VuXML entries as processed by FreshPorts | Date | Description | Port(s) |
2025-01-23 | VuXML ID 1e109b60-d92e-11ef-a661-08002784c58d
The ClamAV project reports:
A possible buffer overflow read bug is found in the OLE2
file parser that could cause a denial-of-service (DoS)
condition.
more... | clamav clamav-lts
more detail |
2025-01-23 | VuXML ID 24c93a28-d95b-11ef-b6b2-2cf05da270f3
Gitlab reports:
Stored XSS via Asciidoctor render
Developer could exfiltrate protected CI/CD variables via CI lint
Cyclic reference of epics leads to resource exhaustion
more... | gitlab-ce gitlab-ee
more detail |
2025-01-23 | VuXML ID 2def27c7-7dd0-42cb-adf6-8e5a7afe4db3
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2025-0434.
- Security: backported fix for CVE-2025-0436.
- Security: backported fix for CVE-2025-0437.
more... | electron33
more detail |
2025-01-22 | VuXML ID 7d17676d-4828-4a43-85d6-1ee14362de6e
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-12053.
more... | electron32
more detail |
2025-01-21 | VuXML ID 704aa72a-d840-11ef-a205-901b0e9408dc
The Go project reports:
crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
A certificate with a URI which has an IPv6 address with a
zone ID may incorrectly satisfy a URI name constraint that
applies to the certificate chain.
net/http: sensitive headers incorrectly sent after cross-domain redirect
The HTTP client drops sensitive headers after following a
cross-domain redirect. For example, a request to a.com/
containing an Authorization header which is redirected to
b.com/ will not send that header to b.com.
more... | go122 go123
more detail |
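An added check for the net/http item above (example code written for this page, not the Go project's own): it starts two loopback httptest servers standing in for the hypothetical hosts a.example and b.example, pins those names to the listeners with a custom DialContext so no DNS is involved, sends a request carrying a constructed Authorization header to a.example, and follows the chain a.example -> b.example/first -> b.example/second, recording at each hop whether the header arrived. The page documents only the cross-domain drop on the first hop; the follow-on same-host hop is this example's own probe, and on a toolchain carrying the fix the header must stay absent there as well.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// RedirectProbe records, per hop, whether the Authorization header arrived.
type RedirectProbe struct {
	mu   sync.Mutex
	seen map[string]bool // hop name -> Authorization header present
}

func (p *RedirectProbe) record(hop string, r *http.Request) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.seen[hop] = r.Header.Get("Authorization") != ""
}

// runProbe follows a.example -> b.example/first -> b.example/second with an
// Authorization header attached to the initial request and returns which hops
// saw the header. Host names a.example and b.example are hypothetical and are
// resolved only by the custom dialer below.
func runProbe() (map[string]bool, error) {
	p := &RedirectProbe{seen: map[string]bool{}}

	// b.example: /first redirects again within the same host; /second is terminal.
	b := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.URL.Path {
		case "/first":
			p.record("b.example/first", r)
			http.Redirect(w, r, "http://b.example/second", http.StatusFound)
		case "/second":
			p.record("b.example/second", r)
			w.WriteHeader(http.StatusOK)
		default:
			http.NotFound(w, r)
		}
	}))
	defer b.Close()

	// a.example: the origin; it redirects cross-domain to b.example.
	a := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p.record("a.example", r)
		http.Redirect(w, r, "http://b.example/first", http.StatusFound)
	}))
	defer a.Close()

	// Map the fake host names to the loopback listeners so no DNS lookup happens.
	addrs := map[string]string{
		"a.example:80": strings.TrimPrefix(a.URL, "http://"),
		"b.example:80": strings.TrimPrefix(b.URL, "http://"),
	}
	tr := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			real, ok := addrs[addr]
			if !ok {
				return nil, fmt.Errorf("unexpected dial to %s", addr)
			}
			return (&net.Dialer{}).DialContext(ctx, network, real)
		},
	}
	client := &http.Client{Transport: tr}

	req, err := http.NewRequest("GET", "http://a.example/", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer constructed-test-token") // constructed sample credential
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()

	p.mu.Lock()
	defer p.mu.Unlock()
	out := make(map[string]bool, len(p.seen))
	for k, v := range p.seen {
		out[k] = v
	}
	return out, nil
}

func main() {
	seen, err := runProbe()
	if err != nil {
		panic(err)
	}
	for _, hop := range []string{"a.example", "b.example/first", "b.example/second"} {
		fmt.Printf("%-18s Authorization present: %v\n", hop, seen[hop])
	}
	if seen["b.example/second"] {
		fmt.Println("header reappeared on the same-host follow-on redirect: this toolchain needs the fixed go122/go123 port")
	}
}
```

Run it with the Go toolchain you intend to ship with; the origin must see the header, the first cross-domain hop must not, and the third line tells you whether the follow-on redirect leaks it.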
2025-01-20 | VuXML ID 3161429b-3897-4593-84a0-b41ffbbfa36b
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-12053.
- Security: backported fix for CVE-2024-12693.
- Security: backported fix for CVE-2024-12694.
more... | electron31
more detail |
2025-01-18 | VuXML ID d9b0fea0-d564-11ef-b9bc-d05099c0ae8c
Filippo Valsorda reports:
A plugin name containing a path separator may allow an
attacker to execute an arbitrary binary.
Such a plugin name can be provided to the age CLI through
an attacker-controlled recipient or identity string, or to
the plugin.NewIdentity, plugin.NewIdentityWithoutData, or
plugin.NewRecipient APIs.
more... | age
more detail |
2025-01-17 | VuXML ID 47bc292a-d472-11ef-aaab-7d43732cb6f5
Frank Lichtenheld reports:
[OpenVPN v2.6.13 ...] improve server-side handling of clients sending
usernames or passwords longer than USER_PASS_LEN - this would not
result in a crash, buffer overflow or other security issues, but the
server would then misparse incoming IV variables and produce misleading
error messages.
more... | openvpn
more detail |
2025-01-14 | VuXML ID 163edccf-d2ba-11ef-b10e-589cfc10a551
rsync reports:
This update includes multiple security fixes:
- CVE-2024-12084: Heap Buffer Overflow in Checksum Parsing
- CVE-2024-12085: Info Leak via uninitialized Stack contents defeats ASLR
- CVE-2024-12086: Server leaks arbitrary client files
- CVE-2024-12087: Server can make client write files outside of destination directory using symbolic links
- CVE-2024-12088: --safe-links Bypass
- CVE-2024-12747: symlink race condition
more... | rsync
more detail |
2025-01-14 | VuXML ID 3445e4b6-d2b8-11ef-9ff3-43c2b5d6c4c8
Git development team reports:
CVE-2024-50349: Printing unsanitized URLs when asking for credentials made the
user susceptible to crafted URLs (e.g. in recursive clones) that
mislead the user into typing in passwords for trusted sites that
would then be sent to untrusted sites instead.
CVE-2024-52006: Git may pass on Carriage Returns via the credential protocol to
credential helpers which use line-reading functions that
interpret said Carriage Returns as line endings, even though Git
did not intend that.
more... | git git-cvs git-gui git-p4 git-svn
more detail |
2025-01-13 | VuXML ID 5e2bd238-d2bb-11ef-bc0e-1c697a616631
Keycloak reports:
This update includes 2 security fixes:
- CVE-2024-11734: Unrestricted admin use of system and environment variables
- CVE-2024-11736: Denial of Service in Keycloak Server via Security Headers
more... | keycloak
more detail |
2025-01-12 | VuXML ID 7624c151-d116-11ef-b232-b42e991fc52e
cve@mitre.org reports:
An issue in the action_listcategories() function of Sangoma Asterisk
v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to
execute a path traversal.
more... | asterisk18 asterisk20
more detail |
2025-01-10 | VuXML ID 4d79fd1a-cc93-11ef-abed-08002784c58d
Redis core team reports:
An authenticated user with sufficient privileges may create a
malformed ACL selector which, when accessed, triggers a
server panic and subsequent denial of service. The problem
exists in Redis 7.0.0 or newer.
more... | redis redis72 valkey
more detail |
2025-01-10 | VuXML ID 5f19ac58-cc90-11ef-abed-08002784c58d
Redis core team reports:
An authenticated user may use a specially crafted Lua
script to manipulate the garbage collector and potentially
lead to remote code execution. The problem exists in all
versions of Redis with Lua scripting.
more... | redis redis62 redis72 valkey
more detail |
2025-01-08 | VuXML ID 2bfde261-cdf2-11ef-b6b2-2cf05da270f3
Gitlab reports:
Possible access token exposure in GitLab logs
Cyclic reference of epics leads to resource exhaustion
Unauthorized user can manipulate status of issues in public projects
Instance SAML does not respect external_provider configuration
more... | gitlab-ce gitlab-ee
more detail |
2024-12-29 | VuXML ID ed0a052a-c5e6-11ef-a457-b42e991fc52e
security@apache.org reports:
Time-of-check Time-of-use (TOCTOU) Race Condition
The mitigation for CVE-2024-50379 was incomplete.
Users running Tomcat on a case insensitive file system with the
default servlet write enabled (readonly initialisation parameter
set to the non-default value of false) may need additional configuration
to fully mitigate CVE-2024-50379 depending on which version of Java
they are using with Tomcat:
- running on Java 8 or Java 11: the system property
sun.io.useCanonCaches must be explicitly set to false
(it defaults to true)
- running on Java 17: the system property
sun.io.useCanonCaches, if set, must be set to false (it defaults to
false)
- running on Java 21 onwards: no further configuration is
required (the system property and the problematic cache have been
removed)
Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks
that sun.io.useCanonCaches is set appropriately before allowing the
default servlet to be write enabled on a case insensitive file
system. Tomcat will also set sun.io.useCanonCaches to false by
default where it can.
more... | tomcat101 tomcat110 tomcat9
more detail |
2024-12-24 | VuXML ID 94b2d58a-c1e9-11ef-aa3f-dcfe074bd614
security-advisories@github.com reports:
Kanboard is project management software that focuses on the Kanban
methodology. In affected versions sessions are still usable even
though their lifetime has exceeded. Kanboard implements a custom
session handler (`app/Core/Session/SessionHandler.php`), to store
the session data in a database. Therefore, when a `session_id` is
given, kanboard queries the data from the `sessions` sql table. At
this point, it does not correctly verify, if a given `session_id`
has already exceeded its lifetime (`expires_at`). Thus, a session
whose lifetime is already `> time()` is still queried
from the database and hence a valid login. The implemented
**SessionHandlerInterface::gc** function, that does remove invalid
sessions, is called only **with a certain probability** (_Cleans
up expired sessions. Called by `session_start()`, based on
`session.gc_divisor`, `session.gc_probability` and `session.gc_maxlifetime`
settings_) according to the php documentation. In the official
Kanboard docker image these values default to: session.gc_probability=1,
session.gc_divisor=1000. Thus, an expired session is only terminated
with probability 1/1000. There are no known workarounds for
this vulnerability.
more... | kanboard
more detail |
2024-12-20 | VuXML ID 0a8dbc7f-bedc-11ef-b5a1-000ec6d40964
The Vaultwarden project reports:
Admins from any organization were able to modify or delete groups in any other organization if they know the group's uuid.
more... | vaultwarden
more detail |
2024-12-19 | VuXML ID e18c5c8d-be01-11ef-8c1c-a8a1599412c6
Chrome Releases reports:
This update includes 3 security fixes:
- [382291459] High CVE-2024-12692: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-12-05
- [382190919] High CVE-2024-12693: Out of bounds memory access in V8. Reported by 303f06e3 on 2024-12-04
- [368222741] High CVE-2024-12694: Use after free in Compositing. Reported by Anonymous on 2024-09-19
- [383647255] High CVE-2024-12695: Out of bounds write in V8. Reported by 303f06e3 on 2024-12-12
more... | chromium ungoogled-chromium
more detail |
2024-12-18* | VuXML ID 5ca064a6-bca1-11ef-8926-9b4f2d14eb53
Problem Description:
- It was possible to use a token sent via email for secondary email validation to reset the password instead. In other words, a token sent for a given action (registration, password reset or secondary email validation) could be used to perform a different action. It is no longer possible to use a token for an action that is different from its original purpose.
- A fork of a public repository would show in the list of forks, even if its owner was not a public user or organization. Such a fork is now hidden from the list of forks of the public repository.
- The members of an organization team with read access to a repository (e.g. to read issues) but no read access to the code could read the RSS or atom feeds which include the commit activity. Reading the RSS or atom feeds is now denied unless the team has read permissions on the code.
- The tokens used when replying by email to issues or pull requests were weaker than the rfc2104 recommendations. The tokens are now truncated to 128 bits instead of 80 bits. It is no longer possible to reply to emails sent before the upgrade because the weaker tokens are invalid.
- A registered user could modify the update frequency of any push mirror (e.g. every 4h instead of every 8h). They are now only able to do that if they have administrative permissions on the repository.
- It was possible to use basic authorization (i.e. user:password) for requests to the API even when security keys were enrolled for a user. It is no longer possible, an application token must be used instead.
- Some markup sanitation rules were not as strong as they could be (e.g. allowing emoji somethingelse as well as emoji). The rules are now stricter and do not allow for such cases.
- When Forgejo is configured to enable instance wide search (e.g. with bleve), results found in the repositories of private or limited users were displayed to anonymous visitors. The results found in private or limited organizations were not displayed. The search results found in the repositories of private or limited user are no longer displayed to anonymous visitors.
more... | forgejo forgejo7
more detail |
2024-12-18 | VuXML ID dc087dad-bd71-11ef-b5a1-000ec6d40964
The Open Quantum Safe project reports:
A correctness error has been identified in the reference implementation of the HQC key encapsulation mechanism. Due to an indexing error, part of the secret key is incorrectly treated as non-secret data. This results in an incorrect shared secret value being returned when the decapsulation function is called with a malformed ciphertext.
No concrete attack exploiting the error has been identified at this point. However, the error involves mishandling of the secret key, and in principle this presents a security vulnerability.
more... | liboqs
more detail |
2024-12-17 | VuXML ID 25a697de-bca1-11ef-8926-9b4f2d14eb53
Problem Description:
- When Forgejo is configured to run the internal ssh server with
[server].START_SSH_SERVER=true, it was possible for a registered user
to impersonate another user. The rootless container image uses the
internal ssh server by default and was vulnerable. A Forgejo
instance running from a binary or from a root container image does
not use the internal ssh server by default and was not vulnerable.
The incorrect use of the crypto package is the root cause of the
vulnerability and was fixed for the internal ssh server.
- Revert "allow synchronizing user status from OAuth2 login
providers"
more... | forgejo
more detail |
2024-12-17 | VuXML ID 38e6f778-bca3-11ef-8926-9b4f2d14eb53
Problem Description:
- Misuse of ServerConfig.PublicKeyCallback may cause authorization
bypass in golang.org/x/crypto
more... | gitea
more detail |
2024-12-17 | VuXML ID 453cd84e-bca4-11ef-8926-9b4f2d14eb53
Problem Description:
- Fix delete branch perm checking
- Upgrade crypto library
more... | gitea
more detail |
2024-12-17 | VuXML ID 6dcf6fc6-bca0-11ef-8926-9b4f2d14eb53
Problem Description:
- When Forgejo is configured to run the internal ssh server with
[server].START_SSH_SERVER=true, it was possible for a registered user
to impersonate another user. The rootless container image uses the
internal ssh server by default and was vulnerable. A Forgejo
instance running from a binary or from a root container image does
not use the internal ssh server by default and was not vulnerable.
The incorrect use of the crypto package is the root cause of the
vulnerability and was fixed for the internal ssh server.
- Revert "allow synchronizing user status from OAuth2 login
providers"
more... | forgejo
more detail |
2024-12-17 | VuXML ID 6ea20f0c-bca3-11ef-8926-9b4f2d14eb53
Problem Description:
- Fix basic auth with webauthn
- Refactor internal routers (partial backport, auth token const time comparing)
more... | gitea
more detail |
2024-12-16 | VuXML ID ef56065e-81fe-4731-a1e3-606c55925bef
Tim Wojtulewicz of Corelight reports:
Large QUIC packets can cause Zeek to overflow memory
and potentially crash. Due to the possibility of receiving
these packets from remote hosts, this is a DoS risk.
more... | zeek
more detail |
2024-12-15 | VuXML ID 71f3e9f0-bafc-11ef-885d-901b0e934d69
element-hq/synapse developers report:
[The 1.120.1] release fixes multiple security
vulnerabilities, some affecting all prior versions of
Synapse. Server administrators are encouraged to
update Synapse as soon as possible. We are not aware
of these vulnerabilities being exploited in the
wild.
Administrators who are unable to update Synapse may
use the workarounds described in the linked GitHub
Security Advisory below.
more... | py310-matrix-synapse py311-matrix-synapse py38-matrix-synapse py39-matrix-synapse
more detail |
2024-12-12 | VuXML ID 275ac414-b847-11ef-9877-2cf05da270f3
Gitlab reports:
Injection of Network Error Logging (NEL) headers in kubernetes proxy response could lead to ATO abusing OAuth flows
Denial of Service by repeatedly sending unauthenticated requests for diff-files
CI_JOB_TOKEN could be used to obtain GitLab session
Open redirect in releases API
Client-Side Path Traversal in Harbor artifact links
HTML injection in vulnerability details could lead to Cross Site Scripting
Leak branch names of projects with confidential repository
Non member can view unresolved threads marked as internal notes
Uncontrolled Resource Consumption through a maliciously crafted file
Certain sensitive information passed as literals inside GraphQL mutations retained in GraphQL logs
Information disclosure of confidential incidents details to a group member in Gitlab Wiki
Domain Confusion in GitLab Pages Unique Domain Implementation
more... | gitlab-ce gitlab-ee
more detail |
2024-12-11 | VuXML ID 3d5b7860-48ad-48c2-aa36-601b8ab9cc43
Chrome Releases reports:
This update includes 4 security fixes:
- [379009132] High CVE-2024-12053: Type Confusion in V8. Reported by gal1ium and chluo on 2024-11-14
more... | chromium ungoogled-chromium
more detail |
2024-12-11 | VuXML ID aeee5ebd-356c-49c1-8959-7c88981de5fd
Chrome Releases reports:
This update includes 3 security fixes:
- [381696874] High CVE-2024-12381: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-12-02
- [379516109] High CVE-2024-12382: Use after free in Translate. Reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-11-18
more... | chromium ungoogled-chromium
more detail |
2024-12-10 | VuXML ID 0e20e42c-b728-11ef-805a-b42e991fc52e
security@mozilla.org reports:
- CVE-2024-11692: An attacker could cause a select dropdown
to be shown over another tab; this could have led to user
confusion and possible spoofing attacks.
- CVE-2024-11696: The application failed to account for
exceptions thrown by the `loadManifestFromFile` method during
add-on signature verification. This flaw, triggered by an
invalid or unsupported extension manifest, could have caused
runtime errors that disrupted the signature validation process.
As a result, the enforcement of signature validation for
unrelated add-ons may have been bypassed. Signature validation
in this context is used to ensure that third-party
applications on the user's computer have not tampered
with the user's extensions, limiting the impact of this
issue.
- CVE-2024-11697: When handling keypress events, an attacker
may have been able to trick a user into bypassing the
"Open Executable File?" confirmation dialog. This could
have led to malicious code execution.
- CVE-2024-11699: Memory safety bugs present in Firefox 132,
Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs
showed evidence of memory corruption and we presume that with
enough effort some of these could have been exploited to run
arbitrary code.
more... | firefox firefox-esr thunderbird
more detail |
2024-12-07 | VuXML ID c2fd83e4-b450-11ef-b680-4ccc6adda413
Qt qtwebengine-chromium repo reports:
Backports for 5 security bugs in Chromium:
- CVE-2024-11110: Inappropriate implementation in Blink
- CVE-2024-11112: Use after free in Media
- CVE-2024-11114: Inappropriate implementation in Views
- CVE-2024-11116: Inappropriate implementation in Paint
- CVE-2024-11117: Inappropriate implementation in FileSystem
more... | qt6-webengine
more detail |
2024-12-06 | VuXML ID 7256fae8-b3e8-11ef-b680-4ccc6adda413
The GStreamer Security Center reports:
3 security bugs.
- CVE-2024-47542: ID3v2 parser out-of-bounds read and NULL-pointer dereference
- CVE-2024-47600: Out-of-bounds read in gst-discoverer-1.0 commandline tool
- CVE-2024-47541: Out-of-bounds write in SSA subtitle parser
more... | gstreamer1-plugins
more detail |
2024-12-06 | VuXML ID 750ab972-b3e8-11ef-b680-4ccc6adda413
The GStreamer Security Center reports:
20 security bugs.
- CVE-2024-47537: Integer overflow in MP4/MOV sample table parser leading to out-of-bounds writes
- CVE-2024-47598: MP4/MOV sample table parser out-of-bounds read
- CVE-2024-47539: MP4/MOV Closed Caption handling out-of-bounds write
- CVE-2024-47543: MP4/MOV demuxer out-of-bounds read
- CVE-2024-47545: Integer overflow in MP4/MOV demuxer that can result in out-of-bounds read
- CVE-2024-47544: NULL-pointer dereferences in MP4/MOV demuxer CENC handling
- CVE-2024-47597: Out-of-bounds reads in MP4/MOV demuxer sample table parser
- CVE-2024-47546: Integer underflow in MP4/MOV demuxer that can lead to out-of-bounds reads
- CVE-2024-47606: Integer overflows in MP4/MOV demuxer and memory allocator that can lead to out-of-bounds writes
- CVE-2024-47596: Integer underflow in MP4/MOV demuxer that can lead to out-of-bounds reads
- CVE-2024-47540: Usage of uninitialized stack memory in Matroska/WebM demuxer
- CVE-2024-47602: NULL-pointer dereferences and out-of-bounds reads in Matroska/WebM demuxer
- CVE-2024-47601: NULL-pointer dereference in Matroska/WebM demuxer
- CVE-2024-47603: NULL-pointer dereference in Matroska/WebM demuxer
- CVE-2024-47775: Out-of-bounds read in WAV parser
- CVE-2024-47776: Out-of-bounds read in WAV parser
- CVE-2024-47777: Out-of-bounds read in WAV parser
- CVE-2024-47778: Out-of-bounds read in WAV parser
- CVE-2024-47774: Integer overflow in AVI subtitle parser that leads to out-of-bounds reads
- CVE-2024-47834: Use-after-free in Matroska demuxer
more... | gstreamer1-plugins-good
more detail |
2024-12-06 | VuXML ID 772d8625-b3e8-11ef-b680-4ccc6adda413
The GStreamer Security Center reports:
A NULL-pointer dereference in the gdk-pixbuf decoder that can
cause crashes for certain input files.
more... | gstreamer1-plugins-gdkpixbuf
more detail |
2024-12-06 | VuXML ID 7945c543-b3e8-11ef-b680-4ccc6adda413
The GStreamer Security Center reports:
Insufficient error handling in the JPEG decoder that can lead to
NULL-pointer dereferences, and that can cause crashes for certain
input files.
more... | gstreamer1-plugins-jpeg
more detail |
2024-12-06 | VuXML ID 7b34ddf7-b3e8-11ef-b680-4ccc6adda413
The GStreamer Security Center reports:
An out-of-bounds write in the Ogg demuxer that can cause crashes
for certain input files.
more... | gstreamer1-plugins-ogg
more detail |
2024-12-06 | VuXML ID 7d1b4e5d-b3e8-11ef-b680-4ccc6adda413
The GStreamer Security Center reports:
Stack buffer-overflow in Opus decoder that can cause crashes for
certain input files.
more... | gstreamer1-plugins-opus
more detail |
2024-12-06 | VuXML ID 7f3a302b-b3e8-11ef-b680-4ccc6adda413
The GStreamer Security Center reports:
Stack buffer-overflow in Vorbis decoder that can cause crashes for
certain input files.
more... | gstreamer1-plugins-vorbis
more detail |
2024-12-02 | VuXML ID 8b6e97a9-804e-4366-9f75-d102b22a716d
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-11110.
more... | electron33
more detail |
2024-12-02 | VuXML ID f0d33375-b0e0-11ef-a724-b42e991fc52e
security@zabbix.com reports:
A non-admin user account on the Zabbix frontend with the default
User role, or with any other role that gives API access can exploit
this vulnerability. An SQLi exists in the CUser class in the
addRelatedObjects function, this function is being called from the
CUser.get function which is available for every user who has API
access.
more... | zabbix6-frontend zabbix64-frontend zabbix7-frontend
more detail |
2024-11-29 | VuXML ID c5dafd73-adfd-11ef-af27-00e081b7aa2d
Jenkins Security Advisory:
Description
(High) SECURITY-3463 / CVE-2024-47855
Denial of service vulnerability in bundled json-lib
more... | jenkins jenkins-lts
more detail |
2024-11-27 | VuXML ID 2263ea04-ac81-11ef-998c-2cf05da270f3
Gitlab reports:
Privilege Escalation via LFS Tokens
DoS through uncontrolled resource consumption when viewing a maliciously crafted cargo.toml file
Unintended Access to Usage Data via Scoped Tokens
Gitlab DOS via Harbor registry integration
Resource exhaustion and denial of service with test_report API calls
Streaming endpoint did not invalidate tokens after revocation
more... | gitlab-ce gitlab-ee
more detail |
2024-11-25 | VuXML ID 7d7a28cd-7f5a-450a-852f-c49aaab3fa7e
Keycloak reports:
This update includes 5 security fixes:
- CVE-2024-10451: Sensitive Data Exposure in Keycloak Build Process
- CVE-2024-10270: Potential Denial of Service
- CVE-2024-10492: Keycloak path traversal
- CVE-2024-9666: Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
- CVE-2024-10039: Bypassing mTLS validation
more... | keycloak
more detail |
2024-11-25 | VuXML ID 9dfca0cd-ab09-11ef-8c1c-a8a1599412c6
Chrome Releases reports:
This update includes 3 security fixes:
- [377384894] High CVE-2024-11395: Type Confusion in V8. Reported by Anonymous on 2024-11-05
more... | chromium ungoogled-chromium
more detail |
2024-11-23 | VuXML ID 889eddee-a964-11ef-b680-4ccc6adda413
Qt qtwebengine-chromium repo reports:
Backports for 16 security bugs in Chromium:
- CVE-2024-9120: Use after free in Dawn
- CVE-2024-9122: Type Confusion in V8
- CVE-2024-9123: Integer overflow in Skia
- CVE-2024-9369: Insufficient data validation in Mojo
- CVE-2024-9602: Type confusion in V8
- CVE-2024-9603: Type confusion in V8
- CVE-2024-9965: Insufficient data validation in DevTools
- CVE-2024-9966: Inappropriate implementation in Navigations
- CVE-2024-10229: Inappropriate implementation in Extensions
- CVE-2024-10230: Type confusion in V8
- CVE-2024-10231: Type confusion in V8
- CVE-2024-10487: Out of bounds write in Dawn
- CVE-2024-10827: Use after free in Serial
- CVE-2024-45490: Negative length in libexpat
- CVE-2024-45491: Integer overflow in libexpat
- CVE-2024-45492: Integer overflow in libexpat
more... | qt6-webengine
more detail |
2024-11-22 | VuXML ID 16e472d5-a8aa-11ef-b680-4ccc6adda413
Qt qtwebengine-chromium repo reports:
Backports for 1 security bug in Chromium:
- CVE-2024-10827: Use after free in Serial
more... | qt5-webengine
more detail |
2024-11-19 | VuXML ID 141f2a22-a6a7-11ef-b282-0c9d92850f7a
The X.Org project reports:
- CVE-2024-9632: Heap-based buffer overflow privilege escalation
in _XkbSetCompatMap
The _XkbSetCompatMap() function attempts to resize
the `sym_interpret` buffer.
However, it didn't update its size properly.
It updated `num_si` only, without updating `size_si`.
This may lead to local privilege escalation if the
server is run as root or remote code execution
(e.g. x11 over ssh).
more... | xorg-server xwayland
more detail |
2024-11-18 | VuXML ID efd4537e-a5e8-11ef-bedb-180373b66b37
The Vaultwarden project reports:
This release further fixed some CVE Reports reported by a third
party security auditor and we recommend everybody to update to the
latest version as soon as possible.
more... | vaultwarden
more detail |
2024-11-17 | VuXML ID 28ffa931-a510-11ef-8109-b42e991fc52e
cna@mongodb.com reports:
An authorized user may trigger crashes or receive the contents of
buffer over-reads of Server memory by issuing specially crafted
requests that construct malformed BSON in the MongoDB Server.
more... | mongodb50 mongodb60 mongodb70 mongodb80
more detail |
2024-11-16* | VuXML ID 773e7eb2-af19-4fc7-be7f-0f6a2523b98b
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-10827.
- Security: backported fix for CVE-2024-11110.
more... | electron31 electron32
more detail |
2024-11-16 | VuXML ID 8fe4f296-a3ec-11ef-8c1c-a8a1599412c6
Chrome Releases reports:
This update includes 12 security fixes:
- [373263969] High CVE-2024-11110: Inappropriate implementation in Blink. Reported by Vsevolod Kokorin (Slonser) of Solidlab on 2024-10-14
- [360520331] Medium CVE-2024-11111: Inappropriate implementation in Autofill. Reported by Narendra Bhati, Suma Soft Pvt. Ltd - Pune (India) on 2024-08-18
- [354824998] Medium CVE-2024-11112: Use after free in Media. Reported by Nan Wang(@eternalsakura13) and Zhenghang Xiao(@Kipreyyy) of 360 Vulnerability Research Institute on 2024-07-23
- [360274917] Medium CVE-2024-11113: Use after free in Accessibility. Reported by Weipeng Jiang (@Krace) of VRI on 2024-08-16
- [370856871] Medium CVE-2024-11114: Inappropriate implementation in Views. Reported by Micky on 2024-10-02
- [371929521] Medium CVE-2024-11115: Insufficient policy enforcement in Navigation. Reported by mastersplinter on 2024-10-07
- [40942531] Medium CVE-2024-11116: Inappropriate implementation in Paint. Reported by Thomas Orlita on 2023-11-14
- [40062534] Low CVE-2024-11117: Inappropriate implementation in FileSystem. Reported by Ameen Basha M K on 2023-01-06
more... | chromium ungoogled-chromium
more detail |
2024-11-16 | VuXML ID aba28514-a414-11ef-98e7-84a93843eb75
The Vaultwarden project reports:
This release has fixed some CVE Reports reported by a third party
security auditor and we recommend everybody to update to the
latest version as soon as possible.
more... | vaultwarden
more detail |
2024-11-14 | VuXML ID 12e3feab-a29f-11ef-af48-6cc21735f730
PostgreSQL project reports:
Incorrect privilege assignment in PostgreSQL allows a
less-privileged application user to view or change
different rows from those intended. An attack requires
the application to use SET ROLE, SET SESSION
AUTHORIZATION, or an equivalent feature. The problem
arises when an application query uses parameters from
the attacker or conveys query results to the attacker.
If that query reacts to current_setting('role') or the
current user ID, it may modify or return data as though
the session had not used SET ROLE or SET SESSION
AUTHORIZATION. The attacker does not control which
incorrect user ID applies. Query text from
less-privileged sources is not a concern here, because
SET ROLE and SET SESSION AUTHORIZATION are not sandboxes
for unvetted queries.
more... | postgresql12-server postgresql13-server postgresql14-server postgresql15-server postgresql16-server postgresql17-server
more detail |
2024-11-14 | VuXML ID 1eb4d32c-a245-11ef-998c-2cf05da270f3
Gitlab reports:
Unauthorized access to Kubernetes cluster agent
Device OAuth flow allows for cross window forgery
Denial of Service by importing malicious crafted FogBugz import payload
Stored XSS through javascript URL in Analytics dashboards
HTML injection in vulnerability Code flow could lead to XSS on self hosted instances
Information disclosure through an API endpoint
more... | gitlab-ce gitlab-ee
more detail |
2024-11-14 | VuXML ID 3831292b-a29d-11ef-af48-6cc21735f730
PostgreSQL project reports:
Incomplete tracking in PostgreSQL of tables with row
security allows a reused query to view or change
different rows from those intended. CVE-2023-2455 and
CVE-2016-2193 fixed most interaction between row
security and user ID changes. They missed cases where a
subquery, WITH query, security invoker view, or
SQL-language function references a table with a
row-level security policy. This has the same
consequences as the two earlier CVEs. That is to say, it
leads to potentially incorrect policies being applied in
cases where role-specific policies are used and a given
query is planned under one role and then executed under
other roles. This scenario can happen under security
definer functions or when a common user and query is
planned initially and then re-used across multiple SET
ROLEs.
Applying an incorrect policy may permit a user to complete
otherwise-forbidden reads and modifications. This affects only databases
that have used CREATE POLICY to define a row security policy. An
attacker must tailor an attack to a particular application's pattern of
query plan reuse, user ID changes, and role-specific row security
policies.
more... | postgresql12-server postgresql13-server postgresql14-server postgresql15-server postgresql16-server postgresql17-server
more detail |
2024-11-14 | VuXML ID 6b591e05-971c-4077-8ae4-1310554971b7
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-10231.
- Security: backported fix for CVE-2024-10229.
- Security: backported fix for CVE-2024-10487.
more... | electron31
more detail |
2024-11-14 | VuXML ID a03636f4-a29f-11ef-af48-6cc21735f730
PostgreSQL project reports:
Incorrect control of environment variables in PostgreSQL
PL/Perl allows an unprivileged database user to change
sensitive process environment variables (e.g. PATH).
That often suffices to enable arbitrary code execution,
even if the attacker lacks a database server operating
system user.
more... | postgresql12-plperl postgresql13-plperl postgresql14-plperl postgresql15-plperl postgresql16-plperl postgresql17-plperl
more detail |
2024-11-14 | VuXML ID a61ef21b-a29e-11ef-af48-6cc21735f730
PostgreSQL project reports:
Client use of server error message in PostgreSQL allows
a server not trusted under current SSL or GSS settings
to furnish arbitrary non-NUL bytes to the libpq
application. For example, a man-in-the-middle attacker
could send a long error message that a human or
screen-scraper user of psql mistakes for valid query
results. This is probably not a concern for clients
where the user interface unambiguously indicates the
boundary between one error message and other text.
more... | postgresql12-client postgresql13-client postgresql14-client postgresql15-client postgresql16-client postgresql17-client
more detail |
2024-11-13 | VuXML ID 8caa5d60-a174-11ef-9a62-002590c1f29c
Problem Description:
The command ctl_persistent_reserve_out allows the caller to
specify an arbitrary size which will be passed to the kernel's
memory allocator.
Impact:
A malicious guest could cause a Denial of Service (DoS) on the
host.
more... | FreeBSD-kernel
more detail |
2024-11-13 | VuXML ID ce0f52e1-a174-11ef-9a62-002590c1f29c
Problem Description:
The fetch(3) library uses environment variables for passing
certain information, including the revocation file pathname. The
environment variable name used by fetch(1) to pass the filename to
the library was incorrect, in effect ignoring the option.
Impact:
Fetch would still connect to a host presenting a certificate
included in the revocation file passed to the --crl option.
more... | FreeBSD
more detail |
2024-11-13 | VuXML ID eb5c615d-a173-11ef-9a62-002590c1f29c
Problem Description:
Several vulnerabilities were found in the bhyve hypervisor's
device models.
The NVMe driver function nvme_opc_get_log_page is vulnerable to a
buffer over-read from a guest-controlled value. (CVE-2024-51562)
The virtio_vq_recordon function is subject to a time-of-check to
time-of-use (TOCTOU) race condition. (CVE-2024-51563)
A guest can trigger an infinite loop in the hda audio driver.
(CVE-2024-51564)
The hda driver is vulnerable to a buffer over-read from a
guest-controlled value. (CVE-2024-51565)
The NVMe driver queue processing is vulnerable to guest-induced
infinite loops. (CVE-2024-51566)
Impact:
Malicious guest virtual machines may be able to perform a denial
of service (DoS) of the bhyve host, and may read memory within the
bhyve process that they should not be able to access.
more... | FreeBSD
more detail |
2024-11-12 | VuXML ID 0a82bc4d-a129-11ef-8351-589cfc0f81b0
The Icinga project reports:
Icinga is a monitoring system which checks the availability of
network resources, notifies users of outages, and generates performance
data for reporting. The TLS certificate validation in all Icinga
2 versions starting from 2.4.0 was flawed, allowing an attacker to
impersonate both trusted cluster nodes as well as any API users
that use TLS client certificates for authentication (ApiUser objects
with the client_cn attribute set). This vulnerability has been
fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.
more... | icinga2
more detail |
2024-11-12 | VuXML ID 574f7bc9-a141-11ef-84e9-901b0e9408dc
matrix-js-sdk upstream reports:
matrix-js-sdk before 34.11.0 is vulnerable to client-side
path traversal via crafted MXC URIs. A malicious room member
can trigger clients based on the matrix-js-sdk to issue
arbitrary authenticated GET requests to the client's
homeserver.
more... | cinny element-web
more detail |
2024-11-12 | VuXML ID ab4e6f65-a142-11ef-84e9-901b0e9408dc
Element team reports:
Versions of Element Web and Desktop earlier than 1.11.85 do
not check if thumbnails for attachments, stickers and images
are coherent. It is possible to add thumbnails to events that
trigger a file download once clicked.
A malicious homeserver can send invalid messages over
federation which can prevent Element Web and Desktop from
rendering single messages or the entire room containing
them.
more... | element-web
more detail |
2024-11-12* | VuXML ID d5026193-6fa2-11ef-99bc-1c697a616631
Intel reports:
A potential security vulnerability in the Running Average Power Limit
(RAPL) interface for some Intel Processors may allow information
disclosure. Intel has released firmware updates to mitigate this
potential vulnerability.
A potential security vulnerability in some Intel Processors may allow
denial of service. Intel has released firmware updates to mitigate
this potential vulnerability.
more... | cpu-microcode-intel
more detail |
2024-11-08 | VuXML ID 305ceb2c-9df8-11ef-a660-d85ed309193e
cve@mitre.org reports:
scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls,
which allows access by actors other than the current user.
more... | x11vnc
more detail |
2024-11-08 | VuXML ID 96266fc9-1200-43b5-8393-4c51f54bb7bc
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-10230.
- Security: backported fix for CVE-2024-10231.
- Security: backported fix for CVE-2024-10229.
- Security: backported fix for CVE-2024-10487.
more... | electron32
more detail |
2024-11-08 | VuXML ID adffe51e-9df5-11ef-a660-d85ed309193e
cve@mitre.org reports:
Lrzsz has an integer overflow vulnerability in the
src/zm.c:zsdata() function. An attacker could exploit this with
the sz command to cause a crash or potentially leak information
to the receiving server.
more... | lrzsz
more detail |
2024-11-07 | VuXML ID d48a2224-9b4c-11ef-bdd9-4ccc6adda413
Qingpeng Du reports:
A series of specially crafted client requests during streaming setup
(post client authentication, if any) can cause the RTSP server library
to abort, if it has been compiled with assertions enabled.
more... | gstreamer1-rtsp-server
more detail |
2024-11-06 | VuXML ID ab254c9d-9c36-11ef-8c1c-a8a1599412c6
Chrome Releases reports:
This update includes 2 security fixes:
- [370217726] High CVE-2024-10826: Use after free in Family Experiences. Reported by Anonymous on 2024-09-29
- [375065084] High CVE-2024-10827: Use after free in Serial. Reported by Anonymous on 2024-10-23
more... | chromium ungoogled-chromium
more detail |
2024-11-04 | VuXML ID ecf9a798-9aa9-11ef-a8f0-a8a15998b5cb
cve@mitre.org reports:
log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via
long log messages because the header size is not considered.
more... | libqb
more detail |
2024-11-02 | VuXML ID e17384ef-c5e8-4b5d-bb62-c13405e7f1f7
Chrome Releases reports:
This update includes 2 security fixes:
- [375123371] Critical CVE-2024-10487: Out of bounds write in Dawn. Reported by Apple Security Engineering and Architecture (SEAR) on 2024-10-23
- [374310077] High CVE-2024-10488: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2024-10-18
more... | chromium ungoogled-chromium
more detail |
2024-10-31 | VuXML ID 3092668e-97e4-11ef-bdd9-4ccc6adda413
Backports for 15 security bugs in Chromium:
- CVE-2024-4761: Out of bounds write in V8
- CVE-2024-5158: Type confusion in V8
- CVE-2024-7532: Out of bounds memory access in ANGLE
- CVE-2024-7965: Inappropriate implementation in V8
- CVE-2024-7967: Heap buffer overflow in Fonts
- CVE-2024-7971: Type confusion in V8
- CVE-2024-8198: Heap buffer overflow in Skia
- CVE-2024-8636: Heap buffer overflow in Skia
- CVE-2024-9123: Integer overflow in Skia
- CVE-2024-9602: Type confusion in V8
- CVE-2024-9603: Type confusion in V8
- CVE-2024-10229: Inappropriate implementation in Extensions
- CVE-2024-45490: Negative length in libexpat
- CVE-2024-45491: Integer overflow in libexpat
- CVE-2024-45492: Integer overflow in libexpat
more... | qt5-webengine
more detail |
2024-10-31 | VuXML ID fd538d14-5778-4764-b321-2ddd61a8a58f
Red Hat reports:
A vulnerability was found in Apache Sling Commons Messaging
Mail (angus-mail), which provides a simple interface for sending
emails via SMTPS in OSGi. It does not offer an option to enable
server identity checks, leaving connections vulnerable to
"man-in-the-middle" attacks and allowing insecure email
communication.
more... | keycloak
more detail |
2024-10-30 | VuXML ID b73d1f2a-96de-11ef-9e71-00d8612f03c8
security@mozilla.org reports:
When manipulating the selection node cache, an attacker may have
been able to cause unexpected behavior, potentially leading to an
exploitable crash. This vulnerability affects Firefox < 131.0.3.
more... | librewolf
more detail |
2024-10-29 | VuXML ID 4b3a8e7d-9372-11ef-87ad-a8a15998b5cb
cve@mitre.org reports:
An issue was discovered in open-mpi hwloc 2.1.0 that allows attackers
to cause a denial of service or other unspecified impacts via
glibc-cpuset in topology-linux.c.
more... | hwloc2
more detail |
2024-10-29 | VuXML ID f07c8f87-8e65-11ef-81b8-659bf0027d16
Problem Description:
- Forgejo generates a token which is used to authenticate web
endpoints that are only meant to be used internally, for instance
when the SSH daemon is used to push a commit with Git. The
verification of this token was not done in constant time and was
susceptible to timing attacks. A pre-condition for such an attack is
the precise measurements of the time for each operation. Since it
requires observing the timing of network operations, the issue is
mitigated when a Forgejo instance is accessed over the internet
because the ISP introduces unpredictable random delays.
- Because of a missing permission check, the branch used to propose
a pull request to a repository can always be deleted by the user
performing the merge. It was fixed so that such a deletion is only
allowed if the user performing the merge has write permission to the
repository from which the pull request was made.
more... | forgejo forgejo7
more detail |
2024-10-26 | VuXML ID 1e71e366-080b-4e8f-a9e6-150bf698186b
Chrome Releases reports:
This update includes 17 security fixes:
- [367755363] High CVE-2024-9954: Use after free in AI. Reported by DarkNavy on 2024-09-18
- [370133761] Medium CVE-2024-9955: Use after free in Web Authentication. Reported by anonymous on 2024-09-29
- [370482421] Medium CVE-2024-9956: Inappropriate implementation in Web Authentication. Reported by mastersplinter on 2024-09-30
- [358151317] Medium CVE-2024-9957: Use after free in UI. Reported by lime(@limeSec_) and fmyy(@binary_fmyy) From TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-08-08
- [40076120] Medium CVE-2024-9958: Inappropriate implementation in PictureInPicture. Reported by Lyra Rebane (rebane2001) on 2023-11-02
- [368672129] Medium CVE-2024-9959: Use after free in DevTools. Reported by Sakana.S on 2024-09-21
- [354748063] Medium CVE-2024-9960: Use after free in Dawn. Reported by Anonymous on 2024-07-23
- [357776197] Medium CVE-2024-9961: Use after free in Parcel Tracking. Reported by lime(@limeSec_) and fmyy(@binary_fmyy) From TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-08-06
- [364508693] Medium CVE-2024-9962: Inappropriate implementation in Permissions. Reported by Shaheen Fazim on 2024-09-04
- [328278718] Medium CVE-2024-9963: Insufficient data validation in Downloads. Reported by Anonymous on 2024-03-06
- [361711121] Low CVE-2024-9964: Inappropriate implementation in Payments. Reported by Hafiizh on 2024-08-23
- [352651673] Low CVE-2024-9965: Insufficient data validation in DevTools. Reported by Shaheen Fazim on 2024-07-12
- [364773822] Low CVE-2024-9966: Inappropriate implementation in Navigations. Reported by Harry Chen on 2024-09-05
more... | chromium ungoogled-chromium
more detail |
2024-10-26 | VuXML ID 3152a474-9390-11ef-87ad-a8a15998b5cb
cve@mitre.org reports:
CVE-2021-42612: A use after free in cleanup_index in index.c in Halibut 1.2 allows
an attacker to cause a segmentation fault or possibly have other
unspecified impact via a crafted text document.
CVE-2021-42613: A double free in cleanup_index in index.c in Halibut 1.2 allows an
attacker to cause a denial of service or possibly have other
unspecified impact via a crafted text document.
CVE-2021-42614: A use after free in info_width_internal in bk_info.c in Halibut 1.2
allows an attacker to cause a segmentation fault or possibly have
unspecified other impact via a crafted text document.
more... | halibut
more detail |
2024-10-26 | VuXML ID 70cf37c8-939b-11ef-87ad-a8a15998b5cb
cve@mitre.org reports:
CVE-2017-6307: An issue was discovered in tnef before
1.4.13. Two OOB Writes have been identified in
src/mapi_attr.c:mapi_attr_read(). These might lead to
invalid read and write operations, controlled by an
attacker.
CVE-2017-6308: An issue was discovered in tnef before
1.4.13. Several Integer Overflows, which can lead to Heap
Overflows, have been identified in the functions that wrap
memory allocation.
CVE-2017-6309: An issue was discovered in tnef before
1.4.13. Two type confusions have been identified in the
parse_file() function. These might lead to invalid read and
write operations, controlled by an attacker.
CVE-2017-6310: An issue was discovered in tnef before
1.4.13. Four type confusions have been identified in the
file_add_mapi_attrs() function. These might lead to invalid
read and write operations, controlled by an attacker.
more... | tnef
more detail |
2024-10-26 | VuXML ID 776aaafc-939f-11ef-87ad-a8a15998b5cb
cve@mitre.org reports:
In tnef before 1.4.18, an attacker may be able to write to the
victim's .ssh/authorized_keys file via an e-mail message with
a crafted winmail.dat application/ms-tnef attachment, because of a
heap-based buffer over-read involving strdup.
more... | tnef
more detail |
2024-10-26 | VuXML ID fafaef4d-f364-4a07-bbdd-bf53448c593c
Chrome Releases reports:
This update includes 3 security fixes:
- [371011220] High CVE-2024-10229: Inappropriate implementation in Extensions. Reported by Vsevolod Kokorin (Slonser) of Solidlab on 2024-10-02
- [371565065] High CVE-2024-10230: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-10-05
- [372269618] High CVE-2024-10231: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-10-09
more... | chromium ungoogled-chromium
more detail |
2024-10-24 | VuXML ID 78e6c113-91c1-11ef-a904-2cf05da270f3
Gitlab reports:
HTML injection in Global Search may lead to XSS
DoS via XML manifest file import
more... | gitlab-ce gitlab-ee
more detail |
2024-10-24 | VuXML ID fcb0e00f-d7d3-49b6-a4a1-852528230912
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-9121.
- Security: backported fix for CVE-2024-9122.
- Security: backported fix for CVE-2024-7025.
- Security: backported fix for CVE-2024-9369.
- Security: backported fix for CVE-2024-7965.
- Security: backported fix for CVE-2024-7966.
- Security: backported fix for CVE-2024-7967.
- Security: backported fix for CVE-2024-8198.
- Security: backported fix for CVE-2024-8193.
- Security: backported fix for CVE-2024-7969.
- Security: backported fix for CVE-2024-7970.
- Security: backported fix for CVE-2024-8362.
- Security: backported fix for CVE-2024-8636.
- Security: backported fix for CVE-2024-9123.
- Security: backported fix for CVE-2024-9120.
more... | electron31
more detail |
2024-10-23 | VuXML ID cc068959-ce2b-42eb-81ed-055551fe0e51
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-7966.
- Security: backported fix for CVE-2024-9370.
more... | electron32
more detail |
2024-10-19 | VuXML ID c6f4177c-8e29-11ef-98e7-84a93843eb75
The OpenSSL project reports:
Low-level invalid GF(2^m) parameters lead to OOB memory access
(CVE-2024-9143) (Low)
Use of the low-level GF(2^m) elliptic curve APIs with untrusted
explicit values for the field polynomial can lead to out-of-bounds
memory reads or writes.
more... | openssl openssl-quictls openssl31 openssl31-quictls openssl32 openssl33
more detail |
2024-10-18 | VuXML ID 815bf172-ab9e-4c4b-9662-d18b0054330d
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-9602.
- Security: backported fix for CVE-2024-9603.
more... | electron31 electron32
more detail |
2024-10-18 | VuXML ID dbe8c5bd-8d3f-11ef-8d2e-a04a5edf46d9
The oauth2-proxy project reports:
Vulnerabilities have been addressed:
- CVE-2024-24786
- CVE-2024-24791
- CVE-2024-24790
- CVE-2024-24784
- CVE-2024-28180
- CVE-2023-45288
more... | oauth2-proxy
more detail |
2024-10-15 | VuXML ID 851ce3e4-8b03-11ef-84e9-901b0e9408dc
Element team reports:
Element Web versions 1.11.70 through 1.11.80 contain a
vulnerability which can, under specially crafted conditions,
lead to the access token becoming exposed to third
parties. At least one vector has been identified internally,
involving malicious widgets, but other vectors may
exist. Users are strongly advised to upgrade to version
1.11.81 to remediate the issue.
more... | element-web
more detail |
2024-10-11 | VuXML ID 64e299b6-d12b-4a7a-a94f-ab133703925a
VSCode developers report:
Visual Studio Code for Linux Remote Code Execution Vulnerability
A remote code execution vulnerability exists in VS Code 1.94.0 and earlier versions in the elevated save flow.
more... | vscode
more detail |
2024-10-10 | VuXML ID 2fb13238-872d-11ef-bd1e-b42e991fc52e
security@mozilla.org reports:
An attacker was able to achieve code execution in the
content process by exploiting a use-after-free in Animation
timelines. We have had reports of this vulnerability being
exploited in the wild.
more... | firefox firefox-esr
more detail |
2024-10-10 | VuXML ID cc1ac01e-86b0-11ef-9369-2cf05da270f3
Gitlab reports:
Run pipelines on arbitrary branches
An attacker can impersonate an arbitrary user
SSRF in Analytics Dashboard
Viewing diffs of MR with conflicts can be slow
HTMLi in OAuth page
Deploy Keys can push changes to an archived repository
Guests can disclose project templates
GitLab instance version disclosed to unauthorized users
more... | gitlab-ce gitlab-ee
more detail |
2024-10-09 | VuXML ID 7217f6e8-3ff4-4387-845d-d1744bb7f95e
Chrome Releases reports:
This update includes 3 security fixes:
- [368241697] High CVE-2024-9602: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-09-20
- [367818758] High CVE-2024-9603: Type Confusion in V8. Reported by @WeShotTheMoon and @Nguyen Hoang Thach of starlabs on 2024-09-18
more... | chromium ungoogled-chromium
more detail |
2024-10-09 | VuXML ID 79b1f4ee-860a-11ef-b2dc-cbccbf25b7ea
Problem Description:
- Fix bug when a token is given public only
more... | gitea
more detail |
2024-10-09 | VuXML ID 83117378-f773-4617-bf74-477d569dcd74
Chrome Releases reports:
This update includes 4 security fixes:
- [367764861] High CVE-2024-7025: Integer overflow in Layout. Reported by Tashita Software Security on 2024-09-18
- [368208152] High CVE-2024-9369: Insufficient data validation in Mojo. Reported by Xiantong Hou and Pisanbao of Wuheng Lab on 2024-09-19
- [368311899] High CVE-2024-9370: Inappropriate implementation in V8. Reported by Nguyễn Hoàng Thạch, Đỗ Minh Tuấn, and Wu JinLin of STAR Labs SG Pte. Ltd. on 2024-09-19
more... | chromium ungoogled-chromium
more detail |
2024-10-09 | VuXML ID 8727b513-855b-11ef-9e50-6805ca2fa271
PowerDNS Team reports:
PowerDNS Security Advisory 2024-04: Crafted responses can lead to
a denial of service due to cache inefficiencies in the Recursor
more... | powerdns-recursor
more detail |
2024-10-06 | VuXML ID 2368755b-83f6-11ef-8d2e-a04a5edf46d9
NLnet labs report:
A vulnerability has been discovered in Unbound when handling
replies with very large RRsets that Unbound needs to perform name
compression for.
Malicious upstream responses with very large RRsets can cause
Unbound to spend a considerable time applying name compression to
downstream replies. This can lead to degraded performance and
eventually denial of service in well orchestrated attacks.
Unbound version 1.21.1 introduces a hard limit on the number of
name compression calculations it is willing to do per packet.
Packets that need more compression will result in semi-compressed
packets or truncated packets, even on TCP for huge messages, to
avoid locking the CPU for long.
This change should not affect normal DNS traffic.
more... | unbound
more detail |
2024-10-05 | VuXML ID fe7031d3-3000-4b43-9fa6-52c2b624b8f9
Tim Wojtulewicz of Corelight reports:
Adding to the POP3 hardening in 7.0.2, the parser now
simply discards too many pending commands, rather than
attempting to process them. Further, invalid server
responses do not result in command completion anymore.
Processing out-of-order commands or finishing commands
based on invalid server responses could result in
inconsistent analyzer state, potentially triggering null
pointer references for crafted traffic.
more... | zeek
more detail |
2024-10-03 | VuXML ID 0417d41a-8175-11ef-a5dc-b42e991fc52e
security@mozilla.org reports:
- CVE-2024-9392: A compromised content process could have
allowed for the arbitrary loading of cross-origin pages.
- CVE-2024-9396: It is currently unknown if this issue is
exploitable but a condition may arise where the structured
clone of certain objects could lead to memory corruption.
- CVE-2024-9400: A potential memory corruption vulnerability
could be triggered if an attacker had the ability to trigger
an OOM at a specific moment during JIT compilation.
- CVE-2024-9401: Memory safety bugs present in Firefox 130,
Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2.
Some of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have been
exploited to run arbitrary code.
- CVE-2024-9402: Memory safety bugs present in Firefox 130,
Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs
showed evidence of memory corruption and we presume that with
enough effort some of these could have been exploited to run
arbitrary code.
- CVE-2024-9403: Memory safety bugs present in Firefox 130.
Some of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have been
exploited to run arbitrary code.
more... | firefox firefox-esr thunderbird
more detail |
2024-10-03 | VuXML ID 3c6f8270-3210-4e2f-ba72-a9cdca7417a0
Jenkins Security Advisory:
(Medium) SECURITY-3451 / CVE-2024-47803: Exposure of multi-line secrets through error messages in Jenkins
(Medium) SECURITY-3448 / CVE-2024-47804: Item creation restriction bypass vulnerability in Jenkins
more... | jenkins jenkins-lts
more detail |
2024-10-02* | VuXML ID 24375796-7cbc-11ef-a3a9-001cc0382b2f
OpenPrinting reports:
Due to the service binding to *:631 ( INADDR_ANY ), multiple bugs
in cups-browsed can be exploited in sequence to introduce a
malicious printer to the system. This chain of exploits ultimately
enables an attacker to execute arbitrary commands remotely on the
target machine without authentication when a print job is started,
posing a significant security risk over the network. Notably, this
vulnerability is particularly concerning as it can be exploited
from the public internet, potentially exposing a vast number of
systems to remote attacks if their CUPS services are enabled.
The vulnerability allows an attacker on the internet to create a
new printer device with arbitrary commands in the PPD file of the
printer. Attacks using mDNS on the local network can also replace an
existing printer. The commands are executed when a user attempts to
print on the malicious device. They run with the privileges of the
user "cups".
It is recommended to disable the cups_browsed service until patches
become available. On FreeBSD this is the default. You can check the
status and disable the service with the following commands:
# service cups_browsed status
# service cups_browsed stop
# service cups_browsed disable
If you choose to leave the service enabled, attacks from the
internet can be blocked by removing the "cups" protocol from the
BrowseRemoteProtocols and BrowseProtocols directives in
/usr/local/etc/cups/cups-browsed.conf. Attacks using mDNS can be
blocked by removing the "dnssd" protocol as well. Access can be
limited to specific IP addresses using BrowseAllow, BrowseDeny, and
BrowseOrder directives as documented in cups-browsed.conf(5). Then
restart the service with the following command:
# service cups_browsed restart
more... | cups cups-filters
more detail |
2024-10-02 | VuXML ID 8b20f21a-8113-11ef-b988-08002784c58d
Redis core team reports:
- CVE-2024-31449: Lua library commands may lead to stack overflow and potential RCE.
- CVE-2024-31227: Potential Denial-of-service due to malformed ACL selectors.
- CVE-2024-31228: Potential Denial-of-service due to unbounded pattern matching.
more... | redis redis62 redis72 valkey
more detail |
2024-09-30 | VuXML ID 2f82696c-adad-447b-9938-c99441805fa3
Chrome Releases reports:
This update includes 5 security fixes:
- [365254285] High CVE-2024-9120: Use after free in Dawn. Reported by Anonymous on 2024-09-08
- [363538434] High CVE-2024-9121: Inappropriate implementation in V8. Reported by Tashita Software Security on 2024-09-01
- [365802567] High CVE-2024-9122: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-09-10
- [365884464] High CVE-2024-9123: Integer overflow in Skia. Reported by raven at KunLun lab on 2024-09-11
more... | chromium ungoogled-chromium
more detail |
2024-09-30 | VuXML ID f9cfdb00-7f43-11ef-9b27-592d55dd336d
NIST reports:
Slixmpp before 1.8.3 lacks SSL Certificate hostname validation in XMLStream,
allowing an attacker to pose as any server in the eyes of Slixmpp.
more... | py310-slixmpp py311-slixmpp py38-slixmpp py39-slixmpp
more detail |
2024-09-30 | VuXML ID fe5c1e7a-7eed-11ef-9533-f875a43e1796
php.net reports:
- CVE-2024-8926: CGI: Fixed bug GHSA-9pqp-7h25-4f32 (Bypass of CVE-2024-4577, Parameter Injection Vulnerability).
- CVE-2024-8927: CGI: Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is bypassable due to the environment variable collision).
- CVE-2024-9026: FPM: Fixed bug GHSA-865w-9rf3-2wh5 (Logs from children may be altered).
- CVE-2024-8925: SAPI: Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data).
more... | php81 php82 php83
more detail |
2024-09-29 | VuXML ID 42ec2207-7e85-11ef-89a4-b42e991fc52e
secalert@redhat.com reports:
A heap use-after-free issue has been identified in SQLite in the
jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a
local attacker to leverage a victim to pass specially crafted
malicious input to the application, potentially causing a crash and
leading to a denial of service.
more... | linux-c7-sqlite linux-rl9-sqlite sqlite3
more detail |
2024-09-26 | VuXML ID 4b7ed61f-7bbf-11ef-9369-2cf05da270f3
Gitlab reports:
Maintainer can leak Dependency Proxy password by changing Dependency Proxy URL via crafted POST request
AI feature reads unsanitized content, allowing for attacker to hide prompt injection
Project reference can be exposed in system notes
more... | gitlab-ce gitlab-ee
more detail |
2024-09-24 | VuXML ID 802961eb-7a89-11ef-bdd7-a0423f48a938
cve@mitre.org reports:
An issue was discovered in FRRouting (FRR). bgp_attr_encap
in bgpd/bgp_attr.c does not check the actual remaining stream length
before taking the TLV value.
more... | frr8 frr9
more detail |
2024-09-24 | VuXML ID ca5f3bbc-7a62-11ef-9533-f875a43e1796
libexpat reports:
- CVE-2024-45490: Calling function XML_ParseBuffer with
len < 0 without noticing and then calling XML_GetBuffer
will have XML_ParseBuffer fail to recognize the problem
and XML_GetBuffer corrupt memory.
With the fix, XML_ParseBuffer now complains with error
XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
has been doing since Expat 2.2.1, and now documented.
Impact is denial of service to potentially arbitrary code
execution.
- CVE-2024-45491: Internal function dtdCopy can have an
integer overflow for nDefaultAtts on 32-bit platforms
(where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially arbitrary code
execution.
- CVE-2024-45492: Internal function nextScaffoldPart can
have an integer overflow for m_groupSize on 32-bit
platforms (where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially arbitrary code
execution.
more... | expat
more detail |
2024-09-24 | VuXML ID d47b7ae7-fe1d-4f7f-919a-480ca8035f00
Tim Wojtulewicz of Corelight reports:
The POP3 parser has been hardened to avoid unbounded
state growth in the face of one-sided traffic capture or
when enabled for non-POP3 traffic.
more... | zeek
more detail |
2024-09-20 | VuXML ID 1febd09b-7716-11ef-9a62-002590c1f29c
Problem Description:
bhyve can be configured to emulate devices on a virtual USB
controller (XHCI), such as USB tablet devices. An insufficient
boundary validation in the USB code could lead to an out-of-bounds read
on the heap, which could potentially lead to an arbitrary write and
remote code execution.
Impact:
Malicious, privileged software running in a guest VM can exploit
the vulnerability to crash the hypervisor process or potentially achieve
code execution on the host in the bhyve userspace process, which
typically runs as root. Note that bhyve runs in a Capsicum sandbox, so
malicious code is constrained by the capabilities available to the bhyve
process.
more... | FreeBSD
more detail |
2024-09-20* | VuXML ID 58750d49-7302-11ef-8c95-195d300202b3
The FreeBSD Project reports:
A signal handler in sshd(8) may call a logging function that is not
async-signal-safe. The signal handler is invoked when a client does not
authenticate within the LoginGraceTime seconds (120 by default).
This signal handler executes in the context of sshd(8)'s privileged
code, which is not sandboxed and runs with full root privileges.
This issue is another instance of the problem in CVE-2024-6387 addressed by
FreeBSD-SA-24:04.openssh. The faulty code in this case is from the
integration of blacklistd in OpenSSH in FreeBSD.
more... | FreeBSD openssh-portable
more detail |
2024-09-20 | VuXML ID 8fb61d94-771b-11ef-9a62-002590c1f29c
Problem Description:
A logic bug in the code which disables kernel tracing for setuid
programs meant that tracing was not disabled when it should have been,
allowing unprivileged users to trace and inspect the behavior of
setuid programs.
Impact:
The bug may be used by an unprivileged user to read the contents
of files to which they would not otherwise have access, such as the
local password database.
more... | FreeBSD-kernel
more detail |
2024-09-20 | VuXML ID 93c12fe5-7716-11ef-9a62-002590c1f29c
Problem Description:
A malicious value of size in a structure of packed libnv can
cause an integer overflow, leading to the allocation of a smaller
buffer than required for the parsed data. The introduced check was
incorrect, as it took into account the size of the pointer, not the
structure. This vulnerability affects both kernel and userland.
This issue was originally intended to be addressed as part of
FreeBSD-SA-24:09.libnv, but due to a logic issue, this issue was
not properly addressed.
Impact:
It is possible for an attacker to overwrite portions of memory
(in userland or the kernel) as the allocated buffer might be smaller
than the data received from a malicious process. This vulnerability
could result in privilege escalation or cause a system panic.
more... | FreeBSD FreeBSD-kernel
more detail |
2024-09-20 | VuXML ID c02b8db5-771b-11ef-9a62-002590c1f29c
Problem Description:
When mounting a remote filesystem using NFS, the kernel did not
sanitize remotely provided filenames for the path separator character,
"/". This allows readdir(3) and related functions to return
filesystem entries with names containing additional path components.
Impact:
The lack of validation described above gives rise to a confused
deputy problem. For example, a program copying files from an NFS
mount could be tricked into copying from outside the intended source
directory, and/or to a location outside the intended destination
directory.
more... | FreeBSD-kernel
more detail |
2024-09-20 | VuXML ID f140cff0-771a-11ef-9a62-002590c1f29c
Problem Description:
In ICMPv6 Neighbor Discovery (ND), the ID is always 0. When
pf is configured to allow ND and block incoming Echo Requests, a
crafted Echo Request packet after a Neighbor Solicitation (NS) can
trigger an Echo Reply. The packet has to come from the same host
as the NS and have a zero as identifier to match the state created
by the Neighbor Discovery and allow replies to be generated.
Impact:
ICMPv6 packets with identifier value of zero bypass firewall
rules written on the assumption that the incoming packets are going
to create a state in the state table.
Note:
This advisory introduced additional issues that were addressed by
FreeBSD-EN-24:16.pf. Please refer to that erratum for additional
fixes.
more... | FreeBSD-kernel
more detail |
2024-09-20* | VuXML ID f1a00122-3797-11ef-b611-84a93843eb75
The OpenSSH project reports:
A race condition in sshd(8) could allow remote code execution as root on non-OpenBSD systems.
more... | FreeBSD openssh-portable
more detail |
2024-09-18 | VuXML ID 3e738678-7582-11ef-bece-2cf05da270f3
Gitlab reports:
SAML authentication bypass
more... | gitlab-ce gitlab-ee
more detail |
2024-09-16 | VuXML ID bd940aba-7467-11ef-a5c4-08002784c58d
Oskar reports:
SnappyMail uses the `cleanHtml()` function to cleanup HTML
and CSS in emails. Research discovered that the function
has a few bugs which cause an mXSS exploit. Because the
function allowed too many (invalid) HTML elements, it was
possible (with incorrect markup) to trick the browser to
"fix" the broken markup into valid markup. As a result a
motivated attacker may be able to inject javascript.
more... | snappymail-php81 snappymail-php82 snappymail-php83 snappymail-php84
more detail |
2024-09-13 | VuXML ID e464f777-719e-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [361461526] High CVE-2024-8636: Heap buffer overflow in Skia. Reported by Renan Rios (@hyhy_100) on 2024-08-22
- [361784548] High CVE-2024-8637: Use after free in Media Router. Reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-08-23
- [362539773] High CVE-2024-8638: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-08-28
- [362658609] High CVE-2024-8639: Use after free in Autofill. Reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-08-28
more... | chromium ungoogled-chromium
more detail |
2024-09-12 | VuXML ID bcc8b21e-7122-11ef-bece-2cf05da270f3
Gitlab reports:
Execute environment stop actions as the owner of the stop action job
Prevent code injection in Product Analytics funnels YAML
SSRF via Dependency Proxy
Denial of Service via sending a large glm_source parameter
CI_JOB_TOKEN can be used to obtain GitLab session token
Variables from settings are not overwritten by PEP if a template is included
Guests can disclose the full source code of projects using custom group-level templates
IdentitiesController allows linking of arbitrary unclaimed provider identities
Open redirect in repo/tree/:id endpoint can lead to account takeover through broken OAuth flow
Open redirect in release permanent links can lead to account takeover through broken OAuth flow
Guest user with Admin group member permission can edit custom role to gain other permissions
Exposure of protected and masked CI/CD variables by abusing on-demand DAST
Credentials disclosed when repository mirroring fails
Commit information visible through release atom endpoint for guest users
Dependency Proxy Credentials are Logged in Plaintext in graphql Logs
User Application can spoof the redirect url
Group Developers can view group runners information
more... | gitlab-ce gitlab-ee
more detail |
2024-09-10 | VuXML ID 33236f80-a11d-11ef-a964-1c697a616631
Intel reports:
A potential security vulnerability in some 4th and 5th Generation
Intel Xeon Processors may allow denial of service. Intel released
microcode updates to mitigate this potential vulnerability.
Potential security vulnerabilities in some Intel Xeon processors using
Intel Software Guard Extensions (Intel SGX) may allow escalation of
privilege. Intel released firmware updates to mitigate these
potential vulnerabilities.
more... | cpu-microcode-intel
more detail |
2024-09-09 | VuXML ID 8fbe81f7-6eb5-11ef-b7bd-00505632d232
Netatalk release reports:
WolfSSL 5.7.0 (included in netatalk) includes multiple security vulnerabilities.
more... | netatalk3
more detail |
2024-09-09 | VuXML ID 996518f3-6ef9-11ef-b01b-08002784c58d
The ClamAV project reports:
- CVE-2024-20505: A vulnerability in the PDF parsing module of Clam
AntiVirus (ClamAV) could allow an unauthenticated,
remote attacker to cause a denial of service (DoS)
condition on an affected device. The vulnerability is
due to an out of bounds read. An attacker could exploit
this vulnerability by submitting a crafted PDF file to
be scanned by ClamAV on an affected device. An exploit
could allow the attacker to terminate the scanning
process.
- CVE-2024-20506: A vulnerability in the ClamD service module of Clam
AntiVirus (ClamAV) could allow an authenticated, local
attacker to corrupt critical system files. The
vulnerability is due to allowing the ClamD process to
write to its log file while privileged without checking
if the logfile has been replaced with a symbolic
link. An attacker could exploit this vulnerability if
they replace the ClamD log file with a symlink to a
critical system file and then find a way to restart the
ClamD process. An exploit could allow the attacker to
corrupt a critical system file by appending ClamD log
messages after restart.
more... | clamav clamav-lts
more detail |
2024-09-07 | VuXML ID 3e44c35f-6cf4-11ef-b813-4ccc6adda413
Kevin Backhouse reports:
An out-of-bounds read was found in Exiv2 version v0.28.2. The vulnerability
is in the parser for the ASF video format, which was a new feature in v0.28.0,
so Exiv2 versions before v0.28 are not affected. The out-of-bounds read is
triggered when Exiv2 is used to read the metadata of a crafted video file.
more... | exiv2
more detail |
2024-09-07 | VuXML ID 7ade3c38-6d1f-11ef-ae11-b42e991fc52e
security@mozilla.org reports:
An error in the ECMA-262 specification relating to Async Generators
could have resulted in a type confusion, potentially leading to
memory corruption and an exploitable crash.
more... | firefox
more detail |
2024-09-06 | VuXML ID 943f8915-6c5d-11ef-810a-f8b46a88f42c
alster@vinterdalen.se reports PR/281070:
A new version of devel/binutils has been released fixing
CVE-2023-1972, CVE-2023-25585, CVE-2023-25586, and
CVE-2023-25588.
more... | binutils
more detail |
2024-09-06 | VuXML ID a5e13973-6c75-11ef-858b-23eeba13701a
Problem Description:
- Replace v-html with v-text in search inputbox
- Upgrade webpack to v5.94.0 as a precaution to mitigate
CVE-2024-43788, although we were not yet able to confirm that this
can be exploited in Forgejo.
more... | forgejo forgejo7
more detail |
2024-09-05* | VuXML ID 21f505f4-6a1c-11ef-b611-84a93843eb75
The OpenSSL project reports:
Possible denial of service in X.509 name checks [Moderate severity]
Applications performing certificate name checks (e.g., TLS clients
checking server certificates) may attempt to read an invalid
memory address resulting in abnormal termination of the application
process.
SSL_select_next_proto buffer overread [Low severity]
Calling the OpenSSL API function SSL_select_next_proto with an empty
supported client protocols buffer may cause a crash or memory
contents to be sent to the peer.
more... | FreeBSD openssl openssl-quictls openssl31 openssl31-quictls openssl32 openssl33
more detail |
2024-09-05 | VuXML ID 4edaa9f4-6b51-11ef-9a62-002590c1f29c
Problem Description:
bhyve can be configured to emulate devices on a virtual USB
controller (XHCI), such as USB tablet devices. An insufficient
boundary validation in the USB code could lead to an out-of-bounds
write on the heap, with data controlled by the caller.
Impact:
Malicious, privileged software running in a guest VM can
exploit the vulnerability to achieve code execution on the host in
the bhyve userspace process, which typically runs as root. Note
that bhyve runs in a Capsicum sandbox, so malicious code is constrained
by the capabilities available to the bhyve process.
more... | FreeBSD
more detail |
2024-09-05 | VuXML ID 56d76414-6b50-11ef-9a62-002590c1f29c
Problem Description:
bhyve can be configured to provide access to the host's TPM
device, where it passes the communication through an emulated device
provided to the guest. This may be performed on the command-line
by starting bhyve with the `-l tpm,passthru,/dev/tpmX` parameters.
The MMIO handler for the emulated device did not validate the offset
and size of the memory access correctly, allowing guests to read
and write memory contents outside of the memory area effectively
allocated.
Impact:
Malicious software running in a guest VM can exploit the buffer
overflow to achieve code execution on the host in the bhyve userspace
process, which typically runs as root. Note that bhyve runs in a
Capsicum sandbox, so malicious code is constrained by the capabilities
available to the bhyve process.
more... | FreeBSD
more detail |
2024-09-05 | VuXML ID 66907dab-6bb2-11ef-b813-4ccc6adda413
Backports for 6 security bugs in Chromium:
- CVE-2024-5496: Use after free in Media Session
- CVE-2024-5846: Use after free in PDFium
- CVE-2024-6291: Use after free in Swiftshader
- CVE-2024-6989: Use after free in Loader
- CVE-2024-6996: Race in Frames
- CVE-2024-7536: Use after free in WebAudio
more... | qt5-webengine
more detail |
2024-09-05 | VuXML ID 7e079ce2-6b51-11ef-9a62-002590c1f29c
Problem Description:
Concurrent removals of such a mapping by using the UMTX_SHM_DESTROY
sub-request of UMTX_OP_SHM can lead to decreasing the reference
count of the object representing the mapping too many times, causing
it to be freed too early.
Impact:
Malicious code exercising the UMTX_SHM_DESTROY sub-request
in parallel can panic the kernel or enable further Use-After-Free
attacks, potentially including code execution or Capsicum sandbox
escape.
more... | FreeBSD
more detail |
2024-09-05 | VuXML ID 8d1f9adf-6b4f-11ef-9a62-002590c1f29c
Problem Description:
CVE-2024-45287 is a vulnerability that affects both the kernel
and userland. A malicious value of size in a structure of packed
libnv can cause an integer overflow, leading to the allocation of
a smaller buffer than required for the parsed data.
CVE-2024-45288 is a vulnerability that affects both the kernel and
userland. A missing null-termination character in the last element
of an nvlist array string can lead to writing outside the allocated
buffer.
Impact:
It is possible for an attacker to overwrite portions of memory
(in userland or the kernel) as the allocated buffer might be smaller
than the data received from a malicious process. This vulnerability
could result in privilege escalation or cause a system panic.
more... | FreeBSD FreeBSD-kernel
more detail |
2024-09-05 | VuXML ID 9bd5e47b-6b50-11ef-9a62-002590c1f29c
Problem Description:
Several vulnerabilities were found in the ctl subsystem.
The function ctl_write_buffer incorrectly set a flag which resulted
in a kernel Use-After-Free when a command finished processing
(CVE-2024-45063). The ctl_write_buffer and ctl_read_buffer functions
allocated memory to be returned to userspace, without initializing
it (CVE-2024-8178). The ctl_report_supported_opcodes function did
not sufficiently validate a field provided by userspace, allowing
an arbitrary write to a limited amount of kernel heap memory
(CVE-2024-42416). The ctl_request_sense function could expose up
to three bytes of the kernel heap to userspace (CVE-2024-43110).
Guest virtual machines in the bhyve hypervisor can send SCSI commands
to the corresponding kernel driver via the virtio_scsi interface.
This provides guests with direct access to the vulnerabilities
covered by this advisory.
The CAM Target Layer iSCSI target daemon ctld(8) accepts incoming
iSCSI connections, performs authentication and passes connections
to the kernel ctl(4) target layer.
Impact:
Malicious software running in a guest VM that exposes virtio_scsi
can exploit the vulnerabilities to achieve code execution on the
host in the bhyve userspace process, which typically runs as root.
Note that bhyve runs in a Capsicum sandbox, so malicious code is
constrained by the capabilities available to the bhyve process.
A malicious iSCSI initiator could achieve remote code execution on
the iSCSI target host.
more... | FreeBSD-kernel
more detail |
2024-09-05 | VuXML ID a3a1caf5-6ba1-11ef-b9e8-b42e991fc52e
security@mozilla.org reports:
This entry contains 8 vulnerabilities:
- CVE-2024-8381: A potentially exploitable type
confusion could be triggered when looking up a property
name on an object being used as the `with` environment.
- CVE-2024-8382: Internal browser event interfaces were
exposed to web content when privileged EventHandler listener
callbacks ran for those events. Web content that tried to
use those interfaces would not be able to use them with
elevated privileges, but their presence would indicate
certain browser features had been used, such as when a user
opened the Dev Tools console.
- CVE-2024-8383: Firefox normally asks for confirmation
before asking the operating system to find an application to
handle a scheme that the browser does not support. It did not
ask before doing so for the Usenet-related schemes news: and
snews:. Since most operating systems don't have a
trusted newsreader installed by default, an unscrupulous
program that the user downloaded could register itself as a
handler. The website that served the application download
could then launch that application at will.
- CVE-2024-8384: The JavaScript garbage collector could
mis-color cross-compartment objects if OOM conditions were
detected at the right point between two passes. This could have
led to memory corruption.
- CVE-2024-8385: A difference in the handling of
StructFields and ArrayTypes in WASM could be used to trigger
an exploitable type confusion vulnerability.
- CVE-2024-8386: If a site had been granted the permission
to open popup windows, it could cause Select elements to
appear on top of another site to perform a spoofing attack.
- CVE-2024-8387: Memory safety bugs present in Firefox 129,
Firefox ESR 128.1, and Thunderbird 128.1. Some of these bugs
showed evidence of memory corruption and we presume that with
enough effort some of these could have been exploited to run
arbitrary code.
- CVE-2024-8389: Memory safety bugs present in Firefox 129.
Some of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have been
exploited to run arbitrary code.
more... | firefox
more detail |
2024-09-05 | VuXML ID f5d0cfe7-6ba6-11ef-858b-23eeba13701a
Problem Description:
- Replace v-html with v-text in search inputbox
- Fix nuget/conan/container packages upload bugs
more... | gitea
more detail |
2024-09-03 | VuXML ID 26125e09-69ca-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [357391257] High CVE-2024-8362: Use after free in WebAudio. Reported by Cassidy Kim(@cassidy6564) on 2024-08-05
- [358485426] High CVE-2024-7970: Out of bounds write in V8. Reported by Cassidy Kim(@cassidy6564) on 2024-08-09
more... | chromium ungoogled-chromium
more detail |
2024-08-30 | VuXML ID 5e4d7172-66b8-11ef-b104-b42e991fc52e
security@mozilla.org reports:
- Firefox adds web-compatibility shims in place of some
tracking scripts blocked by Enhanced Tracking Protection.
On a site protected by Content Security Policy in
"strict-dynamic" mode, an attacker able to
inject an HTML element could have used a DOM
Clobbering attack on some of the shims and achieved XSS,
bypassing the CSP strict-dynamic protection.
- Form validation popups could capture escape key presses.
Therefore, spamming form validation messages could be used
to prevent users from exiting full-screen mode.
- When almost out-of-memory an elliptic curve key which
was never allocated could have been freed again.
- It was possible to move the cursor using pointerlock
from an iframe. This allowed moving the cursor outside
of the viewport and the Firefox window.
more... | firefox
more detail |
2024-08-30 | VuXML ID 7e9cc7fd-6b3e-46c5-ad6d-409d90d41bbf
hadmut reports:
This C library includes 2 command-line tools that can take
credentials as command-line options. The credentials are exposed
as plain-text in the process list. This could allow an attacker
with access to the process list to see the credentials.
more... | rabbitmq-c
more detail |
2024-08-30 | VuXML ID eb437e17-66a1-11ef-ac08-75165d18d8d2
The forgejo team reports:
The scope of application tokens was not verified when writing
containers or Conan packages. This is of no consequence when the
user associated with the application token does not have write
access to packages. If the user has write access to packages, such
a token can be used to write containers and Conan packages. An
application token that was used to write containers or Conan
packages without the package:write scope will now fail with an
unauthorized error. It must be re-created to include the
package:write scope.
more... | forgejo
more detail |
2024-08-29 | VuXML ID 44de1b82-662d-11ef-a51b-b42e991fc52e
security@mozilla.org reports:
This update includes 3 CVEs:
- The contextual menu for links could provide an
opportunity for cross-site scripting attacks.
- Long pressing on a download link could potentially
provide a means for cross-site scripting.
- Long pressing on a download link could potentially
allow Javascript commands to be executed within the
browser.
more... | firefox
more detail |
2024-08-29 | VuXML ID 46419e8c-65d9-11ef-ac06-b0416f0c4c67
report@snyk.io reports:
All versions of the package configobj are vulnerable to Regular
Expression Denial of Service (ReDoS) via the validate function,
using (.+?)\((.*)\). Note: This is only exploitable in the case
of a developer putting the offending value in a server side
configuration file.
more... | py310-configobj py311-configobj py38-configobj py39-configobj
more detail |
2024-08-29 | VuXML ID 6f2545bb-65e8-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [351865302] High CVE-2024-7969: Type Confusion in V8. Reported by CFF of Topsec Alpha Team on 2024-07-09
- [360265320] High CVE-2024-8193: Heap buffer overflow in Skia. Reported by Renan Rios (@hyhy_100) on 2024-08-16
- [360533914] High CVE-2024-8194: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-08-18
- [360758697] High CVE-2024-8198: Heap buffer overflow in Skia. Reported by Renan Rios (@hyhy_100) on 2024-08-19
more... | chromium ungoogled-chromium
more detail |
2024-08-25 | VuXML ID 49ef501c-62b6-11ef-bba5-2cf05da270f3
Gitlab reports:
The GitLab Web Interface Does Not Guarantee Information Integrity When Downloading Source Code from Releases
Denial of Service by importing maliciously crafted GitHub repository
Prompt injection in "Resolve Vulnerability" results in arbitrary command execution in victim's pipeline
An unauthorized user can perform certain actions through GraphQL after a group owner enables IP restrictions
more... | gitlab-ce gitlab-ee
more detail |
2024-08-23 | VuXML ID 6e8b9c75-6179-11ef-8a7d-b42e991fc52e
cve@mitre.org reports:
MCPP 2.7.2 has a heap-based buffer overflow in the do_msg() function
in support.c.
more... | mcpp
more detail |
2024-08-23 | VuXML ID 7e6e932f-617b-11ef-8a7d-b42e991fc52e
security@mozilla.org reports:
- CVE-2024-5697: A website was able to detect when a
user took a screenshot of a page using the built-in
Screenshot functionality in Firefox.
- CVE-2024-5698: By manipulating the fullscreen
feature while opening a data-list, an attacker could
have overlaid a text box over the address bar. This
could have led to user confusion and possible spoofing
attacks.
more... | firefox
more detail |
2024-08-23 | VuXML ID f2b1da2e-6178-11ef-8a7d-b42e991fc52e
cve@mitre.org reports:
md_analyze_line in md4c.c in md4c 0.4.7 allows attackers
to trigger use of uninitialized memory, and cause a denial
of service via a malformed Markdown document.
more... | md4c
more detail |
2024-08-22 | VuXML ID addc71b8-6024-11ef-86a1-8c164567ca3c
The nginx development team reports:
This update fixes the buffer overread vulnerability in the
ngx_http_mp4_module.
more... | nginx nginx-devel
more detail |
2024-08-22 | VuXML ID b339992e-6059-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 38 security fixes:
- [358296941] High CVE-2024-7964: Use after free in Passwords. Reported by Anonymous on 2024-08-08
- [356196918] High CVE-2024-7965: Inappropriate implementation in V8. Reported by TheDog on 2024-07-30
- [355465305] High CVE-2024-7966: Out of bounds memory access in Skia. Reported by Renan Rios (@HyHy100) on 2024-07-25
- [355731798] High CVE-2024-7967: Heap buffer overflow in Fonts. Reported by Tashita Software Security on 2024-07-27
- [349253666] High CVE-2024-7968: Use after free in Autofill. Reported by Han Zheng (HexHive) on 2024-06-25
- [351865302] High CVE-2024-7969: Type Confusion in V8. Reported by CFF of Topsec Alpha Team on 2024-07-09
- [360700873] High CVE-2024-7971: Type confusion in V8. Reported by Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC) on 2024-08-19
- [345960102] Medium CVE-2024-7972: Inappropriate implementation in V8. Reported by Simon Gerst (intrigus-lgtm) on 2024-06-10
- [345518608] Medium CVE-2024-7973: Heap buffer overflow in PDFium. Reported by soiax on 2024-06-06
- [339141099] Medium CVE-2024-7974: Insufficient data validation in V8 API. Reported by bowu(@gocrashed) on 2024-05-07
- [347588491] Medium CVE-2024-7975: Inappropriate implementation in Permissions. Reported by Thomas Orlita on 2024-06-16
- [339654392] Medium CVE-2024-7976: Inappropriate implementation in FedCM. Reported by Alesandro Ortiz on 2024-05-10
- [324770940] Medium CVE-2024-7977: Insufficient data validation in Installer. Reported by Kim Dong-uk (@justlikebono) on 2024-02-11
- [40060358] Medium CVE-2024-7978: Insufficient policy enforcement in Data Transfer. Reported by NDevTK on 2022-07-21
- [356064205] Medium CVE-2024-7979: Insufficient data validation in Installer. Reported by VulnNoob on 2024-07-29
- [356328460] Medium CVE-2024-7980: Insufficient data validation in Installer. Reported by VulnNoob on 2024-07-30
- [40067456] Low CVE-2024-7981: Inappropriate implementation in Views. Reported by Thomas Orlita on 2023-07-14
- [350256139] Low CVE-2024-8033: Inappropriate implementation in WebApp Installs. Reported by Lijo A.T on 2024-06-30
- [353858776] Low CVE-2024-8034: Inappropriate implementation in Custom Tabs. Reported by Bharat (mrnoob) on 2024-07-18
- [40059470] Low CVE-2024-8035: Inappropriate implementation in Extensions. Reported by Microsoft on 2022-04-26
more... | chromium ungoogled-chromium
more detail |
2024-08-20 | VuXML ID 04c9c3f8-5ed3-11ef-8262-b0416f0c4c67
security-advisories@github.com reports:
Jinja is an extensible templating engine. The `xmlattr` filter in
affected versions of Jinja accepts keys containing non-attribute
characters. XML/HTML attributes cannot contain spaces, `/`, `>`,
or `=`, as each would then be interpreted as starting a separate
attribute. If an application accepts keys (as opposed to only
values) as user input, and renders these in pages that other users
see as well, an attacker could use this to inject other attributes
and perform XSS. The fix for CVE-2024-22195 only addressed spaces
but not other characters. Accepting keys as user input is now
explicitly considered an unintended use case of the `xmlattr` filter,
and code that does so without otherwise validating the input should
be flagged as insecure, regardless of Jinja version. Accepting
_values_ as user input continues to be safe. This vulnerability
is fixed in 3.1.4.
more... | py310-Jinja2 py311-Jinja2 py38-Jinja2 py39-Jinja2
more detail |
2024-08-19 | VuXML ID d0ac9a17-5e68-11ef-b8cc-b42e991fc52e
security@mozilla.org reports:
Select options could obscure the fullscreen notification dialog.
This could be used by a malicious site to perform a spoofing attack.
This vulnerability affects Firefox < 129, Firefox ESR < 128.1,
and Thunderbird < 128.1.
more... | firefox
more detail |
2024-08-18 | VuXML ID ac025402-4cbc-4177-bd99-c20c03a07f23
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-6776.
- Security: backported fix for CVE-2024-6778.
- Security: backported fix for CVE-2024-6777.
- Security: backported fix for CVE-2024-6773.
- Security: backported fix for CVE-2024-6774.
- Security: backported fix for CVE-2024-6772.
- Security: backported fix for CVE-2024-6775.
- Security: backported fix for CVE-2024-6779.
- Security: backported fix for CVE-2024-6989.
- Security: backported fix for CVE-2024-6991.
more... | electron29 electron30
more detail |
2024-08-18 | VuXML ID e61af8f4-455d-4f99-8d81-fbb004929dab
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-6989.
- Security: backported fix for CVE-2024-6991.
more... | electron31
more detail |
2024-08-16 | VuXML ID 6a6ad6cb-5c6c-11ef-b456-001e676bf734
Dovecot reports:
A DoS is possible with a large number of address headers or abnormally large email headers.
more... | dovecot
more detail |
2024-08-14 | VuXML ID 9d8e9952-5a42-11ef-a219-1c697a616631
Intel reports:
A potential security vulnerability in SMI Transfer monitor (STM) may
allow escalation of privilege. Intel has released microcode updates
to mitigate this potential vulnerability.
A potential security vulnerability in some 3rd Generation Intel Xeon
Scalable Processors may allow denial of service. Intel has released
microcode updates to mitigate this potential vulnerability.
A potential security vulnerability in some 3rd, 4th, and 5th
Generation Intel Xeon Processors may allow escalation of privilege.
Intel has released firmware updates to mitigate this potential
vulnerability.
A potential security vulnerability in the Intel Core Ultra Processor
stream cache mechanism may allow escalation of privilege. Intel has
released microcode updates to mitigate this potential vulnerability.
A potential security vulnerability in some Intel Processor stream
cache mechanisms may allow escalation of privilege. Intel has
released microcode updates to mitigate this potential vulnerability.
more... | cpu-microcode-intel
more detail |
2024-08-13 | VuXML ID 5d7939f6-5989-11ef-9793-b42e991fc52e
security@mozilla.org reports:
- CVE-2024-7531: Calling `PK11_Encrypt()` in NSS using
CKM_CHACHA20 and the same buffer for input and output can
result in plaintext on an Intel Sandy Bridge processor. In
Firefox this only affects the QUIC header protection
feature when the connection is using the ChaCha20-Poly1305
cipher suite. The most likely outcome is connection
failure, but if the connection persists despite the high
packet loss it could be possible for a network observer to
identify packets as coming from the same source despite a
network path change. This vulnerability affects Firefox
< 129, Firefox ESR < 115.14, and Firefox ESR <
128.1.
- CVE-2024-7529: The date picker could partially obscure
security prompts. This could be used by a malicious site
to trick a user into granting permissions. This
vulnerability affects Firefox < 129, Firefox ESR <
115.14, Firefox ESR < 128.1, Thunderbird < 128.1,
and Thunderbird < 115.14.
- CVE-2024-7525: It was possible for a web extension with
minimal permissions to create a `StreamFilter` which could
be used to read and modify the response body of requests
on any site. This vulnerability affects Firefox < 129,
Firefox ESR < 115.14, Firefox ESR < 128.1,
Thunderbird < 128.1, and Thunderbird < 115.14.
- CVE-2024-7522: Editor code failed to check an attribute
value. This could have led to an out-of-bounds read. This
vulnerability affects Firefox < 129, Firefox ESR <
115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and
Thunderbird < 115.14.
- CVE-2024-7520: A type confusion bug in WebAssembly could
be leveraged by an attacker to potentially achieve code
execution. This vulnerability affects Firefox < 129,
Firefox ESR < 128.1, and Thunderbird < 128.1.
- CVE-2024-7521: Incomplete WebAssembly exception handling
could have led to a use-after-free. This vulnerability
affects Firefox < 129, Firefox ESR < 115.14,
Firefox ESR < 128.1, Thunderbird < 128.1, and
Thunderbird < 115.14.
- CVE-2024-7530: Incorrect garbage collection interaction
could have led to a use-after-free. This vulnerability
affects Firefox < 129.
- CVE-2024-7528: Incorrect garbage collection interaction in
IndexedDB could have led to a use-after-free. This
vulnerability affects Firefox < 129,
Firefox ESR < 128.1, and Thunderbird < 128.1.
- CVE-2024-7527: Unexpected marking work at the start of
sweeping could have led to a use-after-free. This
vulnerability affects Firefox < 129,
Firefox ESR < 115.14, Firefox ESR < 128.1,
Thunderbird < 128.1, and Thunderbird < 115.14.
more... | firefox
more detail |
2024-08-12 | VuXML ID d2723b0f-58d9-11ef-b611-84a93843eb75
SO-AND-SO reports:
This release has several CVE Reports fixed and we recommend
everybody to update to the latest version as soon as possible.
more... | vaultwarden
more detail |
2024-08-10 | VuXML ID 5776cc4f-5717-11ef-b611-84a93843eb75
The Roundcube project reports:
XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]
more... | roundcube
more detail |
2024-08-10 | VuXML ID 7d631146-5769-11ef-b618-1c697a616631
AMD reports:
Researchers from IOActive have reported that it may be possible for
an attacker with ring 0 access to modify the configuration of System
Management Mode (SMM) even when SMM Lock is enabled. Improper
validation in a model specific register (MSR) could allow a malicious
program with ring0 access to modify SMM configuration while SMI lock
is enabled, potentially leading to arbitrary code execution.
more... | cpu-microcode-amd
more detail |
2024-08-10 | VuXML ID aa1c7af9-570e-11ef-a43e-b42e991fc52e
security@mozilla.org reports:
By monitoring the time certain operations take, an attacker could
have guessed which external protocol handlers were functional on a
user's system. This vulnerability affects Firefox < 127,
Firefox ESR < 115.12, and Thunderbird < 115.12.
more... | firefox
more detail |
2024-08-09 | VuXML ID 587ed8ac-5957-11ef-854a-001e676bf734
OpenHAB reports:
This patch release addresses the following security advisories:
All of these are related to the CometVisu add-on for openHAB - if you are a user of CometVisu, we strongly recommend to upgrade your system to openHAB 4.2.1 in order to fix those vulnerabilities.
more... | openhab-addons
more detail |
2024-08-09 | VuXML ID 8c342a6c-563f-11ef-a77e-901b0e9408dc
soft-serve team reports:
Arbitrary code execution by crafting git ssh requests
It is possible for a user who can commit files to a
repository hosted by Soft Serve to execute arbitrary code
via environment manipulation and Git.
more... | soft-serve
more detail |
2024-08-08 | VuXML ID 48e6d514-5568-11ef-af48-6cc21735f730
PostgreSQL project reports:
An attacker able to create and drop non-temporary objects could
inject SQL code that would be executed by a concurrent pg_dump
session with the privileges of the role running pg_dump
(which is often a superuser). The attack involves replacing a
sequence or similar object with a view or foreign table that will
execute malicious code. To prevent this, introduce a new server
parameter restrict_nonsystem_relation_kind that can disable
expansion of non-builtin views as well as access to foreign
tables, and teach pg_dump to set it when available. Note that the
attack is prevented only if both pg_dump and the server it is
dumping from are new enough to have this fix.
more... | postgresql12-client postgresql12-server postgresql13-client postgresql13-server postgresql14-client postgresql14-server postgresql15-client postgresql15-server postgresql16-client postgresql16-server
more detail |
2024-08-07 | VuXML ID 729008b9-54bf-11ef-a61b-2cf05da270f3
Gitlab reports:
Privilege Escalation via LFS Tokens Granting Unrestricted Repository Access
Cross project access of Security policy bot
Advanced search ReDOS in highlight for code results
Denial of Service via banzai pipeline
Denial of service using adoc files
ReDoS in RefMatcher when matching branch names using wildcards
Path encoding can cause the Web interface to not render diffs correctly
XSS while viewing raw XHTML files through API
Ambiguous tag name exploitation
Logs disclosing potentially sensitive data in query params
Password bypass on approvals using policy projects
ReDoS when parsing git push
Webhook deletion audit log can preserve auth credentials
more... | gitlab-ce gitlab-ee
more detail |
2024-08-07 | VuXML ID 94d441d2-5497-11ef-9d2f-080027836e8b
Django reports:
CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat().
CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize().
CVE-2024-41991: Potential denial-of-service vulnerability in
django.utils.html.urlize() and AdminURLFieldWidget.
CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list().
more... | py310-django42 py310-django50 py311-django42 py311-django50 py39-django42
more detail |
2024-08-07 | VuXML ID db8fa362-0ccb-4aa8-9220-72b7763e9a4a
Jenkins Security Advisory:
Description
(Critical) SECURITY-3430 / CVE-2024-43044
Arbitrary file read vulnerability through agent connections can lead to RCE
Description
(Medium) SECURITY-3349 / CVE-2024-43045
Missing permission check allows accessing other users' "My Views"
more... | jenkins jenkins-lts
more detail |
2024-08-06 | VuXML ID 05cd9f82-5426-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 5 security fixes:
- [350528343] Critical CVE-2024-7532: Out of bounds memory access in ANGLE. Reported by wgslfuzz on 2024-07-02
- [353552540] High CVE-2024-7533: Use after free in Sharing. Reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-07-17
- [355256380] High CVE-2024-7550: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-07-25
- [352467338] High CVE-2024-7534: Heap buffer overflow in Layout. Reported by Tashita Software Security on 2024-07-11
- [352690885] High CVE-2024-7535: Inappropriate implementation in V8. Reported by Tashita Software Security on 2024-07-12
- [354847246] High CVE-2024-7536: Use after free in WebAudio. Reported by Cassidy Kim(@cassidy6564) on 2024-07-23
more... | chromium ungoogled-chromium
more detail |
2024-07-31 | VuXML ID 15d398ea-4f73-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 3 security fixes:
- [353034820] Critical CVE-2024-6990: Uninitialized Use in Dawn. Reported by gelatin dessert on 2024-07-15
- [352872238] High CVE-2024-7255: Out of bounds read in WebTransport. Reported by Marten Richter on 2024-07-13
- [354748060] High CVE-2024-7256: Insufficient data validation in Dawn. Reported by gelatin dessert on 2024-07-23
more... | chromium ungoogled-chromium
more detail |
2024-07-30 | VuXML ID fb0b5574-4e64-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 22 security fixes:
- [349198731] High CVE-2024-6988: Use after free in Downloads. Reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-06-25
- [349342289] High CVE-2024-6989: Use after free in Loader. Reported by Anonymous on 2024-06-25
- [346618785] High CVE-2024-6991: Use after free in Dawn. Reported by wgslfuzz on 2024-06-12
- [339686368] Medium CVE-2024-6994: Heap buffer overflow in Layout. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2024-05-10
- [343938078] Medium CVE-2024-6995: Inappropriate implementation in Fullscreen. Reported by Alesandro Ortiz on 2024-06-01
- [333708039] Medium CVE-2024-6996: Race in Frames. Reported by Louis Jannett (Ruhr University Bochum) on 2024-04-10
- [325293263] Medium CVE-2024-6997: Use after free in Tabs. Reported by Sven Dysthe (@svn-dys) on 2024-02-15
- [340098902] Medium CVE-2024-6998: Use after free in User Education. Reported by Sven Dysthe (@svn-dys) on 2024-05-13
- [340893685] Medium CVE-2024-6999: Inappropriate implementation in FedCM. Reported by Alesandro Ortiz on 2024-05-15
- [339877158] Medium CVE-2024-7000: Use after free in CSS. Reported by Anonymous on 2024-05-11
- [347509736] Medium CVE-2024-7001: Inappropriate implementation in HTML. Reported by Jake Archibald on 2024-06-17
- [338233148] Low CVE-2024-7003: Inappropriate implementation in FedCM. Reported by Alesandro Ortiz on 2024-05-01
- [40063014] Low CVE-2024-7004: Insufficient validation of untrusted input in Safe Browsing. Reported by Anonymous on 2023-02-10
- [40068800] Low CVE-2024-7005: Insufficient validation of untrusted input in Safe Browsing. Reported by Umar Farooq on 2023-08-04
more... | chromium ungoogled-chromium
more detail |
2024-07-28 | VuXML ID 8057d198-4d26-11ef-8e64-641c67a117d8
Mitre reports:
In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK.
more... | znc
more detail |
2024-07-26 | VuXML ID 3e917407-4b3f-11ef-8e49-001999f8d30b
Mailpit developer reports:
A vulnerability was discovered which allowed a bad
actor with SMTP access to Mailpit to bypass the Content
Security Policy headers using a series of crafted HTML
messages which could result in a stored XSS attack via
the web UI.
more... | mailpit
more detail |
2024-07-25 | VuXML ID 24c88add-4a3e-11ef-86d7-001b217b3468
Gitlab reports:
XSS via the Maven Dependency Proxy
Project level analytics settings leaked in DOM
Reports can access and download job artifacts despite use of settings to prevent it
Direct Transfer - Authorised project/group exports are accessible to other users
Bypassing tag check and branch check through imports
Project Import/Export - Make project/group export files hidden to everyone except user who initiated it
more... | gitlab-ce gitlab-ee
more detail |
2024-07-19 | VuXML ID 574028b4-a181-455b-a78b-ec5c62781235
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-6291.
- Security: backported fix for CVE-2024-6293.
- Security: backported fix for CVE-2024-6290.
- Security: backported fix for CVE-2024-6292.
more... | electron29
more detail |
2024-07-17 | VuXML ID 088b8b7d-446c-11ef-b611-84a93843eb75
The Apache httpd project reports:
source code disclosure with handlers configured via AddType
(CVE-2024-40725) (Important): A partial fix for CVE-2024-39884
in the core of Apache HTTP Server 2.4.61 ignores some use of the
legacy content-type based configuration of handlers. "AddType"
and similar configuration, under some circumstances where files
are requested indirectly, result in source code disclosure of
local content. For example, PHP scripts may be served instead
of interpreted.
more... | apache24
more detail |
2024-07-16 | VuXML ID 3b018063-4358-11ef-b611-84a93843eb75
Oracle reports:
36 new security patches for Oracle MySQL. 11 of these vulnerabilities
may be remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle
MySQL is 9.8.
more... | mysql80-client mysql80-server mysql81-client mysql81-server mysql84-client mysql84-server
more detail |
2024-07-16 | VuXML ID 6091d1d8-4347-11ef-a4d4-080027957747
GLPI team reports:
GLPI 10.0.16 Changelog
- [SECURITY - high] Account takeover via SQL Injection in AJAX scripts (CVE-2024-37148)
- [SECURITY - high] Remote code execution through the plugin loader (CVE-2024-37149)
- [SECURITY - moderate] Authenticated file upload to restricted tickets (CVE-2024-37147)
more... | glpi
more detail |
2024-07-13 | VuXML ID 55d4a92f-c75f-43e8-ab1f-4a0efc9795c4
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-6291.
- Security: backported fix for CVE-2024-6293.
- Security: backported fix for CVE-2024-6290.
- Security: backported fix for CVE-2024-6292.
more... | electron29
more detail |
2024-07-13 | VuXML ID 6410f91d-1214-4f92-b7e0-852e39e265f9
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-5493.
- Security: backported fix for CVE-2024-5831.
- Security: backported fix for CVE-2024-5832.
- Security: backported fix for CVE-2024-6100.
- Security: backported fix for CVE-2024-6101.
- Security: backported fix for CVE-2024-6103.
- Security: backported fix for CVE-2024-6291.
- Security: backported fix for CVE-2024-6293.
- Security: backported fix for CVE-2024-6290.
- Security: backported fix for CVE-2024-6292.
more... | electron30
more detail |
2024-07-11 | VuXML ID acb4eab6-3f6d-11ef-8657-001b217b3468
Gitlab reports:
An attacker can run pipeline jobs as an arbitrary user
Developer user with admin_compliance_framework permission can change group URL
Admin push rules custom role allows creation of project level deploy token
Package registry vulnerable to manifest confusion
User with admin_group_member permission can ban group members
Subdomain takeover in GitLab Pages
more... | gitlab-ce gitlab-ee
more detail |
2024-07-10 | VuXML ID 171afa61-3eba-11ef-a58f-080027836e8b
Django reports:
CVE-2024-38875: Potential denial-of-service in django.utils.html.urlize().
CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords.
CVE-2024-39330: Potential directory-traversal in django.core.files.storage.Storage.save().
CVE-2024-39614: Potential denial-of-service in django.utils.translation.get_supported_language_variant().
more... | py310-django42 py310-django50 py311-django42 py311-django50 py39-django42
more detail |
2024-07-07 | VuXML ID 767dfb2d-3c9e-11ef-a829-5404a68ad561
The traefik authors report:
There is a vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early
data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses.
more... | traefik
more detail |
2024-07-04 | VuXML ID 51498ee4-39a1-11ef-b609-002590c1f29c
Request Tracker reports:
CVE-2024-3262 describes previously viewed pages being stored in the
browser cache, which is the typical default behavior of most browsers to
enable the "back" button. Someone who gains access to a host computer could
potentially view ticket data using the back button, even after logging out
of RT. The CVE specifically references RT version 4.4.1, but this behavior
is present in most browsers viewing all versions of RT before 5.0.6.
more... | rt50
more detail |
2024-07-04 | VuXML ID 5d921a8c-3a43-11ef-b611-84a93843eb75
The Apache httpd project reports:
source code disclosure with handlers configured via AddType
(CVE-2024-39884) (Important). A regression in the core of Apache HTTP
Server 2.4.60 ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly, result
in source code disclosure of local content. For example, PHP scripts
may be served instead of interpreted.
more... | apache24
more detail |
2024-07-03 | VuXML ID b0374722-3912-11ef-a77e-901b0e9408dc
The Go project reports:
net/http: denial of service due to improper 100-continue handling
The net/http HTTP/1.1 client mishandled the case where a
server responds to a request with an "Expect: 100-continue"
header with a non-informational (200 or higher) status. This
mishandling could leave a client connection in an invalid
state, where the next request sent on the connection will
fail.
An attacker sending a request to a
net/http/httputil.ReverseProxy proxy can exploit this
mishandling to cause a denial of service by sending "Expect:
100-continue" requests which elicit a non-informational
response from the backend. Each such request leaves the
proxy with an invalid connection, and causes one subsequent
request using that connection to fail.
more... | go121 go122
more detail |
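The Expect: 100-continue problem described above is easiest to see at the proxy boundary. The Go program below is an added example written for this page, not code from the Go project or from the advisory: it puts a stopgap guard in front of an httputil.ReverseProxy that answers 417 Expectation Failed to any request carrying an Expect header, and drives the proxy entirely in memory with a custom Transport (the backend address http://backend.internal, the handler names and the request body are constructed) that stands in for a backend answering 200 instead of 100 Continue. It shows that without the guard the proxy forwards Expect: 100-continue to the backend unchanged, and that with the guard the backend is never reached. It does not reproduce the connection-state corruption itself; upgrading Go is the actual fix, and the guard costs clients that depend on 100-continue a retry.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// rejectExpect is a stopgap for a proxy built with an unpatched Go: it
// answers 417 Expectation Failed to any request carrying an Expect header,
// so "Expect: 100-continue" is never forwarded to the backend and the
// proxy's outbound connection never enters the mishandled path.
func rejectExpect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Expect") != "" {
			http.Error(w, "Expectation Failed", http.StatusExpectationFailed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// roundTripFunc lets a plain function act as the proxy's Transport so the
// whole demonstration runs in memory, without sockets.
type roundTripFunc func(*http.Request) (*http.Response, error)

func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// fakeBackend stands in for a backend that answers a request with a final
// status (200) instead of "100 Continue". It records the Expect header
// value the proxy forwarded, which is what the advisory's attacker relies on.
func fakeBackend(seenExpect *string) roundTripFunc {
	return func(r *http.Request) (*http.Response, error) {
		*seenExpect = r.Header.Get("Expect")
		return &http.Response{
			StatusCode: http.StatusOK,
			Header:     http.Header{},
			Body:       io.NopCloser(strings.NewReader("ok")),
			Request:    r,
		}, nil
	}
}

// run sends one POST with "Expect: 100-continue" through a ReverseProxy,
// with or without the guard, and reports the client's status code and the
// Expect value (if any) that reached the backend.
func run(guarded bool) (status int, backendSawExpect string) {
	target, _ := url.Parse("http://backend.internal") // constructed backend address
	rp := httputil.NewSingleHostReverseProxy(target)
	backendSawExpect = "(backend not reached)"
	rp.Transport = fakeBackend(&backendSawExpect)

	var h http.Handler = rp
	if guarded {
		h = rejectExpect(rp)
	}
	req := httptest.NewRequest(http.MethodPost, "/upload", strings.NewReader("payload"))
	req.Header.Set("Expect", "100-continue")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, backendSawExpect
}

func main() {
	for _, guarded := range []bool{false, true} {
		code, seen := run(guarded)
		fmt.Printf("guarded=%-5v client got %d, backend saw Expect=%q\n", guarded, code, seen)
	}
}
```

ReverseProxy strips only hop-by-hop headers, and Expect is not one of them, which is why the unguarded run shows the header arriving at the backend verbatim.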
2024-07-01 | VuXML ID d7efc2ad-37af-11ef-b611-84a93843eb75
The Apache httpd project reports:
DoS by Null pointer in websocket over HTTP/2 (CVE-2024-36387) (Low).
Serving WebSocket protocol upgrades over a HTTP/2 connection could
result in a Null Pointer dereference, leading to a crash of the server
process, degrading performance.
Proxy encoding problem (CVE-2024-38473) (Moderate).
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier
allows request URLs with incorrect encoding to be sent to backend
services, potentially bypassing authentication via crafted requests.
Weakness with encoded question marks in backreferences
(CVE-2024-38474) (Important). Substitution encoding issue in
mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker
to execute scripts in directories permitted by the configuration but
not directly reachable by any URL, or source disclosure of scripts
meant only to be executed as CGI.
Weakness in mod_rewrite when first segment of substitution matches
filesystem path (CVE-2024-38475) (Important). Improper escaping of
output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows
an attacker to map URLs to filesystem locations that are permitted to
be served by the server but are not intentionally/directly reachable
by any URL, resulting in code execution or source code disclosure.
Substitutions in server context that use a backreferences or variables
as the first segment of the substitution are affected. Some unsafe
RewriteRules will be broken by this change and the rewrite flag
"UnsafePrefixStat" can be used to opt back in once ensuring the
substitution is appropriately constrained.
may use exploitable/malicious backend application output to run local
handlers via internal redirect (CVE-2024-38476) (Important).
The core of Apache HTTP Server 2.4.59 and earlier is vulnerable
to information disclosure, SSRF or local script execution
via backend applications whose response headers are malicious or
exploitable.
Crash resulting in Denial of Service in mod_proxy via a malicious
request (CVE-2024-38477) (Important). Null pointer dereference in
mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker
to crash the server via a malicious request.
mod_rewrite proxy handler substitution (CVE-2024-39573) (Moderate).
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier
allows an attacker to cause unsafe RewriteRules to unexpectedly setup
URLs to be handled by mod_proxy.
more... | apache24
more detail |
2024-06-30 | VuXML ID c742dbe8-3704-11ef-9e6e-b42e991fc52e
cve@mitre.org reports:
This entry documents the following three vulnerabilities:
- Netatalk before 3.2.1 has an off-by-one error and resultant heap-based
buffer overflow because of setting ibuf[len] to '\0' in
FPMapName in afp_mapname in etc/afpd/directory.c. 2.4.1 and 3.1.19
are also fixed versions.
- Netatalk before 3.2.1 has an off-by-one error, and resultant
heap-based buffer overflow and segmentation violation, because of
incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c.
The original issue 1097 report stated: 'The latest version of
Netatalk (v3.2.0) contains a security vulnerability. This vulnerability
arises due to a lack of validation for the length field after parsing
user-provided data, leading to an out-of-bounds heap write of one
byte (\0). Under specific configurations, this can result in reading
metadata of the next heap block, potentially causing a Denial of
Service (DoS) under certain heap layouts or with ASAN enabled. ...
- Netatalk before 3.2.1 has an off-by-one error and resultant heap-based
buffer overflow because of setting ibuf[PASSWDLEN] to '\0'
in FPLoginExt in login in etc/uams/uams_pam.c. 2.4.1 and 3.1.19
are also fixed versions.
more... | netatalk3
more detail |
2024-06-28 | VuXML ID 07f0ea8c-356a-11ef-ac6d-a0423f48a938
cve@mitre.org reports:
In FRRouting (FRR) through 9.1, there are multiple vulnerabilities.
- CVE-2024-31950: buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets
- CVE-2024-31951: buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets
more... | frr8 frr9
more detail |
2024-06-28 | VuXML ID 0e73964d-053a-481a-bf1c-202948d68484
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-5499.
- Security: backported fix for CVE-2024-5493.
- Security: backported fix for CVE-2024-5494.
- Security: backported fix for CVE-2024-5495.
- Security: backported fix for CVE-2024-5496.
- Security: backported fix for CVE-2024-5158.
- Security: backported fix for CVE-2024-5160.
- Security: backported fix for CVE-2024-5157.
- Security: backported fix for CVE-2024-5159.
- Security: backported fix for CVE-2024-5831.
- Security: backported fix for CVE-2024-5832.
- Security: backported fix for CVE-2024-6100.
- Security: backported fix for CVE-2024-6101.
- Security: backported fix for CVE-2024-6103.
more... | electron29
more detail |
2024-06-27 | VuXML ID 589de937-343f-11ef-8a7b-001b217b3468
Gitlab reports:
Run pipelines as any user
Stored XSS injected in imported project's commit notes
CSRF on GraphQL API IntrospectionQuery
Remove search results from public projects with unauthorized repos
Cross window forgery in user application OAuth flow
Project maintainers can bypass group's merge request approval policy
ReDoS via custom built markdown page
Private job artifacts can be accessed by any user
Security fixes for banzai pipeline
ReDoS in dependency linker
Denial of service using a crafted OpenAPI file
Merge request title disclosure
Access issues and epics without having an SSO session
Non project member can promote key results to objectives
more... | gitlab-ce gitlab-ee
more detail |
2024-06-25 | VuXML ID 2b68c86a-32d5-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 5 security fixes:
- [342428008] High CVE-2024-6290: Use after free in Dawn. Reported by wgslfuzz on 2024-05-23
- [40942995] High CVE-2024-6291: Use after free in Swiftshader. Reported by Cassidy Kim(@cassidy6564) on 2023-11-15
- [342545100] High CVE-2024-6292: Use after free in Dawn. Reported by wgslfuzz on 2024-05-24
- [345993680] High CVE-2024-6293: Use after free in Dawn. Reported by wgslfuzz on 2024-06-09
more... | chromium ungoogled-chromium
more detail |
2024-06-23 | VuXML ID 4f6c4c07-3179-11ef-9da5-1c697a616631
GNU Emacs developers report:
Emacs 29.4 is an emergency bugfix release intended to fix a security vulnerability. Arbitrary shell commands are no longer run when turning on Org mode in order to avoid running malicious code.
more... | emacs emacs-canna emacs-devel emacs-devel-nox emacs-nox emacs-wayland
more detail |
2024-06-22 | VuXML ID 82830965-3073-11ef-a17d-5404a68ad561
The traefik authors report:
There is an Elevation of Privilege vulnerability in the Azure Identity
Libraries and the Microsoft Authentication Library.
more... | traefik
more detail |
2024-06-20 | VuXML ID 007e7e77-2f06-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 6 security fixes:
- [344608204] High CVE-2024-6100: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) participating in SSD Secure Disclosure's TyphoonPWN 2024 on 2024-06-04
- [343748812] High CVE-2024-6101: Inappropriate implementation in WebAssembly. Reported by @ginggilBesel on 2024-05-31
- [339169163] High CVE-2024-6102: Out of bounds memory access in Dawn. Reported by wgslfuzz on 2024-05-07
- [344639860] High CVE-2024-6103: Use after free in Dawn. Reported by wgslfuzz on 2024-06-04
more... | chromium ungoogled-chromium
more detail |
2024-06-20 | VuXML ID 142c538e-b18f-40a1-afac-c479effadd5c
Gert Doering reports that OpenVPN 2.6.11 fixes two security bugs (three on Windows):
CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. (Reynir Björnsson)
CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client. (Reynir Björnsson)
more... | openvpn
more detail |
2024-06-20 | VuXML ID aa2b65e4-2f63-11ef-9cab-4ccc6adda413
Backports for 5 security bugs in Chromium:
- CVE-2024-3837: Use after free in QUIC
- CVE-2024-3839: Out of bounds read in Fonts
- CVE-2024-3914: Use after free in V8
- CVE-2024-4058: Type confusion in ANGLE
- CVE-2024-4558: Use after free in ANGLE
more... | qt5-webengine
more detail |
2024-06-20 | VuXML ID c5415838-2f52-11ef-9cab-4ccc6adda413
Qt qtwebengine-chromium repo reports:
Backports for 7 security bugs in Chromium:
- CVE-2024-4948: Use after free in Dawn
- CVE-2024-5274: Type Confusion in V8
- CVE-2024-5493: Heap buffer overflow in WebRTC
- CVE-2024-5494: Use after free in Dawn
- CVE-2024-5495: Use after free in Dawn
- CVE-2024-5496: Use after free in Media Session
- CVE-2024-5499: Out of bounds write in Streams API
more... | qt6-webengine
more detail |
2024-06-18 | VuXML ID 453aa0fc-2d91-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 21 security fixes:
- [342456991] High CVE-2024-5830: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2024-05-24
- [339171223] High CVE-2024-5831: Use after free in Dawn. Reported by wgslfuzz on 2024-05-07
- [340196361] High CVE-2024-5832: Use after free in Dawn. Reported by wgslfuzz on 2024-05-13
- [342602616] High CVE-2024-5833: Type Confusion in V8. Reported by @ginggilBesel on 2024-05-24
- [342840932] High CVE-2024-5834: Inappropriate implementation in Dawn. Reported by gelatin dessert on 2024-05-26
- [341991535] High CVE-2024-5835: Heap buffer overflow in Tab Groups. Reported by Weipeng Jiang (@Krace) of VRI on 2024-05-22
- [341875171] High CVE-2024-5836: Inappropriate Implementation in DevTools. Reported by Allen Ding on 2024-05-21
- [342415789] High CVE-2024-5837: Type Confusion in V8. Reported by Anonymous on 2024-05-23
- [342522151] High CVE-2024-5838: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-05-24
- [340122160] Medium CVE-2024-5839: Inappropriate Implementation in Memory Allocator. Reported by Micky on 2024-05-13
- [41492103] Medium CVE-2024-5840: Policy Bypass in CORS. Reported by Matt Howard on 2024-01-17
- [326765855] Medium CVE-2024-5841: Use after free in V8. Reported by Cassidy Kim(@cassidy6564) on 2024-02-26
- [40062622] Medium CVE-2024-5842: Use after free in Browser UI. Reported by Sven Dysthe (@svn_dy) on 2023-01-12
- [333940412] Medium CVE-2024-5843: Inappropriate implementation in Downloads. Reported by hjy79425575 on 2024-04-12
- [331960660] Medium CVE-2024-5844: Heap buffer overflow in Tab Strip. Reported by Sri on 2024-04-01
- [340178596] Medium CVE-2024-5845: Use after free in Audio. Reported by anonymous on 2024-05-13
- [341095523] Medium CVE-2024-5846: Use after free in PDFium. Reported by Han Zheng (HexHive) on 2024-05-16
- [341313077] Medium CVE-2024-5847: Use after free in PDFium. Reported by Han Zheng (HexHive) on 2024-05-18
more... | chromium ungoogled-chromium
more detail |
2024-06-15 | VuXML ID 219aaa1e-2aff-11ef-ab37-5404a68ad561
The traefik authors report:
There is a vulnerability in Go managing various Is methods
(IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses.
They didn't work as expected, returning false for addresses
which would return true in their traditional IPv4 forms.
more... | traefik
more detail |
2024-06-15 | VuXML ID a5c64f6f-2af3-11ef-a77e-901b0e9408dc
The Go project reports:
archive/zip: mishandling of corrupt central directory record
The archive/zip package's handling of certain types of
invalid zip files differed from the behavior of most zip
implementations. This misalignment could be exploited to
create a zip file with contents that vary depending on the
implementation reading the file. The archive/zip package now
rejects files containing these errors.
net/netip: unexpected behavior from Is methods for
IPv4-mapped IPv6 addresses
The various Is methods (IsPrivate, IsLoopback, etc) did
not work as expected for IPv4-mapped IPv6 addresses,
returning false for addresses which would return true in
their traditional IPv4 forms.
more... | go121 go122
more detail |
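The net/netip behaviour described above is what the Traefik entry from the same day (IP allow-lists built on these Is methods) inherits. The Go program below is an added example for this page, not code from the Go project or from Traefik: it shows the robust way to classify an address whatever the toolchain version, by calling Unmap() before IsLoopback()/IsPrivate() so that ::ffff:127.0.0.1 is judged exactly like 127.0.0.1. The rawVerdict function is included only for comparison; its result for mapped addresses depends on whether the Go used to build it carries the fix. The sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// isLocalOrPrivate reports whether s names a loopback or private
// (RFC 1918 / ULA) address. It calls Unmap() first so that an
// IPv4-mapped IPv6 address such as ::ffff:127.0.0.1 is classified
// exactly like 127.0.0.1, regardless of the Go toolchain version.
func isLocalOrPrivate(s string) (bool, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false, err
	}
	addr = addr.Unmap() // no-op for plain IPv4 and native IPv6
	return addr.IsLoopback() || addr.IsPrivate(), nil
}

// rawVerdict calls the Is methods without unmapping. On Go versions
// affected by the advisory this returns false for IPv4-mapped loopback
// and private addresses; on fixed versions it returns true. Comparison only.
func rawVerdict(s string) bool {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false
	}
	return addr.IsLoopback() || addr.IsPrivate()
}

func main() {
	// Constructed sample inputs: the same hosts in IPv4, IPv4-mapped and IPv6 forms.
	samples := []string{
		"127.0.0.1", "::ffff:127.0.0.1",
		"10.1.2.3", "::ffff:10.1.2.3",
		"::1", "8.8.8.8", "::ffff:8.8.8.8",
	}
	for _, s := range samples {
		safe, _ := isLocalOrPrivate(s)
		fmt.Printf("%-18s raw=%-5v unmapped=%v\n", s, rawVerdict(s), safe)
	}
}
```

An allow-list or deny-list that compares against netip.Prefix values has the same pitfall: unmap before calling Contains, or a 4in6 form of a blocked IPv4 address slips past an IPv4 prefix.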
2024-06-13 | VuXML ID 92cd1c03-2940-11ef-bc02-001b217b3468
Gitlab reports:
ReDoS in gomod dependency linker
ReDoS in CI interpolation (fix bypass)
ReDoS in Asana integration issue mapping when webhook is called
XSS and content injection when viewing raw XHTML files on iOS devices
Missing agentk request validation could cause KAS to panic
more... | gitlab-ce gitlab-ee
more detail |
2024-06-11 | VuXML ID 479df73e-2838-11ef-9cab-4ccc6adda413
David Edmundson reports:
KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE
based purely on the host, allowing all local connections. This allows
another user on the same machine to gain access to the session
manager.
A well crafted client could use the session restore feature to execute
arbitrary code as the user on the next boot.
more... | plasma5-plasma-workspace plasma6-plasma-workspace
more detail |
2024-06-10 | VuXML ID 5f608c68-276c-11ef-8caa-0897988a1c07
Composer project reports:
The status, reinstall and remove commands with packages
installed from source via git containing specially crafted
branch names in the repository can be used to execute
code.
The composer install command running inside a git/hg
repository which has specially crafted branch names can
lead to command injection. So this requires cloning
untrusted repositories.
more... | php81-composer php82-composer php83-composer
more detail |
2024-06-07 | VuXML ID 91929399-249e-11ef-9296-b42e991fc52e
security-advisories@github.com reports:
Kanboard is project management software that focuses on the Kanban
methodology. The vuln is in app/Controller/ProjectPermissionController.php
function addUser(). The user's permission to add users to a project
only gets checked on the URL parameter project_id. If the user is
authorized to add users to this project, the request gets processed.
The user's permission for the POST BODY parameter project_id does
not get checked again while processing. An attacker with the
'Project Manager' role on a single project may take over any
other project. The vulnerability is fixed in 1.2.37.
more... | kanboard
more detail |
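The Kanboard flaw above is a general pattern: authorizing one copy of a parameter and acting on another. Kanboard is PHP; the Go program below is an added example written for this page, not Kanboard's code, and reproduces the pattern with a vulnerable handler beside a hardened one, driven in memory with httptest. The permission table, the X-User header standing in for the session user, the route and the user names are all constructed. The hardened handler reads project_id from a single place, rejects a conflicting copy in the query string, and runs the permission check on the value it is about to act on.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// managers is a constructed permission table: user -> projects they manage.
// alice is "Project Manager" on project 1 only.
var managers = map[string]map[string]bool{
	"alice": {"1": true},
}

func isProjectManager(user, projectID string) bool {
	return managers[user][projectID]
}

// membership records project -> users added, so callers can see what each handler did.
type membership map[string][]string

// vulnerableAddUser mirrors the flaw: the permission check reads project_id
// from the URL, while the update reads project_id from the POST body.
func vulnerableAddUser(members membership) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user := r.Header.Get("X-User") // constructed stand-in for the session user
		checked := r.URL.Query().Get("project_id")
		if !isProjectManager(user, checked) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if err := r.ParseForm(); err != nil {
			http.Error(w, "bad form", http.StatusBadRequest)
			return
		}
		target := r.PostForm.Get("project_id") // never re-checked against the user's permissions
		members[target] = append(members[target], r.PostForm.Get("user_id"))
	}
}

// hardenedAddUser takes project_id from one source, rejects a conflicting
// copy in the query string, and authorizes the value it is about to act on.
func hardenedAddUser(members membership) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user := r.Header.Get("X-User")
		if err := r.ParseForm(); err != nil {
			http.Error(w, "bad form", http.StatusBadRequest)
			return
		}
		target := r.PostForm.Get("project_id")
		if q := r.URL.Query().Get("project_id"); q != "" && q != target {
			http.Error(w, "conflicting project_id", http.StatusBadRequest)
			return
		}
		if !isProjectManager(user, target) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		members[target] = append(members[target], r.PostForm.Get("user_id"))
	}
}

// send drives a handler in memory with a request from alice and returns the
// status code plus the resulting membership table.
func send(build func(membership) http.HandlerFunc, query, body string) (int, membership) {
	members := membership{}
	req := httptest.NewRequest(http.MethodPost, "/project/add-user"+query, strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("X-User", "alice")
	rec := httptest.NewRecorder()
	build(members).ServeHTTP(rec, req)
	return rec.Code, members
}

func main() {
	// The attack: authorized project in the URL, victim project in the body.
	const attackBody = "project_id=2&user_id=mallory"
	code, m := send(vulnerableAddUser, "?project_id=1", attackBody)
	fmt.Printf("vulnerable: %d, project 2 members=%v\n", code, m["2"])
	code, m = send(hardenedAddUser, "?project_id=1", attackBody)
	fmt.Printf("hardened:   %d, project 2 members=%v\n", code, m["2"])
}
```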
2024-06-05 | VuXML ID 144836e3-2358-11ef-996e-40b034455553
Minio security advisory GHSA-xx8w-mq23-29g4 reports:
When someone creates an access key, it inherits the
permissions of the parent key. Not only for s3:* actions,
but also admin:* actions. Which means unless somewhere
above in the access-key hierarchy, the admin rights are
denied, access keys will be able to simply override their
own s3 permissions to something more permissive.
more... | minio
more detail |
2024-06-05 | VuXML ID 14908bda-232b-11ef-b621-00155d645102
Cyrus IMAP 3.8.3 Release Notes states:
Fixed CVE-2024-34055: Cyrus-IMAP through 3.8.2 and 3.10.0-beta2 allow authenticated attackers to cause unbounded memory allocation by sending many LITERALs in a single command.
The IMAP protocol allows for command arguments to be LITERALs of negotiated length, and for these the server allocates memory to receive the content before instructing the client to proceed. The allocated memory is released when the whole command has been received and processed.
The IMAP protocol has a number of commands that specify an unlimited number of arguments, for example SEARCH. Each of these arguments can be a LITERAL, for which memory will be allocated and not released until the entire command has been received and processed. This can run a server out of memory, with varying consequences depending on the server's OOM policy.
more... | cyrus-imapd25 cyrus-imapd30 cyrus-imapd32 cyrus-imapd34 cyrus-imapd36 cyrus-imapd38
more detail |
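The mechanism in the Cyrus entry above (many LITERALs in one command, each pre-allocated and held until the command completes) is worth seeing as a command reader with a budget. The Go program below is an added example written for this page, not Cyrus code and not its actual fix: it models the server side of literal handling for one command and caps both the size of a single literal and the running total of literal bytes announced within the command. The simulated client, the SEARCH command shape, the limits (1 MiB per literal, 8 MiB per command) and the payload are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// literalRE matches a literal announcement at the end of a command line:
// {N} (synchronizing) or {N+} (LITERAL+).
var literalRE = regexp.MustCompile(`\{(\d+)\+?\}$`)

var errLiteralBudget = errors.New("BAD total literal size for this command exceeds the server limit")

// commandReader reassembles one IMAP command from client lines, keeping
// count of how many literal bytes the server has been asked to buffer for
// the command so far. The per-command cap is the mitigation: no single
// command can drive allocation beyond maxPerCmd, however many arguments it has.
type commandReader struct {
	maxLiteral int // largest single literal accepted
	maxPerCmd  int // cap on the sum of all literals within one command
	allocated  int // bytes reserved for the command in progress
	pending    int // size of the literal announced by the last line, not yet received
}

// feedLine handles one line of client input up to CRLF. It returns
// (true, nil) when the server must send "+ go ahead" and read a literal next,
// and (false, nil) when the command is complete.
func (c *commandReader) feedLine(line string) (bool, error) {
	m := literalRE.FindStringSubmatch(line)
	if m == nil {
		return false, nil
	}
	n, err := strconv.Atoi(m[1])
	if err != nil || n > c.maxLiteral {
		return false, fmt.Errorf("BAD literal too large: %s", m[1])
	}
	if c.allocated+n > c.maxPerCmd {
		return false, errLiteralBudget
	}
	c.allocated += n // a real server would allocate the receive buffer here
	c.pending = n
	return true, nil
}

// feedLiteral receives the bytes announced by the preceding line.
func (c *commandReader) feedLiteral(data []byte) error {
	if len(data) != c.pending {
		return fmt.Errorf("BAD expected %d literal bytes, got %d", c.pending, len(data))
	}
	c.pending = 0
	return nil
}

// runCommand simulates a client sending "A1 SEARCH TEXT {size} ... TEXT {size} ..."
// with count literal arguments, and reports how many literals the server
// accepted before refusing (count means the whole command was accepted).
func runCommand(maxLiteral, maxPerCmd, count, size int) (int, error) {
	c := &commandReader{maxLiteral: maxLiteral, maxPerCmd: maxPerCmd}
	payload := []byte(strings.Repeat("x", size)) // constructed literal content
	for i := 0; i < count; i++ {
		line := fmt.Sprintf(" TEXT {%d}", size)
		if i == 0 {
			line = "A1 SEARCH" + line
		}
		more, err := c.feedLine(line)
		if err != nil {
			return i, err
		}
		if !more {
			return i, errors.New("protocol error: literal announcement not recognised")
		}
		if err := c.feedLiteral(payload); err != nil {
			return i, err
		}
	}
	// The final CRLF after the last literal ends the command.
	if _, err := c.feedLine(""); err != nil {
		return count, err
	}
	return count, nil
}

func main() {
	const mib = 1 << 20
	for _, tc := range []struct{ count, size int }{{4, mib}, {100, mib}, {1, 2 * mib}} {
		n, err := runCommand(mib, 8*mib, tc.count, tc.size)
		fmt.Printf("%3d literals of %d bytes: accepted %d, err=%v\n", tc.count, tc.size, n, err)
	}
}
```

With the budget in place the hundred-literal command is cut off after the eighth literal, so an authenticated client can cost the server at most maxPerCmd per connection rather than an unbounded amount.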
2024-06-05 | VuXML ID 80fbe184-2358-11ef-996e-40b034455553
Minio security advisory GHSA-95fr-cm4m-q5p9 reports:
When used with anonymous requests, by sending random object name
requests you can figure out if the object exists or not on the
server in a specific bucket and also gain access to some amount
of information.
more... | minio
more detail |
2024-06-03 | VuXML ID b058380e-21a4-11ef-8a0f-a8a1599412c6
Chrome Releases reports:
This update includes 11 security fixes:
- [339877165] High CVE-2024-5493: Heap buffer overflow in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2024-05-11
- [338071106] High CVE-2024-5494: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
- [338103465] High CVE-2024-5495: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
- [338929744] High CVE-2024-5496: Use after free in Media Session. Reported by Cassidy Kim(@cassidy6564) on 2024-05-06
- [339061099] High CVE-2024-5497: Out of bounds memory access in Keyboard Inputs. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2024-05-07
- [339588211] High CVE-2024-5498: Use after free in Presentation API. Reported by anonymous on 2024-05-09
- [339877167] High CVE-2024-5499: Out of bounds write in Streams API. Reported by anonymous on 2024-05-11
more... | chromium ungoogled-chromium
more detail |
2024-05-29 | VuXML ID 320a19f7-1ddd-11ef-a2ae-8c164567ca3c
The nginx development team reports:
This update fixes the following vulnerabilities:
- Stack overflow and use-after-free in HTTP/3
- Buffer overwrite in HTTP/3
- Memory disclosure in HTTP/3
- NULL pointer dereference in HTTP/3
more... | nginx nginx-devel
more detail |
2024-05-29 | VuXML ID 6926d038-1db4-11ef-9f97-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [341663589] High CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20
more... | chromium ungoogled-chromium
more detail |
2024-05-28 | VuXML ID 73a697d7-1d0f-11ef-a490-84a93843eb75
The OpenSSL project reports:
Use After Free with SSL_free_buffers (low).
Calling the OpenSSL API function SSL_free_buffers may cause
memory to be accessed that was previously freed in some situations
more... | openssl openssl-quictls openssl31 openssl31-quictls openssl32 openssl33
more detail |
2024-05-25 | VuXML ID 04e78f32-04b2-4c23-bfae-72600842d317
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-4948.
more... | electron29
more detail |
2024-05-25 | VuXML ID 43d1c381-a3e5-4a1d-b3ed-f37b61a451af
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-4948.
- Security: backported fix for CVE-2024-3914.
- Security: backported fix for CVE-2024-4060.
- Security: backported fix for CVE-2024-4058.
- Security: backported fix for CVE-2024-4558.
more... | electron28
more detail |
2024-05-24 | VuXML ID f5fa174d-19de-11ef-83d8-4ccc6adda413
Andy Shaw reports:
The OAuth1 implementation in QtNetworkAuth created nonces using
a PRNG that was seeded with a predictable seed.
This means that an attacker that can somehow control the time of
the first OAuth1 flow of the process has a high chance of predicting
the nonce used in said OAuth flow.
more... | qt5-networkauth qt6-networkauth
more detail |
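The QtNetworkAuth issue above is a seeding problem rather than a weak generator as such: if the seed is the time of the first OAuth1 flow, an attacker who can narrow that time down can replay the generator. The Go program below is an added example written for this page, not Qt code: weakNonce reproduces the pattern with math/rand seeded by a caller-supplied value, guessSeed plays the attacker searching a window of candidate timestamps, and strongNonce shows the correct construction from the OS CSPRNG. The timestamps, nonce length and search window are constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
	"time"
)

// weakNonce reproduces the flawed pattern: a general-purpose PRNG seeded
// with a value an attacker can estimate (in the advisory, the time of the
// first OAuth1 flow). Same seed, same nonce.
func weakNonce(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return hex.EncodeToString(b)
}

// strongNonce draws from the operating system CSPRNG; there is no seed to guess.
func strongNonce(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// guessSeed is the attacker's side: given an observed weak nonce and an
// estimate of the seed (a Unix timestamp), search a window of candidate
// seeds and return the one that reproduces the nonce.
func guessSeed(observed string, estimate, window int64, n int) (int64, bool) {
	for s := estimate - window; s <= estimate+window; s++ {
		if weakNonce(s, n) == observed {
			return s, true
		}
	}
	return 0, false
}

func main() {
	// Constructed scenario: the process seeded its PRNG with the Unix time of
	// its first OAuth flow; the attacker knows that time to within a minute.
	actual := time.Date(2024, 5, 24, 12, 0, 5, 0, time.UTC).Unix()
	nonce := weakNonce(actual, 16)
	seed, ok := guessSeed(nonce, actual-5, 60, 16)
	fmt.Printf("weak nonce %s recovered seed=%d ok=%v\n", nonce, seed, ok)

	s1, _ := strongNonce(16)
	s2, _ := strongNonce(16)
	fmt.Printf("strong nonces differ: %v (%s, %s)\n", s1 != s2, s1, s2)
}
```

Once the seed is recovered, every later nonce the process will emit is known too, which is what makes a predictable seed fatal for OAuth1 replay protection.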
2024-05-22 | VuXML ID 8247af0d-183b-11ef-9f97-a8a1599412c6
Chrome Releases reports:
This update includes 15 security fixes:
- [336012573] High CVE-2024-5157: Use after free in Scheduling. Reported by Looben Yang on 2024-04-21
- [338908243] High CVE-2024-5158: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-05-06
- [335613092] High CVE-2024-5159: Heap buffer overflow in ANGLE. Reported by David Sievers (@loknop) on 2024-04-18
- [338161969] High CVE-2024-5160: Heap buffer overflow in Dawn. Reported by wgslfuzz on 2024-05-01
- [340221135] High CVE-2024-4947: Type Confusion in V8. Reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky on 2024-05-13
- [333414294] High CVE-2024-4948: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
- [326607001] Medium CVE-2024-4949: Use after free in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-02-24
- [40065403] Low CVE-2024-4950: Inappropriate implementation in Downloads. Reported by Shaheen Fazim on 2023-06-06
more... | chromium ungoogled-chromium
more detail |
2024-05-22 | VuXML ID f848ef90-1848-11ef-9850-001b217b3468
Gitlab reports:
1-click account takeover via XSS in the code editor in gitlab.com
A DOS vulnerability in the 'description' field of the runner
CSRF via K8s cluster-integration
Using Set Pipeline Status of a Commit API incorrectly creates a new pipeline when SHA and pipeline_id do not match
Redos on wiki render API/Page
Resource exhaustion and denial of service with test_report API calls
Guest user can view dependency lists of private projects through job artifacts
Stored XSS via PDFjs
more... | gitlab-ce gitlab-ee
more detail |
2024-05-21 | VuXML ID 9bcff2c4-1779-11ef-b489-b42e991fc52e
security-advisories@github.com reports:
Openfire's administrative console, a web-based
application, was found to be vulnerable to a path traversal attack
via the setup environment. This permitted an unauthenticated user
to use the unauthenticated Openfire Setup Environment in an already
configured Openfire environment to access restricted pages in the
Openfire Admin Console reserved for administrative users. This
vulnerability affects all versions of Openfire that have been
released since April 2015, starting with version 3.10.0. The problem
has been patched in Openfire release 4.7.5 and 4.6.8, and further
improvements will be included in the yet-to-be released first version
on the 4.8 branch (which is expected to be version 4.8.0). Users
are advised to upgrade. If an Openfire upgrade isn't available for
a specific release, or isn't quickly actionable, users may see the
linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.
more... | openfire
more detail |
2024-05-21 | VuXML ID e020b0fd-1751-11ef-a490-84a93843eb75
The Roundcube project reports:
cross-site scripting (XSS) vulnerability in handling SVG
animate attributes.
cross-site scripting (XSS) vulnerability in handling list
columns from user preferences.
more... | roundcube
more detail |
2024-05-19 | VuXML ID d58455cc-159e-11ef-83d8-4ccc6adda413
Backports for 2 security bugs in Chromium:
- CVE-2024-3157: Out of bounds write in Compositing
- CVE-2024-3516: Heap buffer overflow in ANGLE
more... | qt5-webengine
more detail |
2024-05-18 | VuXML ID f393b5a7-1535-11ef-8064-c5610a6efffb
Tor Project reports:
When building anonymizing circuits to or from an onion
service with 'lite' vanguards (the default) enabled, the
circuit manager code would build the circuits with one
hop too few.
When 'full' vanguards are enabled, some circuits are
supposed to be built with an extra hop to minimize the
linkability of the guard nodes. In some circumstances,
the circuit manager would build circuits with one hop
too few, making it easier for an adversary to discover
the L2 and L3 guards of the affected clients and
services.
more... | arti
more detail |
2024-05-17 | VuXML ID a431676c-f86c-4371-b48a-b7d2b0bec3a3
Electron developers report:
This update fixes the following vulnerability:
- Backported fix for CVE-2024-22017.
more... | electron29
more detail |
2024-05-17 | VuXML ID b88aa380-1442-11ef-a490-84a93843eb75
The OpenSSL project reports:
Excessive time spent checking DSA keys and parameters (Low)
Checking excessively long DSA keys or parameters may be very
slow.
more... | openssl openssl-quictls openssl31 openssl31-quictls openssl32 openssl33
more detail |
2024-05-15 | VuXML ID c6f03ea6-12de-11ef-83d8-4ccc6adda413
Qt qtwebengine-chromium repo reports:
Backports for 16 security bugs in Chromium:
- CVE-2024-2625: Object lifecycle issue in V8
- CVE-2024-2626: Out of bounds read in Swiftshader
- CVE-2024-2885: Use after free in Dawn
- CVE-2024-2887: Type Confusion in WebAssembly
- CVE-2024-3157: Out of bounds write in Compositing
- CVE-2024-3159: Out of bounds memory access in V8
- CVE-2024-3516: Heap buffer overflow in ANGLE
- CVE-2024-3837: Use after free in QUIC
- CVE-2024-3839: Out of bounds read in Fonts
- CVE-2024-3914: Use after free in V8
- CVE-2024-3840: Insufficient policy enforcement in Site Isolation
- CVE-2024-4058: Type Confusion in ANGLE
- CVE-2024-4060: Use after free in Dawn
- CVE-2024-4331: Use after free in Picture In Picture
- CVE-2024-4368: Use after free in Dawn
- CVE-2024-4671: Use after free in Visuals
more... | qt6-webengine
more detail |
2024-05-15 | VuXML ID e79cc4e2-12d7-11ef-83d8-4ccc6adda413
Andy Shaw reports:
QStringConverter has an invalid pointer being passed as a callback
which can allow modification of the stack. Qt itself is not vulnerable
to remote attack however an application using QStringDecoder either
directly or indirectly can be vulnerable.
This requires:
- the attacker be able to tell the application a specific codec to use
- the attacker be able to feed the application data in a specific way to cause the desired modification
- the attacker know what in the stack will get modified, which requires knowing the build of the application (and not all builds will be vulnerable)
- the modification do anything in particular that is useful to the attacker, besides maybe crashing the application
Qt does not automatically use any of those codecs, so this needs the application
to implement something using QStringDecoder to be vulnerable.
more... | qt6-base
more detail |
2024-05-14 | VuXML ID 5afd64ae-122a-11ef-8eed-1c697a616631
Intel reports:
Potential security vulnerabilities in some Intel Trust Domain
Extensions (TDX) module software may allow escalation of
privilege. Improper input validation in some Intel TDX module
software before version 1.5.05.46.698 may allow a privileged user to
potentially enable escalation of privilege via local access. Intel
is releasing firmware updates to mitigate these potential
vulnerabilities.
A potential security vulnerability in some Intel Processors may
allow information disclosure. Hardware logic contains race
conditions in some Intel Processors that may allow an authenticated
user to potentially enable partial information disclosure via local
access. Intel is releasing microcode updates to mitigate this
potential vulnerability.
A potential security vulnerability in Intel Core Ultra Processors
may allow denial of service. Sequence of processor instructions
leads to unexpected behavior in Intel Core Ultra Processors may
allow an authenticated user to potentially enable denial of service
via local access. Intel is releasing microcode updates to mitigate
this potential vulnerability.
more... | cpu-microcode-intel
more detail |
2024-05-14 | VuXML ID 8e0e8b56-11c6-11ef-9f97-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [339458194] High CVE-2024-4761: Out of bounds write in V8. Reported by Anonymous on 2024-05-09
more... | chromium ungoogled-chromium
more detail |
2024-05-13 | VuXML ID d3847eba-114b-11ef-9c21-901b0e9408dc
The Go project reports:
net: malformed DNS message can cause infinite loop
A malformed DNS message in response to a query can cause
the Lookup functions to get stuck in an infinite loop.
more... | go121 go122
more detail |
2024-05-13 | VuXML ID f2d8342f-1134-11ef-8791-6805ca2fa271
PowerDNS Security Advisory reports:
When incoming DNS over HTTPS support is enabled using the nghttp2 provider,
and queries are routed to a tcp-only or DNS over TLS backend, an attacker can
trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR
or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a
Denial of Service. DNS over HTTPS is not enabled by default, and backends are using
plain DNS (Do53) by default.
more... | dnsdist
more detail |
2024-05-12 | VuXML ID 3cf8ea44-1029-11ef-9f97-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [339266700] High CVE-2024-4671: Use after free in Visuals. Reported by Anonymous on 2024-05-07
more... | chromium ungoogled-chromium
more detail |
2024-05-09 | VuXML ID d53c30c1-0d7b-11ef-ba02-6cc21735f730
PostgreSQL project reports:
A security vulnerability was found in the system views pg_stats_ext
and pg_stats_ext_exprs, potentially allowing authenticated database
users to see data they shouldn't. If this is of concern in your
installation, run the SQL script /usr/local/share/postgresql/fix-CVE-2024-4317.sql
for each of your databases. See the link for details.
more... | postgresql-server
more detail |
2024-05-09 | VuXML ID ec994672-5284-49a5-a7fc-93c02126e5fb
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-3914.
- Security: backported fix for CVE-2024-4558.
more... | electron29
more detail |
2024-05-09 | VuXML ID ee6936da-0ddd-11ef-9c21-901b0e9408dc
Tailscale team reports:
In Tailscale versions earlier than 1.66.0, exit nodes,
subnet routers, and app connectors, could allow inbound
connections to other tailnet nodes from their local area
network (LAN). This vulnerability only affects Linux exit
nodes, subnet routers, and app connectors in tailnets where
ACLs allow "src": "*", such as with default ACLs.
more... | tailscale
more detail |
2024-05-09 | VuXML ID fbc2c629-0dc5-11ef-9850-001b217b3468
Gitlab reports:
ReDoS in branch search when using wildcards
ReDoS in markdown render pipeline
Redos on Discord integrations
Redos on Google Chat Integration
Denial of Service Attack via Pin Menu
DoS by filtering tags and branches via the API
MR approval via CSRF in SAML SSO
Banned user from groups can read issues updates via the api
Require confirmation before linking JWT identity
View confidential issues title and description of any public project via export
SSRF via Github importer
more... | gitlab-ce gitlab-ee
more detail |
2024-05-08 | VuXML ID 059a99a9-45e0-492b-b9f9-5a79573c8eb6
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-4060.
- Security: backported fix for CVE-2024-4058.
more... | electron29
more detail |
2024-05-02 | VuXML ID 4a1e2bad-0836-11ef-9fd2-1c697a616631
HiddenLayer Research reports:
Deserialization of untrusted data can occur in the R statistical programming language, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user's system.
more... | R
more detail |
2024-05-02 | VuXML ID f69415aa-086e-11ef-9f97-a8a1599412c6
Chrome Releases reports:
This update includes 2 security fixes:
- [335003891] High CVE-2024-4331: Use after free in Picture In Picture. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-04-16
- [333508731] High CVE-2024-4368: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
more... | chromium ungoogled-chromium
more detail |
2024-05-01 | VuXML ID da4adc02-07f4-11ef-960d-5404a68ad561
The openSUSE project reports:
The problematic function in question is putSDN() in mail.c. The static variable `cp` is used as an index for a fixed-sized buffer `ibuf`. There is a range check: `if ( cp >= HDR_BUF_LEN ) ...` but under certain circumstances, cp can be incremented beyond the buffer size, leading to a buffer overwrite
more... | ko-hcode
more detail |
2024-04-28 | VuXML ID 5da8b1e6-0591-11ef-9e00-080027957747
GLPI team reports:
GLPI 10.0.15 Changelog
- [SECURITY - high] Authenticated SQL injection from map search (CVE-2024-31456)
- [SECURITY - high] Account takeover via SQL Injection in saved searches feature (CVE-2024-29889)
more... | glpi
more detail |
2024-04-28 | VuXML ID b3affee8-04d1-11ef-8928-901b0ef714d4
GitHub Advisory Database:
Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change collation of the affected field.
more... | py310-social-auth-app-django py311-social-auth-app-django py38-social-auth-app-django py39-social-auth-app-django
more detail |
2024-04-25* | VuXML ID 0309c898-3aed-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library chosen is sodium.
more... | glpi
more detail |
2024-04-25* | VuXML ID 07aecafa-3b12-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6.
more... | glpi
more detail |
2024-04-25* | VuXML ID 09eef008-3b16-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection. Since authentication is not required to perform these changes, anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2.
more... | glpi
more detail |
2024-04-25* | VuXML ID 0ba61fcc-3b38-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an API account to the system. The issue is patched in version 9.5.2. A proof-of-concept with technical details is available in the linked advisory.
more... | glpi
more detail |
2024-04-25* | VuXML ID 190176ce-3b3a-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).
more... | glpi
more detail |
2024-04-25* | VuXML ID 27a230a2-3b11-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "alert(1)" reproduces the attack. This can be exploited by a user with administrator privileges in the User-Agent field. It can also be exploited by an outside party through the following steps: 1. Create a user with the surname `" onmouseover="alert(document.cookie)` and an empty first name. 2. With this user, create a ticket. 3. As an administrator (or other privileged user) open the created ticket. 4. On the "last update" field, put your mouse on the name of the user. 5. The XSS fires. This is fixed in version 9.4.6.
more... | glpi
more detail |
2024-04-25* | VuXML ID 3a63f478-3b10-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. This is fixed in version 9.4.6.
more... | glpi
more detail |
2024-04-25* | VuXML ID 5acd95db-3b16-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.
more... | glpi
more detail |
2024-04-25* | VuXML ID 675e5098-3b15-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.5.2, the pluginimage.send.php endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in /files/. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2.
more... | glpi
more detail |
2024-04-25* | VuXML ID 68958e18-ed94-11ed-9688-b42e991fc52e
glpi Project reports:
Multiple vulnerabilities found and fixed in this version:
- High CVE-2023-28849: SQL injection and Stored XSS via inventory agent request.
- High CVE-2023-28632: Account takeover by authenticated user.
- High CVE-2023-28838: SQL injection through dynamic reports.
- Moderate CVE-2023-28852: Stored XSS through dashboard administration.
- Moderate CVE-2023-28636: Stored XSS on external links.
- Moderate CVE-2023-28639: Reflected XSS in search pages.
- Moderate CVE-2023-28634: Privilege Escalation from technician to super-admin.
- Low CVE-2023-28633: Blind Server-Side Request Forgery (SSRF) in RSS feeds.
more... | glpi
more detail |
2024-04-25* | VuXML ID 695b2310-3b3a-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).
more... | glpi
more detail |
2024-04-25* | VuXML ID 6a467439-3b38-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. This issue is fixed in version 9.5.3. As a workaround, one can remove the caldav.php file to block access to CalDAV server.
more... | glpi
more detail |
2024-04-25 | VuXML ID 7a42852d-0347-11ef-9f97-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [332546345] Critical CVE-2024-4058: Type Confusion in ANGLE. Reported by Toan (suto) Pham and Bao (zx) Pham of Qrious Secure on 2024-04-02
- [333182464] High CVE-2024-4059: Out of bounds read in V8 API. Reported by Eirik on 2024-04-08
- [333420620] High CVE-2024-4060: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
more... | chromium ungoogled-chromium
more detail |
2024-04-25* | VuXML ID 7f163c81-3b12-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1.
more... | glpi
more detail |
2024-04-25* | VuXML ID 832fd11b-3b11-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.
more... | glpi
more detail |
2024-04-25* | VuXML ID aec9cbe0-3b0f-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled and a technician account. It can be mitigated by adding an application token. This is fixed in version 9.4.6.
more... | glpi
more detail |
2024-04-25* | VuXML ID b3695b08-3b3a-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
GLPI before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. Problem is we can not know which columns or rows in the database are using that; especially from plugins. Changing the key without updating data would lend in bad password sent from glpi; but storing them again from the UI will work.
more... | glpi
more detail |
2024-04-25* | VuXML ID b3aae7ea-3aef-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances. Exploiting this vulnerability requires a technician account. This is fixed in version 9.4.6.
more... | glpi
more detail |
2024-04-25* | VuXML ID b64edef7-3b10-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.
more... | glpi
more detail |
2024-04-25* | VuXML ID b7abdb0f-3b15-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query, the application does not escape or sanitize, allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2.
more... | glpi
more detail |
2024-04-25* | VuXML ID d222241d-91cc-11ea-82b8-4c72b94353b5
MITRE Corporation reports:
inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture.
more... | glpi
more detail |
2024-04-25* | VuXML ID d3f60db0-3aea-11eb-af2a-080027dbe4b7
MITRE Corporation reports:
GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of admin account. This vulnerability could be also abused to obtain other sensitive fields like API keys or password hashes.
more... | glpi
more detail |
2024-04-24 | VuXML ID 1af16f2b-023c-11ef-8791-6805ca2fa271
PowerDNS Team reports:
PowerDNS Security Advisory 2024-02: if recursive forwarding is configured,
crafted responses can lead to a denial of service in Recursor
more... | powerdns-recursor
more detail |
2024-04-24 | VuXML ID b857606c-0266-11ef-8681-001b217b3468
Gitlab reports:
GitLab account takeover, under certain conditions, when using Bitbucket as an OAuth provider
Path Traversal leads to DoS and Restricted File Read
Unauthenticated ReDoS in FileFinder when using wildcard filters in project file search
Personal Access Token scopes not honoured by GraphQL subscriptions
Domain based restrictions bypass using a crafted email address
more... | gitlab-ce gitlab-ee
more detail |
2024-04-24 | VuXML ID bdfa6c04-027a-11ef-9c21-901b0e9408dc
Matrix developers report:
Weakness in auth chain indexing allows DoS from remote
room members through disk fill and high CPU usage. (High severity)
more... | py310-matrix-synapse py311-matrix-synapse py38-matrix-synapse py39-matrix-synapse
more detail |
2024-04-23 | VuXML ID 2ce1a2f1-0177-11ef-a45e-08002784c58d
sp2ip reports:
If attacker-supplied data is provided to the Ruby regex
compiler, it is possible to extract arbitrary heap data
relative to the start of the text, including pointers and
sensitive strings.
more... | ruby ruby31 ruby32 ruby33
more detail |
2024-04-22 | VuXML ID 304d92c3-00c5-11ef-bd52-080027bff743
GitHub Security Lab reports:
stb_image.h and stb_vorbis libraries contain several memory access violations of different severity
- Wild address read in stbi__gif_load_next (GHSL-2023-145).
- Multi-byte read heap buffer overflow in stbi__vertical_flip (GHSL-2023-146).
- Disclosure of uninitialized memory in stbi__tga_load (GHSL-2023-147).
- Double-free in stbi__load_gif_main_outofmem (GHSL-2023-148).
- Null pointer dereference in stbi__convert_format (GHSL-2023-149).
- Possible double-free or memory leak in stbi__load_gif_main (GHSL-2023-150).
- Null pointer dereference because of an uninitialized variable (GHSL-2023-151).
- 0 byte write heap buffer overflow in start_decoder (GHSL-2023-165)
- Multi-byte write heap buffer overflow in start_decoder (GHSL-2023-166)
- Heap buffer out of bounds write in start_decoder (GHSL-2023-167)
- Off-by-one heap buffer write in start_decoder (GHSL-2023-168)
- Attempt to free an uninitialized memory pointer in vorbis_deinit (GHSL-2023-169)
- Null pointer dereference in vorbis_deinit (GHSL-2023-170)
- Out of bounds heap buffer write (GHSL-2023-171)
- Wild address read in vorbis_decode_packet_rest (GHSL-2023-172)
more... | sdl2_sound
more detail |
2024-04-22 | VuXML ID bb49f1fa-00da-11ef-92b7-589cfc023192
GLPI team reports:
GLPI 10.0.13 Changelog
- [SECURITY - high] SQL Injection through the search engine (CVE-2024-27096)
- [SECURITY - moderate] Blind SSRF using Arbitrary Object Instantiation (CVE-2024-27098)
- [SECURITY - moderate] Stored XSS in dashboards (CVE-2024-27104)
- [SECURITY - moderate] Reflected XSS in debug mode (CVE-2024-27914)
- [SECURITY - moderate] Sensitive fields access through dropdowns (CVE-2024-27930)
- [SECURITY - moderate] Users emails enumeration (CVE-2024-27937)
more... | glpi
more detail |
2024-04-22 | VuXML ID ed688880-00c4-11ef-92b7-589cfc023192
GLPI team reports:
GLPI 10.0.11 Changelog
- [SECURITY - moderate] Authenticated SQL Injection (CVE-2023-43813)
- [SECURITY - high] SQL injection through inventory agent request (CVE-2023-46727)
- [SECURITY - high] Remote code execution from LDAP server configuration form on PHP 7.4 (CVE-2023-46726)
more... | glpi
more detail |
2024-04-22 | VuXML ID faccf131-00d9-11ef-92b7-589cfc023192
GLPI team reports:
GLPI 10.0.12 Changelog
- [SECURITY - moderate] Reflected XSS in reports pages (CVE-2024-23645)
- [SECURITY - moderate] LDAP Injection during authentication (CVE-2023-51446)
more... | glpi
more detail |
2024-04-21 | VuXML ID 9bed230f-ffc8-11ee-8e76-a8a1599412c6
Chrome Releases reports:
This update includes 23 security fixes:
- [331358160] High CVE-2024-3832: Object corruption in V8. Reported by Man Yue Mo of GitHub Security Lab on 2024-03-27
- [331383939] High CVE-2024-3833: Object corruption in WebAssembly. Reported by Man Yue Mo of GitHub Security Lab on 2024-03-27
- [330759272] High CVE-2024-3914: Use after free in V8. Reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024 on 2024-03-21
- [326607008] High CVE-2024-3834: Use after free in Downloads. Reported by ChaobinZhang on 2024-02-24
- [41491379] Medium CVE-2024-3837: Use after free in QUIC. Reported by {rotiple, dch3ck} of CW Research Inc. on 2024-01-15
- [328278717] Medium CVE-2024-3838: Inappropriate implementation in Autofill. Reported by Ardyan Vicky Ramadhan on 2024-03-06
- [41491859] Medium CVE-2024-3839: Out of bounds read in Fonts. Reported by Ronald Crane (Zippenhop LLC) on 2024-01-16
- [41493458] Medium CVE-2024-3840: Insufficient policy enforcement in Site Isolation. Reported by Ahmed ElMasry on 2024-01-22
- [330376742] Medium CVE-2024-3841: Insufficient data validation in Browser Switcher. Reported by Oleg on 2024-03-19
- [41486690] Medium CVE-2024-3843: Insufficient data validation in Downloads. Reported by Azur on 2023-12-24
- [40058873] Low CVE-2024-3844: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2022-02-23
- [323583084] Low CVE-2024-3845: Inappropriate implementation in Network. Reported by Daniel Baulig on 2024-02-03
- [40064754] Low CVE-2024-3846: Inappropriate implementation in Prompts. Reported by Ahmed ElMasry on 2023-05-23
- [328690293] Low CVE-2024-3847: Insufficient policy enforcement in WebUI. Reported by Yan Zhu on 2024-03-08
more... | chromium ungoogled-chromium
more detail |
2024-04-19 | VuXML ID 4ebdd56b-fe72-11ee-bc57-00e081b7aa2d
Jenkins Security Advisory:
Description
(Medium) SECURITY-3386 / CVE-2023-48795
Terrapin SSH vulnerability in Jenkins CLI client
more... | jenkins jenkins-lts
more detail |
2024-04-19 | VuXML ID ecafc4af-fe8a-11ee-890c-08002784c58d
Błażej Pawłowski reports:
A vulnerability in the HTML parser of ClamAV could allow
an unauthenticated, remote attacker to cause a denial of
service (DoS) condition on an affected device. The
vulnerability is due to an issue in the C to Rust foreign
function interface. An attacker could exploit this
vulnerability by submitting a crafted file containing HTML
content to be scanned by ClamAV on an affected device. An
exploit could allow the attacker to cause the ClamAV
scanning process to terminate, resulting in a DoS
condition on the affected software.
more... | clamav
more detail |
2024-04-18 | VuXML ID f90bf863-e43c-4db3-b5a8-d9603684657a
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-3515.
- Security: backported fix for CVE-2024-3516.
- Security: backported fix for CVE-2024-3157.
- Security: backported fix for CVE-2024-1580.
more... | electron27 electron28 electron29
more detail |
2024-04-16 | VuXML ID 080936ba-fbb7-11ee-abc8-6960f2492b1d
Simon Tatham reports:
ECDSA signatures using 521-bit keys (the NIST P521 curve,
otherwise known as ecdsa-sha2-nistp521) were generated with biased
random numbers. This permits an attacker in possession of a few
dozen signatures to RECOVER THE PRIVATE KEY.
Any 521-bit ECDSA private key that PuTTY or Pageant has used to
sign anything should be considered compromised.
Additionally, if you have any 521-bit ECDSA private keys that
you've used with PuTTY, you should consider them to be
compromised: generate new keys, and remove the old public keys
from any authorized_keys files.
A second, independent scenario is that the adversary is an operator
of an SSH server to which the victim authenticates (for remote login
or file copy), [...] and the victim uses the same private key for
SSH connections to other services operated by other entities. Here,
the rogue server operator (who would otherwise have no way to
determine the victim's private key) can derive the victim's private
key, and then use it for unauthorized access to those other
services. If the other services include Git services, then again it
may be possible to conduct supply-chain attacks on software
maintained in Git. This also affects, for example, FileZilla before
3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and
TortoiseSVN through 1.14.6.
more... | filezilla putty putty-nogtk
more detail |
2024-04-16 | VuXML ID 6d82c5e9-fc24-11ee-a689-04421a1baf97
This update includes 3 security fixes:
- High CVE-2024-1874: Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows
- Medium CVE-2024-2756: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
- High CVE-2024-2757: mb_encode_mimeheader runs endlessly for some inputs
more... | php81 php82 php83
more detail |
2024-04-15 | VuXML ID cdb5e0e3-fafc-11ee-9c21-901b0e9408dc
The Go project reports:
http2: close connections when receiving too many headers
Maintaining HPACK state requires that we parse and
process all HEADERS and CONTINUATION frames on a
connection. When a request's headers exceed MaxHeaderBytes,
we don't allocate memory to store the excess headers but we
do parse them. This permits an attacker to cause an HTTP/2
endpoint to read arbitrary amounts of header data, all
associated with a request which is going to be
rejected. These headers can include Huffman-encoded data
which is significantly more expensive for the receiver to
decode than for an attacker to send.
more... | go121 go122
more detail |
2024-04-12 | VuXML ID 7314942b-0889-46f0-b02b-2c60aabe4a82
Chrome Releases reports:
This update includes 3 security fixes:
- [331237485] High CVE-2024-3157: Out of bounds write in Compositing. Reported by DarkNavy on 2024-03-26
- [328859176] High CVE-2024-3516: Heap buffer overflow in ANGLE. Reported by Bao (zx) Pham and Toan (suto) Pham of Qrious Secure on 2024-03-09
- [331123811] High CVE-2024-3515: Use after free in Dawn. Reported by wgslfuzz on 2024-03-25
more... | chromium ungoogled-chromium
more detail |
2024-04-11 | VuXML ID 02be46c1-f7cc-11ee-aa6b-b42e991fc52e
cve@mitre.org reports:
latchset jose through version 11 allows attackers to cause
a denial of service (CPU consumption) via a large p2c (aka
PBES2 Count) value.
more... | jose
more detail |
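The jose entry above is a cost-amplification problem: the PBES2 "p2c" header field tells the recipient how many PBKDF2 iterations to run, so an attacker-chosen value makes the verifier do the work. The Go code below is an added example, not jose's code, of enforcing a p2c ceiling on a compact JWE before any key derivation is attempted. The 1,000,000 cap, the header struct and the encodeHeader helper that builds the sample token are this example's assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// MaxPBES2Count caps the PBKDF2 iteration count a recipient is willing to
// run. The value is an assumption of this example; RFC 7518 only fixes a
// lower bound of 1000 and leaves the upper bound to the implementation.
const MaxPBES2Count = 1_000_000

// jweHeader holds the protected-header fields relevant to PBES2 key wrapping.
type jweHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
	P2S string `json:"p2s"`
	P2C int64  `json:"p2c"`
}

// CheckProtectedHeader decodes the protected header of a compact JWE and
// enforces the p2c bounds before any key derivation is attempted.
func CheckProtectedHeader(compact string) (jweHeader, error) {
	var h jweHeader
	parts := strings.Split(compact, ".")
	if len(parts) != 5 {
		return h, errors.New("jwe: expected 5 compact parts")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return h, fmt.Errorf("jwe: bad header encoding: %w", err)
	}
	if err := json.Unmarshal(raw, &h); err != nil {
		return h, fmt.Errorf("jwe: bad header json: %w", err)
	}
	if strings.HasPrefix(h.Alg, "PBES2-") {
		switch {
		case h.P2C < 1000:
			return h, errors.New("jwe: p2c below RFC 7518 minimum of 1000")
		case h.P2C > MaxPBES2Count:
			return h, fmt.Errorf("jwe: p2c %d exceeds cap %d", h.P2C, MaxPBES2Count)
		}
	}
	return h, nil
}

// encodeHeader builds a constructed compact JWE; only the header part is
// meaningful, the other four segments are placeholders.
func encodeHeader(alg string, p2c int64) string {
	b, _ := json.Marshal(map[string]any{
		"alg": alg, "enc": "A256GCM", "p2s": "c2FsdHNhbHQ", "p2c": p2c,
	})
	return base64.RawURLEncoding.EncodeToString(b) + ".ek.iv.ct.tag"
}

func main() {
	for _, p2c := range []int64{4096, 1 << 31} {
		_, err := CheckProtectedHeader(encodeHeader("PBES2-HS256+A128KW", p2c))
		fmt.Printf("p2c=%d -> %v\n", p2c, err)
	}
}
```

The check runs on the header alone, before the wrapped key is touched; a library that first derives the key and only then inspects the count has already paid the attacker's bill.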
2024-04-11 | VuXML ID 31617e47-7eec-4c60-9fdf-8aee61622bab
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-3159.
more... | electron27 electron28
more detail |
2024-04-11 | VuXML ID 7c217849-f7d7-11ee-a490-84a93843eb75
The OpenSSL project reports:
Some non-default TLS server configurations can cause unbounded
memory growth when processing TLSv1.3 sessions
more... | openssl openssl-quictls openssl31 openssl31-quictls openssl32
more detail |
2024-04-11 | VuXML ID c092be0e-f7cc-11ee-aa6b-b42e991fc52e
security@golang.org reports:
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts
of header data by sending an excessive number of CONTINUATION frames.
Maintaining HPACK state requires parsing and processing all HEADERS
and CONTINUATION frames on a connection. When a request's
headers exceed MaxHeaderBytes, no memory is allocated to store the
excess headers, but they are still parsed. This permits an attacker
to cause an HTTP/2 endpoint to read arbitrary amounts of header
data, all associated with a request which is going to be rejected.
These headers can include Huffman-encoded data which is significantly
more expensive for the receiver to decode than for an attacker to
send. The fix sets a limit on the amount of excess header frames
we will process before closing a connection.
more... | forgejo
more detail |
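Both Go-derived entries above (the go121/go122 one and this forgejo one) describe the same CONTINUATION flood: header bytes beyond MaxHeaderBytes are discarded but still parsed, so the attacker pays only for sending while the server pays for HPACK decoding. The Go code below is an added example, not the Go project's fix, of the mitigation shape the advisory describes: a per-connection budget of "excess" header-block bytes, after which the connection is closed rather than the request merely rejected. Frame layout follows RFC 9113; padding and priority fields are deliberately ignored, the 1 MiB limits are assumptions, and the frame payloads are opaque placeholders for HPACK data.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// RFC 9113 frame types and flags used here.
const (
	frameHeaders      = 0x1
	frameContinuation = 0x9
	flagEndHeaders    = 0x4
	frameHeaderLen    = 9
)

// HeaderGuard accounts header-block bytes per stream and per connection.
// The per-connection excess budget is this example's simplified model of the
// defence described in the advisory, not the Go project's implementation.
type HeaderGuard struct {
	MaxHeaderBytes int            // per-request limit (like Server.MaxHeaderBytes)
	MaxExcessBytes int            // header bytes tolerated beyond the limit, per connection
	excess         int            // header bytes received for already-oversized requests
	inflight       map[uint32]int // stream id -> header-block bytes seen so far
}

var ErrTooMuchExcess = errors.New("h2: excess header data exceeds budget, close connection")

func NewHeaderGuard(maxHeader, maxExcess int) *HeaderGuard {
	return &HeaderGuard{MaxHeaderBytes: maxHeader, MaxExcessBytes: maxExcess, inflight: map[uint32]int{}}
}

// Feed consumes one raw frame (9-byte header plus payload). rejected is true
// when END_HEADERS completed a block larger than MaxHeaderBytes (the request
// would get a 431); err is non-nil when the whole connection must be closed.
func (g *HeaderGuard) Feed(frame []byte) (rejected bool, err error) {
	if len(frame) < frameHeaderLen {
		return false, errors.New("h2: short frame")
	}
	length := int(frame[0])<<16 | int(frame[1])<<8 | int(frame[2])
	typ, flags := frame[3], frame[4]
	stream := binary.BigEndian.Uint32(frame[5:9]) & 0x7fffffff
	if len(frame)-frameHeaderLen != length {
		return false, errors.New("h2: payload length mismatch")
	}
	if typ != frameHeaders && typ != frameContinuation {
		return false, nil // other frame types carry no header block
	}
	// Simplification: the whole payload is treated as header-block bytes.
	seen := g.inflight[stream]
	over := seen + length - g.MaxHeaderBytes
	if over > 0 {
		// Only bytes beyond the limit, and not yet counted, add to the excess.
		already := seen - g.MaxHeaderBytes
		if already < 0 {
			already = 0
		}
		g.excess += over - already
		if g.excess > g.MaxExcessBytes {
			return false, ErrTooMuchExcess
		}
	}
	g.inflight[stream] = seen + length
	if flags&flagEndHeaders != 0 {
		rejected = g.inflight[stream] > g.MaxHeaderBytes
		delete(g.inflight, stream)
	}
	return rejected, nil
}

// BuildFrame constructs a frame whose payload is n opaque bytes, a stand-in
// for an HPACK block; used only to build sample input.
func BuildFrame(typ, flags byte, stream uint32, n int) []byte {
	f := make([]byte, frameHeaderLen+n)
	f[0], f[1], f[2] = byte(n>>16), byte(n>>8), byte(n)
	f[3], f[4] = typ, flags
	binary.BigEndian.PutUint32(f[5:9], stream)
	return f
}

// Flood simulates a HEADERS frame followed by CONTINUATION frames that never
// set END_HEADERS, and reports how many frames were processed before close.
func Flood(g *HeaderGuard, stream uint32, frames, size int) (processed int, err error) {
	if _, err = g.Feed(BuildFrame(frameHeaders, 0, stream, size)); err != nil {
		return 0, err
	}
	processed = 1
	for i := 1; i < frames; i++ {
		if _, err = g.Feed(BuildFrame(frameContinuation, 0, stream, size)); err != nil {
			return processed, err
		}
		processed++
	}
	return processed, nil
}

func main() {
	g := NewHeaderGuard(1<<20, 1<<20) // 1 MiB per request, 1 MiB excess per connection
	n, err := Flood(g, 1, 1000, 16<<10) // 1000 frames x 16 KiB on one stream
	fmt.Printf("processed %d frames before: %v\n", n, err)
}
```

Without the excess budget the loop above would parse all 1000 frames (and as many more as the attacker cares to send); with it the connection is torn down after 64 frames past the per-request limit, which bounds the decode work per connection to a constant.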
2024-04-11 | VuXML ID dad6294c-f7c1-11ee-bb77-001b217b3468
Gitlab reports:
Stored XSS injected in diff viewer
Stored XSS via autocomplete results
Redos on Integrations Chat Messages
Redos During Parse Junit Test Report
more... | gitlab-ce
more detail |
2024-04-11 | VuXML ID f0ba7008-2bbd-11ef-b4ca-814a3d504243
The forgejo team reports:
CVE-2024-24789:
The archive/zip package's handling of certain types of invalid
zip files differs from the behavior of most zip implementations.
This misalignment could be exploited to create a zip file with
contents that vary depending on the implementation reading the
file.
The OAuth2 implementation does not always require authentication
for public clients, a requirement of RFC 6749 Section 10.2. A
malicious client can impersonate another client and obtain access
to protected resources if the impersonated client fails to, or is
unable to, keep its client credentials confidential.
more... | forgejo
more detail |
2024-04-10 | VuXML ID ea4a2dfc-f761-11ee-af2c-589cfc0f81b0
The Wordpress team reports:
A cross-site scripting (XSS) vulnerability affecting the Avatar block type
more... | de-wordpress-de_DE fr-wordpress-fr_FR ja-wordpress-ja ru-wordpress-ru_RU wordpress zh-wordpress-zh_CN zh-wordpress-zh_TW
more detail |
2024-04-05 | VuXML ID 8e6f684b-f333-11ee-a573-84a93843eb75
The Apache httpd project reports:
HTTP/2 DoS by memory exhaustion on endless continuation frames
HTTP Response Splitting in multiple modules
more... | apache24 mod_http2
more detail |
2024-04-05 | VuXML ID c2431c4e-622c-4d92-996d-d8b5258ae8c9
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-2885.
- Security: backported fix for CVE-2024-2883.
- Security: backported fix for CVE-2024-2887.
- Security: backported fix for CVE-2024-2886.
more... | electron27 electron28
more detail |
2024-04-04 | VuXML ID 4a026b6c-f2b8-11ee-8e76-a8a1599412c6
Chrome Releases reports:
This update includes 3 security fixes:
- [329130358] High CVE-2024-3156: Inappropriate implementation in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-03-12
- [329965696] High CVE-2024-3158: Use after free in Bookmarks. Reported by undoingfish on 2024-03-17
- [330760873] High CVE-2024-3159: Out of bounds memory access in V8. Reported by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks, via Pwn2Own 2024 on 2024-03-22
more... | chromium ungoogled-chromium
more detail |
2024-04-04 | VuXML ID 57561cfc-f24b-11ee-9730-001fc69cd6dc
The X.Org project reports:
- CVE-2024-31080: Heap buffer overread/data leakage in
ProcXIGetSelectedEvents
The ProcXIGetSelectedEvents() function uses the byte-swapped
length of the return data for the amount of data to return to
the client, if the client has a different endianness than
the X server.
- CVE-2024-31081: Heap buffer overread/data leakage in
ProcXIPassiveGrabDevice
The ProcXIPassiveGrabDevice() function uses the byte-swapped
length of the return data for the amount of data to return to
the client, if the client has a different endianness than
the X server.
- CVE-2024-31083: Use-after-free in ProcRenderAddGlyphs
The ProcRenderAddGlyphs() function calls the AllocateGlyph()
function to store new glyphs sent by the client to the X server.
AllocateGlyph() would return a new glyph with refcount=0 and
a re-used glyph would end up not changing the refcount at all.
The resulting glyph_new array would thus have multiple entries
pointing to the same non-refcounted glyphs.
ProcRenderAddGlyphs() may free a glyph, resulting in a
use-after-free when the same glyph pointer is then later used.
more... | xephyr xorg-nextserver xorg-server xorg-vfbserver xwayland xwayland-devel
more detail |
2024-04-02 | VuXML ID 2e3bea0c-f110-11ee-bc57-00e081b7aa2d
Jenkins Security Advisory:
Description
(High) SECURITY-3379 / CVE-2024-22201
HTTP/2 denial of service vulnerability in bundled Jetty
more... | jenkins jenkins-lts
more detail |
2024-04-01* | VuXML ID 21a854cc-cac1-11ee-b7a7-353f1e043d9a
Simon Kelley reports:
If DNSSEC validation is enabled, then an attacker who can force a
DNS server to validate a specially crafted signed domain can use a
lot of CPU in the validator. This only affects dnsmasq installations
with DNSSEC enabled.
Stichting NLnet Labs reports:
The KeyTrap [CVE-2023-50387] vulnerability works by using a
combination of Keys (also colliding Keys), Signatures and number of
RRSETs on a malicious zone. Answers from that zone can force a
DNSSEC validator down a very CPU intensive and time costly
validation path.
The NSEC3 [CVE-2023-50868] vulnerability uses specially crafted responses on a
malicious zone with multiple NSEC3 RRSETs to force a DNSSEC
validator down a very CPU intensive and time costly NSEC3 hash
calculation path.
more... | bind9-devel bind916 bind918 dnsmasq dnsmasq-devel FreeBSD powerdns-recursor unbound
more detail |
2024-03-31 | VuXML ID d58726ff-ef5e-11ee-8d8e-080027a5b8e9
Mediawiki reports:
(T355538, CVE-2024-PENDING) SECURITY: XSS in edit summary parser.
(T357760, CVE-2024-PENDING) SECURITY: Denial of service vector via GET
request to Special:MovePage on pages with thousands of subpages.
more... | mediawiki139 mediawiki140 mediawiki141
more detail |
2024-03-29 | VuXML ID bdcd041e-5811-4da3-9243-573a9890fdb1
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-2625.
more... | electron27 electron28
more detail |
2024-03-28 | VuXML ID d2992bc2-ed18-11ee-96dc-001b217b3468
Gitlab reports:
Stored-XSS injected in Wiki page via Banzai pipeline
DOS using crafted emojis
more... | gitlab-ce
more detail |
2024-03-27 | VuXML ID 814af1be-ec63-11ee-8e76-a8a1599412c6
Chrome Releases reports:
This update includes 7 security fixes:
- [327807820] Critical CVE-2024-2883: Use after free in ANGLE. Reported by Cassidy Kim(@cassidy6564) on 2024-03-03
- [328958020] High CVE-2024-2885: Use after free in Dawn. Reported by wgslfuzz on 2024-03-11
- [330575496] High CVE-2024-2886: Use after free in WebCodecs. Reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024 on 2024-03-21
- [330588502] High CVE-2024-2887: Type Confusion in WebAssembly. Reported by Manfred Paul, via Pwn2Own 2024 on 2024-03-21
more... | chromium ungoogled-chromium
more detail |
2024-03-26 | VuXML ID 34f98d06-eb56-11ee-8007-6805ca2fa271
Quiche Releases reports:
This release includes 2 security fixes:
- CVE-2024-1410: Unbounded storage of information related to
connection ID retirement, in quiche. Reported by Marten
Seeman (@marten-seeman)
- CVE-2024-1765: Unlimited resource allocation by QUIC
CRYPTO frames flooding in quiche. Reported by Marten
Seeman (@marten-seeman)
more... | quiche
more detail |
2024-03-26* | VuXML ID 6d31ef38-df85-11ee-abf1-6c3be5272acd
Grafana Labs reports:
The vulnerability impacts Grafana Cloud and Grafana Enterprise instances,
and it is exploitable if a user who should not be able to access all data
sources is granted permissions to create a data source.
By default, only organization Administrators are allowed to create a data
source and have full access to all data sources. All other users need to be
explicitly granted permission to create a data source, which then means they
could exploit this vulnerability.
When a user creates a data source via the API, they can specify the data source
UID. If the UID is set to an asterisk (*), the user gains permissions to query,
update, and delete all data sources in the organization. The exploit, however,
does not stretch across organizations: to exploit the vulnerability in several
organizations, a user would need permissions to create data sources in each
organization.
The vulnerability comes from a lack of UID validation. When evaluating
permissions, we interpret an asterisk (*) as a wild card for all resources.
Therefore, we should treat it as a reserved value, and not allow the creation
of a resource with the UID set to an asterisk.
The CVSS score for this vulnerability is 6 Medium.
more... | grafana grafana9
more detail |
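The Grafana entry is a reserved-value confusion: the permission evaluator reads "*" as "every resource", while the create path let a caller store "*" as a literal UID. The Go code below is an added example, not Grafana's code, that models a wildcard-aware scope check, shows how a caller-chosen "*" UID becomes an all-resources grant, and adds the missing validation. The scope format "datasources:uid:<uid>", the permitted UID character set and the CreateDataSource helper are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// scopeMatches reports whether a granted scope covers a requested one.
// A trailing "*" segment in the grant is a wildcard for any value in that
// position. This is a simplified model of a scope evaluator, not Grafana's.
func scopeMatches(granted, requested string) bool {
	if granted == requested {
		return true
	}
	gi := strings.LastIndex(granted, ":")
	ri := strings.LastIndex(requested, ":")
	if gi < 0 || ri < 0 {
		return false
	}
	return granted[gi+1:] == "*" && granted[:gi] == requested[:ri]
}

// CanAccess evaluates a user's granted scopes against the resource scope.
func CanAccess(granted []string, requested string) bool {
	for _, g := range granted {
		if scopeMatches(g, requested) {
			return true
		}
	}
	return false
}

// validUID is an assumption: letters, digits, '-' and '_', 1 to 40 chars.
var validUID = regexp.MustCompile(`^[A-Za-z0-9_-]{1,40}$`)

var ErrReservedUID = errors.New("uid '*' is a reserved wildcard")

// ValidateUID is the missing check: a caller-chosen UID must never equal the
// value the permission evaluator treats as "all resources".
func ValidateUID(uid string) error {
	if uid == "*" {
		return ErrReservedUID
	}
	if !validUID.MatchString(uid) {
		return fmt.Errorf("uid %q has invalid characters or length", uid)
	}
	return nil
}

// CreateDataSource models the create path and returns the scope granted to
// the creator for the new data source. validate=false is the vulnerable path.
func CreateDataSource(requestedUID string, validate bool) (string, error) {
	if validate {
		if err := ValidateUID(requestedUID); err != nil {
			return "", err
		}
	}
	return "datasources:uid:" + requestedUID, nil
}

func main() {
	// Vulnerable path: a literal "*" UID yields a grant that matches everything.
	grant, _ := CreateDataSource("*", false)
	fmt.Println(CanAccess([]string{grant}, "datasources:uid:prod-db"))

	// Fixed path: the reserved value is rejected before any grant exists.
	_, err := CreateDataSource("*", true)
	fmt.Println(err)
}
```

The general lesson carries beyond Grafana: any identifier that the authorization layer interprets with pattern semantics ("*", "?", a prefix match) must be rejected as a literal on every write path, not only on the UI form.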
2024-03-26 | VuXML ID 8b3be705-eba7-11ee-99b3-589cfc0f81b0
phpMyFAQ team reports:
The phpMyFAQ Team has learned of multiple security issues that had
been discovered in phpMyFAQ 3.2.5 and earlier. phpMyFAQ contains
cross-site scripting (XSS), SQL injection and bypass
vulnerabilities.
more... | phpmyfaq-php81 phpmyfaq-php82 phpmyfaq-php83
more detail |
2024-03-26 | VuXML ID f661184a-eb90-11ee-92fc-1c697a616631
GNU Emacs developers report:
Emacs 29.3 is an emergency bugfix release intended to fix several security vulnerabilities.
- Arbitrary Lisp code is no longer evaluated as part of turning on Org mode. This is for security reasons, to avoid evaluating malicious Lisp code.
- New buffer-local variable 'untrusted-content'. When this is non-nil, Lisp programs should treat buffer contents with extra caution.
- Gnus now treats inline MIME contents as untrusted. To get back previous insecure behavior, 'untrusted-content' should be reset to nil in the buffer.
- LaTeX preview is now by default disabled for email attachments. To get back previous insecure behavior, set the variable 'org--latex-preview-when-risky' to a non-nil value.
- Org mode now considers contents of remote files to be untrusted. Remote files are recognized by calling 'file-remote-p'.
more... | emacs emacs-canna emacs-nox
more detail |
2024-03-22 | VuXML ID 80815c47-e84f-11ee-8e76-a8a1599412c6
Chrome Releases reports:
This update includes 12 security fixes:
- [327740539] High CVE-2024-2625: Object lifecycle issue in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-03-01
- [40945098] Medium CVE-2024-2626: Out of bounds read in Swiftshader. Reported by Cassidy Kim(@cassidy6564) on 2023-11-22
- [41493290] Medium CVE-2024-2627: Use after free in Canvas. Reported by Anonymous on 2024-01-21
- [41487774] Medium CVE-2024-2628: Inappropriate implementation in Downloads. Reported by Ath3r1s on 2024-01-03
- [41487721] Medium CVE-2024-2629: Incorrect security UI in iOS. Reported by Muneaki Nishimura (nishimunea) on 2024-01-02
- [41481877] Medium CVE-2024-2630: Inappropriate implementation in iOS. Reported by James Lee (@Windowsrcer) on 2023-12-07
- [41495878] Low CVE-2024-2631: Inappropriate implementation in iOS. Reported by Ramit Gangwar on 2024-01-29
more... | chromium ungoogled-chromium
more detail |
2024-03-21 | VuXML ID 7a7129ef-e790-11ee-a1c0-0050569f0b83
Shibboleth Developers report:
The Identity Provider's CAS support relies on a function in the
Spring Framework to parse CAS service URLs and append the ticket
parameter.
more... | shibboleth-idp
more detail |
2024-03-20 | VuXML ID a8448963-e6f5-11ee-a784-dca632daf43b
MongoDB, Inc. reports:
A security vulnerability was found where a server process
running MongoDB 3.2.6 or later will allow incoming connections
to skip peer certificate validation if the server process was
started with TLS enabled (net.tls.mode set to allowTLS,
preferTLS, or requireTLS) and without a net.tls.CAFile
configured (CVE-2024-1351).
more... | mongodb44 mongodb50 mongodb60 mongodb70
more detail |
2024-03-18 | VuXML ID 05b7180b-e571-11ee-a1c0-0050569f0b83
The Varnish Development Team reports:
A denial of service attack can be performed on Varnish Cache servers
that have the HTTP/2 protocol turned on. An attacker can let the
server's HTTP/2 connection control flow window run out of credits
indefinitely and prevent progress in the processing of streams,
retaining the associated resources.
more... | varnish7
more detail |
2024-03-17 | VuXML ID 0a48e552-e470-11ee-99b3-589cfc0f81b0
The Amavis project reports:
Emails which consist of multiple parts (`Content-Type: multipart/*`)
incorporate boundary information stating at which point one part ends and the
next part begins.
A boundary is announced by a Content-Type header's `boundary` parameter. To
our current knowledge, RFC2046 and RFC2045 do not explicitly specify how a
parser should handle multiple boundary parameters that contain conflicting
values. As a result, there is no canonical choice which of the values should or
should not be used for mime part decomposition.
more... | amavisd-new
more detail |
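The Amavis entry describes a parser differential: two boundary parameters with different values and no specification rule for which one wins, so a scanner and a mail client may split the same message into different parts. The Go code below is an added example, not Amavis's Perl code, of the strict policy a gateway can adopt: enumerate every boundary= parameter itself, refuse the message when the values conflict, and only then hand the header to the standard library parser. The sample headers are constructed, and the tokenizer assumes no ';' inside quoted values.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"strings"
)

var ErrConflictingBoundary = errors.New("mime: Content-Type declares conflicting boundary values")

// boundaryValues extracts every boundary= value from a Content-Type header,
// duplicates included, with a small tokenizer of its own. It is kept separate
// from mime.ParseMediaType so the policy does not depend on how a given
// stdlib version treats duplicate parameters.
// Simplification: a ';' inside a quoted value is not handled.
func boundaryValues(contentType string) []string {
	var out []string
	for _, part := range strings.Split(contentType, ";")[1:] {
		k, v, ok := strings.Cut(strings.TrimSpace(part), "=")
		if !ok || !strings.EqualFold(strings.TrimSpace(k), "boundary") {
			continue
		}
		out = append(out, strings.Trim(strings.TrimSpace(v), `"`))
	}
	return out
}

// SelectBoundary is the strict policy: exactly one distinct boundary value is
// accepted. Anything else is refused so that the scanner and the downstream
// mail client cannot decompose the message differently.
func SelectBoundary(contentType string) (string, error) {
	vals := boundaryValues(contentType)
	if len(vals) == 0 {
		return "", errors.New("mime: no boundary parameter present")
	}
	for _, v := range vals[1:] {
		if v != vals[0] {
			return "", ErrConflictingBoundary
		}
	}
	// Run the stdlib parser as well so otherwise malformed headers are rejected.
	if _, _, err := mime.ParseMediaType(contentType); err != nil {
		return "", fmt.Errorf("mime: %w", err)
	}
	return vals[0], nil
}

func main() {
	// Constructed headers: the second carries two boundaries, and a lenient
	// parser might pick either one.
	for _, ct := range []string{
		`multipart/mixed; boundary="alpha"`,
		`multipart/mixed; boundary="alpha"; boundary="beta"`,
	} {
		b, err := SelectBoundary(ct)
		fmt.Printf("%-55s -> boundary=%q err=%v\n", ct, b, err)
	}
}
```

Refusing, rather than choosing, is the point: whichever value the gateway picked, an attacker could target the client that picks the other one.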
2024-03-16 | VuXML ID 1ad3d264-e36b-11ee-9c27-40b034429ecf
TYPO3 developers report:
All versions are security releases and contain important security fixes - read the corresponding security advisories here:
- Path Traversal in TYPO3 File Abstraction Layer Storages CVE-2023-30451
- Code Execution in TYPO3 Install Tool CVE-2024-22188
- Information Disclosure of Hashed Passwords in TYPO3 Backend Forms CVE-2024-25118
- Information Disclosure of Encryption Key in TYPO3 Install Tool CVE-2024-25119
- Improper Access Control of Resources Referenced by t3:// URI Scheme CVE-2024-25120
- Improper Access Control Persisting File Abstraction Layer Entities via Data Handler CVE-2024-25121
more... | typo3-11 typo3-12
more detail |
2024-03-14 | VuXML ID 49dd9362-4473-48ae-8fac-e1b69db2dedf
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-2173.
more... | electron27 electron28
more detail |
2024-03-12 | VuXML ID b6dd9d93-e09b-11ee-92fc-1c697a616631
Intel reports:
2024.1 IPU - Intel Processor Bus Lock Advisory
A potential security vulnerability in the bus lock regulator
mechanism for some Intel Processors may allow denial of service. Intel
is releasing firmware updates to mitigate this potential
vulnerability.
2024.1 IPU - Intel Processor Return Predictions Advisory
A potential security vulnerability in some Intel Processors may
allow information disclosure.
2024.1 IPU - Intel Atom Processor Advisory
A potential security vulnerability in some Intel Atom Processors
may allow information disclosure.
2024.1 IPU - Intel Xeon Processor Advisory
A potential security vulnerability in some 3rd and 4th Generation
Intel Xeon Processors when using Intel Software Guard Extensions (SGX)
or Intel Trust Domain Extensions (TDX) may allow escalation of
privilege.
2024.1 IPU OOB - Intel Xeon D Processor Advisory
A potential security vulnerability in some Intel Xeon D Processors
with Intel Software Guard Extensions (SGX) may allow information
disclosure.
more... | cpu-microcode-intel
more detail |
2024-03-09 | VuXML ID c2ad8700-de25-11ee-9190-84a93843eb75
NLNet Labs reports:
Unbound 1.18.0 introduced a feature that removes EDE records from
responses with size higher than the client's advertised buffer size.
Before removing all the EDE records however, it would try to see if
trimming the extra text fields on those records would result in an
acceptable size while still retaining the EDE codes. Due to an
unchecked condition, the code that trims the text of the EDE records
could loop indefinitely. This happens when Unbound would reply with
attached EDE information on a positive reply and the client's buffer
size is smaller than the needed space to include EDE records.
The vulnerability can only be triggered when the 'ede: yes' option
is used, which is a non-default configuration.
more... | unbound
more detail |
2024-03-07 | VuXML ID b2caae55-dc38-11ee-96dc-001b217b3468
Gitlab reports:
Bypassing CODEOWNERS approval allowing to steal protected variables
Guest with manage group access tokens can rotate and see group access token with owner permissions
more... | gitlab-ce
more detail |
2024-03-07 | VuXML ID e74da31b-276a-4a22-9772-17dd42b97559
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-25062.
more... | electron27 electron28
more detail |
2024-03-06 | VuXML ID b1b039ec-dbfc-11ee-9165-901b0e9408dc
The Go project reports:
crypto/x509: Verify panics on certificates with an
unknown public key algorithm
Verifying a certificate chain which contains a
certificate with an unknown public key algorithm will
cause Certificate.Verify to panic.
net/http: memory exhaustion in Request.ParseMultipartForm
When parsing a multipart form (either explicitly with
Request.ParseMultipartForm or implicitly with Request.FormValue,
Request.PostFormValue, or Request.FormFile), limits on the total
size of the parsed form were not applied to the memory consumed
while reading a single form line. This permitted a maliciously
crafted input containing very long lines to cause allocation of
arbitrarily large amounts of memory, potentially leading to memory
exhaustion.
net/http, net/http/cookiejar: incorrect forwarding
of sensitive headers and cookies on HTTP redirect
When following an HTTP redirect to a domain which
is not a subdomain match or exact match of the initial
domain, an http.Client does not forward sensitive headers
such as "Authorization" or "Cookie". For example, a
redirect from foo.com to www.foo.com will forward the
Authorization header, but a redirect to bar.com will not.
html/template: errors returned from MarshalJSON methods
may break template escaping
If errors returned from MarshalJSON methods contain user
controlled data, they may be used to break the contextual
auto-escaping behavior of the html/template package, allowing
for subsequent actions to inject unexpected content into
templates.
net/mail: comments in display names are incorrectly handled
The ParseAddressList function incorrectly handles comments
(text within parentheses) within display names. Since this is a
misalignment with conforming address parsers, it can result in
different trust decisions being made by programs using different
parsers.
more... | go121 go122
more detail |
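The redirect item in the Go entry above turns on one rule: a sensitive header may follow a redirect only when the new host is the original host or a subdomain of it (foo.com to www.foo.com keeps Authorization, foo.com to bar.com drops it). The Go code below is an added example, not the Go project's fix, that implements that rule as a standalone predicate and as an http.Client CheckRedirect hook, so a client can enforce it explicitly regardless of toolchain version. The header list and the 10-redirect cap are this example's choices.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// isDomainOrSubdomain reports whether sub equals parent or is a subdomain of
// it. Comparison is case-insensitive and requires a dot boundary, so
// "evilfoo.com" is not a subdomain of "foo.com".
func isDomainOrSubdomain(sub, parent string) bool {
	sub, parent = strings.ToLower(sub), strings.ToLower(parent)
	if sub == parent {
		return true
	}
	return strings.HasSuffix(sub, "."+parent)
}

// sensitiveHeaders are stripped when a redirect leaves the original domain.
// The list is this example's choice.
var sensitiveHeaders = []string{"Authorization", "Cookie", "Www-Authenticate"}

// ShouldForward decides, for one header, whether it may accompany a redirect
// from initialHost to targetHost (hostnames without ports).
func ShouldForward(header, initialHost, targetHost string) bool {
	for _, h := range sensitiveHeaders {
		if strings.EqualFold(h, header) {
			return isDomainOrSubdomain(targetHost, initialHost)
		}
	}
	return true
}

// CheckRedirect is a drop-in for http.Client.CheckRedirect. The client copies
// headers onto the redirected request before calling it, so deleting a header
// here keeps it off the wire.
func CheckRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	if len(via) == 0 {
		return nil
	}
	initial := via[0].URL.Hostname()
	for _, h := range sensitiveHeaders {
		if req.Header.Get(h) != "" && !ShouldForward(h, initial, req.URL.Hostname()) {
			req.Header.Del(h)
		}
	}
	return nil
}

func main() {
	cases := [][2]string{{"foo.com", "www.foo.com"}, {"foo.com", "bar.com"}, {"foo.com", "evilfoo.com"}}
	for _, c := range cases {
		fmt.Printf("%s -> %s forward Authorization: %v\n", c[0], c[1],
			ShouldForward("Authorization", c[0], c[1]))
	}
	client := &http.Client{CheckRedirect: CheckRedirect}
	_ = client // use as any other http.Client
}
```

A client written this way also gives the application a single place to log or refuse cross-domain redirects, which is what an incident responder will want when a bearer token turns up in a third party's access log.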
2024-03-06 | VuXML ID fd3401a1-b6df-4577-917a-2c22fee99d34
Chrome Releases reports:
This update includes 3 security fixes:
- [325893559] High CVE-2024-2173: Out of bounds memory access in V8. Reported by 5fceb6172bbf7e2c5a948183b53565b9 on 2024-02-19
- [325866363] High CVE-2024-2174: Inappropriate implementation in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be8 on 2024-02-19
- [325936438] High CVE-2024-2176: Use after free in FedCM. Reported by Anonymous on 2024-02-20
more... | chromium ungoogled-chromium
more detail |
2024-03-04 | VuXML ID 0ef3398e-da21-11ee-b23a-080027a5b8e9
Django reports:
CVE-2024-27351: Potential regular expression denial-of-service in
django.utils.text.Truncator.words().
more... | py310-django32 py310-django42 py310-django50 py311-django32 py311-django42 py311-django50 py39-django32 py39-django42
more detail |
2024-03-01 | VuXML ID 46a9eb0f-d7d2-11ee-bb12-001b217b3468
support@hackerone.com reports:
On Linux, Node.js ignores certain environment variables if those
may have been set by an unprivileged user while the process is
running with elevated privileges with the only exception of
CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this
exception, Node.js incorrectly applies this exception even when
certain other capabilities have been set. This allows unprivileged
users to inject code that inherits the process's elevated
privileges.
more... | null
more detail |
2024-03-01 | VuXML ID 77a6f1c9-d7d2-11ee-bb12-001b217b3468
Node.js reports:
Code injection and privilege escalation through Linux capabilities (High)
http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (High)
Path traversal by monkey-patching Buffer internals (High)
setuid() does not drop all privileges due to io_uring (High)
Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) (Medium)
Multiple permission model bypasses due to improper path traversal sequence sanitization (Medium)
Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
Denial of Service by resource exhaustion in fetch() brotli decoding (Medium)
more... | node node16 node18 node20 node21
more detail |
2024-02-29 | VuXML ID 31bb1b8d-d6dc-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [324596281] High CVE-2024-1938: Type Confusion in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be8 on 2024-02-11
- [323694592] High CVE-2024-1939: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2024-02-05
more... | chromium ungoogled-chromium
more detail |
2024-02-29 | VuXML ID 3567456a-6b17-41f7-ba7f-5cd3efb2b7c9
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-1670.
more... | electron27 electron28
more detail |
2024-02-28 | VuXML ID 02e33cd1-c655-11ee-8613-08002784c58d
Hiroki Kurosawa reports:
curl inadvertently kept the SSL session ID for connections
in its cache even when the verify status (OCSP stapling)
test failed. A subsequent transfer to the same hostname
could then succeed if the session ID cache was still
fresh, which then skipped the verify status check.
more... | curl
more detail |
2024-02-28 | VuXML ID 3dada2d5-4e17-4e39-97dd-14fdbd4356fb
sep@nlnetlabs.nl reports:
Due to a mistake in error checking, Routinator will terminate when
an incoming RTR connection is reset by the peer too quickly after
opening.
more... | null
more detail |
2024-02-24 | VuXML ID 2a470712-d351-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 12 security fixes:
- [41495060] High CVE-2024-1669: Out of bounds memory access in Blink. Reported by Anonymous on 2024-01-26
- [41481374] High CVE-2024-1670: Use after free in Mojo. Reported by Cassidy Kim(@cassidy6564) on 2023-12-06
- [41487933] Medium CVE-2024-1671: Inappropriate implementation in Site Isolation. Reported by Harry Chen on 2024-01-03
- [41485789] Medium CVE-2024-1672: Inappropriate implementation in Content Security Policy. Reported by Georg Felber (TU Wien) & Marco Squarcina (TU Wien) on 2023-12-19
- [41490491] Medium CVE-2024-1673: Use after free in Accessibility. Reported by Weipeng Jiang (@Krace) of VRI on 2024-01-11
- [40095183] Medium CVE-2024-1674: Inappropriate implementation in Navigation. Reported by David Erceg on 2019-05-27
- [41486208] Medium CVE-2024-1675: Insufficient policy enforcement in Download. Reported by Bartłomiej Wacko on 2023-12-21
- [40944847] Low CVE-2024-1676: Inappropriate implementation in Navigation. Reported by Khalil Zhani on 2023-11-21
more... | chromium ungoogled-chromium
more detail |
2024-02-24 | VuXML ID 5ecfb588-d2f4-11ee-ad82-dbdfaa8acfc2
Problem Description:
- The Wiki page did not sanitize author name
- The reviewer name on a "dismiss review" comment is also affected
- The migration page has some spots
more... | gitea
more detail |
2024-02-23 | VuXML ID 255bf44c-d298-11ee-9c27-40b034429ecf
c-ares project reports:
Reading malformatted /etc/resolv.conf, /etc/nsswitch.conf or the HOSTALIASES file could result in a crash.
more... | c-ares
more detail |
2024-02-23 | VuXML ID 80ad6d6c-b398-457f-b88f-bf6be0bbad44
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-1283.
- Security: backported fix for CVE-2024-1284.
more... | electron27
more detail |
2024-02-23 | VuXML ID 979dc373-d27d-11ee-8b84-b42e991fc52e
Suricata team reports:
Multiple vulnerabilities fixed in the last release of suricata.
No details have been disclosed yet
more... | suricata
more detail |
2024-02-22 | VuXML ID 03bf5157-d145-11ee-acee-001b217b3468
Gitlab reports:
Stored-XSS in user's profile page
User with "admin_group_members" permission can invite other groups to gain owner access
ReDoS issue in the Codeowners reference extractor
LDAP user can reset password using secondary email and login using direct authentication
Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard
Users with the Guest role can change Custom dashboard projects settings for projects in the victim group
Group member with sub-maintainer role can change title of shared private deploy keys
Bypassing approvals of CODEOWNERS
more... | gitlab-ce
more detail |
2024-02-20 | VuXML ID 6a851dc0-cfd2-11ee-ac09-6c3be5272acd
Grafana Labs reports:
The vulnerability impacts instances where Grafana basic authentication is enabled.
Grafana has a verify_email_enabled configuration option. When this option is enabled,
users are required to confirm their email addresses before the sign-up process
is complete. However, the email is only checked at the time of the sign-up.
No further verification is carried out if a user's email address is updated
after the initial sign-up. Moreover, Grafana allows using an email address
as the user's login name, and no verification is ever carried out for this email
address.
This means that even if the verify_email_enabled configuration option is enabled,
users can use unverified email addresses to log into Grafana if the email address
has been changed after the sign up, or if an email address is set as the login
name.
The CVSS score for this vulnerability is 5.4 Medium (CVSS).
more... | grafana grafana10 grafana9
more detail |
2024-02-16 | VuXML ID e15ba624-cca8-11ee-84ca-b42e991fc52e
cve@mitre.org reports:
CVE-2023-50868: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155
when RFC 9276 guidance is skipped) allows remote attackers to cause
a denial of service (CPU consumption for SHA-1 computations) via
DNSSEC responses in a random subdomain attack, aka the "NSEC3"
issue. The RFC 5155 specification implies that an algorithm must
perform thousands of iterations of a hash function in certain
situations.
CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035,
6840, and related RFCs) allow remote attackers to cause a denial
of service (CPU consumption) via one or more DNSSEC responses, aka
the "KeyTrap" issue. One of the concerns is that, when
there is a zone with many DNSKEY and RRSIG records, the protocol
specification implies that an algorithm must evaluate all combinations
of DNSKEY and RRSIG records.
more... | powerdns-recursor
more detail |
2024-02-15 | VuXML ID bd7592a1-cbfd-11ee-a42a-5404a6f3ca32
Problem Description:
Even with RequireSignInView enabled, anonymous users can use docker pull
to fetch public images.
more... | gitea
more detail |
2024-02-15 | VuXML ID c97a4ecf-cc25-11ee-b0ee-0050569f0b83
The nginx development team reports:
When using HTTP/3 a segmentation fault might occur in a
worker process while processing a specially crafted QUIC session.
more... | nginx-devel
more detail |
2024-02-14* | VuXML ID 43768ff3-c683-11ee-97d0-001b217b3468
Git community reports:
A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application
A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities
more... | eza libgit2
more detail |
2024-02-14 | VuXML ID 46a29f83-cb47-11ee-b609-002590c1f29c
Problem Description:
The jail(2) system call has not limited the visibility of allocated
TTYs (the kern.ttys sysctl). This gives rise to an information
leak about processes outside the current jail.
Impact:
Attacker can get information about TTYs allocated on the host
or in other jails. Effectively, the information printed by "pstat
-t" may be leaked.
more... | FreeBSD-kernel
more detail |
2024-02-14 | VuXML ID 4edbea45-cb0c-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix.
more... | chromium ungoogled-chromium
more detail |
2024-02-14 | VuXML ID c62285cb-cb46-11ee-b609-002590c1f29c
Problem Description:
`bhyveload -h ` may be used to grant loader access
to the directory tree on the host. Affected versions
of bhyveload(8) do not make any attempt to restrict loader's access
to , allowing the loader to read any file the host user
has access to.
Impact:
In the bhyveload(8) model, the host supplies a userboot.so to
boot with, but the loader scripts generally come from the guest
image. A maliciously crafted script could be used to exfiltrate
sensitive data from the host accessible to the user running
bhyveload(8), which is often the system root.
more... | FreeBSD
more detail |
2024-02-12 | VuXML ID 388eefc0-c93f-11ee-92ce-4ccc6adda413
Google reports:
A heap buffer overflow exists in readstat_convert.
more... | readstat
more detail |
2024-02-12 | VuXML ID f161a5ad-c9bd-11ee-b7a7-353f1e043d9a
Austin Hackers Anonymous report:
Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEXR image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability.
[...] it is in a routine that is predominantly used for development and
testing. It is not likely to appear in production code.
more... | openexr
more detail |
2024-02-11 | VuXML ID cb22a9a6-c907-11ee-8d1c-40b034429ecf
Spreadsheet-ParseExcel reports:
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files.
Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability
due to passing unvalidated input from a file into a string-type eval "eval".
Specifically, the issue stems from the evaluation of Number format strings
(not to be confused with printf-style format strings) within the Excel parsing logic.
more... | p5-Spreadsheet-ParseExcel
more detail |
2024-02-11 | VuXML ID cbfc1591-c8c0-11ee-b45a-589cfc0f81b0
phpMyFAQ team reports:
phpMyFAQ doesn't implement sufficient checks to avoid XSS when
storing attachment filenames. The 'sharing FAQ' functionality
allows any unauthenticated actor to misuse the phpMyFAQ application
to send arbitrary emails to a large range of targets. phpMyFAQ's
user removal page allows an attacker to spoof another user's
detail, and in turn make a compelling phishing case for removing
another user's account.
more... | phpmyfaq-php81 phpmyfaq-php82 phpmyfaq-php83
more detail |
2024-02-08 | VuXML ID 19047673-c680-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 3 security fixes:
- [41494539] High CVE-2024-1284: Use after free in Mojo. Reported by Anonymous on 2024-01-25
- [41494860] High CVE-2024-1283: Heap buffer overflow in Skia. Reported by Jorge Buzeti (@r3tr074) on 2024-01-25
more... | chromium qt5-webengine qt6-webengine ungoogled-chromium
more detail |
2024-02-08 | VuXML ID 19e6dd1b-c6a5-11ee-9cd0-6cc21735f730
PostgreSQL Project reports:
One step of a concurrent refresh command was run under
weak security restrictions. If a materialized view's
owner could persuade a superuser or other
high-privileged user to perform a concurrent refresh on
that view, the view's owner could control code executed
with the privileges of the user running REFRESH. The fix
for the vulnerability makes it so that all
user-determined code is run as the view's owner, as
expected.
more... | postgresql-server
more detail |
2024-02-08 | VuXML ID 33ba2241-c68e-11ee-9ef3-001999f8d30b
Composer reports:
Code execution and possible privilege escalation via
compromised InstalledVersions.php or installed.php.
Several files within the local working directory are
included during the invocation of Composer and in the
context of the executing user.
As such, under certain conditions arbitrary code
execution may lead to local privilege escalation, provide
lateral user movement or malicious code execution when
Composer is invoked within a directory with tampered
files.
All Composer CLI commands are affected, including
composer.phar's self-update.
more... | php81-composer php82-composer php83-composer
more detail |
2024-02-08 | VuXML ID 6b2cba6a-c6a5-11ee-97d0-001b217b3468
Gitlab reports:
Restrict group access token creation for custom roles
Project maintainers can bypass group's scan result policy block_branch_modification setting
ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax
Resource exhaustion using GraphQL vulnerabilitiesCountByDay
more... | gitlab-ce
more detail |
2024-02-07 | VuXML ID 68ae70c5-c5e5-11ee-9768-08002784c58d
The ClamAV project reports:
- CVE-2024-20290
A vulnerability in the OLE2 file format parser of ClamAV
could allow an unauthenticated, remote attacker to cause
a denial of service (DoS) condition on an affected
device. This vulnerability is due to an incorrect check
for end-of-string values during scanning, which may
result in a heap buffer over-read. An attacker could
exploit this vulnerability by submitting a crafted file
containing OLE2 content to be scanned by ClamAV on an
affected device. A successful exploit could allow the
attacker to cause the ClamAV scanning process to
terminate, resulting in a DoS condition on the affected
software and consuming available system resources.
- CVE-2024-20328
Fixed a possible command injection vulnerability in the
"VirusEvent" feature of ClamAV's ClamD
service. To fix this issue, we disabled the '%f' format
string parameter. ClamD administrators may continue to
use the `CLAM_VIRUSEVENT_FILENAME` environment variable,
instead of '%f'. But you should do so only from within
an executable, such as a Python script, and not directly
in the clamd.conf "VirusEvent" command.
more... | clamav clamav-lts
more detail |
2024-02-07 | VuXML ID e0f6215b-c59e-11ee-a6db-080027a5b8e9
Django reports:
CVE-2024-24680: Potential denial-of-service in intcomma template filter.
more... | py310-django32 py310-django42 py311-django32 py311-django42 py311-django50 py39-django32 py39-django42
more detail |
2024-02-02 | VuXML ID 72d6d757-c197-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 17 security fixes:
- [1484394] High CVE-2024-0812: Inappropriate implementation in Accessibility. Reported by Anonymous on 2023-09-19
- [1504936] High CVE-2024-0808: Integer underflow in WebUI. Reported by Lyra Rebane (rebane2001) on 2023-11-24
- [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools. Reported by Shaheen Fazim on 2023-10-26
- [1463935] Medium CVE-2024-0814: Incorrect security UI in Payments. Reported by Muneaki Nishimura (nishimunea) on 2023-07-11
- [1477151] Medium CVE-2024-0813: Use after free in Reading Mode. Reported by @retsew0x01 on 2023-08-30
- [1505176] Medium CVE-2024-0806: Use after free in Passwords. Reported by 18楼梦想改造家 on 2023-11-25
- [1514925] Medium CVE-2024-0805: Inappropriate implementation in Downloads. Reported by Om Apip on 2024-01-01
- [1515137] Medium CVE-2024-0804: Insufficient policy enforcement in iOS Security UI. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2024-01-03
- [1494490] Low CVE-2024-0811: Inappropriate implementation in Extensions API. Reported by Jann Horn of Google Project Zero on 2023-10-21
- [1497985] Low CVE-2024-0809: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-10-31
more... | chromium ungoogled-chromium
more detail |
2024-02-02 | VuXML ID dc9e5237-c197-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [1511567] High CVE-2024-1060: Use after free in Canvas. Reported by Anonymous on 2023-12-14
- [1514777] High CVE-2024-1059: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-12-29
- [1511085] High CVE-2024-1077: Use after free in Network. Reported by Microsoft Security Research Center on 2023-12-13
more... | chromium qt5-webengine qt6-webengine ungoogled-chromium
more detail |
2024-02-01 | VuXML ID 13a8c4bf-cb2b-48ec-b49c-a3875c72b3e8
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-0807.
more... | electron26 electron27 electron28
more detail |
2024-01-31 | VuXML ID 10dee731-c069-11ee-9190-84a93843eb75
The OpenSSL project reports:
Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
PKCS12 Decoding crashes (CVE-2024-0727)
more... | openssl openssl-quictls openssl31 openssl31-quictls openssl32
more detail |
2024-01-31 | VuXML ID 67c2eb06-5579-4595-801b-30355be24654
cve@mitre.org reports:
In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product
was renamed), there is an unchecked buffer size during a memcpy in
the Lizard_decompress_LIZv1 function (lib/lizard_decompress_liz.h).
Remote attackers can leverage this vulnerability to cause a denial
of service via a crafted input file, as well as achieve remote code
execution.
more... | lizard
more detail |
2024-01-31 | VuXML ID bbcb1584-c068-11ee-bdd6-4ccc6adda413
Qt qtwebengine-chromium repo reports:
Backports for 3 security bugs in Chromium:
- [1505080] High CVE-2024-0807: Use after free in WebAudio
- [1504936] Critical CVE-2024-0808: Integer underflow in WebUI
- [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools
more... | qt5-webengine qt6-webengine
more detail |
2024-01-29 | VuXML ID a11e7dd1-bed4-11ee-bdd6-4ccc6adda413
Qt qtwebengine-chromium repo reports:
Backports for 8 security bugs in Chromium:
- [1505053] High CVE-2023-6345: Integer overflow in Skia
- [1501326] High CVE-2023-6702: Type Confusion in V8
- [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
- [1501798] High CVE-2024-0222: Use after free in ANGLE
- [1505086] High CVE-2024-0224: Use after free in WebAudio
- [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
- [1507412] High CVE-2024-0518: Type Confusion in V8
- [1517354] High CVE-2024-0519: Out of bounds memory access in V8
more... | qt5-webengine
more detail |
2024-01-29 | VuXML ID a25b323a-bed9-11ee-bdd6-4ccc6adda413
Qt qtwebengine-chromium repo reports:
Backports for 15 security bugs in Chromium:
- [1505053] High CVE-2023-6345: Integer overflow in Skia
- [1500856] High CVE-2023-6346: Use after free in WebAudio
- [1494461] High CVE-2023-6347: Use after free in Mojo
- [1501326] High CVE-2023-6702: Type Confusion in V8
- [1502102] High CVE-2023-6703: Use after free in Blink
- [1505708] High CVE-2023-6705: Use after free in WebRTC
- [1500921] High CVE-2023-6706: Use after free in FedCM
- [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
- [1501798] High CVE-2024-0222: Use after free in ANGLE
- [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE
- [1505086] High CVE-2024-0224: Use after free in WebAudio
- [1506923] High CVE-2024-0225: Use after free in WebGPU
- [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
- [1507412] High CVE-2024-0518: Type Confusion in V8
- [1517354] High CVE-2024-0519: Out of bounds memory access in V8
more... | qt6-webengine
more detail |
2024-01-26 | VuXML ID 61fe903b-bc2e-11ee-b06e-001b217b3468
Gitlab reports:
Arbitrary file write while creating workspace
ReDoS in Cargo.toml blob viewer
Arbitrary API PUT requests via HTML injection in user's name
Disclosure of the public email in Tags RSS Feed
Non-Member can update MR Assignees of owned MRs
more... | gitlab-ce
more detail |
2024-01-26 | VuXML ID b5e22ec5-bc4b-11ee-b0b5-b42e991fc52e
Multiple vulnerabilities in ssh and golang
- CVE-2023-45286: HTTP request body disclosure in go-resty
disclosure across requests.
- CVE-2023-48795: The SSH transport protocol with certain
OpenSSH extensions, found in OpenSSH before 9.6 and
other products, allows remote attackers to bypass
integrity checks.
more... | rclone
more detail |
2024-01-24 | VuXML ID 8b03d274-56ca-489e-821a-cf32f07643f0
Jenkins Security Advisory:
(Critical) SECURITY-3314 / CVE-2024-23897
Arbitrary file read vulnerability through the CLI can lead to RCE
(High) SECURITY-3315 / CVE-2024-23898
Cross-site WebSocket hijacking vulnerability in the CLI
more... | jenkins jenkins-lts
more detail |
2024-01-23 | VuXML ID 9532a361-b84d-11ee-b0d7-84a93843eb75
TinyMCE reports:
Special characters in unescaped text nodes can trigger mXSS
when using TinyMCE undo/redo, getContentAPI, resetContentAPI,
and Autosave plugin
more... | roundcube tinymce
more detail |
2024-01-22 | VuXML ID fedf7e71-61bd-49ec-aaf0-6da14bdbb319
Tim Wojtulewicz of Corelight reports:
A specially-crafted series of packets containing nested
MIME entities can cause Zeek to spend large amounts of
time parsing the entities.
more... | zeek
more detail |
2024-01-19 | VuXML ID 2264566a-a890-46eb-a895-7881dd220bd0
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-0519.
more... | electron26
more detail |
2024-01-18* | VuXML ID a8326b61-eda0-4c03-9a5b-49ebd8f41c1a
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-0518.
- Security: backported fix for CVE-2024-0517.
more... | electron26 electron27
more detail |
2024-01-17 | VuXML ID 1bc07be0-b514-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [1515930] High CVE-2024-0517: Out of bounds write in V8. Reported by Toan (suto) Pham of Qrious Secure on 2024-01-06
- [1507412] High CVE-2024-0518: Type Confusion in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2023-12-03
- [1517354] High CVE-2024-0519: Out of bounds memory access in V8. Reported by Anonymous on 2024-01-11
more... | chromium ungoogled-chromium
more detail |
2024-01-16 | VuXML ID 7467c611-b490-11ee-b903-001fc69cd6dc
The X.Org project reports:
- CVE-2023-6816: Heap buffer overflow in DeviceFocusEvent
and ProcXIQueryPointer
Both DeviceFocusEvent and the XIQueryPointer reply contain a bit
for each logical button currently down. Buttons can be arbitrarily
mapped to any value up to 255 but the X.Org Server was only
allocating space for the device's number of buttons,
leading to a heap overflow if a bigger value was used.
- CVE-2024-0229: Reattaching to different master device may lead
to out-of-bounds memory access
If a device has both a button class and a key class and
numButtons is zero, we can get an out-of-bounds write due
to event under-allocation in the DeliverStateNotifyEvent
function.
- CVE-2024-21885: Heap buffer overflow in
XISendDeviceHierarchyEvent
The XISendDeviceHierarchyEvent() function allocates space to
store up to MAXDEVICES (256) xXIHierarchyInfo structures in info.
If a device with a given ID was removed and a new device with
the same ID added both in the same operation,
the single device ID will lead to two info structures being
written to info.
Since this case can occur for every device ID at once,
a total of two times MAXDEVICES info structures might be written
to the allocation, leading to a heap buffer overflow.
- CVE-2024-21886: Heap buffer overflow in DisableDevice
The DisableDevice() function is called whenever an enabled device
is disabled and it moves the device from the inputInfo.devices
linked list to the inputInfo.off_devices linked list.
However, its link/unlink operation has an issue during the recursive
call to DisableDevice() due to the prev pointer pointing to a
removed device.
This issue leads to a length mismatch between the total number of
devices and the number of devices in the list, leading to a heap
overflow and, possibly, to local privilege escalation.
more... | xephyr xorg-nestserver xorg-server xorg-vfbserver xwayland xwayland-devel
more detail |
2024-01-12 | VuXML ID 28b42ef5-80cd-440c-904b-b7fbca74c73d
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-0224.
- Security: backported fix for CVE-2024-0225.
- Security: backported fix for CVE-2024-0223.
- Security: backported fix for CVE-2024-0222.
more... | electron26 electron27
more detail |
2024-01-12 | VuXML ID 4c8c2218-b120-11ee-90ec-001b217b3468
Gitlab reports:
Account Takeover via Password Reset without user interactions
Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user
Bypass CODEOWNERS approval removal
Workspaces able to be created under different root namespace
Commit signature validation ignores headers after signature
more... | gitlab-ce
more detail |
2024-01-11 | VuXML ID 8337251b-b07b-11ee-b0d7-84a93843eb75
SO-AND-SO reports:
The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications running
on PowerPC CPU based platforms if the CPU provides vector instructions.
more... | openssl openssl-quictls openssl31 openssl31-quictls openssl32
more detail |
2024-01-10 | VuXML ID ec8e4040-afcd-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [1513379] High CVE-2024-0333: Insufficient data validation in Extensions. Reported by Malcolm Stagg (@malcolmst) of SODIUM-24, LLC on 2023-12-20
more... | chromium ungoogled-chromium
more detail |
2024-01-07 | VuXML ID e2f981f1-ad9e-11ee-8b55-4ccc6adda413
Andy Shaw reports:
A potential integer overflow has been discovered in Qt's HTTP2
implementation. If the HTTP2 implementation receives more than 4GiB
in total headers, or more than 2GiB for any given header pair, then
the internal buffers may overflow.
more... | qt5-network qt6-base
more detail |
2024-01-06 | VuXML ID 1f0d0024-ac9c-11ee-8e91-1c697a013f4b
Mantis 2.25.8 release reports:
Security and maintenance release
- 0032432: Update guzzlehttp/psr7 to 1.9.1 (CVE-2023-29197)
- 0032981: Information Leakage on DokuWiki Integration (CVE-2023-44394)
more... | mantis-php74 mantis-php80 mantis-php81 mantis-php82 mantis-php83
more detail |
2024-01-04 | VuXML ID 0cee4f9c-5efb-4770-b917-f4e4569e8bec
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6704.
- Security: backported fix for CVE-2023-6705.
- Security: backported fix for CVE-2023-6703.
- Security: backported fix for CVE-2023-6702.
more... | electron26
more detail |
2024-01-04 | VuXML ID 3ee577a9-aad4-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 6 security fixes:
- [1501798] High CVE-2024-0222: Use after free in ANGLE. Reported by Toan (suto) Pham of Qrious Secure on 2023-11-13
- [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE. Reported by Toan (suto) Pham and Tri Dang of Qrious Secure on 2023-11-24
- [1505086] High CVE-2024-0224: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-25
- [1506923] High CVE-2024-0225: Use after free in WebGPU. Reported by Anonymous on 2023-12-01
more... | chromium ungoogled-chromium
more detail |
2024-01-04 | VuXML ID d1b20e09-dbdf-432b-83c7-89f0af76324a
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6706.
- Security: backported fix for CVE-2023-6705.
- Security: backported fix for CVE-2023-6703.
- Security: backported fix for CVE-2023-6702.
- Security: backported fix for CVE-2023-6704.
more... | electron27
more detail |
2024-01-02 | VuXML ID 13d83980-9f18-11ee-8e38-002590c1f29c
Problem Description:
The SSH protocol executes an initial handshake between the
server and the client. This protocol handshake includes the
possibility of several extensions allowing different options to be
selected. Validation of the packets in the handshake is done through
sequence numbers.
Impact:
A man in the middle attacker can silently manipulate handshake
messages to truncate extension negotiation messages potentially
leading to less secure client authentication algorithms or deactivating
keystroke timing attack countermeasures.
more... | FreeBSD
more detail |
2023-12-31* | VuXML ID 2fe004f5-83fd-11ee-9f5d-31909fb2f495
The OpenVPN community project team reports:
CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore "--fragment" configuration in some circumstances, leading to a division by zero when "--fragment" is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash.
Reported by Niccolo Belli and WIPocket (Github #400, #417).
CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417)
more... | openvpn openvpn-devel
more detail |
2023-12-22 | VuXML ID 7015ab21-9230-490f-a2fe-f7557e3de25d
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6508.
- Security: backported fix for CVE-2023-7024.
more... | electron26 electron27
more detail |
2023-12-21 | VuXML ID 1b2a8e8a-9fd5-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC. Reported by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group on 2023-12-19
more... | chromium ungoogled-chromium
more detail |
2023-12-21 | VuXML ID b2765c89-a052-11ee-bed2-596753f1a87c
The Gitea team reports:
Update golang.org/x/crypto
more... | gitea
more detail |
2023-12-19 | VuXML ID 0f7598cc-9fe2-11ee-b47f-901b0e9408dc
Upstream reports:
Security fix:
- Update golang.org/x/crypto, which includes a fix for CVE-2023-48795.
more... | nebula
more detail |
2023-12-19 | VuXML ID 76c2110b-9e97-11ee-ae23-a0f3c100ae18
Slurm release notes:
CVE-2023-49933 through CVE-2023-49938
Slurm versions 23.11.1, 23.02.7, 22.05.11 are now available
and address a number of recently-discovered security issues.
They've been assigned CVE-2023-49933 through CVE-2023-49938.
more... | slurm-wlm
more detail |
2023-12-19 | VuXML ID 91955195-9ebb-11ee-bc14-a703705db3a6
Simon Tatham reports:
PuTTY version 0.80 [contains] one security fix [...] for a newly discovered security issue known as the 'Terrapin'
attack, also numbered CVE-2023-48795. The issue affects widely-used
OpenSSH extensions to the SSH protocol: the ChaCha20+Poly1305
cipher system, and 'encrypt-then-MAC' mode.
In order to benefit from the fix, you must be using a fixed version
of PuTTY _and_ a server with the fix, so that they can agree to
adopt a modified version of the protocol. [...]
more... | putty putty-nogtk
more detail |
2023-12-17 | VuXML ID fd47fcfe-ec69-4000-b9ce-e5e62102c1c7
Nick Vatamane reports:
Design documents with matching document IDs, from databases on the
same cluster, may share a mutable Javascript environment when using
various design document functions.
more... | couchdb
more detail |
2023-12-14* | VuXML ID 9cbbc506-93c1-11ee-8e38-002590c1f29c
Problem Description:
As part of its stateful TCP connection tracking implementation,
pf performs sequence number validation on inbound packets. This
makes it difficult for a would-be attacker to spoof the sender and
inject packets into a TCP stream, since crafted packets must contain
sequence numbers which match the current connection state to avoid
being rejected by the firewall.
A bug in the implementation of sequence number validation means
that the sequence number is not in fact validated, allowing an
attacker who is able to impersonate the remote host and guess the
connection's port numbers to inject packets into the TCP stream.
Impact:
An attacker can, with relatively little effort, inject packets
into a TCP stream destined to a host behind a pf firewall. This
could be used to implement a denial-of-service attack for hosts
behind the firewall, for example by sending TCP RST packets to the
host.
more... | FreeBSD-kernel
more detail |
2023-12-14 | VuXML ID e2fb85ce-9a3c-11ee-af26-001b217b3468
Gitlab reports:
Smartcard authentication allows impersonation of arbitrary user using user's public certificate
When subgroup is allowed to merge or push to protected branches, subgroup members with the Developer role may gain the ability to push or merge
The GitLab web interface does not ensure the integrity of information when downloading the source code from installation packages or tags
Project maintainer can escalate to Project owner using project access token rotate API
Omission of Double Encoding in File Names Facilitates the Creation of Repositories with Malicious Content
Unvalidated timeSpent value leads to unable to load issues on Issue board
Developer can bypass predefined variables via REST API
Auditor users can create merge requests on projects they don't have access to
more... | gitlab-ce
more detail |
2023-12-13 | VuXML ID 502c9f72-99b3-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 9 security fixes:
- [1501326] High CVE-2023-6702: Type Confusion in V8. Reported by Zhiyi Zhang and Zhunki from Codesafe Team of Legendsec at Qi'anxin Group on 2023-11-10
- [1502102] High CVE-2023-6703: Use after free in Blink. Reported by Cassidy Kim(@cassidy6564) on 2023-11-14
- [1504792] High CVE-2023-6704: Use after free in libavif. Reported by Fudan University on 2023-11-23
- [1505708] High CVE-2023-6705: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-11-28
- [1500921] High CVE-2023-6706: Use after free in FedCM. Reported by anonymous on 2023-11-09
- [1504036] Medium CVE-2023-6707: Use after free in CSS. Reported by @ginggilBesel on 2023-11-21
more... | chromium ungoogled-chromium
more detail |
2023-12-13 | VuXML ID 8eefff69-997f-11ee-8e38-002590c1f29c
Problem Description:
In FreeBSD 13.2 and 14.0, the NFS client was optimized to improve
the performance of IO_APPEND writes, that is, writes which add data
to the end of a file and so extend its size. This uncovered an old
bug in some routines which copy userspace data into the kernel.
The bug also affects the NFS client's implementation of direct I/O;
however, this implementation is disabled by default by the
vfs.nfs.nfs_directio_enable sysctl and is only used to handle
synchronous writes.
Impact:
When a program running on an affected system appends data to a
file via an NFS client mount, the bug can cause the NFS client to
fail to copy in the data to be written but proceed as though the
copy operation had succeeded. This means that the data to be written
is instead replaced with whatever data had been in the packet buffer
previously. Thus, an unprivileged user with access to an affected
system may abuse the bug to trigger disclosure of sensitive
information. In particular, the leak is limited to data previously
stored in mbufs, which are used for network transmission and
reception, and for certain types of inter-process communication.
The bug can also be triggered unintentionally by system
applications, in which case the data written by the application to an
NFS mount may be corrupted. Corrupted data is written over the
network to the NFS server, and thus also susceptible to being snooped
by other hosts on the network.
Note that the bug exists only in the NFS client; the version and
implementation of the server have no effect on whether a given system
is affected by the problem.
more... | FreeBSD-kernel
more detail |
2023-12-13 | VuXML ID 972568d6-3485-40ab-80ff-994a8aaf9683
The X.Org project reports:
- CVE-2023-6377/ZDI-CAN-22412/ZDI-CAN-22413: X.Org
server: Out-of-bounds memory write in XKB button actions
A device has XKB button actions for each button on the
device. When a logical device switch happens (e.g. moving
from a touchpad to a mouse), the server re-calculates the
information available on the respective master device
(typically the Virtual Core Pointer). This re-calculation
only allocated enough memory for a single XKB action
instead of enough for the newly active physical
device's number of buttons. As a result, querying or
changing the XKB button actions results in out-of-bounds
memory reads and writes.
This may lead to local privilege escalation if the server is run as root or
remote code execution (e.g. x11 over ssh).
- CVE-2023-6478/ZDI-CAN-22561: X.Org server:
Out-of-bounds memory read in RRChangeOutputProperty and
RRChangeProviderProperty
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->nUnits bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.
more... | xephyr xorg-nestserver xorg-server xorg-vfbserver xwayland xwayland-devel
more detail |
2023-12-11 | VuXML ID 4405e9ad-97fe-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 10 security fixes:
- [1497984] High CVE-2023-6508: Use after free in Media Stream. Reported by Cassidy Kim(@cassidy6564) on 2023-10-31
- [1494565] High CVE-2023-6509: Use after free in Side Panel Search. Reported by Khalil Zhani on 2023-10-21
- [1480152] Medium CVE-2023-6510: Use after free in Media Capture. Reported by [pwn2car] on 2023-09-08
- [1478613] Low CVE-2023-6511: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-09-04
- [1457702] Low CVE-2023-6512: Inappropriate implementation in Web Browser UI. Reported by Om Apip on 2023-06-24
more... | chromium qt5-webengine qt6-webengine ungoogled-chromium
more detail |
2023-12-10 | VuXML ID 2bc376c0-977e-11ee-b4bc-b42e991fc52e
security@apache.org reports:
Authorization Bypass Through User-Controlled Key vulnerability in
Apache ZooKeeper. If SASL Quorum Peer authentication is enabled
in ZooKeeper (quorum.auth.enableSasl=true), the authorization is
done by verifying that the instance part in SASL authentication ID
is listed in zoo.cfg server list. The instance part in SASL auth
ID is optional and if it's missing, like 'eve@EXAMPLE.COM',
the authorization check will be skipped. As a result an arbitrary
endpoint could join the cluster and begin propagating counterfeit
changes to the leader, essentially giving it complete read-write
access to the data tree. Quorum Peer authentication is not enabled
by default.
Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2,
which fixes the issue.
Alternately ensure the ensemble election/quorum communication is
protected by a firewall as this will mitigate the issue.
See the documentation for more details on correct cluster administration.
more... | zookeeper
more detail |
2023-12-09 | VuXML ID bbda3d16-968e-11ee-b780-b42e991fc52e
cve@mitre.org reports:
strongSwan before 5.9.12 has a buffer overflow and possible
unauthenticated remote code execution via a DH public value that
exceeds the internal buffer in charon-tkm's DH proxy. The
earliest affected version is 5.3.0. An attack can occur via a
crafted IKE_SA_INIT message.
more... | null
more detail |
2023-12-07 | VuXML ID e07a7754-12a4-4661-b852-fd221d68955f
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6350.
- Security: backported fix for CVE-2023-6351.
more... | electron25
more detail |
2023-12-02 | VuXML ID f25a34b1-910d-11ee-a1a2-641c67a117d8
Varnish Cache Project reports:
A denial of service attack can be performed on Varnish Cache servers
that have the HTTP/2 protocol turned on. An attacker can create a large
volume of streams and immediately reset them without ever reaching the
maximum number of concurrent streams allowed for the session, causing
the Varnish server to consume unnecessary resources processing requests
for which the response will not be delivered.
more... | varnish6 varnish7
more detail |
2023-12-01 | VuXML ID 302fc846-860f-482e-a8f6-ee9f254dfacf
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6345.
- Security: backported fix for CVE-2023-6346.
- Security: backported fix for CVE-2023-6347.
more... | electron25
more detail |
2023-12-01 | VuXML ID 3b14b2b4-9014-11ee-98b3-001b217b3468
Gitlab reports:
XSS and ReDoS in Markdown via Banzai pipeline of Jira
Members with admin_group_member custom permission can add members with higher role
Release Description visible in public projects despite release set as project members only through atom response
Manipulate the repository content in the UI (CVE-2023-3401 bypass)
External user can abuse policy bot to gain access to internal projects
Client-side DOS via Mermaid Flowchart
Developers can update pipeline schedules to use protected branches even if they don't have permission to merge
Users can install Composer packages from public projects even when Package registry is turned off
Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches
Guest users can react (emojis) on confidential work items which they can't see in a project
more... | gitlab-ce
more detail |
2023-12-01 | VuXML ID 7e1a508f-7167-47b0-b9fc-95f541933a86
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6345.
- Security: backported fix for CVE-2023-6346.
- Security: backported fix for CVE-2023-6347.
- Security: backported fix for CVE-2023-6350.
more... | electron26
more detail |
2023-11-29 | VuXML ID 8cdd38c7-8ebb-11ee-86bb-a8a1599412c6
Chrome Releases reports:
This update includes 7 security fixes:
- [1491459] High CVE-2023-6348: Type Confusion in Spellcheck. Reported by Mark Brand of Google Project Zero on 2023-10-10
- [1494461] High CVE-2023-6347: Use after free in Mojo. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2023-10-21
- [1500856] High CVE-2023-6346: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-09
- [1501766] High CVE-2023-6350: Out of bounds memory access in libavif. Reported by Fudan University on 2023-11-13
- [1501770] High CVE-2023-6351: Use after free in libavif. Reported by Fudan University on 2023-11-13
- [1505053] High CVE-2023-6345: Integer overflow in Skia. Reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group on 2023-11-24
more... | chromium qt5-webengine qt6-webengine ungoogled-chromium
more detail |
2023-11-26 | VuXML ID 388e6557-8c80-11ee-9ee3-84a93843eb75
The MariaDB project reports:
Easily exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise MySQL
Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server.
more... | mariadb1011-server mariadb105-server mariadb106-server
more detail |
2023-11-24 | VuXML ID a62c0c50-8aa0-11ee-ac0d-00e0670f2660
strongSwan reports:
A vulnerability in charon-tkm related to processing
DH public values was discovered in strongSwan
that can result in a buffer overflow and potentially
remote code execution. All versions since
5.3.0 are affected.
more... | strongswan
more detail |
2023-11-22 | VuXML ID 147353a3-c33b-46d1-b751-e72c0d7f29df
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-5997.
more... | electron25 electron26
more detail |
2023-11-16 | VuXML ID 0da4db89-84bf-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [1497997] High CVE-2023-5997: Use after free in Garbage Collection. Reported by Anonymous on 2023-10-31
- [1499298] High CVE-2023-6112: Use after free in Navigation. Reported by Sergei Glazunov of Google Project Zero on 2023-11-04
more... | chromium qt5-webengine qt6-webengine ungoogled-chromium
more detail |
2023-11-16 | VuXML ID a30f1a12-117f-4dac-a1d0-d65eaf084953
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-5996.
more... | electron25 electron26
more detail |
2023-11-15 | VuXML ID 7cc003cb-83b9-11ee-957d-b42e991fc52e
security-advisories@github.com reports:
Weak Authentication in Session Handling in typo3/cms-core:
In typo3 installations there are always
at least two different sites. Eg. first.example.org and
second.example.com. In affected versions a session cookie
generated for the first site can be reused on the second site
without requiring additional authentication. This
vulnerability has been addressed in versions 8.7.55, 9.5.44,
10.4.41, 11.5.33, and 12.4.8. Users are advised to upgrade.
There are no known workarounds for this vulnerability.
Information Disclosure in Install Tool in typo3/cms-install:
In affected versions the login screen of the standalone
install tool discloses the full path of the transient data
directory (e.g. /var/www/html/var/transient/). This applies
to composer-based scenarios only - classic non-composer
installations are not affected. This issue has been addressed
in version 12.4.8. Users are advised to upgrade. There are
no known workarounds for this vulnerability.
By-passing Cross-Site Scripting Protection in HTML Sanitizer:
In affected versions DOM processing instructions are not
handled correctly. This allows bypassing the cross-site
scripting mechanism of typo3/html-sanitizer. This
vulnerability has been addressed in versions 1.5.3 and 2.1.4.
Users are advised to upgrade. There are no known workarounds
for this vulnerability.
more... | typo3-11 typo3-12
more detail |
2023-11-09 | VuXML ID 0f445859-7f0e-11ee-94b4-6cc21735f730
PostgreSQL Project reports:
While modifying certain SQL array values, missing
overflow checks let authenticated database users write
arbitrary bytes to a memory area that facilitates
arbitrary code execution. Missing overflow checks also
let authenticated database users read a wide area of
server memory. The CVE-2021-32027 fix covered some
attacks of this description, but it missed others.
more... | postgresql-server
more detail |
2023-11-09 | VuXML ID 31f45d06-7f0e-11ee-94b4-6cc21735f730
PostgreSQL Project reports:
Certain aggregate function calls receiving "unknown"-type
arguments could disclose bytes of server memory from the end of
the "unknown"-type value to the next zero byte. One typically
gets an "unknown"-type value via a string literal having no type
designation. We have not confirmed or ruled out viability of
attacks that arrange for presence of notable, confidential
information in disclosed bytes.
more... | postgresql-server
more detail |
2023-11-09 | VuXML ID 5558dded-a870-4fbe-8b0a-ba198db47007
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-5849.
- Security: backported fix for CVE-2023-5482.
more... | electron25 electron26
more detail |
2023-11-09 | VuXML ID bbb18fcb-7f0d-11ee-94b4-6cc21735f730
PostgreSQL Project reports:
Documentation says the pg_cancel_backend role cannot
signal "a backend owned by a superuser". On the
contrary, it can signal background workers, including
the logical replication launcher. It can signal
autovacuum workers and the autovacuum launcher.
Signaling autovacuum workers and those two launchers
provides no meaningful exploit, so exploiting this
vulnerability requires a non-core extension with a
less-resilient background worker. For example, a
non-core background worker that does not auto-restart
would experience a denial of service with respect to
that particular background worker.
more... | postgresql-server
more detail |
2023-11-08 | VuXML ID 4ade0c4d-7e83-11ee-9a8c-00155d01f201
cve@mitre.org reports:
Multiple signed integers overflow in function au_read_header in
src/au.c and in functions mat4_open and mat4_read_header in src/mat4.c
in Libsndfile, allows an attacker to cause Denial of Service or
other unspecified impacts.
more... | libsndfile
more detail |
2023-11-08 | VuXML ID 5afcc9a4-7e04-11ee-8e38-002590c1f29c
Problem Description:
For line-buffered streams the __sflush() function did not
correctly update the FILE object's write space member when the
write(2) system call returns an error.
Impact:
Depending on the nature of an application that calls libc's
stdio functions and the presence of errors returned from the write(2)
system call (or an overridden stdio write routine) a heap buffer
overflow may occur. Such overflows may lead to data corruption or
the execution of arbitrary code at the privilege level of the calling
program.
more... | FreeBSD
more detail |
2023-11-08 | VuXML ID 77fc311d-7e62-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [1497859] High CVE-2023-5996: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab via Tianfu Cup 2023 on 2023-10-30
more... | chromium ungoogled-chromium
more detail |
2023-11-08 | VuXML ID a5956603-7e4f-11ee-9df6-84a93843eb75
The OpenSSL project reports:
Excessive time spent in DH check / generation with large Q
parameter value (low).
Generating excessively long X9.42 DH keys or checking
excessively long X9.42 DH keys or parameters may be very slow.
more... | openssl openssl-quictls openssl111 openssl31 openssl31-quictls
more detail |
2023-11-08 | VuXML ID f4464e49-7e04-11ee-8e38-002590c1f29c
Problem Description:
Casper services allow limiting operations that a process can
perform. Each service maintains a specific list of permitted
operations. Certain operations can be further restricted, such as
specifying which domain names can be resolved. During the verification
of limits, the service must ensure that the new set of constraints
is a subset of the previous one. In the case of the cap_net service,
the currently limited set of domain names was fetched incorrectly.
Impact:
In certain scenarios, if only a list of resolvable domain names
was specified without setting any other limitations, the application
could submit a new list of domains including entries not
previously in the list.
more... | FreeBSD
more detail |
2023-11-05 | VuXML ID a1a1f81c-7c13-11ee-bcf1-f8b156b6dcc8
Frank-Z7 reports:
Heap buffer overflow when vorbis-tools/oggenc converts
WAV files to Ogg files.
more... | vorbis-tools
more detail |
2023-11-03 | VuXML ID a1e27775-7a61-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 15 security fixes:
- [1492698] High CVE-2023-5480: Inappropriate implementation in Payments. Reported by Vsevolod Kokorin (Slonser) of Solidlab on 2023-10-14
- [1492381] High CVE-2023-5482: Insufficient data validation in USB. Reported by DarkNavy on 2023-10-13
- [1492384] High CVE-2023-5849: Integer overflow in USB. Reported by DarkNavy on 2023-10-13
- [1281972] Medium CVE-2023-5850: Incorrect security UI in Downloads. Reported by Mohit Raj (shadow2639) on 2021-12-22
- [1473957] Medium CVE-2023-5851: Inappropriate implementation in Downloads. Reported by Shaheen Fazim on 2023-08-18
- [1480852] Medium CVE-2023-5852: Use after free in Printing. Reported by [pwn2car] on 2023-09-10
- [1456876] Medium CVE-2023-5853: Incorrect security UI in Downloads. Reported by Hafiizh on 2023-06-22
- [1488267] Medium CVE-2023-5854: Use after free in Profiles. Reported by Dohyun Lee (@l33d0hyun) of SSD-Disclosure Labs & DNSLab, Korea Univ on 2023-10-01
- [1492396] Medium CVE-2023-5855: Use after free in Reading Mode. Reported by ChaobinZhang on 2023-10-13
- [1493380] Medium CVE-2023-5856: Use after free in Side Panel. Reported by Weipeng Jiang (@Krace) of VRI on 2023-10-17
- [1493435] Medium CVE-2023-5857: Inappropriate implementation in Downloads. Reported by Will Dormann on 2023-10-18
- [1457704] Low CVE-2023-5858: Inappropriate implementation in WebApp Provider. Reported by Axel Chong on 2023-06-24
- [1482045] Low CVE-2023-5859: Incorrect security UI in Picture In Picture. Reported by Junsung Lee on 2023-09-13
more... | chromium qt6-webengine ungoogled-chromium
more detail |
2023-11-02 | VuXML ID 4f370c80-79ce-11ee-be8e-589cfc0f81b0
phpmyfaq developers report:
XSS
Insufficient session expiration
more... | phpmyfaq-php80 phpmyfaq-php81 phpmyfaq-php82 phpmyfaq-php83
more detail |
2023-11-02 | VuXML ID fe7ac70a-792b-11ee-bf9a-a04a5edf46d9
Frank-Z7 reports:
Running optipng with the "-zm 3 -zc 1 -zw 256 -snip -out"
configuration options enabled raises a global-buffer-overflow bug,
which could allow a remote attacker to conduct a denial-of-service
attack or other unspecified effect on a crafted file.
more... | optipng
more detail |
2023-11-01 | VuXML ID a612c25f-788a-11ee-8d57-001b217b3468
Gitlab reports:
Disclosure of CI/CD variables using Custom project templates
GitLab omnibus DoS crash via OOM with CI Catalogs
Parsing gitlab-ci.yml with large string via timeout input leads to Denial of Service
DoS - Blocking FIFO files in Tar archives
Titles exposed by service-desk template
Approval on protected environments can be bypassed
Version information disclosure when super_sidebar_logged_out feature flag is enabled
Add abuse detection for search syntax filter pipes
more... | gitlab-ce
more detail |
2023-11-01 | VuXML ID d2505ec7-78ea-11ee-9131-6f01853956d5
VMware reports:
This update includes 2 security fixes:
- High CVE-2023-34058: SAML token signature bypass vulnerability
- High CVE-2023-34059: File descriptor hijack vulnerability in the vmware-user-suid-wrapper
more... | open-vm-tools open-vm-tools-nox11
more detail |
2023-10-27 | VuXML ID 386a14bb-1a21-41c6-a2cf-08d79213379b
Tim Wojtulewicz of Corelight reports:
A specially-crafted SSL packet could cause Zeek to
leak memory and potentially crash.
A specially-crafted series of FTP packets could cause
Zeek to log entries for requests that have already been
completed, using resources unnecessarily and potentially
causing Zeek to lose other traffic.
A specially-crafted series of SSL packets could cause
Zeek to output a very large number of unnecessary alerts
for the same record.
A specially-crafted series of SSL packets could cause
Zeek to generate very long ssl_history fields in the
ssl.log, potentially using a large amount of memory due
to unbounded state growth
A specially-crafted IEEE802.11 packet could cause
Zeek to overflow memory and potentially crash
more... | zeek
more detail |
2023-10-27 | VuXML ID db33e250-74f7-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 2 security fixes:
- [1491296] High CVE-2023-5472: Use after free in Profiles. Reported by @18楼梦想改造家 on 2023-10-10
more... | chromium ungoogled-chromium
more detail |
2023-10-25 | VuXML ID 9e2fdfc7-e237-4393-9fa5-2d50908c66b3
The X.Org project reports:
- ZDI-CAN-22153/CVE-2023-5367: X.Org server: OOB write
in XIChangeDeviceProperty/RRChangeOutputProperty
When prepending values to an existing property an
invalid offset calculation causes the existing values to
be appended at the wrong offset. The resulting memcpy()
would write into memory outside the heap-allocated
array.
- ZDI-CAN-21608/CVE-2023-5380: Use-after-free bug in
DestroyWindow
This vulnerability requires a legacy multi-screen setup
with multiple protocol screens ("Zaphod"). If the pointer
is warped from one screen to the root window of the other
screen, the enter/leave code may retain a reference to the
previous pointer window. Destroying this window leaves
that reference in place, other windows may then trigger a
use-after-free bug when they are destroyed.
more... | xephyr xorg-nestserver xorg-server xorg-vfbserver xwayland xwayland-devel
more detail |
2023-10-25 | VuXML ID a8fb8e3a-730d-11ee-ab61-b42e991fc52e
The squid-cache project reports:
- Denial of Service in FTP
- Request/Response smuggling in HTTP/1.1 and ICAP
- Denial of Service in HTTP Digest Authentication
more... | squid
more detail |
2023-10-24 | VuXML ID 4a4712ae-7299-11ee-85eb-84a93843eb75
SO-AND-SO reports:
Moderate severity: A bug has been identified in the processing
of key and initialisation vector (IV) lengths. This can lead to
potential truncation or overruns during the initialisation of
some symmetric ciphers.
more... | openssl openssl-quictls openssl31
more detail |
2023-10-23 | VuXML ID 22df5074-71cd-11ee-85eb-84a93843eb75
Oracle reports:
This Critical Patch Update contains 37 new security patches, plus
additional third party patches noted below, for Oracle MySQL. 9 of
these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without
requiring user credentials.
more... | mysql-connector-c++ mysql-connector-j mysql-connector-odbc mysql57-server mysql80-server
more detail |
2023-10-19 | VuXML ID 9000591b-483b-45ac-9c87-b3df3a4198ec
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-5218.
more... | electron25 electron26
more detail |
2023-10-19 | VuXML ID f923205f-6e66-11ee-85eb-84a93843eb75
The Apache httpd project reports:
- CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
memory not reclaimed right away on RST
- CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
initial windows size 0
- CVE-2023-31122: mod_macro buffer over-read
more... | apache24
more detail |
2023-10-18 | VuXML ID 1ee26d45-6ddb-11ee-9898-00e081b7aa2d
Jenkins Security Advisory:
Description
(High) SECURITY-3291 / CVE-2023-36478, CVE-2023-44487
HTTP/2 denial of service vulnerability in bundled Jetty
more... | jenkins jenkins-lts
more detail |
2023-10-18 | VuXML ID 8706e097-6db7-11ee-8744-080027f5fec9
Redis core team reports:
The wrong order of listen(2) and chmod(2) calls creates a
race condition that can be used by another process to
bypass desired Unix socket permissions on startup.
more... | redis redis-devel redis62 redis70
more detail |
2023-10-18 | VuXML ID d2ad7647-6dd9-11ee-85eb-84a93843eb75
The Roundcube project reports:
cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages
more... | roundcube
more detail |
2023-10-18 | VuXML ID e14b9870-62a4-11ee-897b-000bab9f87f1
Request Tracker reports:
CVE-2023-41259 SECURITY: RT is vulnerable to unvalidated email headers in incoming email and the mail-gateway REST interface.
CVE-2023-41260 SECURITY: RT is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST interface.
CVE-2023-45024 SECURITY: RT 5.0 is vulnerable to information leakage via transaction searches made by authenticated users in the transaction query builder.
more... | rt44 rt50
more detail |
2023-10-16 | VuXML ID f8c2f741-6be1-11ee-b33a-a04a5edf46d9
The moonlight-embedded project reports:
Moonlight Embedded v2.6.1 fixed CVE-2023-42799, CVE-2023-42800,
and CVE-2023-42801.
more... | moonlight-embedded
more detail |
2023-10-14 | VuXML ID 7a1b2624-6a89-11ee-af06-5404a68ad561
The traefik authors report:
There is a vulnerability in Go managing HTTP/2 requests, which
impacts Traefik. This vulnerability could be exploited to cause
a denial of service.
more... | traefik
more detail |
2023-10-14 | VuXML ID ae0ee356-6ae1-11ee-bfb6-8c164567ca3c
The libcue team reports:
There is a vulnerability to out-of-bounds array access.
more... | libcue
more detail |
2023-10-12 | VuXML ID 199cdb4d-690d-11ee-9ed0-001fc69cd6dc
The X.Org project reports:
- CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer
- An out-of-bounds read is located in ParseComment() when reading from
a memory buffer instead of a file, as it continued to look for the
closing comment marker past the end of the buffer.
- CVE-2023-43789: Out of bounds read on XPM with corrupted colormap
- A corrupted colormap section may cause libXpm to read out of bounds.
more... | libXpm
more detail |
2023-10-12 | VuXML ID 4281b712-ad6b-4c21-8f66-619a9150691f
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-5187.
more... | electron25
more detail |
2023-10-12 | VuXML ID bd92f1ab-690c-11ee-9ed0-001fc69cd6dc
The X.Org project reports:
- CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
- When libX11 is processing the reply from the X server to the XkbGetMap
request, if it detected the number of symbols in the new map was less
than the size of the buffer it had allocated, it always added room for
128 more symbols, instead of the actual size needed. While the
_XkbReadBufferCopyKeySyms() helper function returned an error if asked
to copy more keysyms into the buffer than there was space allocated for,
the caller never checked for an error and assumed the full set of keysyms
was copied into the buffer and could then try to read out of bounds when
accessing the buffer. libX11 1.8.7 has been patched to both fix the size
allocated and check for error returns from _XkbReadBufferCopyKeySyms().
- CVE-2023-43786: stack exhaustion in XPutImage
- When splitting a single line of pixels into chunks that fit in a single
request (not using the BIG-REQUESTS extension) to send to the X server,
the code did not take into account the number of bits per pixel, so would
just loop forever finding it needed to send more pixels than fit in the
given request size and not breaking them down into a small enough chunk to
fit. An XPM file was provided that triggered this bug when loaded via
libXpm's XpmReadFileToPixmap() function, which in turn calls XPutImage()
and hit this bug.
- CVE-2023-43787: integer overflow in XCreateImage() leading to a heap overflow
- When creating an image, there was no validation that the multiplication
of the caller-provided width by the visual's bits_per_pixel did not
overflow and thus result in the allocation of a buffer too small to hold
the data that would be copied into it. An XPM file was provided that
triggered this bug when loaded via libXpm's XpmReadFileToPixmap() function,
which in turn calls XCreateImage() and hit this bug.
more... | libX11
more detail |
2023-10-11 | VuXML ID 040e69f1-6831-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. A logged
user from any profile can hijack the Kanban feature to alter any
user field, and end-up with stealing its account. Users are advised
to upgrade to version 10.0.10. There are no known workarounds for
this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID 07ee8c14-68f1-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 20 security fixes:
- [1487110] Critical CVE-2023-5218: Use after free in Site Isolation. Reported by @18楼梦想改造家 on 2023-09-27
- [1062251] Medium CVE-2023-5487: Inappropriate implementation in Fullscreen. Reported by Anonymous on 2020-03-17
- [1414936] Medium CVE-2023-5484: Inappropriate implementation in Navigation. Reported by Thomas Orlita on 2023-02-11
- [1476952] Medium CVE-2023-5475: Inappropriate implementation in DevTools. Reported by Axel Chong on 2023-08-30
- [1425355] Medium CVE-2023-5483: Inappropriate implementation in Intents. Reported by Axel Chong on 2023-03-17
- [1458934] Medium CVE-2023-5481: Inappropriate implementation in Downloads. Reported by Om Apip on 2023-06-28
- [1474253] Medium CVE-2023-5476: Use after free in Blink History. Reported by Yunqin Sun on 2023-08-20
- [1483194] Medium CVE-2023-5474: Heap buffer overflow in PDF. Reported by [pwn2car] on 2023-09-15
- [1471253] Medium CVE-2023-5479: Inappropriate implementation in Extensions API. Reported by Axel Chong on 2023-08-09
- [1395164] Low CVE-2023-5485: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2022-12-02
- [1472404] Low CVE-2023-5478: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-08-12
- [1472558] Low CVE-2023-5477: Inappropriate implementation in Installer. Reported by Bahaa Naamneh of Crosspoint Labs on 2023-08-13
- [1357442] Low CVE-2023-5486: Inappropriate implementation in Input. Reported by Hafiizh on 2022-08-29
- [1484000] Low CVE-2023-5473: Use after free in Cast. Reported by DarkNavy on 2023-09-18
more... | chromium qt6-webengine ungoogled-chromium
more detail |
2023-10-11 | VuXML ID 10e86b16-6836-11ee-b06f-0050569ceb3a
From the GLPI 10.0.10 Changelog:
You will find below security issues fixed in this bugfixes version:
[SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).
The mentioned CVE is invalid
more... | glpi
more detail |
2023-10-11 | VuXML ID 1fe40200-6823-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a free asset and IT management software package. Versions
of the software starting with 9.2.0 and prior to 10.0.8 have an
incorrect rights check on a file accessible by an authenticated
user, allowing access to view all KnowbaseItems. Version 10.0.8
has a patch for this issue.
more... | glpi
more detail |
2023-10-11 | VuXML ID 20302cbc-6834-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. An
unauthenticated user can enumerate users logins. Users are advised
to upgrade to version 10.0.10. There are no known workarounds for
this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID 257e1bf0-682f-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a Free Asset and IT Management Software package, Data center
management, ITIL Service Desk, licenses tracking and software
auditing. An administrator can trigger SQL injection via dashboards
administration. This vulnerability has been patched in version
10.0.9.
more... | glpi
more detail |
2023-10-11 | VuXML ID 40173815-6827-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a free asset and IT management software package. Versions
of the software starting with 0.68 and prior to 10.0.8 have an
incorrect rights check on a file accessible by an authenticated
user. This allows access to the list of all users and their personal
information. Users should upgrade to version 10.0.8 to receive a
patch.
more... | glpi
more detail |
2023-10-11 | VuXML ID 548a4163-6821-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a free asset and IT management software package. Starting
in version 0.80 and prior to version 10.0.8, Computer Virtual Machine
form and GLPI inventory request can be used to perform a SQL injection
attack. Version 10.0.8 has a patch for this issue. As a workaround,
one may disable native inventory.
more... | glpi
more detail |
2023-10-11 | VuXML ID 54e5573a-6834-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. The lack
of path filtering on the GLPI URL may allow an attacker to transmit
a malicious URL of login page that can be used to attempt a phishing
attack on user credentials. Users are advised to upgrade to version
10.0.10. There are no known workarounds for this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID 6851f3bb-6833-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. An API
user can enumerate sensitive fields values on resources on which
he has read access. Users are advised to upgrade to version 10.0.10.
There are no known workarounds for this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID 6f6518ab-6830-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. UI layout
preferences management can be hijacked to lead to SQL injection.
This injection can be used to take over an administrator account.
Users are advised to upgrade to version 10.0.10. There are no known
workarounds for this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID 717efd8a-6821-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a free asset and IT management software package. Starting
in version 9.5.0 and prior to version 10.0.8, an incorrect rights
check on a file accessible by an authenticated user (or not
for certain actions), allows a threat actor to interact, modify,
or see Dashboard data. Version 10.0.8 contains a patch for this
issue.
more... | glpi
more detail |
2023-10-11 | VuXML ID 894f2491-6834-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. The ITIL
actors input field from the Ticket form can be used to perform a
SQL injection. Users are advised to upgrade to version 10.0.10.
There are no known workarounds for this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID 95c4ec45-6831-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. An API
user that has read access on users resource can steal accounts of
other users. Users are advised to upgrade to version 10.0.10.
There are no known workarounds for this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID 95fde6bc-6821-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a free asset and IT management software package. Starting
in version 9.5.0 and prior to version 10.0.8, an incorrect rights
check on a file allows an unauthenticated user to be able to access
dashboards data. Version 10.0.8 contains a patch for this issue.
more... | glpi
more detail |
2023-10-11 | VuXML ID ae8b1445-6833-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. A user
with write access to another user can make requests to change the
latter's password and then take control of their account.
Users are advised to upgrade to version 10.0.10. There are no known
workarounds for this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID b14a6ddc-6821-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a free asset and IT management software package. Starting
in version 9.4.0 and prior to version 10.0.8, a malicious link can
be crafted by an unauthenticated user that can exploit a reflected
XSS in case any authenticated user opens the crafted link. Users
should upgrade to version 10.0.8 to receive a patch.
more... | glpi
more detail |
2023-10-11* | VuXML ID d6c19e8c-6806-11ee-9464-b42e991fc52e
The curl team reports:
This flaw makes curl overflow a heap based buffer in the
SOCKS5 proxy handshake. When curl is asked to pass along
the hostname to the SOCKS5 proxy to allow that to resolve
the address instead of it getting done by curl itself, the
maximum length that hostname can be is 255 bytes. If the
hostname is detected to be longer than 255 bytes, curl
switches to local name resolving and instead passes on the
resolved address only to the proxy. Due to a bug, the
local variable that means "let the host resolve the name"
could get the wrong value during a slow SOCKS5 handshake,
and contrary to the intention, copy the too long hostname
to the target buffer instead of copying just the resolved
address there.
more... | cmake-core curl
more detail |
2023-10-11 | VuXML ID df71f5aa-6831-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free
Asset and IT Management Software package that provides ITIL Service
Desk features, licenses tracking and software auditing. The document
upload process can be diverted to delete some files. Users are
advised to upgrade to version 10.0.10. There are no known workarounds
for this vulnerability.
more... | glpi
more detail |
2023-10-11 | VuXML ID e44e5ace-6820-11ee-b06f-0050569ceb3a
security-advisories@github.com reports:
GLPI is a free asset and IT management software package. Starting
in version 10.0.0 and prior to version 10.0.8, GLPI inventory
endpoint can be used to drive a SQL injection attack. By default,
GLPI inventory endpoint requires no authentication. Version 10.0.8
has a patch for this issue. As a workaround, one may disable native
inventory.
more... | glpi
more detail |
2023-10-10 | VuXML ID bf545001-b96d-42e4-9d2e-60fdee204a43
Kazuo Okuhu reports:
H2O is vulnerable to the HTTP/2 Rapid Reset attack.
An attacker might be able to consume more than adequate amount of
processing power of h2o and the backend servers by mounting the
attack.
more... | h2o h2o-devel
more detail |
2023-10-05 | VuXML ID 4f254817-6318-11ee-b2ff-080027de9982
Django reports:
CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator.
more... | py310-django32 py310-django41 py310-django42 py311-django32 py311-django41 py311-django42 py39-django32 py39-django41 py39-django42
more detail |
2023-10-04 | VuXML ID 162a675b-6251-11ee-8e38-002590c1f29c
Problem Description:
On CPU 0 the check for the SMCCC workaround is called before
SMCCC support has been initialized.
Impact:
No speculative execution workarounds are installed on CPU 0.
more... | FreeBSD-kernel
more detail |
2023-10-04 | VuXML ID 4e45c45b-629e-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [1485829] High CVE-2023-5346: Type Confusion in V8. Reported by Amit Kumar on 2023-09-22
more... | chromium ungoogled-chromium
more detail |
2023-10-04 | VuXML ID 915855ad-283d-4597-b01e-e0bf611db78b
Trendmicro ZDI reports:
Integer Underflow Remote Code Execution Vulnerability
The specific flaw exists within the parsing of SPF macros.
When parsing SPF macros, the process does not properly
validate user-supplied data, which can result in an integer
underflow before writing to memory. An attacker can leverage
this vulnerability to execute code in the context of the
service account.
more... | libspf2
more detail |
2023-10-04 | VuXML ID e261e71c-6250-11ee-8e38-002590c1f29c
Problem Description:
The syscall checked only for the CAP_READ and CAP_WRITE
capabilities on the input and output file descriptors, respectively.
Using an offset is logically equivalent to seeking, and the syscall
must additionally require the CAP_SEEK capability.
Impact:
A sandboxed process with only read or write but no seek capability
on a file descriptor may be able to read data from or write data
to an arbitrary location within the file corresponding to that file
descriptor.
more... | FreeBSD-kernel
more detail |
2023-10-04 | VuXML ID fefcd340-624f-11ee-8e38-002590c1f29c
Problem Description:
In certain cases using the truncate or ftruncate system call
to extend a file size populates the additional space in the file
with unallocated data from the underlying disk device, rather than
zero bytes.
Impact:
A user with write access to files on a msdosfs file system may
be able to read unintended data (for example, from a previously
deleted file).
more... | FreeBSD-kernel
more detail |
2023-10-02 | VuXML ID e59fed96-60da-11ee-9102-000c29de725b
MediaWiki reports:
(T264765, CVE-2023-PENDING) SECURITY: Users without correct permission
are incorrectly shown MediaWiki:Missing-revision-permission.
(T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for
self-redirects with variants conversion.
(T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped
messages leading to potential XSS.
(T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page
message is assumed to yield a valid title.
(T340221, CVE-2023-PENDING) SECURITY: XSS via
'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
(T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X
intermediate revisions by the same user not shown") ignores username
suppression.
(T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML
file to Special:Upload (non-standard configuration).
more... | mediawiki135 mediawiki139 mediawiki140
more detail |
2023-09-30* | VuXML ID 2bcd6ba4-d8e2-42e5-9033-b50b722821fb
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-5217.
more... | electron22 electron24 electron25 libvpx
more detail |
2023-09-30* | VuXML ID 33922b84-5f09-11ee-b63d-0897988a1c07
Composer project reports:
Description: Users publishing a composer.phar to a
public web-accessible server where the composer.phar can
be executed as a php file may be impacted if PHP also has
register_argc_argv enabled in php.ini.
Workaround: Make sure register_argc_argv is disabled
in php.ini, and avoid publishing composer.phar to the web
as this really should not happen.
more... | php80-composer php80-composer2 php81-composer php81-composer2 php82-composer php82-composer2 php83-composer php83-composer2
more detail |
2023-09-29 | VuXML ID 6d9c6aae-5eb1-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 10 security fixes:
- [1486441] High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-09-25
- [1478889] High CVE-2023-5186: Use after free in Passwords. Reported by [pwn2car] on 2023-09-05
- [1475798] High CVE-2023-5187: Use after free in Extensions. Reported by Thomas Orlita on 2023-08-25
more... | chromium qt6-webengine ungoogled-chromium
more detail |
2023-09-29 | VuXML ID 6e0ebb4a-5e75-11ee-a365-001b217b3468
Attacker can add other projects policy bot as member to their own project and use that bot to trigger pipelines in victim's project
Group import allows impersonation of users in CI pipelines
Developers can bypass code owners approval by changing a MR's base branch
Leaking source code of restricted project through a fork
Third party library Consul requires enable-script-checks to be False to enable patch
Service account not deleted when namespace is deleted allowing access to internal projects
Enforce SSO settings bypassed for public projects for Members without identity
Removed project member can write to protected branches
Unauthorised association of CI jobs for Machine Learning experiments
Force pipelines to not have access to protected variables and will likely fail using tags
Maintainer can create a fork relationship between existing projects
Disclosure of masked CI variables via processing CI/CD configuration of forks
Asset Proxy Bypass using non-ASCII character in asset URI
Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches
Removed Developer can continue editing the source code of a public project
A project reporter can leak owner's Sentry instance projects
Math rendering in markdown can escape container and hijack clicks
more... | gitlab-ce
more detail |
2023-09-27 | VuXML ID af065e47-5d62-11ee-bbae-1c61b4739ac9
xrdp team reports:
Access to the font glyphs in xrdp_painter.c is not bounds-checked.
Since some of this data is controllable by the user, this can result
in an out-of-bounds read within the xrdp executable. The vulnerability
allows an out-of-bounds read within a potentially privileged process.
On non-Debian platforms, xrdp tends to run as root. Potentially an
out-of-bounds write can follow the out-of-bounds read. There is no
denial-of-service impact, providing xrdp is running in forking mode. This
issue has been addressed in release 0.9.23.1. Users are advised to upgrade.
There are no known workarounds for this vulnerability.
more... | xrdp
more detail |
2023-09-27 | VuXML ID c9ff1150-5d63-11ee-bbae-1c61b4739ac9
xrdp team reports:
In versions prior to 0.9.23 improper handling of session establishment
errors allows bypassing OS-level session restrictions. The `auth_start_session`
function can return non-zero (1) value on, e.g., PAM error which may result
in session restrictions such as max concurrent sessions per user by PAM
(e.g. /etc/security/limits.conf) to be bypassed. Users (administrators) who don't
use PAM restrictions are not affected. This issue has been addressed in
release version 0.9.23. Users are advised to upgrade. There are no known
workarounds for this issue.
more... | xrdp
more detail |
2023-09-27 | VuXML ID ea9d1fd2-5d24-11ee-8507-b42e991fc52e
sep@nlnetlabs.nl reports:
NLnet Labs Routinator 0.9.0 up to and including 0.12.1 contains a
possible path traversal vulnerability in the optional, off-by-default
keep-rrdp-responses feature that allows users to store the content
of responses received for RRDP requests. The location of these
stored responses is constructed from the URL of the request. Due
to insufficient sanitation of the URL, it is possible for an attacker
to craft a URL that results in the response being stored outside
of the directory specified for it.
more... | routinator
more detail |
2023-09-25 | VuXML ID 402fccd0-5b6d-11ee-9898-00e081b7aa2d
Jenkins Security Advisory:
Description
(Medium) SECURITY-3261 / CVE-2023-43494
Builds can be filtered by values of sensitive build variables
(High) SECURITY-3245 / CVE-2023-43495
Stored XSS vulnerability
(High) SECURITY-3072 / CVE-2023-43496
Temporary plugin file created with insecure permissions
(Low) SECURITY-3073 / CVE-2023-43497 (Stapler), CVE-2023-43498 (MultipartFormDataParser)
Temporary uploaded file created with insecure permissions
more... | jenkins jenkins-lts
more detail |
2023-09-23 | VuXML ID 732282a5-5a10-11ee-bca0-001999f8d30b
Mailpit author reports:
Update Go modules to address CVE-2023-42821 (go markdown module DoS).
more... | mailpit
more detail |
2023-09-21 | VuXML ID 4fd7a2fc-5860-11ee-a1b3-dca632daf43b
Google Chrome reports:
Heap buffer overflow in WebP ... allowed a remote attacker to perform an out of bounds memory write ...
more... | webp
more detail |
2023-09-20 | VuXML ID 58a738d4-57af-11ee-8c58-b42e991fc52e
chrome-cve-admin@google.com reports:
Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187
allowed a remote attacker to perform an out of bounds memory write
via a crafted HTML page. (Chromium security severity: Critical)
The Tor browser is based on Firefox and GeckoView and also uses
libwebp, so it is affected by this bug.
more... | tor-browser
more detail |
2023-09-19 | VuXML ID 32a4896a-56da-11ee-9186-001b217b3468
Gitlab reports:
Attacker can abuse scan execution policies to run pipelines as another user
more... | gitlab-ce
more detail |
2023-09-16 | VuXML ID 11982747-544c-11ee-ac3e-a04a5edf46d9
NLnet Labs reports:
This release fixes two issues in Routinator that can be exploited
remotely by rogue RPKI CAs and repositories. We therefore advise all
users of Routinator to upgrade to this release at their earliest
convenience.
The first issue, CVE-2022-39915, can lead to Routinator crashing
when trying to decode certain illegal RPKI objects.
The second issue, CVE-2022-39916, only affects users that have the
rrdp-keep-responses option enabled which allows storing all received
RRDP responses on disk. Because the file name for these responses is
derived from the URI and the path wasn't checked properly, a RRDP URI
could be constructed that results in the response stored outside the
directory, possibly overwriting existing files.
more... | routinator
more detail |
2023-09-16 | VuXML ID b5508c08-547a-11ee-85eb-84a93843eb75
The Roundcube webmail project reports:
cross-site scripting (XSS) vulnerability in handling of
linkrefs in plain text messages
more... | roundcube
more detail |
2023-09-13 | VuXML ID 3693eca5-f0d3-453c-9558-2353150495bb
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4572.
- Security: backported fix for CVE-2023-4762.
- Security: backported fix for CVE-2023-4863.
more... | electron22
more detail |
2023-09-13 | VuXML ID 4bc66a81-89d2-4696-a04b-defd2eb77783
VSCode developers report:
Visual Studio Code Remote Code Execution Vulnerability
A remote code execution vulnerability exists in VS Code 1.82.0 and earlier versions where working in a maliciously crafted package.json can result in executing commands locally. This scenario would require the attacker to get the VS Code user to open the malicious project and to open and work with malformed entries in the dependencies sections of the package.json file.
VS Code uses the locally installed npm command to fetch information on package dependencies. A package dependency can be named in such a way that the npm tool runs a script instead.
more... | vscode
more detail |
2023-09-13 | VuXML ID 773ce35b-eabb-47e0-98ca-669b2b98107a
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4763.
- Security: backported fix for CVE-2023-4762.
- Security: backported fix for CVE-2023-4761.
- Security: backported fix for CVE-2023-4863.
more... | electron24 electron25
more detail |
2023-09-13 | VuXML ID 833b469b-5247-11ee-9667-080027f5fec9
selmelc on hackerone reports:
When curl retrieves an HTTP response, it stores the
incoming headers so that they can be accessed later via
the libcurl headers API.
However, curl did not have a limit in how many or how
large headers it would accept in a response, allowing a
malicious server to stream an endless series of headers
and eventually cause curl to run out of heap memory.
more... | curl
more detail |
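The curl entry above describes a missing bound, not a parsing bug: the client kept appending response headers to the heap for as long as the server kept sending them. The following added example (my own code, not curl's) shows the shape of the fix in a minimal HTTP/1.1 header reader: it enforces a cap on accumulated header bytes and on header count while reading, and stops as soon as either is hit. The caps (64 KiB, 100 headers) and the two sample streams are constructed for the demonstration.

```python
class HeaderLimitExceeded(Exception):
    """Raised when a response's header block exceeds the configured caps."""


def read_headers(stream, max_bytes=64 * 1024, max_count=100):
    """Parse an HTTP/1.1 status line and headers from an iterable of byte chunks.

    Returns (status_line, [(name, value), ...]). Stops reading as soon as either
    cap is exceeded instead of accumulating headers without bound.
    """
    buf = b""
    status = None
    headers = []
    consumed = 0
    for chunk in stream:
        buf += chunk
        while True:
            nl = buf.find(b"\r\n")
            if nl < 0:
                break
            line, buf = buf[:nl], buf[nl + 2:]
            consumed += nl + 2
            if consumed > max_bytes:
                raise HeaderLimitExceeded(f"header block exceeds {max_bytes} bytes")
            if line == b"":
                return status, headers          # blank line ends the header block
            if status is None and line.startswith(b"HTTP/"):
                status = line.decode("latin-1")
                continue
            if len(headers) >= max_count:
                raise HeaderLimitExceeded(f"more than {max_count} header lines")
            name, sep, value = line.partition(b":")
            if not sep:
                raise ValueError(f"malformed header line: {line!r}")
            headers.append((name.decode("latin-1").strip(),
                            value.decode("latin-1").strip()))
        # A single line longer than the cap must not be buffered indefinitely either.
        if len(buf) > max_bytes:
            raise HeaderLimitExceeded("unterminated header line exceeds cap")
    raise ValueError("stream ended before the end of the header block")


def endless_headers(count, filler=200):
    """Constructed malicious server: streams header lines and never sends the blank terminator."""
    yield b"HTTP/1.1 200 OK\r\n"
    for i in range(count):
        yield b"X-Filler-%d: %s\r\n" % (i, b"A" * filler)


def normal_response():
    """Constructed benign response, split across two TCP-like chunks."""
    return [b"HTTP/1.1 200 OK\r\nContent-Type: text/pl",
            b"ain\r\nContent-Length: 2\r\n\r\nok"]


def fetch_headers(stream):
    """What a hardened client does: parsed headers, or None when a limit was hit."""
    try:
        return read_headers(stream)
    except HeaderLimitExceeded:
        return None


if __name__ == "__main__":
    print(fetch_headers(normal_response()))
    print(fetch_headers(endless_headers(10_000)))
```

The unbounded variant is simply this reader with both checks removed; fed `endless_headers(10_000)` it would hold every line in memory until the generator ran out, which a real server never does.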
2023-09-13 | VuXML ID 88754d55-521a-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 16 security fixes:
- [1479274] Critical CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School on 2023-09-06
- [1430867] Medium CVE-2023-4900: Inappropriate implementation in Custom Tabs. Reported by Levit Nudi from Kenya on 2023-04-06
- [1459281] Medium CVE-2023-4901: Inappropriate implementation in Prompts. Reported by Kang Ali on 2023-06-29
- [1454515] Medium CVE-2023-4902: Inappropriate implementation in Input. Reported by Axel Chong on 2023-06-14
- [1446709] Medium CVE-2023-4903: Inappropriate implementation in Custom Mobile Tabs. Reported by Ahmed ElMasry on 2023-05-18
- [1453501] Medium CVE-2023-4904: Insufficient policy enforcement in Downloads. Reported by Tudor Enache @tudorhacks on 2023-06-09
- [1441228] Medium CVE-2023-4905: Inappropriate implementation in Prompts. Reported by Hafiizh on 2023-04-29
- [1449874] Low CVE-2023-4906: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2023-05-30
- [1462104] Low CVE-2023-4907: Inappropriate implementation in Intents. Reported by Mohit Raj (shadow2639) on 2023-07-04
- [1451543] Low CVE-2023-4908: Inappropriate implementation in Picture in Picture. Reported by Axel Chong on 2023-06-06
- [1463293] Low CVE-2023-4909: Inappropriate implementation in Interstitials. Reported by Axel Chong on 2023-07-09
more... | chromium ungoogled-chromium
more detail |
2023-09-12 | VuXML ID 8eefa87f-31f1-496d-bf8e-2b465b6e4e8a
Tim Wojtulewicz of Corelight reports:
File extraction limits were not correctly enforced
for files containing large amounts of missing bytes.
Sessions are sometimes not cleaned up completely
within Zeek during shutdown, potentially causing a crash
when using the -B dpd flag for debug logging.
A specially-crafted HTTP packet can cause Zeek's
filename extraction code to take a long time to process
the data.
A specially-crafted series of FTP packets made up of
a CWD request followed by a large amount of ERPT requests
may cause Zeek to spend a long time logging the commands.
A specially-crafted VLAN packet can cause Zeek to
overflow memory and potentially crash.
more... | zeek
more detail |
2023-09-10 | VuXML ID 4061a4b2-4fb1-11ee-acc7-0151f07bc899
The Gitea team reports:
check blocklist for emails when adding them to account
more... | gitea
more detail |
2023-09-10 | VuXML ID 482bb980-99a3-11ee-b5f7-6bd56600d90c
The Gitea team reports:
Fix missing check
Do some missing checks
By crafting an API request, attackers can access the contents of
issues even though the logged-in user does not have access rights to
these issues.
more... | gitea
more detail |
2023-09-07 | VuXML ID 6c72b13f-4d1d-11ee-a7f1-080027f5fec9
yangbodong22011 reports:
Redis does not correctly identify keys accessed by SORT_RO
and, as a result, may grant users executing this command
access to keys that are not explicitly authorized by the
ACL configuration.
more... | redis redis-devel redis70
more detail |
2023-09-07 | VuXML ID 924cb116-4d35-11ee-8e38-002590c1f29c
Problem Description:
The net80211 subsystem would fall back to the multicast key for unicast
traffic in the event the unicast key was removed. This would result in
buffered unicast traffic being exposed to any stations with access to the
multicast key.
Impact:
As described in the "Framing Frames: Bypassing Wi-Fi Encryption by
Manipulating Transmit Queues" paper, an attacker can induce an access point
to buffer frames for a client, deauthenticate the client (causing the unicast
key to be removed from the access point), and then trigger a flush of the
buffered frames, now encrypted with the multicast key. This would give the
attacker access to the data.
more... | FreeBSD-kernel
more detail |
2023-09-07 | VuXML ID a57472ba-4d84-11ee-bf05-000c29de725b
Python reports:
gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable
to a bypass of the TLS handshake and its protections (like certificate
verification), treating sent unencrypted data as if it were post-handshake
TLS encrypted data.
more... | python310 python311 python38 python39
more detail |
2023-09-07 | VuXML ID beb36f39-4d74-11ee-985e-bff341e78d94
The Go project reports:
cmd/go: go.mod toolchain directive allows arbitrary
execution
The go.mod toolchain directive, introduced in Go 1.21,
could be leveraged to execute scripts and binaries
relative to the root of the module when the "go" command
was executed within the module. This applies to modules
downloaded using the "go" command from the module proxy,
as well as modules downloaded directly using VCS software.
html/template: improper handling of HTML-like comments
within script contexts
The html/template package did not properly handle
HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!"
comment tokens, in <script> contexts.
crypto/tls: panic when processing post-handshake message
on QUIC connections
Processing an incomplete post-handshake message for a QUIC
connection caused a panic.
more... | go120 go121
more detail |
2023-09-07 | VuXML ID d35373ae-4d34-11ee-8e38-002590c1f29c
Problem Description:
With a 'scrub fragment reassemble' rule, a packet containing multiple IPv6
fragment headers would be reassembled, and then immediately processed. That
is, a packet with multiple fragment extension headers would not be recognized
as the correct ultimate payload. Instead a packet with multiple IPv6 fragment
headers would unexpectedly be interpreted as a fragmented packet, rather than
as whatever the real payload is.
Impact:
IPv6 fragments may bypass firewall rules written on the assumption all
fragments have been reassembled and, as a result, be forwarded or processed
by the host.
more... | FreeBSD-kernel
more detail |
2023-09-06 | VuXML ID df0a2fd1-4c92-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [1476403] High CVE-2023-4761: Out of bounds memory access in FedCM. Reported by DarkNavy on 2023-08-28
- [1473247] High CVE-2023-4762: Type Confusion in V8. Reported by Rong Jian of VRI on 2023-08-16
- [1469928] High CVE-2023-4763: Use after free in Networks. Reported by anonymous on 2023-08-03
- [1447237] High CVE-2023-4764: Incorrect security UI in BFCache. Reported by Irvan Kurniawan (sourc7) on 2023-05-20
more... | chromium ungoogled-chromium
more detail |
2023-09-04 | VuXML ID 8fd4f40a-4b7d-11ee-aa2a-080027de9982
Django reports:
CVE-2023-41164: Potential denial of service vulnerability in
django.utils.encoding.uri_to_iri().
more... | py310-django32 py310-django41 py310-django42 py311-django32 py311-django41 py311-django42 py38-django32 py38-django41 py38-django42 py39-django32 py39-django41 py39-django42
more detail |
2023-09-01 | VuXML ID aaea7b7c-4887-11ee-b164-001b217b3468
Gitlab reports:
Privilege escalation of "external user" to internal access through group service account
Maintainer can leak sentry token by changing the configured URL (fix bypass)
Google Cloud Logging private key showed in plain text in GitLab UI leaking to other group owners
Information disclosure via project import endpoint
Developer can leak DAST scanners "Site Profile" request headers and auth password
Project forking outside current group
User is capable of creating Model experiment and updating existing run's status in public project
ReDoS in bulk import API
Pagination for Branches and Tags can be skipped leading to DoS
Internal Open Redirection Due to Improper handling of "../" characters
Subgroup Member With Reporter Role Can Edit Group Labels
Banned user can delete package registries
more... | gitlab-ce
more detail |
2023-08-31 | VuXML ID 06492bd5-085a-4cc0-9743-e30164bdcb1c
Snyk reports:
This affects all versions of package Flask-Security.
When using the `get_post_logout_redirect` and `get_post_login_redirect` functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple backslashes such as `\\\evil.com/path`.
This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using `autocorrect_location_header=False`.
**Note:** Flask-Security is not maintained anymore.
more... | py310-flask-security py311-flask-security py37-flask-security py38-flask-security py39-flask-security
more detail |
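The Flask-Security entry above turns on a mismatch between how `urlparse` and a browser read `\\\evil.com/path`: Python sees no scheme and no host, so a check on `netloc` passes, while a WHATWG-conformant browser treats each backslash as a slash in http(s) URLs, skips the run of leading slashes and lands on evil.com. The added example below (my own code, not Flask-Security's) puts the weak check beside a hardened one and includes a small resolver approximating the browser's behaviour so the payload's real destination is visible. The host `app.example` and the payloads are constructed.

```python
import re
from urllib.parse import urlparse, urljoin

ALLOWED_HOST = "app.example"   # constructed: the application's own host


def naive_is_safe_redirect(target):
    """The kind of check this bug defeats: trust urlparse's view of the host."""
    return urlparse(target).netloc in ("", ALLOWED_HOST)


def hardened_is_safe_redirect(target):
    """Normalise the way a browser does before deciding, then accept only the
    app's own host or a single-slash path-relative target."""
    normalised = target.replace("\\", "/")
    parts = urlparse(normalised)
    if parts.scheme not in ("", "http", "https"):
        return False                    # javascript:, data:, ...
    if parts.netloc not in ("", ALLOWED_HOST):
        return False
    if parts.netloc == "" and (not normalised.startswith("/")
                               or normalised.startswith("//")):
        return False                    # '//host' and '///host' are scheme-relative to a browser
    return True


def browser_resolves_to(target, base="https://app.example/login"):
    """Approximate WHATWG URL resolution of a Location value against an http(s) base:
    '\\' counts as '/', and once two leading slashes are seen any further slashes are
    skipped before the authority is read (the 'special authority ignore slashes' state)."""
    normalised = target.replace("\\", "/")
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:", normalised):
        return normalised               # absolute URL, taken as-is
    if normalised.startswith("//"):
        return urlparse(base).scheme + "://" + normalised.lstrip("/")
    return urljoin(base, normalised)    # ordinary path-relative target


if __name__ == "__main__":
    payload = r"\\\evil.com/path"       # three backslashes, as in the advisory
    print(naive_is_safe_redirect(payload), hardened_is_safe_redirect(payload))
    print(browser_resolves_to(payload))
```

Werkzeug's default `autocorrect_location_header` explains the advisory's caveat: it joins the value onto the request URL before sending it, so the payload is emitted as a path under the application's own host rather than as a bare `Location` the browser gets to interpret.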
2023-08-31 | VuXML ID 09b7cd39-47bd-11ee-8e38-002590c1f29c
Problem Description:
A flaw in the backwards-compatibility key exchange route allows a
pointer to be freed twice.
Impact:
A remote, unauthenticated attacker may be able to cause a denial of
service, or possibly remote code execution.
Note that FreeBSD 12.3 and FreeBSD 13.1 include older versions of
OpenSSH, and are not affected. FreeBSD 13.2-BETA1 and later include the
fix.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID 17efbe19-4e72-426a-8016-2b4e001c1378
A stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface.
A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials.
The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled.
For pages, the vulnerability is in the "Choose a parent page" ModelAdmin view, available when managing pages via ModelAdmin.
For documents, the vulnerability is in the ModelAdmin Inspect view when displaying document fields.
more... | py310-wagtail py311-wagtail py37-wagtail py38-wagtail py39-wagtail
more detail |
2023-08-31 | VuXML ID 181f5e49-b71d-4527-9464-d4624d69acc3
Treq's request methods (`treq.get`, `treq.post`, `HTTPClient.request`, `HTTPClient.get`, etc.) accept cookies as a dictionary.
Such cookies are not bound to a single domain, and are therefore sent to *every* domain ("supercookies").
This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain, e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`.
more... | py310-treq py311-treq py37-treq py38-treq py39-treq
more detail |
2023-08-31 | VuXML ID 1a15b928-5011-4953-8133-d49e24902fe1
Implementations using this library with directory browsing enabled may be susceptible to Cross Site Scripting (XSS) attacks.
more... | py310-WsgiDAV py311-WsgiDAV py37-WsgiDAV py38-WsgiDAV py39-WsgiDAV
more detail |
2023-08-31 | VuXML ID 1e37fa3e-5988-4991-808f-eae98047e2af
Glyph reports:
HTTPie is a command-line HTTP client.
HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage.
Before 3.1.0, HTTPie didn't distinguish between cookies and the hosts they belonged to.
This behavior resulted in the exposure of some cookies when there are redirects originating from the actual host to a third party website.
Users are advised to upgrade.
There are no known workarounds.
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository httpie/httpie prior to 3.1.0.
more... | py310-httpie py311-httpie py37-httpie py38-httpie py39-httpie
more detail |
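The Treq and HTTPie entries above are the same defect seen from two clients: a cookie stored without a domain is attached to every request, so a redirect to another host carries it along. The added example below (my own code, neither project's) contrasts a plain dict of cookies with the standard library's domain-bound `http.cookiejar`, driving both through the redirect from the Treq advisory without touching the network. The cookie name and value are constructed.

```python
import http.cookiejar
import urllib.request


def make_session_cookie(domain, name="session", value="s3cr3t"):
    """A cookie bound to one domain, as a compliant client stores it after Set-Cookie."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True, secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False)


def cookie_header_from_dict(url, cookies):
    """The 'supercookie' behaviour: a plain dict carries no domain, so the same
    header is produced for every host (url is ignored, which is the point)."""
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


def cookie_header_from_jar(url, jar):
    """Domain-bound behaviour: the jar attaches only cookies whose domain matches the host."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")        # None when nothing matched


def headers_across_redirect(first_url, redirect_url, cookies):
    """Return the Cookie header sent to the first host and to the redirect target."""
    if isinstance(cookies, dict):
        return (cookie_header_from_dict(first_url, cookies),
                cookie_header_from_dict(redirect_url, cookies))
    return (cookie_header_from_jar(first_url, cookies),
            cookie_header_from_jar(redirect_url, cookies))


def bound_jar(domain="example.com"):
    """A jar holding one session cookie scoped to `domain`."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_session_cookie(domain))
    return jar


if __name__ == "__main__":
    hop = ("https://example.com/", "http://cloudstorageprovider.com/")
    print(headers_across_redirect(*hop, {"session": "s3cr3t"}))   # leaks to the second host
    print(headers_across_redirect(*hop, bound_jar()))             # second host gets nothing
```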
2023-08-31 | VuXML ID 252f40cb-618c-47f4-a2cf-1abf30cffbbe
praetorian-colby-morgan reports:
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9.
It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
more... | py310-Flask-Cors py311-Flask-Cors py37-Flask-Cors py38-Flask-Cors py39-Flask-Cors
more detail |
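The Flask-CORS entry above is a canonicalisation bug: resource rules were matched against the request path as received, so `/api/public/../private/secret` matched the permissive `/api/public/*` rule even though it denotes a private resource. The added example below (my own code, not Flask-CORS's) shows the pre-fix matcher beside one that percent-decodes and normalises the path first. The rule set and paths are constructed; Flask-CORS's real matcher uses regular expressions, the glob here is only what these two rules need.

```python
import posixpath
from urllib.parse import unquote

# Constructed rule set in the shape Flask-CORS's `resources` option takes;
# the most specific rule must be listed first.
RESOURCES = {
    "/api/private/*": {"origins": ["https://app.example"]},
    "/api/public/*": {"origins": ["*"]},
}


def _pattern_matches(pattern, path):
    """Glob-style match sufficient for the two rule shapes used here."""
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def naive_origins_for(path):
    """Pre-fix behaviour: match the path exactly as the request supplied it."""
    for pattern, options in RESOURCES.items():
        if _pattern_matches(pattern, path):
            return options["origins"]
    return None


def canonical_path(path):
    """Decode percent-escapes, then collapse '.', '..' and repeated slashes."""
    path = unquote(path)
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path


def hardened_origins_for(path):
    """Fixed behaviour: canonicalise before matching so '..' cannot select a laxer rule."""
    return naive_origins_for(canonical_path(path))


if __name__ == "__main__":
    probe = "/api/public/../private/secret"
    print(naive_origins_for(probe))      # ['*']  (wrong rule)
    print(hardened_origins_for(probe))   # ['https://app.example']
```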
2023-08-31 | VuXML ID 291d0953-47c1-11ee-8e38-002590c1f29c
Problem Description:
The server may cause ssh-agent to load shared libraries other than
those required for PKCS#11 support. These shared libraries may have
side effects that occur on load and unload (dlopen and dlclose).
Impact:
An attacker with access to a server that accepts a forwarded
ssh-agent connection may be able to execute code on the machine running
ssh-agent. Note that the attack relies on properties of operating
system-provided libraries. This has been demonstrated on other
operating systems; it is unknown whether this attack is possible using
the libraries provided by a FreeBSD installation.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID 29f050e9-3ef4-4c5f-8204-503b41caf181
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4427.
- Security: backported fix for CVE-2023-4428.
- Security: backported fix for CVE-2023-4430.
- Security: backported fix for CVE-2023-4572.
more... | electron24
more detail |
2023-08-31 | VuXML ID 2ad25820-c71a-4e6c-bb99-770c66fe496d
When the built-in HTTP proxy downloader middleware processes a request with `proxy` metadata, and that `proxy` metadata includes proxy credentials, the built-in HTTP proxy downloader middleware sets the `Proxy-Authentication` header, but only if that header is not already set.
There are third-party proxy-rotation downloader middlewares that set different `proxy` metadata every time they process a request.
Because of request retries and redirects, the same request can be processed by downloader middlewares more than once, including both the built-in HTTP proxy downloader middleware and any third-party proxy-rotation downloader middleware.
These third-party proxy-rotation downloader middlewares could change the `proxy` metadata of a request to a new value, but fail to remove the `Proxy-Authentication` header from the previous value of the `proxy` metadata, causing the credentials of one proxy to be leaked to a different proxy.
If you rotate proxies from different proxy providers, and any of those proxies requires credentials, you are affected, unless you are handling proxy rotation as described under **Workarounds** below.
If you use a third-party downloader middleware for proxy rotation, the same applies to that downloader middleware, and installing a patched version of Scrapy may not be enough;
patching that downloader middleware may be necessary as well.
more... | py310-Scrapy py311-Scrapy py37-Scrapy py38-Scrapy py39-Scrapy
more detail |
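The Scrapy entry above comes down to a header that outlives the proxy it was issued for. The added example below (my own code, not Scrapy's) models the built-in proxy middleware's pre-fix logic and a fixed version that records which proxy the credentials belong to and strips them when `proxy` changes, then runs one request through a rotation-plus-retry sequence with each. The `Request` class, proxy hosts and credentials are constructed stand-ins. Note that the header actually involved is `Proxy-Authorization`; the advisory text calls it `Proxy-Authentication`.

```python
import base64
from urllib.parse import urlparse, urlunparse


class Request:
    """Constructed stand-in for scrapy.Request: a URL plus meta and headers dicts."""
    def __init__(self, url, meta=None):
        self.url = url
        self.meta = dict(meta or {})
        self.headers = {}


def split_proxy_credentials(proxy_url):
    """Return (proxy URL without userinfo, 'Basic ...' header value or None)."""
    parts = urlparse(proxy_url)
    if parts.username is None:
        return proxy_url, None
    hostport = parts.hostname + (f":{parts.port}" if parts.port else "")
    bare = urlunparse((parts.scheme, hostport, parts.path,
                       parts.params, parts.query, parts.fragment))
    token = base64.b64encode(f"{parts.username}:{parts.password or ''}".encode()).decode()
    return bare, "Basic " + token


def vulnerable_proxy_middleware(request):
    """Pre-fix logic: set the header only when absent, and never remove it."""
    proxy = request.meta.get("proxy")
    if not proxy:
        return request
    bare, auth = split_proxy_credentials(proxy)
    request.meta["proxy"] = bare
    if auth and "Proxy-Authorization" not in request.headers:
        request.headers["Proxy-Authorization"] = auth
    return request


def fixed_proxy_middleware(request):
    """Fixed logic: remember which proxy the header was issued for and drop it
    when the proxy changes, so credentials for proxy A never reach proxy B."""
    proxy = request.meta.get("proxy")
    if not proxy:
        request.headers.pop("Proxy-Authorization", None)
        request.meta.pop("_auth_proxy", None)
        return request
    bare, auth = split_proxy_credentials(proxy)
    request.meta["proxy"] = bare
    if auth:
        request.headers["Proxy-Authorization"] = auth
        request.meta["_auth_proxy"] = bare
    elif request.meta.get("_auth_proxy") != bare:
        request.headers.pop("Proxy-Authorization", None)   # stale credentials
        request.meta.pop("_auth_proxy", None)
    return request


def rotate_then_retry(middleware, first_proxy, second_proxy):
    """One request processed twice (a retry) with a rotation middleware swapping
    the proxy in between; returns (final proxy, Proxy-Authorization sent to it)."""
    request = Request("https://target.example/", meta={"proxy": first_proxy})
    middleware(request)
    request.meta["proxy"] = second_proxy     # what a third-party rotator does
    middleware(request)
    return request.meta["proxy"], request.headers.get("Proxy-Authorization")


if __name__ == "__main__":
    a = "http://user:pass@proxy-a.example:8080"
    b = "http://proxy-b.example:8080"
    print(rotate_then_retry(vulnerable_proxy_middleware, a, b))  # proxy B receives A's credentials
    print(rotate_then_retry(fixed_proxy_middleware, a, b))       # header removed
```

A rotation middleware that assigns proxies itself must do the same bookkeeping: if it replaces `meta["proxy"]` without also clearing `Proxy-Authorization` (or setting the new proxy's credentials), the patched built-in middleware cannot tell that the header is stale.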
2023-08-31 | VuXML ID 2def7c4b-736f-4754-9f03-236fcb586d91
A memory exhaustion bug exists in Wagtail's handling of uploaded images and documents.
For both images and documents, files are loaded into memory during upload for additional processing.
A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service.
The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
It can only be exploited by admin users with permission to upload images or documents.
Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code.
more... | py310-wagtail py311-wagtail py37-wagtail py38-wagtail py39-wagtail
more detail |
2023-08-31 | VuXML ID 3dabf5b8-47c0-11ee-8e38-002590c1f29c
Problem Description:
Each fragment of an IPv6 packet contains a fragment header which
specifies the offset of the fragment relative to the original packet,
and each fragment specifies its length in the IPv6 header. When
reassembling the packet, the kernel calculates the complete IPv6 payload
length. The payload length must fit into a 16-bit field in the IPv6
header.
Due to a bug in the kernel, a set of carefully crafted packets can
trigger an integer overflow in the calculation of the reassembled
packet's payload length field.
Impact:
Once an IPv6 packet has been reassembled, the kernel continues
processing its contents. It does so assuming that the fragmentation
layer has validated all fields of the constructed IPv6 header. This bug
violates such assumptions and can be exploited to trigger a remote
kernel panic, resulting in a denial of service.
more... | FreeBSD-kernel
more detail |
2023-08-31 | VuXML ID 3fcab88b-47bc-11ee-8e38-002590c1f29c
Problem Description:
When GELI reads a key file from standard input, it doesn't store it
anywhere. If the user tries to initialize multiple providers at once,
for the second and subsequent devices the standard input stream will be
already empty. In this case, GELI silently uses a NULL key as the user
key file. If the user used only a key file without a user passphrase,
the master key was encrypted with an empty key file. This might not be
noticed if the devices were also decrypted in a batch operation.
Impact:
Some GELI providers might be silently encrypted with a NULL key
file.
more... | FreeBSD-kernel
more detail |
2023-08-31 | VuXML ID 41af0277-47bf-11ee-8e38-002590c1f29c
Problem Description:
pam_krb5 authenticates the user by essentially running kinit(1) with
the password, getting a 'ticket-granting ticket' (tgt) from the Kerberos
KDC (Key Distribution Center) over the network, as a way to verify the
password.
Normally, the system running the pam_krb5 module will also have a
keytab, a key provisioned by the KDC. The pam_krb5 module will use the
tgt to get a service ticket and validate it against the keytab, ensuring
the tgt is valid and therefore, the password is valid.
However, if a keytab is not provisioned on the system, pam_krb5 has
no way to validate the response from the KDC, and essentially trusts the
tgt provided over the network as being valid.
Impact:
In a non-default FreeBSD installation that leverages pam_krb5 for
authentication and does not have a keytab provisioned, an attacker that
is able to control both the password and the KDC responses can return a
valid tgt, allowing authentication to occur for any user on the
system.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID 4eb5dccb-923c-4f18-9cd4-b53f9e28d4d7
kmike and nramirezuy report:
Scrapy 1.4 allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.
more... | py310-Scrapy py311-Scrapy py37-Scrapy py38-Scrapy py39-Scrapy
more detail |
2023-08-31 | VuXML ID 579c7489-c23d-454a-b0fc-ed9d80ea46e0
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4427.
- Security: backported fix for CVE-2023-4428.
more... | electron22
more detail |
2023-08-31 | VuXML ID 67fe5e5b-549f-4a2a-9834-53f60eaa415e
ranjit-git reports:
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.
more... | py310-Scrapy py311-Scrapy py37-Scrapy py38-Scrapy py39-Scrapy
more detail |
2023-08-31 | VuXML ID 692a5fd5-bb25-4df4-8a0e-eb91581f2531
subnix reports:
The Flask-Caching extension through 2.0.2 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation.
If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code.
more... | py310-flask-caching py311-flask-caching py37-flask-caching py38-flask-caching py39-flask-caching
more detail |
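The Flask-Caching entry above is the general pickle problem: anything that can write to the cache backend can store an object whose `__reduce__` names a callable, and `pickle.loads` will call it. The added example below (my own code, not Flask-Caching's) builds such an entry with a harmless callable so the effect is observable, loads it the unsafe way, and then shows two mitigations: authenticating pickled entries with an HMAC so tampered entries are rejected before unpickling, and using JSON where the cached data is plain. The signing key, the recorder function and the cached values are constructed.

```python
import hashlib
import hmac
import json
import pickle

EXECUTED = []   # records side effects of unpickling, so the demo is observable and harmless


def record(message):
    """Stand-in for the callable a real payload would name (os.system, subprocess.Popen, ...)."""
    EXECUTED.append(message)
    return message


class PoisonedEntry:
    """What an attacker with write access to the cache backend stores: pickle calls
    whatever __reduce__ names, with the given arguments, at load time."""
    def __reduce__(self):
        return (record, ("code ran while loading a cache entry",))


def poisoned_blob():
    return pickle.dumps(PoisonedEntry())


def load_unsafe(blob):
    """Deserialisation that trusts whatever is in the backend."""
    return pickle.loads(blob)


def dump_signed(obj, key):
    """Mitigation 1: keep pickle but authenticate it. Only holders of `key` can write
    entries that will load; a foreign entry fails the tag check before unpickling."""
    body = pickle.dumps(obj)
    return hmac.new(key, body, hashlib.sha256).digest() + body


def load_signed(blob, key):
    tag, body = blob[:32], blob[32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cache entry failed integrity check; not unpickling it")
    return pickle.loads(body)


def signed_load_rejects(blob, key):
    """True when load_signed refuses the entry (the desired outcome for poisoned data)."""
    try:
        load_signed(blob, key)
    except ValueError:
        return True
    return False


def dump_json(obj):
    """Mitigation 2: for plain data, a format that cannot instantiate arbitrary objects."""
    return json.dumps(obj).encode()


def load_json(blob):
    return json.loads(blob.decode())


if __name__ == "__main__":
    key = b"constructed-cache-signing-key"
    print(signed_load_rejects(poisoned_blob(), key), EXECUTED)   # True, []
    print(load_unsafe(poisoned_blob()), EXECUTED)                # payload runs
```

Signing only helps when the attacker can write to the backend but not read the key from the application's configuration; if the key is exposed as well, only the second mitigation holds.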
2023-08-31 | VuXML ID 83b29e3f-886f-439f-b9a8-72e014479ff9
yeisonvargasf reports:
dparse is a parser for Python dependency files.
dparse in versions before 0.5.2 contains a regular expression that is vulnerable to a Regular Expression Denial of Service.
All the users parsing index server URLs with dparse are impacted by this vulnerability.
Users unable to upgrade should avoid passing index server URLs in the source file to be parsed.
more... | py310-dparse py311-dparse py37-dparse py38-dparse py39-dparse
more detail |
2023-08-31 | VuXML ID 970dcbe0-a947-41a4-abe9-7aaba87f41fe
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4427.
- Security: backported fix for CVE-2023-4428.
- Security: backported fix for CVE-2023-4429.
- Security: backported fix for CVE-2023-4430.
- Security: backported fix for CVE-2023-4572.
more... | electron25
more detail |
2023-08-31 | VuXML ID 97c1b0f7-47b9-11ee-8e38-002590c1f29c
Problem Description:
Multiple security vulnerabilities have been discovered in the Heimdal
implementation of the Kerberos 5 network authentication
protocols and KDC.
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
- CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
- CVE-2019-14870 Validate client attributes in protocol-transition
- CVE-2019-14870 Apply forwardable policy in protocol-transition
- CVE-2019-14870 Always lookup impersonate client in DB
Impact:
A malicious actor with control of the network between a client and a
service using Kerberos for authentication can impersonate either the
client or the service, enabling a man-in-the-middle (MITM) attack
circumventing mutual authentication.
Note that, while CVE-2022-44640 is a severe vulnerability, possibly
enabling remote code execution on other platforms, the version of
Heimdal included with the FreeBSD base system cannot be exploited in
this way on FreeBSD.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID 9b0d9832-47c1-11ee-8e38-002590c1f29c
Problem Description:
The problem detailed in FreeBSD-SA-23:04.pam_krb5 persisted following
the patch for that advisory.
Impact:
The impact described in FreeBSD-SA-23:04.pam_krb5 persists.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID a005aea9-47bb-11ee-8e38-002590c1f29c
Problem Description:
ping reads raw IP packets from the network to process responses in
the pr_pack() function. As part of processing a response ping has to
reconstruct the IP header, the ICMP header and if present a "quoted
packet," which represents the packet that generated an ICMP error.
The quoted packet again has an IP header and an ICMP header.
The pr_pack() copies received IP and ICMP headers into stack buffers
for further processing. In so doing, it fails to take into account the
possible presence of IP option headers following the IP header in either
the response or the quoted packet. When IP options are present,
pr_pack() overflows the destination buffer by up to 40 bytes.
Impact:
The memory safety bugs described above can be triggered by a remote
host, causing the ping program to crash.
The ping process runs in a capability mode sandbox on all affected
versions of FreeBSD and is thus very constrained in how it can interact
with the rest of the system at the point where the bug can occur.
more... | FreeBSD
more detail |
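The header layout the ping advisory is about, as an added Python example (not FreeBSD's ping code): an IPv4 header is IHL*4 bytes long, so a fixed 20-byte copy leaves the option bytes behind and reads the ICMP header from the wrong offset. The parser below sizes every header from IHL, checks IHL against its legal range, and walks outer IP, ICMP, quoted IP and quoted ICMP. The packet it parses is constructed for the example: the outer header carries 4 option bytes and the quoted header carries the maximum 40, the "up to 40 bytes" the advisory mentions.

```python
import struct

IP_HDR_MIN = 20      # IPv4 header without options
IP_HDR_MAX = 60      # IHL is four bits of 32-bit words: at most 15 * 4
ICMP_HDR_LEN = 8


def parse_ipv4_header(buf, offset=0):
    """Return (header_length, protocol, total_length, options) for the header at offset.

    The header is IHL*4 bytes, not a fixed 20; the options after the fixed
    part are exactly what a fixed-size copy overlooks.
    """
    if len(buf) - offset < IP_HDR_MIN:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, offset)
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4")
    hlen = ihl * 4
    if hlen < IP_HDR_MIN or hlen > IP_HDR_MAX:
        raise ValueError("bad IHL %d" % ihl)
    if len(buf) - offset < hlen:
        raise ValueError("header claims %d bytes, only %d present" % (hlen, len(buf) - offset))
    options = buf[offset + IP_HDR_MIN:offset + hlen]
    return hlen, proto, total_len, options


def parse_icmp_error(packet):
    """Walk outer IP -> ICMP -> quoted IP -> quoted ICMP, honouring IHL at every layer."""
    out_hlen, proto, _tl, out_opts = parse_ipv4_header(packet, 0)
    if proto != 1:
        raise ValueError("not ICMP")
    icmp_off = out_hlen
    if len(packet) - icmp_off < ICMP_HDR_LEN:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = struct.unpack_from("!BB", packet, icmp_off)
    result = {"outer_ip_len": out_hlen, "outer_options": len(out_opts),
              "icmp_type": icmp_type, "icmp_code": icmp_code}
    # Only error messages (dest unreachable, time exceeded, ...) quote a packet.
    if icmp_type in (3, 4, 5, 11, 12):
        q_off = icmp_off + ICMP_HDR_LEN
        q_hlen, q_proto, _qtl, q_opts = parse_ipv4_header(packet, q_off)
        result.update({"quoted_ip_len": q_hlen, "quoted_options": len(q_opts),
                       "quoted_proto": q_proto})
        if q_proto == 1 and len(packet) - (q_off + q_hlen) >= ICMP_HDR_LEN:
            _t, _c, _cs, q_id, q_seq = struct.unpack_from("!BBHHH", packet, q_off + q_hlen)
            result.update({"quoted_icmp_id": q_id, "quoted_icmp_seq": q_seq})
    return result


def fixed_copy_misparse(packet):
    """What a fixed 20-byte copy sees: the byte at offset 20 is taken as the ICMP
    type although it is the first option byte, and ihl*4 - 20 bytes of options
    spill past the buffer (up to 40)."""
    ihl = packet[0] & 0x0F
    return ihl * 4 - IP_HDR_MIN, packet[IP_HDR_MIN]


def build_ipv4_header(options, proto, total_len,
                      src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    if len(options) % 4:
        raise ValueError("options must be padded to a 32-bit boundary")
    ihl = (IP_HDR_MIN + len(options)) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234, 0,
                       64, proto, 0, src, dst) + options


def constructed_time_exceeded():
    """Constructed ICMP Time Exceeded reply: outer header with 4 option bytes,
    quoted header with the maximum 40 (Record Route option padded with EOL)."""
    quoted_icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 7)      # echo request id/seq
    rr_option = b"\x07\x27\x04" + b"\x00" * 36 + b"\x00"          # type 7, len 39, ptr 4, EOL pad
    quoted_ip = build_ipv4_header(rr_option, 1, IP_HDR_MIN + len(rr_option) + len(quoted_icmp))
    icmp = struct.pack("!BBHI", 11, 0, 0, 0)                        # Time Exceeded, code 0
    outer_opts = b"\x01\x01\x01\x00"                                # NOP NOP NOP EOL
    payload = icmp + quoted_ip + quoted_icmp
    outer_ip = build_ipv4_header(outer_opts, 1, IP_HDR_MIN + len(outer_opts) + len(payload))
    return outer_ip + payload


if __name__ == "__main__":
    pkt = constructed_time_exceeded()
    print(parse_icmp_error(pkt))
    print("fixed-copy view (spilled bytes, 'type' byte seen):", fixed_copy_misparse(pkt))
```

The same pattern applies to the quoted packet: its IHL is attacker-chosen, so its options length must be derived and bounds-checked independently of the outer header rather than assumed to be zero.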
2023-08-31 | VuXML ID a5403af6-225e-48ba-b233-bd95ad26434a
Responses from domain names whose public domain name suffix contains 1 or more periods (e.g. responses from `example.co.uk`, given its public domain name suffix is `co.uk`) are able to set cookies that are included in requests to any other domain sharing the same domain name suffix.
more... | py310-Scrapy py311-Scrapy py37-Scrapy py38-Scrapy py39-Scrapy
more detail |
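The public-suffix rule the Scrapy entry describes, as an added Python example (not Scrapy's code): a Set-Cookie Domain attribute is honoured only if it domain-matches the response host and is not itself a public suffix, so a response from example.co.uk cannot set a cookie for co.uk that would be sent to every other site under that suffix. The suffix table is a constructed stand-in for the Public Suffix List with only the entries the cases need; a real implementation loads the full list.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List. A real
# implementation would load the full list (for example via the publicsuffix2
# package); these entries are only what the cases below need.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "github.io"}


def public_suffix(host):
    """Return the longest public suffix of host found in PUBLIC_SUFFIXES.

    Candidates are tried from the whole host downwards, so "example.co.uk"
    yields "co.uk" rather than "uk". An unknown TLD falls back to the last label.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def cookie_domain_allowed(response_url, cookie_domain):
    """Decide whether a Set-Cookie Domain attribute from response_url may be honoured.

    Rules: no Domain attribute means a host-only cookie (always fine); the
    Domain must domain-match the response host (RFC 6265 section 5.3); and the
    Domain must not itself be a public suffix such as co.uk, which is the
    check the Scrapy advisory is about. Returns (allowed, reason).
    """
    host = urlsplit(response_url).hostname.lower().rstrip(".")
    if not cookie_domain:
        return True, "host-only cookie for %s" % host
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if domain == public_suffix(domain):
        return False, "%s is a public suffix; cookie would leak to sibling sites" % domain
    if host != domain and not host.endswith("." + domain):
        return False, "%s does not domain-match response host %s" % (domain, host)
    return True, "cookie scoped to %s" % domain


def demo():
    cases = [
        ("https://example.co.uk/", "co.uk"),          # the advisory's case
        ("https://example.co.uk/", ".example.co.uk"),
        ("https://www.example.com/", "example.com"),
        ("https://www.example.com/", "com"),
        ("https://www.example.com/", "attacker.net"),
        ("https://user.github.io/", "github.io"),     # multi-label suffix
        ("https://www.example.com/", None),
    ]
    return [(url, dom) + cookie_domain_allowed(url, dom) for url, dom in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Note that the check is only as good as the suffix table: without "co.uk" in the table the first case would pass, which is exactly the failure the advisory describes for suffixes containing a period.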
2023-08-31 | VuXML ID ab437561-47c0-11ee-8e38-002590c1f29c
Problem Description:
The fwctl driver implements a state machine which is executed when
the guest accesses certain x86 I/O ports. The interface lets the guest
copy a string into a buffer resident in the bhyve process' memory. A
bug in the state machine implementation can result in a buffer
overflowing when copying this string.
Impact:
A malicious, privileged software running in a guest VM can exploit
the buffer overflow to achieve code execution on the host in the bhyve
userspace process, which typically runs as root. Note that bhyve runs
in a Capsicum sandbox, so malicious code is constrained by the
capabilities available to the bhyve process.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID b8a52e5a-483d-11ee-971d-3df00e0f9020
Thomas Waldmann reports:
A flaw in the cryptographic authentication scheme in Borg allowed an attacker to fake archives and potentially indirectly cause backup data loss in the repository.
The attack requires an attacker to be able to
- insert files (with no additional headers) into backups
- gain write access to the repository
This vulnerability does not disclose plaintext to the attacker, nor does it affect the authenticity of existing archives. Creating plausible fake archives may be feasible for empty or small archives, but is unlikely for large archives.
more... | py310-borgbackup py311-borgbackup py312-borgbackup py37-borgbackup py38-borgbackup py39-borgbackup
more detail |
2023-08-31 | VuXML ID c2c89dea-2859-4231-8f3b-012be0d475ff
domiee13 reports:
A vulnerability was found in django-photologue up to 3.15.1 and classified as problematic.
Affected by this issue is some unknown functionality of the file photologue/templates/photologue/photo_detail.html of the component Default Template Handler.
The manipulation of the argument object.caption leads to cross site scripting.
The attack may be launched remotely.
Upgrading to version 3.16 is able to address this issue.
The name of the patch is 960cb060ce5e2964e6d716ff787c72fc18a371e7.
It is recommended to apply a patch to fix this issue.
VDB-215906 is the identifier assigned to this vulnerability.
more... | py310-django-photologue py311-django-photologue py37-django-photologue py38-django-photologue py39-django-photologue
more detail |
2023-08-31 | VuXML ID c8eb4c40-47bd-11ee-8e38-002590c1f29c
Problem Description:
X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING.
Timing Oracle in RSA Decryption (CVE-2022-4304)
A timing based side channel exists in the OpenSSL RSA Decryption
implementation.
Use-after-free following BIO_new_NDEF (CVE-2023-0215)
The public API function BIO_new_NDEF is a helper function used for streaming
ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support
the SMIME, CMS and PKCS7 streaming capabilities, but may also be called
directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter
BIO onto the front of it to form a BIO chain, and then returns the new head
of the BIO chain to the caller. Under certain conditions, for example if a
CMS recipient public key is invalid, the new filter BIO is freed and the
function returns a NULL result indicating a failure. However, in this case,
the BIO chain is not properly cleaned up and the BIO passed by the caller
still retains internal pointers to the previously freed filter BIO.
Double free after calling PEM_read_bio_ex (CVE-2022-4450)
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data. In
this case PEM_read_bio_ex() will return a failure code but will populate the
header argument with a pointer to a buffer that has already been freed.
Impact:
X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
arbitrary pointers to a memcmp call, enabling them to read memory contents or
enact a denial of service. In most cases, the attack requires the attacker to
provide both the certificate chain and CRL, neither of which need to have a
valid signature. If the attacker only controls one of these inputs, the other
input must already contain an X.400 address as a CRL distribution point, which
is uncommon. As such, this vulnerability is most likely to only affect
applications which have implemented their own functionality for retrieving CRLs
over a network.
Timing Oracle in RSA Decryption (CVE-2022-4304)
A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OAEP and RSASVE.
Use-after-free following BIO_new_NDEF (CVE-2023-0215)
A use-after-free will occur under certain conditions. This will most likely
result in a crash.
Double free after calling PEM_read_bio_ex (CVE-2022-4450)
A double free may occur. This will most likely lead to a crash. This could be
exploited by an attacker who has the ability to supply malicious PEM files
for parsing to achieve a denial of service attack.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID c9b3324f-8e03-4ae3-89ce-8098cdc5bfa9
Ben Caller reports:
markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability.
If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.
more... | py310-markdown2 py311-markdown2 py37-markdown2 py38-markdown2 py39-markdown2
more detail |
2023-08-31 | VuXML ID cdc685b5-1724-49a1-ad57-2eaab68e9cc0
Red Hat reports:
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
Ben Caller reports:
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions.
Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS.
By crafting malicious input, an attacker can cause a denial of service.
more... | py310-pygments py310-pygments-25 py311-pygments py311-pygments-25 py37-pygments py37-pygments-25 py38-pygments py38-pygments-25 py39-pygments py39-pygments-25
more detail |
2023-08-31 | VuXML ID cf6f3465-e996-4672-9458-ce803f29fdb7
TheGrandPew reports:
python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds.
For example, an attack might use elementname@ or elementname- with an onclick attribute.
more... | py310-markdown2 py311-markdown2 py37-markdown2 py38-markdown2 py39-markdown2
more detail |
2023-08-31 | VuXML ID e31a8f8e-47bf-11ee-8e38-002590c1f29c
Problem Description:
When using ssh-add(1) to add smartcard keys to ssh-agent(1) with
per-hop destination constraints, a logic error prevented the constraints
from being sent to the agent resulting in keys being added to the agent
without constraints.
Impact:
A malicious server could leverage the keys provided by a forwarded
agent that would normally not be allowed due to the logic error.
more... | FreeBSD
more detail |
2023-08-31 | VuXML ID e831dd5a-7d8e-4818-aa1f-17dd495584ec
lebr0nli reports:
Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`.
more... | py310-httpx013 py311-httpx013 py37-httpx013 py38-httpx013 py39-httpx013
more detail |
2023-08-30 | VuXML ID 22fffa69-46fa-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 1 security fix:
- [1472492] High CVE-2023-4572: Use after free in MediaStream. Reported by fwnfwn(@_fwnfwn) on 2023-08-12
more... | chromium ungoogled-chromium
more detail |
2023-08-27 | VuXML ID 36a37c92-44b1-11ee-b091-6162c1274384
The Gitea team reports:
Fix API leaking Usermail if not logged in
The API should only return the real mail of a user if the
caller is logged in. The check to do this doesn't work. This PR
fixes this. This is not really a security issue, but can lead to
spam.
more... | gitea
more detail |
2023-08-24 | VuXML ID 5999fc39-72d0-4b99-851c-ade7ff7125c3
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4071.
- Security: backported fix for CVE-2023-4070.
- Security: backported fix for CVE-2023-4075.
- Security: backported fix for CVE-2023-4076.
- Security: backported fix for CVE-2023-4074.
- Security: backported fix for CVE-2023-4072.
- Security: backported fix for CVE-2023-4068.
- Security: backported fix for CVE-2023-4073.
- Security: backported fix for CVE-2023-4355.
- Security: backported fix for CVE-2023-4354.
- Security: backported fix for CVE-2023-4353.
- Security: backported fix for CVE-2023-4351.
more... | electron25
more detail |
2023-08-24 | VuXML ID 5fa332b9-4269-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 5 security fixes:
- [1469542] High CVE-2023-4430: Use after free in Vulkan. Reported by Cassidy Kim(@cassidy6564) on 2023-08-02
- [1469754] High CVE-2023-4429: Use after free in Loader. Reported by Anonymous on 2023-08-03
- [1470477] High CVE-2023-4428: Out of bounds memory access in CSS. Reported by Francisco Alonso (@revskills) on 2023-08-06
- [1470668] High CVE-2023-4427: Out of bounds memory access in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-08-07
- [1469348] Medium CVE-2023-4431: Out of bounds memory access in Fonts. Reported by Microsoft Security Researcher on 2023-08-01
more... | chromium ungoogled-chromium
more detail |
2023-08-24 | VuXML ID 99bc2966-55be-4411-825f-b04017a4c100
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4355.
- Security: backported fix for CVE-2023-4354.
- Security: backported fix for CVE-2023-4353.
- Security: backported fix for CVE-2023-4352.
- Security: backported fix for CVE-2023-4351.
more... | electron22 electron24
more detail |
2023-08-23 | VuXML ID ddd3fcc9-2bdd-11ee-9af4-589cfc0f81b0
phpmyfaq developers report:
Cross Site Scripting vulnerability
CSV injection vulnerability
more... | phpmyfaq-php80 phpmyfaq-php81 phpmyfaq-php82 phpmyfaq-php83
more detail |
2023-08-17 | VuXML ID 5666688f-803b-4cf0-9cb1-08c088f2225a
Chrome Releases reports:
This update includes 26 security fixes:
- [1448548] High CVE-2023-2312: Use after free in Offline. Reported by avaue at S.S.L. on 2023-05-24
- [1458303] High CVE-2023-4349: Use after free in Device Trust Connectors. Reported by Weipeng Jiang (@Krace) of VRI on 2023-06-27
- [1454817] High CVE-2023-4350: Inappropriate implementation in Fullscreen. Reported by Khiem Tran (@duckhiem) on 2023-06-14
- [1465833] High CVE-2023-4351: Use after free in Network. Reported by Guang and Weipeng Jiang of VRI on 2023-07-18
- [1452076] High CVE-2023-4352: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-06-07
- [1458046] High CVE-2023-4353: Heap buffer overflow in ANGLE. Reported by Christoph Diehl / Microsoft Vulnerability Research on 2023-06-27
- [1464215] High CVE-2023-4354: Heap buffer overflow in Skia. Reported by Mark Brand of Google Project Zero on 2023-07-12
- [1468943] High CVE-2023-4355: Out of bounds memory access in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-07-31
- [1449929] Medium CVE-2023-4356: Use after free in Audio. Reported by Zhenghang Xiao (@Kipreyyy) on 2023-05-30
- [1458911] Medium CVE-2023-4357: Insufficient validation of untrusted input in XML. Reported by Igor Sak-Sakovskii on 2023-06-28
- [1466415] Medium CVE-2023-4358: Use after free in DNS. Reported by Weipeng Jiang (@Krace) of VRI on 2023-07-20
- [1443722] Medium CVE-2023-4359: Inappropriate implementation in App Launcher. Reported by @retsew0x01 on 2023-05-09
- [1462723] Medium CVE-2023-4360: Inappropriate implementation in Color. Reported by Axel Chong on 2023-07-07
- [1465230] Medium CVE-2023-4361: Inappropriate implementation in Autofill. Reported by Thomas Orlita on 2023-07-17
- [1316379] Medium CVE-2023-4362: Heap buffer overflow in Mojom IDL. Reported by Zhao Hai of NanJing Cyberpeace TianYu Lab on 2022-04-14
- [1367085] Medium CVE-2023-4363: Inappropriate implementation in WebShare. Reported by Alesandro Ortiz on 2022-09-23
- [1406922] Medium CVE-2023-4364: Inappropriate implementation in Permission Prompts. Reported by Jasper Rebane on 2023-01-13
- [1431043] Medium CVE-2023-4365: Inappropriate implementation in Fullscreen. Reported by Hafiizh on 2023-04-06
- [1450784] Medium CVE-2023-4366: Use after free in Extensions. Reported by asnine on 2023-06-02
- [1467743] Medium CVE-2023-4367: Insufficient policy enforcement in Extensions API. Reported by Axel Chong on 2023-07-26
- [1467751] Medium CVE-2023-4368: Insufficient policy enforcement in Extensions API. Reported by Axel Chong on 2023-07-26
more... | chromium ungoogled-chromium
more detail |
2023-08-17 | VuXML ID 759a5599-3ce8-11ee-a0d1-84a93843eb75
Oracle reports:
This Critical Patch Update contains 24 new security patches for Oracle
MySQL. 11 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring
user credentials.
more... | mysql-client57 mysql-client80 mysql-connector-c++ mysql-server57 mysql-server80
more detail |
2023-08-16 | VuXML ID 51a59f36-3c58-11ee-b32e-080027f5fec9
Steve Smith reports:
There is a possible denial of service vulnerability in the
HFS+ file parser.
more... | clamav clamav-lts
more detail |
2023-08-16 | VuXML ID 8e561cfe-3c59-11ee-b32e-080027f5fec9
The ClamAV project reports:
There is a possible denial of service vulnerability in the
AutoIt file parser.
more... | clamav-lts
more detail |
2023-08-14 | VuXML ID a6986f0f-3ac0-11ee-9a88-206a8a720317
SO-AND-SO reports:
When issuing a ticket for a TGS renew or validate request, copy
only the server field from the outer part of the header ticket
to the new ticket. Copying the whole structure causes the
enc_part pointer to be aliased to the header ticket until
krb5_encrypt_tkt_part() is called, resulting in a double-free
if handle_authdata() fails.
more... | krb5 krb5-121 krb5-devel
more detail |
2023-08-14 | VuXML ID b1ac663f-3aa9-11ee-b887-b42e991fc52e
TYPO3 reports:
TYPO3-CORE-SA-2023-002: By-passing Cross-Site Scripting Protection in HTML Sanitizer
TYPO3-CORE-SA-2023-003: Information Disclosure due to Out-of-scope Site Resolution
TYPO3-CORE-SA-2023-004: Cross-Site Scripting in CKEditor4 WordCount Plugin
more... | typo3-11-php80 typo3-11-php81 typo3-12-php80 typo3-12-php81
more detail |
2023-08-11* | VuXML ID f3a35fb8-2d70-47c9-a516-6aad7eb222b1
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3732.
- Security: backported fix for CVE-2023-3728.
- Security: backported fix for CVE-2023-3730.
more... | electron22 electron23 electron24 electron25
more detail |
2023-08-10 | VuXML ID 59a43a73-3786-11ee-94b4-6cc21735f730
PostgreSQL Project reports:
PostgreSQL 15 introduced the MERGE command, which fails to test
new rows against row security policies defined for UPDATE and
SELECT. If UPDATE and SELECT policies forbid some row that
INSERT policies do not forbid, a user could store such rows.
Subsequent consequences are application-dependent. This
affects only databases that have used CREATE POLICY to define
a row security policy.
more... | postgresql-server
more detail |
2023-08-10 | VuXML ID cfd2a634-3785-11ee-94b4-6cc21735f730
PostgreSQL Project reports:
An extension script is vulnerable if it uses @extowner@,
@extschema@, or @extschema:...@ inside a quoting construct
(dollar quoting, '', or ""). No bundled extension is
vulnerable. Vulnerable uses do appear in a documentation
example and in non-bundled extensions. Hence, the attack
prerequisite is an administrator having installed files of a
vulnerable, trusted, non-bundled extension. Subject to that
prerequisite, this enables an attacker having database-level
CREATE privilege to execute arbitrary code as the bootstrap
superuser. PostgreSQL will block this attack in the core
server, so there's no need to modify individual extensions.
more... | postgresql-server
more detail |
2023-08-05 | VuXML ID 441e1e1a-27a5-11ee-a156-080027f5fec9
The Samba Team reports:
- CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion DoS Vulnerability
When parsing Spotlight mdssvc RPC packets, one encoded
data structure is a key-value style dictionary where
keys are character strings and values can be any of
the supported types in the mdssvc protocol. Due to a
lack of type checking in callers of the function
dalloc_value_for_key(), which returns the object
associated with a key, a caller may trigger a crash in
talloc_get_size() when talloc detects that the passed in
pointer is not a valid talloc pointer. As RPC worker
processes are shared among multiple client connections,
a malicious client can crash the worker process
affecting all other clients that are also served by this
worker.
- CVE-2022-2127: Out-Of-Bounds read in winbind AUTH_CRAP
When doing NTLM authentication, the client sends replies
to cryptographic challenges back to the server. These
replies have variable length. Winbind did not properly
bounds-check the lan manager response length, which
despite the lan manager version no longer being used is
still part of the protocol. If the system is running
Samba's ntlm_auth as authentication backend for services
like Squid (or a very unusual configuration with
FreeRADIUS), the vulnerability is remotely exploitable.
If not so configured, or to exploit this vulnerability
locally, the user must have access to the privileged
winbindd UNIX domain socket (a subdirectory with name
'winbindd_privileged' under "state directory", as set in
the smb.conf). This access is normally only given to
special system services like Squid or FreeRADIUS that use
this feature.
- CVE-2023-34968: Spotlight server-side Share Path Disclosure
As part of the Spotlight protocol, the initial request
returns a path associated with the sharename targeted by
the RPC request. Samba returns the real server-side
share path at this point, as well as returning the
absolute server-side path of results in search queries
by clients. Known server side paths could be used to
mount subsequent more serious security attacks or could
disclose confidential information that is part of the
path. To mitigate the issue, Samba will replace the
real server-side path with a fake path constructed from
the sharename.
- CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop DoS Vulnerability
When parsing Spotlight mdssvc RPC packets sent by the
client, the core unmarshalling function sl_unpack_loop()
did not validate a field in the network packet that
contains the count of elements in an array-like
structure. By passing 0 as the count value, the attacked
function will run in an endless loop consuming 100% CPU.
This bug only affects servers where Spotlight is
explicitly enabled globally or on individual shares with
"spotlight = yes".
- CVE-2023-3347: SMB2 packet signing not enforced
SMB2 packet signing is not enforced if an admin
configured "server signing = required" or for SMB2
connections to Domain Controllers where SMB2 packet
signing is mandatory. SMB2 packet signing is a
mechanism that ensures the integrity and authenticity of
data exchanged between a client and a server using the
SMB2 protocol. It provides protection against certain
types of attacks, such as man-in-the-middle attacks,
where an attacker intercepts network traffic and
modifies the SMB2 messages. Both client and server of
an SMB2 connection can require that signing is being
used. The server-side setting in Samba to configure
signing to be required is "server signing = required".
Note that on Samba AD DCs this is also the default
for all SMB2 connections. Unless the client requires
signing which would result in signing being used on the
SMB2 connection, sensitive data might have been modified
by an attacker. Clients connecting to IPC$ on an AD DC
will require signed connections being used, so the
integrity of these connections was not affected.
more... | samba413 samba416
more detail |
2023-08-04 | VuXML ID 6e4e8e87-9fb8-4e32-9f8e-9b4303f4bfd5
Chrome Releases reports:
This update includes 17 security fixes:
- [1466183] High CVE-2023-4068: Type Confusion in V8. Reported by Jerry on 2023-07-20
- [1465326] High CVE-2023-4069: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2023-07-17
- [1462951] High CVE-2023-4070: Type Confusion in V8. Reported by Jerry on 2023-07-07
- [1458819] High CVE-2023-4071: Heap buffer overflow in Visuals. Reported by Guang and Weipeng Jiang of VRI on 2023-06-28
- [1464038] High CVE-2023-4072: Out of bounds read and write in WebGL. Reported by Apple Security Engineering and Architecture (SEAR) on 2023-07-12
- [1456243] High CVE-2023-4073: Out of bounds memory access in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2023-06-20
- [1464113] High CVE-2023-4074: Use after free in Blink Task Scheduling. Reported by Anonymous on 2023-07-12
- [1457757] High CVE-2023-4075: Use after free in Cast. Reported by Cassidy Kim(@cassidy6564) on 2023-06-25
- [1459124] High CVE-2023-4076: Use after free in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2023-06-29
- [1451146] Medium CVE-2023-4077: Insufficient data validation in Extensions. Reported by Anonymous on 2023-06-04
- [1461895] Medium CVE-2023-4078: Inappropriate implementation in Extensions. Reported by Anonymous on 2023-07-04
more... | chromium ungoogled-chromium
more detail |
2023-08-02 | VuXML ID 78f2e491-312d-11ee-85f2-bd89b893fcb4
The Go project reports:
crypto/tls: restrict RSA keys in certificates to <= 8192 bits
Extremely large RSA keys in certificate chains can cause
a client/server to expend significant CPU time verifying
signatures. Limit this by restricting the size of RSA keys
transmitted during handshakes to <= 8192 bits.
net/http: insufficient sanitization of Host header
The HTTP/1 client did not fully validate the contents of
the Host header. A maliciously crafted Host header could
inject additional headers or entire requests. The HTTP/1
client now refuses to send requests containing an
invalid Request.Host or Request.URL.Host value.
cmd/go: cgo code injection
The go command may generate unexpected code at build
time when using cgo. This may result in unexpected
behavior when running a go program which uses cgo.
runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary
had the setuid/setgid bit set. On Unix platforms, if a
setuid/setgid binary was executed with standard I/O file
descriptors closed, opening any files could result in
unexpected content being read/written with elevated
privileges. Similarly if a setuid/setgid program was
terminated, either via panic or signal, it could leak the
contents of its registers.
cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time
when using cgo. This may occur when running "go get" on a
malicious module, or when running any other command which
builds untrusted code. This can be triggered by linker
flags, specified via a "#cgo LDFLAGS" directive.
html/template: improper sanitization of CSS values
Angle brackets (<>) were not considered dangerous
characters when inserted into CSS contexts. Templates
containing multiple actions separated by a '/' character
could result in unexpectedly closing the CSS context and
allowing for injection of unexpected HTML, if executed
with untrusted input.
html/template: improper handling of JavaScript whitespace
Not all valid JavaScript whitespace characters were
considered to be whitespace. Templates containing
whitespace characters outside of the character set
"\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that
also contain actions may not be properly sanitized
during execution.
html/template: improper handling of empty HTML attributes
Templates containing actions in unquoted HTML attributes
(e.g. "attr={{.}}") executed with empty input could
result in output that would have unexpected results when
parsed due to HTML normalization rules. This may allow
injection of arbitrary attributes into tags.
more... | go119 go120
more detail |
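The Host header problem in the Go entry, as an added Python example (not Go's net/http code): a client that copies an attacker-controlled host string verbatim into the request line emits a second header and, here, an entire second request, which a server on a reused connection treats as a separate request. The validator is a conservative one written for this example, not Go's: it accepts a reg-name or IPv4 literal, or a bracketed IPv6 literal, with an optional numeric port, and refuses CR, LF, whitespace, control bytes, empty ports and IPv6 zone IDs. The attacker-controlled host string is constructed.

```python
import re

# Constructed attacker-controlled value, e.g. the host part of a user-supplied URL.
ATTACKER_HOST = ("example.com\r\nX-Injected: yes\r\n\r\n"
                 "GET /admin HTTP/1.1\r\nHost: internal")

# Host = uri-host [ ":" port ] (RFC 7230 section 5.4). reg-name follows RFC 3986:
# unreserved, sub-delims and percent-encoded octets only.
_REG_NAME = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+")
_IPV6 = re.compile(r"[0-9A-Fa-f:.]+")
_PORT = re.compile(r"[0-9]{1,5}")


def _valid_port(port):
    return bool(_PORT.fullmatch(port)) and int(port) <= 65535


def valid_host_header(value):
    """True if value is a syntactically acceptable Host header value.

    Anything that could break the header line (CR, LF, spaces, control bytes)
    or smuggle a second header (a second ':' outside the port position) fails.
    """
    if not value or len(value) > 255:
        return False
    if value.startswith("["):
        close = value.find("]")
        if close < 0 or not _IPV6.fullmatch(value[1:close]):
            return False
        rest = value[close + 1:]
        if rest == "":
            return True
        return rest.startswith(":") and _valid_port(rest[1:])
    host, sep, port = value.partition(":")
    if not _REG_NAME.fullmatch(host):
        return False
    return not sep or _valid_port(port)


def build_request(method, path, host, unsafe=False):
    """Serialize an HTTP/1.1 request. unsafe=True copies the Host value verbatim
    (the behaviour the advisory describes); otherwise the value is validated first."""
    if not unsafe and not valid_host_header(host):
        raise ValueError("invalid Host header value: %r" % host)
    text = "%s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (method, path, host)
    return text.encode("latin-1")


def count_requests(raw):
    """How many request lines a server would see in raw: one for a well-formed
    request, more when a header value smuggled another one."""
    return sum(1 for line in raw.split(b"\r\n") if line.endswith(b" HTTP/1.1"))


def injected_header_names(raw):
    """Header names present that the caller never set; X-Injected shows up here."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    names = {line.split(b":", 1)[0] for line in head.split(b"\r\n")[1:] if b":" in line}
    return sorted(n.decode("latin-1") for n in names - {b"Host", b"Connection"})


def demo():
    unsafe = build_request("GET", "/", ATTACKER_HOST, unsafe=True)
    try:
        build_request("GET", "/", ATTACKER_HOST)
        blocked = False
    except ValueError:
        blocked = True
    return {"requests_seen_by_server": count_requests(unsafe),
            "injected_headers": injected_header_names(unsafe),
            "blocked_by_validation": blocked}


if __name__ == "__main__":
    print(demo())
```

The same validation belongs on Request.URL.Host as well as the explicit Host field, since either may end up on the wire; rejecting the request is preferable to "repairing" it, because a silently rewritten host can still be routed somewhere the caller did not intend.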
2023-08-02 | VuXML ID fa239535-30f6-11ee-aef9-001b217b3468
Gitlab reports:
ReDoS via ProjectReferenceFilter in any Markdown fields
ReDoS via AutolinkFilter in any Markdown fields
Regex DoS in Harbor Registry search
Arbitrary read of files owned by the "git" user via malicious tar.gz file upload using GitLab export functionality
Stored XSS in Web IDE Beta via crafted URL
securityPolicyProjectAssign mutation does not authorize security policy project ID
An attacker can run pipeline jobs as arbitrary user
Possible Pages Unique Domain Overwrite
Access tokens may have been logged when a query was made to an endpoint
Reflected XSS via PlantUML diagram
The main branch of a repository with a specially designed name may allow an attacker to create repositories with malicious code
Invalid 'start_sha' value on merge requests page may lead to Denial of Service
Developers can create pipeline schedules on protected branches even if they don't have access to merge
Potential DOS due to lack of pagination while loading license data
Leaking emails of newly created users
more... | gitlab-ce
more detail |
2023-07-31 | VuXML ID bad6588e-2fe0-11ee-a0d1-84a93843eb75
The OpenSSL project reports:
Checking excessively long DH keys or parameters may be very slow
(severity: Low).
more... | openssl openssl30 openssl31
more detail |
2023-07-26 | VuXML ID a0321b74-031d-485c-bb76-edd75256a6f0
Jenkins Security Advisory:
Description
(High) SECURITY-3188 / CVE-2023-39151
Stored XSS vulnerability
more... | jenkins jenkins-lts
more detail |
2023-07-23 | VuXML ID ab0bab3c-2927-11ee-8608-07b8d3947721
The Gitea team reports:
Disallow javascript, vbscript and data (data uri images still
work) url schemes even if all other schemes are allowed
more... | gitea
more detail |
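The scheme policy the Gitea entry describes, as an added Python example (not Gitea's code): javascript:, vbscript: and data: links are refused regardless of what other schemes a deployment allows, with the single exception of data: URIs that are base64 raster images. Because browsers strip leading and trailing control characters and remove tabs and newlines before parsing a URL, the scheme is taken from the URL after the same normalization, so "java\tscript:" is still recognised. The allowlist and the image MIME types are assumptions for this example, and it operates on the decoded attribute value, not on raw HTML.

```python
import html
import re

# Constructed policy, not Gitea's configuration: schemes refused no matter what
# else is allowed, and the default allowlist a deployment might extend.
ALWAYS_FORBIDDEN = frozenset({"javascript", "vbscript", "data"})
DEFAULT_ALLOWED = frozenset({"http", "https", "mailto"})

# The one carve-out: base64 raster images. svg+xml is excluded on purpose since
# it can carry script.
DATA_IMAGE_RE = re.compile(r"^data:image/(?:png|gif|jpeg|webp);base64,[A-Za-z0-9+/=]+$",
                           re.IGNORECASE)

_EDGE_CONTROLS = "".join(chr(c) for c in range(0x21))     # C0 controls and space
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize(url):
    """Apply the pre-parse cleanup browsers do: strip edge controls and spaces,
    remove tab, LF and CR anywhere."""
    return re.sub(r"[\t\n\r]", "", url.strip(_EDGE_CONTROLS))


def extract_scheme(cleaned):
    """Lower-cased scheme of an already normalized URL, or None if relative."""
    m = _SCHEME_RE.match(cleaned)
    return m.group(1).lower() if m else None


def sanitize_link(url, allowed=DEFAULT_ALLOWED, allow_data_images=True):
    """Return url if its scheme passes policy, else None.

    Relative and protocol-relative URLs pass. The ALWAYS_FORBIDDEN schemes are
    refused even when present in `allowed`; a data: URI passes only when it is
    a base64 raster image and allow_data_images is set.
    """
    cleaned = normalize(url)
    scheme = extract_scheme(cleaned)
    if scheme is None:
        return url
    if scheme in ALWAYS_FORBIDDEN:
        if scheme == "data" and allow_data_images and DATA_IMAGE_RE.match(cleaned):
            return url
        return None
    return url if scheme in allowed else None


def render_link(text, url, **policy):
    """Render an anchor, or just the escaped text when the link is dropped."""
    safe = sanitize_link(url, **policy)
    if safe is None:
        return html.escape(text)
    return '<a href="%s" rel="nofollow noopener">%s</a>' % (
        html.escape(safe, quote=True), html.escape(text))


if __name__ == "__main__":
    for u in ["https://example.com/x", "javascript:alert(1)", "  java\tscript:alert(1)",
              "vbscript:MsgBox(1)", "data:text/html;base64,PHNjcmlwdD4=",
              "data:image/png;base64,iVBORw0KGgo=", "/relative/path"]:
        print("%-45r -> %r" % (u, sanitize_link(u)))
```

Dropping the link but keeping the text is the usual choice for user content; rewriting the href to a safe placeholder is the alternative when layout must not change.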
2023-07-21 | VuXML ID 887eb570-27d3-11ee-adba-c80aa9043978
OpenSSH project reports:
Fix CVE-2023-38408 - a condition where specific libraries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:
* Exploitation requires the presence of specific libraries on
the victim system.
* Remote exploitation requires that the agent was forwarded
to an attacker-controlled system.
Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.
This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.
more... | openssh-portable openssh-portable-gssapi openssh-portable-hpn
more detail |
2023-07-20 | VuXML ID 2f22927f-26ea-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 20 security fixes:
- [1454086] High CVE-2023-3727: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-06-12
- [1457421] High CVE-2023-3728: Use after free in WebRTC. Reported by Zhenghang Xiao (@Kipreyyy) on 2023-06-23
- [1453465] High CVE-2023-3730: Use after free in Tab Groups. Reported by @ginggilBesel on 2023-06-09
- [1450899] High CVE-2023-3732: Out of bounds memory access in Mojo. Reported by Mark Brand of Google Project Zero on 2023-06-02
- [1450203] Medium CVE-2023-3733: Inappropriate implementation in WebApp Installs. Reported by Ahmed ElMasry on 2023-05-31
- [1450376] Medium CVE-2023-3734: Inappropriate implementation in Picture In Picture. Reported by Thomas Orlita on 2023-06-01
- [1394410] Medium CVE-2023-3735: Inappropriate implementation in Web API Permission Prompts. Reported by Ahmed ElMasry on 2022-11-29
- [1434438] Medium CVE-2023-3736: Inappropriate implementation in Custom Tabs. Reported by Philipp Beer (TU Wien) on 2023-04-19
- [1446754] Medium CVE-2023-3737: Inappropriate implementation in Notifications. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2023-05-19
- [1434330] Medium CVE-2023-3738: Inappropriate implementation in Autofill. Reported by Hafiizh on 2023-04-18
- [1405223] Low CVE-2023-3740: Insufficient validation of untrusted input in Themes. Reported by Fardeen Siddiqui on 2023-01-06
more... | chromium ungoogled-chromium
more detail |
2023-07-19* | VuXML ID 1ba034fb-ca38-11ed-b242-d4c9ef517024
The OpenSSL project reports:
Severity: Low
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.
more... | openssl openssl-quic openssl30 openssl31 virtualbox-ose
more detail |
2023-07-19 | VuXML ID bc90e894-264b-11ee-a468-80fa5b29d485
secalert_us@oracle.com reports:
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). Supported versions that are
affected are Prior to 6.1.46 and Prior to 7.0.10. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via RDP to compromise Oracle VM VirtualBox. Successful
attacks of this vulnerability can result in takeover of Oracle VM
VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity
and Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
more... | virtualbox-ose
more detail |
2023-07-19 | VuXML ID cf40e8b7-264d-11ee-a468-80fa5b29d485
secalert_us@oracle.com reports:
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). Supported versions that are
affected are Prior to 6.1.46 and Prior to 7.0.10. Easily exploitable
vulnerability allows low privileged attacker with logon to the
infrastructure where Oracle VM VirtualBox executes to compromise
Oracle VM VirtualBox. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of Oracle VM VirtualBox. Note:
This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score
5.5 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
more... | virtualbox-ose
more detail |
2023-07-19 | VuXML ID f32b1fbd-264d-11ee-a468-80fa5b29d485
secalert_us@oracle.com reports:
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). Supported versions that are
affected are Prior to 6.1.46 and Prior to 7.0.10. Easily exploitable
vulnerability allows high privileged attacker with logon to the
infrastructure where Oracle VM VirtualBox executes to compromise
Oracle VM VirtualBox. Successful attacks require human interaction
from a person other than the attacker. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang
or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox.
CVSS 3.1 Base Score 4.2 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H).
more... | virtualbox-ose
more detail |
2023-07-18 | VuXML ID c70c3dc3-258c-11ee-b37b-901b0e9408dc
Matrix developers report:
The Export Chat feature includes certain attacker-controlled elements in the
generated document without sufficient escaping, leading to stored XSS.
more... | element-web
more detail |
2023-07-16 | VuXML ID 41c60e16-2405-11ee-a0d1-84a93843eb75
The OpenSSL project reports:
The AES-SIV cipher implementation contains a bug that causes
it to ignore empty associated data entries which are unauthenticated as
a consequence.
more... | openssl30 openssl31
more detail |
2023-07-14 | VuXML ID 3446e45d-a51b-486f-9b0e-e4402d91fed6
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3422.
- Security: backported fix for CVE-2023-3421.
- Security: backported fix for CVE-2023-3420.
more... | electron22
more detail |
2023-07-10 | VuXML ID 0e254b4a-1f37-11ee-a475-080027f5fec9
Redis core team reports:
A specially crafted Lua script executing in Redis can
trigger a heap overflow in the cjson and cmsgpack
libraries, and result in heap corruption and potentially
remote code execution.
more... | redis redis-devel redis60 redis62
more detail |
2023-07-10 | VuXML ID 6fae2d6c-1f38-11ee-a475-080027f5fec9
Redis core team reports:
Extracting key names from a command and a list of
arguments may, in some cases, trigger a heap overflow and
result in reading random heap memory, heap corruption and
potentially remote code execution. Specifically: using
COMMAND GETKEYS* and validation of key names in ACL rules.
more... | redis redis-devel
more detail |
2023-07-10 | VuXML ID b67d768c-1f53-11ee-82ed-4ccc6adda413
Albin Eldstål-Ahrens reports:
An out-of-bounds read on a heap buffer in the importshp plugin may
allow an attacker to read sensitive data via a crafted DBF file.
more... | librecad
more detail |
2023-07-08* | VuXML ID b31f7029-817c-4c1f-b7d3-252de5283393
SUSE reports:
cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/.
more... | py310-suds py311-suds py37-suds py38-suds py39-suds
more detail |
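The Suds entry above describes a classic local symlink attack: a cache file with a predictable name under a world-writable directory (/tmp/suds/) is opened with a plain open(), so a local user who pre-creates a symlink of that name gets the victim's file overwritten. The following is an added example, not Suds code, showing the unsafe pattern beside one hardened form (a 0700 per-user cache directory whose ownership is verified, and O_NOFOLLOW on the cache file open). It assumes a POSIX system; the file names, contents and the scratch directory standing in for /tmp/suds are constructed.

```python
"""Added example, not Suds code: predictable cache path vs. symlink-safe cache
write. Assumes POSIX (os.getuid, O_NOFOLLOW). All paths/contents are constructed;
a scratch directory stands in for /tmp/suds."""
import errno
import os
import stat
import tempfile


def unsafe_cache_write(cache_dir: str, name: str, data: bytes) -> None:
    """Pattern the advisory describes: predictable name, and open() follows
    symlinks, so a local user who pre-creates cache_dir/name -> <victim file>
    gets that file overwritten with attacker-influenced SOAP cache data."""
    with open(os.path.join(cache_dir, name), "wb") as f:
        f.write(data)


def private_cache_dir(base: str) -> str:
    """Create (or verify) a per-user 0700 cache directory under base and make
    sure it is a real directory owned by us, not something an attacker planted.
    The 'suds-<uid>' name is an assumption for the example."""
    path = os.path.join(base, "suds-%d" % os.getuid())
    os.makedirs(path, mode=0o700, exist_ok=True)
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("cache path is not a plain directory")
    if st.st_uid != os.getuid() or (st.st_mode & 0o077):
        raise RuntimeError("cache directory has wrong owner or is group/world accessible")
    return path


def safe_cache_write(cache_dir: str, name: str, data: bytes) -> None:
    """O_NOFOLLOW makes the open fail (ELOOP on Linux) if name is a symlink, and
    mode 0600 keeps other local users out of the cached responses."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(os.path.join(cache_dir, name), flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def run_demo() -> dict:
    """Plant a symlink the way a local attacker would, then try both writers."""
    root = tempfile.mkdtemp(prefix="symlink-demo-")
    victim = os.path.join(root, "victim.txt")        # stands in for a file the victim owns
    with open(victim, "wb") as f:
        f.write(b"original\n")
    cache = os.path.join(root, "cache")              # stands in for /tmp/suds
    os.mkdir(cache)
    os.symlink(victim, os.path.join(cache, "wsdl-1234.px"))   # attacker's planted link

    unsafe_cache_write(cache, "wsdl-1234.px", b"attacker-chosen\n")
    with open(victim, "rb") as f:
        clobbered = f.read() == b"attacker-chosen\n"

    with open(victim, "wb") as f:                    # reset for the second attempt
        f.write(b"original\n")
    try:
        safe_cache_write(cache, "wsdl-1234.px", b"attacker-chosen\n")
        refused = False
    except OSError as exc:
        refused = exc.errno in (errno.ELOOP, errno.EMLINK)
    with open(victim, "rb") as f:
        intact = f.read() == b"original\n"

    private = private_cache_dir(root)
    return {
        "unsafe_clobbered": clobbered,
        "safe_refused": refused,
        "victim_intact": intact,
        "private_dir_mode_ok": (os.stat(private).st_mode & 0o777) == 0o700,
    }
```

The real fix is to stop using a shared, predictable location at all (the private directory above); O_NOFOLLOW is the belt-and-braces check for the file itself, and it does nothing against a hard link, which is why the directory must be one other users cannot write to.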
2023-07-06 | VuXML ID d1681df3-421e-4a63-95b4-a3d6e29d395d
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3422.
- Security: backported fix for CVE-2023-3421.
- Security: backported fix for CVE-2023-3420.
more... | electron23 electron24
more detail |
2023-07-05 | VuXML ID 01eeea33-1afa-11ee-8a9b-b42e991fc52e
cve@mitre.org reports:
An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2
that allows users to store malicious values that may be executed
by other users at a later time via get_request in lib/function.php.
more... | phpldapadmin-php80 phpldapadmin-php81
more detail |
2023-07-05 | VuXML ID 8ea24413-1b15-11ee-9331-570525adb7f1
The Gitea team reports:
If the redirect_to parameter is set to a value starting with
\\example.com, a redirect is created with the header Location:
/\\example.com, which redirects to the example.com domain.
more... | gitea
more detail |
2023-07-05 | VuXML ID b3f77aae-241c-11ee-9684-c11c23f7b0f9
The Gitea team reports:
Test if container blob is accessible before mounting.
Set type="password" on all auth_token fields
Seen when migrating from other hosting platforms.
Prevents exposing the token to screen capture/cameras/eyeballs.
Prevents the browser from saving the value in its autocomplete
dictionary, which often is not secure.
more... | gitea
more detail |
2023-07-05 | VuXML ID d8972bcd-1b64-11ee-9cd6-001b217b3468
Gitlab reports:
A user can change the name and path of some public GitLab groups
more... | gitlab-ce
more detail |
2023-07-03 | VuXML ID 4ee7fa77-19a6-11ee-8a05-080027eda32c
Django reports:
CVE-2023-36053: Potential regular expression denial of service
vulnerability in EmailValidator/URLValidator.
more... | py310-django32 py310-django41 py310-django42 py311-django32 py311-django41 py311-django42 py38-django32 py38-django41 py38-django42 py39-django32 py39-django41 py39-django42
more detail |
2023-07-01 | VuXML ID 95dad123-180e-11ee-86ba-080027eda32c
Mediawiki reports:
(T335203, CVE-2023-29197) Upgrade guzzlehttp/psr7 to >= 1.9.1/2.4.5.
(T335612, CVE-2023-36674) Manualthumb bypasses badFile lookup.
(T332889, CVE-2023-36675) XSS in BlockLogFormatter due to unsafe message
use.
more... | mediawiki135 mediawiki138 mediawiki139
more detail |
2023-06-30 | VuXML ID 3117e6cd-1772-11ee-9cd6-001b217b3468
Gitlab reports:
ReDoS via EpicReferenceFilter in any Markdown fields
New commits to private projects visible in forks created while project was public
New commits to private projects visible in forks created while project was public
Maintainer can leak masked webhook secrets by manipulating URL masking
Information disclosure of project import errors
Sensitive information disclosure via value stream analytics controller
Bypassing Code Owners branch protection rule in GitLab
HTML injection in email address
Webhook token leaked in Sidekiq logs if log format is 'default'
Private email address of service desk issue creator disclosed via issues API
more... | gitlab-ce
more detail |
2023-06-30 | VuXML ID d821956f-1753-11ee-ad66-1c61b4739ac9
Daiyuu Nobori reports:
The SoftEther VPN project received a high level code review and technical assistance from Cisco Systems, Inc. of the United States from April to June 2023 to fix several vulnerabilities in the SoftEther VPN code.
The risk of exploitation of any of the fixed vulnerabilities is low under normal usage and environment, and actual attacks are very difficult. However, SoftEther VPN is now an open source VPN software used by 7.4 million unique users worldwide, and is used daily by many users to defend against the risk of blocking attacks by national censorship firewalls and attempts to eavesdrop on communications. Therefore, as long as the slightest attack possibility exists, there is great value in preventing vulnerabilities as much as possible in anticipation of the most sophisticated cyber attackers in the world, such as malicious ISPs and man-in-the-middle attackers on national Internet communication channels. These fixes are important and useful patches for users who use SoftEther VPN and the Internet for secure communications to prevent advanced attacks that can theoretically be triggered by malicious ISPs and man-in-the-middle attackers on national Internet communication pathways.
The fixed vulnerabilities are CVE-2023-27395, CVE-2023-22325, CVE-2023-32275, CVE-2023-27516, CVE-2023-32634, and CVE-2023-31192. All of these were discovered in an outstanding code review of SoftEther VPN by Cisco Systems, Inc.
- CVE-2023-27395: Heap overflow in the SoftEther VPN DDNS client functionality, at risk of crashing and theoretically arbitrary code execution, caused by a malicious man-in-the-middle attacker such as an ISP or an operator of national Internet communication channels
- CVE-2023-22325: Integer overflow in the SoftEther VPN DDNS client functionality could result in crashing, caused by a malicious man-in-the-middle attacker such as an ISP or an operator of national Internet communication channels
- CVE-2023-32275: Vulnerability that allows the administrator of a 32-bit version of VPN Client or VPN Server to see the 32-bit heap address of each trusted CA certificate in the VPN process
- CVE-2023-27516: If the user forgets to set the administrator password of SoftEther VPN Client and enables remote administration with a blank password, the administrator password of VPN Client can be changed remotely, or the VPN Client can be used remotely, by an anonymous third party
- CVE-2023-32634: If an attacker succeeds in launching a TCP relay program on the same port as the VPN Client on a local computer running the SoftEther VPN Client before the VPN Client process is launched, the TCP relay program can conduct a man-in-the-middle attack on communication between the administrator and the VPN Client process
- CVE-2023-31192: When SoftEther VPN Client connects to an untrusted VPN Server, an invalid redirection response for the clustering (load balancing) feature causes 20 bytes of uninitialized stack space to be read
more... | softether softether-devel
more detail |
2023-06-27 | VuXML ID 06428d91-152e-11ee-8b14-dbdd62da85fb
oss-fuzz reports:
heap buffer overflow in internal_huf_decompress.
Cary Phillips reports:
v3.1.9 - Patch release that addresses [...] also OSS-fuzz 59382 Heap-buffer-overflow in internal_huf_decompress
Kimball Thurston reports:
Fix scenario where malformed dwa file could read past end of buffer - fixes OSS-Fuzz 59382
more... | openexr
more detail |
2023-06-27 | VuXML ID ad05a737-14bd-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 4 security fixes:
- [1452137] High CVE-2023-3420: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2023-06-07
- [1447568] High CVE-2023-3421: Use after free in Media. Reported by Piotr Bania of Cisco Talos on 2023-05-22
- [1450397] High CVE-2023-3422: Use after free in Guest View. Reported by asnine on 2023-06-01
more... | chromium ungoogled-chromium
more detail |
2023-06-23 | VuXML ID fdbe9aec-118b-11ee-908a-6c3be5272acd
Grafana Labs reports:
Grafana validates Azure Active Directory accounts based on the email claim.
On Azure AD, the profile email field is not unique across Azure AD tenants.
This can enable a Grafana account takeover and authentication bypass when
Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application.
The CVSS score for this vulnerability is 9.4 Critical.
more... | grafana grafana10 grafana8 grafana9
more detail |
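The Grafana entry above is an identity-mapping bug rather than a token-validation bug: the token is validly signed, but the claim used to pick the local account (email) is neither stable nor unique across Azure AD tenants, and a multi-tenant app registration accepts tokens from any tenant. The following is an added example, not Grafana code, contrasting an email-keyed lookup with one that pins the issuing tenant and keys the account on the (tid, oid) pair. It assumes signature and audience checks have already passed; claim names follow Azure AD ID-token conventions, and the tenant IDs, object IDs and account table are constructed sample data.

```python
"""Added example, not Grafana code: mapping a verified OIDC token to a local
account. Claim names follow Azure AD ID tokens ("tid" = tenant, "oid" = per-user
object id, "email" = mutable, not unique across tenants). IDs and accounts below
are constructed sample data; signature/audience verification is assumed done."""
from typing import Optional

HOME_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"   # assumption: the one tenant we trust
ALICE_OID = "11111111-2222-3333-4444-555555555555"
ALLOWED_TENANTS = {HOME_TENANT}

# Vulnerable mapping: the email claim is the key.
ACCOUNTS_BY_EMAIL = {"alice@example.com": "grafana-admin-1"}
# Hardened mapping: (tenant, object id) is the key.
ACCOUNTS_BY_SUBJECT = {(HOME_TENANT, ALICE_OID): "grafana-admin-1"}

# Constructed tokens (claims only). The attacker controls a different tenant and
# has simply set their own user's email to alice's address there.
LEGIT_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{HOME_TENANT}/v2.0",
    "tid": HOME_TENANT,
    "oid": ALICE_OID,
    "email": "alice@example.com",
}
ATTACKER_TENANT = "bbbbbbbb-0000-0000-0000-000000000002"
ATTACKER_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{ATTACKER_TENANT}/v2.0",
    "tid": ATTACKER_TENANT,
    "oid": "99999999-8888-7777-6666-555555555555",
    "email": "alice@example.com",
}


def login_by_email(claims: dict) -> Optional[str]:
    """The pattern the advisory describes: whoever presents a validly signed
    token carrying alice's email gets alice's account."""
    return ACCOUNTS_BY_EMAIL.get(claims.get("email"))


def login_by_subject(claims: dict) -> Optional[str]:
    """Hardened: refuse foreign tenants, require iss to agree with tid, then key
    the account on the stable (tid, oid) pair. Email is display data only."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if tid not in ALLOWED_TENANTS:
        return None
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return None
    return ACCOUNTS_BY_SUBJECT.get((tid, oid))
```

If the deployment genuinely must be multi-tenant, the allowlist becomes the set of tenants you have onboarded; the point is that tenant membership is an explicit decision, never something inferred from an email domain.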
2023-06-22 | VuXML ID 770d88cc-f6dc-4385-bdfe-497f8080c3fb
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3215.
- Security: backported fix for CVE-2023-3216.
- Security: backported fix for CVE-2023-0698.
- Security: backported fix for CVE-2023-0932.
more... | electron22
more detail |
2023-06-22 | VuXML ID a03b2d9e-b3f2-428c-8f66-21092ed2ba94
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3215.
- Security: backported fix for CVE-2023-3216.
more... | electron23 electron24
more detail |
2023-06-16 | VuXML ID 3bf6795c-d44c-4033-9b37-ed2e30f34fca
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-2724.
- Security: backported fix for CVE-2023-2725.
- Security: backported fix for CVE-2023-2721.
- Security: backported fix for CVE-2023-3079.
- Security: backported fix for CVE-2023-2933.
- Security: backported fix for CVE-2023-2932.
- Security: backported fix for CVE-2023-2931.
- Security: backported fix for CVE-2023-2936.
- Security: backported fix for CVE-2023-2935.
- Security: backported fix for CVE-2023-2934.
- Security: backported fix for CVE-2023-2930.
more... | electron23
more detail |
2023-06-16 | VuXML ID 3c3d3dcb-bef7-4d20-9580-b4216b5ff6a2
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-2724.
- Security: backported fix for CVE-2023-2723.
- Security: backported fix for CVE-2023-2725.
- Security: backported fix for CVE-2023-2721.
- Security: backported fix for CVE-2023-3079.
- Security: backported fix for CVE-2023-2933.
- Security: backported fix for CVE-2023-2932.
- Security: backported fix for CVE-2023-2931.
- Security: backported fix for CVE-2023-2936.
- Security: backported fix for CVE-2023-2935.
- Security: backported fix for CVE-2023-2930.
more... | electron22
more detail |
2023-06-16 | VuXML ID 734b8f46-773d-4fef-bed3-61114fe8e4c5
The X.Org project reports:
- Buffer overflows in InitExt.c in libX11 prior to 1.8.6 [CVE-2023-3138]
The functions in src/InitExt.c in libX11 prior to 1.8.6 do not check
that the values provided for the Request, Event, or Error IDs are
within the bounds of the arrays that those functions write to, using
those IDs as array indexes. Instead they trusted that they were called
with values provided by an Xserver that was adhering to the bounds
specified in the X11 protocol, as all X servers provided by X.Org do.
As the protocol only specifies a single byte for these values, an
out-of-bounds value provided by a malicious server (or a malicious
proxy-in-the-middle) can only overwrite other portions of the Display
structure and not write outside the bounds of the Display structure
itself. Testing has found it is possible to at least cause the client
to crash with this memory corruption.
more... | libX11
more detail |
2023-06-16 | VuXML ID aae2ab45-2d21-4cd5-a53b-07ec933400ac
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3079.
- Security: backported fix for CVE-2023-2933.
- Security: backported fix for CVE-2023-2932.
- Security: backported fix for CVE-2023-2931.
- Security: backported fix for CVE-2023-2936.
- Security: backported fix for CVE-2023-2935.
- Security: backported fix for CVE-2023-2934.
- Security: backported fix for CVE-2023-2930.
more... | electron24
more detail |
2023-06-14 | VuXML ID b4db7d78-bb62-4f4c-9326-6e9fc2ddd400
Jenkins Security Advisory:
Description
(High) SECURITY-3135 / CVE-2023-35141
CSRF protection bypass vulnerability
more... | jenkins jenkins-lts
more detail |
2023-06-13 | VuXML ID 1567be8c-0a15-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 5 security fixes:
- [1450568] Critical CVE-2023-3214: Use after free in Autofill payments. Reported by Rong Jian of VRI on 2023-06-01
- [1446274] High CVE-2023-3215: Use after free in WebRTC. Reported by asnine on 2023-05-17
- [1450114] High CVE-2023-3216: Type Confusion in V8. Reported by 5n1p3r0010 from Topsec ChiXiao Lab on 2023-05-31
- [1450601] High CVE-2023-3217: Use after free in WebXR. Reported by Sergei Glazunov of Google Project Zero on 2023-06-01
more... | chromium ungoogled-chromium
more detail |
2023-06-13 | VuXML ID f0250129-fdb8-41ed-aa9e-661ff5026845
VSCode developers report:
VS Code Information Disclosure Vulnerability
An information disclosure vulnerability exists in VS Code 1.79.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. An authorised attacker must send the user a malicious file and convince the user to open it for the vulnerability to occur. Exploiting this vulnerability could allow the disclosure of NTLM hashes.
more... | vscode
more detail |
2023-06-12 | VuXML ID f7e9a1cc-0931-11ee-94b4-6cc21735f730
Shibboleth consortium reports:
An updated version of the XMLTooling library that is part of the
OpenSAML and Shibboleth Service Provider software is now available
which corrects a server-side request forgery (SSRF) vulnerability.
Including certain legal but "malicious in intent" content in the
KeyInfo element defined by the XML Signature standard will result
in attempts by the SP's shibd process to dereference untrusted
URLs.
While the content of the URL must be supplied within the message
and does not include any SP internal state or dynamic content,
there is at minimum a risk of denial of service, and the attack
could be combined with others to create more serious vulnerabilities
in the future.
more... | xmltooling
more detail |
2023-06-09 | VuXML ID fdca9418-06f0-11ee-abe2-ecf4bbefc954
Neil Pang reports:
HiCA was injecting arbitrary code/commands into the certificate obtaining process and acme.sh is running them on the client machine.
more... | acme.sh
more detail |
2023-06-08 | VuXML ID d86becfe-05a4-11ee-9d4a-080027eda32c
Python reports:
gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded
to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well
as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).
gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters
following the specification for URLs defined by WHATWG in response to CVE-2023-24329.
gh-99889: Fixed a security flaw in uu.decode() that could allow for directory traversal
based on the input if no out_file was specified.
gh-104049: Do not expose the local on-disk location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with
shell=True.
gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().
gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter
argument that allows limiting tar features that may be surprising or dangerous, such as creating
files outside the destination directory.
gh-102126: Fixed a deadlock at shutdown when clearing thread states if any finalizer tries to
acquire the runtime head lock.
gh-100892: Fixed a crash due to a race while iterating over thread states in clearing
threading.local.
more... | python310 python311 python37 python38 python39
more detail |
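Two entries above describe the same validator weakness from different sides: the Gitea open redirect (a redirect_to beginning with \\example.com becomes Location: /\\example.com, which browsers read as a network-path reference to example.com because they treat backslashes as slashes), and the CPython change in urlsplit() (CVE-2023-24329) that strips leading C0 control and space characters the way WHATWG parsers do, so that "\x1f//evil" is no longer parsed differently by the validator and by the browser. The following is an added example, not Gitea or CPython code, of a redirect-target check that handles both: it normalises as a browser would before deciding, and only accepts an absolute path on the current origin.

```python
"""Added example, not Gitea or CPython code: validating a user-supplied
redirect target so it can only lead back into the same site."""
import re
from urllib.parse import urlsplit

# C0 controls (0x00-0x1F) plus space. WHATWG URL parsing strips these from the
# start of input, so a validator must do the same or "\x1f//evil.example" slips
# past a "does it start with //" check while the browser still goes to evil.example.
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def _browser_normalise(target: str) -> str:
    """Apply the two transformations a browser applies before resolving."""
    t = target.lstrip(_LEADING_JUNK)
    # In http(s) URLs a backslash is a slash, so "\\evil.example" and
    # "/\\evil.example" are both network-path references to evil.example.
    return t.replace("\\", "/")


def is_safe_local_redirect(target: str) -> bool:
    """True only for an absolute path on this origin, e.g. "/user/settings"."""
    if not target:
        return False
    t = _browser_normalise(target)
    if not t.startswith("/") or t.startswith("//"):
        return False                     # relative, scheme, or network-path reference
    if _CONTROL.search(t):
        return False                     # CR/LF would allow header injection
    parts = urlsplit(t)
    return parts.scheme == "" and parts.netloc == ""


def safe_redirect_location(target: str, fallback: str = "/") -> str:
    """Value to put in the Location header: the normalised target, or fallback."""
    return _browser_normalise(target) if is_safe_local_redirect(target) else fallback
```

Prefixing "/" to an untrusted value, as the Gitea entry describes, is not a fix on its own: "/" + "\\example.com" still normalises to "//example.com". Compare against the normalised form, and reject rather than repair.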
2023-06-07 | VuXML ID 12741b1f-04f9-11ee-8290-a8a1599412c6
Chrome Releases reports:
This update includes 2 security fixes:
- [1450481] High CVE-2023-3079: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-06-01
more... | chromium ungoogled-chromium
more detail |
2023-06-07 | VuXML ID 652064ef-056f-11ee-8e16-6c3be5272acd
Grafana Labs reports:
We have discovered a vulnerability with Grafana's data source query
endpoints that could end up crashing a Grafana instance.
If you have public dashboards (PD) enabled, we
are scoring this as a CVSS 7.5 High.
If you have disabled PD, this vulnerability is still a risk,
but triggering the issue requires data source read privileges
and access to the Grafana API through a developer script.
more... | grafana grafana9
more detail |
2023-06-07 | VuXML ID 6c1de144-056f-11ee-8e16-6c3be5272acd
Grafana Labs reports:
Grafana can allow an attacker in the Viewer role
to send alerts by API Alert - Test. This option,
however, is not available in the user panel UI for the Viewer role.
The CVSS score for this vulnerability is 4.1 Medium
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N).
more... | grafana grafana8 grafana9
more detail |
2023-06-07 | VuXML ID cdb5338d-04ec-11ee-9c88-001b217b3468
Gitlab reports:
Stored-XSS with CSP-bypass in Merge requests
ReDoS via FrontMatterFilter in any Markdown fields
ReDoS via InlineDiffFilter in any Markdown fields
ReDoS via DollarMathPostFilter in Markdown fields
DoS via malicious test report artifacts
Restricted IP addresses can clone repositories of public projects
Reflected XSS in Report Abuse Functionality
Privilege escalation from maintainer to owner by importing members from a project
Bypassing tags protection in GitLab
Denial of Service using multiple labels with arbitrarily large descriptions
Ability to use an unverified email for public and commit emails
Open Redirection Through HTTP Response Splitting
Disclosure of issue notes to an unauthorized user when exporting a project
Ambiguous branch name exploitation
more... | gitlab-ce
more detail |
2023-06-06 | VuXML ID 2f38c6a2-04a4-11ee-8cb0-e41f13b9c674
cve@mitre.org reports:
qpress before PierreLvx/qpress 20220819 and before version 11.3,
as used in Percona XtraBackup and other products, allows directory
traversal via ../ in a .qp file.
more... | qpress xtrabackup8
more detail |
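The qpress entry just above (directory traversal via ../ in a .qp member name) and the tarfile filter item in the Python entry (gh-102953) are the same bug class and the same fix: an extractor must resolve each member name against the destination and refuse anything that lands outside it. The following is an added example, not qpress or CPython code, that builds a one-member archive with a "../" name in memory and shows the stdlib 'data' filter rejecting it, alongside a format-agnostic containment check that an extractor for .qp, zip or any other container can use. Archives, member names and the scratch directory are constructed; a tar stands in for the .qp format, whose layout is not on this page.

```python
"""Added example, not qpress or CPython code: refusing archive members that
escape the extraction directory. Uses tar as a stand-in container; the
archives and paths below are constructed in a scratch directory."""
import io
import os
import tarfile
import tempfile

# tarfile.FilterError only exists in releases that carry the gh-102953 filters.
_FILTER_ERROR = getattr(tarfile, "FilterError", ValueError)


def build_tar(member_name: str, data: bytes = b"hello\n") -> bytes:
    """Construct a one-member tar in memory; member_name may contain '../'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_is_contained(dest: str, member_name: str) -> bool:
    """Format-agnostic check: resolve the member name against dest (realpath
    collapses '..' and symlinks) and require the result to stay inside dest.
    An absolute member name discards dest in os.path.join and so fails too."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(archive: bytes, dest: str):
    """Extract into dest; return None on success or the reason for refusal."""
    try:
        with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
            if hasattr(tarfile, "data_filter"):
                # gh-102953: the 'data' filter refuses members outside dest,
                # absolute names, links pointing outside, and device files.
                tf.extractall(dest, filter="data")
            else:
                # Older interpreter: do the containment check by hand first.
                for m in tf.getmembers():
                    if not member_is_contained(dest, m.name):
                        raise ValueError(f"{m.name!r} would escape {dest}")
                tf.extractall(dest)
    except (_FILTER_ERROR, ValueError) as exc:
        return str(exc)
    return None


def run_demo() -> dict:
    """Try a traversal member and a benign one in a scratch directory."""
    root = tempfile.mkdtemp(prefix="extract-demo-")
    dest = os.path.join(root, "out")
    os.mkdir(dest)
    refusal = safe_extract(build_tar("../escaped.txt", b"pwned\n"), dest)
    benign = safe_extract(build_tar("docs/readme.txt"), dest)
    return {
        "malicious_refused": refusal is not None,
        "escaped_file_exists": os.path.exists(os.path.join(root, "escaped.txt")),
        "benign_extracted": benign is None
        and os.path.isfile(os.path.join(dest, "docs", "readme.txt")),
    }
```

Check names before writing anything, not member by member during extraction: a partially extracted archive that stopped at the first bad entry has still written attacker-chosen files into dest.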
2023-06-06 | VuXML ID bfca647c-0456-11ee-bafd-b42e991fc52e
Kanboard is project management software that focuses on the Kanban
methodology. The last update includes 4 vulnerabilities:
security-advisories@github.com reports:
- Missing access control in internal task links feature
- Stored Cross site scripting in the Task External Link Functionality in Kanboard
- Missing Access Control allows User to move and duplicate tasks in Kanboard
- Parameter based Indirect Object Referencing leading to private file exposure in Kanboard
more... | php80-kanboard
more detail |
2023-05-31 | VuXML ID eb9a3c57-ff9e-11ed-a0d1-84a93843eb75
The OpenSSL project reports:
Severity: Moderate. Processing some specially crafted ASN.1
object identifiers or data containing them may be very slow.
more... | openssl openssl-quictls openssl30 openssl31
more detail |
2023-05-31 | VuXML ID fd87a250-ff78-11ed-8290-a8a1599412c6
Chrome Releases reports:
This update includes 16 security fixes:
- [1410191] High CVE-2023-2929: Out of bounds write in Swiftshader. Reported by Jaehun Jeong(@n3sk) of Theori on 2023-01-25
- [1443401] High CVE-2023-2930: Use after free in Extensions. Reported by asnine on 2023-05-08
- [1444238] High CVE-2023-2931: Use after free in PDF. Reported by Huyna at Viettel Cyber Security on 2023-05-10
- [1444581] High CVE-2023-2932: Use after free in PDF. Reported by Huyna at Viettel Cyber Security on 2023-05-11
- [1445426] High CVE-2023-2933: Use after free in PDF. Reported by Quang Nguyễn (@quangnh89) of Viettel Cyber Security and Nguyen Phuong on 2023-05-15
- [1429720] High CVE-2023-2934: Out of bounds memory access in Mojo. Reported by Mark Brand of Google Project Zero on 2023-04-01
- [1440695] High CVE-2023-2935: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-04-27
- [1443452] High CVE-2023-2936: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-05-08
- [1413813] Medium CVE-2023-2937: Inappropriate implementation in Picture In Picture. Reported by NDevTK on 2023-02-08
- [1416350] Medium CVE-2023-2938: Inappropriate implementation in Picture In Picture. Reported by Alesandro Ortiz on 2023-02-15
- [1427431] Medium CVE-2023-2939: Insufficient data validation in Installer. Reported by ycdxsb from VARAS@IIE on 2023-03-24
- [1426807] Medium CVE-2023-2940: Inappropriate implementation in Downloads. Reported by Axel Chong on 2023-03-22
- [1430269] Low CVE-2023-2941: Inappropriate implementation in Extensions API. Reported by Jasper Rebane on 2023-04-04
more... | chromium ungoogled-chromium
more detail |
2023-05-30 | VuXML ID 79514fcd-feb4-11ed-92b5-b42e991fc52e
security-advisories@github.com reports:
Kanboard is project management software that focuses on the Kanban
methodology. Due to improper handling of elements under the
`contentEditable` element, maliciously crafted clipboard content
can inject arbitrary HTML tags into the DOM. A low-privileged
attacker with permission to attach a document on a vulnerable
Kanboard instance can trick the victim into pasting malicious
screenshot data and achieve cross-site scripting if CSP is improperly
configured. This issue has been patched in version 1.2.29.
more... | php80-kanboard
more detail |
2023-05-28 | VuXML ID 5d1b1a0a-fd36-11ed-a0d1-84a93843eb75
The MariaDB project reports:
MariaDB Server is vulnerable to Denial of Service. It is possible for
function spider_db_mbase::print_warnings to dereference a null pointer.
more... | mariadb1011-server mariadb103-server mariadb104-server mariadb105-server mariadb106-server
more detail |
2023-05-21 | VuXML ID 7d6be8d4-f812-11ed-a7ff-589cfc0f81b0
phpmyfaq developers report:
Multiple XSS vulnerabilities
more... | phpmyfaq
more detail |
2023-05-19 | VuXML ID 1ab7357f-a3c2-406a-89fb-fd00e49a71b5
Tim Wojtulewicz of Corelight reports:
A specially-crafted series of FTP packets with a CMD
command with a large path followed by a very large number
of replies could cause Zeek to spend a long time processing
the data.
A specially-crafted with a truncated header can cause
Zeek to overflow memory and potentially crash.
A specially-crafted series of SMTP packets can cause
Zeek to generate a very large number of events and take
a long time to process them.
A specially-crafted series of POP3 packets containing
MIME data can cause Zeek to spend a long time dealing
with each individual file ID.
more... | zeek
more detail |
2023-05-19 | VuXML ID a4f8bb03-f52f-11ed-9859-080027083a05
Wei Chong Tan, Harry Sintonen, and Hiroki Kurosawa report:
This update fixes 4 security vulnerabilities:
- Medium CVE-2023-28319: UAF in SSH sha256 fingerprint check. Reported by Wei Chong Tan on 2023-03-21
- Low CVE-2023-28320: siglongjmp race condition. Reported by Harry Sintonen on 2023-04-02
- Low CVE-2023-28321: IDN wildcard match. Reported by Hiroki Kurosawa on 2023-04-17
- Low CVE-2023-28322: more POST-after-PUT confusion. Reported by Hiroki Kurosawa on 2023-04-19
more... | curl
more detail |
2023-05-18 | VuXML ID b09d77d0-b27c-48ae-b69b-9641bb68b39e
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-29469
more... | electron22 electron23
more detail |
2023-05-17 | VuXML ID bea52545-f4a7-11ed-8290-a8a1599412c6
Chrome Releases reports:
This update includes 12 security fixes:
- [1444360] Critical CVE-2023-2721: Use after free in Navigation. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2023-05-10
- [1400905] High CVE-2023-2722: Use after free in Autofill UI. Reported by Rong Jian of VRI on 2022-12-14
- [1435166] High CVE-2023-2723: Use after free in DevTools. Reported by asnine on 2023-04-21
- [1433211] High CVE-2023-2724: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-04-14
- [1442516] High CVE-2023-2725: Use after free in Guest View. Reported by asnine on 2023-05-04
- [1442018] Medium CVE-2023-2726: Inappropriate implementation in WebApp Installs. Reported by Ahmed ElMasry on 2023-05-03
more... | chromium ungoogled-chromium
more detail |
2023-05-13 | VuXML ID 4a08a4fb-f152-11ed-9c88-001b217b3468
Gitlab reports:
Smuggling code changes via merge requests with refs/replace
more... | gitlab-ce
more detail |
2023-05-12 | VuXML ID ec63bc8e-f092-11ed-85ca-001517a2e1a4
Piwigo reports:
Piwigo is affected by multiple SQL injection issues.
more... | piwigo
more detail |
2023-05-11 | VuXML ID 4b636f50-f011-11ed-bbae-6cc21735f730
PostgreSQL Project reports:
While CVE-2016-2193 fixed most interaction between row security and
user ID changes, it missed a scenario involving function
inlining. This leads to potentially incorrect policies being
applied in cases where role-specific policies are used and a
given query is planned under one role and then executed under
other roles. This scenario can happen under security definer
functions or when a common user and query is planned
initially and then re-used across multiple SET ROLEs.
Applying an incorrect policy may permit a user to complete
otherwise-forbidden reads and modifications. This affects
only databases that have used CREATE POLICY to define a row
security policy.
more... | postgresql-server
more detail |
2023-05-11 | VuXML ID fbb5a260-f00f-11ed-bbae-6cc21735f730
PostgreSQL Project reports:
This enabled an attacker having database-level CREATE
privilege to execute arbitrary code as the bootstrap
superuser. Database owners have that right by default,
and explicit grants may extend it to other users.
more... | postgresql-server
more detail |
2023-05-10 | VuXML ID 7913fe6d-2c6e-40ba-a7d7-35696f3db2b6
secure@microsoft.com reports:
Visual Studio Code Information Disclosure Vulnerability
An information disclosure vulnerability exists in VS Code 1.78.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. An authorised attacker must send the user a malicious file and convince the user to open it for the vulnerability to occur. Exploiting this vulnerability could allow the disclosure of NTLM hashes.
more... | vscode
more detail |
2023-05-08 | VuXML ID 96b2d4db-ddd2-11ed-b6ea-080027f5fec9
Redis core team reports:
Authenticated users can use the HINCRBYFLOAT command to
create an invalid hash field that may later crash Redis on
access.
more... | redis redis6 redis62
more detail |
2023-05-06 | VuXML ID 89fdbd85-ebd2-11ed-9c88-001b217b3468
Gitlab reports:
Malicious Runner Attachment via GraphQL
more... | gitlab-ce
more detail |
2023-05-05 | VuXML ID d55e1b4d-eadc-11ed-9cc0-080027de9982
Django reports:
CVE-2023-31047: Potential bypass of validation when uploading multiple
files using one form field.
more... | py310-django32 py310-django41 py310-django42 py311-django32 py311-django41 py311-django42 py37-django32 py38-django32 py38-django41 py38-django42 py39-django32 py39-django41 py39-django42
more detail |
2023-05-03 | VuXML ID 246174d3-e979-11ed-8290-a8a1599412c6
Chrome Releases reports:
This update includes 15 security fixes:
- [1423304] Medium CVE-2023-2459: Inappropriate implementation in Prompts. Reported by Rong Jian of VRI on 2023-03-10
- [1419732] Medium CVE-2023-2460: Insufficient validation of untrusted input in Extensions. Reported by Martin Bajanik, Fingerprint[.]com on 2023-02-27
- [1350561] Medium CVE-2023-2461: Use after free in OS Inputs. Reported by @ginggilBesel on 2022-08-06
- [1375133] Medium CVE-2023-2462: Inappropriate implementation in Prompts. Reported by Alesandro Ortiz on 2022-10-17
- [1406120] Medium CVE-2023-2463: Inappropriate implementation in Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on 2023-01-10
- [1418549] Medium CVE-2023-2464: Inappropriate implementation in PictureInPicture. Reported by Thomas Orlita on 2023-02-23
- [1399862] Medium CVE-2023-2465: Inappropriate implementation in CORS. Reported by @kunte_ctf on 2022-12-10
- [1385714] Low CVE-2023-2466: Inappropriate implementation in Prompts. Reported by Jasper Rebane (popstonia) on 2022-11-17
- [1413586] Low CVE-2023-2467: Inappropriate implementation in Prompts. Reported by Thomas Orlita on 2023-02-07
- [1416380] Low CVE-2023-2468: Inappropriate implementation in PictureInPicture. Reported by Alesandro Ortiz on 2023-02-15
more... | chromium ungoogled-chromium
more detail |
2023-05-02 | VuXML ID 4ffcccae-e924-11ed-9c88-001b217b3468
Gitlab reports:
Privilege escalation for external users when OIDC is enabled under certain conditions
Account takeover through open redirect for Group SAML accounts
Users on banned IP addresses can still commit to projects
User with developer role (group) can modify Protected branches setting on imported project and leak group CI/CD variables
The Gitlab web interface does not guarantee file integrity when downloading source code or installation packages from a tag or from a release.
Banned group member continues to have access to the public projects of a public group with the same access level as before the ban.
The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code.
XSS and content injection and iframe injection when viewing raw files on iOS devices
Authenticated users can find other users by their private email
more... | gitlab-ce
more detail |
2023-04-30 | VuXML ID 4da51989-5a8b-4eb9-b442-46d94ec0802d
Elijah Glover reports:
Malformed HTTP/1.1 requests can crash worker processes,
occasionally locking up child workers and causing denial of
service, and an outage dropping any open connections.
more... | h2o h2o-devel
more detail |
2023-04-29 | VuXML ID 02562a78-e6b7-11ed-b0ce-b42e991fc52e
security@ubuntu.com reports:
Sensitive data could be exposed in logs of cloud-init before version
23.1.2. An attacker could use this information to find hashed
passwords and possibly escalate their privilege.
more... | cloud-init cloud-init-devel
more detail |
2023-04-28* | VuXML ID 25872b25-da2d-11ed-b715-a1e76793953b
cve@mitre.org reports:
In Artifex Ghostscript through 10.01.0, there is a buffer overflow
leading to potential corruption of data internal to the PostScript
interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode,
TBCPEncode, and TBCPDecode. If the write buffer is filled to one
byte less than full, and one then tries to write an escaped character,
two bytes are written.
more... | ghostscript ghostscript7-base ghostscript7-commfont ghostscript7-jpnfont ghostscript7-korfont ghostscript7-x11 ghostscript8-base ghostscript8-x11 ghostscript9-agpl-base
more detail |
2023-04-26 | VuXML ID 0b85b1cd-e468-11ed-834b-6c3be5272acd
Grafana Labs reports:
An issue in how go handles backticks (`) with Javascript can lead to
an injection of arbitrary code into go templates. While Grafana Labs software
contains potentially vulnerable versions of go, we have not identified any
exploitable use cases at this time.
The CVSS score for this vulnerability is 0.0 (adjusted), 9.8 (base).
more... | grafana grafana8 grafana9
more detail |
2023-04-26 | VuXML ID 5e257b0d-e466-11ed-834b-6c3be5272acd
Grafana Labs reports:
When setting up Grafana, there is an option to enable
JWT authentication. Enabling this will allow users to authenticate towards
the Grafana instance with a special header (default X-JWT-Assertion).
In Grafana, there is an additional way to authenticate using JWT called
URL login where the token is passed as a query parameter.
When using this option, a JWT token is passed to the data source as a header,
which leads to exposure of sensitive information to an unauthorized party.
The CVSS score for this vulnerability is 4.2 Medium
more... | grafana grafana9
more detail |
2023-04-26 | VuXML ID c676bb1b-e3f8-11ed-b37b-901b0e9408dc
Matrix developers report:
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP
client into a web page. Prior to version 3.71.0, plain text messages
containing HTML tags are rendered as HTML in the search results.
To exploit this, an attacker needs to trick a user into searching
for a specific message containing an HTML injection payload. No
cross-site scripting attack is possible due to the hardcoded content
security policy. Version 3.71.0 of the SDK patches over the issue.
As a workaround, restarting the client will clear the HTML injection.
more... | element-web
more detail |
2023-04-26 | VuXML ID d2c6173f-e43b-11ed-a1d7-002590f2a714
git developers reports:
This update includes 2 security fixes:
- CVE-2023-25652: By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch)
- CVE-2023-29007: A specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can be used to exploit a bug that can be used to inject arbitrary configuration into a user's git config. This can result in arbitrary execution of code, by inserting values for core.pager, core.editor and so on
more... | git git-lite git-tiny
more detail |
2023-04-25 | VuXML ID 4ee322e9-e363-11ed-b934-b42e991fc52e
security-advisories@github.com reports:
Jellyfin is a free-software media system. Versions starting with
10.8.0 and prior to 10.8.10 have a directory traversal
vulnerability inside the `ClientLogController`, specifically
`/ClientLog/Document`. When combined with a cross-site scripting
vulnerability (CVE-2023-30627), this can result in file write and
arbitrary code execution. Version 10.8.10 has a patch for this
issue. There are no known workarounds.
more... | jellyfin
more detail |
2023-04-24 | VuXML ID bb528d7c-e2c6-11ed-a3e6-589cfc0f81b0
phpmyfaq developers report:
XSS
email address manipulation
more... | phpmyfaq
more detail |
2023-04-22* | VuXML ID f504a8d2-e105-11ed-85f6-84a93843eb75
Oracle reports:
This Critical Patch Update contains 34 new security patches, plus
additional third party patches noted below, for Oracle MySQL. 11 of
these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without
requiring user credentials.
more... | mysql-client57 mysql-client80 mysql-connector-java mysql-server57 mysql-server80
more detail |
2023-04-20 | VuXML ID 90c48c04-d549-4fc0-a503-4775e32d438e
Chrome Releases reports:
This update includes 8 security fixes:
- [1429197] High CVE-2023-2133: Out of bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30
- [1429201] High CVE-2023-2134: Out of bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30
- [1424337] High CVE-2023-2135: Use after free in DevTools. Reported by Cassidy Kim(@cassidy6564) on 2023-03-14
- [1432603] High CVE-2023-2136: Integer overflow in Skia. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-04-12
- [1430644] Medium CVE-2023-2137: Heap buffer overflow in sqlite. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2023-04-05
more... | chromium ungoogled-chromium
more detail |
2023-04-16 | VuXML ID 0bd7f07b-dc22-11ed-bf28-589cfc0f81b0
The libxml2 project reports:
Hashing of empty dict strings isn't deterministic
Fix null deref in xmlSchemaFixupComplexType
more... | libxml2
more detail |
2023-04-15 | VuXML ID 6f0327d4-9902-4042-9b68-6fc2266944bc
Chrome Releases reports:
This update includes 2 security fixes:
- [1432210] High CVE-2023-2033: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-04-11
more... | chromium ungoogled-chromium
more detail |
2023-04-15 | VuXML ID e8b20517-dbb6-11ed-bf28-589cfc0f81b0
The mod_gnutls project reports:
Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Versions
from 0.9.0 to 0.12.0 (including) did not properly fail blocking
read operations on TLS connections when the transport hit timeouts.
Instead it entered an endless loop retrying the read operation,
consuming CPU resources. This could be exploited for denial of
service attacks. If trace level logging was enabled, it would also
produce an excessive amount of log output during the loop, consuming
disk space.
more... | ap24-mod_gnutls
more detail |
2023-04-12 | VuXML ID 96d6809a-81df-46d4-87ed-2f78c79f06b1
Tim Wojtulewicz of Corelight reports:
Receiving DNS responses from async DNS requests (via
A specially-crafted stream of FTP packets containing a
command reply with many intermediate lines can cause Zeek
to spend a large amount of time processing data.
A specially-crafted set of packets containing extremely
large file offsets can cause the reassembler code to
allocate large amounts of memory.
The DNS manager does not correctly expire responses
that don't contain any data, such as those containing NXDOMAIN
or NODATA status codes. This can lead to Zeek allocating
large amounts of memory for these responses and never
deallocating them.
A specially-crafted stream of RDP packets can cause
Zeek to spend large amounts of time on protocol validation.
A specially-crafted stream of SMTP packets can cause
Zeek to spend large amounts of time processing data.
more... | zeek
more detail |
2023-04-10 | VuXML ID 2acdf364-9f8d-4aaf-8d1b-867fdfd771c6
macosforgebot reports:
The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.
more... | py310-kerberos py311-kerberos py37-kerberos py38-kerberos py39-kerberos
more detail |
2023-04-10 | VuXML ID 374793ad-2720-4c4a-b86c-fc4a1780deac
ret2libc reports:
psutil (aka python-psutil) through 5.6.5 can have a double free.
This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
more... | py310-psutil121 py311-psutil121 py37-psutil121 py38-psutil121 py39-psutil121
more detail |
2023-04-10 | VuXML ID a32ef450-9781-414b-a944-39f2f61677f2
alex reports:
Previously, `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers.
This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python.
This is a soundness bug -- it allows programmers to misuse an API, it cannot be exploited by attacker controlled data alone.
This now correctly raises an exception.
This issue has been present since `update_into` was originally introduced in cryptography 1.8.
more... | py310-cryptography py311-cryptography py37-cryptography py38-cryptography py39-cryptography
more detail |
2023-04-10 | VuXML ID b54abe9d-7024-4d10-98b2-180cf1717766
matheusbrat reports:
The Beaker library through 1.12.1 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.
more... | py310-beaker py311-beaker py37-beaker py38-beaker py39-beaker
more detail |
2023-04-10 | VuXML ID c1a8ed1c-2814-4260-82aa-9e37c83aac93
pyca/cryptography's wheels include a statically linked copy of OpenSSL.
The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue.
More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and https://www.openssl.org/news/secadv/20230207.txt.
If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL.
Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
more... | py310-cryptography py311-cryptography py37-cryptography py38-cryptography py39-cryptography
more detail |
2023-04-10 | VuXML ID e1b77733-a982-442e-8796-a200571bfcf2
abeluck reports:
A flaw was found in Ansible Base when using the aws_ssm connection plugin, as garbage collection does not happen after the playbook run is completed.
Files would remain in the bucket, exposing the data.
This issue directly affects data confidentiality.
A flaw was found in Ansible Base when using the aws_ssm connection plugin, as there is no namespace separation for file transfers.
Files are written directly to the root bucket, making it possible to have collisions when running multiple Ansible processes.
This issue mainly affects service availability.
more... | py310-ansible py311-ansible py37-ansible py38-ansible py39-ansible
more detail |
2023-04-10 | VuXML ID f418cd50-561a-49a2-a133-965d03ede72a
Tapas jena reports:
A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory.
Any secret information in an async status file will be readable by a malicious user on that system.
This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
more... | py310-ansible py311-ansible py37-ansible py38-ansible py39-ansible
more detail |
2023-04-10* | VuXML ID faf7c1d0-f5bb-47b4-a6a8-ef57317b9766
NVD reports:
An issue was discovered in the FFmpeg package, where
vp3_decode_frame in libavcodec/vp3.c lacks check of the
return value of av_malloc() and will cause a null pointer
dereference, impacting availability.
A null pointer dereference issue was discovered in
'FFmpeg' in decode_main_header() function of
libavformat/nutdec.c file. The flaw occurs because the
function lacks check of the return value of
avformat_new_stream() and triggers the null pointer
dereference error, causing an application to crash.
A vulnerability classified as problematic has been found
in ffmpeg. This affects an unknown part of the file
libavcodec/rpzaenc.c of the component QuickTime RPZA Video
Encoder. The manipulation of the argument y_size leads to
out-of-bounds read. It is possible to initiate the attack
remotely. The name of the patch is
92f9b28ed84a77138105475beba16c146bdaf984. It is recommended
to apply a patch to fix this issue. The associated
identifier of this vulnerability is VDB-213543.
more... | avidemux emby-server emby-server-devel ffmpeg ffmpeg4 handbrake mythtv mythtv-frontend
more detail |
2023-04-09 | VuXML ID 0a38a0d9-757f-4ac3-9561-b439e933dfa9
Snyk reports:
This affects the package celery before 5.2.2.
It by default trusts the messages and metadata stored in backends (result stores).
When reading task metadata from the backend, the data is deserialized.
Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
more... | py39-celery
more detail |
2023-04-09 | VuXML ID 15dae5cc-9ee6-4577-a93e-2ab57780e707
Tom Wolters reports:
When using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry.
These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application.
more... | py39-sentry-sdk
more detail |
2023-04-09 | VuXML ID 17083017-d993-43eb-8aaf-7138f4486d1c
jwang-a reports:
An issue was discovered in split_region in uc.c in Unicorn Engine before 2.0.0-rc5.
It allows local attackers to escape the sandbox.
An attacker must first obtain the ability to execute crafted code in the target sandbox in order to exploit this vulnerability.
The specific flaw exists within the virtual memory manager.
The issue results from the faulty comparison of GVA and GPA while calling uc_mem_map_ptr to free part of a claimed memory block.
An attacker can leverage this vulnerability to escape the sandbox and execute arbitrary code on the host machine.
more... | py39-unicorn
more detail |
2023-04-09 | VuXML ID 187ab98e-2953-4495-b379-4060bd4b75ee
SCH227 reports:
Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.
Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.
This has been patched in version 65.5.1. The patch was backported to revision 44.1.1_1.
more... | py27-setuptools44
more detail |
2023-04-09 | VuXML ID 1b38aec4-4149-4c7d-851c-3c4de3a1fbd0
SCH227 reports:
Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.
Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.
This has been patched in version 65.5.1. The patch was backported to revision 63.1.0_1.
more... | py39-setuptools
more detail |
2023-04-09 | VuXML ID 24da150a-33e0-4fee-b4ee-2c6b377d3395
SCH227 reports:
Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.
Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.
This has been patched in version 65.5.1. The patch was backported to revision 58.5.3_3.
more... | py39-setuptools58
more detail |
2023-04-09 | VuXML ID 28a37df6-ba1a-4eed-bb64-623fc8e8dfd0
SCH227 reports:
The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
more... | py39-py
more detail |
2023-04-09 | VuXML ID 326b2f3e-6fc7-4661-955d-a772760db9cf
Thibaut Goetghebuer-Planchon reports:
The reference kernel of the CONV_3D_TRANSPOSE TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result.
Instead of `data_ptr += num_channels;` it should be `data_ptr += output_num_channels;` as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels.
An attacker can craft a model with a specific number of input channels in a way similar to the attached example script.
It is then possible to write specific values through the bias of the layer outside the bounds of the buffer.
This attack only works if the reference kernel resolver is used in the interpreter (i.e. `experimental_op_resolver_type=tf.lite.experimental.OpResolverType.BUILTIN_REF` is used).
more... | py310-tflite py311-tflite py37-tflite py38-tflite py39-tflite
more detail |
2023-04-09 | VuXML ID 3f6d6181-79b2-4d33-bb1e-5d3f9df0c1d1
drago-balto reports:
redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner.
The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3, but [are believed to be incomplete](https://github.com/redis/redis-py/issues/2665).
CVE-2023-28859 has been assigned to the issues caused by the incomplete fixes.
more... | py39-redis
more detail |
2023-04-09 | VuXML ID 43e9ffd4-d6e0-11ed-956f-7054d21a9e2a
Philipp Jeitner and Haya Shulman report:
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking.
The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
more... | py39-pycares
more detail |
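The c-ares entry above says the missing check was validation of host names returned by DNS. The following is an added example, not c-ares code: a strict RFC 1123 hostname validator of the kind a resolver should run on every name it hands back before the name reaches logs, URLs or follow-up lookups. The policy (ASCII letters, digits and hyphens only; labels of 1 to 63 octets; at most 253 octets in total) is this example's own assumption; service names with underscore labels such as those used for SRV records would need it relaxed.

```go
package main

import (
	"fmt"
	"strings"
)

// ValidHostname reports whether a name handed back by a resolver (a PTR,
// CNAME or similar answer) is a syntactically valid hostname in the sense of
// RFC 1123 section 2.1: labels of 1..63 octets made of ASCII letters, digits
// and hyphens, not starting or ending with a hyphen, with the whole name at
// most 253 octets. A single trailing dot (fully-qualified form) is accepted.
// Control characters, spaces, an embedded NUL or markup characters all fail,
// so a forged answer cannot smuggle them into logs, URLs or further lookups.
func ValidHostname(name string) bool {
	name = strings.TrimSuffix(name, ".")
	if name == "" || len(name) > 253 {
		return false
	}
	for _, label := range strings.Split(name, ".") {
		if !validLabel(label) {
			return false
		}
	}
	return true
}

// validLabel checks one dot-separated label. Byte-wise checks are used on
// purpose: locale-aware helpers such as isalnum() are exactly what a
// resolver library must avoid here.
func validLabel(label string) bool {
	n := len(label)
	if n == 0 || n > 63 || label[0] == '-' || label[n-1] == '-' {
		return false
	}
	for i := 0; i < n; i++ {
		c := label[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9', c == '-':
		default:
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample answers; the last three stand in for what a
	// malicious or broken server might return.
	for _, h := range []string{
		"mail-1.example.com.", "xn--bcher-kva.example",
		"bad host.example", "-leading.example", "evil\x00.example",
	} {
		fmt.Printf("%-24q valid=%v\n", h, ValidHostname(h))
	}
}
```

Run it as-is to see the five sample names classified; in a real resolver the check sits between parsing an answer and returning it to the caller, and a failing name is dropped rather than "corrected".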
2023-04-09 | VuXML ID 52311651-f100-4720-8c62-0887dad6d321
Jingyi Shi reports:
The 'AvgPoolOp' function takes an argument `ksize` that must be positive but is not checked.
A negative `ksize` can trigger a `CHECK` failure and crash the program.
more... | py310-tensorflow py311-tensorflow py37-tensorflow py38-tensorflow py39-tensorflow
more detail |
2023-04-09 | VuXML ID 845f8430-d0ee-4134-ae35-480a3e139b8a
jimlinntu reports:
The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
more... | py39-joblib
more detail |
2023-04-09 | VuXML ID 8aa6340d-e7c6-41e0-b2a3-3c9e9930312a
drago-balto reports:
redis-py through 4.5.3 and 4.4.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request.
NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.
more... | py39-redis
more detail |
2023-04-09 | VuXML ID 8ccff771-ceca-43a0-85ad-3e595e73b425
21k reports:
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
nosecurity reports:
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
more... | py39-sqlalchemy11
more detail |
2023-04-09 | VuXML ID 93db4f92-9997-4f4f-8614-3963d9e2b0ec
Slixmpp before 1.8.3 lacks SSL Certificate hostname validation in XMLStream, allowing an attacker to pose as any server in the eyes of Slixmpp.
more... | py310-slixmpp py311-slixmpp py37-slixmpp py38-slixmpp py39-slixmpp
more detail |
2023-04-09 | VuXML ID 951b513a-9f42-436d-888d-2162615d0fe4
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method.
more... | py310-pymatgen py311-pymatgen py37-pymatgen py38-pymatgen py39-pymatgen
more detail |
2023-04-09 | VuXML ID a0509648-65ce-4a1b-855e-520a75bd2549
Utkarsh Gupta reports:
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0.
By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.
more... | py310-cinder py311-cinder py37-cinder py38-cinder py39-cinder
more detail |
2023-04-09 | VuXML ID ae132c6c-d716-11ed-956f-7054d21a9e2a
Kang Hong Jin, Neophytos Christou, 刘力源 and Pattarakrit Rattankul report:
Another instance of CVE-2022-35935, where `SobolSample` is vulnerable to a denial of service via assumed scalar inputs, was found and fixed.
Pattarakrit Rattankul reports:
Another instance of CVE-2022-35991, where `TensorListScatter` and `TensorListScatterV2` crash via non scalar inputs in `element_shape`, was found in eager mode and fixed.
more... | py310-tensorflow py311-tensorflow py37-tensorflow py38-tensorflow py39-tensorflow
more detail |
2023-04-09 | VuXML ID b692a49c-9ae7-4958-af21-cbf8f5b819ea
asolino reports:
Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
more... | py310-impacket py311-impacket py37-impacket py38-impacket py39-impacket
more detail |
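The Impacket smbserver.py entry above and the Jellyfin `/ClientLog/Document` entry earlier on this page are both `../` path traversals: a client-supplied path is joined to a base directory without confirming that the result still lies under it. The following is an added example, not Impacket's or Jellyfin's code, of the containment check a file server needs. It normalises the client path lexically (SMB clients send backslashes, so those are mapped to slashes first) and refuses anything that climbs above the share root. The share root `/srv/share` and the requests are constructed; the check is lexical only, so a server that exports directories containing symlinks must additionally open with a flag such as FreeBSD's O_RESOLVE_BENEATH or compare the resolved real path.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrOutsideShare is returned when a client-supplied path would land outside
// the exported share root.
var ErrOutsideShare = errors.New("path escapes share root")

// ResolveSharePath maps a path as sent by an SMB client (backslash- or
// slash-separated, possibly absolute, possibly containing "." and ".."
// segments) onto a location under root, or refuses it. The decision is made
// on the lexically normalised path, never on the raw string, so
// "docs\..\..\etc\shadow", "..\x" and "./..//x" are all refused while
// "docs\..\public\readme.txt", which stays inside the share, is allowed.
func ResolveSharePath(root, clientPath string) (string, error) {
	if strings.ContainsRune(clientPath, 0) {
		return "", errors.New("NUL byte in path")
	}
	p := strings.ReplaceAll(clientPath, "\\", "/") // SMB uses backslashes
	p = strings.TrimLeft(p, "/")                   // share paths are relative to root
	clean := path.Clean(p)                         // folds ".", ".." and "//"
	if clean == ".." || strings.HasPrefix(clean, "../") {
		return "", ErrOutsideShare
	}
	root = path.Clean(root)
	if clean == "." {
		return root, nil
	}
	return path.Join(root, clean), nil
}

func main() {
	// Constructed client requests against a hypothetical share root.
	for _, req := range []string{
		`docs\readme.txt`, `docs\..\public\readme.txt`, `/etc/shadow`,
		`docs\..\..\etc\shadow`, `..\..\root\.ssh\authorized_keys`,
	} {
		got, err := ResolveSharePath("/srv/share", req)
		fmt.Printf("%-36q -> %q %v\n", req, got, err)
	}
}
```

Note that an absolute client path such as `/etc/shadow` is deliberately treated as share-relative rather than rejected: on an SMB share the leading separator means "top of the share", and mapping it under the root is what keeps the two `/etc/shadow` requests in the sample from reaching the real file.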
2023-04-09 | VuXML ID d2293e22-4390-42c2-a323-34cca2066000
21k reports:
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
nosecurity reports:
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
more... | py39-sqlalchemy12
more detail |
2023-04-09 | VuXML ID d82bcd2b-5cd6-421c-8179-b3ff0231029f
Yakun Zhang of Baidu Security reports:
An attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service
more... | py310-tflite py311-tflite py37-tflite py38-tflite py39-tflite
more detail |
2023-04-09 | VuXML ID de970aef-d60e-466b-8e30-1ae945a047f1
DarkTinia reports:
All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\).
**Note:** This is only exploitable in the case of a developer putting the offending value in a server-side configuration file.
more... | py39-configobj
more detail |
2023-04-09 | VuXML ID e5d117b3-2153-4129-81ed-42b0221afa78
Jorge Rosillo reports:
OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution for `lxml`, and could lead to arbitrary file reads from an attacker-controlled XML payload.
This affects all XML parsing in the codebase.
more... | py39-OWSLib
more detail |
2023-04-09 | VuXML ID e87a9326-dd35-49fc-b20b-f57cbebaae87
ztauras reports:
Denial of service (DoS) vulnerability in Nicotine+ starting with version 3.0.3 and prior to version 3.2.1 allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character.
more... | py310-nicotine-plus py311-nicotine-plus py37-nicotine-plus py38-nicotine-plus py39-nicotine-plus
more detail |
2023-04-09 | VuXML ID f4a94232-7864-4afb-bbf9-ff2dc8e288d1
Duncan Thomas reports:
The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allow remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header.
more... | py310-cinder py311-cinder py37-cinder py38-cinder py39-cinder
more detail |
2023-04-09 | VuXML ID f767d615-01db-47e9-b4ab-07bb8d3409fd
OpenStack project reports:
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0.
When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the ``connection_info`` element in all Block Storage v3 Attachments API calls containing that element.
This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume.
Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API, should an attacker discover the Management API endpoint.
more... | py39-cinder
more detail |
2023-04-07 | VuXML ID 02e51cb3-d7e4-11ed-9f7a-5404a68ad561
The Go project reports:
HTTP and MIME header parsing can allocate large amounts
of memory, even when parsing small inputs, potentially
leading to a denial of service. Certain unusual patterns
of input data can cause the common function used to parse
HTTP and MIME headers to allocate substantially more
memory than required to hold the parsed headers. An
attacker can exploit this behavior to cause an HTTP
server to allocate large amounts of memory from a small
request, potentially leading to memory exhaustion and a
denial of service. With fix, header parsing now correctly
allocates only the memory required to hold parsed headers.
more... | traefik
more detail |
2023-04-07 | VuXML ID 348ee234-d541-11ed-ad86-a134a566f1e6
The Go project reports:
go/parser: infinite loop in parsing
Calling any of the Parse functions on Go source code
which contains //line directives with very large line
numbers can cause an infinite loop due to integer
overflow.
html/template: backticks not treated as string delimiters
Templates did not properly consider backticks (`) as
Javascript string delimiters, and as such did not escape
them as expected. Backticks are used, since ES6, for JS
template literals. If a template contained a Go template
action within a Javascript template literal, the contents
of the action could be used to terminate the literal,
injecting arbitrary Javascript code into the Go template.
As ES6 template literals are rather complex, and
themselves can do string interpolation, we've decided
to simply disallow Go template actions from being used
inside of them (e.g. "var a = {{.}}"), since there is no
obviously safe way to allow this behavior. This takes the
same approach as github.com/google/safehtml.
Template.Parse will now return an Error when it encounters
templates like this, with a currently unexported ErrorCode
with a value of 12. This ErrorCode will be exported in the
next major release.
net/http, net/textproto: denial of service from excessive
memory allocation
HTTP and MIME header parsing could allocate large
amounts of memory, even when parsing small inputs.
Certain unusual patterns of input data could cause the
common function used to parse HTTP and MIME headers to
allocate substantially more memory than required to hold
the parsed headers. An attacker can exploit this
behavior to cause an HTTP server to allocate large
amounts of memory from a small request, potentially
leading to memory exhaustion and a denial of service.
Header parsing now correctly allocates only the memory
required to hold parsed headers.
net/http, net/textproto, mime/multipart: denial of service
from excessive resource consumption
Multipart form parsing can consume large amounts of CPU
and memory when processing form inputs containing very
large numbers of parts. This stems from several causes:
mime/multipart.Reader.ReadForm limits the total memory a
parsed multipart form can consume. ReadForm could
undercount the amount of memory consumed, leading it to
accept larger inputs than intended. Limiting total
memory does not account for increased pressure on the
garbage collector from large numbers of small
allocations in forms with many parts. ReadForm could
allocate a large number of short-lived buffers, further
increasing pressure on the garbage collector. The
combination of these factors can permit an attacker to
cause a program that parses multipart forms to consume
large amounts of CPU and memory, potentially resulting
in a denial of service. This affects programs that use
mime/multipart.Reader.ReadForm, as well as form parsing
in the net/http package with the Request methods
FormFile, FormValue, ParseMultipartForm, and
PostFormValue. ReadForm now does a better job of
estimating the memory consumption of parsed forms, and
performs many fewer short-lived allocations. In
addition, mime/multipart.Reader now imposes the
following limits on the size of parsed forms: Forms
parsed with ReadForm may contain no more than 1000
parts. This limit may be adjusted with the environment
variable GODEBUG=multipartmaxparts=. Form parts parsed
with NextPart and NextRawPart may contain no more than
10,000 header fields. In addition, forms parsed with
ReadForm may contain no more than 10,000 header fields
across all parts. This limit may be adjusted with the
environment variable GODEBUG=multipartmaxheaders=.
more... | go119 go120
more detail |
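Two of the items in the Go advisory above are easy to check in code. The following is an added example, not code from the Go project or from the advisory: `RenderJSValue` shows the supported way to get an untrusted string into a `<script>` block, as a JavaScript value outside any backtick literal, so that the template literal the advisory talks about is built in JavaScript from an already-escaped variable; `ActionInTemplateLiteral` is the rejected pattern, kept only so its behaviour on your toolchain can be observed (Go 1.19.8/1.20.3 refuse it, later releases may treat the literal differently, so nothing is asserted about it); `ReadFormParts` builds a multipart body with a chosen number of parts and shows `mime/multipart.Reader.ReadForm` stopping at the 1000-part limit with `ErrMessageTooLarge`. The template text, the payload and the multipart body are constructed for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"html/template"
	"mime/multipart"
)

// RenderJSValue puts an untrusted string into a <script> block the way
// html/template supports: as a JavaScript value, where the escaper emits a
// JSON string literal, and then builds the ES6 template literal in JS from
// that variable. No Go action sits between backticks, so the template is
// accepted on every Go release and the payload cannot close the literal.
func RenderJSValue(untrusted string) (string, error) {
	const src = "<script>var msg = {{.}}; document.title = `hello ${msg}`;</script>"
	t, err := template.New("safe").Parse(src)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, untrusted); err != nil {
		return "", err
	}
	return out.String(), nil
}

// ActionInTemplateLiteral is the pattern the advisory describes: a Go action
// inside a JavaScript template literal. It returns whatever error the
// toolchain raises when the template is escaped on first Execute, or nil
// together with the rendered output if the toolchain accepts it.
func ActionInTemplateLiteral(untrusted string) (string, error) {
	const src = "<script>var msg = `{{.}}`;</script>"
	t, err := template.New("literal").Parse(src)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, untrusted); err != nil {
		return "", err
	}
	return out.String(), nil
}

// buildMultipart constructs a multipart/form-data body holding n tiny text
// parts (constructed sample input, the shape of the many-parts request the
// advisory describes).
func buildMultipart(n int) (body []byte, boundary string) {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	for i := 0; i < n; i++ {
		fw, err := w.CreateFormField(fmt.Sprintf("f%d", i))
		if err != nil {
			panic(err)
		}
		fw.Write([]byte("x"))
	}
	w.Close()
	return buf.Bytes(), w.Boundary()
}

// ReadFormParts feeds an n-part body to mime/multipart.Reader.ReadForm with a
// 1 MiB in-memory budget and returns how many fields were accepted. With the
// fix above, more than 1000 parts (adjustable with GODEBUG=multipartmaxparts=)
// is refused with multipart.ErrMessageTooLarge instead of being buffered.
func ReadFormParts(n int) (int, error) {
	body, boundary := buildMultipart(n)
	form, err := multipart.NewReader(bytes.NewReader(body), boundary).ReadForm(1 << 20)
	if err != nil {
		return 0, err
	}
	defer form.RemoveAll()
	return len(form.Value), nil
}

func main() {
	safe, _ := RenderJSValue("`; alert(1); //")
	fmt.Println(safe)
	lit, err := ActionInTemplateLiteral("`; alert(1); //")
	fmt.Printf("action inside literal: %q err=%v\n", lit, err)
	n, err := ReadFormParts(1001)
	fmt.Println("parts accepted:", n, "err:", err, "too large:", errors.Is(err, multipart.ErrMessageTooLarge))
}
```

The payload in `main` is the classic one for this bug: a backtick to close the literal, a statement, and `//` to comment out the rest. In `RenderJSValue` it comes out as a double-quoted JSON string, so the backtick is just data. Servers that call `ParseMultipartForm`, `FormValue` or `FormFile` inherit the same 1000-part and 10,000-header limits, so a form that legitimately needs more must raise them through the GODEBUG variables named in the advisory rather than by disabling the check.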
2023-04-07 | VuXML ID e86b8e4d-d551-11ed-8d1e-005056a311d1
The Samba Team reports:
An incomplete access check on dnsHostName allows
authenticated but otherwise unprivileged users to
delete this attribute from any object in the directory.
The Samba AD DC administration tool, when operating
against a remote LDAP server, will by default send
new or reset passwords over a signed-only connection.
The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for
CVE-2018-10919 Confidential attribute disclosure via
LDAP filters was insufficient and an attacker may be
able to obtain confidential BitLocker recovery keys
from a Samba AD DC.
Installations with such secrets in their Samba AD
should assume they have been obtained and need replacing.
more... | samba416 samba417 samba418
more detail |
2023-04-05 | VuXML ID 3d5581ff-d388-11ed-8581-a8a1599412c6
Chrome Releases reports:
This update includes 16 security fixes:
- [1414018] High CVE-2023-1810: Heap buffer overflow in Visuals. Reported by Weipeng Jiang (@Krace) of VRI on 2023-02-08
- [1420510] High CVE-2023-1811: Use after free in Frames. Reported by Thomas Orlita on 2023-03-01
- [1418224] Medium CVE-2023-1812: Out of bounds memory access in DOM Bindings. Reported by Shijiang Yu on 2023-02-22
- [1423258] Medium CVE-2023-1813: Inappropriate implementation in Extensions. Reported by Axel Chong on 2023-03-10
- [1417325] Medium CVE-2023-1814: Insufficient validation of untrusted input in Safe Browsing. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2023-02-18
- [1278708] Medium CVE-2023-1815: Use after free in Networking APIs. Reported by DDV_UA on 2021-12-10
- [1413919] Medium CVE-2023-1816: Incorrect security UI in Picture In Picture. Reported by NDevTK on 2023-02-08
- [1418061] Medium CVE-2023-1817: Insufficient policy enforcement in Intents. Reported by Axel Chong on 2023-02-22
- [1223346] Medium CVE-2023-1818: Use after free in Vulkan. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research, Eric Lawrence, Microsoft, Patrick Walker (@HomeSen), and Kirtikumar Anandrao Ramchandani on 2021-06-24
- [1406588] Medium CVE-2023-1819: Out of bounds read in Accessibility. Reported by Microsoft Edge Team on 2023-01-12
- [1408120] Medium CVE-2023-1820: Heap buffer overflow in Browser History. Reported by raven at KunLun lab on 2023-01-17
- [1413618] Low CVE-2023-1821: Inappropriate implementation in WebShare. Reported by Axel Chong on 2023-02-07
- [1066555] Low CVE-2023-1822: Incorrect security UI in Navigation. Reported by ê°Âì°짠on 2020-04-01
- [1406900] Low CVE-2023-1823: Inappropriate implementation in FedCM. Reported by Jasper Rebane (popstonia) on 2023-01-13
more... | chromium ungoogled-chromium
more detail |
2023-04-01 | VuXML ID 466ba8bd-d033-11ed-addf-080027eda32c
MediaWiki reports:
(T285159, CVE-2023-PENDING) SECURITY: X-Forwarded-For header allows
brute-forcing autoblocked IP addresses.
(T326946, CVE-2020-36649) SECURITY: Bundled PapaParse copy in
VisualEditor has known ReDos.
(T330086, CVE-2023-PENDING) SECURITY: OATHAuth allows replay attacks when
MediaWiki is configured without ObjectCache; Insecure Default Configuration.
more... | mediawiki135 mediawiki138 mediawiki139
more detail |
2023-03-31 | VuXML ID 54006796-cf7b-11ed-a5d5-001b217b3468
Gitlab reports:
Cross-site scripting in "Maximum page reached" page
Private project guests can read new changes using a fork
Mirror repository error reveals password in Settings UI
DOS and high resource consumption of Prometheus server through abuse of Prometheus integration proxy endpoint
Unauthenticated users can view Environment names from public projects limited to project members only
Copying information to the clipboard could lead to the execution of unexpected commands
Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL
Arbitrary HTML injection possible when :soft_email_confirmation feature flag is enabled in the latest release
Framing of arbitrary content (leading to open redirects) on any page allowing user controlled markdown
MR for security reports are available to everyone
API timeout when searching for group issues
Unauthorised user can add child epics linked to victim's epic in an unrelated group
GitLab search allows to leak internal notes
Ambiguous branch name exploitation in GitLab
Improper permissions checks for moving an issue
Private project branches names can be leaked through a fork
more... | gitlab-ce
more detail |
2023-03-30 | VuXML ID 6bd2773c-cf1a-11ed-bd44-080027f5fec9
ooooooo_q reports:
The Time parser mishandles invalid strings that have
specific characters. It causes an increase in execution
time for parsing strings to Time objects.
more... | ruby ruby27 ruby30 ruby31 ruby32 rubygem-time
more detail |
2023-03-30 | VuXML ID 9b60bba1-cf18-11ed-bd44-080027f5fec9
Dominic Couture reports:
A ReDoS issue was discovered in the URI component. The URI
parser mishandles invalid URLs that have specific
characters. It causes an increase in execution time for
parsing strings to URI objects.
more... | ruby ruby27 ruby30 ruby31 ruby32 rubygem-uri
more detail |
2023-03-30 | VuXML ID dc33795f-ced7-11ed-b1fe-6805ca2fa271
PowerDNS Team reports:
PowerDNS Security Advisory 2023-02: Deterred spoofing attempts
can lead to authoritative servers being marked unavailable
more... | powerdns-recursor
more detail |
2023-03-29 | VuXML ID 425b9538-ce5f-11ed-ade3-d4c9ef517024
The OpenSSL project reports:
Severity: low
Applications that use a non-default option when verifying certificates may be
vulnerable to an attack from a malicious CA to circumvent certain checks.
The function X509_VERIFY_PARAM_add0_policy() is documented to
implicitly enable the certificate policy check when doing certificate
verification. However the implementation of the function does not
enable the check which allows certificates with invalid or incorrect
policies to pass the certificate verification.
more... | openssl openssl-quic openssl30 openssl31
more detail |
2023-03-29 | VuXML ID 5b0ae405-cdc7-11ed-bb39-901b0e9408dc
Matrix developers report:
Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk
to patch a pair of High severity vulnerabilities (CVE-2023-28427 /
GHSA-mwq8-fjpf-c2gr for matrix-js-sdk and CVE-2023-28103 / GHSA-6g43-88cp-w5gv
for matrix-react-sdk).
The issues involve prototype pollution via events containing special strings
in key locations, which can temporarily disrupt normal functioning of matrix-js-sdk
and matrix-react-sdk, potentially impacting the consumer's ability to process data
safely.
more... | cinny element-web
more detail |
2023-03-29 | VuXML ID 955eb3cc-ce0b-11ed-825f-6c3be5272acd
Grafana Labs reports:
When a user adds a Graphite data source, they can then use the data source
in a dashboard. This capability contains a feature to use Functions. Once
a function is selected, a small tooltip appears when hovering over the name
of the function. This tooltip allows you to delete the selected Function
from your query or show the Function Description. However, no sanitization
is done when adding this description to the DOM.
Since it is not uncommon to connect to public data sources, an attacker
could host a Graphite instance with modified Function Descriptions containing
XSS payloads. When the victim uses it in a query and accidentally hovers
over the Function Description, an attacker-controlled XSS payload
will be executed.
The severity of this vulnerability is of CVSSv3.1 5.7 Medium
(CVSS: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N (5.7)).
more... | grafana grafana8 grafana9
more detail |
2023-03-29 | VuXML ID 96d84238-b500-490b-b6aa-2b77090a0410
The X.Org project reports:
- ZDI-CAN-19866/CVE-2023-1393: X.Org Server Overlay Window Use-After-Free
Local Privilege Escalation Vulnerability
If a client explicitly destroys the compositor overlay window (aka COW),
the Xserver would leave a dangling pointer to that window in the CompScreen
structure, which will trigger a use-after-free later.
more... | xephyr xorg-nestserver xorg-server xorg-vfbserver xwayland xwayland-devel
more detail |
2023-03-28 | VuXML ID e4181981-ccf1-11ed-956f-7054d21a9e2a
21k reports:
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
nosecurity reports:
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
more... | py39-sqlalchemy10
more detail |
2023-03-26 | VuXML ID 2991178f-cbe8-11ed-956f-7054d21a9e2a
Red Hat Security Response Team reports:
Elixir 0.8.0 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database.
more... | py39-Elixir
more detail |
2023-03-26* | VuXML ID 70d0d2ec-cb62-11ed-956f-7054d21a9e2a
NIST reports:
The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.
more... | py39-rencode
more detail |
2023-03-26 | VuXML ID c13a8c17-cbeb-11ed-956f-7054d21a9e2a
TeamSeri0us reports:
An issue was discovered in py-lmdb 0.97. For certain values of md_flags, mdb_node_add does not properly set up a memcpy destination, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. For certain values of mp_flags, mdb_page_touch does not properly set up mc->mc_pg[mc->top], leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. mdb_node_del does not validate a memmove in the case of an unexpected node->mn_hi, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. For certain values of mn_flags, mdb_cursor_set triggers a memcpy with an invalid write operation within mdb_xcursor_init1. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. There is a divide-by-zero error in the function mdb_env_open2 if mdb_env_read_header obtains a zero value for a certain size field. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
more... | py39-lmdb
more detail |
2023-03-24 | VuXML ID 2fdb053c-ca25-11ed-9d7e-080027f5fec9
ooooooo_q reports:
Carefully crafted input can cause header parsing in Rack
to take an unexpected amount of time, possibly resulting
in a denial of service attack vector. Any applications
that parse headers using Rack (virtually all Rails
applications) are impacted.
more... | rubygem-rack rubygem-rack16 rubygem-rack22
more detail |
2023-03-24 | VuXML ID 6bacd9fd-ca56-11ed-bc52-589cfc0f81b0
phpmyfaq developers report:
XSS
weak passwords
privilege escalation
Captcha bypass
more... | phpmyfaq
more detail |
2023-03-24 | VuXML ID dec6b8e9-c9fe-11ed-bb39-901b0e9408dc
Dino team reports:
Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows
attackers to modify the personal bookmark store via a crafted
message. The attacker can change the display of group chats or
force a victim to join a group chat; the victim may then be tricked
into disclosing sensitive information.
more... | dino
more detail |
2023-03-23 | VuXML ID 1b15a554-c981-11ed-bb39-901b0e9408dc
Tailscale team reports:
A vulnerability identified in the implementation of Tailscale SSH in FreeBSD
allowed commands to be run with a higher privilege group ID than that specified
by Tailscale SSH access rules.
more... | tailscale
more detail |
2023-03-23 | VuXML ID 38f213b6-8f3d-4067-91ef-bf14de7ba518
The X.Org project reports:
- CVE-2022-46285: Infinite loop on unclosed comments
When reading XPM images from a file with libXpm 3.5.14 or older, if a
comment in the file is not closed (i.e. a C-style comment starts with
"/*" and is missing the closing "*/"), the ParseComment() function will
loop forever calling getc() to try to read the rest of the comment,
failing to notice that it has returned EOF, which may cause a denial of
service to the calling program.
This issue was found by Marco Ivaldi of the Humanativa Group's HN Security team.
The fix is provided in
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148
- CVE-2022-44617: Runaway loop on width of 0 and enormous height
When reading XPM images from a file with libXpm 3.5.14 or older, if an
image has a width of 0 and a very large height, the ParsePixels() function
will loop over the entire height calling getc() and ungetc() repeatedly,
or in some circumstances, may loop seemingly forever, which may cause a denial
of service to the calling program when given a small crafted XPM file to parse.
This issue was found by Martin Ettl.
The fix is provided in
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/f80fa6ae47ad4a5beacb28
and
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/c5ab17bcc34914c0b0707d
- CVE-2022-4883: compression commands depend on $PATH
By default, on all platforms except MinGW, libXpm will detect if a filename
ends in .Z or .gz, and will when reading such a file fork off an uncompress
or gunzip command to read from via a pipe, and when writing such a file will
fork off a compress or gzip command to write to via a pipe.
In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
to find the commands. If libXpm is called from a program running with
raised privileges, such as via setuid, then a malicious user could set
$PATH to include programs of their choosing to be run with those privileges.
This issue was found by Alan Coopersmith of the Oracle Solaris team.
more... | libXpm
more detail |
2023-03-22 | VuXML ID c8b334e0-6e83-4575-81d1-f9d5803ceb07
Chrome Releases reports:
This update includes 8 security fixes:
- [1421773] High CVE-2023-1528: Use after free in Passwords. Reported by Wan Choi of Seoul National University on 2023-03-07
- [1419718] High CVE-2023-1529: Out of bounds memory access in WebHID. Reported by anonymous on 2023-02-27
- [1419831] High CVE-2023-1530: Use after free in PDF. Reported by The UK's National Cyber Security Centre (NCSC) on 2023-02-27
- [1415330] High CVE-2023-1531: Use after free in ANGLE. Reported by Piotr Bania of Cisco Talos on 2023-02-13
- [1421268] High CVE-2023-1532: Out of bounds read in GPU Video. Reported by Mark Brand of Google Project Zero on 2023-03-03
- [1422183] High CVE-2023-1533: Use after free in WebProtect. Reported by Weipeng Jiang (@Krace) of VRI on 2023-03-07
- [1422594] High CVE-2023-1534: Out of bounds read in ANGLE. Reported by Jann Horn and Mark Brand of Google Project Zero on 2023-03-08
more... | chromium ungoogled-chromium
more detail |
2023-03-21 | VuXML ID a60cc0e4-c7aa-11ed-8a4b-080027f5fec9
Yupeng Yang reports:
Authenticated users can use the MSETNX command to trigger
a runtime assertion and termination of the Redis server
process.
more... | redis redis-devel
more detail |
2023-03-20 | VuXML ID 0d7d104c-c6fb-11ed-8a4b-080027f5fec9
Harry Sintonen reports:
- CVE-2023-27533
curl supports communicating using the TELNET protocol
and as a part of this it offers users to pass on user
name and "telnet options" for the server
negotiation.
Due to lack of proper input scrubbing and without it
being the documented functionality, curl would pass on
user name and telnet options to the server as
provided. This could allow users to pass in carefully
crafted content that passes on content or does option
negotiation without the application intending to do
so. In particular if an application for example allows
users to provide the data or parts of the data.
- CVE-2023-27534
curl supports SFTP transfers. curl's SFTP implementation
offers a special feature in the path component of URLs:
a tilde (~) character as the first path element in the
path to denote a path relative to the user's home
directory. This is supported because of wording in the
once proposed to-become RFC draft that was to dictate
how SFTP URLs work.
Due to a bug, the handling of the tilde in SFTP path did
however not only replace it when it is used stand-alone
as the first path element but also wrongly when used as
a mere prefix in the first element.
Using a path like /~2/foo when accessing a server using
the user dan (with home directory /home/dan) would then
quite surprisingly access the file /home/dan2/foo.
This can be taken advantage of to circumvent filtering
or worse.
- CVE-2023-27535
libcurl would reuse a previously created FTP connection
even when one or more options had been changed that
could have made the effective user a very different one,
thus leading to doing the second transfer with the wrong
credentials.
libcurl keeps previously used connections in a
connection pool for subsequent transfers to reuse if one
of them matches the setup. However, several FTP settings
were left out from the configuration match checks,
making them match too easily. The settings in question
are CURLOPT_FTP_ACCOUNT,
CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and
CURLOPT_USE_SSL level.
- CVE-2023-27536
libcurl would reuse a previously created connection even
when the GSS delegation (CURLOPT_GSSAPI_DELEGATION)
option had been changed that could have changed the
user's permissions in a second transfer.
libcurl keeps previously used connections in a
connection pool for subsequent transfers to reuse if one
of them matches the setup. However, this GSS delegation
setting was left out from the configuration match
checks, making them match too easily, affecting
krb5/kerberos/negotiate/GSSAPI transfers.
- CVE-2023-27537
libcurl supports sharing HSTS data between separate
"handles". This sharing was introduced without
consideration for doing this sharing across separate
threads but there was no indication of this fact in the
documentation.
Due to missing mutexes or thread locks, two threads
sharing the same HSTS data could end up doing a
double-free or use-after-free.
- CVE-2023-27538
libcurl would reuse a previously created connection even
when an SSH related option had been changed that should
have prohibited reuse.
libcurl keeps previously used connections in a
connection pool for subsequent transfers to reuse if one
of them matches the setup. However, two SSH settings
were left out from the configuration match checks,
making them match too easily.
more... | curl
more detail |
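To make the SFTP tilde problem concrete, here is an added example in Go written for this page, not code taken from curl: a prefix-matching expansion of the kind the advisory describes (kept only to show the wrong result) next to one that replaces "~" only when it is the entire first path element, plus the containment check a filter in front of the client would need to apply to the path that is actually used. The user name, home directory and paths are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// homeDir is the constructed home directory of the example user "dan";
// it is not taken from any real system.
const homeDir = "/home/dan"

// expandTildeBuggy mirrors the flawed behaviour described above: the tilde is
// replaced whenever it is merely the prefix of the first path element, so
// "/~2/foo" turns into "/home/dan2/foo". Kept here only to show the difference.
func expandTildeBuggy(sftpPath, home string) string {
	if strings.HasPrefix(sftpPath, "/~") {
		return home + sftpPath[2:]
	}
	return sftpPath
}

// expandTildeFixed replaces the tilde only when it is the whole first path
// element ("/~" or "/~/..."). Anything else, including "/~2/foo", is passed
// through unchanged.
func expandTildeFixed(sftpPath, home string) string {
	if sftpPath == "/~" {
		return home
	}
	if strings.HasPrefix(sftpPath, "/~/") {
		return home + sftpPath[2:]
	}
	return sftpPath
}

// escapesHome reports whether an expanded path lies outside the home
// directory. Note the trailing slash: a check against the bare prefix
// "/home/dan" would accept "/home/dan2/foo", which is exactly the filter
// bypass the advisory warns about.
func escapesHome(expanded, home string) bool {
	return expanded != home && !strings.HasPrefix(expanded, home+"/")
}

func main() {
	for _, p := range []string{"/~/foo", "/~2/foo", "/~", "/tmp/x"} {
		buggy := expandTildeBuggy(p, homeDir)
		fixed := expandTildeFixed(p, homeDir)
		fmt.Printf("%-9s buggy=%-16s (escapes=%v)  fixed=%s\n",
			p, buggy, escapesHome(buggy, homeDir), fixed)
	}
}
```

The lesson is that any allow-list applied to the URL path before expansion is meaningless if the expansion can later rewrite the path; the check has to run on the final, expanded path, and it has to compare against the directory prefix with its separator.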
2023-03-16 | VuXML ID 72583cb3-a7f9-11ed-bd9e-589cfc0f81b0
phpMyAdmin Team reports:
PMASA-2023-1 XSS vulnerability in drag-and-drop upload
more... | phpMyAdmin phpMyAdmin-php80 phpMyAdmin-php81 phpMyAdmin-php82 phpMyAdmin5 phpMyAdmin5-php80 phpMyAdmin5-php81 phpMyAdmin5-php82
more detail |
2023-03-11 | VuXML ID 8edeb3c1-bfe7-11ed-96f5-3497f65b111b
The Apache httpd project reports:
- CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
HTTP response splitting (cve.mitre.org).
HTTP Response Smuggling vulnerability in Apache HTTP Server
via mod_proxy_uwsgi. This issue affects Apache HTTP Server:
from 2.4.30 through 2.4.55.
Special characters in the origin response header can
truncate/split the response forwarded to the client.
- CVE-2023-25690: HTTP request splitting with mod_rewrite
and mod_proxy (cve.mitre.org).
Some mod_proxy configurations on Apache HTTP Server versions
2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along
with some form of RewriteRule or ProxyPassMatch in which a
non-specific pattern matches some portion of the user-supplied
request-target (URL) data and is then re-inserted into the
proxied request-target using variable substitution.
more... | apache24
more detail |
2023-03-09 | VuXML ID d357f6bb-0af4-4ac9-b096-eeec183ad829
Chrome Releases reports:
This update includes 40 security fixes:
- [1411210] High CVE-2023-1213: Use after free in Swiftshader. Reported by Jaehun Jeong(@n3sk) of Theori on 2023-01-30
- [1412487] High CVE-2023-1214: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2023-02-03
- [1417176] High CVE-2023-1215: Type Confusion in CSS. Reported by Anonymous on 2023-02-17
- [1417649] High CVE-2023-1216: Use after free in DevTools. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2023-02-21
- [1412658] High CVE-2023-1217: Stack buffer overflow in Crash reporting. Reported by sunburst of Ant Group Tianqiong Security Lab on 2023-02-03
- [1413628] High CVE-2023-1218: Use after free in WebRTC. Reported by Anonymous on 2023-02-07
- [1415328] High CVE-2023-1219: Heap buffer overflow in Metrics. Reported by Sergei Glazunov of Google Project Zero on 2023-02-13
- [1417185] High CVE-2023-1220: Heap buffer overflow in UMA. Reported by Sergei Glazunov of Google Project Zero on 2023-02-17
- [1385343] Medium CVE-2023-1221: Insufficient policy enforcement in Extensions API. Reported by Ahmed ElMasry on 2022-11-16
- [1403515] Medium CVE-2023-1222: Heap buffer overflow in Web Audio API. Reported by Cassidy Kim(@cassidy6564) on 2022-12-24
- [1398579] Medium CVE-2023-1223: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2022-12-07
- [1403539] Medium CVE-2023-1224: Insufficient policy enforcement in Web Payments API. Reported by Thomas Orlita on 2022-12-25
- [1408799] Medium CVE-2023-1225: Insufficient policy enforcement in Navigation. Reported by Roberto Ffrench-Davis @Lihaft on 2023-01-20
- [1013080] Medium CVE-2023-1226: Insufficient policy enforcement in Web Payments API. Reported by Anonymous on 2019-10-10
- [1348791] Medium CVE-2023-1227: Use after free in Core. Reported by @ginggilBesel on 2022-07-31
- [1365100] Medium CVE-2023-1228: Insufficient policy enforcement in Intents. Reported by Axel Chong on 2022-09-18
- [1160485] Medium CVE-2023-1229: Inappropriate implementation in Permission prompts. Reported by Thomas Orlita on 2020-12-20
- [1404230] Medium CVE-2023-1230: Inappropriate implementation in WebApp Installs. Reported by Axel Chong on 2022-12-30
- [1274887] Medium CVE-2023-1231: Inappropriate implementation in Autofill. Reported by Yan Zhu, Brave on 2021-11-30
- [1346924] Low CVE-2023-1232: Insufficient policy enforcement in Resource Timing. Reported by Sohom Datta on 2022-07-24
- [1045681] Low CVE-2023-1233: Insufficient policy enforcement in Resource Timing. Reported by Soroush Karami on 2020-01-25
- [1404621] Low CVE-2023-1234: Inappropriate implementation in Intents. Reported by Axel Chong on 2023-01-03
- [1404704] Low CVE-2023-1235: Type Confusion in DevTools. Reported by raven at KunLun lab on 2023-01-03
- [1374518] Low CVE-2023-1236: Inappropriate implementation in Internals. Reported by Alesandro Ortiz on 2022-10-14
more... | chromium ungoogled-chromium
more detail |
2023-03-09 | VuXML ID f68bb358-be8e-11ed-9215-00e081b7aa2d
Jenkins Security Advisory:
Description
(High) SECURITY-3037 / CVE-2023-27898
XSS vulnerability in plugin manager
(Medium) SECURITY-3030 / CVE-2023-24998 (upstream issue), CVE-2023-27900 (MultipartFormDataParser), CVE-2023-27901 (StaplerRequest)
DoS vulnerability in bundled Apache Commons FileUpload library
(Medium) SECURITY-1807 / CVE-2023-27902
Workspace temporary directories accessible through directory browser
(Low) SECURITY-3058 / CVE-2023-27903
Temporary file parameter created with insecure permissions
(Low) SECURITY-2120 / CVE-2023-27904
Information disclosure through error stack traces related to agents
more... | jenkins jenkins-lts
more detail |
2023-03-08 | VuXML ID 6678211c-bd47-11ed-beb0-1c1b0d9ea7e6
The Apache Openoffice project reports:
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice
more... | apache-openoffice apache-openoffice-devel
more detail |
2023-03-08 | VuXML ID 742279d6-bdbe-11ed-a179-2b68e9d12706
The Go project reports:
crypto/elliptic: incorrect P-256 ScalarMult and
ScalarBaseMult results
The ScalarMult and ScalarBaseMult methods of the P256
Curve may return an incorrect result if called with some
specific unreduced scalars (a scalar larger than the
order of the curve).
more... | go119 go120
more detail |
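One caller-side guard for this class of bug, as an added example that is not the Go project's own code: reduce every scalar modulo the curve order N before handing it to crypto/elliptic, and cross-check that the library returns the same point for k and for the unreduced 32-byte value k+N (which it must, since N·G is the identity). The scalar values used are arbitrary test inputs.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// scalarBytes encodes k as the fixed-width big-endian byte string that
// crypto/elliptic expects for a 256-bit curve. It does NOT reduce k, so a
// value in [N, 2^256) is passed through as an unreduced scalar.
func scalarBytes(k *big.Int) []byte {
	return k.FillBytes(make([]byte, 32))
}

// reduceScalar is the caller-side guard: bring k into [0, N) before it ever
// reaches ScalarMult or ScalarBaseMult, so the library is never handed a
// scalar larger than the curve order.
func reduceScalar(curve elliptic.Curve, k *big.Int) []byte {
	n := curve.Params().N
	size := (n.BitLen() + 7) / 8
	return new(big.Int).Mod(k, n).FillBytes(make([]byte, size))
}

// baseMultReduced returns (k mod N)*G on P-256.
func baseMultReduced(k *big.Int) (*big.Int, *big.Int) {
	curve := elliptic.P256()
	return curve.ScalarBaseMult(reduceScalar(curve, k))
}

// baseMultUnreduced hands the library k+N, a 32-byte scalar larger than the
// curve order, without reducing it first. This is the input shape the
// advisory is about.
func baseMultUnreduced(k *big.Int) (*big.Int, *big.Int) {
	curve := elliptic.P256()
	kn := new(big.Int).Add(k, curve.Params().N)
	return curve.ScalarBaseMult(scalarBytes(kn))
}

// consistent reports whether the reduced and unreduced paths agree. A
// mismatch would mean the unreduced scalar was mishandled somewhere below.
func consistent(k *big.Int) bool {
	x1, y1 := baseMultReduced(k)
	x2, y2 := baseMultUnreduced(k)
	return x1.Cmp(x2) == 0 && y1.Cmp(y2) == 0
}

func main() {
	for _, k := range []int64{1, 2, 7, 123456789} {
		fmt.Printf("k=%d: reduced and unreduced agree = %v\n", k, consistent(big.NewInt(k)))
	}
}
```

Code that derives scalars from external material (a hash, a decoded signature field, a key share from a peer) should always go through something like reduceScalar; relying on the library to cope with out-of-range inputs is what this advisory shows to be fragile.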
2023-03-08 | VuXML ID bed545c6-bdb8-11ed-bca8-a33124f1beb1
Mantis 2.25.6 release reports:
Security and maintenance release
- 0031086: Private issue summary disclosure (CVE-2023-22476)
- 0030772: Update (bundled) moment.js to 2.29.4 (CVE-2022-31129)
- 0030791: Allow adding relation type noopener/noreferrer to outgoing links
more... | mantis-php74 mantis-php80 mantis-php81 mantis-php82
more detail |
2023-03-06 | VuXML ID f0798a6a-bbdb-11ed-ba99-080027f5fec9
Aaron Patterson reports:
The Multipart MIME parsing code in Rack limits the number
of file parts, but does not limit the total number of
parts that can be uploaded. Carefully crafted requests can
abuse this and cause multipart parsing to take longer than
expected.
more... | rubygem-rack rubygem-rack16 rubygem-rack22
more detail |
2023-03-05 | VuXML ID be233fc6-bae7-11ed-a4fb-080027f5fec9
Harry Sintonen and Patrick Monnerat report:
- CVE-2023-23914
A cleartext transmission of sensitive information
vulnerability exists in curl < v7.88.0 that could
cause HSTS functionality fail when multiple URLs are
requested serially. Using its HSTS support, curl can be
instructed to use HTTPS instead of using an insecure
clear-text HTTP step even when HTTP is provided in the
URL. This HSTS mechanism would however surprisingly be
ignored by subsequent transfers when done on the same
command line because the state would not be properly
carried on.
- CVE-2023-23915
A cleartext transmission of sensitive information
vulnerability exists in curl < v7.88.0 that could
cause HSTS functionality to behave incorrectly when
multiple URLs are requested in parallel. Using its HSTS
support, curl can be instructed to use HTTPS instead of
using an insecure clear-text HTTP step even when HTTP is
provided in the URL. This HSTS mechanism would however
surprisingly fail when multiple transfers are done in
parallel as the HSTS cache file gets overwritten by the
most recently completed transfer. A later HTTP-only
transfer to the earlier host name would then *not* get
upgraded properly to HSTS.
- CVE-2023-23916
An allocation of resources without limits or throttling
vulnerability exists in curl < v7.88.0 based on the
"chained" HTTP compression algorithms, meaning
that a server response can be compressed multiple times
and potentially with different algorithms. The number of
acceptable "links" in this "decompression
chain" was capped, but the cap was implemented on a
per-header basis allowing a malicious server to insert a
virtually unlimited number of compression steps simply
by using many headers. The use of such a decompression
chain could result in a "malloc bomb", making
curl end up spending enormous amounts of allocated heap
memory, or trying to and returning out of memory errors.
more... | curl
more detail |
2023-03-04 | VuXML ID 3f9b6943-ba58-11ed-bbbd-00e0670f2660
strongSwan reports:
A vulnerability related to certificate verification in TLS-based EAP methods
was discovered in strongSwan that results in a denial of service
but possibly even remote code execution. Versions 5.9.8 and 5.9.9
may be affected.
more... | strongswan
more detail |
2023-03-03 | VuXML ID f7c5b3a9-b9fb-11ed-99c6-001b217b3468
Gitlab reports:
Stored XSS via Kroki diagram
Prometheus integration Google IAP details are not hidden, may leak account details from instance/group/project settings
Improper validation of SSO and SCIM tokens while managing groups
Maintainer can leak Datadog API key by changing Datadog site
Clipboard based XSS in the title field of work items
Improper user right checks for personal snippets
Release Description visible in public projects despite release set as project members only
Group integration settings sensitive information exposed to project maintainers
Improve pagination limits for commits
Gitlab Open Redirect Vulnerability
Maintainer may become an Owner of a project
more... | gitlab-ce
more detail |
2023-03-01 | VuXML ID 6dccc186-b824-11ed-b695-6c3be5272acd
Grafana Labs reports:
During an internal audit of Grafana on January 1, a member of the security
team found a stored XSS vulnerability affecting the core text plugin.
The stored XSS vulnerability requires several user interactions in order
to be fully exploited. The vulnerability was possible due to React's render
cycle that will pass through the unsanitized HTML code, but in the next cycle,
the HTML is cleaned up and saved in Grafana's database.
The CVSS score for this vulnerability is 6.4 Medium
(CVSS:6.4/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).
more... | grafana grafana9
more detail |
2023-03-01 | VuXML ID b17bce48-b7c6-11ed-b304-080027f5fec9
The Redis core team reports:
- CVE-2023-25155
Specially crafted SRANDMEMBER, ZRANDMEMBER, and
HRANDFIELD commands can trigger an integer overflow,
resulting in a runtime assertion and termination of the
Redis server process.
- CVE-2022-36021
String matching commands (like SCAN or KEYS) with a
specially crafted pattern to trigger a denial-of-service
attack on Redis, causing it to hang and consume 100% CPU
time.
more... | redis redis-devel redis6 redis62
more detail |
2023-03-01 | VuXML ID e2a8e2bd-b808-11ed-b695-6c3be5272acd
Grafana Labs reports:
During an internal audit of Grafana on January 25, a member of the security
team found a stored XSS vulnerability affecting the core geomap plugin.
The stored XSS vulnerability was possible because map attributions weren't
properly sanitized, allowing arbitrary JavaScript to be executed in the context
of the currently authorized user of the Grafana instance.
The CVSS score for this vulnerability is 7.3 High
(CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
more... | grafana grafana8 grafana9
more detail |
2023-03-01 | VuXML ID e7841611-b808-11ed-b695-6c3be5272acd
Grafana Labs reports:
During an internal audit of Grafana on January 30, a member
of the engineering team found a stored XSS vulnerability affecting
the TraceView panel.
The stored XSS vulnerability was possible because the value of a span's
attributes/resources were not properly sanitized, and this will be rendered
when the span's attributes/resources are expanded.
The CVSS score for this vulnerability is 7.3 High
(CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
more... | grafana grafana8 grafana9
more detail |
2023-02-27 | VuXML ID a75929bd-b6a4-11ed-bad6-080027f5fec9
Xi Lu reports:
- CVE-2022-48337
GNU Emacs through 28.2 allows attackers to execute
commands via shell metacharacters in the name of a
source-code file, because lib-src/etags.c uses the
system C library function in its implementation of the
etags program. For example, a victim may use the
"etags -u *" command (suggested in the etags
documentation) in a situation where the current working
directory has contents that depend on untrusted input.
- CVE-2022-48338
An issue was discovered in GNU Emacs through 28.2. In
ruby-mode.el, the ruby-find-library-file function has a
local command injection vulnerability. The
ruby-find-library-file function is an interactive
function, and bound to C-c C-f. Inside the function, the
external command gem is called through
shell-command-to-string, but the feature-name parameters
are not escaped. Thus, malicious Ruby source files may
cause commands to be executed.
- CVE-2022-48339
An issue was discovered in GNU Emacs through
28.2. htmlfontify.el has a command injection
vulnerability. In the hfy-istext-command function, the
parameter file and parameter srcdir come from external
input, and parameters are not escaped. If a file name or
directory name contains shell metacharacters, code may
be executed.
more... | emacs emacs-canna emacs-devel emacs-devel-nox emacs-nox
more detail |
2023-02-24 | VuXML ID c682923d-b444-11ed-9268-b42e991fc52e
MITRE reports:
FreeRDP based clients on unix systems using
`/parallel` command line switch might read uninitialized
data and send it to the server the client is currently
connected to. FreeRDP based server implementations are not
affected.
more... | freerdp
more detail |
2023-02-24 | VuXML ID dd271de6-b444-11ed-9268-b42e991fc52e
MITRE reports:
All FreeRDP based clients when using the `/video`
command line switch might read uninitialized data, decode
it as audio/video and display the result. FreeRDP based
server implementations are not affected.
more... | freerdp
more detail |
2023-02-22 | VuXML ID 4d6b5ea9-bc64-4e77-a7ee-d62ba68a80dd
Chrome Releases reports:
This update includes 10 security fixes:
- [1415366] Critical CVE-2023-0941: Use after free in Prompts. Reported by Anonymous on 2023-02-13
- [1414738] High CVE-2023-0927: Use after free in Web Payments API. Reported by Rong Jian of VRI on 2023-02-10
- [1309035] High CVE-2023-0928: Use after free in SwiftShader. Reported by Anonymous on 2022-03-22
- [1399742] High CVE-2023-0929: Use after free in Vulkan. Reported by Cassidy Kim(@cassidy6564) on 2022-12-09
- [1410766] High CVE-2023-0930: Heap buffer overflow in Video. Reported by Cassidy Kim(@cassidy6564) on 2023-01-27
- [1407701] High CVE-2023-0931: Use after free in Video. Reported by Cassidy Kim(@cassidy6564) on 2023-01-17
- [1413005] High CVE-2023-0932: Use after free in WebRTC. Reported by Omri Bushari (Talon Cyber Security) on 2023-02-05
- [1404864] Medium CVE-2023-0933: Integer overflow in PDF. Reported by Zhiyi Zhang from Codesafe Team of Legendsec at QI-ANXIN
more... | chromium ungoogled-chromium
more detail |
2023-02-21 | VuXML ID 21f12de8-b1db-11ed-b0f4-002590f2a714
git team reports:
By feeding a crafted input to "git apply", a path outside the
working tree can be overwritten as the user who is running "git
apply".
more... | git
more detail |
2023-02-21 | VuXML ID 2fcca7e4-b1d7-11ed-b0f4-002590f2a714
The git team reports:
git log has the ability to display commits using an arbitrary
format with its --format specifiers. This functionality is also
exposed to git archive via the export-subst gitattribute.
When processing the padding operators (e.g., %<(, %<|(,
%>(, %>>(, or %><( ), an integer overflow can occur in
pretty.c::format_and_pad_commit() where a size_t is improperly
stored as an int, and then added as an offset to a subsequent
memcpy() call.
This overflow can be triggered directly by a user running a
command which invokes the commit formatting machinery (e.g., git
log --format=...). It may also be triggered indirectly through
git archive via the export-subst mechanism, which expands format
specifiers inside of files within the repository during a git
archive.
This integer overflow can result in arbitrary heap writes, which
may result in remote code execution.
more... | git
more detail |
2023-02-21 | VuXML ID 421c0af9-b206-11ed-9fe5-f4a47516fb57
Libde265 developer reports:
This release fixes the known CVEs below. Many of them are actually caused by the same underlying issues that manifest in different ways.
more... | libde265
more detail |
2023-02-21 | VuXML ID 7a425536-74f7-4ce4-9768-0079a9d44d11
Tim Wojtulewicz of Corelight reports:
Receiving DNS responses from async DNS requests (via
the lookup_addr, etc BIF methods) with the TTL set to
zero could cause the DNS manager to eventually stop being
able to make new requests.
Specially-crafted FTP packets with excessively long
usernames, passwords, or other fields could cause log
writes to use large amounts of disk space.
The find_all and find_all_ordered BIF methods could
take extremely large amounts of time to process incoming
data depending on the size of the input.
more... | zeek
more detail |
2023-02-21 | VuXML ID 8fafbef4-b1d9-11ed-b0f4-002590f2a714
git team reports:
gitattributes are used to define unique attributes corresponding
to paths in your repository. These attributes are defined by
.gitattributes file(s) within your repository.
The parser used to read these files has multiple integer
overflows, which can occur when parsing either a large number
of patterns, a large number of attributes, or attributes with
overly-long names.
These overflows may be triggered via a malicious
.gitattributes file. However, Git automatically splits lines at
2KB when reading .gitattributes from a file, but not when parsing
it from the index. Successfully exploiting this vulnerability
depends on the location of the .gitattributes file in question.
This integer overflow can result in arbitrary heap reads
and writes, which may result in remote code execution.
more... | git
more detail |
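The two git advisories above (the padding operators in pretty.c::format_and_pad_commit() and the .gitattributes parser) share one root cause: a size_t is narrowed to an int and the int is then used as a memcpy() length or offset. The block below is an added example, not git's code, and uses a simplified right-padding routine (the names padding_truncated, checked_padding and pad_right are assumptions made for this illustration) to show the bug and the checked form side by side.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not git's code: a size_t (pattern length, attribute count,
 * padding width) is narrowed to an int and the int is then used as a memcpy()
 * length or offset. Past INT_MAX the int goes negative or wraps small, so any
 * later bounds check compares against the wrong number. */

/* Vulnerable pattern: width and len are size_t, the computed padding is int. */
int padding_truncated(size_t width, size_t len)
{
    int pad = (int)(width - len);   /* width = INT_MAX + 2 yields a negative pad */
    return pad;
}

/* Hardened pattern: stay in size_t, refuse values that cannot be represented,
 * and check against the destination capacity before touching memory.
 * Returns false when the request is refused. */
bool checked_padding(size_t width, size_t len, size_t dst_cap, size_t *pad_out)
{
    if (width < len)            /* would wrap below zero */
        return false;
    if (width > INT_MAX)        /* cap so the result is representable everywhere */
        return false;
    if (width + 1 > dst_cap)    /* text + padding + terminating NUL must fit */
        return false;
    *pad_out = width - len;
    return true;
}

/* Right-pad `text` with spaces to `width` columns into dst[dst_cap].
 * Returns the resulting length, or -1 if the request was refused. */
int pad_right(const char *text, size_t width, char *dst, size_t dst_cap)
{
    size_t len = strlen(text);
    size_t pad = 0;
    if (!checked_padding(width, len, dst_cap, &pad))
        return -1;
    memcpy(dst, text, len);
    memset(dst + len, ' ', pad);
    dst[len + pad] = '\0';
    return (int)(len + pad);
}

/* Fixed demonstration; returns true when every case behaves as intended. */
bool pad_right_demo(void)
{
    char buf[16];
    bool ok = true;
    ok = ok && pad_right("abc", 6, buf, sizeof buf) == 6
            && strcmp(buf, "abc   ") == 0;
    ok = ok && pad_right("abcdef", 3, buf, sizeof buf) == -1;  /* width < len */
    ok = ok && pad_right("abc", 64, buf, sizeof buf) == -1;    /* exceeds buffer */
    ok = ok && pad_right("abc", (size_t)INT_MAX + 2, buf, sizeof buf) == -1;
    ok = ok && padding_truncated((size_t)INT_MAX + 2, 0) < 0;  /* the bug */
    return ok;
}

int main(void)
{
    bool ok = pad_right_demo();
    printf("%s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The point to take from checked_padding is that every comparison happens in the original unsigned type and against the real destination size; the moment a width is stored in an int, a value just past INT_MAX passes a later `pad < 0` or `pad < cap` test that it should fail.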
2023-02-21 | VuXML ID 9548d6ed-b1da-11ed-b0f4-002590f2a714
git team reports:
Using a specially-crafted repository, Git can be tricked into using
its local clone optimization even when using a non-local transport.
Though Git will abort local clones whose source $GIT_DIR/objects
directory contains symbolic links (c.f., CVE-2022-39253), the objects
directory itself may still be a symbolic link.
These two may be combined to include arbitrary files based on known
paths on the victim's filesystem within the malicious repository's
working copy, allowing for data exfiltration in a similar manner as
CVE-2022-39253.
more... | git
more detail |
2023-02-20 | VuXML ID 5048ed45-b0f1-11ed-ab04-9106b1b896dd
The Gitea team reports:
This PR refactors and improves the password hashing code within
gitea and makes it possible for server administrators to set the
password hashing parameters.
In addition it takes the opportunity to adjust the settings for
pbkdf2 in order to make the hashing a little stronger.
Add command to bulk set must-change-password
As part of administration sometimes it is appropriate to
forcibly tell users to update their passwords.
This PR creates a new command gitea admin user
must-change-password which will set the MustChangePassword flag on
the provided users.
more... | gitea
more detail |
2023-02-19 | VuXML ID 428922c9-b07e-11ed-8700-5404a68ad561
The Go project reports:
A request smuggling attack is possible when using
MaxBytesHandler. When using MaxBytesHandler, the body of
an HTTP request is not fully consumed. When the server
attempts to read HTTP2 frames from the connection, it
will instead be reading the body of the HTTP request,
which could be attacker-manipulated to represent
arbitrary HTTP2 requests.
more... | traefik
more detail |
2023-02-16 | VuXML ID 27c822a0-addc-11ed-a9ee-dca632b19f10
The Rundeck project reports:
This release updates both Community and Enterprise with the latest Log4J
to address CVE-2021-44832 by updating it to 2.17.1.
more... | rundeck3
more detail |
2023-02-16 | VuXML ID fd792048-ad91-11ed-a879-080027f5fec9
Simon Scannell reports:
- CVE-2023-20032
-
Fixed a possible remote code execution vulnerability in the HFS+ file parser.
- CVE-2023-20052
-
Fixed a possible remote information leak vulnerability in the DMG file parser.
more... | clamav clamav-lts
more detail |
2023-02-15 | VuXML ID 3d73e384-ad1f-11ed-983c-83fe35862e3a
The Go project reports:
path/filepath: path traversal in filepath.Clean on Windows
On Windows, the filepath.Clean function could transform
an invalid path such as a/../c:/b into the valid path
c:\b. This transformation of a relative (if invalid)
path into an absolute path could enable a directory
traversal attack. The filepath.Clean function will now
transform this path into the relative (but still
invalid) path .\c:\b.
net/http, mime/multipart: denial of service from excessive
resource consumption
Multipart form parsing with
mime/multipart.Reader.ReadForm can consume largely
unlimited amounts of memory and disk files. This also
affects form parsing in the net/http package with the
Request methods FormFile, FormValue, ParseMultipartForm,
and PostFormValue.
crypto/tls: large handshake records may cause panics
Both clients and servers may send large TLS handshake
records which cause servers and clients,
respectively, to panic when attempting to construct responses.
net/http: avoid quadratic complexity in HPACK decoding
A maliciously crafted HTTP/2 stream could cause
excessive CPU consumption in the HPACK decoder,
sufficient to cause a denial of service from a small
number of small requests.
more... | go119 go120
more detail |
2023-02-14 | VuXML ID 9c9ee9a6-ac5e-11ed-9323-080027d3a315
Django reports:
CVE-2023-24580: Potential denial-of-service vulnerability in file uploads.
more... | py310-django32 py310-django40 py310-django41 py37-django32 py38-django32 py38-django40 py38-django41 py39-django32 py39-django40 py39-django41
more detail |
2023-02-13 | VuXML ID 0a7a5dfb-aba4-11ed-be2c-001cc0382b2f
The GnuTLS project reports:
A vulnerability was found that the response times to malformed RSA
ciphertexts in ClientKeyExchange differ from response times of
ciphertexts with correct PKCS#1 v1.5 padding. Only TLS ciphertext
processing is affected.
more... | gnutls
more detail |
2023-02-13 | VuXML ID 8e20430d-a72b-11ed-a04f-40b034455553
MinIO reports:
A security issue was found where an unprivileged user is
able to create service accounts for root or other admin
users and then is able to assume their access policies
via the generated credentials.
more... | minio
more detail |
2023-02-12 | VuXML ID 3eccc968-ab17-11ed-bd9e-589cfc0f81b0
phpmyfaq developers report:
a bypass to flood admin with FAQ proposals
stored XSS in questions
stored HTML injections
weak passwords
more... | phpmyfaq
more detail |
2023-02-10 | VuXML ID 310ca30e-a951-11ed-8314-a8a1599412c6
Chrome Releases reports:
This release contains 15 security fixes, including:
- [1402270] High CVE-2023-0696: Type Confusion in V8. Reported by Haein Lee at KAIST Hacking Lab on 2022-12-18
- [1341541] High CVE-2023-0697: Inappropriate implementation in Full screen mode. Reported by Ahmed ElMasry on 2022-07-03
- [1403573] High CVE-2023-0698: Out of bounds read in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2022-12-25
- [1371859] Medium CVE-2023-0699: Use after free in GPU. Reported by 7o8v and Cassidy Kim(@cassidy6564) on 2022-10-06
- [1393732] Medium CVE-2023-0700: Inappropriate implementation in Download. Reported by Axel Chong on 2022-11-26
- [1405123] Medium CVE-2023-0701: Heap buffer overflow in WebUI. Reported by Sumin Hwang of SSD Labs on 2023-01-05
- [1316301] Medium CVE-2023-0702: Type Confusion in Data Transfer. Reported by Sri on 2022-04-14
- [1405574] Medium CVE-2023-0703: Type Confusion in DevTools. Reported by raven at KunLun lab on 2023-01-07
- [1385982] Low CVE-2023-0704: Insufficient policy enforcement in DevTools. Reported by Rhys Elsmore and Zac Sims of the Canva security team on 2022-11-18
- [1238642] Low CVE-2023-0705: Integer overflow in Core. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-11
more... | chromium ungoogled-chromium
more detail |
2023-02-09 | VuXML ID 7a8b6170-a889-11ed-bbae-6cc21735f730
PostgreSQL Project reports:
A modified, unauthenticated server can send an
unterminated string during the establishment of Kerberos
transport encryption. When a libpq client application
has a Kerberos credential cache and doesn't explicitly
disable option gssencmode, a server can cause libpq to
over-read and report an error message containing
uninitialized bytes from and following its receive
buffer. If libpq's caller somehow makes that message
accessible to the attacker, this achieves a disclosure
of the over-read bytes. We have not confirmed or ruled
out viability of attacks that arrange for a crash or for
presence of notable, confidential information in
disclosed bytes.
more... | postgresql12-client postgresql13-client postgresql14-client postgresql15-client
more detail |
2023-02-09 | VuXML ID e6281d88-a7a7-11ed-8d6a-6c3be5272acd
Grafana Labs reports:
A third-party penetration test of Grafana found a vulnerability
in the snapshot functionality. The value of the originalUrl parameter
is automatically generated. The purpose of the presented originalUrl parameter
is to provide a user who views the snapshot with the possibility to click
on the Local Snapshot button in the Grafana web UI
and be presented with the dashboard that the snapshot captured. The value
of the originalUrl parameter can be arbitrarily chosen by a malicious user that
creates the snapshot. (Note: This can be done by editing the query thanks
to a web proxy like Burp.)
We have assessed this vulnerability as having a CVSS score of 6.7 MEDIUM
(CVSS:6.7/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L).
more... | grafana grafana8 grafana9
more detail |
2023-02-09 | VuXML ID ecffb881-a7a7-11ed-8d6a-6c3be5272acd
Grafana Labs reports:
On 2022-12-16 during an internal audit of Grafana, a member of the security
team found a stored XSS vulnerability affecting the core plugin GeoMap.
The stored XSS vulnerability was possible due to SVG-files weren't properly
sanitized and allowed arbitrary JavaScript to be executed in the context
of the currently authorized user of the Grafana instance.
more... | grafana grafana8 grafana9
more detail |
2023-02-08 | VuXML ID 1dd84344-a7da-11ed-86e9-d4c9ef517024
The OpenBSD project reports:
A malicious certificate revocation list or timestamp response token
would allow an attacker to read arbitrary memory.
more... | libressl libressl-devel
more detail |
2023-02-08 | VuXML ID 6cc63bf5-a727-4155-8ec4-68b626475e68
The X.org project reports:
more... | xephyr xorg-nestserver xorg-server xorg-vfbserver xwayland xwayland-devel
more detail |
2023-02-08 | VuXML ID b34c1947-a749-11ed-b24b-1c61b4739ac9
MITRE reports:
TightVNC code version 1.3.10 contains a global buffer overflow in the HandleCoRREBBP macro function, which can potentially result in code execution. This attack appears to be exploitable via network connectivity.
TightVNC code version 1.3.10 contains a heap buffer overflow in the InitialiseRFBConnection function, which can potentially result in code execution. This attack appears to be exploitable via network connectivity.
TightVNC code version 1.3.10 contains a null pointer dereference in the HandleZlibBPP function, which results in Denial of Service (DoS). This attack appears to be exploitable via network connectivity.
more... | tightvnc
more detail |
2023-02-07 | VuXML ID 648a432c-a71f-11ed-86e9-d4c9ef517024
The OpenSSL project reports:
X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) (High):
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING.
Timing Oracle in RSA Decryption (CVE-2022-4304) (Moderate):
A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OEAP and RSASVE.
X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203) (Moderate):
A read buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs
after certificate chain signature verification and requires either a
CA to have signed the malicious certificate or for the application to
continue certificate verification despite failure to construct a path
to a trusted issuer.
Use-after-free following BIO_new_NDEF (CVE-2023-0215) (Moderate):
The public API function BIO_new_NDEF is a helper function used for streaming
ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the
SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by
end user applications.
Double free after calling PEM_read_bio_ex (CVE-2022-4450) (Moderate):
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data.
If the function succeeds then the "name_out", "header" and "data" arguments are
populated with pointers to buffers containing the relevant decoded data. The
caller is responsible for freeing those buffers. It is possible to construct a
PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()
will return a failure code but will populate the header argument with a pointer
to a buffer that has already been freed. If the caller also frees this buffer
then a double free will occur. This will most likely lead to a crash. This
could be exploited by an attacker who has the ability to supply malicious PEM
files for parsing to achieve a denial of service attack.
Invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216) (Moderate):
An invalid pointer dereference on read can be triggered when an
application tries to load malformed PKCS7 data with the
d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.
NULL dereference validating DSA public key (CVE-2023-0217) (Moderate):
An invalid pointer dereference on read can be triggered when an
application tries to check a malformed DSA public key by the
EVP_PKEY_public_check() function. This will most likely lead
to an application crash. This function can be called on public
keys supplied from untrusted sources which could allow an attacker
to cause a denial of service attack.
NULL dereference during PKCS7 data verification (CVE-2023-0401) (Moderate):
A NULL pointer can be dereferenced when signatures are being
verified on PKCS7 signed or signedAndEnveloped data. In case the hash
algorithm used for the signature is known to the OpenSSL library but
the implementation of the hash algorithm is not available the digest
initialization will fail. There is a missing check for the return
value from the initialization function which later leads to invalid
usage of the digest API most likely leading to a crash.
more... | openssl openssl-devel openssl-quictls
more detail |
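The GnuTLS entry above (response time differs for malformed RSA ciphertexts in ClientKeyExchange) and OpenSSL's CVE-2022-4304 describe the same Bleichenbacher-style oracle: if the PKCS#1 v1.5 padding check returns as soon as it finds a bad byte, the time taken tells the attacker where the padding broke. The block below is an added example, not GnuTLS or OpenSSL code; the function names are assumptions made for this illustration. It puts the early-return check beside a version that examines every byte and folds the verdict into a mask. It covers only the padding check: the copy-out of the message, and the handling of the RSA result length, must be done the same way, or the leak simply moves.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not GnuTLS or OpenSSL code.
 * em is the k-byte encoded message after RSA decryption:
 *   0x00 || 0x02 || PS (>= 8 nonzero bytes) || 0x00 || M */

/* Leaky pattern: returns at the first bad byte, so execution time depends on
 * where the padding breaks. Over many trial ciphertexts that difference is
 * the oracle a Bleichenbacher attack needs. */
int pkcs1_v15_unpad_leaky(const uint8_t *em, size_t k, size_t *msg_off)
{
    if (k < 11) return 0;
    if (em[0] != 0x00) return 0;
    if (em[1] != 0x02) return 0;
    size_t i;
    for (i = 2; i < k; i++)
        if (em[i] == 0x00) break;
    if (i == k) return 0;          /* no separator */
    if (i < 10) return 0;          /* fewer than 8 nonzero padding bytes */
    *msg_off = i + 1;
    return 1;
}

/* Constant-time helpers: each returns 0xFF (true) or 0x00 (false).
 * Assumption: operands are below 2^31, which holds for any RSA modulus size. */
static uint8_t ct_eq(uint8_t a, uint8_t b)
{
    uint32_t x = (uint32_t)(a ^ b);             /* 0 iff equal */
    uint32_t r = ((x - 1) >> 31) & 1;           /* 1 iff x == 0 */
    return (uint8_t)(0u - r);
}

static uint8_t ct_lt(uint32_t a, uint32_t b)    /* 0xFF iff a < b */
{
    return (uint8_t)(0u - ((a - b) >> 31));
}

/* Constant-time pattern: every byte is visited, no branch depends on the
 * data, and the verdict is accumulated in `good`. Only k (the public modulus
 * length) influences control flow. */
int pkcs1_v15_unpad_ct(const uint8_t *em, size_t k, size_t *msg_off)
{
    if (k < 11) return 0;                       /* k is public */
    uint8_t good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);
    uint8_t found = 0;                          /* 0xFF once a 0x00 was seen */
    uint32_t zero_index = 0;                    /* index of the first 0x00 */
    for (size_t i = 2; i < k; i++) {
        uint8_t is_zero = ct_eq(em[i], 0x00);
        uint8_t first = (uint8_t)(is_zero & (uint8_t)~found);
        uint32_t mask = 0u - (uint32_t)(first & 1);
        zero_index |= (uint32_t)i & mask;
        found |= is_zero;
    }
    good &= found;                              /* a separator must exist */
    good &= ct_lt(9, zero_index);               /* and sit at index >= 10 */
    *msg_off = (size_t)zero_index + 1;          /* meaningful only if good */
    return good & 1;
}

/* Convenience wrapper: message offset on success, -1 on bad padding. */
long pkcs1_v15_msg_offset_ct(const uint8_t *em, size_t k)
{
    size_t off = 0;
    return pkcs1_v15_unpad_ct(em, k, &off) ? (long)off : -1;
}

/* Constructed vectors; returns 1 when both checkers agree on all of them. */
int unpad_checkers_agree(void)
{
    const uint8_t ok[]     = {0x00,0x02,1,2,3,4,5,6,7,8,0x00,'h','i'};
    const uint8_t shortps[] = {0x00,0x02,1,2,3,0x00,5,6,7,8,9,'h','i'};
    const uint8_t nosep[]  = {0x00,0x02,1,1,1,1,1,1,1,1,1,1,1};
    const uint8_t badtype[] = {0x00,0x01,1,2,3,4,5,6,7,8,0x00,'h','i'};
    const uint8_t *v[] = {ok, shortps, nosep, badtype};
    for (size_t n = 0; n < 4; n++) {
        size_t a = 0, b = 0;
        if (pkcs1_v15_unpad_leaky(v[n], 13, &a) != pkcs1_v15_unpad_ct(v[n], 13, &b))
            return 0;
    }
    return 1;
}
```

A compiler is free to re-introduce branches when it can see through the masks, so production code keeps these helpers opaque (separate compilation, volatile barriers or the library's own constant-time primitives) and measures the result rather than trusting the source.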
2023-02-06 | VuXML ID c49a880d-a5bb-11ed-aab5-080027de9982
Django reports:
CVE-2023-23969: Potential denial-of-service via Accept-Language headers.
more... | py310-django32 py310-django40 py310-django41 py37-django32 py38-django32 py38-django40 py38-django41 py39-django32 py39-django40 py39-django41
more detail |
2023-02-04 | VuXML ID 01823528-a4c1-11ed-b6af-b42e991fc52e
NIST reports:
jackson-databind before 2.13.0 allows a Java StackOverflow
exception and denial of service via a large depth of nested
objects.
more... | kafka
more detail |
2023-02-04 | VuXML ID d835c54f-a4bd-11ed-b6af-b42e991fc52e
Prometheus team reports:
Prometheus and its exporters can be secured by a web.yml file that
specifies usernames and hashed passwords for basic authentication.
Passwords are hashed with bcrypt, which means that even if you have
access to the hash, it is very hard to find the original password
back. However, a flaw in the way this mechanism was
implemented in the exporter toolkit makes it possible for people
who know the hashed password to authenticate against Prometheus.
A request can be forged by an attacker to poison the internal cache
used to cache the computation of hashes and make subsequent requests
successful. This cache is used in both happy and unhappy scenarios
in order to limit side channel attacks that could tell an attacker
if a user is present in the file or not.
more... | node_exporter
more detail |
2023-02-02 | VuXML ID 8dd438ed-a338-11ed-b48b-589cfc0f81b0
The Asterisk project reports:
AST-2022-007: Remote Crash Vulnerability in H323 channel add on
AST-2022-008: Use after free in res_pjsip_pubsub.c
AST-2022-009: GetConfig AMI Action can read files outside of
Asterisk directory
more... | asterisk18
more detail |
2023-02-02 | VuXML ID c3fb48cc-a2ff-11ed-8fbc-6cf0490a8c18
Stéphane Bruckert reports:
If a malicious URI is passed to the library, the library can be tricked into performing an operation on a different API endpoint than intended.
more... | py310-spotipy py311-spotipy py37-spotipy py38-spotipy py39-spotipy
more detail |
2023-02-01 | VuXML ID 2b5fc9c4-eaca-46e0-83d0-9b10c51c4b1b
Tim Wojtulewicz of Corelight reports:
A missing field in the SMB FSControl script-land record could
cause a heap buffer overflow when receiving packets containing
those header types.
Receiving a series of packets that start with HTTP/1.0
and then switch to HTTP/0.9 could cause Zeek to spend a
large amount of time processing the packets.
Receiving large numbers of FTP commands sequentially
from the network with bad data in them could cause Zeek
to spend a large amount of time processing the packets,
and generate a large amount of events.
more... | zeek
more detail |
2023-02-01 | VuXML ID ee890be3-a1ec-11ed-a81d-001b217b3468
Gitlab reports:
Denial of Service via arbitrarily large Issue descriptions
CSRF via file upload allows an attacker to take over a repository
Sidekiq background job DoS by uploading malicious CI job artifact zips
Sidekiq background job DoS by uploading a malicious Helm package
more... | gitlab-ce
more detail |
2023-01-30 | VuXML ID 791a09c5-a086-11ed-954d-b42e991fc52e
Prometheus team reports:
Prometheus and its exporters can be secured by a web.yml file that
specifies usernames and hashed passwords for basic authentication.
Passwords are hashed with bcrypt, which means that even if you have
access to the hash, it is very hard to find the original password
back. However, a flaw in the way this mechanism was
implemented in the exporter toolkit makes it possible for people
who know the hashed password to authenticate against Prometheus.
A request can be forged by an attacker to poison the internal cache
used to cache the computation of hashes and make subsequent requests
successful. This cache is used in both happy and unhappy scenarios
in order to limit side channel attacks that could tell an attacker
if a user is present in the file or not.
more... | prometheus
more detail |
2023-01-30 | VuXML ID 98f78c7a-a08e-11ed-946e-002b67dfc673
Plex Security Team reports:
We have recently been made aware of a security vulnerability in Plex Media Server versions prior to 1.25.0 that could allow a local Windows user to obtain administrator privileges without authorization. To be clear, this required the user to already have local, physical access to the computer (just with a different user account on Windows). There are no indications that this exploit could be used from a remote machine.
Plex Media Server versions 1.25.0.5282 and newer are not subject to this vulnerability, and feature additional hardening to prevent similar issues from occurring in the future. Users running older server versions are encouraged to update their Plex Media Server installations.
more... | plexmediaserver plexmediaserver-plexpass
more detail |
2023-01-25 | VuXML ID 3d0a3eb0-9ca3-11ed-a925-3065ec8fd3ec
Chrome Releases reports:
This release contains 6 security fixes, including:
- [1376354] High CVE-2023-0471: Use after free in WebTransport. Reported by chichoo Kim(chichoo) and Cassidy Kim(@cassidy6564) on 2022-10-19
- [1405256] High CVE-2023-0472: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-01-06
- [1404639] Medium CVE-2023-0473: Type Confusion in ServiceWorker API. Reported by raven at KunLun lab on 2023-01-03
- [1400841] Medium CVE-2023-0474: Use after free in GuestView. Reported by avaue at S.S.L on 2022-12-14
more... | chromium ungoogled-chromium
more detail |
2023-01-25 | VuXML ID b0e1fa2b-9c86-11ed-9296-002b67dfc673
re2c reports:
re2c before 2.0 has uncontrolled recursion that causes stack consumption in find_fixed_tags.
more... | re2c
more detail |
2023-01-24 | VuXML ID b8a0fea2-9be9-11ed-8acf-0800277bb8a8
The Gitea team reports:
Prevent multiple To recipients: Change the mailer interface to
prevent leaking of possible hidden email addresses when sending
to multiple recipients.
more... | gitea
more detail |
2023-01-23 | VuXML ID 28b69630-9b10-11ed-97a6-6805ca2fa271
PowerDNS Team reports:
PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination
more... | powerdns-recursor
more detail |
2023-01-23 | VuXML ID 7844789a-9b1f-11ed-9a3f-b42e991fc52e
MITRE reports:
NLnet Labs Krill supports direct access to the RRDP repository
content through its built-in web server at the "/rrdp" endpoint.
Prior to 0.12.1 a direct query for any existing directory under
"/rrdp/", rather than an RRDP file such as "/rrdp/notification.xml"
as would be expected, causes Krill to crash. If the built-in "/rrdp"
endpoint is exposed directly to the internet, then malicious remote
parties can cause the publication server to crash. The repository
content is not affected by this, but the availability of the server
and repository can cause issues if this attack is persistent and is
not mitigated.
more... | krill
more detail |
2023-01-23 | VuXML ID b6f7ad7d-9b19-11ed-9a3f-b42e991fc52e
Mitre reports:
etserver and etclient have predictable logfile names in
/tmp and they are world-readable logfiles
more... | eternalterminal
more detail |
2023-01-23 | VuXML ID bba3f684-9b1d-11ed-9a3f-b42e991fc52e
MITRE reports:
It seems #90 is not completely fixed in 7.8.
(that is, even after CVE-2017-1000501 and CVE-2020-29600 are fixed).
In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a
partial absolute pathname (omitting the initial /etc), even
though it was intended to only read a file in the /etc/awstats/awstats.conf format.
NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
more... | awstats
more detail |
2023-01-21 | VuXML ID a3b10c9b-99d9-11ed-aa55-d05099fed512
Peter Ammon reports:
fish is a command line shell. fish version 3.1.0 through
version 3.3.1 is vulnerable to arbitrary code execution.
git repositories can contain per-repository
configuration that change the behavior of git, including
running arbitrary commands. When using the default
configuration of fish, changing to a directory
automatically runs git commands in order to display
information about the current repository in the prompt.
If an attacker can convince a user to change their
current directory into one controlled by the attacker,
such as on a shared file system or extracted archive,
fish will run arbitrary commands under the attacker's
control. This problem has been fixed in fish 3.4.0. Note
that running git in these directories, including using
the git tab completion, remains a potential trigger for
this issue. As a workaround, remove the
fish_git_prompt function from the prompt.
more... | fish
more detail |
2023-01-21 | VuXML ID dc49f6dc-99d2-11ed-86e9-d4c9ef517024
Oracle reports:
This Critical Patch Update contains 37 new security patches for
Oracle MySQL. 8 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials.
more... | mysql-client57 mysql-client80 mysql-connector-c++ mysql-connector-odbc mysql-server57 mysql-server80
more detail |
2023-01-20 | VuXML ID 005dfb48-990d-11ed-b9d3-589cfc0f81b0
phpmyfaq developers report:
phpMyFAQ does not implement sufficient checks to avoid a stored
XSS in "Add new question"
phpMyFAQ does not implement sufficient checks to avoid a stored XSS
in admin user page
phpMyFAQ does not implement sufficient checks to avoid a stored XSS
in FAQ comments
phpMyFAQ does not implement sufficient checks to avoid a blind
stored XSS in admin open question page
phpMyFAQ does not implement sufficient checks to avoid a reflected
XSS in the admin backend login
phpMyFAQ does not implement sufficient checks to avoid stored XSS
on user, category, FAQ, news and configuration admin backend
phpMyFAQ does not implement sufficient checks to avoid weak passwords
more... | phpmyfaq
more detail |
2023-01-19 | VuXML ID 95176ba5-9796-11ed-bfbf-080027f5fec9
Aaron Patterson reports:
- CVE-2022-44570
-
Carefully crafted input can cause the Range header
parsing component in Rack to take an unexpected amount
of time, possibly resulting in a denial of service
attack vector. Any applications that deal with Range
requests (such as streaming applications, or
applications that serve files) may be impacted.
- CVE-2022-44571
-
Carefully crafted input can cause Content-Disposition
header parsing in Rack to take an unexpected amount of
time, possibly resulting in a denial of service attack
vector. This header is typically used in multipart
parsing. Any applications that parse multipart posts
using Rack (virtually all Rails applications) are
impacted.
- CVE-2022-44572
-
Carefully crafted input can cause RFC2183 multipart
boundary parsing in Rack to take an unexpected amount of
time, possibly resulting in a denial of service attack
vector. Any applications that parse multipart posts
using Rack (virtually all Rails applications) are
impacted.
more... | rubygem-rack rubygem-rack16 rubygem-rack22
more detail |
2023-01-17 | VuXML ID 00919005-96a3-11ed-86e9-d4c9ef517024
The Apache httpd project reports:
mod_dav out of bounds read, or write of zero byte (CVE-2006-20001)
(moderate)
mod_proxy_ajp Possible request smuggling (CVE-2022-36760) (moderate)
mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response
splitting (CVE-2022-37436) (moderate)
more... | apache24
more detail |
2023-01-16 | VuXML ID 5fa68bd9-95d9-11ed-811a-080027f5fec9
The Redis core team reports:
- CVE-2022-35977
-
Integer overflow in the Redis SETRANGE and SORT/SORT_RO
commands can drive Redis to OOM panic.
- CVE-2023-22458
-
Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER
commands can lead to denial-of-service.
more... | redis redis-devel redis6 redis62
more detail |
2023-01-16 | VuXML ID 9d9e9439-959e-11ed-b464-b42e991fc52e
CIRCL reports:
- CVE-2022-41966: XStream serializes Java objects to XML
and back again.
Versions prior to 1.4.20 may allow a remote attacker
to terminate the application with a stack
overflow error, resulting in a denial of
service only via manipulation of the
processed input stream.
- CVE-2022-40151: If the parser is running on user
supplied input, an attacker may supply content that
causes the parser to crash by stackoverflow. This
effect may support a denial of service attack.
more... | keycloak
more detail |
2023-01-14 | VuXML ID 847f16e5-9406-11ed-a925-3065ec8fd3ec
The Tor Project reports:
TROVE-2022-002: The SafeSocks option for SOCKS4(a) is inverted leading to SOCKS4 going through
This is a report from hackerone:
We have classified this as medium considering that tor was not defending in-depth for dangerous SOCKS request and so any user relying on SafeSocks 1 to make sure they don't link DNS leak and their Tor traffic wasn't safe after all for SOCKS4(a).
Tor Browser doesn't use SafeSocks 1 and SOCKS4 so at least the likely vast majority of users are not affected.
more... | tor
more detail |
2023-01-12 | VuXML ID 76e2fcce-92d2-11ed-a635-080027f5fec9
lu4nx reports:
GNU Emacs through 28.2 allows attackers to execute
commands via shell metacharacters in the name of a
source-code file, because lib-src/etags.c uses the system
C library function in its implementation of the ctags
program. For example, a victim may use the "ctags *"
command (suggested in the ctags documentation) in a
situation where the current working directory has contents
that depend on untrusted input.
more... | emacs emacs-canna emacs-devel emacs-devel-nox emacs-nox
more detail |
2023-01-11 | VuXML ID 3a023570-91ab-11ed-8950-001b217b3468
Gitlab reports:
Race condition on gitlab.com enables verified email forgery and third-party account hijacking
DOS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint
Maintainer can leak sentry token by changing the configured URL
Maintainer can leak masked webhook secrets by changing target URL of the webhook
Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP
Group access tokens continue to work after owner loses ability to revoke them
Users' avatar disclosure by user ID in private GitLab instances
Arbitrary Protocol Redirection in GitLab Pages
Regex DoS due to device-detector parsing user agents
Regex DoS in the Submodule Url Parser
more... | gitlab-ce
more detail |
2023-01-11 | VuXML ID 53caf29b-9180-11ed-acbe-b42e991fc52e
Cassandra team reports:
This release contains 6 security fixes including
- CVE-2022-24823: When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory
- CVE-2020-7238: Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.
- CVE-2019-2684: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE
- CVE-2022-25857: The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.
- CVE-2022-42003: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
- CVE-2022-42004: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays.
more... | cassandra3
more detail |
2023-01-11 | VuXML ID 60624f63-9180-11ed-acbe-b42e991fc52e
Marcus Eriksson reports:
When running Apache Cassandra with
the following configuration:
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
it is possible for an attacker to execute arbitrary code on
the host. The attacker would need to have enough permissions
to create user defined functions in the cluster to be able
to exploit this.
more... | cassandra3
more detail |
2023-01-11 | VuXML ID 9fa7b139-c1e9-409e-bed0-006aadcf5845
The X.org project reports:
- CVE-2022-46340/ZDI-CAN-19265: X.Org Server XTestSwapFakeInput stack
overflow
The swap handler for the XTestFakeInput request of the XTest extension
may corrupt the stack if GenericEvents with lengths larger than 32 bytes
are sent through the XTestFakeInput request.
This issue does not affect systems where client and server use the same
byte order.
- CVE-2022-46341/ZDI-CAN-19381: X.Org Server XIPassiveUngrab
out-of-bounds access
The handler for the XIPassiveUngrab request accesses out-of-bounds
memory when invoked with a high keycode or button code.
- CVE-2022-46342/ZDI-CAN-19400: X.Org Server XvdiSelectVideoNotify
use-after-free
The handler for the XvdiSelectVideoNotify request may write to memory
after it has been freed.
- CVE-2022-46343/ZDI-CAN-19404: X.Org Server ScreenSaverSetAttributes
use-after-free
The handler for the ScreenSaverSetAttributes request may write to memory
after it has been freed.
- CVE-2022-46344/ZDI-CAN-19405: X.Org Server XIChangeProperty
out-of-bounds access
The handler for the XIChangeProperty request has length-validation
issues, resulting in out-of-bounds memory reads and potential
information disclosure.
- CVE-2022-4283/ZDI-CAN-19530: X.Org Server XkbGetKbdByName use-after-free
The XkbCopyNames function left a dangling pointer to freed memory,
resulting in out-of-bounds memory access on subsequent XkbGetKbdByName
requests.
more... | xephyr xorg-nestserver xorg-server xorg-vfbserver xwayland xwayland-devel
more detail |
2023-01-11 | VuXML ID b3fd12ea-917a-11ed-acbe-b42e991fc52e
mindrot project reports:
There is an integer overflow that
occurs with very large log_rounds values, first reported by
Marcus Rathsfeld.
more... | cassandra3
more detail |
2023-01-10 | VuXML ID 7b929503-911d-11ed-a925-3065ec8fd3ec
Chrome Releases reports:
This release contains 17 security fixes, including:
- [1353208] High CVE-2023-0128: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-08-16
- [1382033] High CVE-2023-0129: Heap buffer overflow in Network Service. Reported by asnine on 2022-11-07
- [1370028] Medium CVE-2023-0130: Inappropriate implementation in Fullscreen API. Reported by Hafiizh on 2022-09-30
- [1357366] Medium CVE-2023-0131: Inappropriate implementation in iframe Sandbox. Reported by NDevTK on 2022-08-28
- [1371215] Medium CVE-2023-0132: Inappropriate implementation in Permission prompts. Reported by Jasper Rebane (popstonia) on 2022-10-05
- [1375132] Medium CVE-2023-0133: Inappropriate implementation in Permission prompts. Reported by Alesandro Ortiz on 2022-10-17
- [1385709] Medium CVE-2023-0134: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-17
- [1385831] Medium CVE-2023-0135: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-18
- [1356987] Medium CVE-2023-0136: Inappropriate implementation in Fullscreen API. Reported by Axel Chong on 2022-08-26
- [1399904] Medium CVE-2023-0137: Heap buffer overflow in Platform Apps. Reported by avaue and Buff3tts at S.S.L. on 2022-12-10
- [1346675] Low CVE-2023-0138: Heap buffer overflow in libphonenumber. Reported by Michael Dau on 2022-07-23
- [1367632] Low CVE-2023-0139: Insufficient validation of untrusted input in Downloads. Reported by Axel Chong on 2022-09-24
- [1326788] Low CVE-2023-0140: Inappropriate implementation in File System API. Reported by harrison.mitchell, cybercx.com.au on 2022-05-18
- [1362331] Low CVE-2023-0141: Insufficient policy enforcement in CORS. Reported by scarlet on 2022-09-12
more... | chromium ungoogled-chromium
more detail |
2023-01-09* | VuXML ID 59c284f4-8d2e-11ed-9ce0-b42e991fc52e
cacti team reports:
A command injection vulnerability allows an
unauthenticated user to execute arbitrary code on a server
running Cacti, if a specific data source was selected for
any monitored device.
more... | cacti
more detail |
2023-01-05 | VuXML ID 541696ed-8d12-11ed-af80-ecf4bbc0bda0
C. Michael Pilato reports:
security fix: escape revision view copy paths (#311) [CVE-2023-22464]
security fix: escape revision view changed paths (#311) [CVE-2023-22456]
more... | py37-viewvc-devel py38-viewvc-devel py39-viewvc-devel
more detail |
2023-01-03 | VuXML ID 5b2eac07-8b4d-11ed-8b23-a0f3c100ae18
Marc Lehmann reports:
The biggest issue is resolving CVE-2022-4170, which allows command
execution inside urxvt from within the terminal (that means anything that
can output text in the terminal can start commands in the context of the
urxvt process, even remotely).
more... | rxvt-unicode
more detail |
2023-01-02 | VuXML ID 86c330fe-bbae-4ca7-85f7-5321e627a4eb
The Gitea team reports:
Remove ReverseProxy authentication from the API
Support Go Vulnerability Management
Forbid HTML string tooltips
more... | gitea
more detail |
2022-12-29 | VuXML ID 140a20e1-8769-11ed-b074-002b67dfc673
Webtrees reports:
GEDCOM imports containing errors and HTML displayed unescaped.
more... | webtrees
more detail |
2022-12-29 | VuXML ID d379aa14-8729-11ed-b988-080027d3a315
Mediawiki reports:
(T322637, CVE-2022-PENDING) SECURITY: Make sqlite DB files not world readable.
more... | mediawiki135 mediawiki138 mediawiki139
more detail |
2022-12-27 | VuXML ID 4b60c3d9-8640-11ed-a762-482ae324f959
Netdata reports:
GHSA-xg38-3vmw-2978: Netdata Streaming Alert Command Injection
GHSA-jx85-39cw-66f2: Netdata Streaming Authentication Bypass
more... | netdata
more detail |
2022-12-24 | VuXML ID 1f0421b1-8398-11ed-973d-002b67dfc673
FreeRDP reports:
GHSA-5w4j-mrrh-jjrm: Out of bound read in zgfx decoder.
GHSA-99cm-4gw7-c8jh: Undefined behaviour in zgfx decoder.
GHSA-387j-8j96-7q35: Division by zero in urbdrc channel.
GHSA-mvxm-wfj2-5fvh: Missing length validation in urbdrc channel.
GHSA-qfq2-82qr-7f4j: Heap buffer overflow in urbdrc channel.
GHSA-c5xq-8v35-pffg: Missing path sanitation with `drive` channel.
GHSA-pmv3-wpw4-pw5h: Missing input length validation in `drive` channel.
more... | freerdp
more detail |
2022-12-22 | VuXML ID d0da046a-81e6-11ed-96ca-0800277bb8a8
The Gitea team reports:
Do not allow Ghost access to limited visible user/org
Fix package access for admins and inactive users
more... | gitea
more detail |
2022-12-17 | VuXML ID d9e154c9-7de9-11ed-adca-080027d3a315
TYPO3 reports:
TYPO3-CORE-SA-2022-012: Denial of Service in Page Error Handling.
TYPO3-CORE-SA-2022-013: Weak Authentication in Frontend Login.
TYPO3-CORE-SA-2022-014: Insufficient Session Expiration after Password Reset.
TYPO3-CORE-SA-2022-015: Arbitrary Code Execution via Form Framework.
TYPO3-CORE-SA-2022-016: Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration.
TYPO3-CORE-SA-2022-017: By-passing Cross-Site Scripting Protection in HTML Sanitizer.
more... | typo3-11-php81 typo3-12-php81
more detail |
2022-12-14 | VuXML ID 0f99a30c-7b4b-11ed-9168-080027f5fec9
Daniel Stenberg reports:
- CVE-2022-32221: POST following PUT confusion
When doing HTTP(S) transfers, libcurl might erroneously
use the read callback (CURLOPT_READFUNCTION) to ask for data to
send, even when the CURLOPT_POSTFIELDS
option has been set, if the same handle previously was
used to issue a PUT request which used that
callback. This flaw may surprise the application and
cause it to misbehave and either send off the wrong data
or use memory after free or similar in the subsequent
POST request. The problem exists in the
logic for a reused handle when it is changed from a PUT
to a POST.
- CVE-2022-35260: .netrc parser out-of-bounds access
curl can be told to parse a .netrc file for
credentials. If that file ends in a line with
consecutive non-white space letters and no newline, curl
could read past the end of the stack-based buffer, and
if the read works, write a zero byte possibly beyond its
boundary. This will in most cases cause a segfault or
similar, but circumstances might also cause different
outcomes. If a malicious user can provide a custom netrc
file to an application or otherwise affect its contents,
this flaw could be used as denial-of-service.
- CVE-2022-42915: HTTP proxy double-free
If curl is told to use an HTTP proxy for a transfer with
a non-HTTP(S) URL, it sets up the connection to the
remote server by issuing a CONNECT request to the proxy,
and then tunnels the rest of protocol through. An HTTP
proxy might refuse this request (HTTP proxies often only
allow outgoing connections to specific port numbers,
like 443 for HTTPS) and instead return a non-200
response code to the client. Due to flaws in the
error/cleanup handling, this could trigger a double-free
in curl if one of the following schemes were used in the
URL for the transfer: dict, gopher, gophers, ldap,
ldaps, rtmp, rtmps, telnet
- CVE-2022-42916: HSTS bypass via IDN
curl's HSTS check could be bypassed to trick it to keep
using HTTP. Using its HSTS support, curl can be
instructed to use HTTPS directly instead of using an
insecure clear-text HTTP step even when HTTP is provided
in the URL. This mechanism could be bypassed if the host
name in the given URL uses IDN characters that get
replaced to ASCII counterparts as part of the IDN
conversion. Like using the character UTF-8 U+3002
(IDEOGRAPHIC FULL STOP) instead of the common ASCII full
stop (U+002E). Like this: http://curl。se。
more... | curl
more detail |
2022-12-14 | VuXML ID 83eb9374-7b97-11ed-be8f-3065ec8fd3ec
Chrome Releases reports:
This release contains 8 security fixes, including:
- [1383991] High CVE-2022-4436: Use after free in Blink Media. Reported by Anonymous on 2022-11-15
- [1394692] High CVE-2022-4437: Use after free in Mojo IPC. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-11-30
- [1381871] High CVE-2022-4438: Use after free in Blink Frames. Reported by Anonymous on 2022-11-07
- [1392661] High CVE-2022-4439: Use after free in Aura. Reported by Anonymous on 2022-11-22
- [1382761] Medium CVE-2022-4440: Use after free in Profiles. Reported by Anonymous on 2022-11-09
more... | chromium ungoogled-chromium
more detail |
2022-12-12 | VuXML ID 439f3f81-7a49-11ed-97ac-589cfc0f81b0
phpmyfaq developers report:
an authenticated SQL injection when adding categories in the admin backend
a stored cross-site scripting vulnerability in the category name
a stored cross-site scripting vulnerability in the admin logging
a stored cross-site scripting vulnerability in the FAQ title
a PostgreSQL based SQL injection for the lang parameter
a SQL injection when storing an instance name in the admin backend
a SQL injection when adding attachments in the admin backend
a stored cross-site scripting vulnerability when adding users by admins
a missing "secure" flag for cookies when using TLS
a cross-site request forgery / cross-site scripting vulnerability when saving new questions
a reflected cross-site scripting vulnerability in the admin backend
more... | phpmyfaq
more detail |
2022-12-10 | VuXML ID 508da89c-78b9-11ed-854f-5404a68ad561
The Traefik project reports:
This update is recommended for all traefik users and provides the following important security fixes:
- CVE-2022-23469: Authorization header displayed in the debug logs
- CVE-2022-46153: Routes exposed with an empty TLSOption in traefik
more... | traefik
more detail |
2022-12-10 | VuXML ID ba94433c-7890-11ed-859e-1c61b4739ac9
xrdp project reports:
This update is recommended for all xrdp users and provides the following important security fixes:
- CVE-2022-23468
- CVE-2022-23477
- CVE-2022-23478
- CVE-2022-23479
- CVE-2022-23480
- CVE-2022-23481
- CVE-2022-23483
- CVE-2022-23482
- CVE-2022-23484
- CVE-2022-23493
These security issues are reported by Team BT5 (BoB 11th). We appreciate their great help with making and reviewing patches.
more... | xrdp
more detail |
2022-12-07 | VuXML ID 050eba46-7638-11ed-820d-080027d3a315
Python reports:
gh-100001: python -m http.server no longer allows terminal control characters sent
within a garbage request to be printed to the stderr server log.
This is done by changing the http.server BaseHTTPRequestHandler .log_message method
to replace control characters with a \xHH hex escape before printing.
gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.
gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related
name resolution functions no longer involves a quadratic algorithm. This prevents a
potential CPU denial of service if an out-of-spec excessive length hostname involving
bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects
potentially allow for an attacker to supply such a name.
gh-98739: Update bundled libexpat to 2.5.0.
gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example
script. The script no longer uses a shell to run openssl commands. Issue reported and
initial fix by Caleb Shortt. Patch by Victor Stinner.
more... | python310 python311 python37 python38 python39
more detail |
2022-12-06 | VuXML ID 6f5192f5-75a7-11ed-83c0-411d43ce7fe4
The Go project reports:
os, net/http: avoid escapes from os.DirFS and http.Dir on Windows
The os.DirFS function and http.Dir type provide access to a
tree of files rooted at a given directory. These functions
permitted access to Windows device files under that root. For
example, os.DirFS("C:/tmp").Open("COM1") would open the COM1 device.
Both os.DirFS and http.Dir only provide read-only filesystem access.
In addition, on Windows, an os.DirFS for the directory \ (the root
of the current drive) can permit a maliciously crafted path to escape
from the drive and access any path on the system.
The behavior of os.DirFS("") has changed. Previously, an empty root
was treated equivalently to "/", so os.DirFS("").Open("tmp") would
open the path "/tmp". This now returns an error.
net/http: limit canonical header cache by bytes, not entries
An attacker can cause excessive memory growth in a Go server
accepting HTTP/2 requests. HTTP/2 server connections contain a
cache of HTTP header keys sent by the client. While the total number
of entries in this cache is capped, an attacker sending very large
keys can cause the server to allocate approximately 64 MiB per open
connection.
more... | go118 go119
more detail |
2022-12-03 | VuXML ID 2899da38-7300-11ed-92ce-3065ec8fd3ec
Chrome Releases reports:
This release contains 1 security fix:
- [1394403] High CVE-2022-4262: Type Confusion in V8. Reported by Clement Lecigne of Google's Threat Analysis Group on 2022-11-29
Google is aware that an exploit for CVE-2022-4262 exists in the wild.
more... | chromium ungoogled-chromium
more detail |
2022-12-01 | VuXML ID 0c52abde-717b-11ed-98ca-40b034429ecf
rpm project reports:
Fix intermediate symlinks not verified (CVE-2021-35939).
Fix subkey binding signatures not checked on PGP public keys (CVE-2021-3521).
Refactor file and directory operations to use fd-based APIs throughout (CVE-2021-35938)
more... | rpm4
more detail |
2022-12-01 | VuXML ID 3cde510a-7135-11ed-a28b-bff032704f00
Gitlab reports:
DAST API scanner exposes Authorization headers in vulnerabilities
Group IP allow-list not fully respected by the Package Registry
Deploy keys and tokens may bypass External Authorization service if it is enabled
Repository import still allows to import 40 hexadecimal branches
Webhook secret tokens leaked in webhook logs
Maintainer can leak webhook secret token by changing the webhook URL
Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP
Release names visible in public projects despite release set as project members only
Sidekiq background job DoS by uploading malicious NuGet packages
SSRF in Web Terminal advertise_address
more... | gitlab-ce
more detail |
2022-11-30 | VuXML ID 5f7ed6ea-70a7-11ed-92ce-3065ec8fd3ec
Chrome Releases reports:
This release contains 28 security fixes, including:
- [1379054] High CVE-2022-4174: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2022-10-27
- [1381401] High CVE-2022-4175: Use after free in Camera Capture. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-11-04
- [1361066] High CVE-2022-4176: Out of bounds write in Lacros Graphics. Reported by @ginggilBesel on 2022-09-08
- [1379242] High CVE-2022-4177: Use after free in Extensions. Reported by Chaoyuan Peng (@ret2happy) on 2022-10-28
- [1376099] High CVE-2022-4178: Use after free in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2022-10-18
- [1377783] High CVE-2022-4179: Use after free in Audio. Reported by Sergei Glazunov of Google Project Zero on 2022-10-24
- [1378564] High CVE-2022-4180: Use after free in Mojo. Reported by Anonymous on 2022-10-26
- [1382581] High CVE-2022-4181: Use after free in Forms. Reported by Aviv A. on 2022-11-09
- [1368739] Medium CVE-2022-4182: Inappropriate implementation in Fenced Frames. Reported by Peter Nemeth on 2022-09-28
- [1251790] Medium CVE-2022-4183: Insufficient policy enforcement in Popup Blocker. Reported by David Sievers on 2021-09-22
- [1358647] Medium CVE-2022-4184: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2022-09-01
- [1373025] Medium CVE-2022-4185: Inappropriate implementation in Navigation. Reported by James Lee (@Windowsrcer) on 2022-10-10
- [1377165] Medium CVE-2022-4186: Insufficient validation of untrusted input in Downloads. Reported by Luan Herrera (@lbherrera_) on 2022-10-21
- [1381217] Medium CVE-2022-4187: Insufficient policy enforcement in DevTools. Reported by Axel Chong on 2022-11-04
- [1340879] Medium CVE-2022-4188: Insufficient validation of untrusted input in CORS. Reported by Philipp Beer (TU Wien) on 2022-06-30
- [1344647] Medium CVE-2022-4189: Insufficient policy enforcement in DevTools. Reported by NDevTK on 2022-07-15
- [1378997] Medium CVE-2022-4190: Insufficient data validation in Directory. Reported by Axel Chong on 2022-10-27
- [1373941] Medium CVE-2022-4191: Use after free in Sign-In. Reported by Jaehun Jeong(@n3sk) of Theori on 2022-10-12
- [1344514] Medium CVE-2022-4192: Use after free in Live Caption. Reported by Samet Bekmezci @sametbekmezci on 2022-07-14
- [1354518] Medium CVE-2022-4193: Insufficient policy enforcement in File System API. Reported by Axel Chong on 2022-08-19
- [1370562] Medium CVE-2022-4194: Use after free in Accessibility. Reported by Anonymous on 2022-10-03
- [1371926] Medium CVE-2022-4195: Insufficient policy enforcement in Safe Browsing. Reported by Eric Lawrence of Microsoft on 2022-10-06
more... | chromium ungoogled-chromium
more detail |
2022-11-25 | VuXML ID 8d3838b0-6ca8-11ed-92ce-3065ec8fd3ec
Chrome Releases reports:
This release contains 1 security fix:
- [1392715] High CVE-2022-4135: Heap buffer overflow in GPU. Reported by Clement Lecigne of Google's Threat Analysis Group on 2022-11-22
Google is aware that an exploit for CVE-2022-4135 exists in the wild.
more... | chromium ungoogled-chromium
more detail |
2022-11-24 | VuXML ID 658b9198-8106-4c3d-a2aa-dc4a0a7cc3b6
Tim Wojtulewicz of Corelight reports:
A specially-crafted series of HTTP 0.9 packets can
cause Zeek to spend large amounts of time processing the
packets.
A specially-crafted FTP packet can cause Zeek to spend
large amounts of time processing the command.
A specially-crafted IPv6 packet can cause Zeek to
overflow memory and potentially crash.
more... | zeek
more detail |
2022-11-24 | VuXML ID 84ab03b6-6c20-11ed-b519-080027f5fec9
Hiroshi Tokumaru reports:
If an application that generates HTTP responses using the
cgi gem with untrusted user input, an attacker can exploit
it to inject a malicious HTTP response header and/or body.
Also, the contents for a CGI::Cookie object
were not checked properly. If an application creates a
CGI::Cookie object based on user input, an
attacker may exploit it to inject invalid attributes in
Set-Cookie header. We think such applications
are unlikely, but we have included a change to check
arguments for CGI::Cookie#initialize
preventatively.
more... | ruby ruby27 ruby30 ruby31 ruby32 rubygem-cgi
more detail |
2022-11-24 | VuXML ID b6a84729-6bd0-11ed-8d9a-b42e991fc52e
GitHub advisories reports:
Multiple vulnerabilities found in advancecomp including:
- Three segmentation faults.
- Heap buffer overflow via le_uint32_read at /lib/endianrw.h.
- Three more heap buffer overflows.
more... | advancecomp
more detail |
2022-11-22 | VuXML ID e0f26ac5-6a17-11ed-93e7-901b0e9408dc
Tailscale team reports:
A vulnerability identified in the Tailscale client allows a
malicious website to access the peer API, which can then be used
to access Tailscale environment variables.
more... | tailscale
more detail |
2022-11-18 | VuXML ID 556fdf03-6785-11ed-953b-002b67dfc673
Apache Tomcat reports:
If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
The CVSS score for this vulnerability is 7.5 High
more... | tomcat tomcat-devel tomcat10 tomcat101 tomcat85 tomcat9
more detail |
2022-11-15 | VuXML ID 094e4a5b-6511-11ed-8c5e-206a8a720317
MITKRB5-SA-2022-001 Vulnerabilities in PAC parsing:
Due to integer overflow vulnerabilities in PAC parsing,
an authenticated attacker may be able to cause a KDC or kadmind
process to crash by reading beyond the bounds of allocated memory,
creating a denial of service.
On 32-bit platforms an authenticated attacker may be able to
cause heap corruption resulting in an RCE.
more... | krb5 krb5-119 krb5-120 krb5-devel
more detail |
2022-11-12 | VuXML ID 0a80f159-629b-11ed-9ca2-6c3be5272acd
Grafana Labs reports:
When using the forget password on the login page, a POST request is made
to the /api/user/password/sent-reset-email URL. When the username
or email does not exist, a JSON response contains a “user not found” message.
The CVSS score for this vulnerability is 5.3 Moderate
more... | grafana grafana8 grafana9
more detail |
2022-11-12 | VuXML ID 35d1e192-628e-11ed-8c5e-641c67a117d8
IPython project reports:
IPython 8.0.1, 7.31.1 and 5.11 are security releases that change some
default values in order to prevent potential Execution with Unnecessary
Privileges.
more... | py310-ipython py311-ipython py37-ipython py38-ipython py39-ipython
more detail |
2022-11-12 | VuXML ID 4e60d660-6298-11ed-9ca2-6c3be5272acd
Grafana Labs reports:
On July 4th as a result of an internal security audit we have discovered
a bypass in the plugin signature verification by exploiting a versioning flaw.
We believe that this vulnerability is rated at CVSS 6.1
(CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L).
more... | grafana grafana7 grafana8 grafana9
more detail |
2022-11-12 | VuXML ID 6877e164-6296-11ed-9ca2-6c3be5272acd
Grafana Labs reports:
On September 7th as a result of an internal security audit we have discovered
that Grafana could leak the authentication cookie of users to plugins. After
further analysis the vulnerability impacts data source and plugin proxy
endpoints under certain conditions.
We believe that this vulnerability is rated at CVSS 6.8
(CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
more... | grafana grafana7 grafana8 grafana9
more detail |
2022-11-12 | VuXML ID 6eb6a442-629a-11ed-9ca2-6c3be5272acd
Grafana Labs reports:
Grafana admins can invite other members to the organization they are
an admin for. When admins add members to the organization, non existing users
get an email invite, existing members are added directly to the organization.
When an invite link is sent, it allows users to sign up with whatever
username/email address the user chooses and become a member of the organization.
The CVSS score for this vulnerability is 6.4 Moderate
more... | grafana grafana8 grafana9
more detail |
2022-11-12 | VuXML ID 6f6c9420-6297-11ed-9ca2-6c3be5272acd
Grafana Labs reports:
On June 26 a security researcher contacted Grafana Labs to disclose
a vulnerability with the GitLab data source plugin that could leak the API key
to GitLab. After further analysis the vulnerability impacts data source
and plugin proxy endpoints with authentication tokens but under some conditions.
We believe that this vulnerability is rated at CVSS 4.9
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
more... | grafana grafana7 grafana8 grafana9
more detail |
2022-11-12 | VuXML ID 909a80ba-6294-11ed-9ca2-6c3be5272acd
Grafana Labs reports:
On September 7, as a result of an internal security audit, we discovered
a security vulnerability in Grafana's basic authentication related to the usage
of username and email address.
In Grafana, a user's username and email address are unique fields, which
means no other user can have the same username or email address as another user.
In addition, a user can have an email address as a username, and the Grafana
login allows users to sign in with either username or email address. This
creates an unusual behavior, where user_1 can register with one email
address and user_2 can register their username as user_1's
email address. As a result, user_1 would be prevented from signing
in to Grafana, since user_1's password won't match with user_2's
email address.
The CVSS score for this vulnerability is 4.3 moderate
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).
more... | grafana grafana8 grafana9
more detail |
2022-11-12 | VuXML ID db895ed0-6298-11ed-9ca2-6c3be5272acd
Grafana Labs reports:
Internal security audit identified a race condition in the Grafana codebase,
which allowed an unauthenticated user to query an arbitrary endpoint in Grafana.
A race condition in the
HTTP context creation could make a HTTP request being assigned
the authentication/authorization middlewares of another call. Under heavy load
it is possible that a call protected by a privileged middleware receives instead
the middleware of a public query. As a result, an unauthenticated user can
successfully query protected endpoints.
The CVSS score for this vulnerability is 9.8 Critical
more... | grafana grafana9
more detail |
2022-11-11 | VuXML ID f5a48a7a-61d3-11ed-9094-589cfc0f81b0
phpmyfaq developers report:
a pre-auth SQL injection when saving user comments
a reflected cross-site scripting vulnerability in the search
a stored cross-site scripting vulnerability in the meta data administration
a weak password requirement
more... | phpmyfaq
more detail |
2022-11-09 | VuXML ID 5b8d8dee-6088-11ed-8c5e-641c67a117d8
Varnish Cache Project reports:
A request forgery attack can be performed on Varnish Cache servers that
have the HTTP/2 protocol turned on. An attacker may introduce
characters through the HTTP/2 pseudo-headers that are invalid in the
context of an HTTP/1 request line, causing the Varnish server to
produce invalid HTTP/1 requests to the backend. This may in turn be
used to successfully exploit vulnerabilities in a server behind the
Varnish server.
more... | varnish6 varnish7
more detail |
2022-11-09 | VuXML ID 60d4d31a-a573-41bd-8c1e-5af7513c1ee9
Tim Wojtulewicz of Corelight reports:
Fix an issue where a specially-crafted FTP packet can
cause Zeek to spend large amounts of time attempting to
search for valid commands in the data stream.
Fix a possible overflow in the Zeek dictionary code
that may lead to a memory leak.
Fix an issue where a specially-crafted packet can
cause Zeek to spend large amounts of time reporting
analyzer violations.
Fix a possible assert and crash in the HTTP analyzer
when receiving a specially crafted packet.
Fix an issue where a specially-crafted HTTP or SMTP
packet can cause Zeek to spend a large amount of time
attempting to search for filenames within the packet data.
Fix two separate possible crashes when converting
processed IP headers for logging via the raw_packet event
handlers.
more... | zeek
more detail |
2022-11-09 | VuXML ID 6b04476f-601c-11ed-92ce-3065ec8fd3ec
Chrome Releases reports:
This release contains 10 security fixes, including:
- [1377816] High CVE-2022-3885: Use after free in V8. Reported by gzobqq@ on 2022-10-24
- [1372999] High CVE-2022-3886: Use after free in Speech Recognition. Reported by anonymous on 2022-10-10
- [1372695] High CVE-2022-3887: Use after free in Web Workers. Reported by anonymous on 2022-10-08
- [1375059] High CVE-2022-3888: Use after free in WebCodecs. Reported by Peter Nemeth on 2022-10-16
- [1380063] High CVE-2022-3889: Type Confusion in V8. Reported by anonymous on 2022-11-01
- [1380083] High CVE-2022-3890: Heap buffer overflow in Crashpad. Reported by anonymous on 2022-11-01
more... | chromium ungoogled-chromium
more detail |
2022-11-09 | VuXML ID b10d1afa-6087-11ed-8c5e-641c67a117d8
Varnish Cache Project reports:
A request smuggling attack can be performed on Varnish Cache servers by
requesting that certain headers are made hop-by-hop, preventing the
Varnish Cache servers from forwarding critical headers to the backend.
Among the headers that can be filtered this way are both Content-Length
and Host, making it possible for an attacker to both break the HTTP/1
protocol framing, and bypass request to host routing in VCL.
more... | varnish7
more detail |
2022-11-08 | VuXML ID 9c399521-5f80-11ed-8ac4-b42e991fc52e
Mitre reports:
A flaw was found in darkhttpd. Invalid error handling allows
remote attackers to cause denial-of-service by accessing a
file with a large modification date. The highest threat
from this vulnerability is to system availability.
more... | darkhttpd
more detail |
2022-11-07 | VuXML ID 3310014a-5ef9-11ed-812b-206a8a720317
SO-AND-SO reports:
Sudo 1.8.0 through 1.9.12, with the crypt() password backend,
contains a plugins/sudoers/auth/passwd.c array-out-of-bounds
error that can result in a heap-based buffer over-read. This
can be triggered by arbitrary local users with access to sudo
by entering a password of seven characters or fewer. The impact
could vary depending on the system libraries, compiler,
and processor architecture.
more... | sudo
more detail |
2022-11-05 | VuXML ID 16f7ec68-5cce-11ed-9be7-454b1dd82c64
Gitlab reports:
DAST analyzer sends custom request headers with every request
Stored-XSS with CSP-bypass via scoped labels' color
Maintainer can leak Datadog API key by changing integration URL
Uncontrolled resource consumption when parsing URLs
Issue HTTP requests when users view an OpenAPI document and click buttons
Command injection in CI jobs via branch name in CI pipelines
Open redirection
Prefill variables do not check permission of the project in external CI config
Disclosure of audit events to insufficiently permissioned group and project members
Arbitrary GFM references rendered in Jira issue description leak private/confidential resources
Award emojis API for an internal note is accessible to users without access to the note
Open redirect in pipeline artifacts when generating HTML documents
Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines
Project-level Secure Files can be written out of the target directory
more... | gitlab-ce
more detail |
2022-11-03 | VuXML ID b278783f-5c1d-11ed-a21f-001fc69cd6dc
Pixman reports: for release 0.42.2
Avoid integer overflow leading to out-of-bounds write
more... | pixman
more detail |
2022-11-01 | VuXML ID 0844671c-5a09-11ed-856e-d4c9ef517024
The OpenSSL project reports:
X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602) (High):
A buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking.
X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)
(High): A buffer overrun can be triggered in X.509 certificate
verification, specifically in name constraint checking.
more... | openssl-devel
more detail |
2022-11-01 | VuXML ID 26b1100a-5a27-11ed-abfe-29ac76ec31b5
The Go project reports:
syscall, os/exec: unsanitized NUL in environment
variables
On Windows, syscall.StartProcess and os/exec.Cmd did not
properly check for invalid environment variable values. A
malicious environment variable value could exploit this
behavior to set a value for a different environment
variable. For example, the environment variable string
"A=B\x00C=D" set the variables "A=B" and "C=D".
more... | go118 go119
more detail |
2022-10-30 | VuXML ID 4b9c1c17-587c-11ed-856e-d4c9ef517024
Oracle reports:
This Critical Patch Update contains 37 new security patches for
Oracle MySQL. 11 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a
network without requiring user credentials.
more... | mysql-client57 mysql-client80 mysql-connector-c++ mysql-connector-odbc mysql-server57 mysql-server80
more detail |
2022-10-28 | VuXML ID 1225c888-56ea-11ed-b5c3-3065ec8fd3ec
Chrome Releases reports:
This release contains 1 security fix:
- [1378239] High CVE-2022-3723: Type Confusion in V8. Reported by Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast on 2022-10-25
more... | chromium ungoogled-chromium
more detail |
2022-10-25 | VuXML ID 1c5f3fd7-54bf-11ed-8d1e-005056a311d1
The Samba Team reports:
The DES (for Samba 4.11 and earlier) and Triple-DES decryption
routines in the Heimdal GSSAPI library allow a length-limited write
buffer overflow on malloc() allocated memory when presented with a
maliciously small packet.
more... | samba412 samba413 samba416
more detail |
2022-10-25 | VuXML ID b4ef02f4-549f-11ed-8ad9-3065ec8fd3ec
Chrome Releases reports:
This release contains 14 security fixes, including:
- [1369871] High CVE-2022-3652: Type Confusion in V8. Reported by srodulv and ZNMchtss at S.S.L Team on 2022-09-30
- [1354271] High CVE-2022-3653: Heap buffer overflow in Vulkan. Reported by SeongHwan Park (SeHwa) on 2022-08-19
- [1365330] High CVE-2022-3654: Use after free in Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-09-19
- [1343384] Medium CVE-2022-3655: Heap buffer overflow in Media Galleries. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-07-11
- [1345275] Medium CVE-2022-3656: Insufficient data validation in File System. Reported by Ron Masas, Imperva on 2022-07-18
- [1351177] Medium CVE-2022-3657: Use after free in Extensions. Reported by Omri Bushari, Talon Cyber Security on 2022-08-09
- [1352817] Medium CVE-2022-3658: Use after free in Feedback service on Chrome OS. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-08-14
- [1355560] Medium CVE-2022-3659: Use after free in Accessibility. Reported by @ginggilBesel on 2022-08-23
- [1327505] Medium CVE-2022-3660: Inappropriate implementation in Full screen mode. Reported by Irvan Kurniawan (sourc7) on 2022-05-20
- [1350111] Low CVE-2022-3661: Insufficient data validation in Extensions. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2022-08-04
more... | chromium ungoogled-chromium
more detail |
2022-10-22 | VuXML ID 68fcee9b-5259-11ed-89c9-0800276af896
From libudisks 2.9.4 NEWS:
udiskslinuxblock: Fix leaking cleartext block interface
more... | libudisks
more detail |
2022-10-21 | VuXML ID c253c4aa-5126-11ed-8a21-589cfc0f81b0
phpmyfaq developers report:
phpMyFAQ does not implement sufficient checks to avoid
CSRF when logging out an user.
more... | phpmyfaq
more detail |
2022-10-20 | VuXML ID d6d088c9-5064-11ed-bade-080027881239
Python reports:
gh-97616: Fix multiplying a list by an integer (list *= int): detect
the integer overflow when the new allocated length is close to the
maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner.
gh-97612: Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses
a shell to run openssl commands. Issue reported and initial fix by
Caleb Shortt. Patch by Victor Stinner.
more... | python310 python37 python38 python39
more detail |
2022-10-19 | VuXML ID 676d4f16-4fb3-11ed-a374-8c164567ca3c
NGINX Development Team reports:
Two security issues were identified in the ngx_http_mp4_module,
which might allow an attacker to cause a worker process crash
or worker process memory disclosure by using a specially crafted
mp4 file, or might have potential other impact (CVE-2022-41741,
CVE-2022-41742).
more... | nginx nginx-devel
more detail |
2022-10-18 | VuXML ID 2523bc76-4f01-11ed-929b-002590f2a714
This release contains 2 security fixes:
CVE-2022-39253
When relying on the `--local` clone optimization, Git dereferences
symbolic links in the source repository before creating hardlinks
(or copies) of the dereferenced link in the destination repository.
This can lead to surprising behavior where arbitrary files are
present in a repository's `$GIT_DIR` when cloning from a malicious
repository.
Git will no longer dereference symbolic links via the `--local`
clone mechanism, and will instead refuse to clone repositories that
have symbolic links present in the `$GIT_DIR/objects` directory.
Additionally, the value of `protocol.file.allow` is changed to be
"user" by default.
CVE-2022-39260
An overly-long command string given to `git shell` can result in
overflow in `split_cmdline()`, leading to arbitrary heap writes and
remote code execution when `git shell` is exposed and the directory
`$HOME/git-shell-commands` exists.
`git shell` is taught to refuse interactive commands that are
longer than 4MiB in size. `split_cmdline()` is hardened to reject
inputs larger than 2GiB.
more... | git git-lite git-tiny
more detail |
2022-10-18 | VuXML ID 7392e1e3-4eb9-11ed-856e-d4c9ef517024
The OpenSSL project reports:
Using a Custom Cipher with NID_undef may lead to NULL encryption (low)
more... | openssl-devel
more detail |
2022-10-15 | VuXML ID d713d709-4cc9-11ed-a621-0800277bb8a8
The Gitea team reports:
Sanitize and Escape refs in git backend
Bump golang.org/x/text
Update bluemonday
more... | gitea
more detail |
2022-10-12 | VuXML ID 127674c6-4a27-11ed-9f93-002b67dfc673
The Roundcube project reports:
Description:
Remote code execution vulnerability in
roundcube-thunderbird_labels when tb_label_modify_labels is enabled.
Workaround:
If you cannot upgrade to roundcube-thunderbird_labels-1.4.13 disable the
tb_label_modify_labels config option.
more... | roundcube-thunderbird_labels
more detail |
2022-10-12 | VuXML ID 7cb12ee0-4a13-11ed-8ad9-3065ec8fd3ec
Chrome Releases reports:
This release contains 6 security fixes:
- [1364604] High CVE-2022-3445: Use after free in Skia. Reported by Nan Wang (@eternalsakura13) and Yong Liu of 360 Vulnerability Research Institute on 2022-09-16
- [1368076] High CVE-2022-3446: Heap buffer overflow in WebSQL. Reported by Kaijie Xu (@kaijieguigui) on 2022-09-26
- [1366582] High CVE-2022-3447: Inappropriate implementation in Custom Tabs. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2022-09-22
- [1363040] High CVE-2022-3448: Use after free in Permissions API. Reported by raven at KunLun lab on 2022-09-13
- [1364662] High CVE-2022-3449: Use after free in Safe Browsing. Reported by asnine on 2022-09-17
- [1369882] High CVE-2022-3450: Use after free in Peer Connection. Reported by Anonymous on 2022-09-30
more... | chromium ungoogled-chromium
more detail |
2022-10-11 | VuXML ID f9140ad4-4920-11ed-a07e-080027f5fec9
The Samba Team reports:
- CVE-2022-2031
The KDC and the kpasswd service share a single account
and set of keys, allowing them to decrypt each other's
tickets. A user who has been requested to change their
password can exploit this to obtain and use tickets to
other services.
- CVE-2022-32744
The KDC accepts kpasswd requests encrypted with any key
known to it. By encrypting forged kpasswd requests with
its own key, a user can change the passwords of other
users, enabling full domain takeover.
- CVE-2022-32745
Samba AD users can cause the server to access
uninitialised data with an LDAP add or modify request,
usually resulting in a segmentation fault.
- CVE-2022-32746
The AD DC database audit logging module can be made to
access LDAP message values that have been freed by a
preceding database module, resulting in a
use-after-free. This is only possible when modifying
certain privileged attributes, such as
userAccountControl.
- CVE-2022-32742
SMB1 Client with write access to a share can cause
server memory contents to be written into a file or
printer.
more... | samba412 samba413
more detail |
2022-10-10 | VuXML ID 0ae56f3e-488c-11ed-bb31-b42e99a1b9c3
Lahav Schlesinger reported a bug related to online
certificate revocation checking that can lead to a
denial-of-service attack.
more... | strongswan
more detail |
2022-10-07* | VuXML ID c2a89e8f-44e9-11ed-9215-00e081b7aa2d
Jenkins Security Advisory:
Description
(High) SECURITY-2886 / CVE-2022-41224
Jenkins 2.367 through 2.369 (both inclusive) does not escape
tooltips of the l:helpIcon UI component used for some help icons on
the Jenkins web UI.
This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to control tooltips for this
component.
Jenkins 2.370 escapes tooltips of the l:helpIcon UI component.
more... | jenkins
more detail |
2022-10-07 | VuXML ID e4133d8b-ab33-451a-bc68-3719de73d54a
Due to a mistake in error handling, data in RRDP snapshot and delta files
that isn't correctly base 64 encoded is treated as a fatal error and causes
Routinator to exit.
Worst case impact of this vulnerability is denial of service for the RPKI
data that Routinator provides to routers. This may stop your network from
validating route origins based on RPKI data. This vulnerability does not
allow an attacker to manipulate RPKI data. We are not aware of exploitation
of this vulnerability at this point in time.
Starting with release 0.11.3, Routinator handles encoding errors by rejecting
the snapshot or delta file and continuing with validation. In case of an
invalid delta file, it will try using the snapshot instead. If a snapshot file
is invalid, the update of the repository will fail and an update through rsync
is attempted.
more... | routinator
more detail |
2022-10-06 | VuXML ID f4f15051-4574-11ed-81a1-080027881239
Django reports:
CVE-2022-41323: Potential denial-of-service vulnerability in
internationalized URLs.
more... | py310-django32 py310-django40 py310-django41 py37-django32 py38-django32 py38-django40 py38-django41 py39-django32 py39-django40 py39-django41
more detail |
2022-10-04 | VuXML ID 854c2afb-4424-11ed-af97-adcabf310f9b
The Go project reports:
archive/tar: unbounded memory consumption when reading
headers
Reader.Read did not set a limit on the maximum size of
file headers. A maliciously crafted archive could cause
Read to allocate unbounded amounts of memory, potentially
causing resource exhaustion or panics. Reader.Read now
limits the maximum size of header blocks to 1 MiB.
net/http/httputil: ReverseProxy should not forward
unparseable query parameters
Requests forwarded by ReverseProxy included the raw
query parameters from the inbound request, including
unparseable parameters rejected by net/http. This could
permit query parameter smuggling when a Go proxy
forwards a parameter with an unparseable value.
ReverseProxy will now sanitize the query parameters in
the forwarded query when the outbound request's Form
field is set after the ReverseProxy.Director function
returns, indicating that the proxy has parsed the query
parameters. Proxies which do not parse query parameters
continue to forward the original query parameters
unchanged.
regexp/syntax: limit memory used by parsing regexps
The parsed regexp representation is linear in the size
of the input, but in some cases the constant factor can be
as high as 40,000, making relatively small regexps consume
much larger amounts of memory.
Each regexp being parsed is now limited to a 256 MB
memory footprint. Regular expressions whose
representation would use more space than that are now
rejected. Normal use of regular expressions is
unaffected.
more... | go118 go119
more detail |
2022-10-04 | VuXML ID d487d4fc-43a8-11ed-8b01-b42e991fc52e
Zyantific reports:
Zydis users of versions v3.2.0 and older
that use the string functions provided in zycore in order to
append untrusted user data to the formatter buffer within
their custom formatter hooks can run into heap buffer
overflows. Older versions of Zydis failed to properly
initialize the string object within the formatter buffer,
forgetting to initialize a few fields, leaving their value
to chance. This could then in turn cause zycore functions
like ZyanStringAppend to make incorrect calculations for the
new target size, resulting in heap memory corruption.
more... | zydis
more detail |
2022-10-02 | VuXML ID 67057b48-41f4-11ed-86c3-080027881239
Mediawiki reports:
(T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results
in an IP range check on Special:Contributions.
(T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence
of hidden users.
(T307278, CVE-2022-41766) SECURITY: On action=rollback the message
"alreadyrolled" can leak revision deleted user name.
more... | mediawiki135 mediawiki137 mediawiki138
more detail |
2022-09-30 | VuXML ID 04422df1-40d8-11ed-9be7-454b1dd82c64
Gitlab reports:
Denial of Service via cloning an issue
Arbitrary PUT request as victim user through Sentry error list
Content injection via External Status Checks
Project maintainers can access Datadog API Key from logs
Unsafe serialization of Json data could lead to sensitive data leakage
Import bug allows importing of private local git repos
Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)
Unauthorized users able to create issues in any project
Bypass group IP restriction on Dependency Proxy
Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system
Disclosure of Todo details to guest users
A user's primary email may be disclosed through group member events webhooks
Content manipulation due to branch/tag name confusion with the default branch name
Leakage of email addresses in WebHook logs
Specially crafted output makes job logs inaccessible
Enforce editing approval rules on project level
more... | gitlab-ce
more detail |
2022-09-30 | VuXML ID d459c914-4100-11ed-9bc7-3065ec8fd3ec
Chrome Releases reports:
This release contains 3 security fixes, including:
- [1366813] High CVE-2022-3370: Use after free in Custom Elements. Reported by Aviv A. on 2022-09-22
- [1366399] High CVE-2022-3373: Out of bounds write in V8. Reported by Tibor Klajnscek on 2022-09-21
more... | chromium
more detail |
2022-09-29 | VuXML ID 5a1c2e06-3fb7-11ed-a402-b42e991fc52e
A vulnerability named 'Non-Responsive Delegation Attack'
(NRDelegation Attack) has been discovered in various DNS
resolving software. The NRDelegation Attack works by having
a malicious delegation with a considerable number of non
responsive nameservers. The attack starts by querying a
resolver for a record that relies on those unresponsive
nameservers. The attack can cause a resolver to spend a lot
of time/resources resolving records under a malicious
delegation point where a considerable number of unresponsive
NS records reside. It can trigger high CPU usage in some
resolver implementations that continually look in the cache
for resolved NS records in that delegation.
more... | unbound
more detail |
2022-09-28 | VuXML ID cb902a77-3f43-11ed-9402-901b0e9408dc
Matrix developers report:
Two critical severity vulnerabilities in end-to-end encryption were
found in the SDKs which power Element, Beeper, Cinny, SchildiChat,
Circuli, Synod.im and any other clients based on matrix-js-sdk,
matrix-ios-sdk or matrix-android-sdk2.
more... | cinny element-web
more detail |
2022-09-27 | VuXML ID 0a0670a1-3e1a-11ed-b48b-e0d55e2a8bf9
Debian Security Advisory reports:
Rhodri James discovered a heap use-after-free vulnerability in the doContent function in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.
more... | expat
more detail |
2022-09-27 | VuXML ID 18529cb0-3e9c-11ed-9bc7-3065ec8fd3ec
Chrome Releases reports:
This release contains 20 security fixes, including:
- [1358907] High CVE-2022-3304: Use after free in CSS. Reported by Anonymous on 2022-09-01
- [1343104] High CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. Reported by NDevTK on 2022-07-09
- [1319229] High CVE-2022-3305: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-24
- [1320139] High CVE-2022-3306: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-27
- [1323488] High CVE-2022-3307: Use after free in Media. Reported by Anonymous Telecommunications Corp. Ltd. on 2022-05-08
- [1342722] Medium CVE-2022-3308: Insufficient policy enforcement in Developer Tools. Reported by Andrea Cappa (zi0Black) @ Shielder on 2022-07-08
- [1348415] Medium CVE-2022-3309: Use after free in Assistant. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2022-07-29
- [1240065] Medium CVE-2022-3310: Insufficient policy enforcement in Custom Tabs. Reported by Ashwin Agrawal from Optus, Sydney on 2021-08-16
- [1302813] Medium CVE-2022-3311: Use after free in Import. Reported by Samet Bekmezci @sametbekmezci on 2022-03-04
- [1303306] Medium CVE-2022-3312: Insufficient validation of untrusted input in VPN. Reported by Andr.Ess on 2022-03-06
- [1317904] Medium CVE-2022-3313: Incorrect security UI in Full Screen. Reported by Irvan Kurniawan (sourc7) on 2022-04-20
- [1328708] Medium CVE-2022-3314: Use after free in Logging. Reported by Anonymous on 2022-05-24
- [1322812] Medium CVE-2022-3315: Type confusion in Blink. Reported by Anonymous on 2022-05-05
- [1333623] Low CVE-2022-3316: Insufficient validation of untrusted input in Safe Browsing. Reported by Sven Dysthe (@svn_dy) on 2022-06-07
- [1300539] Low CVE-2022-3317: Insufficient validation of untrusted input in Intents. Reported by Hafiizh on 2022-02-24
- [1318791] Low CVE-2022-3318: Use after free in ChromeOS Notifications. Reported by GraVity0 on 2022-04-22
more... | chromium
more detail |
2022-09-26 | VuXML ID f9ada0b5-3d80-11ed-9330-080027f5fec9
Mikhail Evdokimov (aka konata) reports:
Due to inconsistent handling of internal URIs Squid is
vulnerable to Exposure of Sensitive Information about
clients using the proxy. This problem allows a trusted
client to directly access cache manager information
bypassing the manager ACL protection. The available cache
manager information contains records of internal network
structure, client credentials, client identity and client
traffic behaviour.
more... | squid
more detail |
2022-09-21 | VuXML ID 95e6e6ca-3986-11ed-8e0c-6c3be5272acd
Grafana Labs reports:
On August 9 an internal security review identified a vulnerability
in the Grafana which allows an escalation from Admin privileges
to Server Admin when Auth proxy authentication is used.
Auth proxy allows to authenticate a user by only providing the username
(or email) in a X-WEBAUTH-USER HTTP header: the trust assumption
is that a front proxy will take care of authentication and that Grafana server
is publicly reachable only with this front proxy.
Datasource proxy breaks this assumption:
- it is possible to configure a fake datasource pointing to a localhost
Grafana install with a
X-WEBAUTH-USER HTTP header containing
admin username.
- This fake datasource can be called publicly via this proxying feature.
The CVSS score for this vulnerability is 6.6 Moderate
(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
more... | grafana grafana7 grafana8 grafana9
more detail |
2022-09-21 | VuXML ID f1f637d1-39eb-11ed-ab44-080027f5fec9
The Redis core team reports:
Executing a XAUTOCLAIM command on a stream key in a
specific state, with a specially crafted COUNT argument,
may cause an integer overflow, a subsequent heap overflow,
and potentially lead to remote code execution. The problem
affects Redis versions 7.0.0 or newer.
more... | redis
more detail |
2022-09-19 | VuXML ID 656b0152-faa9-4755-b08d-aee4a774bd04
Tim Wojtulewicz of Corelight reports:
Fix a possible overflow and crash in the ICMP analyzer
when receiving a specially crafted packet.
Fix a possible overflow and crash in the IRC analyzer
when receiving a specially crafted packet.
Fix a possible overflow and crash in the SMB analyzer
when receiving a specially crafted packet.
Fix two possible crashes when converting IP headers for
output via the raw_packet event.
more... | zeek
more detail |
2022-09-16 | VuXML ID aeb4c85b-3600-11ed-b52d-589cfc007716
Puppet reports:
The org.postgresql/postgresql driver has been updated to version 42.4.1 to address CVE-2022-31197, which is an SQL injection risk that according to the CVE report, can only be exploited if an attacker controls the database to the extent that they can adjust relevant tables to have "malicious" column names.
more... | puppetdb6 puppetdb7
more detail |
2022-09-14 | VuXML ID b59847e0-346d-11ed-8fe9-3065ec8fd3ec
Chrome Releases reports:
This release includes 11 security fixes, including:
- [1358381] High CVE-2022-3195: Out of bounds write in Storage. Reported by Ziling Chen and Nan Wang (@eternalsakura13) of 360 Vulnerability Research Institute on 2022-08-31
- [1358090] High CVE-2022-3196: Use after free in PDF. Reported by triplepwns on 2022-08-30
- [1358075] High CVE-2022-3197: Use after free in PDF. Reported by triplepwns on 2022-08-30
- [1355682] High CVE-2022-3198: Use after free in PDF. Reported by MerdroidSG on 2022-08-23
- [1355237] High CVE-2022-3199: Use after free in Frames. Reported by Anonymous on 2022-08-22
- [1355103] High CVE-2022-3200: Heap buffer overflow in Internals. Reported by Richard Lorenz, SAP on 2022-08-22
- [1343104] High CVE-2022-3201: Insufficient validation of untrusted input in DevTools. Reported by NDevTK on 2022-07-09
more... | chromium
more detail |
2022-09-12 | VuXML ID 4ebaa983-3299-11ed-95f8-901b0e9408dc
Dendrite team reports:
Events retrieved from a remote homeserver using /get_missing_events did
not have their signatures verified correctly. This could potentially allow
a remote homeserver to provide invalid/modified events to Dendrite via this
endpoint.
Note that this does not apply to events retrieved through other endpoints
(e.g. /event, /state) as they have been correctly verified.
Homeservers that have federation disabled are not vulnerable.
more... | dendrite
more detail |
2022-09-11 | VuXML ID f75722ce-31b0-11ed-8b56-0800277bb8a8
The Gitea team reports:
Double check CloneURL is acceptable
Add more checks in migration code
more... | gitea
more detail |
2022-09-08 | VuXML ID 80e057e7-2f0a-11ed-978f-fcaa147e860e
Python reports:
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal),
16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number
of digits in string form is above a limit to avoid potential denial of service attacks
due to the algorithmic complexity.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when
an URI path starts with //. Vulnerability discovered, and initial fix proposed, by
Hamza Avvan.
more... | python310 python37 python38 python39
more detail |
2022-09-07 | VuXML ID 6fea7103-2ea4-11ed-b403-3dae8ac60d3e
The Go project reports:
net/http: handle server errors after sending GOAWAY
A closing HTTP/2 server connection could hang forever
waiting for a clean shutdown that was preempted by a
subsequent fatal error. This failure mode could be
exploited to cause a denial of service.
net/url: JoinPath does not strip relative path components
in all circumstances
JoinPath and URL.JoinPath would not remove ../ path
components appended to a relative path.
more... | go118 go119
more detail |
2022-09-03 | VuXML ID f38d25ac-2b7a-11ed-a1ef-3065ec8fd3ec
Chrome Releases reports:
This release contains 1 security fix:
- [1358134] High CVE-2022-3075: Insufficient data validation in Mojo. Reported by Anonymous on 2022-08-30
Google is aware that an exploit of CVE-2022-3075 exists in the wild.
more... | chromium
more detail |
2022-09-01 | VuXML ID 5418b360-29cc-11ed-a6d4-6805ca2fa271
PowerDNS Team reports:
PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation.
more... | powerdns-recursor
more detail |
2022-09-01 | VuXML ID 827b95ff-290e-11ed-a2e7-6c3be5272acd
Grafana Labs reports:
On July 21, an internal security review identified an unauthorized file disclosure vulnerability in the Grafana Image Renderer plugin when HTTP remote rendering is used. The Chromium browser embedded in the Grafana Image Renderer allows for "printing" of unauthorized files in a PNG file. This makes it possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake data source (this applies if the user has admin permissions in Grafana).
more... | grafana grafana7 grafana8 grafana9
more detail |
2022-08-31 | VuXML ID a1323a76-28f1-11ed-a72a-002590c1f29c
Problem Description:
zlib through 1.2.12 has a heap-based buffer over-read or buffer
overflow in inflate in inflate.c via a large gzip header extra
field.
Impact:
Applications that call inflateGetHeader may be vulnerable to a
buffer overflow. Note that inflateGetHeader is not used by anything
in the FreeBSD base system, but may be used by third party
software.
more... | FreeBSD
more detail |
2022-08-31 | VuXML ID e4d93d07-297a-11ed-95f8-901b0e9408dc
Matrix developers report:
The vulnerabilities give an adversary who you share a
room with the ability to carry out a denial-of-service
attack against the affected clients, making it not show all
of a user's rooms or spaces and/or causing minor temporary
corruption.
more... | cinny element-web
more detail |
2022-08-31 | VuXML ID f2043ff6-2916-11ed-a1ef-3065ec8fd3ec
Chrome Releases reports:
This release contains 24 security fixes, including:
- [1340253] Critical CVE-2022-3038: Use after free in Network Service. Reported by Sergei Glazunov of Google Project Zero on 2022-06-28
- [1343348] High CVE-2022-3039: Use after free in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-07-11
- [1341539] High CVE-2022-3040: Use after free in Layout. Reported by Anonymous on 2022-07-03
- [1345947] High CVE-2022-3041: Use after free in WebSQL. Reported by Ziling Chen and Nan Wang(@eternalsakura13) of 360 Vulnerability Research Institute on 2022-07-20
- [1338553] High CVE-2022-3042: Use after free in PhoneHub. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-06-22
- [1336979] High CVE-2022-3043: Heap buffer overflow in Screen Capture. Reported by @ginggilBesel on 2022-06-16
- [1051198] High CVE-2022-3044: Inappropriate implementation in Site Isolation. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-02-12
- [1339648] High CVE-2022-3045: Insufficient validation of untrusted input in V8. Reported by Ben Noordhuis on 2022-06-26
- [1346245] High CVE-2022-3046: Use after free in Browser Tag. Reported by Rong Jian of VRI on 2022-07-21
- [1342586] Medium CVE-2022-3047: Insufficient policy enforcement in Extensions API. Reported by Maurice Dauer on 2022-07-07
- [1303308] Medium CVE-2022-3048: Inappropriate implementation in Chrome OS lockscreen. Reported by Andr.Ess on 2022-03-06
- [1316892] Medium CVE-2022-3049: Use after free in SplitScreen. Reported by @ginggilBesel on 2022-04-17
- [1337132] Medium CVE-2022-3050: Heap buffer overflow in WebUI. Reported by Zhihua Yao of KunLun Lab on 2022-06-17
- [1345245] Medium CVE-2022-3051: Heap buffer overflow in Exosphere. Reported by @ginggilBesel on 2022-07-18
- [1346154] Medium CVE-2022-3052: Heap buffer overflow in Window Manager. Reported by Khalil Zhani on 2022-07-21
- [1267867] Medium CVE-2022-3053: Inappropriate implementation in Pointer Lock. Reported by Jesper van den Ende (Pelican Party Studios) on 2021-11-08
- [1290236] Medium CVE-2022-3054: Insufficient policy enforcement in DevTools. Reported by Kuilin Li on 2022-01-24
- [1351969] Medium CVE-2022-3055: Use after free in Passwords. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-08-11
- [1329460] Low CVE-2022-3056: Insufficient policy enforcement in Content Security Policy. Reported by Anonymous on 2022-05-26
- [1336904] Low CVE-2022-3057: Inappropriate implementation in iframe Sandbox. Reported by Gareth Heyes on 2022-06-16
- [1337676] Low CVE-2022-3058: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-06-20
more... | chromium
more detail |
2022-08-30 | VuXML ID e6b994e2-2891-11ed-9be7-454b1dd82c64
Gitlab reports:
Remote Command Execution via GitHub import
Stored XSS via labels color
Content injection via Incidents Timeline description
Lack of length validation in Snippets leads to Denial of Service
Group IP allow-list not fully respected by the Package Registry
Abusing Gitaly.GetTreeEntries calls leads to denial of service
Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags
Regular Expression Denial of Service via special crafted input
Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events
Regex backtracking through the Commit message field
Read repository content via LivePreview feature
Denial of Service via the Create branch API
Denial of Service via Issue preview
IDOR in Zentao integration leaked issue details
Brute force attack may guess a password even when 2FA is enabled
more... | gitlab-ce
more detail |
2022-08-26 | VuXML ID 3110b29e-c82d-4287-9f6c-db82bb883b1e
Tim Wojtulewicz of Corelight reports:
Fix a possible overflow and crash in the ARP analyzer
when receiving a specially crafted packet. Due to the
possibility of this happening with packets received from
the network, this is a potential DoS vulnerability.
Fix a possible overflow and crash in the Modbus analyzer
when receiving a specially crafted packet. Due to the
possibility of this happening with packets received from
the network, this is a potential DoS vulnerability.
Fix two possible crashes when converting IP headers for
output via the raw_packet event. Due to the possibility of
this happening with packets received from the network, this
is a potential DoS vulnerability. Note that the raw_packet
event is not enabled by default so these are likely
low-severity issues.
Fix an abort related to an error related to the ordering
of record fields when processing DNS EDNS headers via events.
Due to the possibility of this happening with packets
received from the network, this is a potential DoS
vulnerability. Note that the dns_EDNS events are not
implemented by default so this is likely a low-severity
issue.
more... | zeek
more detail |
2022-08-25 | VuXML ID 36d10af7-248d-11ed-856e-d4c9ef517024
The MariaDB project reports:
Multiple vulnerabilities, mostly segfaults, in
the server component
more... | mariadb103-server mariadb104-server mariadb105-server mariadb106-server
more detail |
2022-08-25* | VuXML ID d658042c-1c98-11ed-95f8-901b0e9408dc
Dendrite team reports:
The power level parsing within gomatrixserverlib was failing to parse the "events_default"
key of the m.room.power_levels event, defaulting the event default power level to zero in all cases.
In rooms where the "events_default" power level had been changed, this could result in
events either being incorrectly authorised or rejected by Dendrite servers.
more... | dendrite
more detail |
2022-08-23 | VuXML ID 8a0cd618-22a0-11ed-b1e7-001b217b3468
Gitlab reports:
Remote Command Execution via GitHub import
more... | gitlab-ce
more detail |
2022-08-20 | VuXML ID 03bb8373-2026-11ed-9d70-080027240888
Drupal reports:
CVE-2022-31175: Cross-site scripting (XSS) caused by the editor
instance destroying process.
more... | drupal9
more detail |
2022-08-17 | VuXML ID f12368a8-1e05-11ed-a1ef-3065ec8fd3ec
Chrome Releases reports:
This release contains 11 security fixes, including:
- [1349322] Critical CVE-2022-2852: Use after free in FedCM. Reported by Sergei Glazunov of Google Project Zero on 2022-08-02
- [1337538] High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-06-18
- [1345042] High CVE-2022-2855: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-07-16
- [1338135] High CVE-2022-2857: Use after free in Blink. Reported by Anonymous on 2022-06-21
- [1341918] High CVE-2022-2858: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
- [1350097] High CVE-2022-2853: Heap buffer overflow in Downloads. Reported by Sergei Glazunov of Google Project Zero on 2022-08-04
- [1345630] High CVE-2022-2856: Insufficient validation of untrusted input in Intents. Reported by Ashley Shen and Christian Resell of Google Threat Analysis Group on 2022-07-19
- [1338412] Medium CVE-2022-2859: Use after free in Chrome OS Shell. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-22
- [1345193] Medium CVE-2022-2860: Insufficient policy enforcement in Cookies. Reported by Axel Chong on 2022-07-18
- [1346236] Medium CVE-2022-2861: Inappropriate implementation in Extensions API. Reported by Rong Jian of VRI on 2022-07-21
more... | chromium
more detail |
2022-08-14 | VuXML ID e2e7faf9-1b51-11ed-ae46-002b67dfc673
Apache Tomcat reports:
The Form authentication example in the examples web application displayed user provided data without filtering, exposing an XSS vulnerability.
more... | tomcat tomcat-devel tomcat10 tomcat85 tomcat9
more detail |
2022-08-12 | VuXML ID 75c073cc-1a1d-11ed-bea0-48ee0c739857
The XFCE project reports:
Added mime type check to the gst-thumbnailer plugin
to fix an undisclosed vulnerability.
more... | xfce4-tumbler
more detail |
2022-08-10 | VuXML ID 02fb9764-1893-11ed-9b22-002590c1f29c
Problem Description:
A particular case of memory sharing is mishandled in the virtual
memory system. This is very similar to SA-21:08.vm, but with a
different root cause.
Impact:
An unprivileged local user process can maintain a mapping of a page
after it is freed, allowing that process to read private data
belonging to other processes or the kernel.
more... | FreeBSD-kernel
more detail |
2022-08-10 | VuXML ID 21f43976-1887-11ed-9911-40b034429ecf
Openwall oss-security reports:
We have discovered a critical arbitrary file write vulnerability
in the rsync utility that allows malicious remote servers to write
arbitrary files inside the directories of connecting peers.
The server chooses which files/directories are sent to the client.
Due to the insufficient controls inside the do_server_recv function
a malicious rsync server (or Man-in-The-Middle attacker) can
overwrite arbitrary files in the rsync client target directory and
subdirectories.
more... | rsync
more detail |
2022-08-10 | VuXML ID 5028c1ae-1890-11ed-9b22-002590c1f29c
Problem Description:
When dumping core and saving process information, proc_getargv()
might return an sbuf which has a sbuf_len() of 0 or -1, which is not
properly handled.
Impact:
An out-of-bound read can happen when user constructs a specially
crafted ps_string, which in turn can cause the kernel to crash.
more... | FreeBSD-kernel
more detail |
2022-08-10* | VuXML ID 5ddbe47b-1891-11ed-9b22-002590c1f29c
Problem Description:
The aio_aqueue function, used by the lio_listio system call, fails
to release a reference to a credential in an error case.
Impact:
An attacker may cause the reference count to overflow, leading to a
use after free (UAF).
more... | FreeBSD-kernel
more detail |
2022-08-10 | VuXML ID 8eaaf135-1893-11ed-9b22-002590c1f29c
Problem Description:
The implementation of lib9p's handling of RWALK messages was
missing a bounds check needed when unpacking the message contents.
The missing check means that the receipt of a specially crafted
message will cause lib9p to overwrite unrelated memory.
Impact:
The bug can be triggered by a malicious bhyve guest kernel to
overwrite memory in the bhyve(8) process. This could potentially lead
to user-mode code execution on the host, subject to bhyve's Capsicum
sandbox.
more... | FreeBSD
more detail |
2022-08-10 | VuXML ID c3610f39-18f1-11ed-9854-641c67a117d8
Varnish Cache Project reports:
A denial of service attack can be performed against Varnish Cache
servers by specially formatting the reason phrase of the backend response
status line. In order to execute an attack, the attacker would have to
be able to influence the HTTP/1 responses that the Varnish Server
receives from its configured backends. A successful attack would cause
the Varnish Server to assert and automatically restart.
more... | varnish7
more detail |
2022-08-09 | VuXML ID 1cd0c17a-17c0-11ed-91a5-080027f5fec9
The GnuTLS project reports:
When gnutls_pkcs7_verify cannot verify signature against
given trust list, it starts creating a chain of
certificates starting from identified signer up to known
root. During the creation of this chain the signer
certificate gets freed which results in double free when
the same signer certificate is freed at the end of the
algorithm.
more... | gnutls
more detail |
2022-08-08 | VuXML ID 9b9a5f6e-1755-11ed-adef-589cfc01894a
wolfSSL blog reports:
In release 5.4.0 there were 3 vulnerabilities listed as
fixed in wolfSSL. Two relatively new reports, one dealing with a DTLS
1.0/1.2 denial of service attack and the other a ciphertext attack on
ECC/DH operations. The last vulnerability listed was a public
disclosure of a previous attack on AMD devices fixed since wolfSSL
version 5.1.0. Coordination of the disclosure of the attack was done
responsibly, in cooperation with the researchers, waiting for the
public release of the attack details since it affects multiple
security libraries.
more... | wolfssl
more detail |
2022-08-05 | VuXML ID 3b47104f-1461-11ed-a0c5-080027240888
Django reports:
CVE-2022-36359: Potential reflected file download vulnerability in FileResponse.
more... | py310-django32 py310-django40 py38-django32 py38-django40 py39-django32 py39-django40
more detail |
2022-08-05 | VuXML ID 8bec3994-104d-11ed-a7ac-0800273f11ea
The Gitea team reports:
Use git.HOME_PATH for Git HOME directory
Add write check for creating Commit status
Remove deprecated SSH ciphers from default
more... | gitea
more detail |
2022-08-05 | VuXML ID bc43a578-14ec-11ed-856e-d4c9ef517024
NLnet Labs reports:
novel type of the "ghost domain names" attack. The vulnerability
works by targeting an Unbound instance. Unbound is queried for a
rogue domain name when the cached delegation information is about to
expire. The rogue nameserver delays the response so that the cached
delegation information is expired. Upon receiving the delayed answer
containing the delegation information, Unbound overwrites the now
expired entries. This action can be repeated when the delegation
information is about to expire making the rogue delegation
information ever-updating.
novel type of the "ghost domain names" attack. The vulnerability
works by targeting an Unbound instance. Unbound is queried for a
subdomain of a rogue domain name. The rogue nameserver returns
delegation information for the subdomain that updates Unbound's
delegation cache. This action can be repeated before expiry of the
delegation information by querying Unbound for a second level
subdomain which the rogue nameserver provides new delegation
information.
more... | unbound
more detail |
2022-08-05 | VuXML ID df29c391-1046-11ed-a7ac-0800273f11ea
The Gitea team reports:
Add write check for creating Commit status
Check for permission when fetching user controlled issues
more... | gitea
more detail |
2022-08-03 | VuXML ID 96a41723-133a-11ed-be3b-3065ec8fd3ec
Chrome Releases reports:
This release contains 27 security fixes, including:
- [1325699] High CVE-2022-2603: Use after free in Omnibox. Reported by Anonymous on 2022-05-16
- [1335316] High CVE-2022-2604: Use after free in Safe Browsing. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-10
- [1338470] High CVE-2022-2605: Out of bounds read in Dawn. Reported by Looben Yang on 2022-06-22
- [1330489] High CVE-2022-2606: Use after free in Managed devices API. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-31
- [1286203] High CVE-2022-2607: Use after free in Tab Strip. Reported by @ginggilBesel on 2022-01-11
- [1330775] High CVE-2022-2608: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-06-01
- [1338560] High CVE-2022-2609: Use after free in Nearby Share. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-06-22
- [1278255] Medium CVE-2022-2610: Insufficient policy enforcement in Background Fetch. Reported by Maurice Dauer on 2021-12-09
- [1320538] Medium CVE-2022-2611: Inappropriate implementation in Fullscreen API. Reported by Irvan Kurniawan (sourc7) on 2022-04-28
- [1321350] Medium CVE-2022-2612: Side-channel information leakage in Keyboard input. Reported by Erik Kraft (erik.kraft5@gmx.at), Martin Schwarzl (martin.schwarzl@iaik.tugraz.at) on 2022-04-30
- [1325256] Medium CVE-2022-2613: Use after free in Input. Reported by Piotr Tworek (Vewd) on 2022-05-13
- [1341907] Medium CVE-2022-2614: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
- [1268580] Medium CVE-2022-2615: Insufficient policy enforcement in Cookies. Reported by Maurice Dauer on 2021-11-10
- [1302159] Medium CVE-2022-2616: Inappropriate implementation in Extensions API. Reported by Alesandro Ortiz on 2022-03-02
- [1292451] Medium CVE-2022-2617: Use after free in Extensions API. Reported by @ginggilBesel on 2022-01-31
- [1308422] Medium CVE-2022-2618: Insufficient validation of untrusted input in Internals. Reported by asnine on 2022-03-21
- [1332881] Medium CVE-2022-2619: Insufficient validation of untrusted input in Settings. Reported by Oliver Dunk on 2022-06-04
- [1337304] Medium CVE-2022-2620: Use after free in WebUI. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-17
- [1323449] Medium CVE-2022-2621: Use after free in Extensions. Reported by Huyna at Viettel Cyber Security on 2022-05-07
- [1332392] Medium CVE-2022-2622: Insufficient validation of untrusted input in Safe Browsing. Reported by Imre Rad (@ImreRad) and @j00sean on 2022-06-03
- [1337798] Medium CVE-2022-2623: Use after free in Offline. Reported by raven at KunLun lab on 2022-06-20
- [1339745] Medium CVE-2022-2624: Heap buffer overflow in PDF. Reported by YU-CHANG CHEN and CHIH-YEN CHANG, working with DEVCORE Internship Program on 2022-06-27
more... | chromium
more detail |
2022-08-02 | VuXML ID 7f8d5435-125a-11ed-9a69-10c37b4ac2ea
The Go project reports:
encoding/gob & math/big: decoding big.Float and
big.Rat can panic
Decoding big.Float and big.Rat types can panic if the
encoded message is too short.
more... | go117 go118
more detail |
2022-07-30 | VuXML ID 4c26f668-0fd2-11ed-a83d-001b217b3468
Gitlab reports:
Revoke access to confidential notes todos
Pipeline subscriptions trigger new pipelines with the wrong author
Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email
Import via git protocol allows to bypass checks on repository
Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages
Maintainer can leak Packagist and other integration access tokens by changing integration URL
Unauthenticated access to victims Grafana datasources through path traversal
Unauthorized users can filter issues by contact and organization
Malicious Maintainer may change the visibility of project or a group
Stored XSS in job error messages
Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant
Non project members can view public project's Deploy Keys
IDOR in project with Jira integration leaks project owner's other projects Jira issues
Group Bot Users and Tokens not deleted after group deletion
Email invited members can join projects even after the member lock has been enabled
Datadog integration returns user emails
more... | gitlab-ce
more detail |
2022-07-21 | VuXML ID 8e150606-08c9-11ed-856e-d4c9ef517024
Oracle reports:
This Critical Patch Update contains 34 new security patches plus
additional third party patches noted below for Oracle MySQL. 10 of
these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without
requiring user credentials.
more... | mysql-client80 mysql-server56 mysql-server57 mysql-server80
more detail |
2022-07-21 | VuXML ID e1387e95-08d0-11ed-be26-001999f8d30b
Oracle reports:
Easily exploitable vulnerability allows high privileged
attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox.
Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of Oracle VM VirtualBox.
more... | virtualbox-ose
more detail |
2022-07-20 | VuXML ID 27cc4258-0805-11ed-8ac1-3065ec8fd3ec
Chrome Releases reports:
This release contains 11 security fixes, including:
- [1336266] High CVE-2022-2477: Use after free in Guest View. Reported by anonymous on 2022-06-14
- [1335861] High CVE-2022-2478: Use after free in PDF. Reported by triplepwns on 2022-06-13
- [1329987] High CVE-2022-2479: Insufficient validation of untrusted input in File. Reported by anonymous on 2022-05-28
- [1339844] High CVE-2022-2480: Use after free in Service Worker API. Reported by Sergei Glazunov of Google Project Zero on 2022-06-27
- [1341603] High CVE-2022-2481: Use after free in Views. Reported by YoungJoo Lee(@ashuu_lee) of CompSecLab at Seoul National University on 2022-07-04
- [1308341] Low CVE-2022-2163: Use after free in Cast UI and Toolbar. Reported by Chaoyuan Peng (@ret2happy) on 2022-03-21
more... | chromium
more detail |
2022-07-18 | VuXML ID 871d93f9-06aa-11ed-8d5f-080027f5fec9
The Redis core team reports:
A specially crafted XAUTOCLAIM command on a stream key in
a specific state may result in heap overflow, and
potentially remote code execution.
more... | redis
more detail |
2022-07-15 | VuXML ID 0859e6d5-0415-11ed-a53b-6c3be5272acd
Grafana Labs reports:
It is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP to take over an existing Grafana account under some conditions.
more... | grafana grafana7 grafana8 grafana9
more detail |
2022-07-15 | VuXML ID 0c367e98-0415-11ed-a53b-6c3be5272acd
Grafana Labs reports:
An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. (Note: Grafana Alerting is activated by default in Grafana 9.0.)
more... | grafana grafana8 grafana9
more detail |
2022-07-13 | VuXML ID a4f2416c-02a0-11ed-b817-10c37b4ac2ea
The Go project reports:
net/http: improper sanitization of Transfer-Encoding
header
The HTTP/1 client accepted some invalid
Transfer-Encoding headers as indicating a "chunked"
encoding. This could potentially allow for request
smuggling, but only if combined with an intermediate
server that also improperly failed to reject the header
as invalid.
When httputil.ReverseProxy.ServeHTTP was called with a
Request.Header map containing a nil value for the
X-Forwarded-For header, ReverseProxy would set the client
IP as the value of the X-Forwarded-For header, contrary to
its documentation. In the more usual case where a Director
function set the X-Forwarded-For header value to nil,
ReverseProxy would leave the header unmodified as
expected.
compress/gzip: stack exhaustion in Reader.Read
Calling Reader.Read on an archive containing a large
number of concatenated 0-length compressed files can
cause a panic due to stack exhaustion.
encoding/xml: stack exhaustion in Unmarshal
Calling Unmarshal on an XML document into a Go struct
which has a nested field that uses the any field tag can
cause a panic due to stack exhaustion.
encoding/xml: stack exhaustion in Decoder.Skip
Calling Decoder.Skip when parsing a deeply nested XML
document can cause a panic due to stack exhaustion.
encoding/gob: stack exhaustion in Decoder.Decode
Calling Decoder.Decode on a message which contains
deeply nested structures can cause a panic due to stack
exhaustion.
path/filepath: stack exhaustion in Glob
Calling Glob on a path which contains a large number of
path separators can cause a panic due to stack
exhaustion.
io/fs: stack exhaustion in Glob
Calling Glob on a path which contains a large number of
path separators can cause a panic due to stack
exhaustion.
go/parser: stack exhaustion in all Parse* functions
Calling any of the Parse functions on Go source code
which contains deeply nested types or declarations can
cause a panic due to stack exhaustion.
more... | go117 go118
more detail |
2022-07-12 | VuXML ID b99f99f6-021e-11ed-8c6f-000c29ffbb6c
The git project reports:
Git is vulnerable to privilege escalation in all platforms.
An unsuspecting user could still be affected by the issue
reported in CVE-2022-24765, for example when navigating as
root into a shared tmp directory that is owned by them, but
where an attacker could create a git repository.
more... | git
more detail |
2022-07-10 | VuXML ID 830855f3-ffcc-11ec-9d41-d05099c8b5a7
mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../
directory traversal during the ZIP archive cleaning process. This
primarily affects mat2 web instances, in which clients could obtain
sensitive information via a crafted archive.
more... | mat2
more detail |
2022-07-09 | VuXML ID d1b35142-ff4a-11ec-8be3-001b217b3468
Gitlab reports:
Remote Command Execution via Project Imports
XSS in ZenTao integration affecting self hosted instances without strict CSP
XSS in project settings page
Unallowed users can read unprotected CI variables
IP allow-list bypass to access Container Registries
2FA status is disclosed to unauthenticated users
CI variables provided to runners outside of a group's restricted IP range
IDOR in sentry issues
Reporters can manage issues in error tracking
Regular Expression Denial of Service via malicious web server responses
Unauthorized read for conan repository
Open redirect vulnerability
Group labels are editable through subproject
Release titles visible for any users if group milestones are associated with any project releases
Restrict membership by email domain bypass
Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint
more... | gitlab-ce
more detail |
2022-07-08* | VuXML ID b9210706-feb0-11ec-81fa-1c697a616631
Node.js reports:
HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding
(Medium)(CVE-2022-32213)
The llhttp parser in the http module does not correctly parse and
validate Transfer-Encoding headers. This can lead to HTTP Request
Smuggling (HRS).
HTTP Request Smuggling - Improper Delimiting of Header Fields
(Medium)(CVE-2022-32214)
The llhttp parser in the http module does not strictly use the CRLF
sequence to delimit HTTP requests. This can lead to HTTP Request
Smuggling (HRS).
HTTP Request Smuggling - Incorrect Parsing of Multi-line
Transfer-Encoding (Medium)(CVE-2022-32215)
The llhttp parser in the http module does not correctly handle
multi-line Transfer-Encoding headers. This can lead to HTTP Request
Smuggling (HRS).
DNS rebinding in --inspect via invalid IP addresses
(High)(CVE-2022-32212)
The IsAllowedHost check can easily be bypassed because IsIPAddress
does not properly check if an IP address is invalid or not. When an
invalid IPv4 address is provided (for instance 10.0.2.555 is
provided), browsers (such as Firefox) will make DNS requests to the
DNS server, providing a vector for an attacker-controlled DNS server
or a MITM who can spoof DNS responses to perform a rebinding attack
and hence connect to the WebSocket debugger, allowing for arbitrary
code execution. This is a bypass of CVE-2021-22884.
Attempt to read openssl.cnf from /home/iojs/build/ upon startup
(Medium)(CVE-2022-32222)
When Node.js starts on linux based systems, it attempts to read
/home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf,
which ordinarily doesn't exist. On some shared systems an attacker may
be able to create this file and therefore affect the default OpenSSL
configuration for other users.
OpenSSL - AES OCB fails to encrypt some bytes
(Medium)(CVE-2022-2097)
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly
optimised implementation will not encrypt the entirety of the data
under some circumstances. This could reveal sixteen bytes of data that
was preexisting in the memory that wasn't written. In the special case
of "in place" encryption, sixteen bytes of the plaintext would be
revealed. Since OpenSSL does not support OCB based cipher suites for
TLS and DTLS, they are both unaffected.
more... | node node14 node16
more detail |
2022-07-07 | VuXML ID 744ec9d7-fe0f-11ec-bcd2-3065ec8fd3ec
Chrome Releases reports:
This release contains 4 security fixes, including:
- [1341043] High CVE-2022-2294: Heap buffer overflow in WebRTC. Reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01
- [1336869] High CVE-2022-2295: Type Confusion in V8. Reported by avaue and Buff3tts at S.S.L. on 2022-06-16
- [1327087] High CVE-2022-2296: Use after free in Chrome OS Shell. Reported by Khalil Zhani on 2022-05-19
more... | chromium
more detail |
2022-07-05 | VuXML ID a28e8b7e-fc70-11ec-856e-d4c9ef517024
The OpenSSL project reports:
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation will not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of data that was
preexisting in the memory that wasn't written. In the special case of
"in place" encryption, sixteen bytes of the plaintext would be revealed.
more... | openssl openssl-devel
more detail |
2022-07-05* | VuXML ID f0e45968-faff-11ec-856e-d4c9ef517024
The OpenSSL project reports:
The OpenSSL 3.0.4 release introduced a serious bug in the RSA
implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
This issue makes the RSA implementation with 2048 bit private keys
incorrect on such machines and memory corruption will happen during
the computation. As a consequence of the memory corruption an attacker
may be able to trigger a remote code execution on the machine performing
the computation.
SSL/TLS servers or other servers using 2048 bit RSA private keys running
on machines supporting AVX512IFMA instructions of the X86_64 architecture
are affected by this issue.
more... | openssl-devel
more detail |
2022-07-04 | VuXML ID 5be19b0d-fb85-11ec-95cd-080027b24e86
SO-AND-SO reports:
CVE-2022-34265: Potential SQL injection via Trunc(kind) and
Extract(lookup_name) arguments.
more... | py310-django32 py310-django40 py37-django32 py38-django32 py38-django40 py39-django32 py39-django40
more detail |
2022-07-03 | VuXML ID 5ab54ea0-fa94-11ec-996c-080027b24e86
Mediawiki reports:
(T308471) Username is not escaped in the "welcomeuser" message.
(T308473) Username not escaped in the contributions-title message.
(T309377, CVE-2022-29248) Update "guzzlehttp/guzzle" to version 6.5.6.
(T311384, CVE-2022-27776) Update "guzzlehttp/guzzle" to 6.5.8/7.4.5.
more... | mediawiki135 mediawiki137 mediawiki138
more detail |
2022-06-29 | VuXML ID 07c0d782-f758-11ec-acaa-901b0e9408dc
Matrix developers report:
This release fixes a vulnerability with Synapse's URL preview feature. URL previews
of some web pages can lead to unbounded recursion, causing the request to either fail,
or in some cases crash the running Synapse process.
Note that:
- Homeservers with the url_preview_enabled configuration option set to false
(the default value) are unaffected.
- Instances with the enable_media_repo configuration option set to false are
also unaffected, as this also disables the URL preview functionality.
more... | py310-matrix-synapse py311-matrix-synapse py37-matrix-synapse py38-matrix-synapse py39-matrix-synapse
more detail |
2022-06-27 | VuXML ID ae5722a6-f5f0-11ec-856e-d4c9ef517024
The cURL project reports:
- CVE-2022-32205: Set-Cookie denial of service
- CVE-2022-32206: HTTP compression denial of service
- CVE-2022-32207: Unpreserved file permissions
- CVE-2022-32208: FTP-KRB bad message verification
more... | curl
more detail |
2022-06-22 | VuXML ID 25be46f0-f25d-11ec-b62a-00e081b7aa2d
Jenkins Security Advisory:
Description
(High) SECURITY-2781 / CVE-2022-34170 (SECURITY-2779), CVE-2022-34171 (SECURITY-2761), CVE-2022-34172 (SECURITY-2776), CVE-2022-34173 (SECURITY-2780)
Multiple XSS vulnerabilities
(Medium) SECURITY-2566 / CVE-2022-34174
Observable timing discrepancy allows determining username validity
(Medium) SECURITY-2777 / CVE-2022-34175
Unauthorized view fragment access
more... | jenkins jenkins-lts
more detail |
2022-06-22 | VuXML ID 4eeb93bf-f204-11ec-8fbd-d4c9ef517024
The OpenSSL project reports:
Circumstances where the c_rehash script does not properly
sanitise shell metacharacters to prevent command injection were
found by code review.
more... | openssl openssl-devel openssl-quictls
more detail |
2022-06-22 | VuXML ID b2a4c5f1-f1fe-11ec-bcd2-3065ec8fd3ec
Chrome Releases reports:
This release contains 14 security fixes, including:
- [1335458] Critical CVE-2022-2156: Use after free in Base. Reported by Mark Brand of Google Project Zero on 2022-06-11
- [1327312] High CVE-2022-2157: Use after free in Interest groups. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-19
- [1321078] High CVE-2022-2158: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2022-04-29
- [1116450] Medium CVE-2022-2160: Insufficient policy enforcement in DevTools. Reported by David Erceg on 2020-08-14
- [1330289] Medium CVE-2022-2161: Use after free in WebApp Provider. Reported by Zhihua Yao of KunLun Lab on 2022-05-30
- [1307930] Medium CVE-2022-2162: Insufficient policy enforcement in File System API. Reported by Abdelhamid Naceri (halov) on 2022-03-19
- [1308341] Low CVE-2022-2163: Use after free in Cast UI and Toolbar. Reported by Chaoyuan Peng (@ret2happy) on 2022-03-21
- [1268445] Low CVE-2022-2164: Inappropriate implementation in Extensions API. Reported by José Miguel Moreno Computer Security Lab (COSEC) at UC3M on 2021-11-10
- [1250993] Low CVE-2022-2165: Insufficient data validation in URL formatting. Reported by Rayyan Bijoora on 2021-09-19
more... | chromium
more detail |
2022-06-20 | VuXML ID ad37a349-ebb7-11ec-b9f7-21427354249d
Zeyu Zhang reports:
In mitmproxy 7.0.4 and below, a malicious client or server is able to
perform HTTP request smuggling attacks through mitmproxy. This means
that a malicious client/server could smuggle a request/response through
mitmproxy as part of another request/response's HTTP message body. While
mitmproxy would only see one request, the target server would see
multiple requests. A smuggled request is still captured as part of
another request's body, but it does not appear in the request list and
does not go through the usual mitmproxy event hooks, where users may
have implemented custom access control checks or input sanitization.
Unless you use mitmproxy to protect an HTTP/1 service, no action is required.
more... | mitmproxy
more detail |
2022-06-17 | VuXML ID 5d1e4f6a-ee4f-11ec-86c2-485b3931c969
Tor organization reports:
TROVE-2022-001
more... | tor
more detail |
2022-06-11 | VuXML ID 482456fb-e9af-11ec-93b6-318d1419ea39
Debian Security tracker reports:
ExifTool.pm in ExifTool before 12.38 mishandles a file special characters check, leading to command injection
more... | p5-Image-ExifTool
more detail |
2022-06-11 | VuXML ID 55cff5d2-e95c-11ec-ae20-001999f8d30b
XFCE Project reports:
Prevent executing possibly malicious .desktop files
from online sources (ftp://, http:// etc.).
more... | libexo
more detail |
2022-06-11 | VuXML ID b51cfaea-e919-11ec-9fba-080027240888
Numpy reports:
At most call-sites for PyArray_DescrNew, there are no validations of its return,
but an invalid address may be returned.
more... | py310-numpy py38-numpy py39-numpy
more detail |
2022-06-10* | VuXML ID 49adfbe5-e7d1-11ec-8fbd-d4c9ef517024
The Apache httpd project reports:
- CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop
mechanism. Apache HTTP Server 2.4.53 and earlier may not send the
X-Forwarded-* headers to the origin server based on client side
Connection header hop-by-hop mechanism. This may be used to bypass
IP based authentication on the origin server/application.
- CVE-2022-30556: Information Disclosure in mod_lua with websockets.
Apache HTTP Server 2.4.53 and earlier may return lengths to
applications calling r:wsread() that point past the end of the
storage allocated for the buffer.
- CVE-2022-30522: mod_sed denial of service. If Apache HTTP Server
2.4.53 is configured to do transformations with mod_sed in contexts
where the input to mod_sed may be very large, mod_sed may make
excessively large memory allocations and trigger an abort.
- CVE-2022-29404: Denial of service in mod_lua r:parsebody. In Apache
HTTP Server 2.4.53 and earlier, a malicious request to a lua script
that calls r:parsebody(0) may cause a denial of service due to no
default limit on possible input size.
- CVE-2022-28615: Read beyond bounds in ap_strcmp_match(). Apache
HTTP Server 2.4.53 and earlier may crash or disclose information due
to a read beyond bounds in ap_strcmp_match() when provided with an
extremely large input buffer. While no code distributed with the
server can be coerced into such a call, third-party modules or lua
scripts that use ap_strcmp_match() may hypothetically be affected.
- CVE-2022-28614: read beyond bounds via ap_rwrite(). The ap_rwrite()
function in Apache HTTP Server 2.4.53 and earlier may read unintended
memory if an attacker can cause the server to reflect very large
input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts()
function.
- CVE-2022-28330: read beyond bounds in mod_isapi. Apache HTTP Server
2.4.53 and earlier on Windows may read beyond bounds when configured
to process requests with the mod_isapi module.
- CVE-2022-26377: mod_proxy_ajp: Possible request smuggling.
Inconsistent Interpretation of HTTP Requests ('HTTP Request
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it forwards
requests to.
more... | apache24
more detail |
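The hop-by-hop mechanism behind CVE-2022-31813, as an added example that is not Apache httpd code: a model proxy that adds X-Forwarded-For and then honours the client's Connection header, beside the corrected ordering, and an origin that does IP-based authorization on the result. Header names are lower-cased dict keys; the addresses, allowlist and Host value are constructed for illustration.

```python
# Added example, not Apache httpd code: a model of the hop-by-hop header
# handling behind CVE-2022-31813.  Header names are lower-cased dict keys
# and the addresses are constructed for illustration.  The proxy is meant to
# tell the origin who the real client is via X-Forwarded-For; the vulnerable
# ordering lets a client-supplied "Connection: X-Forwarded-For" make the
# proxy strip the very header it just added.

HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}


def strip_hop_by_hop(headers: dict) -> dict:
    """Remove the fixed hop-by-hop set plus every header named in Connection
    (RFC 7230 section 6.1)."""
    listed = {t.strip().lower() for t in headers.get("connection", "").split(",") if t.strip()}
    return {k: v for k, v in headers.items() if k not in HOP_BY_HOP and k not in listed}


def add_forwarded_for(headers: dict, client_ip: str) -> dict:
    """Append the peer address to X-Forwarded-For, creating the header if absent."""
    out = dict(headers)
    prior = out.get("x-forwarded-for")
    out["x-forwarded-for"] = f"{prior}, {client_ip}" if prior else client_ip
    return out


def proxy_vulnerable(client_headers: dict, client_ip: str) -> dict:
    """Adds X-Forwarded-For first, then applies hop-by-hop stripping, so a
    client that names X-Forwarded-For in Connection gets it removed."""
    return strip_hop_by_hop(add_forwarded_for(client_headers, client_ip))


def proxy_fixed(client_headers: dict, client_ip: str) -> dict:
    """Applies the client's Connection tokens to the client's headers only,
    then adds the proxy's own X-Forwarded-For afterwards."""
    return add_forwarded_for(strip_hop_by_hop(client_headers), client_ip)


def origin_client_ip(forwarded_headers: dict, peer_ip: str) -> str:
    """Typical origin logic: when the request arrives from the proxy, trust the
    last X-Forwarded-For entry (the one the proxy appended); if the header is
    missing, fall back to the TCP peer address, which is the proxy itself."""
    xff = forwarded_headers.get("x-forwarded-for")
    return xff.split(",")[-1].strip() if xff else peer_ip


def origin_allows(forwarded_headers: dict, peer_ip: str, allowlist: set) -> bool:
    """IP-based authorization at the origin."""
    return origin_client_ip(forwarded_headers, peer_ip) in allowlist


if __name__ == "__main__":
    PROXY_IP = "10.0.0.1"        # constructed: the proxy sits on the trusted LAN
    ATTACKER_IP = "203.0.113.7"  # constructed: an external client
    allowlist = {"10.0.0.1", "10.0.0.2"}
    request = {"host": "app.internal", "connection": "X-Forwarded-For"}
    for name, proxy in (("vulnerable", proxy_vulnerable), ("fixed", proxy_fixed)):
        fwd = proxy(request, ATTACKER_IP)
        print(name, fwd.get("x-forwarded-for"), "allowed:", origin_allows(fwd, PROXY_IP, allowlist))
```

The bypass needs two things to line up: the proxy drops its own header, and the origin's fallback identity for a request with no X-Forwarded-For is the proxy's own (allow-listed) address. Either fix closes it, but the proxy-side ordering is the one the advisory describes, and an origin should in any case only consult X-Forwarded-For on connections that really come from its proxy.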
2022-06-09 | VuXML ID c80ce2dd-e831-11ec-bcd2-3065ec8fd3ec
Chrome Releases reports:
This release contains 7 security fixes, including:
- [1326210] High CVE-2022-2007: Use after free in WebGPU. Reported by David Manouchehri on 2022-05-17
- [1317673] High CVE-2022-2008: Out of bounds memory access in WebGL. Reported by khangkito - Tran Van Khang (VinCSS) on 2022-04-19
- [1325298] High CVE-2022-2010: Out of bounds read in compositing. Reported by Mark Brand of Google Project Zero on 2022-05-13
- [1330379] High CVE-2022-2011: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-05-31
more... | chromium
more detail |
2022-06-07 | VuXML ID 15888c7e-e659-11ec-b7fe-10c37b4ac2ea
The Go project reports:
crypto/rand: rand.Read hangs with extremely large buffers
On Windows, rand.Read will hang indefinitely if passed a
buffer larger than 1 << 32 - 1 bytes.
crypto/tls: session tickets lack random ticket_age_add
Session tickets generated by crypto/tls did not contain
a randomly generated ticket_age_add. This allows an
attacker that can observe TLS handshakes to correlate
successive connections by comparing ticket ages during
session resumption.
os/exec: empty Cmd.Path can result in running unintended
binary on Windows
If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or
cmd.CombinedOutput are executed when Cmd.Path is unset
and, in the working directory, there are binaries named
either "..com" or "..exe", they will be executed.
path/filepath: Clean(`.\c:`) returns `c:` on Windows
On Windows, the filepath.Clean function could convert an
invalid path to a valid, absolute path. For example,
Clean(`.\c:`) returned `c:`.
more... | go117 go118
more detail |
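The ticket_age_add issue above, as an added example that is not Go code: a simulation of the TLS 1.3 obfuscated_ticket_age computation (RFC 8446 section 4.2.11.1) showing why a ticket issued without a random ticket_age_add lets a passive observer link a resumption to the handshake that issued the ticket. The timestamps, the decoy handshakes and the observer's matching tolerance are constructed for illustration; a fixed add of 0 stands in for "no random ticket_age_add" and is an assumption about the unpatched behaviour, not a statement of what Go emitted.

```python
# Added example, not Go code: a simulation of the TLS 1.3 obfuscated_ticket_age
# computation (RFC 8446 section 4.2.11.1) to show why a missing random
# ticket_age_add lets a passive observer link a resumption to the handshake
# that issued the ticket.  Timestamps, decoys and the observer's matching
# tolerance are constructed for illustration.
import secrets

MOD = 1 << 32


def new_session_ticket(issued_ms: int, ticket_age_add=None) -> dict:
    """Server side: a ticket records when it was issued and the 32-bit
    ticket_age_add the client must add to its age.  None draws a fresh random
    value, as the fix does; a fixed value (0 below) models a ticket that lacks
    a random ticket_age_add."""
    add = secrets.randbelow(MOD) if ticket_age_add is None else ticket_age_add
    return {"issued_ms": issued_ms, "ticket_age_add": add}


def obfuscated_ticket_age(ticket: dict, now_ms: int) -> int:
    """Client side: the value carried in the pre_shared_key extension."""
    return (now_ms - ticket["issued_ms"] + ticket["ticket_age_add"]) % MOD


def observer_link(obfuscated_age: int, resume_ms: int, seen_handshakes_ms, tolerance_ms=50):
    """Passive observer: assumes ticket_age_add is 0, recovers the apparent
    issue time and returns the earlier handshakes it coincides with."""
    apparent_issue = (resume_ms - obfuscated_age) % MOD
    return [t for t in seen_handshakes_ms if abs(t - apparent_issue) <= tolerance_ms]


def linkable(ticket_age_add, issued_ms=1_000_000, resume_ms=1_360_000,
             decoys=(400_000, 2_250_000)) -> bool:
    """True when the observer links the resumption to the issuing handshake.
    The decoys are other handshakes the observer saw on the wire."""
    ticket = new_session_ticket(issued_ms, ticket_age_add)
    age = obfuscated_ticket_age(ticket, resume_ms)
    return issued_ms in observer_link(age, resume_ms, [issued_ms, *decoys])


if __name__ == "__main__":
    print("no random ticket_age_add, linked:", linkable(0))
    print("random ticket_age_add, linked:   ", linkable(None))
```

With a random 32-bit ticket_age_add the recovered issue time is uniformly spread over about 49.7 days, so a 50 ms window over a handful of observed handshakes matches by chance only with negligible probability; the test pins a fixed nonzero value so the result is deterministic.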
2022-06-05 | VuXML ID a58f3fde-e4e0-11ec-8340-2d623369b8b5
Nils Bars reports:
During the processing of [a specially fuzzed disk image], an
out-of-bounds write is triggered and causes a segmentation fault
(SIGSEGV).
more... | e2fsprogs e2fsprogs-nobootfsck e2fsprogs-roothardlinks
more detail |
2022-06-04 | VuXML ID f414d69f-e43d-11ec-9ea4-001b217b3468
Gitlab reports:
Account take over via SCIM email change
Stored XSS in Jira integration
Quick action commands susceptible to XSS
IP allowlist bypass when using Trigger tokens
IP allowlist bypass when using Project Deploy Tokens
Improper authorization in the Interactive Web Terminal
Subgroup member can list members of parent group
Group member lock bypass
more... | gitlab-ce
more detail |
2022-06-03 | VuXML ID 204f1a7a-43df-412f-ad25-7dbe88f54fa4
Tim Wojtulewicz of Corelight reports:
Fix potential hang in the DNS analyzer when receiving
a specially-crafted packet. Due to the possibility of
this happening with packets received from the network,
this is a potential DoS vulnerability.
more... | zeek
more detail |
2022-05-24 | VuXML ID 40e2c35e-db99-11ec-b0cf-3065ec8fd3ec
Chrome Releases reports:
This release contains 32 security fixes, including:
- [1324864] Critical CVE-2022-1853: Use after free in Indexed DB. Reported by Anonymous on 2022-05-12
- [1320024] High CVE-2022-1854: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-04-27
- [1228661] High CVE-2022-1855: Use after free in Messaging. Reported by Anonymous on 2021-07-13
- [1323239] High CVE-2022-1856: Use after free in User Education. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-06
- [1227995] High CVE-2022-1857: Insufficient policy enforcement in File System API. Reported by Daniel Rhea on 2021-07-11
- [1314310] High CVE-2022-1858: Out of bounds read in DevTools. Reported by EllisVlad on 2022-04-07
- [1322744] High CVE-2022-1859: Use after free in Performance Manager. Reported by Guannan Wang (@Keenan7310) of Tencent Security Xuanwu Lab on 2022-05-05
- [1297209] High CVE-2022-1860: Use after free in UI Foundations. Reported by @ginggilBesel on 2022-02-15
- [1316846] High CVE-2022-1861: Use after free in Sharing. Reported by Khalil Zhani on 2022-04-16
- [1236325] Medium CVE-2022-1862: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2021-08-04
- [1292870] Medium CVE-2022-1863: Use after free in Tab Groups. Reported by David Erceg on 2022-02-01
- [1320624] Medium CVE-2022-1864: Use after free in WebApp Installs. Reported by Yuntao You (@GraVity0) of Bytedance Wuheng Lab on 2022-04-28
- [1289192] Medium CVE-2022-1865: Use after free in Bookmarks. Reported by Rong Jian of VRI on 2022-01-20
- [1292264] Medium CVE-2022-1866: Use after free in Tablet Mode. Reported by @ginggilBesel on 2022-01-29
- [1315563] Medium CVE-2022-1867: Insufficient validation of untrusted input in Data Transfer. Reported by Michal Bentkowski of Securitum on 2022-04-12
- [1301203] Medium CVE-2022-1868: Inappropriate implementation in Extensions API. Reported by Alesandro Ortiz on 2022-02-28
- [1309467] Medium CVE-2022-1869: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2022-03-23
- [1323236] Medium CVE-2022-1870: Use after free in App Service. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-06
- [1308199] Low CVE-2022-1871: Insufficient policy enforcement in File System API. Reported by Thomas Orlita on 2022-03-21
- [1310461] Low CVE-2022-1872: Insufficient policy enforcement in Extensions API. Reported by ChaobinZhang on 2022-03-26
- [1305394] Low CVE-2022-1873: Insufficient policy enforcement in COOP. Reported by NDevTK on 2022-03-11
- [1251588] Low CVE-2022-1874: Insufficient policy enforcement in Safe Browsing. Reported by hjy79425575 on 2021-09-21
- [1306443] Low CVE-2022-1875: Inappropriate implementation in PDF. Reported by NDevTK on 2022-03-15
- [1313600] Low CVE-2022-1876: Heap buffer overflow in DevTools. Reported by @ginggilBesel on 2022-04-06
more... | chromium
more detail |
2022-05-23 | VuXML ID 04fecc47-dad2-11ec-8fbd-d4c9ef517024
The MariaDB project reports:
MariaDB fixed 23 vulnerabilities across all supported versions
more... | mariadb103-client mariadb103-server mariadb104-client mariadb104-server mariadb105-client mariadb105-server mariadb106-client mariadb106-server
more detail |