf05d620ecc
Qualys reports:
We discovered a Local Privilege Escalation (from any user to root) in
polkit's pkexec, a SUID-root program that is installed by default on
every major Linux distribution.
more... | polkit
more detail |
2022-01-25 | VuXML ID 58528a94-5100-4208-a04d-edc01598cf01
Strongswan Release Notes reports:
Fixed a denial-of-service vulnerability in the gmp plugin that
was caused by an integer overflow when processing RSASSA-PSS
signatures with very large salt lengths. This vulnerability has
been registered as CVE-2021-41990.
Fixed a denial-of-service vulnerability in the in-memory
certificate cache if certificates are replaced and a very large
random value caused an integer overflow. This vulnerability has
been registered as CVE-2021-41991.
more... | strongswan
more detail |
2022-01-25 | VuXML ID ccaea96b-7dcd-11ec-93df-00224d821998
Strongswan Release Notes reports:
Fixed a vulnerability in the EAP client implementation
that was caused by incorrectly handling early EAP-Success
messages. It may allow bypassing the client and, in some
scenarios, even the server authentication, or could lead to
a denial-of-service attack. This vulnerability has been
registered as CVE-2021-45079.
more... | strongswan
more detail |
2022-01-23 | VuXML ID 309c35f4-7c9f-11ec-a739-206a8a720317
David Bouman reports:
AIDE before 0.17.4 allows local users to obtain root privileges
via crafted file metadata (such as XFS extended attributes or
tmpfs ACLs), because of a heap-based buffer overflow.
Aide uses a fixed size (16k bytes) for the return buffer in the
encode_base64/decode_base64 functions. This results in a segfault
if aide processes a file with an extended attribute value or ACL
that is too large.
more... | aide
more detail |
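The AIDE entry above describes the classic fixed-buffer pattern: a 16k return buffer for base64 that is sized for "typical" input while the input (an xattr or ACL value) is attacker-controlled. The following is an added illustration written for this page, not AIDE's own code: a base64 encoder that derives the required output size from the input length and refuses to write into a buffer that is too small, with a heap variant that sizes the buffer from the input. The 16384-byte constant, the function names and the sample inputs are assumptions chosen to mirror the advisory, not values taken from AIDE.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed return-buffer size, mirroring the 16k figure in the advisory. */
#define AIDE_LIKE_BUFSIZE 16384

static const char b64tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Bytes needed for the encoded form of len input bytes, NUL included.
 * Returns 0 if the arithmetic would overflow size_t. */
size_t b64_encoded_size(size_t len) {
    if (len > (SIZE_MAX / 4) * 3 - 8) return 0;
    return 4 * ((len + 2) / 3) + 1;
}

/* Encode into a caller-supplied buffer of capacity cap. Returns the number of
 * characters written (excluding the NUL) or -1 if cap is too small. The size
 * check happens before any write, so the buffer is never overrun. */
long b64_encode_bounded(const unsigned char *in, size_t len, char *out, size_t cap) {
    size_t need = b64_encoded_size(len);
    if (need == 0 || cap < need) return -1;
    size_t i, o = 0;
    for (i = 0; i + 2 < len; i += 3) {
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8) | in[i + 2];
        out[o++] = b64tab[(v >> 18) & 63];
        out[o++] = b64tab[(v >> 12) & 63];
        out[o++] = b64tab[(v >> 6) & 63];
        out[o++] = b64tab[v & 63];
    }
    if (i < len) {                     /* one or two trailing bytes: pad with '=' */
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < len) v |= (uint32_t)in[i + 1] << 8;
        out[o++] = b64tab[(v >> 18) & 63];
        out[o++] = b64tab[(v >> 12) & 63];
        out[o++] = (i + 1 < len) ? b64tab[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    return (long)o;
}

/* Heap variant: the buffer is sized from the input instead of a fixed maximum.
 * Caller frees the result; NULL on overflow or allocation failure. */
char *b64_encode_alloc(const unsigned char *in, size_t len) {
    size_t need = b64_encoded_size(len);
    if (need == 0) return NULL;
    char *out = malloc(need);
    if (!out) return NULL;
    if (b64_encode_bounded(in, len, out, need) < 0) { free(out); return NULL; }
    return out;
}

/* Helper: 1 if the bounded encoding of the C string in equals expected. */
int check_encode(const char *in, const char *expected) {
    char buf[64];
    long n = b64_encode_bounded((const unsigned char *)in, strlen(in), buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

/* Builds a constructed len-byte attribute value and reports whether a fixed 16k
 * buffer accepts it: 1 = encoded, 0 = rejected (the case that used to overflow). */
int fixed_buffer_accepts(size_t len) {
    unsigned char *val = malloc(len ? len : 1);
    if (!val) return 0;
    memset(val, 'A', len);
    char buf[AIDE_LIKE_BUFSIZE];
    int ok = b64_encode_bounded(val, len, buf, sizeof buf) >= 0;
    free(val);
    return ok;
}

int main(void) {
    printf("12000-byte xattr accepted by 16k buffer: %d\n", fixed_buffer_accepts(12000));
    printf("12300-byte xattr accepted by 16k buffer: %d\n", fixed_buffer_accepts(12300));
    char *s = b64_encode_alloc((const unsigned char *)"hello", 5);
    printf("heap encode of \"hello\": %s\n", s ? s : "(null)");
    free(s);
    return 0;
}
```

The point of the bounded variant is that the length check is derived from the input, not from an assumption about the input: a 12000-byte value still fits a 16k buffer, a 12300-byte one needs 16401 bytes and is refused rather than written past the end.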
2022-01-20 | VuXML ID 51496cbc-7a0e-11ec-a323-3065ec8fd3ec
Chrome Releases reports:
This release contains 26 security fixes, including:
- [1284367] Critical CVE-2022-0289: Use after free in Safe
browsing. Reported by Sergei Glazunov of Google Project Zero on
2022-01-05
- [1260134][1260007] High CVE-2022-0290: Use after free in Site
isolation. Reported by Brendon Tiszka and Sergei Glazunov of
Google Project Zero on 2021-10-15
- [1281084] High CVE-2022-0291: Inappropriate implementation in
Storage. Reported by Anonymous on 2021-12-19
- [1270358] High CVE-2022-0292: Inappropriate implementation in
Fenced Frames. Reported by Brendon Tiszka on 2021-11-16
- [1283371] High CVE-2022-0293: Use after free in Web packaging.
Reported by Rong Jian and Guang Gong of 360 Alpha Lab on
2021-12-30
- [1273017] High CVE-2022-0294: Inappropriate implementation in
Push messaging. Reported by Rong Jian and Guang Gong of 360 Alpha
Lab on 2021-11-23
- [1278180] High CVE-2022-0295: Use after free in Omnibox.
Reported by Weipeng Jiang (@Krace) and Guang Gong of 360
Vulnerability Research Institute on 2021-12-09
- [1283375] High CVE-2022-0296: Use after free in Printing.
Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability
Research Institute on 2021-12-30
- [1274316] High CVE-2022-0297: Use after free in Vulkan. Reported
by Cassidy Kim of Amber Security Lab, OPPO Mobile
Telecommunications Corp. Ltd. on 2021-11-28
- [1212957] High CVE-2022-0298: Use after free in Scheduling.
Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-25
- [1275438] High CVE-2022-0300: Use after free in Text Input
Method Editor. Reported by Rong Jian and Guang Gong of 360 Alpha
Lab on 2021-12-01
- [1276331] High CVE-2022-0301: Heap buffer overflow in DevTools.
Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability
Research on 2021-12-03
- [1278613] High CVE-2022-0302: Use after free in Omnibox.
Reported by Weipeng Jiang (@Krace) and Guang Gong of 360
Vulnerability Research Institute on 2021-12-10
- [1281979] High CVE-2022-0303: Race in GPU Watchdog. Reported by
Yigit Can YILMAZ (@yilmazcanyigit) on 2021-12-22
- [1282118] High CVE-2022-0304: Use after free in Bookmarks.
Reported by Rong Jian and Guang Gong of 360 Alpha Lab on
2021-12-22
- [1282354] High CVE-2022-0305: Inappropriate implementation in
Service Worker API. Reported by @uwu7586 on 2021-12-23
- [1283198] High CVE-2022-0306: Heap buffer overflow in PDFium.
Reported by Sergei Glazunov of Google Project Zero on
2021-12-29
- [1281881] Medium CVE-2022-0307: Use after free in Optimization
Guide. Reported by Samet Bekmezci @sametbekmezci on
2021-12-21
- [1282480] Medium CVE-2022-0308: Use after free in Data Transfer.
Reported by @ginggilBesel on 2021-12-24
- [1240472] Medium CVE-2022-0309: Inappropriate implementation in
Autofill. Reported by Alesandro Ortiz on 2021-08-17
- [1283805] Medium CVE-2022-0310: Heap buffer overflow in Task
Manager. Reported by Samet Bekmezci @sametbekmezci on
2022-01-03
- [1283807] Medium CVE-2022-0311: Heap buffer overflow in Task
Manager. Reported by Samet Bekmezci @sametbekmezci on
2022-01-03
more... | chromium
more detail |
2022-01-19 | VuXML ID 7262f826-795e-11ec-8be6-d4c9ef517024
Oracle reports:
This Critical Patch Update contains 78 new security patches for
Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle
MySQL is 7.4
more... | mysql-connector-c++ mysql-connector-java mysql-connector-java51 mysql-connector-odbc mysql-server55 mysql-server56 mysql-server57 mysql-server80
more detail |
2022-01-14 | VuXML ID e3ec8b30-757b-11ec-922f-654747404482
The Prosody team reports:
It was discovered that an internal Prosody library to load XML based on
does not properly restrict the XML features allowed in parsed
XML data. Given suitable attacker input, this results in expansion of
recursive entity references from DTDs (CWE-776). In addition,
depending on the libexpat version used, it may also allow injections
using XML External Entity References (CWE-611).
more... | prosody
more detail |
2022-01-13 | VuXML ID 79b65dc5-749f-11ec-8be6-d4c9ef517024
The WordPress project reports:
- Issue with stored XSS through post slugs
- Issue with Object injection in some multisite installations
- SQL injection vulnerability in WP_Query
- SQL injection vulnerability in WP_Meta_Query
more... | wordpress
more detail |
2022-01-12 | VuXML ID 2a6106c6-73e5-11ec-8fa2-0800270512f4
Laurent Delosieres reports:
Fix for invalid pointer read that may cause a crash. This issue affects
0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the
CL_SCAN_GENERAL_COLLECT_METADATA scan option
(the clamscan --gen-json option) is enabled.
more... | clamav clamav-lts
more detail |
2022-01-12 | VuXML ID 43f84437-73ab-11ec-a587-001b217b3468
Gitlab reports:
Arbitrary file read via group import feature
Stored XSS in notes
Lack of state parameter on GitHub import project OAuth
Vulnerability related fields are available to unauthorized users on GraphQL API
Deleting packages may cause table locks
IP restriction bypass via GraphQL
Repository content spoofing using Git replacement references
Users can import members from projects that they are not a maintainer on through API
Possibility to direct user to malicious site through Slack integration
Bypassing file size limits to the NPM package repository
User with expired password can still access sensitive information
Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port
more... | gitlab-ce
more detail |
2022-01-12 | VuXML ID 672eeea9-a070-4f88-b0f1-007e90a2cbc3
Jenkins Security Advisory:
Description
(Medium) SECURITY-2558 / CVE-2022-20612
CSRF vulnerability in build triggers
more... | jenkins jenkins-lts
more detail |
2022-01-09 | VuXML ID b927b654-7146-11ec-ad4b-5404a68ad561
Upstream project reports:
Fix a bug affecting both uriNormalizeSyntax* and uriMakeOwner*
functions where the text range in .hostText would not be duped using
malloc but remain unchanged (and hence "not owned") for URIs with
an IPv4 or IPv6 address hostname; depending on how an application
uses uriparser, this could lead the application into a use-after-free
situation.
As the second half, fix uriFreeUriMembers* functions that would not
free .hostText memory for URIs with an IPv4 or IPv6 address host;
also, calling uriFreeUriMembers* multiple times on a URI of this
very nature would result in trying to free pointers to stack
(rather than heap) memory.
Fix functions uriNormalizeSyntax* for out-of-memory situations
(i.e. malloc returning NULL) for URIs containing empty segments
(any of user info, host text, query, or fragment) where previously
pointers to stack (rather than heap) memory were freed.
more... | uriparser
more detail |
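The uriparser entry above describes two related ownership defects: a "make owner" step that left one text range (the host text of an IPv4/IPv6 URI) pointing into the caller's string, so it dangled once that string was freed, and a members-free routine that was not idempotent and could free stack pointers. The following added example, written for this page and not uriparser's own code, is a miniature of the range-into-input design with the invariants that avoid both problems: make-owner dupes every range or none, and free-members only frees when the URI owns its memory and clears the ranges so a second call is a no-op. The MiniUri type, the parser and the sample URIs are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical miniature of a range-based URI: until made "owner", each range
 * points into the caller's string; afterwards every range is a heap copy. */
typedef struct { const char *first; const char *afterLast; } TextRange;

typedef struct {
    TextRange scheme;
    TextRange hostText;   /* the range the advisory says was left un-duped for IP hosts */
    TextRange path;
    int owner;            /* 1 once all ranges are heap copies */
} MiniUri;

/* Parse "scheme://host/path" by pointing ranges into s (no copying).
 * Returns 0 on success, -1 on malformed input. */
int mini_parse(MiniUri *u, const char *s) {
    memset(u, 0, sizeof *u);
    const char *sep = strstr(s, "://");
    if (!sep) return -1;
    u->scheme.first = s; u->scheme.afterLast = sep;
    const char *host = sep + 3;
    const char *slash = strchr(host, '/');
    const char *host_end = slash ? slash : host + strlen(host);
    if (host_end == host) return -1;
    u->hostText.first = host; u->hostText.afterLast = host_end;
    if (slash) { u->path.first = slash; u->path.afterLast = slash + strlen(slash); }
    return 0;
}

/* Duplicate one range onto the heap; empty ranges stay NULL. */
static int range_dup(TextRange *r) {
    if (!r->first) return 0;
    size_t n = (size_t)(r->afterLast - r->first);
    char *copy = malloc(n + 1);
    if (!copy) return -1;
    memcpy(copy, r->first, n); copy[n] = '\0';
    r->first = copy; r->afterLast = copy + n;
    return 0;
}

/* Make the URI own its memory. All ranges are duped, hostText included whatever
 * kind of host it holds; on allocation failure the partial copies are rolled
 * back so *u still holds only borrowed pointers and owner stays 0. */
int mini_make_owner(MiniUri *u) {
    if (u->owner) return 0;
    MiniUri tmp = *u;
    if (range_dup(&tmp.scheme) || range_dup(&tmp.hostText) || range_dup(&tmp.path)) {
        if (tmp.scheme.first != u->scheme.first) free((char *)tmp.scheme.first);
        if (tmp.hostText.first != u->hostText.first) free((char *)tmp.hostText.first);
        if (tmp.path.first != u->path.first) free((char *)tmp.path.first);
        return -1;
    }
    tmp.owner = 1;
    *u = tmp;
    return 0;
}

/* Release owned memory. Borrowed ranges are never freed, and the struct is
 * cleared so calling this twice is harmless rather than a double free. */
void mini_free_members(MiniUri *u) {
    if (u->owner) {
        free((char *)u->scheme.first);
        free((char *)u->hostText.first);
        free((char *)u->path.first);
    }
    memset(u, 0, sizeof *u);
}

/* 1 if an IPv6-host URI made owner survives the caller destroying its buffer
 * and a repeated free-members call. Input string is constructed for the demo. */
int demo_owner_survives(void) {
    const char *src = "http://[::1]/index.html";
    char *buf = malloc(strlen(src) + 1);
    if (!buf) return 0;
    strcpy(buf, src);
    MiniUri u;
    if (mini_parse(&u, buf) != 0 || mini_make_owner(&u) != 0) { free(buf); return 0; }
    memset(buf, 'X', strlen(buf));   /* clobber the caller's buffer: an owner must not notice */
    free(buf);
    int ok = (size_t)(u.hostText.afterLast - u.hostText.first) == 5
             && memcmp(u.hostText.first, "[::1]", 5) == 0;
    mini_free_members(&u);
    mini_free_members(&u);           /* second call must be a no-op */
    return ok;
}

/* 1 if freeing a non-owner URI that points into a stack buffer frees nothing. */
int demo_borrowed_not_freed(void) {
    char stackbuf[] = "http://127.0.0.1/";
    MiniUri u;
    if (mini_parse(&u, stackbuf) != 0) return 0;
    mini_free_members(&u);           /* not owner: must not free() into the stack */
    return u.hostText.first == NULL && u.owner == 0;
}

/* 1 if malformed inputs are rejected by the parser. */
int demo_parse_rejects_bad(void) {
    MiniUri u;
    return mini_parse(&u, "no-scheme") == -1 && mini_parse(&u, "http:///x") == -1;
}
```

Two properties carry the lesson: ownership is all-or-nothing (there is no state in which some ranges are heap copies and others still point at the input), and the free routine checks the owner flag and clears what it frees, so neither a freed input string nor a repeated free can turn into the use-after-free or stack free the advisory describes.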
2022-01-06 | VuXML ID d3e023fb-6e88-11ec-b948-080027240888
Django Release reports:
CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator.
CVE-2021-45116: Potential information disclosure in dictsort template filter.
CVE-2021-45452: Potential directory-traversal via Storage.save().
more... | py37-django22 py37-django32 py37-django40 py38-django22 py38-django32 py38-django40 py39-django22 py39-django32 py39-django40
more detail |
2022-01-05 | VuXML ID 9c990e67-6e30-11ec-82db-b42e991fc52e
nlnetlabs reports:
Release 0.10.2 contains fixes for the following issues:
- Medium CVE-2021-43172: Infinite length chain of RRDP
repositories. Credit: Koen van Hove. Date: 2021-11-09
- Medium CVE-2021-43173: Hanging RRDP request.
Credit: Koen van Hove. Date: 2021-11-09
- Medium CVE-2021-43174: gzip transfer encoding caused
out-of-memory crash. Credit: Koen van Hove. Date: 2021-11-09
more... | routinator
more detail |
2022-01-05 | VuXML ID 9eeccbf3-6e26-11ec-bb10-3065ec8fd3ec
Chrome Releases reports:
This release contains 37 security fixes, including:
- [$TBD][1275020] Critical CVE-2022-0096: Use after free in
Storage. Reported by Yangkang (@dnpushme) of 360 ATA on
2021-11-30
- [1117173] High CVE-2022-0097: Inappropriate implementation in
DevTools. Reported by David Erceg on 2020-08-17
- [1273609] High CVE-2022-0098: Use after free in Screen Capture.
Reported by @ginggilBesel on 2021-11-24
- [1245629] High CVE-2022-0099: Use after free in Sign-in.
Reported by Rox on 2021-09-01
- [1238209] High CVE-2022-0100: Heap buffer overflow in Media
streams API. Reported by Cassidy Kim of Amber Security Lab, OPPO
Mobile Telecommunications Corp. Ltd. on 2021-08-10
- [1249426] High CVE-2022-0101: Heap buffer overflow in Bookmarks.
Reported by raven (@raid_akame) on 2021-09-14
- [1260129] High CVE-2022-0102: Type Confusion in V8 . Reported by
Brendon Tiszka on 2021-10-14
- [1272266] High CVE-2022-0103: Use after free in SwiftShader.
Reported by Abraruddin Khan and Omair on 2021-11-21
- [1273661] High CVE-2022-0104: Heap buffer overflow in ANGLE.
Reported by Abraruddin Khan and Omair on 2021-11-25
- [1274376] High CVE-2022-0105: Use after free in PDF. Reported by
Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications
Corp. Ltd. on 2021-11-28
- [1278960] High CVE-2022-0106: Use after free in Autofill.
Reported by Khalil Zhani on 2021-12-10
- [1248438] Medium CVE-2022-0107: Use after free in File Manager
API. Reported by raven (@raid_akame) on 2021-09-10
- [1248444] Medium CVE-2022-0108: Inappropriate implementation in
Navigation. Reported by Luan Herrera (@lbherrera_) on
2021-09-10
- [1261689] Medium CVE-2022-0109: Inappropriate implementation in
Autofill. Reported by Young Min Kim (@ylemkimon), CompSec Lab at
Seoul National University on 2021-10-20
- [1237310] Medium CVE-2022-0110: Incorrect security UI in
Autofill. Reported by Alesandro Ortiz on 2021-08-06
- [1241188] Medium CVE-2022-0111: Inappropriate implementation in
Navigation. Reported by garygreen on 2021-08-18
- [1255713] Medium CVE-2022-0112: Incorrect security UI in Browser
UI. Reported by Thomas Orlita on 2021-10-04
- [1039885] Medium CVE-2022-0113: Inappropriate implementation in
Blink. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
- [1267627] Medium CVE-2022-0114: Out of bounds memory access in
Web Serial. Reported by Looben Yang on 2021-11-06
- [1268903] Medium CVE-2022-0115: Uninitialized Use in File API.
Reported by Mark Brand of G
|