Django reports:

CVE-2023-23969: Potential denial-of-service via Accept-Language headers.

NIST reports:

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

Prometheus team reports:

Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. However, a flaw in the way this mechanism was implemented in the exporter toolkit makes it possible with people who know the hashed password to authenticate against Prometheus. A request can be forged by an attacker to poison the internal cache used to cache the computation of hashes and make subsequent requests successful. This cache is used in both happy and unhappy scenarios in order to limit side channel attacks that could tell an attacker if a user is present in the file or not.

The Asterisk project reports:

AST-2022-007: Remote Crash Vulnerability in H323 channel add on

AST-2022-008: Use after free in res_pjsip_pubsub.c

AST-2022-009: GetConfig AMI Action can read files outside of Asterisk directory

Stéphane Bruckert

If a malicious URI is passed to the library, the library can be tricked into performing an operation on a different API endpoint than intended.

Tim Wojtulewicz of Corelight reports:

A missing field in the SMB FSControl script-land record could cause a heap buffer overflow when receiving packets containing those header types.

Receiving a series of packets that start with HTTP/1.0 and then switch to HTTP/0.9 could cause Zeek to spend a large amount of time processing the packets.

Receiving large numbers of FTP commands sequentially from the network with bad data in them could cause Zeek to spend a large amount of time processing the packets, and generate a large amount of events.

Gitlab reports:

Denial of Service via arbitrarily large Issue descriptions

CSRF via file upload allows an attacker to take over a repository

Sidekiq background job DoS by uploading malicious CI job artifact zips

Sidekiq background job DoS by uploading a malicious Helm package

Prometheus team reports:

Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. However, a flaw in the way this mechanism was implemented in the exporter toolkit makes it possible with people who know the hashed password to authenticate against Prometheus. A request can be forged by an attacker to poison the internal cache used to cache the computation of hashes and make subsequent requests successful. This cache is used in both happy and unhappy scenarios in order to limit side channel attacks that could tell an attacker if a user is present in the file or not.

Plex Security Team reports:

We have recently been made aware of a security vulnerability in Plex Media Server versions prior to 1.25.0 that could allow a local Windows user to obtain administrator privileges without authorization. To be clear, this required the user to already have local, physical access to the computer (just with a different user account on Windows). There are no indications that this exploit could be used from a remote machine.

Plex Media Server versions 1.25.0.5282 and newer are not subject to this vulnerability, and feature additional hardening to prevent similar issues from occurring in the future. Users running older server versions are encouraged to update their Plex Media Server installations.

Chrome Releases reports:

This release contains 6 security fixes, including:

• [1376354] High CVE-2023-0471: Use after free in WebTransport. Reported by chichoo Kim(chichoo) and Cassidy Kim(@cassidy6564) on 2022-10-19
• [1405256] High CVE-2023-0472: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-01-06
• [1404639] Medium CVE-2023-0473: Type Confusion in ServiceWorker API. Reported by raven at KunLun lab on 2023-01-03
• [1400841] Medium CVE-2023-0474: Use after free in GuestView. Reported by avaue at S.S.L on 2022-12-14

re2c reports:

re2c before 2.0 has uncontrolled recursion that causes stack consumption in find_fixed_tags.

The Gitea team reports:

Prevent multiple To recipients: Change the mailer interface to prevent leaking of possible hidden email addresses when sending to multiple recipients.

PowerDNS Team reports:

PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination

MITRE reports:

NLnet Labs Krill supports direct access to the RRDP repository content through its built-in web server at the "/rrdp" endpoint. Prior to 0.12.1 a direct query for any existing directory under "/rrdp/", rather than an RRDP file such as "/rrdp/notification.xml" as would be expected, causes Krill to crash. If the built-in "/rrdp" endpoint is exposed directly to the internet, then malicious remote parties can cause the publication server to crash. The repository content is not affected by this, but the availability of the server and repository can cause issues if this attack is persistent and is not mitigated. .

Mitre reports:

etserver and etclient have predictable logfile names in /tmp and they are world-readable logfiles

MITRE reports:

It seems #90 is not completely fixed in 7.8. (that is, even after CVE-2017-1000501 and CVE-2020-29600 are fixed). In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.

Peter Ammon reports:

fish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs git commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the fish_git_prompt function from the prompt.

Oracle reports:

This Critical Patch Update contains 37 new security patches for Oracle MySQL. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network withouti requiring user credentials.

phpmyfaq developers report:

phpMyFAQ does not implement sufficient checks to avoid a stored XSS in "Add new question"

phpMyFAQ does not implement sufficient checks to avoid a stored XSS in admin user page

phpMyFAQ does not implement sufficient checks to avoid a stored XSS in FAQ comments

phpMyFAQ does not implement sufficient checks to avoid a blind stored XSS in admin open question page

phpMyFAQ does not implement sufficient checks to avoid a reflected XSS in the admin backend login

phpMyFAQ does not implement sufficient checks to avoid stored XSS on user, category, FAQ, news and configuration admin backend

phpMyFAQ does not implement sufficient checks to avoid weak passwords

Aaron Patterson reports:

CVE-2022-44570

Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.

CVE-2022-44571

Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

CVE-2022-44572

Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

The Apache httpd project reports:

mod_dav out of bounds read, or write of zero byte (CVE-2006-20001) (moderate)

mod_proxy_ajp Possible request smuggling (CVE-2022-36760) (moderate)

mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (CVE-2022-37436) (moderate)

The Redis core team reports:

CVE-2022-35977

Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic.

CVE-2023-22458

Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service.

CIRCL reports:

• CVE-2022-41966: XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream.
• CVE-2022-40151: If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

The Tor Project reports:

TROVE-2022-002: The SafeSocks option for SOCKS4(a) is inverted leading to SOCKS4 going through

This is a report from hackerone:

We have classified this as medium considering that tor was not defending in-depth for dangerous SOCKS request and so any user relying on SafeSocks 1 to make sure they don't link DNS leak and their Tor traffic wasn't safe afterall for SOCKS4(a). Tor Browser doesn't use SafeSocks 1 and SOCKS4 so at least the likely vast majority of users are not affected.

lu4nx reports:

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.

Gitlab reports:

Race condition on gitlab.com enables verified email forgery and third-party account hijacking

DOS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint

Maintainer can leak sentry token by changing the configured URL

Maintainer can leak masked webhook secrets by changing target URL of the webhook

Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP

Group access tokens continue to work after owner loses ability to revoke them

Users' avatar disclosure by user ID in private GitLab instances

Arbitrary Protocol Redirection in GitLab Pages

Regex DoS due to device-detector parsing user agents

Regex DoS in the Submodule Url Parser

Cassandra tema reports:

This release contains 6 security fixes including

• CVE-2022-24823: When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory
• CVE-2020-7238: Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.
• CVE-2019-2684: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE
• CVE-2022-25857: The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
• CVE-2022-42003: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
• CVE-2022-42004: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays.

Marcus Eriksson reports:

When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this.

The X.org project reports:

• CVE-2022-46340/ZDI-CAN-19265: X.Org Server XTestSwapFakeInput stack overflow

  The swap handler for the XTestFakeInput request of the XTest extension may corrupt the stack if GenericEvents with lengths larger than 32 bytes are sent through a the XTestFakeInput request.

  This issue does not affect systems where client and server use the same byte order.

• CVE-2022-46341/ZDI-CAN-19381: X.Org Server XIPassiveUngrab out-of-bounds access

  The handler for the XIPassiveUngrab request accesses out-of-bounds memory when invoked with a high keycode or button code.

• CVE-2022-46342/ZDI-CAN-19400: X.Org Server XvdiSelectVideoNotify use-after-free

  The handler for the XvdiSelectVideoNotify request may write to memory after it has been freed.

• CVE-2022-46343/ZDI-CAN-19404: X.Org Server ScreenSaverSetAttributes use-after-free

  The handler for the ScreenSaverSetAttributes request may write to memory after it has been freed.

• CVE-2022-46344/ZDI-CAN-19405: X.Org Server XIChangeProperty out-of-bounds access

  The handler for the XIChangeProperty request has a length-validation issues, resulting in out-of-bounds memory reads and potential information disclosure.

• CVE-2022-4283/ZDI-CAN-19530: X.Org Server XkbGetKbdByName use-after-free

  The XkbCopyNames function left a dangling pointer to freed memory, resulting in out-of-bounds memory access on subsequent XkbGetKbdByName requests.

mindrot project reports:

There is an integer overflow that occurs with very large log_rounds values, first reported by Marcus Rathsfeld.

Chrome Releases reports:

This release contains 17 security fixes, including:

• [1353208] High CVE-2023-0128: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-08-16
• [1382033] High CVE-2023-0129: Heap buffer overflow in Network Service. Reported by asnine on 2022-11-07
• [1370028] Medium CVE-2023-0130: Inappropriate implementation in Fullscreen API. Reported by Hafiizh on 2022-09-30
• [1357366] Medium CVE-2023-0131: Inappropriate implementation in iframe Sandbox. Reported by NDevTK on 2022-08-28
• [1371215] Medium CVE-2023-0132: Inappropriate implementation in Permission prompts. Reported by Jasper Rebane (popstonia) on 2022-10-05
• [1375132] Medium CVE-2023-0133: Inappropriate implementation in Permission prompts. Reported by Alesandro Ortiz on 2022-10-17
• [1385709] Medium CVE-2023-0134: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-17
• [1385831] Medium CVE-2023-0135: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-18
• [1356987] Medium CVE-2023-0136: Inappropriate implementation in Fullscreen API. Reported by Axel Chong on 2022-08-26
• [1399904] Medium CVE-2023-0137: Heap buffer overflow in Platform Apps. Reported by avaue and Buff3tts at S.S.L. on 2022-12-10
• [1346675] Low CVE-2023-0138: Heap buffer overflow in libphonenumber. Reported by Michael Dau on 2022-07-23
• [1367632] Low CVE-2023-0139: Insufficient validation of untrusted input in Downloads. Reported by Axel Chong on 2022-09-24
• [1326788] Low CVE-2023-0140: Inappropriate implementation in File System API. Reported by harrison.mitchell, cybercx.com.au on 2022-05-18
• [1362331] Low CVE-2023-0141: Insufficient policy enforcement in CORS. Reported by scarlet on 2022-09-12

cacti team reports:

A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device.

C. Michael Pilato reports:

security fix: escape revision view copy paths (#311) [CVE-2023-22464]

security fix: escape revision view changed paths (#311) [CVE-2023-22456]

Marc Lehmann reports:

The biggest issue is resolving CVE-2022-4170, which allows command execution inside urxvt from within the terminal (that means anything that can output text in the terminal can start commands in the context of the urxvt process, even remotely).

The Gitea team reports:

Remove ReverseProxy authentication from the API

Support Go Vulnerability Management

Forbid HTML string tooltips

Webtrees reports:

GEDCOM imports containing errors and HTML displayed unescaped.

Mediawikwi reports:

(T322637, CVE-2022-PENDING) SECURITY: Make sqlite DB files not world readable.

Netdata reports:

GHSA-xg38-3vmw-2978: Netdata Streaming Alert Command Injection

GHSA-jx85-39cw-66f2: Netdata Streaming Authentication Bypass

FreeRDP reports:

GHSA-5w4j-mrrh-jjrm: Out of bound read in zgfx decoder.

GHSA-99cm-4gw7-c8jh: Undefined behaviour in zgfx decoder.

GHSA-387j-8j96-7q35: Division by zero in urbdrc channel.

GHSA-mvxm-wfj2-5fvh: Missing length validation in urbdrc channel.

GHSA-qfq2-82qr-7f4j: Heap buffer overflow in urbdrc channel.

GHSA-c5xq-8v35-pffg: Missing path sanitation with `drive` channel.

GHSA-pmv3-wpw4-pw5h: Missing input length validation in `drive` channel.

The Gitea team reports:

Do not allow Ghost access to limited visible user/org

Fix package access for admins and inactive users

TYPO3 reports:

TYPO3-CORE-SA-2022-012: Denial of Service in Page Error Handling.

TYPO3-CORE-SA-2022-013: Weak Authentication in Frontend Login.

TYPO3-CORE-SA-2022-014: Insufficient Session Expiration after Password Reset.

TYPO3-CORE-SA-2022-015: Arbitrary Code Execution via Form Framework.

TYPO3-CORE-SA-2022-016: Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration.

TYPO3-CORE-SA-2022-017: By-passing Cross-Site Scripting Protection in HTML Sanitizer.

Daniel Stenberg reports:

CVE-2022-32221: POST following PUT confusion

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.

CVE-2022-35260: .netrc parser out-of-bounds access

curl can be told to parse a .netrc file for credentials. If that file ends in a line with consecutive non-white space letters and no newline, curl could read past the end of the stack-based buffer, and if the read works, write a zero byte possibly beyond its boundary. This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes. If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.

CVE-2022-42915: HTTP proxy double-free

f curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 response code to the client. Due to flaws in the error/cleanup handling, this could trigger a double-free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, telnet

CVE-2022-42916: HSTS bypass via IDN

curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) .. Like this: http://curl。se。

Chrome Releases reports:

This release contains 8 security fixes, including:

• [1383991] High CVE-2022-4436: Use after free in Blink Media. Reported by Anonymous on 2022-11-15
• [1394692] High CVE-2022-4437: Use after free in Mojo IPC. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-11-30
• [1381871] High CVE-2022-4438: Use after free in Blink Frames. Reported by Anonymous on 2022-11-07
• [1392661] High CVE-2022-4439: Use after free in Aura. Reported by Anonymous on 2022-11-22
• [1382761] Medium CVE-2022-4440: Use after free in Profiles. Reported by Anonymous on 2022-11-09

phpmyfaq developers report:

an authenticated SQL injection when adding categories in the admin backend

a stored cross-site scripting vulnerability in the category name

a stored cross-site scripting vulnerability in the admin logging

a stored cross-site scripting vulnerability in the FAQ title

a PostgreSQL based SQL injection for the lang parameter

a SQL injection when storing an instance name in the admin backend

a SQL injection when adding attachments in the admin backend

a stored cross-site scripting vulnerability when adding users by admins

a missing "secure" flag for cookies when using TLS

a cross-site request forgery / cross-site scripting vulnerability when saving new questions

a reflected cross-site scripting vulnerability in the admin backend

The Traefik project reports:

This update is recommended for all traefik users and provides following important security fixes:

• CVE-2022-23469: Authorization header displayed in the debug logs
• CVE-2022-46153: Routes exposed with an empty TLSOption in traefik

xrdp project reports:

This update is recommended for all xrdp users and provides following important security fixes:

• CVE-2022-23468
• CVE-2022-23477
• CVE-2022-23478
• CVE-2022-23479
• CVE-2022-23480
• CVE-2022-23481
• CVE-2022-23483
• CVE-2022-23482
• CVE-2022-23484
• CVE-2022-23493

These security issues are reported by Team BT5 (BoB 11th). We appreciate their great help with making and reviewing patches.

Python reports:

gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing.

gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.

gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name.

gh-98739: Update bundled libexpat to 2.5.0.

gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.

The Go project reports:

os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permitted access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") would open the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access.

In addition, on Windows, an os.DirFS for the directory \(the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system.

The behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

net/http: limit canonical header cache by bytes, not entries

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

Chrome Releases reports:

This release contains 1 security fix:

• [1394403] High CVE-2022-4262: Type Confusion in V8. Reported by Clement Lecigne of Google's Threat Analysis Group on 2022-11-29

Google is aware that an exploit for CVE-2022-4262 exists in the wild.

rpm project reports:

Fix intermediate symlinks not verified (CVE-2021-35939).

Fix subkey binding signatures not checked on PGP public keys (CVE-2021-3521).

Refactor file and directory operations to use fd-based APIs throughout (CVE-2021-35938)

Gitlab reports:

DAST API scanner exposes Authorization headers in vulnerabilities

Group IP allow-list not fully respected by the Package Registry

Deploy keys and tokens may bypass External Authorization service if it is enabled

Repository import still allows to import 40 hexadecimal branches

Webhook secret tokens leaked in webhook logs

Maintainer can leak webhook secret token by changing the webhook URL

Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP

Release names visible in public projects despite release set as project members only

Sidekiq background job DoS by uploading malicious NuGet packages

SSRF in Web Terminal advertise_address

Chrome Releases reports:

This release contains 28 security fixes, including:

• [1379054] High CVE-2022-4174: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2022-10-27
• [1381401] High CVE-2022-4175: Use after free in Camera Capture. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-11-04
• [1361066] High CVE-2022-4176: Out of bounds write in Lacros Graphics. Reported by @ginggilBesel on 2022-09-08
• [1379242] High CVE-2022-4177: Use after free in Extensions. Reported by Chaoyuan Peng (@ret2happy) on 2022-10-28
• [1376099] High CVE-2022-4178: Use after free in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2022-10-18
• [1377783] High CVE-2022-4179: Use after free in Audio. Reported by Sergei Glazunov of Google Project Zero on 2022-10-24
• [1378564] High CVE-2022-4180: Use after free in Mojo. Reported by Anonymous on 2022-10-26
• [1382581] High CVE-2022-4181: Use after free in Forms. Reported by Aviv A. on 2022-11-09
• [1368739] Medium CVE-2022-4182: Inappropriate implementation in Fenced Frames. Reported by Peter Nemeth on 2022-09-28
• [1251790] Medium CVE-2022-4183: Insufficient policy enforcement in Popup Blocker. Reported by David Sievers on 2021-09-22
• [1358647] Medium CVE-2022-4184: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2022-09-01
• [1373025] Medium CVE-2022-4185: Inappropriate implementation in Navigation. Reported by James Lee (@Windowsrcer) on 2022-10-10
• [1377165] Medium CVE-2022-4186: Insufficient validation of untrusted input in Downloads. Reported by Luan Herrera (@lbherrera_) on 2022-10-21
• [1381217] Medium CVE-2022-4187: Insufficient policy enforcement in DevTools. Reported by Axel Chong on 2022-11-04
• [1340879] Medium CVE-2022-4188: Insufficient validation of untrusted input in CORS. Reported by Philipp Beer (TU Wien) on 2022-06-30
• [1344647] Medium CVE-2022-4189: Insufficient policy enforcement in DevTools. Reported by NDevTK on 2022-07-15
• [1378997] Medium CVE-2022-4190: Insufficient data validation in Directory. Reported by Axel Chong on 2022-10-27
• [1373941] Medium CVE-2022-4191: Use after free in Sign-In. Reported by Jaehun Jeong(@n3sk) of Theori on 2022-10-12
• [1344514] Medium CVE-2022-4192: Use after free in Live Caption. Reported by Samet Bekmezci @sametbekmezci on 2022-07-14
• [1354518] Medium CVE-2022-4193: Insufficient policy enforcement in File System API. Reported by Axel Chong on 2022-08-19
• [1370562] Medium CVE-2022-4194: Use after free in Accessibility. Reported by Anonymous on 2022-10-03
• [1371926] Medium CVE-2022-4195: Insufficient policy enforcement in Safe Browsing. Reported by Eric Lawrence of Microsoft on 2022-10-06

Chrome Releases reports:

This release contains 1 security fix:

• [1392715] High CVE-2022-4135: Heap buffer overflow in GPU. Reported by Clement Lecigne of Google's Threat Analysis Group on 2022-11-22

Google is aware that an exploit for CVE-2022-4135 exists in the wild.

Tim Wojtulewicz of Corelight reports:

A specially-crafted series of HTTP 0.9 packets can cause Zeek to spend large amounts of time processing the packets.

A specially-crafted FTP packet can cause Zeek to spend large amounts of time processing the command.

A specially-crafted IPv6 packet can cause Zeek to overflow memory and potentially crash.

Hiroshi Tokumaru reports:

If an application that generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body.

Also, the contents for a CGI::Cookie object were not checked properly. If an application creates a CGI::Cookie object based on user input, an attacker may exploit it to inject invalid attributes in Set-Cookie header. We think such applications are unlikely, but we have included a change to check arguments for CGI::Cookie#initialize preventatively.

GitHub advisories reports:

Multiple vulnerabilities found in advancecomp including:

• Three segmentation faults.
• Heap buffer overflow via le_uint32_read at /lib/endianrw.h.
• Three more heap buffer overflows.

Tailscale team reports:

A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables.

Apache Tomcat reports:

If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

The CVSS score for this vulnerability is 7.5 High

MITKRB5-SA-2022-001 Vulnerabilities in PAC parsing:

Due to an integer overflow vulnerabilities in PAC parsing An authenticated attacker may be able to cause a KDC or kadmind process to crash by reading beyond the bounds of allocated memory, creating a denial of service.

On 32-bit platforms an authenticated attacker may be able to cause heap corruption resulting in an RCE.

Grafana Labs reports:

When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message.

The CVSS score for this vulnerability is 5.3 Moderate

IPython project reports:

IPython 8.0.1, 7.31.1 and 5.11 are security releases that change some default values in order to prevent potential Execution with Unnecessary Privileges.

Grafana Labs reports:

On July 4th as a result of an internal security audit we have discovered a bypass in the plugin signature verification by exploiting a versioning flaw.

We believe that this vulnerability is rated at CVSS 6.1 (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L).

Grafana Labs reports:

On September 7th as a result of an internal security audit we have discovered that Grafana could leak the authentication cookie of users to plugins. After further analysis the vulnerability impacts data source and plugin proxy endpoints under certain conditions.

We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)

Grafana Labs reports:

Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization.

The CVSS score for this vulnerability is 6.4 Moderate

Grafana Labs reports:

On June 26 a security researcher contacted Grafana Labs to disclose a vulnerability with the GitLab data source plugin that could leak the API key to GitLab. After further analysis the vulnerability impacts data source and plugin proxy endpoints with authentication tokens but under some conditions.

We believe that this vulnerability is rated at CVSS 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Grafana Labs reports:

On September 7, as a result of an internal security audit, we discovered a security vulnerability in Grafana’s basic authentication related to the usage of username and email address.

n Grafana, a user’s username and email address are unique fields, which means no other user can have the same username or email address as another user.

In addition, a user can have an email address as a username, and the Grafana login allows users to sign in with either username or email address. This creates an unusual behavior, where user_1 can register with one email address and user_2 can register their username as user_1’s email address. As a result, user_1 would be prevented from signing in to Grafana, since user_1 password won’t match with user_2 email address.

The CVSS score for this vulnerability is 4.3 moderate (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

Grafana Labs reports:

Internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the HTTP context creation could make a HTTP request being assigned the authentication/authorization middlewares of another call. Under heavy load it is possible that a call protected by a privileged middleware receives instead the middleware of a public query. As a result, an unauthenticated user can successfully query protected endpoints.

The CVSS score for this vulnerability is 9.8 Critical

phpmyfaq developers report:

a pre-auth SQL injection in then saving user comments

a reflected cross-site scripting vulnerability in the search

a stored cross-site scripting vulnerability in the meta data administration

a weak password requirement

Varnish Cache Project reports:

A request forgery attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker may introduce characters through the HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This may in turn be used to successfully exploit vulnerabilities in a server behind the Varnish server.

Tim Wojtulewicz of Corelight reports:

Fix an issue where a specially-crafted FTP packet can cause Zeek to spend large amounts of time attempting to search for valid commands in the data stream.

Fix a possible overflow in the Zeek dictionary code that may lead to a memory leak.

Fix an issue where a specially-crafted packet can cause Zeek to spend large amounts of time reporting analyzer violations.

Fix a possible assert and crash in the HTTP analyzer when receiving a specially crafted packet.

Fix an issue where a specially-crafted HTTP or SMTP packet can cause Zeek to spend a large amount of time attempting to search for filenames within the packet data.

Fix two separate possible crashes when converting processed IP headers for logging via the raw_packet event handlers.

Chrome Releases reports:

This release contains 10 security fixes, including:

• [1377816] High CVE-2022-3885: Use after free in V8. Reported by gzobqq@ on 2022-10-24
• [1372999] High CVE-2022-3886: Use after free in Speech Recognition. Reported by anonymous on 2022-10-10
• [1372695] High CVE-2022-3887: Use after free in Web Workers. Reported by anonymous on 2022-10-08
• [1375059] High CVE-2022-3888: Use after free in WebCodecs. Reported by Peter Nemeth on 2022-10-16
• [1380063] High CVE-2022-3889: Type Confusion in V8. Reported by anonymous on 2022-11-01
• [1380083] High CVE-2022-3890: Heap buffer overflow in Crashpad. Reported by anonymous on 2022-11-01

Varnish Cache Project reports:

A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend. Among the headers that can be filtered this way are both Content-Length and Host, making it possible for an attacker to both break the HTTP/1 protocol framing, and bypass request to host routing in VCL.

Mitre reports:

flaw was found in darkhttpd. Invalid error handling allows remote attackers to cause denial-of-service by accessing a file with a large modification date. The highest threat from this vulnerability is to system availability.

SO-AND-SO reports:

Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.

Gitlab reports:

DAST analyzer sends custom request headers with every request

Stored-XSS with CSP-bypass via scoped labels' color

Maintainer can leak Datadog API key by changing integration URL

Uncontrolled resource consumption when parsing URLs

Issue HTTP requests when users view an OpenAPI document and click buttons

Command injection in CI jobs via branch name in CI pipelines

Open redirection

Prefill variables do not check permission of the project in external CI config

Disclosure of audit events to insufficiently permissioned group and project members

Arbitrary GFM references rendered in Jira issue description leak private/confidential resources

Award emojis API for an internal note is accessible to users without access to the note

Open redirect in pipeline artifacts when generating HTML documents

Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines

Project-level Secure Files can be written out of the target directory

Pixman reports: for release 0.42.2

Avoid integer overflow leading to out-of-bounds write

The OpenSSL project reports:

X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602) (High): A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.

X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786) (High): A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.

The Go project reports:

syscall, os/exec: unsanitized NUL in environment variables

On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D".

Oracle reports:

This Critical Patch Update contains 37 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials

Chrome Releases reports:

This release contains 1 security fix:

• [1378239] High CVE-2022-3723: Type Confusion in V8. Reported by Jan VojteÅ¡ek, Milánek, and Przemek Gmerek of Avast on 2022-10-25

The Samba Team reports:

The DES (for Samba 4.11 and earlier) and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet.

Chrome Releases reports:

This release contains 14 security fixes, including:

• [1369871] High CVE-2022-3652: Type Confusion in V8. Reported by srodulv and ZNMchtss at S.S.L Team on 2022-09-30
• [1354271] High CVE-2022-3653: Heap buffer overflow in Vulkan. Reported by SeongHwan Park (SeHwa) on 2022-08-19
• [1365330] High CVE-2022-3654: Use after free in Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-09-19
• [1343384] Medium CVE-2022-3655: Heap buffer overflow in Media Galleries. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-07-11
• [1345275] Medium CVE-2022-3656: Insufficient data validation in File System. Reported by Ron Masas, Imperva on 2022-07-18
• [1351177] Medium CVE-2022-3657: Use after free in Extensions. Reported by Omri Bushari, Talon Cyber Security on 2022-08-09
• [1352817] Medium CVE-2022-3658: Use after free in Feedback service on Chrome OS. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-08-14
• [1355560] Medium CVE-2022-3659: Use after free in Accessibility. Reported by @ginggilBesel on 2022-08-23
• [1327505] Medium CVE-2022-3660: Inappropriate implementation in Full screen mode. Reported by Irvan Kurniawan (sourc7) on 2022-05-20
• [1350111] Low CVE-2022-3661: Insufficient data validation in Extensions. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2022-08-04

From libudisks 2.9.4 NEWS:

udiskslinuxblock: Fix leaking cleartext block interface

phpmyfaq developers report:

phpMyFAQ does not implement sufficient checks to avoid CSRF when logging out an user.

Python reports:

gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner.

gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.

NGINX Development Team reports:

Two security issues were identified in the ngx_http_mp4_module, which might allow an attacker to cause a worker process crash or worker process memory disclosure by using a specially crafted mp4 file, or might have potential other impact (CVE-2022-41741, CVE-2022-41742).

This release contains 2 security fixes:

CVE-2022-39253

When relying on the `--local` clone optimization, Git dereferences symbolic links in the source repository before creating hardlinks (or copies) of the dereferenced link in the destination repository. This can lead to surprising behavior where arbitrary files are present in a repository's `$GIT_DIR` when cloning from a malicious repository. Git will no longer dereference symbolic links via the `--local` clone mechanism, and will instead refuse to clone repositories that have symbolic links present in the `$GIT_DIR/objects` directory. Additionally, the value of `protocol.file.allow` is changed to be "user" by default.

CVE-2022-39260

An overly-long command string given to `git shell` can result in overflow in `split_cmdline()`, leading to arbitrary heap writes and remote code execution when `git shell` is exposed and the directory `$HOME/git-shell-commands` exists. `git shell` is taught to refuse interactive commands that are longer than 4MiB in size. `split_cmdline()` is hardened to reject inputs larger than 2GiB.

The OpenSSL project reports:

Using a Custom Cipher with NID_undef may lead to NULL encryption (low)

The Gitea team reports:

Sanitize and Escape refs in git backend

Bump golang.org/x/text

Update bluemonday

The Roundcube project reports:

Description:

Remote code execution vulnerability in roundcube-thunderbird_labels when tb_label_modify_labels is enabled.

Workaround:

If you cannot upgrade to roundcube-thunderbird_labels-1.4.13 disable the tb_label_modify_labels config option.

Chrome Releases reports:

This release contains 6 security fixes:

• [1364604] High CVE-2022-3445: Use after free in Skia. Reported by Nan Wang (@eternalsakura13) and Yong Liu of 360 Vulnerability Research Institute on 2022-09-16
• [1368076] High CVE-2022-3446: Heap buffer overflow in WebSQL. Reported by Kaijie Xu (@kaijieguigui) on 2022-09-26
• [1366582] High CVE-2022-3447: Inappropriate implementation in Custom Tabs. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2022-09-22
• [1363040] High CVE-2022-3448: Use after free in Permissions API. Reported by raven at KunLun lab on 2022-09-13
• [1364662] High CVE-2022-3449: Use after free in Safe Browsing. Reported by asnine on 2022-09-17
• [1369882] High CVE-2022-3450: Use after free in Peer Connection. Reported by Anonymous on 2022-09-30

The Samba Team reports:

CVE-2022-2031

The KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt each other's tickets. A user who has been requested to change their password can exploit this to obtain and use tickets to other services.

CVE-2022-32744

The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change the passwords of other users, enabling full domain takeover.

CVE-2022-32745

Samba AD users can cause the server to access uninitialised data with an LDAP add or modify request, usually resulting in a segmentation fault.

CVE-2022-32746

The AD DC database audit logging module can be made to access LDAP message values that have been freed by a preceding database module, resulting in a use-after-free. This is only possible when modifying certain privileged attributes, such as userAccountControl.

CVE-2022-32742

SMB1 Client with write access to a share can cause server memory contents to be written into a file or printer.

Lahav Schlesinger reported a bug related to online certificate revocation checking that can lead to a denial-of-service attack

.

Jenkins Security Advisory:

Description

(High) SECURITY-2886 / CVE-2022-41224

Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component.

Jenkins 2.370 escapes tooltips of the l:helpIcon UI component.

Due to a mistake in error handling, data in RRDP snapshot and delta files that isn’t correctly base 64 encoded is treated as a fatal error and causes Routinator to exit. Worst case impact of this vulnerability is denial of service for the RPKI data that Routinator provides to routers. This may stop your network from validating route origins based on RPKI data. This vulnerability does not allow an attacker to manipulate RPKI data. We are not aware of exploitation of this vulnerability at this point in time. Starting with release 0.11.3, Routinator handles encoding errors by rejecting the snapshot or delta file and continuing with validation. In case of an invalid delta file, it will try using the snapshot instead. If a snapshot file is invalid, the update of the repository will fail and an update through rsync is attempted.

.

Django reports:

CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs.

The Go project reports:

archive/tar: unbounded memory consumption when reading headers

Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB.

net/http/httputil: ReverseProxy should not forward unparseable query parameters

Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value.

ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

regexp/syntax: limit memory used by parsing regexps

The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.

Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected.

Zyantific reports:

Zydis users of versions v3.2.0 and older that use the string functions provided in zycore in order to append untrusted user data to the formatter buffer within their custom formatter hooks can run into heap buffer overflows. Older versions of Zydis failed to properly initialize the string object within the formatter buffer, forgetting to initialize a few fields, leaving their value to chance. This could then in turn cause zycore functions like ZyanStringAppend to make incorrect calculations for the new target size, resulting in heap memory corruption.

Mediawiki reports:

(T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions..

(T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users.

(T307278, CVE-2022-41766) SECURITY: On action=rollback the message "alreadyrolled" can leak revision deleted user name.

Gitlab reports:

Denial of Service via cloning an issue

Arbitrary PUT request as victim user through Sentry error list

Content injection via External Status Checks

Project maintainers can access Datadog API Key from logs

Unsafe serialization of Json data could lead to sensitive data leakage

Import bug allows importing of private local git repos

Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)

Unauthorized users able to create issues in any project

Bypass group IP restriction on Dependency Proxy

Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system

Disclosure of Todo details to guest users

A user's primary email may be disclosed through group member events webhooks

Content manipulation due to branch/tag name confusion with the default branch name

Leakage of email addresses in WebHook logs

Specially crafted output makes job logs inaccessible

Enforce editing approval rules on project level

Chrome Releases reports:

This release contains 3 security fixes, including:

• [1366813] High CVE-2022-3370: Use after free in Custom Elements. Reported by Aviv A. on 2022-09-22
• [1366399] High CVE-2022-3373: Out of bounds write in V8. Reported by Tibor Klajnscek on 2022-09-21

A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation.

.

Matrix developers report:

Two critical severity vulnerabilities in end-to-end encryption were found in the SDKs which power Element, Beeper, Cinny, SchildiChat, Circuli, Synod.im and any other clients based on matrix-js-sdk, matrix-ios-sdk or matrix-android-sdk2.

Debian Security Advisory reports:

Rhodri James discovered a heap use-after-free vulnerability in the doContent function in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.

Chrome Releases reports:

This release contains 20 security fixes, including:

• [1358907] High CVE-2022-3304: Use after free in CSS. Reported by Anonymous on 2022-09-01
• [1343104] High CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. Reported by NDevTK on 2022-07-09
• [1319229] High CVE-2022-3305: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-24
• [1320139] High CVE-2022-3306: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-27
• [1323488] High CVE-2022-3307: Use after free in Media. Reported by Anonymous Telecommunications Corp. Ltd. on 2022-05-08
• [1342722] Medium CVE-2022-3308: Insufficient policy enforcement in Developer Tools. Reported by Andrea Cappa (zi0Black) @ Shielder on 2022-07-08
• [1348415] Medium CVE-2022-3309: Use after free in Assistant. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2022-07-29
• [1240065] Medium CVE-2022-3310: Insufficient policy enforcement in Custom Tabs. Reported by Ashwin Agrawal from Optus, Sydney on 2021-08-16
• [1302813] Medium CVE-2022-3311: Use after free in Import. Reported by Samet Bekmezci @sametbekmezci on 2022-03-04
• [1303306] Medium CVE-2022-3312: Insufficient validation of untrusted input in VPN. Reported by Andr.Ess on 2022-03-06
• [1317904] Medium CVE-2022-3313: Incorrect security UI in Full Screen. Reported by Irvan Kurniawan (sourc7) on 2022-04-20
• [1328708] Medium CVE-2022-3314: Use after free in Logging. Reported by Anonymous on 2022-05-24
• [1322812] Medium CVE-2022-3315: Type confusion in Blink. Reported by Anonymous on 2022-05-05
• [1333623] Low CVE-2022-3316: Insufficient validation of untrusted input in Safe Browsing. Reported by Sven Dysthe (@svn_dy) on 2022-06-07
• [1300539] Low CVE-2022-3317: Insufficient validation of untrusted input in Intents. Reported by Hafiizh on 2022-02-24
• [1318791] Low CVE-2022-3318: Use after free in ChromeOS Notifications. Reported by GraVity0 on 2022-04-22

Mikhail Evdokimov (aka konata) reports:

Due to inconsistent handling of internal URIs Squid is vulnerable to Exposure of Sensitive Information about clients using the proxy. This problem allows a trusted client to directly access cache manager information bypassing the manager ACL protection. The available cache manager information contains records of internal network structure, client credentials, client identity and client traffic behaviour.

Grafana Labs reports:

On August 9 an internal security review identified a vulnerability in the Grafana which allows an escalation from Admin privileges to Server Admin when Auth proxy authentication is used.

Auth proxy allows to authenticate a user by only providing the username (or email) in a X-WEBAUTH-USER HTTP header: the trust assumption is that a front proxy will take care of authentication and that Grafana server is publicly reachable only with this front proxy.

Datasource proxy breaks this assumption:

• it is possible to configure a fake datasource pointing to a localhost Grafana install with a X-WEBAUTH-USER HTTP header containing admin username.
• This fake datasource can be called publicly via this proxying feature.

The CVSS score for this vulnerability is 6.6 Moderate (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

The Redis core team reports:

Executing a XAUTOCLAIM command on a stream key in a specific state, with a specially crafted COUNT argument, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. The problem affects Redis versions 7.0.0 or newer.

Tim Wojtulewicz of Corelight reports:

Fix a possible overflow and crash in the ICMP analyzer when receiving a specially crafted packet.

Fix a possible overflow and crash in the IRC analyzer when receiving a specially crafted packet.

Fix a possible overflow and crash in the SMB analyzer when receiving a specially crafted packet.

Fix two possible crashes when converting IP headers for output via the raw_packet event.

Puppet reports:

The org.postgresql/postgresql driver has been updated to version 42.4.1 to address CVE-2022-31197, which is an SQL injection risk that according to the CVE report, can only be exploited if an attacker controls the database to the extent that they can adjust relevant tables to have "malicious" column names.

Chrome Releases reports:

This release includes 11 security fixes, including:

• [1358381] High CVE-2022-3195: Out of bounds write in Storage. Reported by Ziling Chen and Nan Wang (@eternalsakura13) of 360 Vulnerability Research Institute on 2022-08-31
• [1358090] High CVE-2022-3196: Use after free in PDF. Reported by triplepwns on 2022-08-30
• [1358075] High CVE-2022-3197: Use after free in PDF. Reported by triplepwns on 2022-08-30
• [1355682] High CVE-2022-3198: Use after free in PDF. Reported by MerdroidSG on 2022-08-23
• [1355237] High CVE-2022-3199: Use after free in Frames. Reported by Anonymous on 2022-08-22
• [1355103] High CVE-2022-3200: Heap buffer overflow in Internals. Reported by Richard Lorenz, SAP on 2022-08-22
• [1343104] High CVE-2022-3201: Insufficient validation of untrusted input in DevTools. Reported by NDevTK on 2022-07-09

Dendrite team reports:

Events retrieved from a remote homeserver using /get_missing_events did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint.

Note that this does not apply to events retrieved through other endpoints (e.g. /event, /state) as they have been correctly verified.

Homeservers that have federation disabled are not vulnerable.

The Gitea team reports:

Double check CloneURL is acceptable

Add more checks in migration code

Python reports:

gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity.

gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.

The Go project reports:

net/http: handle server errors after sending GOAWAY

A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

net/url: JoinPath does not strip relative path components in all circumstances

JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path.

Chrome Releases reports:

This release contains 1 security fix:

• [1358134] High CVE-2022-3075: Insufficient data validation in Mojo. Reported by Anonymous on 2022-08-30

Google is aware that an exploit of CVE-2022-3075 exists in the wild.

PowerDNS Team reports:

PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation.

Grafana Labs reports:

On July 21, an internal security review identified an unauthorized file disclosure vulnerability in the Grafana Image Renderer plugin when HTTP remote rendering is used. The Chromium browser embedded in the Grafana Image Renderer allows for “printing” of unauthorized files in a PNG file. This makes it possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake data source (this applies if the user has admin permissions in Grafana).

Problem Description:

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field.

Impact:

Applications that call inflateGetHeader may be vulnerable to a buffer overflow. Note that inflateGetHeader is not used by anything in the FreeBSD base system, but may be used by third party software.

Matrix developers report:

The vulnerabilities give an adversary who you share a room with the ability to carry out a denial-of-service attack against the affected clients, making it not show all of a user's rooms or spaces and/or causing minor temporary corruption.

Chrome Releases reports:

This release contains 24 security fixes, including:

• [1340253] Critical CVE-2022-3038: Use after free in Network Service. Reported by Sergei Glazunov of Google Project Zero on 2022-06-28
• [1343348] High CVE-2022-3039: Use after free in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-07-11
• [1341539] High CVE-2022-3040: Use after free in Layout. Reported by Anonymous on 2022-07-03
• [1345947] High CVE-2022-3041: Use after free in WebSQL. Reported by Ziling Chen and Nan Wang(@eternalsakura13) of 360 Vulnerability Research Institute on 2022-07-20
• [1338553] High CVE-2022-3042: Use after free in PhoneHub. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-06-22
• [1336979] High CVE-2022-3043: Heap buffer overflow in Screen Capture. Reported by @ginggilBesel on 2022-06-16
• [1051198] High CVE-2022-3044: Inappropriate implementation in Site Isolation. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-02-12
• [1339648] High CVE-2022-3045: Insufficient validation of untrusted input in V8. Reported by Ben Noordhuis on 2022-06-26
• [1346245] High CVE-2022-3046: Use after free in Browser Tag. Reported by Rong Jian of VRI on 2022-07-21
• [1342586] Medium CVE-2022-3047: Insufficient policy enforcement in Extensions API. Reported by Maurice Dauer on 2022-07-07
• [1303308] Medium CVE-2022-3048: Inappropriate implementation in Chrome OS lockscreen. Reported by Andr.Ess on 2022-03-06
• [1316892] Medium CVE-2022-3049: Use after free in SplitScreen. Reported by @ginggilBesel on 2022-04-17
• [1337132] Medium CVE-2022-3050: Heap buffer overflow in WebUI. Reported by Zhihua Yao of KunLun Lab on 2022-06-17
• [1345245] Medium CVE-2022-3051: Heap buffer overflow in Exosphere. Reported by @ginggilBesel on 2022-07-18
• [1346154] Medium CVE-2022-3052: Heap buffer overflow in Window Manager. Reported by Khalil Zhani on 2022-07-21
• [1267867] Medium CVE-2022-3053: Inappropriate implementation in Pointer Lock. Reported by Jesper van den Ende (Pelican Party Studios) on 2021-11-08
• [1290236] Medium CVE-2022-3054: Insufficient policy enforcement in DevTools. Reported by Kuilin Li on 2022-01-24
• [1351969] Medium CVE-2022-3055: Use after free in Passwords. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-08-11
• [1329460] Low CVE-2022-3056: Insufficient policy enforcement in Content Security Policy. Reported by Anonymous on 2022-05-26
• [1336904] Low CVE-2022-3057: Inappropriate implementation in iframe Sandbox. Reported by Gareth Heyes on 2022-06-16
• [1337676] Low CVE-2022-3058: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-06-20

Gitlab reports:

Remote Command Execution via GitHub import

Stored XSS via labels color

Content injection via Incidents Timeline description

Lack of length validation in Snippets leads to Denial of Service

Group IP allow-list not fully respected by the Package Registry

Abusing Gitaly.GetTreeEntries calls leads to denial of service

Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags

Regular Expression Denial of Service via special crafted input

Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events

Regex backtracking through the Commit message field

Read repository content via LivePreview feature

Denial of Service via the Create branch API

Denial of Service via Issue preview

IDOR in Zentao integration leaked issue details

Brute force attack may guess a password even when 2FA is enabled

Tim Wojtulewicz of Corelight reports:

Fix a possible overflow and crash in the ARP analyzer when receiving a specially crafted packet. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability.

Fix a possible overflow and crash in the Modbus analyzer when receiving a specially crafted packet. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability.

Fix two possible crashes when converting IP headers for output via the raw_packet event. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability. Note that the raw_packet event is not enabled by default so these are likely low-severity issues.

Fix an abort related to an error related to the ordering of record fields when processing DNS EDNS headers via events. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability. Note that the dns_EDNS events are not implemented by default so this is likely a low-severity issue.

The MariaDB project reports:

Multiple vulnerabilities, mostly segfaults, in the server component

Dendrite team reports:

The power level parsing within gomatrixserverlib was failing to parse the "events_default" key of the m.room.power_levels event, defaulting the event default power level to zero in all cases.

In rooms where the "events_default" power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers.

Gitlab reports:

Remote Command Execution via Github import

Drupal reports:

CVE-2022-31175: Cross-site scripting (XSS) caused by the editor instance destroying process.

Chrome Releases reports:

This release contains 11 security fixes, including:

• [1349322] Critical CVE-2022-2852: Use after free in FedCM. Reported by Sergei Glazunov of Google Project Zero on 2022-08-02
• [1337538] High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-06-18
• [1345042] High CVE-2022-2855: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-07-16
• [1338135] High CVE-2022-2857: Use after free in Blink. Reported by Anonymous on 2022-06-21
• [1341918] High CVE-2022-2858: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
• [1350097] High CVE-2022-2853: Heap buffer overflow in Downloads. Reported by Sergei Glazunov of Google Project Zero on 2022-08-04
• [1345630] High CVE-2022-2856: Insufficient validation of untrusted input in Intents. Reported by Ashley Shen and Christian Resell of Google Threat Analysis Group on 2022-07-19
• [1338412] Medium CVE-2022-2859: Use after free in Chrome OS Shell. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-22
• [1345193] Medium CVE-2022-2860: Insufficient policy enforcement in Cookies. Reported by Axel Chong on 2022-07-18
• [1346236] Medium CVE-2022-2861: Inappropriate implementation in Extensions API. Reported by Rong Jian of VRI on 2022-07-21

Apache Tomcat reports:

The Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.

The XFCE project reports:

Added mime type check to the gst-thumbnailer plugin to fix an undisclosed vulnerability.

Problem Description:

A particular case of memory sharing is mishandled in the virtual memory system. This is very similar to SA-21:08.vm, but with a different root cause.

Impact:

An unprivileged local user process can maintain a mapping of a page after it is freed, allowing that process to read private data belonging to other processes or the kernel.

Openwall oss-security reports:

We have discovered a critical arbitrary file write vulnerability in the rsync utility that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. Due to the insufficient controls inside the do_server_recv function a malicious rysnc server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories.

Problem Description:

When dumping core and saving process information, proc_getargv() might return an sbuf which have a sbuf_len() of 0 or -1, which is not properly handled.

Impact:

An out-of-bound read can happen when user constructs a specially crafted ps_string, which in turn can cause the kernel to crash.

Problem Description:

The aio_aqueue function, used by the lio_listio system call, fails to release a reference to a credential in an error case.

Impact:

An attacker may cause the reference count to overflow, leading to a use after free (UAF).

Problem Description:

The implementation of lib9p's handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory.

Impact:

The bug can be triggered by a malicious bhyve guest kernel to overwrite memory in the bhyve(8) process. This could potentially lead to user-mode code execution on the host, subject to bhyve's Capsicum sandbox.

Varnish Cache Project reports:

A denial of service attack can be performed against Varnish Cache servers by specially formatting the reason phrase of the backend response status line. In order to execute an attack, the attacker would have to be able to influence the HTTP/1 responses that the Varnish Server receives from its configured backends. A successful attack would cause the Varnish Server to assert and automatically restart.

The GnuTLS project reports:

When gnutls_pkcs7_verify cannot verify signature against given trust list, it starts creating a chain of certificates starting from identified signer up to known root. During the creation of this chain the signer certificate gets freed which results in double free when the same signer certificate is freed at the end of the algorithm.

wolfSSL blog reports:

In release 5.4.0 there were 3 vulnerabilities listed as fixed in wolfSSL. Two relatively new reports, one dealing with a DTLS 1.0/1.2 denial of service attack and the other a ciphertext attack on ECC/DH operations. The last vulnerability listed was a public disclosure of a previous attack on AMD devices fixed since wolfSSL version 5.1.0. Coordination of the disclosure of the attack was done responsibly, in cooperation with the researchers, waiting for the public release of the attack details since it affects multiple security libraries.

Django reports:

CVE-2022-36359: Potential reflected file download vulnerability in FileResponse.

The Gitea team reports:

Use git.HOME_PATH for Git HOME directory

Add write check for creating Commit status

Remove deprecated SSH ciphers from default

NLnet Labs reports:

novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating.

novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second level subdomain which the rogue nameserver provides new delegation information.

The Gitea team reports:

Add write check for creating Commit status

Check for permission when fetching user controlled issues

Chrome Releases reports:

This release contains 27 security fixes, including:

• [1325699] High CVE-2022-2603: Use after free in Omnibox. Reported by Anonymous on 2022-05-16
• [1335316] High CVE-2022-2604: Use after free in Safe Browsing. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-10
• [1338470] High CVE-2022-2605: Out of bounds read in Dawn. Reported by Looben Yang on 2022-06-22
• [1330489] High CVE-2022-2606: Use after free in Managed devices API. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-31
• [1286203] High CVE-2022-2607: Use after free in Tab Strip. Reported by @ginggilBesel on 2022-01-11
• [1330775] High CVE-2022-2608: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-06-01
• [1338560] High CVE-2022-2609: Use after free in Nearby Share. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-06-22
• [1278255] Medium CVE-2022-2610: Insufficient policy enforcement in Background Fetch. Reported by Maurice Dauer on 2021-12-09
• [1320538] Medium CVE-2022-2611: Inappropriate implementation in Fullscreen API. Reported by Irvan Kurniawan (sourc7) on 2022-04-28
• [1321350] Medium CVE-2022-2612: Side-channel information leakage in Keyboard input. Reported by Erik Kraft (erik.kraft5@gmx.at), Martin Schwarzl (martin.schwarzl@iaik.tugraz.at) on 2022-04-30
• [1325256] Medium CVE-2022-2613: Use after free in Input. Reported by Piotr Tworek (Vewd) on 2022-05-13
• [1341907] Medium CVE-2022-2614: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
• [1268580] Medium CVE-2022-2615: Insufficient policy enforcement in Cookies. Reported by Maurice Dauer on 2021-11-10
• [1302159] Medium CVE-2022-2616: Inappropriate implementation in Extensions API. Reported by Alesandro Ortiz on 2022-03-02
• [1292451] Medium CVE-2022-2617: Use after free in Extensions API. Reported by @ginggilBesel on 2022-01-31
• [1308422] Medium CVE-2022-2618: Insufficient validation of untrusted input in Internals. Reported by asnine on 2022-03-21
• [1332881] Medium CVE-2022-2619: Insufficient validation of untrusted input in Settings. Reported by Oliver Dunk on 2022-06-04
• [1337304] Medium CVE-2022-2620: Use after free in WebUI. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-17
• [1323449] Medium CVE-2022-2621: Use after free in Extensions. Reported by Huyna at Viettel Cyber Security on 2022-05-07
• [1332392] Medium CVE-2022-2622: Insufficient validation of untrusted input in Safe Browsing. Reported by Imre Rad (@ImreRad) and @j00sean on 2022-06-03
• [1337798] Medium CVE-2022-2623: Use after free in Offline. Reported by raven at KunLun lab on 2022-06-20
• [1339745] Medium CVE-2022-2624: Heap buffer overflow in PDF. Reported by YU-CHANG CHEN and CHIH-YEN CHANG, working with DEVCORE Internship Program on 2022-06-27

The Go project reports:

encoding/gob & math/big: decoding big.Float and big.Rat can panic

Decoding big.Float and big.Rat types can panic if the encoded message is too short.

Gitlab reports:

Revoke access to confidential notes todos

Pipeline subscriptions trigger new pipelines with the wrong author

Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email

Import via git protocol allows to bypass checks on repository

Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages

Maintainer can leak Packagist and other integration access tokens by changing integration URL

Unauthenticated access to victims Grafana datasources through path traversal

Unauthorized users can filter issues by contact and organization

Malicious Maintainer may change the visibility of project or a group

Stored XSS in job error messages

Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant

Non project members can view public project's Deploy Keys

IDOR in project with Jira integration leaks project owner's other projects Jira issues

Group Bot Users and Tokens not deleted after group deletion

Email invited members can join projects even after the member lock has been enabled

Datadog integration returns user emails

Oracle reports:

This Critical Patch Update contains 34 new security patches plus additional third party patches noted below for Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Oracle reports:

Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox.

Chrome Releases reports:

This release contains 11 security fixes, including:

• [1336266] High CVE-2022-2477: Use after free in Guest View. Reported by anonymous on 2022-06-14
• [1335861] High CVE-2022-2478: Use after free in PDF. Reported by triplepwns on 2022-06-13
• [1329987] High CVE-2022-2479: Insufficient validation of untrusted input in File. Reported by anonymous on 2022-05-28
• [1339844] High CVE-2022-2480: Use after free in Service Worker API. Reported by Sergei Glazunov of Google Project Zero on 2022-06-27
• [1341603] High CVE-2022-2481: Use after free in Views. Reported by YoungJoo Lee(@ashuu_lee) of CompSecLab at Seoul National University on 2022-07-04
• [1308341] Low CVE-2022-2163: Use after free in Cast UI and Toolbar. Reported by Chaoyuan Peng (@ret2happy) on 2022-03-21

The Redis core team reports:

A specially crafted XAUTOCLAIM command on a stream key in a specific state may result with heap overflow, and potentially remote code execution.

Grafana Labs reports:

It is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP to take over an existing Grafana account under some conditions.

Grafana Labs reports:

An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. (Note: Grafana Alerting is activated by default in Grafana 9.0.)

The Go project reports:

net/http: improper sanitization of Transfer-Encoding header

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected.

compress/gzip: stack exhaustion in Reader.Read

Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.

encoding/xml: stack exhaustion in Unmarshal

Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.

encoding/xml: stack exhaustion in Decoder.Skip

Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.

encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

path/filepath: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

io/fs: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.

The git project reports:

Git is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository.

mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../ directory traversal during the ZIP archive cleaning process. This primarily affects mat2 web instances, in which clients could obtain sensitive information via a crafted archive.

Gitlab reports:

Remote Command Execution via Project Imports

XSS in ZenTao integration affecting self hosted instances without strict CSP

XSS in project settings page

Unallowed users can read unprotected CI variables

IP allow-list bypass to access Container Registries

2FA status is disclosed to unauthenticated users

CI variables provided to runners outside of a group's restricted IP range

IDOR in sentry issues

Reporters can manage issues in error tracking

Regular Expression Denial of Service via malicious web server responses

Unauthorized read for conan repository

Open redirect vulnerability

Group labels are editable through subproject

Release titles visible for any users if group milestones are associated with any project releases

Restrict membership by email domain bypass

Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint

Node.js reports:

HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (Medium)(CVE-2022-32213)

The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

HTTP Request Smuggling - Improper Delimiting of Header Fields (Medium)(CVE-2022-32214)

The llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)(CVE-2022-32215)

The llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

DNS rebinding in --inspect via invalid IP addresses (High)(CVE-2022-32212)

The IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided (for instance 10.0.2.555 is provided), browsers (such as Firefox) will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MITM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884.

Attempt to read openssl.cnf from /home/iojs/build/ upon startup (Medium)(CVE-2022-32222)

When Node.js starts on linux based systems, it attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf, which ordinarily doesn't exist. On some shared systems an attacker may be able create this file and therefore affect the default OpenSSL configuration for other users.

OpenSSL - AES OCB fails to encrypt some bytes (Medium)(CVE-2022-2097)

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.

Chrome Releases reports:

This release contains 4 security fixes, including:

• [1341043] High CVE-2022-2294: Heap buffer overflow in WebRTC. Reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01
• [1336869] High CVE-2022-2295: Type Confusion in V8. Reported by avaue and Buff3tts at S.S.L. on 2022-06-16
• [1327087] High CVE-2022-2296: Use after free in Chrome OS Shell. Reported by Khalil Zhani on 2022-05-19

The OpenSSL project reports:

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed.

The OpenSSL project reports:

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation.

SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

SO-AND-SO reports:

CVE-2022-34265: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments.

Mediawiki reports:

(T308471) Username is not escaped in the "welcomeuser" message.

(T308473) Username not escaped in the contributions-title message.

(T309377, CVE-2022-29248) Update "guzzlehttp/guzzle" to version 6.5.6.

(T311384, CVE-2022-27776) Update "guzzlehttp/guzzle" to 6.5.8/7.4.5.

Matrix developers report:

This release fixes a vulnerability with Synapse's URL preview feature. URL previews of some web pages can lead to unbounded recursion, causing the request to either fail, or in some cases crash the running Synapse process.

Note that:

• Homeservers with the url_preview_enabled configuration option set to false (the default value) are unaffected.
• Instances with the enable_media_repo configuration option set to false are also unaffected, as this also disables the URL preview functionality.

The cURL project reports:

• CVE-2022-32205: Set-Cookie denial of service
• CVE-2022-32206: HTTP compression denial of service
• CVE-2022-32207: Unpreserved file permissions
• CVE-2022-32208: FTP-KRB bad message verification

Jenkins Security Advisory:

Description

(High) SECURITY-2781 / CVE-2022-34170 (SECURITY-2779), CVE-2022-34171 (SECURITY-2761), CVE-2022-34172 (SECURITY-2776), CVE-2022-34173 (SECURITY-2780)

Multiple XSS vulnerabilities

(Medium) SECURITY-2566 / CVE-2022-34174

Observable timing discrepancy allows determining username validity

(Medium) Unauthorized view fragment access

SECURITY-2777 / CVE-2022-34175

The OpenSSL project reports:

Circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review.

Chrome Releases reports:

This release contains 14 security fixes, including:

• [1335458] Critical CVE-2022-2156: Use after free in Base. Reported by Mark Brand of Google Project Zero on 2022-06-11
• [1327312] High CVE-2022-2157: Use after free in Interest groups. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-19
• [1321078] High CVE-2022-2158: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2022-04-29
• [1116450] Medium CVE-2022-2160: Insufficient policy enforcement in DevTools. Reported by David Erceg on 2020-08-14
• [1330289] Medium CVE-2022-2161: Use after free in WebApp Provider. Reported by Zhihua Yao of KunLun Lab on 2022-05-30
• [1307930] Medium CVE-2022-2162: Insufficient policy enforcement in File System API. Reported by Abdelhamid Naceri (halov) on 2022-03-19
• [1308341] Low CVE-2022-2163: Use after free in Cast UI and Toolbar. Reported by Chaoyuan Peng (@ret2happy) on 2022-03-21
• [1268445] Low CVE-2022-2164: Inappropriate implementation in Extensions API. Reported by José Miguel Moreno Computer Security Lab (COSEC) at UC3M on 2021-11-10
• [1250993] Low CVE-2022-2165: Insufficient data validation in URL formatting. Reported by Rayyan Bijoora on 2021-09-19

Zeyu Zhang reports:

In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request's body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization.

Unless you use mitmproxy to protect an HTTP/1 service, no action is required.

Tor organization reports:

TROVE-2022-001

Debian Security tracker reports:

ExifTool.pm in ExifTool before 12.38 mishandles a file special characters check, leading to command injection

XFCE Project reports:

Prevent executing possibly malicious .desktop files from online sources (ftp://, http:// etc.).

Numpy reports:

At most call-sites for PyArray_DescrNew, there are no validations of its return, but an invalid address may be returned.

The Apache httpd project reports:

• CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism. Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.
• CVE-2022-30556: Information Disclosure in mod_lua with websockets. Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
• CVE-2022-30522: mod_sed denial of service. If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
• CVE-2022-29404: Denial of service in mod_lua r:parsebody. In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.
• CVE-2022-28615: Read beyond bounds in ap_strcmp_match(). Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.
• CVE-2022-28614: read beyond bounds via ap_rwrite(). The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function.
• CVE-2022-28330: read beyond bounds in mod_isapi. Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module.
• CVE-2022-26377: mod_proxy_ajp: Possible request smuggling. Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to.

Chrome Releases reports:

This release contains 7 security fixes, including:

• [1326210] High CVE-2022-2007: Use after free in WebGPU. Reported by David Manouchehri on 2022-05-17
• [1317673] High CVE-2022-2008: Out of bounds memory access in WebGL. Reported by khangkito - Tran Van Khang (VinCSS) on 2022-04-19
• [1325298] High CVE-2022-2010: Out of bounds read in compositing. Reported by Mark Brand of Google Project Zero on 2022-05-13
• [1330379] High CVE-2022-2011: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-05-31

The Go project reports:

crypto/rand: rand.Read hangs with extremely large buffers

On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes.

crypto/tls: session tickets lack random ticket_age_add

Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

os/exec: empty Cmd.Path can result in running unintended binary on Windows

If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput are executed when Cmd.Path is unset and, in the working directory, there are binaries named either "..com" or "..exe", they will be executed.

path/filepath: Clean(`.\c:`) returns `c:` on Windows

On Windows, the filepath.Clean function could convert an invalid path to a valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

Nils Bars reports:

During the processing of [a specially fuzzed disk image], an out-of-bounds write is triggered and causes a segmentation fault (SIGSEGV).

Gitlab reports:

Account take over via SCIM email change

Stored XSS in Jira integration

Quick action commands susceptible to XSS

IP allowlist bypass when using Trigger tokens

IP allowlist bypass when using Project Deploy Tokens

Improper authorization in the Interactive Web Terminal

Subgroup member can list members of parent group

Group member lock bypass

Tim Wojtulewicz of Corelight reports:

Fix potential hang in the DNS analyzer when receiving a specially-crafted packet. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability.

Chrome Releases reports:

This release contains 32 security fixes, including:

• [1324864] Critical CVE-2022-1853: Use after free in Indexed DB. Reported by Anonymous on 2022-05-12
• [1320024] High CVE-2022-1854: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-04-27
• [1228661] High CVE-2022-1855: Use after free in Messaging. Reported by Anonymous on 2021-07-13
• [1323239] High CVE-2022-1856: Use after free in User Education. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-06
• [1227995] High CVE-2022-1857: Insufficient policy enforcement in File System API. Reported by Daniel Rhea on 2021-07-11
• [1314310] High CVE-2022-1858: Out of bounds read in DevTools. Reported by EllisVlad on 2022-04-07
• [1322744] High CVE-2022-1859: Use after free in Performance Manager. Reported by Guannan Wang (@Keenan7310) of Tencent Security Xuanwu Lab on 2022-05-05
• [1297209] High CVE-2022-1860: Use after free in UI Foundations. Reported by @ginggilBesel on 2022-02-15
• [1316846] High CVE-2022-1861: Use after free in Sharing. Reported by Khalil Zhani on 2022-04-16
• [1236325] Medium CVE-2022-1862: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2021-08-04
• [1292870] Medium CVE-2022-1863: Use after free in Tab Groups. Reported by David Erceg on 2022-02-01
• [1320624] Medium CVE-2022-1864: Use after free in WebApp Installs. Reported by Yuntao You (@GraVity0) of Bytedance Wuheng Lab on 2022-04-28
• [1289192] Medium CVE-2022-1865: Use after free in Bookmarks. Reported by Rong Jian of VRI on 2022-01-20
• [1292264] Medium CVE-2022-1866: Use after free in Tablet Mode. Reported by @ginggilBesel on 2022-01-29
• [1315563] Medium CVE-2022-1867: Insufficient validation of untrusted input in Data Transfer. Reported by Michal Bentkowski of Securitum on 2022-04-12
• [1301203] Medium CVE-2022-1868: Inappropriate implementation in Extensions API. Reported by Alesandro Ortiz on 2022-02-28
• [1309467] Medium CVE-2022-1869: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2022-03-23
• [1323236] Medium CVE-2022-1870: Use after free in App Service. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-06
• [1308199] Low CVE-2022-1871: Insufficient policy enforcement in File System API. Reported by Thomas Orlita on 2022-03-21
• [1310461] Low CVE-2022-1872: Insufficient policy enforcement in Extensions API. Reported by ChaobinZhang on 2022-03-26
• [1305394] Low CVE-2022-1873: Insufficient policy enforcement in COOP. Reported by NDevTK on 2022-03-11
• [1251588] Low CVE-2022-1874: Insufficient policy enforcement in Safe Browsing. Reported by hjy79425575 on 2021-09-21
• [1306443] Low CVE-2022-1875: Inappropriate implementation in PDF. Reported by NDevTK on 2022-03-15
• [1313600] Low CVE-2022-1876: Heap buffer overflow in DevTools. Reported by @ginggilBesel on 2022-04-06

The MariaDB project reports:

MariaDB fixed 23 vulnerabilities across all supported versions

Oracle reports:

The 2022 April Critical Patch Update contains 43 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The ClamAV project reports:

Fixed a possible double-free vulnerability in the OLE2 file parser. Issue affects versions 0.104.0 through 0.104.2. Issue identified by OSS-Fuzz.

Fixed a possible infinite loop vulnerability in the CHM file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

Fixed a possible NULL-pointer dereference crash in the scan verdict cache check. Issue affects versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2. Thank you to Alexander Patrakov and Antoine Gatineau for reporting this issue.

Fixed a possible infinite loop vulnerability in the TIFF file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. The issue only occurs if the "--alert-broken-media" ClamScan option is enabled. For ClamD, the affected option is "AlertBrokenMedia yes", and for libclamav it is the "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option. Thank you to Michał Dardas for reporting this issue.

Fixed a possible memory leak in the HTML file parser / Javascript normalizer. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

Fixed a possible multi-byte heap buffer overflow write vulnerability in the signature database load module. The fix was to update the vendored regex library to the latest version. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

The Go project reports:

When called with a non-zero flags parameter, the syscall.Faccessat function could incorrectly report that a file is accessible. This bug only occurs on Linux systems.

The curl project reports:

CVE-2022-27778: curl removes wrong file on error

CVE-2022-27779: cookie for trailing dot TLD

CVE-2022-27780: percent-encoded path separator in URL host

CVE-2022-27781: CERTINFO never-ending busy-loop

CVE-2022-27782: TLS and SSH connection too eager reuse

CVE-2022-30115: HSTS bypass via trailing dot

The PostgreSQL project reports:

Confine additional operations within "security restricted operation" sandboxes.

Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW, and pg_amcheck activated the "security restricted operation" protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.

Chrome Releases reports:

This release contains 13 security fixes, including:

• [1316990] High CVE-2022-1633: Use after free in Sharesheet. Reported by Khalil Zhani on 2022-04-18
• [1314908] High CVE-2022-1634: Use after free in Browser UI. Reported by Khalil Zhani on 2022-04-09
• [1319797] High CVE-2022-1635: Use after free in Permission Prompts. Reported by Anonymous on 2022-04-26
• [1297283] High CVE-2022-1636: Use after free in Performance APIs. Reported by Seth Brenith, Microsoft on 2022-02-15
• [1311820] High CVE-2022-1637: Inappropriate implementation in Web Contents. Reported by Alesandro Ortiz on 2022-03-31
• [1316946] High CVE-2022-1638: Heap buffer overflow in V8 Internationalization. Reported by DoHyun Lee (@l33d0hyun) of DNSLab, Korea University on 2022-04-17
• [1317650] High CVE-2022-1639: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-04-19
• [1320592] High CVE-2022-1640: Use after free in Sharing. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-28
• [1305068] Medium CVE-2022-1641: Use after free in Web UI Diagnostics. Reported by Rong Jian of VRI on 2022-03-10

Rainer Gerhards reports:

Modules for TCP syslog reception have a heap buffer overflow when octet-counted framing is used. The attacker can corrupt heap values, leading to data integrity issues and availability impact. Remote code execution is unlikely to happen but not impossible..

The gogs project reports:

Repository issues page allows HTML attachments with arbitrary JS code.

The Gitea team reports:

Escape git fetch remote in services/migrations/gitea_uploader.go

The OpenSSL project reports:

• The c_rehash script allows command injection (CVE-2022-1292) (Moderate)
  
  The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.
• OCSP_basic_verify may incorrectly verify the response signing certificate (CVE-2022-1343) (Moderate)
  
  The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify.
• Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434) (Low)
  
  The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable.
• Resource leakage when decoding certificates and keys (CVE-2022-1473) (Low)
  
  The OPENSSL_LH_flush() function, which empties a hash table, containsa bug that breaks reuse of the memory occuppied by the removed hash table entries.

Simon Scannell reports:

The code vulnerability can be easily exploited by an attacker by sending a malicious email to a victim that uses RainLoop as a mail client. When the email is viewed by the victim, the attacker gains full control over the session of the victim and can steal any of their emails, including those that contain highly sensitive information such as passwords, documents, and password reset links.

The Go project reports:

encoding/pem: fix stack overflow in Decode.

A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash.

crypto/elliptic: tolerate all oversized scalars in generic P-256.

A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.

crypto/x509: non-compliant certificates can cause a panic in Verify on macOS in Go 1.18.

Verifying certificate chains containing certificates which are not compliant with RFC 5280 causes Certificate.Verify to panic on macOS. These chains can be delivered through TLS and can cause a crypto/tls or net/http client to crash.

Ruby on Rails blog:

This is an announcement to let you know that Rails 7.0.2.4, 6.1.5.1, 6.0.4.8, and 5.2.7.1 have been released!

These are security releases so please update as soon as you can. Once again we've made these releases based on the last release tag, so hopefully upgrading will go smoothly.

The releases address two vulnerabilities, CVE-2022-22577, and CVS-2022-27777. They are both XSS vulnerabilities, so please take a look at the forum posts to see how (or if) they might possibly impact your application.

hiredis maintainers report:

Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted RESP mult-bulk protocol data. When parsing multi-bulk (array-like) replies, hiredis fails to check if count * sizeof(redisReply*) can be represented in SIZE_MAX. If it can not, and the calloc() call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow.

Chrome Releases reports:

This release contains 30 security fixes, including:

• [1313905] High CVE-2022-1477: Use after free in Vulkan. Reported by SeongHwan Park (SeHwa) on 2022-04-06
• [1299261] High CVE-2022-1478: Use after free in SwiftShader. Reported by SeongHwan Park (SeHwa) on 2022-02-20
• [1305190] High CVE-2022-1479: Use after free in ANGLE. Reported by Jeonghoon Shin of Theori on 2022-03-10
• [1307223] High CVE-2022-1480: Use after free in Device API. Reported by @uwu7586 on 2022-03-17
• [1302949] High CVE-2022-1481: Use after free in Sharing. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-03-04
• [1304987] High CVE-2022-1482: Inappropriate implementation in WebGL. Reported by Christoph Diehl, Microsoft on 2022-03-10
• [1314754] High CVE-2022-1483: Heap buffer overflow in WebGPU. Reported by Mark Brand of Google Project Zero on 2022-04-08
• [1297429] Medium CVE-2022-1484: Heap buffer overflow in Web UI Settings. Reported by Chaoyuan Peng (@ret2happy) on 2022-02-15
• [1299743] Medium CVE-2022-1485: Use after free in File System API. Reported by Anonymous on 2022-02-22
• [1314616] Medium CVE-2022-1486: Type Confusion in V8. Reported by Brendon Tiszka on 2022-04-08
• [1304368] Medium CVE-2022-1487: Use after free in Ozone. Reported by Sri on 2022-03-09
• [1302959] Medium CVE-2022-1488: Inappropriate implementation in Extensions API. Reported by Thomas Beverley from Wavebox.io on 2022-03-04
• [1300561] Medium CVE-2022-1489: Out of bounds memory access in UI Shelf. Reported by Khalil Zhani on 2022-02-25
• [1301840] Medium CVE-2022-1490: Use after free in Browser Switcher. Reported by raven at KunLun lab on 2022-03-01
• [1305706] Medium CVE-2022-1491: Use after free in Bookmarks. Reported by raven at KunLun lab on 2022-03-12
• [1315040] Medium CVE-2022-1492: Insufficient data validation in Blink Editing. Reported by Michal Bentkowski of Securitum on 2022-04-11
• [1275414] Medium CVE-2022-1493: Use after free in Dev Tools. Reported by Zhihua Yao of KunLun Lab on 2021-12-01
• [1298122] Medium CVE-2022-1494: Insufficient data validation in Trusted Types. Reported by Masato Kinugawa on 2022-02-17
• [1301180] Medium CVE-2022-1495: Incorrect security UI in Downloads. Reported by Umar Farooq on 2022-02-28
• [1306391] Medium CVE-2022-1496: Use after free in File Manager. Reported by Zhiyi Zhang and Zhunki from Codesafe Team of Legendsec at Qi'anxin Group on 2022-03-15
• [1264543] Medium CVE-2022-1497: Inappropriate implementation in Input. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-10-29
• [1297138] Low CVE-2022-1498: Inappropriate implementation in HTML Parser. Reported by SeungJu Oh (@real_as3617) on 2022-02-14
• [1000408] Low CVE-2022-1499: Inappropriate implementation in WebAuthentication. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-09-04
• [1223475] Low CVE-2022-1500: Insufficient data validation in Dev Tools. Reported by Hoang Nguyen on 2021-06-25
• [1293191] Low CVE-2022-1501: Inappropriate implementation in iframe. Reported by Oriol Brufau on 2022-02-02

The cURL project reports:

• OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
• Credential leak on redirect (CVE-2022-27774)
• Bad local IPv6 connection reuse (CVE-2022-27775)
• Auth/cookie leak on redirect (CVE-2022-27776)

Aviv Yahav reports:

CVE-2022-24735

By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user.

CVE-2022-24736

An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process.

Kazuhiro Ito reports:

Potential buffer overrun vulnerability is found in eb/multiplex.c.

Tim Wojtulewicz of Corelight reports:

Fix potential unbounded state growth in the FTP analyzer when receiving a specially-crafted stream of commands. This may lead to a buffer overflow and cause Zeek to crash. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerabilty.

RedHat reports:

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

reports:

SMTP Command Injection in Appointment Emails via Newlines: as newlines and special characters are not sanitized in the email value in the JSON request, a malicious attacker can inject newlines to break out of the `RCPT TO:` SMTP command and begin injecting arbitrary SMTP commands.

Chrome Releases reports:

This release contains 2 security fixes, including:

• [1315901] High CVE-2022-1364: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2022-0-13

The Asterisk project reports:

AST-2022-001 - When using STIR/SHAKEN, its possible to download files that are not certificates. These files could be much larger than what you would expect to download.

AST-2022-002 - When using STIR/SHAKEN, its possible to send arbitrary requests like GET to interfaces such as localhost using the Identity header.

The Asterisk project reports:

Some databases can use backslashes to escape certain characters, such as backticks. If input is provided to func_odbc which includes backslashes it is possible for func_odbc to construct a broken SQL query and the SQL query to fail.

piao reports:

Due to a bug in an internal function that converts a String to a Float, some convertion methods like Kernel#Float and String#to_f could cause buffer over-read. A typical consequence is a process termination due to segmentation fault, but in a limited circumstances, it may be exploitable for illegal memory read.

Composer developers reports:

The Composer method VcsDriver::getFileContent() with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used.

Subversion project reports:

Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.

While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed.

piao reports:

Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a "double free" vulnerability. Note that, in general, it is considered unsafe to create and use a Regexp object generated from untrusted input. In this case, however, following a comprehensive assessment, we treat this issue as a vulnerability.

Django Release reports:

CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra().

CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL.

Tavis Ormandy reports:

mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in message parts, for example fragments of other messages, passphrases or keys in replys

Chrome Releases reports:

This release contains 11 security fixes, including:

• [1285234] High CVE-2022-1305: Use after free in storage. Reported by Anonymous on 2022-01-07
• [1299287] High CVE-2022-1306: Inappropriate implementation in compositing. Reported by Sven Dysthe on 2022-02-21
• [1301873] High CVE-2022-1307: Inappropriate implementation in full screen. Reported by Irvan Kurniawan (sourc7) on 2022-03-01
• [1283050] High CVE-2022-1308: Use after free in BFCache. Reported by Samet Bekmezci (@sametbekmezci) on 2021-12-28
• [1106456] High CVE-2022-1309: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-07-17
• [1307610] High CVE-2022-1310: Use after free in regular expressions. Reported by Brendon Tiszka on 2022-03-18
• [1310717] High CVE-2022-1311: Use after free in Chrome OS shell. Reported by Nan Wang (@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-03-28
• [1311701] High CVE-2022-1312: Use after free in storage. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2022-03-30
• [1270539] Medium CVE-2022-1313: Use after free in tab groups. Reported by Thomas Orlita on 2021-11-16
• [1304658] Medium CVE-2022-1314: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2022-03-09

Problem Description:

The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. [CVE-2022-23084]

A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. [CVE-2022-23085]

Impact:

On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.

Problem Description:

Certain inputs can cause zlib's compression routine to overwrite an internal buffer with compressed data. This issue may require the use of uncommon or non-default compression parameters.

Impact:

The out-of-bounds write may result in memory corruption and an application crash or kernel panic.

Problem Description:

Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Other heap content would be overwritten if the specified size was too small.

Impact:

Users with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation. Note that the device node is only accessible to root and members of the operator group.

Problem Description:

The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets.

When checksum offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to specify the checksum offset in the on-stack buffer. The offset was not validated for certain packet types.

Impact:

A misbehaving bhyve guest could overwrite memory in the bhyve process on the host, possibly leading to code execution in the host context.

The bhyve process runs in a Capsicum sandbox, which (depending on the FreeBSD version and bhyve configuration) limits the impact of exploiting this issue.

Problem Description:

The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer.

Impact:

While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution.

Chrome Releases reports:

This release includes one security fix:

• [1311641] High CVE-2022-1232: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2022-03-30

Mediawiki reports:

(T297543, CVE-2022-28202) Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.

(T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki.

(T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file uploads with actor as a condition can result in a DoS.

(T297754, CVE-2022-28204) Special:WhatLinksHere can result in a DoS when a page is used on a extremely large number of other pages.

Gitlab reports:

Static passwords inadvertently set during OmniAuth-based registration

Stored XSS in notes

Stored XSS on Multi-word milestone reference

Denial of service caused by a specially crafted RDoc file

GitLab Pages access tokens can be reused on multiple domains

GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout

Incorrect include in pipeline definition exposes masked CI variables in UI

Regular expression denial of service in release asset link

Latest Commit details from private projects leaked to guest users via Merge Requests

CI/CD analytics are available even when public pipelines are disabled

Absence of limit for the number of tags that can be added to a runner can cause performance issues

Client DoS through rendering crafted comments

Blind SSRF Through Repository Mirroring

Bypass of branch restriction in Asana integration

Readable approval rules by Guest user

Redact InvalidURIError error messages

Project import maps members' created_by_id users based on source user ID

Petr Menšík reports:

Possible vulnerability [...] found in latest dnsmasq. It [was] found with help of oss-fuzz Google project by me and short after that independently also by Richard Johnson of Trellix Threat Labs.

It is affected only by DHCPv6 requests, which could be crafted to modify already freed memory. [...] We think it might be triggered remotely, but we do not think it could be used to execute remote code.

Youssef Rebahi-Gilbert reports:

When Gitea is built and configured for PAM authentication it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login.

Andrew Thornton reports:

When a location containing backslashes is presented, the existing protections against open redirect are bypassed, because browsers will convert adjacent forward and backslashes within the location to double forward slashes.

Chrome Releases reports:

This release contains 28 security fixes, including:

• [1292261] High CVE-2022-1125: Use after free in Portals. Reported by Khalil Zhani on 2022-01-29
• [1291891] High CVE-2022-1127: Use after free in QR Code Generator. Reported by anonymous on 2022-01-28
• [1301920] High CVE-2022-1128: Inappropriate implementation in Web Share API. Reported by Abdel Adim (@smaury92) Oisfi of Shielder on 2022-03-01
• [1300253] High CVE-2022-1129: Inappropriate implementation in Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on 2022-02-24
• [1142269] High CVE-2022-1130: Insufficient validation of untrusted input in WebOTP. Reported by Sergey Toshin of Oversecurity Inc. on 2020-10-25
• [1297404] High CVE-2022-1131: Use after free in Cast UI. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2022-02-15
• [1303410] High CVE-2022-1132: Inappropriate implementation in Virtual Keyboard. Reported by Andr.Ess on 2022-03-07
• [1305776] High CVE-2022-1133: Use after free in WebRTC. Reported by Anonymous on 2022-03-13
• [1308360] High CVE-2022-1134: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2022-03-21
• [1285601] Medium CVE-2022-1135: Use after free in Shopping Cart. Reported by Wei Yuan of MoyunSec VLab on 2022-01-09
• [1280205] Medium CVE-2022-1136: Use after free in Tab Strip. Reported by Krace on 2021-12-15
• [1289846] Medium CVE-2022-1137: Inappropriate implementation in Extensions. Reported by Thomas Orlita on 2022-01-22
• [1246188] Medium CVE-2022-1138: Inappropriate implementation in Web Cursor. Reported by Alesandro Ortiz on 2021-09-03
• [1268541] Medium CVE-2022-1139: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-11-10
• [1303253] Medium CVE-2022-1141: Use after free in File Manager. Reported by raven at KunLun lab on 2022-03-05
• [1303613] Medium CVE-2022-1142: Heap buffer overflow in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-03-07
• [1303615] Medium CVE-2022-1143: Heap buffer overflow in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-03-07
• [1304145] Medium CVE-2022-1144: Use after free in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-03-08
• [1304545] Medium CVE-2022-1145: Use after free in Extensions. Reported by Yakun Zhang of Baidu Security on 2022-03-09
• [1290150] Low CVE-2022-1146: Inappropriate implementation in Resource Timing. Reported by Sohom Datta on 2022-01-23

PowerDNS Team reports:

PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor.

PowerDNS Team reports:

PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor.

Chrome Releases reports:

This release contains 1 security fix:

• [1309225] High CVE-2022-1096: Type Confusion in V8. Reported by anonymous on 2022-03-23

Google is aware that an exploit for CVE-2022-1096 exists in the wild.

Debian Security Advisory reports:

A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed.

The Tcpdump Group reports:

heap-based use-after-free in extract_slice()

The Go project reports:

regexp: stack exhaustion compiling deeply nested expressions

On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB.

David Sommerseth reports:

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. This issue is resolved in OpenVPN 2.4.12 and v2.5.6.

The Weechat project reports:

After changing the options weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user, the TLS verification function is lost. Consequently, any connection to a server with TLS is made without verifying the certificate, which could lead to a man-in-the-middle attack. Connection to IRC servers with TLS is affected, as well as any connection a server made by a plugin or a script using the function hook_connect.

wordpress developers reports:

This security and maintenance release features 1 bug fix in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated. The security team would like to thank the following people for responsively reporting vulnerabilities, allowing them to be fixed in this release: -Melar Dev, for finding a Prototype Pollution Vulnerability in a jQuery dependency -Ben Bidner of the WordPress security team, for finding a Stored Cross Site Scripting Vulnerability -Researchers from Johns Hopkins University, for finding a Prototype Pollution Vulnerability in the block editor

Problem Description:

The paper "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation" reported a number of security vulnerabilities in the 802.11 specification related to frame aggregation and fragmentation.

Additionally, FreeBSD 12.x missed length validation of SSIDs and Information Elements (IEs).

Impact:

As reported on the FragAttacks website, the "design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings." Under suitable conditions an attacker may be able to extract sensitive data or inject data.

The OpenSSL project reports:

Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.

Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.

It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.

Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.

Thus vulnerable situations include:

• TLS clients consuming server certificates
• TLS servers consuming client certificates
• Hosting providers taking certificates or private keys from customers
• Certificate authorities parsing certification requests from subscribers
• Anything else which parses ASN.1 elliptic curve parameters

Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue.

The Apache httpd project reports:

• mod_lua: Use of uninitialized value of in r:parsebody (moderate) (CVE-2022-22719)

  A carefully crafted request body can cause a read to a random memory area which could cause the process to crash.

• HTTP request smuggling vulnerability (important) (CVE-2022-22720)

  httpd fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling

• core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (low) (CVE-2022-22721)

  If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes.

• mod_sed: Read/write beyond bounds (important) (CVE-2022-23924)

  Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data.

Chrome Releases reports:

This release contains 11 security fixes, including:

• [1299422] Critical CVE-2022-0971: Use after free in Blink Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-02-21
• [1301320] High CVE-2022-0972: Use after free in Extensions. Reported by Sergei Glazunov of Google Project Zero on 2022-02-28
• [1297498] High CVE-2022-0973: Use after free in Safe Browsing. Reported by avaue and Buff3tts at S.S.L. on 2022-02-15
• [1291986] High CVE-2022-0974: Use after free in Splitscreen. Reported by @ginggilBesel on 2022-01-28
• [1295411] High CVE-2022-0975: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-02-09
• [1296866] High CVE-2022-0976: Heap buffer overflow in GPU. Reported by Omair on 2022-02-13
• [1299225] High CVE-2022-0977: Use after free in Browser UI. Reported by Khalil Zhani on 2022-02-20
• [1299264] High CVE-2022-0978: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-02-20
• [1302644] High CVE-2022-0979: Use after free in Safe Browsing. Reported by anonymous on 2022-03-03
• [1302157] Medium CVE-2022-0980: Use after free in New Tab Page. Reported by Krace on 2022-03-02

NVD reports:

Teeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. A map parser does not validate m_Channels value coming from a map file, leading to a buffer overflow. A malicious server may offer a specially crafted map that will overwrite client's stack causing denial of service or code execution.

Gitlab reports:

Runner registration token disclosure through Quick Actions

Unprivileged users can add other users to groups through an API endpoint

Inaccurate display of Snippet contents can be potentially misleading to users

Environment variables can be leaked via the sendmail delivery method

Unauthenticated user enumeration on GraphQL API

Adding a mirror with SSH credentials can leak password

Denial of Service via user comments

The Asterisk project reports:

AST-2022-004 - The header length on incoming STUN messages that contain an ERROR-CODE attribute is not properly checked. This can result in an integer underflow. Note, this requires ICE or WebRTC support to be in use with a malicious remote party.

AST-2022-005 - When acting as a UAC, and when placing an outgoing call to a target that then forks Asterisk may experience undefined behavior (crashes, hangs, etc) after a dialog set is prematurely freed.

AST-2022-006 - If an incoming SIP message contains a malformed multi-part body an out of bounds read access may occur, which can result in undefined behavior. Note, its currently uncertain if there is any externally exploitable vector within Asterisk for this issue, but providing this as a security issue out of caution.

Chrome Releases reports:

This release contains 28 security fixes, including:

• [1289383] High CVE-2022-0789: Heap buffer overflow in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-01-21
• [1274077] High CVE-2022-0790: Use after free in Cast UI. Reported by Anonymous on 2021-11-26
• [1278322] High CVE-2022-0791: Use after free in Omnibox. Reported by Zhihua Yao of KunLun Lab on 2021-12-09
• [1285885] High CVE-2022-0792: Out of bounds read in ANGLE. Reported by Jaehun Jeong (@n3sk) of Theori on 2022-01-11
• [1291728] High CVE-2022-0793: Use after free in Views. Reported by Thomas Orlita on 2022-01-28
• [1294097] High CVE-2022-0794: Use after free in WebShare. Reported by Khalil Zhani on 2022-02-04
• [1282782] High CVE-2022-0795: Type Confusion in Blink Layout. Reported by 0x74960 on 2021-12-27
• [1295786] High CVE-2022-0796: Use after free in Media. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-02-10
• [1281908] High CVE-2022-0797: Out of bounds memory access in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-12-21
• [1283402] Medium CVE-2022-0798: Use after free in MediaStream. Reported by Samet Bekmezci @sametbekmezci on 2021-12-30
• [1279188] Medium CVE-2022-0799: Insufficient policy enforcement in Installer. Reported by Abdelhamid Naceri (halov) on 2021-12-12
• [1242962] Medium CVE-2022-0800: Heap buffer overflow in Cast UI. Reported by Khalil Zhani on 2021-08-24
• [1231037] Medium CVE-2022-0801: Inappropriate implementation in HTML parser. Reported by Michal Bentkowski of Securitum on 2021-07-20
• [1270052] Medium CVE-2022-0802: Inappropriate implementation in Full screen mode. Reported by Irvan Kurniawan (sourc7) on 2021-11-14
• [1280233] Medium CVE-2022-0803: Inappropriate implementation in Permissions. Reported by Abdulla Aldoseri on 2021-12-15
• [1264561] Medium CVE-2022-0804: Inappropriate implementation in Full screen mode. Reported by Irvan Kurniawan (sourc7) on 2021-10-29
• [1290700] Medium CVE-2022-0805: Use after free in Browser Switcher. Reported by raven at KunLun Lab on 2022-01-25
• [1283434] Medium CVE-2022-0806: Data leak in Canvas. Reported by Paril on 2021-12-31
• [1287364] Medium CVE-2022-0807: Inappropriate implementation in Autofill. Reported by Alesandro Ortiz on 2022-01-14
• [1292271] Medium CVE-2022-0808: Use after free in Chrome OS Shell. Reported by @ginggilBesel on 2022-01-29
• [1293428] Medium CVE-2022-0809: Out of bounds memory access in WebXR. Reported by @uwu7586 on 2022-02-03

Cyrus SASL 2.1.x Release Notes New in 2.1.28 reports:

Fix off by one error

The TYPO3 project reports:

The SVG sanitizer library enshrined/svg-sanitize before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML (fetched as text/html) was susceptible to cross-site scripting. Plain SVG files (fetched as image/svg+xml) were not affected.

The FLAC 1.3.4 release reports:

Fix 12 decoder bugs found by oss-fuzz.

Fix encoder bug CVE-2021-0561.

Crypto++ 8.6 release notes reports:

The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

Cyrus SASL 2.1.x Release Notes New in 2.1.28 reports:

Escape password for SQL insert/update commands.

Kenny Levinsen reports:

seatd-launch could use a user-specified socket path instead of the internally generated socket path, and would unlink the socket path before use to guard against collision with leftover sockets. This meant that a caller could freely control what file path would be unlinked and replaced with a user-owned seatd socket for the duration of the session.

If seatd-launch had the SUID bit set, this could be used by a malicious user to remove files with the privileges of the owner of seatd-launch, which is likely root, and replace it with a user-owned domain socket.

This does not directly allow retrieving the contents of existing files, and the user-owned socket file is at the current time not believed to be directly useful for further exploitation.

NVD reports:

python-tuf is a Python reference implementation of The Update Framework (TUF). In both clients (`tuf/client` and `tuf/ngclient`), there is a path traversal vulnerability that in the worst case can overwrite files ending in `.json` anywhere on the client system on a call to `get_one_valid_targetinfo()`. It occurs because the rolename is used to form the filename, and may contain path traversal characters (ie `../../name.json`). The impact is mitigated by a few facts: It only affects implementations that allow arbitrary rolename selection for delegated targets metadata, The attack requires the ability to A) insert new metadata for the path-traversing role and B) get the role delegated by an existing targets metadata, The written file content is heavily restricted since it needs to be a valid, signed targets file. The file extension is always .json. A fix is available in version 0.19 or newer. There are no workarounds that do not require code changes. Clients can restrict the allowed character set for rolenames, or they can store metadata in files named in a way that is not vulnerable: neither of these approaches is possible without modifying python-tuf.

The Qt Company reports:

Recently, the Qt Project's security team was made aware of an issue regarding QProcess and determined it to be a security issue on Unix-based platforms only. We do not believe this to be a considerable risk for applications as the likelihood of it being triggered is minimal.

Specifically, the problem is around using QProcess to start an application without having an absolute path, and as a result, it depends on it finding it in the PATH environment variable. As a result, it may be possible for an attacker to place their copy of the executable in question inside the working/current directory for the QProcess and have it invoked that instead.

Zhengjie Du reports:

There are some heap-buffer-overflows in mysofa2json of libmysofa. They are in function loudness, mysofa_check and readOHDRHeaderMessageDataLayout.

The Go project reports:

crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates

Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values.

math/big: prevent large memory consumption in Rat.SetString

An attacker can cause unbounded memory growth in a program using (*Rat).SetString due to an unhandled overflow.

cmd/go: prevent branches from materializing into versions

A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev") can be considered a valid version by the go command. Materializing versions from branches might be unexpected and bypass ACLs that limit the creation of tags but not branches.

MariaDB reports:

MariaDB reports 5 vulnerabilities in supported versions resulting from fuzzing tests

MariaDB reports:

MariaDB reports 5 vulnerabilities in supported versions without further detailed information.

Chrome Releases reports:

This release contains 11 security fixes, including:

• [1290008] High CVE-2022-0603: Use after free in File Manager. Reported by Chaoyuan Peng (@ret2happy) on 2022-01-22
• [1273397] High CVE-2022-0604: Heap buffer overflow in Tab Groups. Reported by Krace on 2021-11-24
• [1286940] High CVE-2022-0605: Use after free in Webstore API. Reported by Thomas Orlita on 2022-01-13
• [1288020] High CVE-2022-0606: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-01-17
• [1250655] High CVE-2022-0607: Use after free in GPU. Reported by 0x74960 on 2021-09-17
• [1270333] High CVE-2022-0608: Integer overflow in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-11-16
• [1296150] High CVE-2022-0609: Use after free in Animation. Reported by Adam Weidemann and Clément Lecigne of Google' Threat Analysis Group on 2022-02-10
• [1285449] Medium CVE-2022-0610: Inappropriate implementation in Gamepad API. Reported by Anonymous on 2022-01-08

xrdp project reports:

An integer underflow leading to a heap overflow in the sesman server allows any unauthenticated attacker which is accessible to a sesman server (listens by default on localhost when installing xrdp, but can be remote if configured otherwise) to execute code as root.

Twisted developers report:

Cookie and Authorization headers are leaked when following cross-origin redirects in twited.web.client.RedirectAgent and twisted.web.client.BrowserLikeRedirectAgent.

Node.js reports:

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)

Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.

Prototype pollution via console.table properties (Low)(CVE-2022-21824)

Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.

Grafana Labs reports:

On Jan. 16, an external security researcher, Jasu Viding contacted Grafana to disclose an XSS vulnerability in the way that Grafana handles data sources. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).

Grafana Labs reports:

On Jan. 18, security researchers @jub0bs and @abrahack contacted Grafana to disclose a CSRF vulnerability which allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).

Grafana Labs reports:

On Jan. 18, an external security researcher, Kürşad ALSAN from NSPECT.IO (@nspectio on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. This vulnerability only impacts the following API endpoints:

• /teams/:teamId - an authenticated attacker can view unintended data by querying for the specific team ID.
• /teams/:search - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.
• /teams/:teamId/members - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.

We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

Marc Cornellà reports:

Some prompt expansion sequences, such as %F, support 'arguments' which are themselves expanded in case they contain colour values, etc. This additional expansion would trigger PROMPT_SUBST evaluation, if enabled. This could be abused to execute code the user didn't expect. e.g., given a certain prompt configuration, an attacker could trick a user into executing arbitrary code by having them check out a Git branch with a specially crafted name.

Jenkins Security Advisory:

Description

(Medium) SECURITY-2602 / CVE-2021-43859 (upstream issue), CVE-2022-0538 (Jenkins-specific converters)

DoS vulnerability in bundled XStream library

The X.org project reports:

XLookupColor() and other X libraries function lack proper validation of the length of their string parameters. If those parameters can be controlled by an external application (for instance a color name that can be emitted via a terminal control sequence) it can lead to the emission of extra X protocol requests to the X server.

Gitlab reports:

Arbitrary POST requests via special HTML attributes in Jupyter Notebooks

DNS Rebinding vulnerability in Irker IRC Gateway integration

Missing certificate validation for external CI services

Blind SSRF Through Project Import

Open redirect vulnerability in Jira Integration

Issue link was disclosing the linked issue

Service desk email accessible by project non-members

Authenticated users can search other users by their private email

"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request

Deleting packages in bulk from package registries may cause table locks

Autocomplete enabled on specific pages

Possible SSRF due to not blocking shared address space

System notes reveals private project path when Issue is moved to a public project

Timeout for pages using Markdown

Certain branch names could not be protected

The Rust Security Response WG was notified that the std::fs::remove_dir_all standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete.

Emil Lerner reports:

When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerability to send internal state of h2o to backend servers controlled by the attacker or third party. Also, if there is an HTTP endpoint that reflects the traffic sent from the client, an attacker can use that reflector to obtain internal state of h2o.

This internal state includes traffic of other connections in unencrypted form and TLS session tickets.

This vulnerability exists in h2o server with HTTP/3 support, between commit 93af138 and d1f0f65. None of the released versions of h2o are affected by this vulnerability.

Problem Description:

Under certain conditions involving use of the highlight buffer while text is scrolling on the console, console data may overwrite data structures associated with the system console or other kernel memory.

Impact:

Users with access to the system console may be able to cause system misbehaviour.

Chrome Releases reports:

This release contains 27 security fixes, including:

• [1284584] High CVE-2022-0452: Use after free in Safe Browsing. Reported by avaue at S.S.L. on 2022-01-05
• [1284916] High CVE-2022-0453: Use after free in Reader Mode. Reported by Rong Jian of VRI on 2022-01-06
• [1287962] High CVE-2022-0454: Heap buffer overflow in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2022-01-17
• [1270593] High CVE-2022-0455: Inappropriate implementation in Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on 2021-11-16
• [1289523] High CVE-2022-0456: Use after free in Web Search. Reported by Zhihua Yao of KunLun Lab on 2022-01-21
• [1274445] High CVE-2022-0457: Type Confusion in V8. Reported by rax of the Group0x58 on 2021-11-29
• [1267060] High CVE-2022-0458: Use after free in Thumbnail Tab Strip. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-11-05
• [1244205] High CVE-2022-0459: Use after free in Screen Capture. Reported by raven (@raid_akame) on 2021-08-28
• [1250227] Medium CVE-2022-0460: Use after free in Window Dialog. Reported by 0x74960 on 2021-09-16
• [1256823] Medium CVE-2022-0461: Policy bypass in COOP. Reported by NDevTK on 2021-10-05
• [1270470] Medium CVE-2022-0462: Inappropriate implementation in Scroll. Reported by Youssef Sammouda on 2021-11-16
• [1268240] Medium CVE-2022-0463: Use after free in Accessibility. Reported by Zhihua Yao of KunLun Lab on 2021-11-09
• [1270095] Medium CVE-2022-0464: Use after free in Accessibility. Reported by Zhihua Yao of KunLun Lab on 2021-11-14
• [1281941] Medium CVE-2022-0465: Use after free in Extensions. Reported by Samet Bekmezci @sametbekmezci on 2021-12-22
• [1115460] Medium CVE-2022-0466: Inappropriate implementation in Extensions Platform. Reported by David Erceg on 2020-08-12
• [1239496] Medium CVE-2022-0467: Inappropriate implementation in Pointer Lock. Reported by Alesandro Ortiz on 2021-08-13
• [1252716] Medium CVE-2022-0468: Use after free in Payments. Reported by Krace on 2021-09-24
• [1279531] Medium CVE-2022-0469: Use after free in Cast. Reported by Thomas Orlita on 2021-12-14
• [1269225] Low CVE-2022-0470: Out of bounds memory access in V8. Reported by Looben Yang on 2021-11-11

The Samba Team reports:

• CVE-2021-43566: Malicious client using an SMB1 or NFS race to allow a directory to be created in an area of the server file system not exported under the share definition.
• CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share.
• CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution.
• CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services.

Varnish Cache Project reports:

A request smuggling attack can be performed on HTTP/1 connections on Varnish Cache servers. The smuggled request would be treated as an additional request by the Varnish server, go through normal VCL processing, and injected as a spurious response on the client connection.

The OpenSSL project reports:

BN_mod_exp may produce incorrect results on MIPS (Moderate)

There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.

Cary Phillips reports:

[OpenEXR Version 3.1.4 is a] patch release that [...] addresses one public security vulnerability: CVE-2021-45942 Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute [and several] specific OSS-fuzz issues [...].

huntr.dev reports:

In Mustache.php v2.0.0 through v2.14.0, Sections tag can lead to arbitrary php code execution even if strict_callables is true when section value is controllable.

Qualys reports:

We discovered a Local Privilege Escalation (from any user to root) in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution.

Strongswan Release Notes reports:

Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990.

Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991.

Strongswan Release Notes reports:

Fixed a vulnerability in the EAP client implementation that was caused by incorrectly handling early EAP-Success messages. It may allow to bypass the client and in some scenarios even the server authentication, or could lead to a denial-of-service attack. This vulnerability has been registered as CVE-2021-45079.

David Bouman reports:

AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow.

Aide uses a fixed size (16k bytes) for the return buffer in encode_base64/decode_base64 functions. This results in a segfault if aide processes a file with too large extended attribute value or ACL.

Chrome Releases reports:

This release contains 26 security fixes, including:

• [1284367] Critical CVE-2022-0289: Use after free in Safe browsing. Reported by Sergei Glazunov of Google Project Zero on 2022-01-05
• [1260134][1260007] High CVE-2022-0290: Use after free in Site isolation. Reported by Brendon Tiszka and Sergei Glazunov of Google Project Zero on 2021-10-15
• [1281084] High CVE-2022-0291: Inappropriate implementation in Storage. Reported by Anonymous on 2021-12-19
• [1270358] High CVE-2022-0292: Inappropriate implementation in Fenced Frames. Reported by Brendon Tiszka on 2021-11-16
• [1283371] High CVE-2022-0293: Use after free in Web packaging. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-30
• [1273017] High CVE-2022-0294: Inappropriate implementation in Push messaging. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-11-23
• [1278180] High CVE-2022-0295: Use after free in Omnibox. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-09
• [1283375] High CVE-2022-0296: Use after free in Printing. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-30
• [1274316] High CVE-2022-0297: Use after free in Vulkan. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-11-28
• [1212957] High CVE-2022-0298: Use after free in Scheduling. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-25
• [1275438] High CVE-2022-0300: Use after free in Text Input Method Editor. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-01
• [1276331] High CVE-2022-0301: Heap buffer overflow in DevTools. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-12-03
• [1278613] High CVE-2022-0302: Use after free in Omnibox. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-10
• [1281979] High CVE-2022-0303: Race in GPU Watchdog. Reported by Yigit Can YILMAZ (@yilmazcanyigit) on 2021-12-22
• [1282118] High CVE-2022-0304: Use after free in Bookmarks. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-22
• [1282354] High CVE-2022-0305: Inappropriate implementation in Service Worker API. Reported by @uwu7586 on 2021-12-23
• [1283198] High CVE-2022-0306: Heap buffer overflow in PDFium. Reported by Sergei Glazunov of Google Project Zero on 2021-12-29
• [1281881] Medium CVE-2022-0307: Use after free in Optimization Guide. Reported by Samet Bekmezci @sametbekmezci on 2021-12-21
• [1282480] Medium CVE-2022-0308: Use after free in Data Transfer. Reported by @ginggilBesel on 2021-12-24
• [1240472] Medium CVE-2022-0309: Inappropriate implementation in Autofill. Reported by Alesandro Ortiz on 2021-08-17
• [1283805] Medium CVE-2022-0310: Heap buffer overflow in Task Manager. Reported by Samet Bekmezci @sametbekmezci on 2022-01-03
• [1283807] Medium CVE-2022-0311: Heap buffer overflow in Task Manager. Reported by Samet Bekmezci @sametbekmezci on 2022-01-03

Oracle reports:

This Critical Patch Update contains 78 new security patches for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 7.4

The Prosody teaM reports:

It was discovered that an internal Prosody library to load XML based on does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).

The WordPress project reports:

• Issue with stored XSS through post slugs
• Issue with Object injection in some multisite installations
• SQL injection vulnerability in WP_Query
• SQL injection vulnerability in WP_Meta_Query

Laurent Delosieres reports:

Fix for invalid pointer read that may cause a crash. This issue affects 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json option) is enabled.

Gitlab reports:

Arbitrary file read via group import feature

Stored XSS in notes

Lack of state parameter on GitHub import project OAuth

Vulnerability related fields are available to unauthorized users on GraphQL API

Deleting packages may cause table locks

IP restriction bypass via GraphQL

Repository content spoofing using Git replacement references

Users can import members from projects that they are not a maintainer on through API

Possibility to direct user to malicious site through Slack integration

Bypassing file size limits to the NPM package repository

User with expired password can still access sensitive information

Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port

Jenkins Security Advisory:

Description

(Medium) SECURITY-2558 / CVE-2022-20612

CSRF vulnerability in build triggers

Upstream project reports:

Fix a bug affecting both uriNormalizeSyntax* and uriMakeOwner* functions where the text range in .hostText would not be duped using malloc but remain unchanged (and hence "not owned") for URIs with an IPv4 or IPv6 address hostname; depending on how an application uses uriparser, this could lead the application into a use-after-free situation. As the second half, fix uriFreeUriMembers* functions that would not free .hostText memory for URIs with an IPv4 or IPv6 address host; also, calling uriFreeUriMembers* multiple times on a URI of this very nature would result in trying to free pointers to stack (rather than heap) memory. Fix functions uriNormalizeSyntax* for out-of-memory situations (i.e. malloc returning NULL) for URIs containing empty segments (any of user info, host text, query, or fragment) where previously pointers to stack (rather than heap) memory were freed.

Django Release reports:

CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator.

CVE-2021-45116: Potential information disclosure in dictsort template filter.

CVE-2021-45452: Potential directory-traversal via Storage.save().

nlnetlabs reports:

Release 0.10.2 contains fixes for the following issues:

• Medium CVE-2021-43172: Infinite length chain of RRDP repositories. Credit: Koen van Hove. Date: 2021-11-09
• Medium CVE-2021-43173: Hanging RRDP request. Credit: Koen van Hove. Date: 2021-11-09
• Medium CVE-2021-43174: gzip transfer encoding caused out-of-memory crash. Credit Koen van Hove. Date: 2021-11-09

Chrome Releases reports:

This release contains 37 security fixes, including:

• [$TBD][1275020] Critical CVE-2022-0096: Use after free in Storage. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-11-30
• [1117173] High CVE-2022-0097: Inappropriate implementation in DevTools. Reported by David Erceg on 2020-08-17
• [1273609] High CVE-2022-0098: Use after free in Screen Capture. Reported by @ginggilBesel on 2021-11-24
• [1245629] High CVE-2022-0099: Use after free in Sign-in. Reported by Rox on 2021-09-01
• [1238209] High CVE-2022-0100: Heap buffer overflow in Media streams API. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-08-10
• [1249426] High CVE-2022-0101: Heap buffer overflow in Bookmarks. Reported by raven (@raid_akame) on 2021-09-14
• [1260129] High CVE-2022-0102: Type Confusion in V8 . Reported by Brendon Tiszka on 2021-10-14
• [1272266] High CVE-2022-0103: Use after free in SwiftShader. Reported by Abraruddin Khan and Omair on 2021-11-21
• [1273661] High CVE-2022-0104: Heap buffer overflow in ANGLE. Reported by Abraruddin Khan and Omair on 2021-11-25
• [1274376] High CVE-2022-0105: Use after free in PDF. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-11-28
• [1278960] High CVE-2022-0106: Use after free in Autofill. Reported by Khalil Zhani on 2021-12-10
• [1248438] Medium CVE-2022-0107: Use after free in File Manager API. Reported by raven (@raid_akame) on 2021-09-10
• [1248444] Medium CVE-2022-0108: Inappropriate implementation in Navigation. Reported by Luan Herrera (@lbherrera_) on 2021-09-10
• [1261689] Medium CVE-2022-0109: Inappropriate implementation in Autofill. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2021-10-20
• [1237310] Medium CVE-2022-0110: Incorrect security UI in Autofill. Reported by Alesandro Ortiz on 2021-08-06
• [1241188] Medium CVE-2022-0111: Inappropriate implementation in Navigation. Reported by garygreen on 2021-08-18
• [1255713] Medium CVE-2022-0112: Incorrect security UI in Browser UI. Reported by Thomas Orlita on 2021-10-04
• [1039885] Medium CVE-2022-0113: Inappropriate implementation in Blink. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
• [1267627] Medium CVE-2022-0114: Out of bounds memory access in Web Serial. Reported by Looben Yang on 2021-11-06
• [1268903] Medium CVE-2022-0115: Uninitialized Use in File API. Reported by Mark Brand of Google Project Zero on 2021-11-10
• [1272250] Medium CVE-2022-0116: Inappropriate implementation in Compositing. Reported by Irvan Kurniawan (sourc7) on 2021-11-20
• [1115847] Low CVE-2022-0117: Policy bypass in Service Workers. Reported by Dongsung Kim (@kid1ng) on 2020-08-13
• [1238631] Low CVE-2022-0118: Inappropriate implementation in WebShare. Reported by Alesandro Ortiz on 2021-08-11
• [1262953] Low CVE-2022-0120: Inappropriate implementation in Passwords. Reported by CHAKRAVARTHI (Ruler96) on 2021-10-25

The Roundcube project reports:

Cross-site scripting (XSS) via HTML messages with malicious CSS content

OpenDMARC releases prior to 1.4.1 are susceptible to the following vulnerabilities:

• (CVE-2019-16378) OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is prone to a signature-bypass vulnerability with multiple From: addresses, which might affect applications that consider a domain name to be relevant to the origin of an e-mail message.
• (CVE-2019-20790) OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.
• (CVE-2020-12272) OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message.
• (CVE-2020-12460) OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption.

Manuel Pégourié-Gonnard reports:

If mbedtls_ssl_set_session() or mbedtls_ssl_get_session() were to fail with MBEDTLS_ERR_SSL_ALLOC_FAILED (in an out of memory condition), then calling mbedtls_ssl_session_free() and mbedtls_ssl_free() in the usual manner would cause an internal session buffer to be freed twice, due to two structures both having valid pointers to it after a call to ssl_session_copy().

An attacker could potentially trigger the out of memory condition, and therefore use this bug to create memory corruption, which could then be further exploited or targetted.

OpenDMARC 1.4.1 and 1.4.1.1 will dereference a NULL pointer when encountering a multi-value From: header field. A remote attacker can send a specially crafted message resulting in a denial of service.

minio developers report:

AddUser() API endpoint was exposed to a legacy behavior. i.e it accepts a "policy" field

This API is mainly used to create a user or update a user's password.

However, a malicious client can hand-craft an HTTP API call that allows for updating Policy for a user and gaining higher privileges.

OpenSearch reports:

CVE-2021-45046 was issued shortly following the release of OpenSearch 1.2.1. This new CVE advises upgrading from Log4j 2.15.0 (used in OpenSearch 1.2.1) to Log4j 2.16.0. Out of an abundance of caution, the team is releasing OpenSearch 1.2.2 which includes Log4j 2.16.0. While there has been no observed reproduction of the issue described in CVE-2021-45046, Log4j 2.16.0 takes much more extensive JNDI mitigation measures.

OpenSearch reports:

CVE-2021-45105 for Log4j was issued after the release of OpenSearch 1.2.2. This CVE advises upgrading to Log4j 2.17.0. While there has been no observed reproduction of the issue described in CVE-2021-45105 in OpenSearch, we have released OpenSearch 1.2.3 which updates Log4j to version 2.17.0.

Mediawiki reports:

(T292763. CVE-2021-44854) REST API incorrectly publicly caches autocomplete search results from private wikis.

(T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via Special:ChangeContentModel.

(T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to replace the content of arbitrary pages.

(T297322, CVE-2021-44858) Unauthorized users can view contents of private wikis using various actions.

(T297574, CVE-2021-45038) Unauthorized users can access private wiki contents using rollback action

(T293589, CVE-2021-44855) Blind Stored XSS in VisualEditor media dialog.

(T294686) Special:Nuke doesn't actually delete pages.

Bobby Rauch of Accenture reports:

I ended up finding OpenGrok, and after careful testing, discovered that OpenGrok insecurely deserializes XML input, which can lead to Remote Code Execution. This vulnerability was found in all versions of OpenGrok <1.6.8 and was reported to Oracle. The vulnerability has now been patched in OpenGrok 1.6.9, and has been issued a CVE. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2322)

The Apache httpd project reports:

moderate: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier (CVE-2021-44224)

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).

high: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier (CVE-2021-44790)

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts).

Apache Software Foundation reports:

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Serviio reports:

Serviio is affectred by the log4j vulnerability.

Privoxy reports:

cgi_error_no_template(): Encode the template name to prevent XSS (cross-site scripting) when Privoxy is configured to servce the user-manual itself.

Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543. Reported by: Artem Ivanov

get_url_spec_param(): Free memory of compiled pattern spec before bailing. Reported by Joshua Rogers (Opera) who also provided the fix. Commit 652b4b7cb0. OVE-20211201-0003. CVE-2021-44540.

process_encrypted_request_headers(): Free header memory when failing to get the request destination. Reported by Joshua Rogers (Opera) who also provided the fix. Commit 0509c58045. OVE-20211201-0002. CVE-2021-44541.

send_http_request(): Prevent memory leaks when handling errors Reported by Joshua Rogers (Opera) who also provided the fix. Commit c48d1d6d08. OVE-20211201-0001. CVE-2021-44542.

The OpenSSL project reports:

Invalid handling of X509_verify_cert() internal errors in libssl (Moderate)

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses.

FreeBSD port maintainer reports:

Bastillion uses log4j.

Chrome Releases reports:

This release contains 5 security fixes, including:

• [1263457] Critical CVE-2021-4098: Insufficient data validation in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-10-26
• [1270658] High CVE-2021-4099: Use after free in Swiftshader. Reported by Aki Helin of Solita on 2021-11-16
• [1272068] High CVE-2021-4100: Object lifecycle issue in ANGLE. Reported by Aki Helin of Solita on 2021-11-19
• [1262080] High CVE-2021-4101: Heap buffer overflow in Swiftshader. Reported by Abraruddin Khan and Omair on 2021-10-21
• [1278387] High CVE-2021-4102: Use after free in V8. Reported by Anonymous on 2021-12-09

Matrix developers report:

Today we are releasing security updates to libolm, matrix-js-sdk, and several clients including Element Web / Desktop. Users are encouraged to upgrade as soon as possible.

These releases mitigate a buffer overflow in olm_session_describe, a libolm debugging function used by matrix-js-sdk in its end-to-end encryption (E2EE) implementation. If you rely on matrix-js-sdk for E2EE, you are affected.

OpenSearch reports:

A recently published security issue (CVE-2021-44228) affects several versions of the broadly-used Apache Log4j library. Some software in the OpenSearch project includes versions of Log4j referenced in this CVE. While, at time of writing, the team has not found a reproduceable example in OpenSearch of remote code execution (RCE) described in this issue, its severity is such that all users should take mitigation measures. As recommended by the advisory, the team has released OpenSearch 1.2.1, which updates Log4j to version 2.15.0. For those who cannot upgrade to 1.2.1, the Log4j website outlines additional measures to mitigate the issue. This patch release also addresses CVE-2021-4352 in the OpenSearch Docker distributions..

Solr reports:

Apache Solr affected by Apache Log4J

Openhab reports:

Any openHAB instance that is publicly available or which consumes untrusted content from remote servers is potentially a target of this attack.

GitHub Security Labs reports:

A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary .csv files through directory traversal. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: /api/plugins/.*/markdown/.* for .md files

GitHub Security Labs reports:

A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary .csv files through directory traversal. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: /api/ds/query

Apache Software Foundation repos:

Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or paramters can execute arbitrary code from attacker-controller LDAP servers when message lookup substitution is enabled.

Grafana Labs reports:

If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim’s browser.

The user visiting the malicious link must be unauthenticated, and the link must be for a page that contains the login button in the menu bar.

There are two ways an unauthenticated user can open a page in Grafana that contains the login button:

• Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.
• The link is to an unauthenticated page. The following pages are vulnerable:
  • /dashboard-solo/snapshot/*
  • /dashboard/snapshot/*
  • /invite/:code

The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }}

An example of an expression would be: {{constructor.constructor(‘alert(1)’)()}}. This can be included in the link URL like this:

https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1

When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated, and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.

NVD reports:

Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive.

Grafana Labs reports:

When the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin.

Grafana Labs reports:

Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: /public/plugins/<“plugin-id”> where <“plugin-id”> is the plugin ID for any installed plugin.

Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin so the following URLs are vulnerable for every instance:

• /public/plugins/alertlist/
• /public/plugins/annolist/
• /public/plugins/barchart/
• /public/plugins/bargauge/
• /public/plugins/candlestick/
• /public/plugins/cloudwatch/
• /public/plugins/dashlist/
• /public/plugins/elasticsearch/
• /public/plugins/gauge/
• /public/plugins/geomap/
• /public/plugins/gettingstarted/
• /public/plugins/grafana-azure-monitor-datasource/
• /public/plugins/graph/
• /public/plugins/heatmap/
• /public/plugins/histogram/
• /public/plugins/influxdb/
• /public/plugins/jaeger/
• /public/plugins/logs/
• /public/plugins/loki/
• /public/plugins/mssql/
• /public/plugins/mysql/
• /public/plugins/news/
• /public/plugins/nodeGraph/
• /public/plugins/opentsdb
• /public/plugins/piechart/
• /public/plugins/pluginlist/
• /public/plugins/postgres/
• /public/plugins/prometheus/
• /public/plugins/stackdriver/
• /public/plugins/stat/
• /public/plugins/state-timeline/
• /public/plugins/status-history/
• /public/plugins/table/
• /public/plugins/table-old/
• /public/plugins/tempo/
• /public/plugins/testdata/
• /public/plugins/text/
• /public/plugins/timeseries/
• /public/plugins/welcome/
• /public/plugins/zipkin/

The Go project reports:

net/http: limit growth of header canonicalization cache. An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.

syscall: don’t close fd 0 on ForkExec error. When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one.

Chrome Releases reports:

This release contains 22 security fixes, including:

• [1267661] High CVE-2021-4052: Use after free in web apps. Reported by Wei Yuan of MoyunSec VLab on 2021-11-07
• [1267791] High CVE-2021-4053: Use after free in UI. Reported by Rox on 2021-11-08
• [1265806] High CVE-2021-4079: Out of bounds write in WebRTC. Reported by Brendon Tiszka on 2021-11-01
• [1239760] High CVE-2021-4054: Incorrect security UI in autofill. Reported by Alesandro Ortiz on 2021-08-13
• [1268738] High CVE-2021-4078: Type confusion in V8. Reported by Nan Wang (@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2021-11-09
• [1266510] High CVE-2021-4055: Heap buffer overflow in extensions. Reported by Chen Rong on 2021-11-03
• [1260939] High CVE-2021-4056: Type Confusion in loader. Reported by @__R0ng of 360 Alpha Lab on 2021-10-18
• [1262183] High CVE-2021-4057: Use after free in file API. Reported by Sergei Glazunov of Google Project Zero on 2021-10-21
• [1267496] High CVE-2021-4058: Heap buffer overflow in ANGLE. Reported by Abraruddin Khan and Omair on 2021-11-06
• [1270990] High CVE-2021-4059: Insufficient data validation in loader. Reported by Luan Herrera (@lbherrera_) on 2021-11-17
• [1271456] High CVE-2021-4061: Type Confusion in V8. Reported by Paolo Severini on 2021-11-18
• [1272403] High CVE-2021-4062: Heap buffer overflow in BFCache. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-11-22
• [1273176] High CVE-2021-4063: Use after free in developer tools. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-11-23
• [1273197] High CVE-2021-4064: Use after free in screen capture. Reported by @ginggilBesel on 2021-11-23
• [1273674] High CVE-2021-4065: Use after free in autofill. Reported by 5n1p3r0010 on 2021-11-25
• [1274499] High CVE-2021-4066: Integer underflow in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2021-11-29
• [1274641] High CVE-2021-4067: Use after free in window manager. Reported by @ginggilBesel on 2021-11-29
• [1265197] Low CVE-2021-4068: Insufficient validation of untrusted input in new tab page. Reported by NDevTK on 2021-10-31

Gitlab reports:

Group members with developer role can escalate their privilege to maintainer on projects that they import

When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API

Collision in access memoization leads to potential elevated privileges on groups and projects

Project access token names are returned for unauthenticated requesters

Sensitive info disclosure in logs

Disclosure of a user's custom project and group templates

ReDoS in Maven package version

Potential denial of service via the Diff feature

Regular Expression Denial of Service via user comments

Service desk email accessible by any project member

Regular Expression Denial of Service via quick actions

IDOR in "external status check" API leaks data about any status check on the instance

Default branch name visible in public projects restricting access to the source code repository

Deploy token allows access to disabled project Wiki

Regular Expression Denial of Service via deploy Slash commands

Users can reply to Vulnerability Report discussions despite Only Project Members settings

Unauthorised deletion of protected branches

Author can approve Merge Request after having access revoked

HTML Injection via Swagger UI

The Mozilla project reports:

Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures (Critical)

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS.

Mark Sapiro reports:

A list moderator or list member can potentially carry out a CSRF attack by getting a list admin to visit a crafted web page.

chamal reports:

A security vulnerability that causes buffer overflow when you pass a very large string (> 700 MB) to CGI.escape_html on a platform where long type takes 4 bytes, typically, Windows.

ooooooo_q reports:

The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application.

By this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded.

Stanislav Valkanov reports:

Date's parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.

Matrix developers report:

This release patches one high severity issue affecting Synapse installations 1.47.0 and earlier using the media repository. An attacker could cause these Synapses to download a remote file and store it in a directory outside the media repository.

Note that:

• This only affects homeservers using Synapse's built-in media repository, as opposed to synapse-s3-storage-provider or matrix-media-repo.
• Attackers cannot control the exact name or destination of the stored file.

Joonun Jang reports:

heap buffer overflow running advzip with "-l poc" option

Running 'advzip -l poc' with the attached file raises heap buffer overflow which may allow a remote attacker to cause unspecified impact including denial-of-service attack. I expected the program to terminate without segfault, but the program crashes as follow. [...]

and other vulnerabilities.

Chrome Releases reports:

This release contains 25 security fixes, including:

• [1263620] High CVE-2021-38008: Use after free in media. Reported by Marcin Towalski of Cisco Talos on 2021-10-26
• [1260649] High CVE-2021-38009: Inappropriate implementation in cache. Reported by Luan Herrera (@lbherrera_) on 2021-10-16
• [1240593] High CVE-2021-38006: Use after free in storage foundation. Reported by Sergei Glazunov of Google Project Zero on 2021-08-17
• [1254189] High CVE-2021-38007: Type Confusion in V8. Reported by Polaris Feng and SGFvamll at Singular Security Lab on 2021-09-29
• [1241091] High CVE-2021-38005: Use after free in loader. Reported by Sergei Glazunov of Google Project Zero on 2021-08-18
• [1264477] High CVE-2021-38010: Inappropriate implementation in service workers. Reported by Sergei Glazunov of Google Project Zero on 2021-10-28
• [1268274] High CVE-2021-38011: Use after free in storage foundation. Reported by Sergei Glazunov of Google Project Zero on 2021-11-09
• [1262791] Medium CVE-2021-38012: Type Confusion in V8. Reported by Yonghwi Jin (@jinmo123) on 2021-10-24
• [1242392] Medium CVE-2021-38013: Heap buffer overflow in fingerprint recognition. Reported by raven (@raid_akame) on 2021-08-23
• [1248567] Medium CVE-2021-38014: Out of bounds write in Swiftshader. Reported by Atte Kettunen of OUSPG on 2021-09-10
• [957553] Medium CVE-2021-38015: Inappropriate implementation in input. Reported by David Erceg on 2019-04-29
• [1244289] Medium CVE-2021-38016: Insufficient policy enforcement in background fetch. Reported by Maurice Dauer on 2021-08-28
• [1256822] Medium CVE-2021-38017: Insufficient policy enforcement in iframe sandbox. Reported by NDevTK on 2021-10-05
• [1197889] Medium CVE-2021-38018: Inappropriate implementation in navigation. Reported by Alesandro Ortiz on 2021-04-11
• [1251179] Medium CVE-2021-38019: Insufficient policy enforcement in CORS. Reported by Maurice Dauer on 2021-09-20
• [1259694] Medium CVE-2021-38020: Insufficient policy enforcement in contacts picker. Reported by Luan Herrera (@lbherrera_) on 2021-10-13
• [1233375] Medium CVE-2021-38021: Inappropriate implementation in referrer. Reported by Prakash (@1lastBr3ath) and Jun Kokatsu on 2021-07-27
• [1248862] Low CVE-2021-38022: Inappropriate implementation in WebAuthentication. Reported by Michal Kepkowski on 2021-09-13

The Roundcube project reports:

XSS issue in handling attachment filename extension in mimetype mismatch warning

possible SQL injection via some session variables

Mark Sapiro reports:

A potential XSS attack via the user options page has been reported by Harsh Jaiswal. This is fixed. CVE-2021-43331 (LP: #1949401).

A potential for for a list moderator to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed. CVE-2021-43332 (LP: #1949403)

The PostgreSQL Project reports:

CVE-2021-23214: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)

CVE-2021-23222: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.

Puppet reports:

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007.

The Samba Team reports:

• CVE-2020-25717: A user in an AD Domain could become root on domain members.
• CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC.
• CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets.
• CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid).
• CVE-2020-25722: Samba AD DC did not do sufficient access and conformance checking of data stored.
• CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication.
• CVE-2021-3738: Use after free in Samba AD DC RPC server.
• CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.

Puppet reports:

A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first pluginsync.

Oracle reports:

This Critical Patch Update contains 66 new security patches for Oracle MySQL. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.8.

Note: MariaDB only vulnerable against CVE-2021-35604

Nathaniel McCallum reports:

packet.py in pyrad before 2.1 uses weak random numbers to generate RADIUS authenticators and hash passwords, which makes it easier for remote attackers to obtain sensitive information via a brute force attack.

The CreateID function in packet.py in pyrad before 2.1 uses sequential packet IDs, which makes it easier for remote attackers to spoof packets by predicting the next ID, a different vulnerability than CVE-2013-0294.

The Go project reports:

debug/macho fails out when loading a file that contains a dynamic symbol table command that indicates a larger number of symbols than exist in the loaded symbol table.

Previously, opening a zip with (*Reader).Open could result in a panic if the zip contained a file whose name was exclusively made up of slash characters or ".." path elements. Open could also panic if passed the empty string directly as an argument.

Jenkins Security Advisory:

Description

(Critical) SECURITY-2455 / CVE-2021-21685, CVE-2021-21686, CVE-2021-21687, CVE-2021-21688, CVE-2021-21689, CVE-2021-21690, CVE-2021-21691, CVE-2021-21692, CVE-2021-21693, CVE-2021-21694, CVE-2021-21695

Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control

(High) SECURITY-2423 / CVE-2021-21696

Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin

(High) SECURITY-2428 / CVE-2021-21697

Agent-to-controller access control allows reading/writing most content of build directories

(Medium) SECURITY-2506 / CVE-2021-21698

Path traversal vulnerability in Subversion Plugin allows reading arbitrary files

The Gitea Team reports for release 1.15.5:

• Upgrade Bluemonday to v1.0.16 (#17372) (#17374)
• Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)

Gitlab reports:

Stored XSS via ipynb files

Pipeline schedules on imported projects can be set to automatically active after import

Potential Denial of service via Workhorse

Improper Access Control allows Merge Request creator to bypass locked status

Projects API discloses ID and name of private groups

Severity of an incident can be changed by a guest user

System root password accidentally written to log file

Potential DoS via a malformed TIFF image

Bypass of CODEOWNERS Merge Request approval requirement

Change project visibility to a restricted option

Project exports leak external webhook token value

SCIM token is visible after creation

Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is transfered

Regular expression denial of service issue when cleaning namespace path

Prevent creation of scopeless apps using applications API

Webhook data exposes assignee's private email address

Chrome Releases reports:

This release contains 8 security fixes, including:

• [1259864] High CVE-2021-37997 : Use after free in Sign-In. Reported by Wei Yuan of MoyunSec VLab on 2021-10-14
• [1259587] High CVE-2021-37998 : Use after free in Garbage Collection. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-10-13
• [1251541] High CVE-2021-37999 : Insufficient data validation in New Tab Page. Reported by Ashish Arun Dhone on 2021-09-21
• [1249962] High CVE-2021-38000 : Insufficient validation of untrusted input in Intents. Reported by Clement Lecigne, Neel Mehta, and Maddie Stone of Google Threat Analysis Group on 2021-09-15
• [1260577] High CVE-2021-38001 : Type Confusion in V8. Reported by @s0rrymybad of Kunlun Lab via Tianfu Cup on 2021-10-16
• [1260940] High CVE-2021-38002 : Use after free in Web Transport. Reported by @__R0ng of 360 Alpha Lab, ? via Tianfu Cup on 2021-10-16
• [1263462] High CVE-2021-38003 : Inappropriate implementation in V8. Reported by Clément Lecigne from Google TAG and Samuel Gross from Google Project Zero on 2021-10-26

Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild.

Jakub Żoczek reports:

Command mail from mailutils package used in mail actions like mail-whois can execute command if unescaped sequences (\n~) are available in "foreign" input (for instance in whois output).

minio developers report:

Looks like policy restriction was not working properly for normal users when they are not svc or STS accounts.

• svc accounts are now properly fixed to get right permissions when its inherited, so we do not have to set 'owner = true'
• sts accounts have always been using right permissions, do not need an explicit lookup
• regular users always have proper policy mapping

Mark Sapiro reports:

A potential for for a list member to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed.

A CSRF attack via the user options page could allow takeover of a users account. This is fixed.

Chrome Releases reports:

This release contains 19 security fixes, including:

• [1246631] High CVE-2021-37981: Heap buffer overflow in Skia. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-09-04
• [1248661] High CVE-2021-37982: Use after free in Incognito. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-09-11
• [1249810] High CVE-2021-37983: Use after free in Dev Tools. Reported by Zhihua Yao of KunLun Lab on 2021-09-15
• [1253399] High CVE-2021-37984: Heap buffer overflow in PDFium. Reported by Antti Levomäki, Joonas Pihlaja andChristian Jali from Forcepoint on 2021-09-27
• [1241860] High CVE-2021-37985: Use after free in V8. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-08-20
• [1242404] Medium CVE-2021-37986: Heap buffer overflow in Settings. Reported by raven (@raid_akame) on 2021-08-23
• [1206928] Medium CVE-2021-37987: Use after free in Network APIs. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-08
• [1228248] Medium CVE-2021-37988: Use after free in Profiles. Reported by raven (@raid_akame) on 2021-07-12
• [1233067] Medium CVE-2021-37989: Inappropriate implementation in Blink. Reported by Matt Dyas, Ankur Sundara on 2021-07-26
• [1247395] Medium CVE-2021-37990: Inappropriate implementation in WebView. Reported by Kareem Selim of CyShield on 2021-09-07
• [1250660] Medium CVE-2021-37991: Race in V8. Reported by Samuel Gross of Google Project Zero on 2021-09-17
• [1253746] Medium CVE-2021-37992: Out of bounds read in WebAudio. Reported by sunburst@Ant Security Light-Year Lab on 2021-09-28
• [1255332] Medium CVE-2021-37993: Use after free in PDF Accessibility. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-10-02
• [1243020] Medium CVE-2021-37996: Insufficient validation of untrusted input in Downloads. Reported by Anonymous on 2021-08-24
• [1100761] Low CVE-2021-37994: Inappropriate implementation in iFrame Sandbox. Reported by David Erceg on 2020-06-30
• [1242315] Low CVE-2021-37995: Inappropriate implementation in WebApp Installer. Reported by Terence Eden on 2021-08-23

Node.js reports:

HTTP Request Smuggling due to spaced in headers (Medium)(CVE-2021-22959)

The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS).

HTTP Request Smuggling when parsing the body (Medium)(CVE-2021-22960)

The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

OpenBSD Project reports:

sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a different user. Instead these commands would inherit the groups that sshd(8) was started with.

Depending on system configuration, inherited groups may allow AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain unintended privilege.

Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are enabled by default in sshd_config(5).

Cory Sabol reports:

A malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality.

Red Hat reports:

A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.

The Apache Openoffice project reports:

Apache OpenOffice opens dBase/DBF documents and shows the contents as spreadsheets. DBF are database files with data organized in fields. When reading DBF data the size of certain fields is not checked: the data is just copied into local variables. A carefully crafted document could overflow the allocated space, leading to the execution of arbitrary code by altering the contents of the program stack. This issue affects Apache OpenOffice up to and including version 4.1.10

It is possible for an attacker to manipulate signed documents and macros to appear to come from a trusted source. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25633 for the LibreOffice advisory

It is possible for an attacker to manipulate the timestamp of signed documents. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25634 for the LibreOffice advisory.

It is possible for an attacker to manipulate documents to appear to be signed by a trusted source. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25635 for the LibreOffice advisory.

The Go project reports:

When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments.

If using wasm_exec.js to execute WASM modules, users will need to replace their copy after rebuilding any modules.

Chrome Releases reports:

This release contains 4 security fixes, including:

• [1252878] High CVE-2021-37977: Use after free in Garbage Collection. Reported by Anonymous on 2021-09-24
• [1236318] High CVE-2021-37978: Heap buffer overflow in Blink. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-08-04
• [1247260] High CVE-2021-37979: Heap buffer overflow in WebRTC. Reported by Marcin Towalski of Cisco Talos on 2021-09-07
• [1254631] High CVE-2021-37980: Inappropriate implementation in Sandbox. Reported by Yonghwi Jin (@jinmo123) on 2021-09-30

Jenkins Security Advisory:

Description

(Medium) SECURITY-2475 / CVE-2014-3577

Jenkins core bundles vulnerable version of the commons-httpclient library

The Apache http server project reports:

critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013).

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.

This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

Acknowledgements: Reported by Juan Escobar from Dreamlab Technologies, Fernando Munoz from NULL Life CTF Team, and Shungo Kumasaka

The Apache http server project reports:

• moderate: null pointer dereference in h2 fuzzing (CVE-2021-41524)
• important: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)

Grafana Labs reports:

Unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths:

• /dashboard/snapshot/:key, or
• /api/snapshots/:key

If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path:

• /api/snapshots-delete/:deleteKey

Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths:

• /api/snapshots/:key, or
• /api/snapshots-delete/:deleteKey

The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.

The Redis Team reports:

CVE-2021-41099

Integer to heap buffer overflow handling certain string commands and network payloads, when proto-max-bulk-len is manually configured.

CVE-2021-32762

Integer to heap buffer overflow issue in redis-cli and redis-sentinel parsing large multi-bulk replies on some older and less common platforms.

CVE-2021-32687

Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value.

CVE-2021-32675

Denial Of Service when processing RESP request payloads with a large number of elements on many connections.

CVE-2021-32672

Random heap reading issue with Lua Debugger.

CVE-2021-32628

Integer to heap buffer overflow handling ziplist-encoded data types, when configuring a large, non-default value for hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value.

CVE-2021-32627

Integer to heap buffer overflow issue with streams, when configuring a non-default, large value for proto-max-bulk-len and client-query-buffer-limit.

CVE-2021-32626

Specially crafted Lua scripts may result with Heap buffer overflow.

Bacula-Web reports:

Address Smarty CVE

Mediawiki reports:

(T285515, CVE-2021-41798) SECURITY: XSS vulnerability in Special:Search.

(T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full table scan.

(T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of Special:Contributions.

(T279090, CVE-2021-41801) SECURITY: ReplaceText continues performing actions if the user no longer has the correct permission (such as by being blocked).

Gitlab reports:

Stored XSS in merge request creation page

Denial-of-service attack in Markdown parser

Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown

DNS Rebinding vulnerability in Gitea importer

Exposure of trigger tokens on project exports

Improper access control for users with expired password

Access tokens are not cleared after impersonation

Reflected Cross-Site Scripting in Jira Integration

DNS Rebinding vulnerability in Fogbugz importer

Access tokens persist after project deletion

User enumeration vulnerability

Potential DOS via API requests

Pending invitations of public groups and public projects are visible to any user

Bypass Disabled Repo by URL Project Creation

Low privileged users can see names of the private groups shared in projects

API discloses sensitive info to low privileged users

Epic listing do not honour group memberships

Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed

Low privileged users can import users from projects that they they are not a maintainer on

Potential DOS via dependencies API

Create a project with unlimited repository size through malicious Project Import

Bypass disabled Bitbucket Server import source project creation

Requirement to enforce 2FA is not honored when using git commands

Content spoofing vulnerability

Improper session management in impersonation feature

Create OAuth application with arbitrary scopes through content spoofing

Lack of account lockout on change password functionality

Epic reference was not updated while moved between groups

Missing authentication allows disabling of two-factor authentication

Information disclosure in SendEntry

Alexander Cherepanov reports:

Version 0.999b and older of ha archiver is susceptible to directory traversal vulnerabilities via absolute and relative paths.

Chrome Releases/Stable updates reports:

This release contains 4 security fixes, including:

• [1245578] High CVE-2021-37974: Use after free in Safe Browsing. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-09-01
• [1252918] High CVE-2021-37975: Use after free in V8. Reported by Anonymous on 2021-09-24
• [1251787] Medium CVE-2021-37976: Information leak in core. Reported by Clement Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21

Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.

Sonatype reports:

• CVE-2020-13920: Apache ActiveMQ JMX is vulnerable to a MITM attack

Sonatype reports:

• CVE-2020-15012: NXRM2 Directory Traversal vulnerability

The Apache project reports:

• moderate: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193)
• moderate: NULL pointer dereference in httpd core (CVE-2021-34798)
• moderate: mod_proxy_uwsgi out of bound read (CVE-2021-36160)
• low: ap_escape_quotes buffer overflow (CVE-2021-39275)
• high: mod_proxy SSRF (CVE-2021-40438)

The cURL project reports:

• UAF and double-free in MQTT sending (CVE-2021-22945)
• Protocol downgrade required TLS bypassed (CVE-2021-22946)
• STARTTLS protocol injection via MITM (CVE-2021-22945)

The WebKitGTK project reports vulnerabilities:

• CVE-2021-30858: Processing maliciously crafted web content may lead to arbitrary code execution.

Chrome Releases reports:

][1251727] High CVE-2021-37973 : Use after free in Portals. Reported by Clement Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21

Google is aware that an exploit for CVE-2021-37973 exists in the wild.

Jakub Hrozek reports:

Version 0.17.0 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying an URL formatted as ///fishing-site.example.com/logout.html

Tim Wojtulewicz of Corelight reports:

Paths from log stream make it into system() unchecked, potentially leading to commands being run on the system unintentionally. This requires either bad scripting or a malicious package to be installed, and is considered low severity.

Fix potential unbounded state growth in the PIA analyzer when receiving a connection with either a large number of zero-length packets, or one which continues ack-ing unseen segments. It is possible to run Zeek out of memory in these instances and cause it to crash. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability.

Chrome Releases reports:

This update contains 19 security fixes, including:

• [1243117] High CVE-2021-37956: Use after free in Offline use. Reported by Huyna at Viettel Cyber Security on 2021-08-24
• [1242269] High CVE-2021-37957: Use after free in WebGPU. Reported by Looben Yang on 2021-08-23
• [1223290] High CVE-2021-37958: Inappropriate implementation in Navigation. Reported by James Lee (@Windowsrcer) on 2021-06-24
• [1229625] High CVE-2021-37959: Use after free in Task Manager. Reported by raven (@raid_akame) on 2021-07-15
• [1247196] High CVE-2021-37960: Inappropriate implementation in Blink graphics. Reported by Atte Kettunen of OUSPG on 2021-09-07
• [1228557] Medium CVE-2021-37961: Use after free in Tab Strip. Reported by Khalil Zhani on 2021-07-13
• [1231933] Medium CVE-2021-37962: Use after free in Performance Manager. Reported by Sri on 2021-07-22
• [1199865] Medium CVE-2021-37963: Side-channel information leakage in DevTools. Reported by Daniel Genkin and Ayush Agarwal, University of Michigan, Eyal Ronen and Shaked Yehezkel, Tel Aviv University, Sioli O'Connell, University of Adelaide, and Jason Kim, Georgia Institute of Technology on 2021-04-16
• [1203612] Medium CVE-2021-37964: Inappropriate implementation in ChromeOS Networking. Reported by Hugo Hue and Sze Yiu Chau of the Chinese University of Hong Kong on 2021-04-28
• [1239709] Medium CVE-2021-37965: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-08-13
• [1238944] Medium CVE-2021-37966: Inappropriate implementation in Compositing. Reported by Mohit Raj (shadow2639) on 2021-08-11
• [1243622] Medium CVE-2021-37967: Inappropriate implementation in Background Fetch API. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-26
• [1245053] Medium CVE-2021-37968: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-08-30
• [1245879] Medium CVE-2021-37969: Inappropriate implementation in Google Updater. Reported by Abdelhamid Naceri (halov) on 2021-09-02
• [1248030] Medium CVE-2021-37970: Use after free in File System API. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-09-09
• [1219354] Low CVE-2021-37971: Incorrect security UI in Web Browser UI. Reported by Rayyan Bijoora on 2021-06-13
• [1234259] Low CVE-2021-37972: Out of bounds read in libjpeg-turbo. Reported by Xu Hanyu and Lu Yutao from Panguite-Forensics-Lab of Qianxin on 2021-07-29

libssh security advisories:

The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called `secret_hash` and and the other `session_id`. Initially, both of them are the same, but after key re-exchange, previous `session_id` is kept and used as an input to new `secret_hash`.

Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating `secret_hash` of different size than the `session_id` has.

This becomes an issue when the `session_id` memory is zeroized or when it is used again during second key re-exchange.

Node.js reports:

npm 6 update - node-tar, arborist, npm cli modules

These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVE being remediated in core npm CLI dependencies including node-tar, and npm arborist.

Node.js reports:

cares upgrade - Improper handling of untypical characters in domain names (High) (CVE-2021-22931)

Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js DNS library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

Use after free on close http2 on stream canceling (High) (CVE-2021-22940)

Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. The issue is a follow on to CVE-2021-22930 as the issue was not completely resolved in the fix for CVE-2021-22930.

Incomplete validation of rejectUnauthorized parameter (Low) (CVE-2021-22939)

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

Node.js reports:

libuv upgrade - Out of bounds read (Medium) (CVE-2021-22918)

Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes.

Windows installer - Node Installer Local Privilege Escalation (Medium) (CVE-2021-22921)

Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.

npm upgrade - ssri Regular Expression Denial of Service (ReDoS) (High) (CVE-2021-27290)

This is a vulnerability in the ssri npm module which may be vulnerable to denial of service attacks.

npm upgrade - hosted-git-info Regular Expression Denial of Service (ReDoS) (Medium) (CVE-2021-23362)

This is a vulnerability in the hosted-git-info npm module which may be vulnerable to denial of service attacks.

Node.js reports:

Use after free on close http2 on stream canceling (High) (CVE-2021-22930)

Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

Kenny Levinsen reports:

seatd-launch used execlp, which reads the PATH environment variable to search for the requested executable, to execute seatd. This meant that the caller could freely control what executable was loaded by adding a user-writable directory to PATH.

If seatd-launch had the SUID bit set, this could be used by a malicious user with the ability to execute seatd-launch to mount a privilege escalation attack to the owner of seatd-launch, which is likely root.

Chrome Releases reports:

This release includes 11 security fixes, including:

• [1237533] High CVE-2021-30625: Use after free in Selection API. Reported by Marcin Towalski of Cisco Talos on 2021-08-06
• [1241036] High CVE-2021-30626: Out of bounds memory access in ANGLE. Reported by Jeonghoon Shin of Theori on 2021-08-18
• [1245786] High CVE-2021-30627: Type Confusion in Blink layout. Reported by Aki Helin of OUSPG on 2021-09-01
• [1241123] High CVE-2021-30628: Stack buffer overflow in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2021-08-18
• [1243646] High CVE-2021-30629: Use after free in Permissions. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-08-26
• [1244568] High CVE-2021-30630: Inappropriate implementation in Blink. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-30
• [1246932] High CVE-2021-30631: Type Confusion in Blink layout. Reported by Atte Kettunen of OUSPG on 2021-09-06
• [1247763] High CVE-2021-30632: Out of bounds write in V8. Reported by Anonymous on 2021-09-08
• [1247766] High CVE-2021-30633: Use after free in Indexed DB API. Reported by Anonymous on 2021-09-08

Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild.

Matrix developers report:

Today we are disclosing a critical security issue affecting multiple Matrix clients and libraries including Element (Web/Desktop/Android), FluffyChat, Nheko, Cinny, and SchildiChat.

Specifically, in certain circumstances it may be possible to trick vulnerable clients into disclosing encryption keys for messages previously sent by that client to user accounts later compromised by an attacker.

Exploiting this vulnerability to read encrypted messages requires gaining control over the recipient’s account. This requires either compromising their credentials directly or compromising their homeserver.

Hashicorp reports:

HashiCorp Consul Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation.

The Go project reports:

An oversight in the previous fix still allows for an OOM panic when the indicated directory size in the archive header is so large that subtracting it from the archive size overflows a uint64, effectively bypassing the check that the number of files in the archive is reasonable.

Python reports:

bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition.

bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.

bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.

bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.

Version 5.9_2 contains security fix for PPPoE servers. Insufficient validation of incoming PPPoE Discovery request specially crafted by unauthenticated user might lead to unexpected termination of the process. The problem affects mpd versions since 5.0. Installations not using PPPoE server configuration were not affected.

Python reports:

bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.

bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.