FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2023-01-25 11:36:57 UTC

List all Vulnerabilities, by package

VuXML entries as processed by FreshPorts
DateDecscriptionPort(s)
2023-01-25VuXML ID 3d0a3eb0-9ca3-11ed-a925-3065ec8fd3ec

Chrome Releases reports:

This release contains 6 security fixes, including:

  • [1376354] High CVE-2023-0471: Use after free in WebTransport. Reported by chichoo Kim(chichoo) and Cassidy Kim(@cassidy6564) on 2022-10-19
  • [1405256] High CVE-2023-0472: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-01-06
  • [1404639] Medium CVE-2023-0473: Type Confusion in ServiceWorker API. Reported by raven at KunLun lab on 2023-01-03
  • [1400841] Medium CVE-2023-0474: Use after free in GuestView. Reported by avaue at S.S.L on 2022-12-14
more...
chromium
ungoogled-chromium

more detail
2023-01-25VuXML ID b0e1fa2b-9c86-11ed-9296-002b67dfc673

re2c reports:

re2c before 2.0 has uncontrolled recursion that causes stack consumption in find_fixed_tags.

more...
re2c

more detail
2023-01-24VuXML ID b8a0fea2-9be9-11ed-8acf-0800277bb8a8

The Gitea team reports:

Prevent multiple To recipients: Change the mailer interface to prevent leaking of possible hidden email addresses when sending to multiple recipients.

more...
gitea

more detail
2023-01-23VuXML ID 28b69630-9b10-11ed-97a6-6805ca2fa271

PowerDNS Team reports:

PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination

more...
powerdns-recursor

more detail
2023-01-23VuXML ID 7844789a-9b1f-11ed-9a3f-b42e991fc52e

MITRE reports:

NLnet Labs Krill supports direct access to the RRDP repository content through its built-in web server at the "/rrdp" endpoint. Prior to 0.12.1 a direct query for any existing directory under "/rrdp/", rather than an RRDP file such as "/rrdp/notification.xml" as would be expected, causes Krill to crash. If the built-in "/rrdp" endpoint is exposed directly to the internet, then malicious remote parties can cause the publication server to crash. The repository content is not affected by this, but the availability of the server and repository can cause issues if this attack is persistent and is not mitigated. .

more...
krill

more detail
2023-01-23VuXML ID b6f7ad7d-9b19-11ed-9a3f-b42e991fc52e

Mitre reports:

etserver and etclient have predictable logfile names in /tmp and they are world-readable logfiles

more...
eternalterminal

more detail
2023-01-23VuXML ID bba3f684-9b1d-11ed-9a3f-b42e991fc52e

MITRE reports:

It seems #90 is not completely fixed in 7.8. (that is, even after CVE-2017-1000501 and CVE-2020-29600 are fixed). In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.

more...
awstats

more detail
2023-01-21VuXML ID a3b10c9b-99d9-11ed-aa55-d05099fed512

Peter Ammon reports:

fish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs git commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the fish_git_prompt function from the prompt.

more...
fish

more detail
2023-01-21VuXML ID dc49f6dc-99d2-11ed-86e9-d4c9ef517024

Oracle reports:

This Critical Patch Update contains 37 new security patches for Oracle MySQL. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network withouti requiring user credentials.

more...
mysql-client57
mysql-client80
mysql-connector-c++
mysql-connector-odbc
mysql-server57
mysql-server80

more detail
2023-01-20VuXML ID 005dfb48-990d-11ed-b9d3-589cfc0f81b0

phpmyfaq developers report:

phpMyFAQ does not implement sufficient checks to avoid a stored XSS in "Add new question"

phpMyFAQ does not implement sufficient checks to avoid a stored XSS in admin user page

phpMyFAQ does not implement sufficient checks to avoid a stored XSS in FAQ comments

phpMyFAQ does not implement sufficient checks to avoid a blind stored XSS in admin open question page

phpMyFAQ does not implement sufficient checks to avoid a reflected XSS in the admin backend login

phpMyFAQ does not implement sufficient checks to avoid stored XSS on user, category, FAQ, news and configuration admin backend

phpMyFAQ does not implement sufficient checks to avoid weak passwords

more...
phpmyfaq

more detail
2023-01-19VuXML ID 95176ba5-9796-11ed-bfbf-080027f5fec9

Aaron Patterson reports:

CVE-2022-44570
Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.
CVE-2022-44571
Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
CVE-2022-44572
Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
more...
rubygem-rack
rubygem-rack16
rubygem-rack22

more detail
2023-01-17VuXML ID 00919005-96a3-11ed-86e9-d4c9ef517024

The Apache httpd project reports:

mod_dav out of bounds read, or write of zero byte (CVE-2006-20001) (moderate)

mod_proxy_ajp Possible request smuggling (CVE-2022-36760) (moderate)

mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (CVE-2022-37436) (moderate)

more...
apache24

more detail
2023-01-16VuXML ID 5fa68bd9-95d9-11ed-811a-080027f5fec9

The Redis core team reports:

CVE-2022-35977
Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic.
CVE-2023-22458
Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service.
more...
redis
redis-devel
redis6
redis62

more detail
2023-01-16VuXML ID 9d9e9439-959e-11ed-b464-b42e991fc52e

CIRCL reports:

  • CVE-2022-41966: XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream.
  • CVE-2022-40151: If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
more...
keycloak

more detail
2023-01-14VuXML ID 847f16e5-9406-11ed-a925-3065ec8fd3ec

The Tor Project reports:

TROVE-2022-002: The SafeSocks option for SOCKS4(a) is inverted leading to SOCKS4 going through

This is a report from hackerone:

We have classified this as medium considering that tor was not defending in-depth for dangerous SOCKS request and so any user relying on SafeSocks 1 to make sure they don't link DNS leak and their Tor traffic wasn't safe afterall for SOCKS4(a). Tor Browser doesn't use SafeSocks 1 and SOCKS4 so at least the likely vast majority of users are not affected.

more...
tor

more detail
2023-01-12VuXML ID 76e2fcce-92d2-11ed-a635-080027f5fec9

lu4nx reports:

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.

more...
emacs
emacs-canna
emacs-devel
emacs-devel-nox
emacs-nox

more detail
2023-01-11VuXML ID 3a023570-91ab-11ed-8950-001b217b3468

Gitlab reports:

Race condition on gitlab.com enables verified email forgery and third-party account hijacking

DOS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint

Maintainer can leak sentry token by changing the configured URL

Maintainer can leak masked webhook secrets by changing target URL of the webhook

Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP

Group access tokens continue to work after owner loses ability to revoke them

Users' avatar disclosure by user ID in private GitLab instances

Arbitrary Protocol Redirection in GitLab Pages

Regex DoS due to device-detector parsing user agents

Regex DoS in the Submodule Url Parser

more...
gitlab-ce

more detail
2023-01-11VuXML ID 53caf29b-9180-11ed-acbe-b42e991fc52e

Cassandra tema reports:

This release contains 6 security fixes including

  • CVE-2022-24823: When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory
  • CVE-2020-7238: Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.
  • CVE-2019-2684: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE
  • CVE-2022-25857: The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
  • CVE-2022-42003: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
  • CVE-2022-42004: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays.
more...
cassandra3

more detail
2023-01-11VuXML ID 60624f63-9180-11ed-acbe-b42e991fc52e

Marcus Eriksson reports:

When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this.

more...
cassandra3

more detail
2023-01-11VuXML ID 9fa7b139-c1e9-409e-bed0-006aadcf5845

The X.org project reports:

  • CVE-2022-46340/ZDI-CAN-19265: X.Org Server XTestSwapFakeInput stack overflow

    The swap handler for the XTestFakeInput request of the XTest extension may corrupt the stack if GenericEvents with lengths larger than 32 bytes are sent through a the XTestFakeInput request.

    This issue does not affect systems where client and server use the same byte order.

  • CVE-2022-46341/ZDI-CAN-19381: X.Org Server XIPassiveUngrab out-of-bounds access

    The handler for the XIPassiveUngrab request accesses out-of-bounds memory when invoked with a high keycode or button code.

  • CVE-2022-46342/ZDI-CAN-19400: X.Org Server XvdiSelectVideoNotify use-after-free

    The handler for the XvdiSelectVideoNotify request may write to memory after it has been freed.

  • CVE-2022-46343/ZDI-CAN-19404: X.Org Server ScreenSaverSetAttributes use-after-free

    The handler for the ScreenSaverSetAttributes request may write to memory after it has been freed.

  • CVE-2022-46344/ZDI-CAN-19405: X.Org Server XIChangeProperty out-of-bounds access

    The handler for the XIChangeProperty request has a length-validation issues, resulting in out-of-bounds memory reads and potential information disclosure.

  • CVE-2022-4283/ZDI-CAN-19530: X.Org Server XkbGetKbdByName use-after-free

    The XkbCopyNames function left a dangling pointer to freed memory, resulting in out-of-bounds memory access on subsequent XkbGetKbdByName requests.

more...
xephyr
xorg-nestserver
xorg-server
xorg-vfbserver
xwayland
xwayland-devel

more detail
2023-01-11VuXML ID b3fd12ea-917a-11ed-acbe-b42e991fc52e

mindrot project reports:

There is an integer overflow that occurs with very large log_rounds values, first reported by Marcus Rathsfeld.

more...
cassandra3

more detail
2023-01-10VuXML ID 7b929503-911d-11ed-a925-3065ec8fd3ec

Chrome Releases reports:

This release contains 17 security fixes, including:

  • [1353208] High CVE-2023-0128: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-08-16
  • [1382033] High CVE-2023-0129: Heap buffer overflow in Network Service. Reported by asnine on 2022-11-07
  • [1370028] Medium CVE-2023-0130: Inappropriate implementation in Fullscreen API. Reported by Hafiizh on 2022-09-30
  • [1357366] Medium CVE-2023-0131: Inappropriate implementation in iframe Sandbox. Reported by NDevTK on 2022-08-28
  • [1371215] Medium CVE-2023-0132: Inappropriate implementation in Permission prompts. Reported by Jasper Rebane (popstonia) on 2022-10-05
  • [1375132] Medium CVE-2023-0133: Inappropriate implementation in Permission prompts. Reported by Alesandro Ortiz on 2022-10-17
  • [1385709] Medium CVE-2023-0134: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-17
  • [1385831] Medium CVE-2023-0135: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-18
  • [1356987] Medium CVE-2023-0136: Inappropriate implementation in Fullscreen API. Reported by Axel Chong on 2022-08-26
  • [1399904] Medium CVE-2023-0137: Heap buffer overflow in Platform Apps. Reported by avaue and Buff3tts at S.S.L. on 2022-12-10
  • [1346675] Low CVE-2023-0138: Heap buffer overflow in libphonenumber. Reported by Michael Dau on 2022-07-23
  • [1367632] Low CVE-2023-0139: Insufficient validation of untrusted input in Downloads. Reported by Axel Chong on 2022-09-24
  • [1326788] Low CVE-2023-0140: Inappropriate implementation in File System API. Reported by harrison.mitchell, cybercx.com.au on 2022-05-18
  • [1362331] Low CVE-2023-0141: Insufficient policy enforcement in CORS. Reported by scarlet on 2022-09-12
more...
chromium
ungoogled-chromium

more detail
2023-01-09*VuXML ID 59c284f4-8d2e-11ed-9ce0-b42e991fc52e

cacti team reports:

A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device.

more...
cacti

more detail
2023-01-05VuXML ID 541696ed-8d12-11ed-af80-ecf4bbc0bda0

C. Michael Pilato reports:

security fix: escape revision view copy paths (#311) [CVE-2023-22464]

security fix: escape revision view changed paths (#311) [CVE-2023-22456]

more...
py37-viewvc-devel
py38-viewvc-devel
py39-viewvc-devel

more detail
2023-01-03VuXML ID 5b2eac07-8b4d-11ed-8b23-a0f3c100ae18

Marc Lehmann reports:

The biggest issue is resolving CVE-2022-4170, which allows command execution inside urxvt from within the terminal (that means anything that can output text in the terminal can start commands in the context of the urxvt process, even remotely).

more...
rxvt-unicode

more detail
2023-01-02VuXML ID 86c330fe-bbae-4ca7-85f7-5321e627a4eb

The Gitea team reports:

Remove ReverseProxy authentication from the API

Support Go Vulnerability Management

Forbid HTML string tooltips

more...
gitea

more detail
2022-12-29VuXML ID 140a20e1-8769-11ed-b074-002b67dfc673

Webtrees reports:

GEDCOM imports containing errors and HTML displayed unescaped.

more...
webtrees

more detail
2022-12-29VuXML ID d379aa14-8729-11ed-b988-080027d3a315

Mediawikwi reports:

(T322637, CVE-2022-PENDING) SECURITY: Make sqlite DB files not world readable.

more...
mediawiki135
mediawiki138
mediawiki139

more detail
2022-12-27VuXML ID 4b60c3d9-8640-11ed-a762-482ae324f959

Netdata reports:

GHSA-xg38-3vmw-2978: Netdata Streaming Alert Command Injection

GHSA-jx85-39cw-66f2: Netdata Streaming Authentication Bypass

more...
netdata

more detail
2022-12-24VuXML ID 1f0421b1-8398-11ed-973d-002b67dfc673

FreeRDP reports:

GHSA-5w4j-mrrh-jjrm: Out of bound read in zgfx decoder.

GHSA-99cm-4gw7-c8jh: Undefined behaviour in zgfx decoder.

GHSA-387j-8j96-7q35: Division by zero in urbdrc channel.

GHSA-mvxm-wfj2-5fvh: Missing length validation in urbdrc channel.

GHSA-qfq2-82qr-7f4j: Heap buffer overflow in urbdrc channel.

GHSA-c5xq-8v35-pffg: Missing path sanitation with `drive` channel.

GHSA-pmv3-wpw4-pw5h: Missing input length validation in `drive` channel.

more...
freerdp

more detail
2022-12-22VuXML ID d0da046a-81e6-11ed-96ca-0800277bb8a8

The Gitea team reports:

Do not allow Ghost access to limited visible user/org

Fix package access for admins and inactive users

more...
gitea

more detail
2022-12-17VuXML ID d9e154c9-7de9-11ed-adca-080027d3a315

TYPO3 reports:

TYPO3-CORE-SA-2022-012: Denial of Service in Page Error Handling.

TYPO3-CORE-SA-2022-013: Weak Authentication in Frontend Login.

TYPO3-CORE-SA-2022-014: Insufficient Session Expiration after Password Reset.

TYPO3-CORE-SA-2022-015: Arbitrary Code Execution via Form Framework.

TYPO3-CORE-SA-2022-016: Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration.

TYPO3-CORE-SA-2022-017: By-passing Cross-Site Scripting Protection in HTML Sanitizer.

more...
typo3-11-php81
typo3-12-php81

more detail
2022-12-14VuXML ID 0f99a30c-7b4b-11ed-9168-080027f5fec9

Daniel Stenberg reports:

CVE-2022-32221: POST following PUT confusion
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
CVE-2022-35260: .netrc parser out-of-bounds access
curl can be told to parse a .netrc file for credentials. If that file ends in a line with consecutive non-white space letters and no newline, curl could read past the end of the stack-based buffer, and if the read works, write a zero byte possibly beyond its boundary. This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes. If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.
CVE-2022-42915: HTTP proxy double-free
f curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 response code to the client. Due to flaws in the error/cleanup handling, this could trigger a double-free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, telnet
CVE-2022-42916: HSTS bypass via IDN
curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) .. Like this: http://curl。se。
more...
curl

more detail
2022-12-14VuXML ID 83eb9374-7b97-11ed-be8f-3065ec8fd3ec

Chrome Releases reports:

This release contains 8 security fixes, including:

  • [1383991] High CVE-2022-4436: Use after free in Blink Media. Reported by Anonymous on 2022-11-15
  • [1394692] High CVE-2022-4437: Use after free in Mojo IPC. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-11-30
  • [1381871] High CVE-2022-4438: Use after free in Blink Frames. Reported by Anonymous on 2022-11-07
  • [1392661] High CVE-2022-4439: Use after free in Aura. Reported by Anonymous on 2022-11-22
  • [1382761] Medium CVE-2022-4440: Use after free in Profiles. Reported by Anonymous on 2022-11-09
more...
chromium
ungoogled-chromium

more detail
2022-12-12VuXML ID 439f3f81-7a49-11ed-97ac-589cfc0f81b0

phpmyfaq developers report:

an authenticated SQL injection when adding categories in the admin backend

a stored cross-site scripting vulnerability in the category name

a stored cross-site scripting vulnerability in the admin logging

a stored cross-site scripting vulnerability in the FAQ title

a PostgreSQL based SQL injection for the lang parameter

a SQL injection when storing an instance name in the admin backend

a SQL injection when adding attachments in the admin backend

a stored cross-site scripting vulnerability when adding users by admins

a missing "secure" flag for cookies when using TLS

a cross-site request forgery / cross-site scripting vulnerability when saving new questions

a reflected cross-site scripting vulnerability in the admin backend

more...
phpmyfaq

more detail
2022-12-10VuXML ID 508da89c-78b9-11ed-854f-5404a68ad561

The Traefik project reports:

This update is recommended for all traefik users and provides following important security fixes:

  • CVE-2022-23469: Authorization header displayed in the debug logs
  • CVE-2022-46153: Routes exposed with an empty TLSOption in traefik
more...
traefik

more detail
2022-12-10VuXML ID ba94433c-7890-11ed-859e-1c61b4739ac9

xrdp project reports:

This update is recommended for all xrdp users and provides following important security fixes:

  • CVE-2022-23468
  • CVE-2022-23477
  • CVE-2022-23478
  • CVE-2022-23479
  • CVE-2022-23480
  • CVE-2022-23481
  • CVE-2022-23483
  • CVE-2022-23482
  • CVE-2022-23484
  • CVE-2022-23493

These security issues are reported by Team BT5 (BoB 11th). We appreciate their great help with making and reviewing patches.

more...
xrdp

more detail
2022-12-07VuXML ID 050eba46-7638-11ed-820d-080027d3a315

Python reports:

gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing.

gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.

gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name.

gh-98739: Update bundled libexpat to 2.5.0.

gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.

more...
python310
python311
python37
python38
python39

more detail
2022-12-06VuXML ID 6f5192f5-75a7-11ed-83c0-411d43ce7fe4

The Go project reports:

os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permitted access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") would open the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access.

In addition, on Windows, an os.DirFS for the directory \(the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system.

The behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

net/http: limit canonical header cache by bytes, not entries

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

more...
go118
go119

more detail
2022-12-03VuXML ID 2899da38-7300-11ed-92ce-3065ec8fd3ec

Chrome Releases reports:

This release contains 1 security fix:

  • [1394403] High CVE-2022-4262: Type Confusion in V8. Reported by Clement Lecigne of Google's Threat Analysis Group on 2022-11-29

Google is aware that an exploit for CVE-2022-4262 exists in the wild.

more...
chromium
ungoogled-chromium

more detail
2022-12-01VuXML ID 0c52abde-717b-11ed-98ca-40b034429ecf

rpm project reports:

Fix intermediate symlinks not verified (CVE-2021-35939).

Fix subkey binding signatures not checked on PGP public keys (CVE-2021-3521).

Refactor file and directory operations to use fd-based APIs throughout (CVE-2021-35938)

more...
rpm4

more detail
2022-12-01VuXML ID 3cde510a-7135-11ed-a28b-bff032704f00

Gitlab reports:

DAST API scanner exposes Authorization headers in vulnerabilities

Group IP allow-list not fully respected by the Package Registry

Deploy keys and tokens may bypass External Authorization service if it is enabled

Repository import still allows to import 40 hexadecimal branches

Webhook secret tokens leaked in webhook logs

Maintainer can leak webhook secret token by changing the webhook URL

Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP

Release names visible in public projects despite release set as project members only

Sidekiq background job DoS by uploading malicious NuGet packages

SSRF in Web Terminal advertise_address

more...
gitlab-ce

more detail
2022-11-30VuXML ID 5f7ed6ea-70a7-11ed-92ce-3065ec8fd3ec

Chrome Releases reports:

This release contains 28 security fixes, including:

  • [1379054] High CVE-2022-4174: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2022-10-27
  • [1381401] High CVE-2022-4175: Use after free in Camera Capture. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-11-04
  • [1361066] High CVE-2022-4176: Out of bounds write in Lacros Graphics. Reported by @ginggilBesel on 2022-09-08
  • [1379242] High CVE-2022-4177: Use after free in Extensions. Reported by Chaoyuan Peng (@ret2happy) on 2022-10-28
  • [1376099] High CVE-2022-4178: Use after free in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2022-10-18
  • [1377783] High CVE-2022-4179: Use after free in Audio. Reported by Sergei Glazunov of Google Project Zero on 2022-10-24
  • [1378564] High CVE-2022-4180: Use after free in Mojo. Reported by Anonymous on 2022-10-26
  • [1382581] High CVE-2022-4181: Use after free in Forms. Reported by Aviv A. on 2022-11-09
  • [1368739] Medium CVE-2022-4182: Inappropriate implementation in Fenced Frames. Reported by Peter Nemeth on 2022-09-28
  • [1251790] Medium CVE-2022-4183: Insufficient policy enforcement in Popup Blocker. Reported by David Sievers on 2021-09-22
  • [1358647] Medium CVE-2022-4184: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2022-09-01
  • [1373025] Medium CVE-2022-4185: Inappropriate implementation in Navigation. Reported by James Lee (@Windowsrcer) on 2022-10-10
  • [1377165] Medium CVE-2022-4186: Insufficient validation of untrusted input in Downloads. Reported by Luan Herrera (@lbherrera_) on 2022-10-21
  • [1381217] Medium CVE-2022-4187: Insufficient policy enforcement in DevTools. Reported by Axel Chong on 2022-11-04
  • [1340879] Medium CVE-2022-4188: Insufficient validation of untrusted input in CORS. Reported by Philipp Beer (TU Wien) on 2022-06-30
  • [1344647] Medium CVE-2022-4189: Insufficient policy enforcement in DevTools. Reported by NDevTK on 2022-07-15
  • [1378997] Medium CVE-2022-4190: Insufficient data validation in Directory. Reported by Axel Chong on 2022-10-27
  • [1373941] Medium CVE-2022-4191: Use after free in Sign-In. Reported by Jaehun Jeong(@n3sk) of Theori on 2022-10-12
  • [1344514] Medium CVE-2022-4192: Use after free in Live Caption. Reported by Samet Bekmezci @sametbekmezci on 2022-07-14
  • [1354518] Medium CVE-2022-4193: Insufficient policy enforcement in File System API. Reported by Axel Chong on 2022-08-19
  • [1370562] Medium CVE-2022-4194: Use after free in Accessibility. Reported by Anonymous on 2022-10-03
  • [1371926] Medium CVE-2022-4195: Insufficient policy enforcement in Safe Browsing. Reported by Eric Lawrence of Microsoft on 2022-10-06
more...
chromium
ungoogled-chromium

more detail
2022-11-25VuXML ID 8d3838b0-6ca8-11ed-92ce-3065ec8fd3ec

Chrome Releases reports:

This release contains 1 security fix:

  • [1392715] High CVE-2022-4135: Heap buffer overflow in GPU. Reported by Clement Lecigne of Google's Threat Analysis Group on 2022-11-22

Google is aware that an exploit for CVE-2022-4135 exists in the wild.

more...
chromium
ungoogled-chromium

more detail
2022-11-24VuXML ID 658b9198-8106-4c3d-a2aa-dc4a0a7cc3b6

Tim Wojtulewicz of Corelight reports:

A specially-crafted series of HTTP 0.9 packets can cause Zeek to spend large amounts of time processing the packets.

A specially-crafted FTP packet can cause Zeek to spend large amounts of time processing the command.

A specially-crafted IPv6 packet can cause Zeek to overflow memory and potentially crash.

more...
zeek

more detail
2022-11-24VuXML ID 84ab03b6-6c20-11ed-b519-080027f5fec9

Hiroshi Tokumaru reports:

If an application that generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body.

Also, the contents for a CGI::Cookie object were not checked properly. If an application creates a CGI::Cookie object based on user input, an attacker may exploit it to inject invalid attributes in Set-Cookie header. We think such applications are unlikely, but we have included a change to check arguments for CGI::Cookie#initialize preventatively.

more...
ruby
ruby27
ruby30
ruby31
ruby32
rubygem-cgi

more detail
2022-11-24VuXML ID b6a84729-6bd0-11ed-8d9a-b42e991fc52e

GitHub advisories reports:

Multiple vulnerabilities found in advancecomp including:

  • Three segmentation faults.
  • Heap buffer overflow via le_uint32_read at /lib/endianrw.h.
  • Three more heap buffer overflows.
more...
advancecomp

more detail
2022-11-22VuXML ID e0f26ac5-6a17-11ed-93e7-901b0e9408dc

Tailscale team reports:

A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables.

more...
tailscale

more detail
2022-11-18VuXML ID 556fdf03-6785-11ed-953b-002b67dfc673

Apache Tomcat reports:

If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

The CVSS score for this vulnerability is 7.5 High

more...
tomcat
tomcat-devel
tomcat10
tomcat101
tomcat85
tomcat9

more detail
2022-11-15VuXML ID 094e4a5b-6511-11ed-8c5e-206a8a720317

MITKRB5-SA-2022-001 Vulnerabilities in PAC parsing:

Due to an integer overflow vulnerabilities in PAC parsing An authenticated attacker may be able to cause a KDC or kadmind process to crash by reading beyond the bounds of allocated memory, creating a denial of service.

On 32-bit platforms an authenticated attacker may be able to cause heap corruption resulting in an RCE.

more...
krb5
krb5-119
krb5-120
krb5-devel

more detail
2022-11-12VuXML ID 0a80f159-629b-11ed-9ca2-6c3be5272acd

Grafana Labs reports:

When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message.

The CVSS score for this vulnerability is 5.3 Moderate

more...
grafana
grafana8
grafana9

more detail
2022-11-12VuXML ID 35d1e192-628e-11ed-8c5e-641c67a117d8

IPython project reports:

IPython 8.0.1, 7.31.1 and 5.11 are security releases that change some default values in order to prevent potential Execution with Unnecessary Privileges.

more...
py310-ipython
py311-ipython
py37-ipython
py38-ipython
py39-ipython

more detail
2022-11-12VuXML ID 4e60d660-6298-11ed-9ca2-6c3be5272acd

Grafana Labs reports:

On July 4th as a result of an internal security audit we have discovered a bypass in the plugin signature verification by exploiting a versioning flaw.

We believe that this vulnerability is rated at CVSS 6.1 (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L).

more...
grafana
grafana7
grafana8
grafana9

more detail
2022-11-12VuXML ID 6877e164-6296-11ed-9ca2-6c3be5272acd

Grafana Labs reports:

On September 7th as a result of an internal security audit we have discovered that Grafana could leak the authentication cookie of users to plugins. After further analysis the vulnerability impacts data source and plugin proxy endpoints under certain conditions.

We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)

more...
grafana
grafana7
grafana8
grafana9

more detail
2022-11-12VuXML ID 6eb6a442-629a-11ed-9ca2-6c3be5272acd

Grafana Labs reports:

Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization.

The CVSS score for this vulnerability is 6.4 Moderate

more...
grafana
grafana8
grafana9

more detail
2022-11-12VuXML ID 6f6c9420-6297-11ed-9ca2-6c3be5272acd

Grafana Labs reports:

On June 26 a security researcher contacted Grafana Labs to disclose a vulnerability with the GitLab data source plugin that could leak the API key to GitLab. After further analysis the vulnerability impacts data source and plugin proxy endpoints with authentication tokens but under some conditions.

We believe that this vulnerability is rated at CVSS 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

more...
grafana
grafana7
grafana8
grafana9

more detail
2022-11-12VuXML ID 909a80ba-6294-11ed-9ca2-6c3be5272acd

Grafana Labs reports:

On September 7, as a result of an internal security audit, we discovered a security vulnerability in Grafana’s basic authentication related to the usage of username and email address.

n Grafana, a user’s username and email address are unique fields, which means no other user can have the same username or email address as another user.

In addition, a user can have an email address as a username, and the Grafana login allows users to sign in with either username or email address. This creates an unusual behavior, where user_1 can register with one email address and user_2 can register their username as user_1’s email address. As a result, user_1 would be prevented from signing in to Grafana, since user_1 password won’t match with user_2 email address.

The CVSS score for this vulnerability is 4.3 moderate (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

more...
grafana
grafana8
grafana9

more detail
2022-11-12VuXML ID db895ed0-6298-11ed-9ca2-6c3be5272acd

Grafana Labs reports:

Internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the HTTP context creation could make a HTTP request being assigned the authentication/authorization middlewares of another call. Under heavy load it is possible that a call protected by a privileged middleware receives instead the middleware of a public query. As a result, an unauthenticated user can successfully query protected endpoints.

The CVSS score for this vulnerability is 9.8 Critical

more...
grafana
grafana9

more detail
2022-11-11VuXML ID f5a48a7a-61d3-11ed-9094-589cfc0f81b0

phpmyfaq developers report:

a pre-auth SQL injection in then saving user comments

a reflected cross-site scripting vulnerability in the search

a stored cross-site scripting vulnerability in the meta data administration

a weak password requirement

more...
phpmyfaq

more detail
2022-11-09VuXML ID 5b8d8dee-6088-11ed-8c5e-641c67a117d8

Varnish Cache Project reports:

A request forgery attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker may introduce characters through the HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This may in turn be used to successfully exploit vulnerabilities in a server behind the Varnish server.

more...
varnish6
varnish7

more detail
2022-11-09VuXML ID 60d4d31a-a573-41bd-8c1e-5af7513c1ee9

Tim Wojtulewicz of Corelight reports:

Fix an issue where a specially-crafted FTP packet can cause Zeek to spend large amounts of time attempting to search for valid commands in the data stream.

Fix a possible overflow in the Zeek dictionary code that may lead to a memory leak.

Fix an issue where a specially-crafted packet can cause Zeek to spend large amounts of time reporting analyzer violations.

Fix a possible assert and crash in the HTTP analyzer when receiving a specially crafted packet.

Fix an issue where a specially-crafted HTTP or SMTP packet can cause Zeek to spend a large amount of time attempting to search for filenames within the packet data.

Fix two separate possible crashes when converting processed IP headers for logging via the raw_packet event handlers.

more...
zeek

more detail
2022-11-09VuXML ID 6b04476f-601c-11ed-92ce-3065ec8fd3ec

Chrome Releases reports:

This release contains 10 security fixes, including:

  • [1377816] High CVE-2022-3885: Use after free in V8. Reported by gzobqq@ on 2022-10-24
  • [1372999] High CVE-2022-3886: Use after free in Speech Recognition. Reported by anonymous on 2022-10-10
  • [1372695] High CVE-2022-3887: Use after free in Web Workers. Reported by anonymous on 2022-10-08
  • [1375059] High CVE-2022-3888: Use after free in WebCodecs. Reported by Peter Nemeth on 2022-10-16
  • [1380063] High CVE-2022-3889: Type Confusion in V8. Reported by anonymous on 2022-11-01
  • [1380083] High CVE-2022-3890: Heap buffer overflow in Crashpad. Reported by anonymous on 2022-11-01
more...
chromium
ungoogled-chromium

more detail
2022-11-09VuXML ID b10d1afa-6087-11ed-8c5e-641c67a117d8

Varnish Cache Project reports:

A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend. Among the headers that can be filtered this way are both Content-Length and Host, making it possible for an attacker to both break the HTTP/1 protocol framing, and bypass request to host routing in VCL.

more...
varnish7

more detail
2022-11-08VuXML ID 9c399521-5f80-11ed-8ac4-b42e991fc52e

Mitre reports:

flaw was found in darkhttpd. Invalid error handling allows remote attackers to cause denial-of-service by accessing a file with a large modification date. The highest threat from this vulnerability is to system availability.

more...
darkhttpd

more detail
2022-11-07VuXML ID 3310014a-5ef9-11ed-812b-206a8a720317

SO-AND-SO reports:

Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.

more...
sudo

more detail
2022-11-05VuXML ID 16f7ec68-5cce-11ed-9be7-454b1dd82c64

Gitlab reports:

DAST analyzer sends custom request headers with every request

Stored-XSS with CSP-bypass via scoped labels' color

Maintainer can leak Datadog API key by changing integration URL

Uncontrolled resource consumption when parsing URLs

Issue HTTP requests when users view an OpenAPI document and click buttons

Command injection in CI jobs via branch name in CI pipelines

Open redirection

Prefill variables do not check permission of the project in external CI config

Disclosure of audit events to insufficiently permissioned group and project members

Arbitrary GFM references rendered in Jira issue description leak private/confidential resources

Award emojis API for an internal note is accessible to users without access to the note

Open redirect in pipeline artifacts when generating HTML documents

Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines

Project-level Secure Files can be written out of the target directory

more...
gitlab-ce

more detail
2022-11-03VuXML ID b278783f-5c1d-11ed-a21f-001fc69cd6dc

Pixman reports: for release 0.42.2

Avoid integer overflow leading to out-of-bounds write

more...
pixman

more detail
2022-11-01VuXML ID 0844671c-5a09-11ed-856e-d4c9ef517024

The OpenSSL project reports:

X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602) (High): A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.

X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786) (High): A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.

more...
openssl-devel

more detail
2022-11-01VuXML ID 26b1100a-5a27-11ed-abfe-29ac76ec31b5

The Go project reports:

syscall, os/exec: unsanitized NUL in environment variables

On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D".

more...
go118
go119

more detail
2022-10-30VuXML ID 4b9c1c17-587c-11ed-856e-d4c9ef517024

Oracle reports:

This Critical Patch Update contains 37 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials

more...
mysql-client57
mysql-client80
mysql-connector-c++
mysql-connector-odbc
mysql-server57
mysql-server80

more detail
2022-10-28VuXML ID 1225c888-56ea-11ed-b5c3-3065ec8fd3ec

Chrome Releases reports:

This release contains 1 security fix:

  • [1378239] High CVE-2022-3723: Type Confusion in V8. Reported by Jan VojteÅ¡ek, Milánek, and Przemek Gmerek of Avast on 2022-10-25
more...
chromium
ungoogled-chromium

more detail
2022-10-25VuXML ID 1c5f3fd7-54bf-11ed-8d1e-005056a311d1

The Samba Team reports:

The DES (for Samba 4.11 and earlier) and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet.

more...
samba412
samba413
samba416

more detail
2022-10-25VuXML ID b4ef02f4-549f-11ed-8ad9-3065ec8fd3ec

Chrome Releases reports:

This release contains 14 security fixes, including:

  • [1369871] High CVE-2022-3652: Type Confusion in V8. Reported by srodulv and ZNMchtss at S.S.L Team on 2022-09-30
  • [1354271] High CVE-2022-3653: Heap buffer overflow in Vulkan. Reported by SeongHwan Park (SeHwa) on 2022-08-19
  • [1365330] High CVE-2022-3654: Use after free in Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-09-19
  • [1343384] Medium CVE-2022-3655: Heap buffer overflow in Media Galleries. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-07-11
  • [1345275] Medium CVE-2022-3656: Insufficient data validation in File System. Reported by Ron Masas, Imperva on 2022-07-18
  • [1351177] Medium CVE-2022-3657: Use after free in Extensions. Reported by Omri Bushari, Talon Cyber Security on 2022-08-09
  • [1352817] Medium CVE-2022-3658: Use after free in Feedback service on Chrome OS. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-08-14
  • [1355560] Medium CVE-2022-3659: Use after free in Accessibility. Reported by @ginggilBesel on 2022-08-23
  • [1327505] Medium CVE-2022-3660: Inappropriate implementation in Full screen mode. Reported by Irvan Kurniawan (sourc7) on 2022-05-20
  • [1350111] Low CVE-2022-3661: Insufficient data validation in Extensions. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2022-08-04
more...
chromium
ungoogled-chromium

more detail
2022-10-22VuXML ID 68fcee9b-5259-11ed-89c9-0800276af896

From libudisks 2.9.4 NEWS:

udiskslinuxblock: Fix leaking cleartext block interface

more...
libudisks

more detail
2022-10-21VuXML ID c253c4aa-5126-11ed-8a21-589cfc0f81b0

phpmyfaq developers report:

phpMyFAQ does not implement sufficient checks to avoid CSRF when logging out an user.

more...
phpmyfaq

more detail
2022-10-20VuXML ID d6d088c9-5064-11ed-bade-080027881239

Python reports:

gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner.

gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.

more...
python310
python37
python38
python39

more detail
2022-10-19VuXML ID 676d4f16-4fb3-11ed-a374-8c164567ca3c

NGINX Development Team reports:

Two security issues were identified in the ngx_http_mp4_module, which might allow an attacker to cause a worker process crash or worker process memory disclosure by using a specially crafted mp4 file, or might have potential other impact (CVE-2022-41741, CVE-2022-41742).

more...
nginx
nginx-devel

more detail
2022-10-18VuXML ID 2523bc76-4f01-11ed-929b-002590f2a714

This release contains 2 security fixes:

CVE-2022-39253

When relying on the `--local` clone optimization, Git dereferences symbolic links in the source repository before creating hardlinks (or copies) of the dereferenced link in the destination repository. This can lead to surprising behavior where arbitrary files are present in a repository's `$GIT_DIR` when cloning from a malicious repository. Git will no longer dereference symbolic links via the `--local` clone mechanism, and will instead refuse to clone repositories that have symbolic links present in the `$GIT_DIR/objects` directory. Additionally, the value of `protocol.file.allow` is changed to be "user" by default.

CVE-2022-39260

An overly-long command string given to `git shell` can result in overflow in `split_cmdline()`, leading to arbitrary heap writes and remote code execution when `git shell` is exposed and the directory `$HOME/git-shell-commands` exists. `git shell` is taught to refuse interactive commands that are longer than 4MiB in size. `split_cmdline()` is hardened to reject inputs larger than 2GiB.

more...
git
git-lite
git-tiny

more detail
2022-10-18VuXML ID 7392e1e3-4eb9-11ed-856e-d4c9ef517024

The OpenSSL project reports:

Using a Custom Cipher with NID_undef may lead to NULL encryption (low)

more...
openssl-devel

more detail
2022-10-15VuXML ID d713d709-4cc9-11ed-a621-0800277bb8a8

The Gitea team reports:

Sanitize and Escape refs in git backend

Bump golang.org/x/text

Update bluemonday

more...
gitea

more detail
2022-10-12VuXML ID 127674c6-4a27-11ed-9f93-002b67dfc673

The Roundcube project reports:

Description:

Remote code execution vulnerability in roundcube-thunderbird_labels when tb_label_modify_labels is enabled.

Workaround:

If you cannot upgrade to roundcube-thunderbird_labels-1.4.13 disable the tb_label_modify_labels config option.

more...
roundcube-thunderbird_labels

more detail
2022-10-12VuXML ID 7cb12ee0-4a13-11ed-8ad9-3065ec8fd3ec

Chrome Releases reports:

This release contains 6 security fixes:

  • [1364604] High CVE-2022-3445: Use after free in Skia. Reported by Nan Wang (@eternalsakura13) and Yong Liu of 360 Vulnerability Research Institute on 2022-09-16
  • [1368076] High CVE-2022-3446: Heap buffer overflow in WebSQL. Reported by Kaijie Xu (@kaijieguigui) on 2022-09-26
  • [1366582] High CVE-2022-3447: Inappropriate implementation in Custom Tabs. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2022-09-22
  • [1363040] High CVE-2022-3448: Use after free in Permissions API. Reported by raven at KunLun lab on 2022-09-13
  • [1364662] High CVE-2022-3449: Use after free in Safe Browsing. Reported by asnine on 2022-09-17
  • [1369882] High CVE-2022-3450: Use after free in Peer Connection. Reported by Anonymous on 2022-09-30
more...
chromium
ungoogled-chromium

more detail
2022-10-11VuXML ID f9140ad4-4920-11ed-a07e-080027f5fec9

The Samba Team reports:

CVE-2022-2031
The KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt each other's tickets. A user who has been requested to change their password can exploit this to obtain and use tickets to other services.
CVE-2022-32744
The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change the passwords of other users, enabling full domain takeover.
CVE-2022-32745
Samba AD users can cause the server to access uninitialised data with an LDAP add or modify request, usually resulting in a segmentation fault.
CVE-2022-32746
The AD DC database audit logging module can be made to access LDAP message values that have been freed by a preceding database module, resulting in a use-after-free. This is only possible when modifying certain privileged attributes, such as userAccountControl.
CVE-2022-32742
SMB1 Client with write access to a share can cause server memory contents to be written into a file or printer.
more...
samba412
samba413

more detail
2022-10-10VuXML ID 0ae56f3e-488c-11ed-bb31-b42e99a1b9c3

Lahav Schlesinger reported a bug related to online certificate revocation checking that can lead to a denial-of-service attack

.

more...
strongswan

more detail
2022-10-07*VuXML ID c2a89e8f-44e9-11ed-9215-00e081b7aa2d

Jenkins Security Advisory:

Description

(High) SECURITY-2886 / CVE-2022-41224

Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component.

Jenkins 2.370 escapes tooltips of the l:helpIcon UI component.

more...
jenkins

more detail
2022-10-07VuXML ID e4133d8b-ab33-451a-bc68-3719de73d54a

Due to a mistake in error handling, data in RRDP snapshot and delta files that isn’t correctly base 64 encoded is treated as a fatal error and causes Routinator to exit. Worst case impact of this vulnerability is denial of service for the RPKI data that Routinator provides to routers. This may stop your network from validating route origins based on RPKI data. This vulnerability does not allow an attacker to manipulate RPKI data. We are not aware of exploitation of this vulnerability at this point in time. Starting with release 0.11.3, Routinator handles encoding errors by rejecting the snapshot or delta file and continuing with validation. In case of an invalid delta file, it will try using the snapshot instead. If a snapshot file is invalid, the update of the repository will fail and an update through rsync is attempted.

.

more...
routinator

more detail
2022-10-06VuXML ID f4f15051-4574-11ed-81a1-080027881239

Django reports:

CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs.

more...
py310-django32
py310-django40
py310-django41
py37-django32
py38-django32
py38-django40
py38-django41
py39-django32
py39-django40
py39-django41

more detail
2022-10-04VuXML ID 854c2afb-4424-11ed-af97-adcabf310f9b

The Go project reports:

archive/tar: unbounded memory consumption when reading headers

Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB.

net/http/httputil: ReverseProxy should not forward unparseable query parameters

Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value.

ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

regexp/syntax: limit memory used by parsing regexps

The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.

Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected.

more...
go118
go119

more detail
2022-10-04VuXML ID d487d4fc-43a8-11ed-8b01-b42e991fc52e

Zyantific reports:

Zydis users of versions v3.2.0 and older that use the string functions provided in zycore in order to append untrusted user data to the formatter buffer within their custom formatter hooks can run into heap buffer overflows. Older versions of Zydis failed to properly initialize the string object within the formatter buffer, forgetting to initialize a few fields, leaving their value to chance. This could then in turn cause zycore functions like ZyanStringAppend to make incorrect calculations for the new target size, resulting in heap memory corruption.

more...
zydis

more detail
2022-10-02VuXML ID 67057b48-41f4-11ed-86c3-080027881239

Mediawiki reports:

(T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions..

(T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users.

(T307278, CVE-2022-41766) SECURITY: On action=rollback the message "alreadyrolled" can leak revision deleted user name.

more...
mediawiki135
mediawiki137
mediawiki138

more detail
2022-09-30VuXML ID 04422df1-40d8-11ed-9be7-454b1dd82c64

Gitlab reports:

Denial of Service via cloning an issue

Arbitrary PUT request as victim user through Sentry error list

Content injection via External Status Checks

Project maintainers can access Datadog API Key from logs

Unsafe serialization of Json data could lead to sensitive data leakage

Import bug allows importing of private local git repos

Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)

Unauthorized users able to create issues in any project

Bypass group IP restriction on Dependency Proxy

Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system

Disclosure of Todo details to guest users

A user's primary email may be disclosed through group member events webhooks

Content manipulation due to branch/tag name confusion with the default branch name

Leakage of email addresses in WebHook logs

Specially crafted output makes job logs inaccessible

Enforce editing approval rules on project level

more...
gitlab-ce

more detail
2022-09-30VuXML ID d459c914-4100-11ed-9bc7-3065ec8fd3ec

Chrome Releases reports:

This release contains 3 security fixes, including:

  • [1366813] High CVE-2022-3370: Use after free in Custom Elements. Reported by Aviv A. on 2022-09-22
  • [1366399] High CVE-2022-3373: Out of bounds write in V8. Reported by Tibor Klajnscek on 2022-09-21
more...
chromium

more detail
2022-09-29VuXML ID 5a1c2e06-3fb7-11ed-a402-b42e991fc52e

A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation.

.

more...
unbound

more detail
2022-09-28VuXML ID cb902a77-3f43-11ed-9402-901b0e9408dc

Matrix developers report:

Two critical severity vulnerabilities in end-to-end encryption were found in the SDKs which power Element, Beeper, Cinny, SchildiChat, Circuli, Synod.im and any other clients based on matrix-js-sdk, matrix-ios-sdk or matrix-android-sdk2.

more...
cinny
element-web

more detail
2022-09-27VuXML ID 0a0670a1-3e1a-11ed-b48b-e0d55e2a8bf9

Debian Security Advisory reports:

Rhodri James discovered a heap use-after-free vulnerability in the doContent function in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.

more...
expat

more detail
2022-09-27VuXML ID 18529cb0-3e9c-11ed-9bc7-3065ec8fd3ec

Chrome Releases reports:

This release contains 20 security fixes, including:

  • [1358907] High CVE-2022-3304: Use after free in CSS. Reported by Anonymous on 2022-09-01
  • [1343104] High CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. Reported by NDevTK on 2022-07-09
  • [1319229] High CVE-2022-3305: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-24
  • [1320139] High CVE-2022-3306: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-27
  • [1323488] High CVE-2022-3307: Use after free in Media. Reported by Anonymous Telecommunications Corp. Ltd. on 2022-05-08
  • [1342722] Medium CVE-2022-3308: Insufficient policy enforcement in Developer Tools. Reported by Andrea Cappa (zi0Black) @ Shielder on 2022-07-08
  • [1348415] Medium CVE-2022-3309: Use after free in Assistant. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2022-07-29
  • [1240065] Medium CVE-2022-3310: Insufficient policy enforcement in Custom Tabs. Reported by Ashwin Agrawal from Optus, Sydney on 2021-08-16
  • [1302813] Medium CVE-2022-3311: Use after free in Import. Reported by Samet Bekmezci @sametbekmezci on 2022-03-04
  • [1303306] Medium CVE-2022-3312: Insufficient validation of untrusted input in VPN. Reported by Andr.Ess on 2022-03-06
  • [1317904] Medium CVE-2022-3313: Incorrect security UI in Full Screen. Reported by Irvan Kurniawan (sourc7) on 2022-04-20
  • [1328708] Medium CVE-2022-3314: Use after free in Logging. Reported by Anonymous on 2022-05-24
  • [1322812] Medium CVE-2022-3315: Type confusion in Blink. Reported by Anonymous on 2022-05-05
  • [1333623] Low CVE-2022-3316: Insufficient validation of untrusted input in Safe Browsing. Reported by Sven Dysthe (@svn_dy) on 2022-06-07
  • [1300539] Low CVE-2022-3317: Insufficient validation of untrusted input in Intents. Reported by Hafiizh on 2022-02-24
  • [1318791] Low CVE-2022-3318: Use after free in ChromeOS Notifications. Reported by GraVity0 on 2022-04-22
more...
chromium

more detail
2022-09-26VuXML ID f9ada0b5-3d80-11ed-9330-080027f5fec9

Mikhail Evdokimov (aka konata) reports:

Due to inconsistent handling of internal URIs Squid is vulnerable to Exposure of Sensitive Information about clients using the proxy. This problem allows a trusted client to directly access cache manager information bypassing the manager ACL protection. The available cache manager information contains records of internal network structure, client credentials, client identity and client traffic behaviour.

more...
squid

more detail
2022-09-21VuXML ID 95e6e6ca-3986-11ed-8e0c-6c3be5272acd

Grafana Labs reports:

On August 9 an internal security review identified a vulnerability in the Grafana which allows an escalation from Admin privileges to Server Admin when Auth proxy authentication is used.

Auth proxy allows to authenticate a user by only providing the username (or email) in a X-WEBAUTH-USER HTTP header: the trust assumption is that a front proxy will take care of authentication and that Grafana server is publicly reachable only with this front proxy.

Datasource proxy breaks this assumption:

  • it is possible to configure a fake datasource pointing to a localhost Grafana install with a X-WEBAUTH-USER HTTP header containing admin username.
  • This fake datasource can be called publicly via this proxying feature.

The CVSS score for this vulnerability is 6.6 Moderate (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

more...
grafana
grafana7
grafana8
grafana9

more detail
2022-09-21VuXML ID f1f637d1-39eb-11ed-ab44-080027f5fec9

The Redis core team reports:

Executing a XAUTOCLAIM command on a stream key in a specific state, with a specially crafted COUNT argument, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. The problem affects Redis versions 7.0.0 or newer.

more...
redis

more detail
2022-09-19VuXML ID 656b0152-faa9-4755-b08d-aee4a774bd04

Tim Wojtulewicz of Corelight reports:

Fix a possible overflow and crash in the ICMP analyzer when receiving a specially crafted packet.

Fix a possible overflow and crash in the IRC analyzer when receiving a specially crafted packet.

Fix a possible overflow and crash in the SMB analyzer when receiving a specially crafted packet.

Fix two possible crashes when converting IP headers for output via the raw_packet event.

more...
zeek

more detail
2022-09-16VuXML ID aeb4c85b-3600-11ed-b52d-589cfc007716

Puppet reports:

The org.postgresql/postgresql driver has been updated to version 42.4.1 to address CVE-2022-31197, which is an SQL injection risk that according to the CVE report, can only be exploited if an attacker controls the database to the extent that they can adjust relevant tables to have "malicious" column names.

more...
puppetdb6
puppetdb7

more detail
2022-09-14VuXML ID b59847e0-346d-11ed-8fe9-3065ec8fd3ec

Chrome Releases reports:

This release includes 11 security fixes, including:

  • [1358381] High CVE-2022-3195: Out of bounds write in Storage. Reported by Ziling Chen and Nan Wang (@eternalsakura13) of 360 Vulnerability Research Institute on 2022-08-31
  • [1358090] High CVE-2022-3196: Use after free in PDF. Reported by triplepwns on 2022-08-30
  • [1358075] High CVE-2022-3197: Use after free in PDF. Reported by triplepwns on 2022-08-30
  • [1355682] High CVE-2022-3198: Use after free in PDF. Reported by MerdroidSG on 2022-08-23
  • [1355237] High CVE-2022-3199: Use after free in Frames. Reported by Anonymous on 2022-08-22
  • [1355103] High CVE-2022-3200: Heap buffer overflow in Internals. Reported by Richard Lorenz, SAP on 2022-08-22
  • [1343104] High CVE-2022-3201: Insufficient validation of untrusted input in DevTools. Reported by NDevTK on 2022-07-09
more...
chromium

more detail
2022-09-12VuXML ID 4ebaa983-3299-11ed-95f8-901b0e9408dc

Dendrite team reports:

Events retrieved from a remote homeserver using /get_missing_events did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint.

Note that this does not apply to events retrieved through other endpoints (e.g. /event, /state) as they have been correctly verified.

Homeservers that have federation disabled are not vulnerable.

more...
dendrite

more detail
2022-09-11VuXML ID f75722ce-31b0-11ed-8b56-0800277bb8a8

The Gitea team reports:

Double check CloneURL is acceptable

Add more checks in migration code

more...
gitea

more detail
2022-09-08VuXML ID 80e057e7-2f0a-11ed-978f-fcaa147e860e

Python reports:

gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity.

gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.

more...
python310
python37
python38
python39

more detail
2022-09-07VuXML ID 6fea7103-2ea4-11ed-b403-3dae8ac60d3e

The Go project reports:

net/http: handle server errors after sending GOAWAY

A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

net/url: JoinPath does not strip relative path components in all circumstances

JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path.

more...
go118
go119

more detail
2022-09-03VuXML ID f38d25ac-2b7a-11ed-a1ef-3065ec8fd3ec

Chrome Releases reports:

This release contains 1 security fix:

  • [1358134] High CVE-2022-3075: Insufficient data validation in Mojo. Reported by Anonymous on 2022-08-30

Google is aware that an exploit of CVE-2022-3075 exists in the wild.

more...
chromium

more detail
2022-09-01VuXML ID 5418b360-29cc-11ed-a6d4-6805ca2fa271

PowerDNS Team reports:

PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation.

more...
powerdns-recursor

more detail
2022-09-01VuXML ID 827b95ff-290e-11ed-a2e7-6c3be5272acd

Grafana Labs reports:

On July 21, an internal security review identified an unauthorized file disclosure vulnerability in the Grafana Image Renderer plugin when HTTP remote rendering is used. The Chromium browser embedded in the Grafana Image Renderer allows for “printing” of unauthorized files in a PNG file. This makes it possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake data source (this applies if the user has admin permissions in Grafana).

more...
grafana
grafana7
grafana8
grafana9

more detail
2022-08-31VuXML ID a1323a76-28f1-11ed-a72a-002590c1f29c

Problem Description:

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field.

Impact:

Applications that call inflateGetHeader may be vulnerable to a buffer overflow. Note that inflateGetHeader is not used by anything in the FreeBSD base system, but may be used by third party software.

more...
FreeBSD

more detail
2022-08-31VuXML ID e4d93d07-297a-11ed-95f8-901b0e9408dc

Matrix developers report:

The vulnerabilities give an adversary who you share a room with the ability to carry out a denial-of-service attack against the affected clients, making it not show all of a user's rooms or spaces and/or causing minor temporary corruption.

more...
cinny
element-web

more detail
2022-08-31VuXML ID f2043ff6-2916-11ed-a1ef-3065ec8fd3ec

Chrome Releases reports:

This release contains 24 security fixes, including:

  • [1340253] Critical CVE-2022-3038: Use after free in Network Service. Reported by Sergei Glazunov of Google Project Zero on 2022-06-28
  • [1343348] High CVE-2022-3039: Use after free in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-07-11
  • [1341539] High CVE-2022-3040: Use after free in Layout. Reported by Anonymous on 2022-07-03
  • [1345947] High CVE-2022-3041: Use after free in WebSQL. Reported by Ziling Chen and Nan Wang(@eternalsakura13) of 360 Vulnerability Research Institute on 2022-07-20
  • [1338553] High CVE-2022-3042: Use after free in PhoneHub. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-06-22
  • [1336979] High CVE-2022-3043: Heap buffer overflow in Screen Capture. Reported by @ginggilBesel on 2022-06-16
  • [1051198] High CVE-2022-3044: Inappropriate implementation in Site Isolation. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-02-12
  • [1339648] High CVE-2022-3045: Insufficient validation of untrusted input in V8. Reported by Ben Noordhuis on 2022-06-26
  • [1346245] High CVE-2022-3046: Use after free in Browser Tag. Reported by Rong Jian of VRI on 2022-07-21
  • [1342586] Medium CVE-2022-3047: Insufficient policy enforcement in Extensions API. Reported by Maurice Dauer on 2022-07-07
  • [1303308] Medium CVE-2022-3048: Inappropriate implementation in Chrome OS lockscreen. Reported by Andr.Ess on 2022-03-06
  • [1316892] Medium CVE-2022-3049: Use after free in SplitScreen. Reported by @ginggilBesel on 2022-04-17
  • [1337132] Medium CVE-2022-3050: Heap buffer overflow in WebUI. Reported by Zhihua Yao of KunLun Lab on 2022-06-17
  • [1345245] Medium CVE-2022-3051: Heap buffer overflow in Exosphere. Reported by @ginggilBesel on 2022-07-18
  • [1346154] Medium CVE-2022-3052: Heap buffer overflow in Window Manager. Reported by Khalil Zhani on 2022-07-21
  • [1267867] Medium CVE-2022-3053: Inappropriate implementation in Pointer Lock. Reported by Jesper van den Ende (Pelican Party Studios) on 2021-11-08
  • [1290236] Medium CVE-2022-3054: Insufficient policy enforcement in DevTools. Reported by Kuilin Li on 2022-01-24
  • [1351969] Medium CVE-2022-3055: Use after free in Passwords. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-08-11
  • [1329460] Low CVE-2022-3056: Insufficient policy enforcement in Content Security Policy. Reported by Anonymous on 2022-05-26
  • [1336904] Low CVE-2022-3057: Inappropriate implementation in iframe Sandbox. Reported by Gareth Heyes on 2022-06-16
  • [1337676] Low CVE-2022-3058: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-06-20
more...
chromium

more detail
2022-08-30VuXML ID e6b994e2-2891-11ed-9be7-454b1dd82c64

Gitlab reports:

Remote Command Execution via GitHub import

Stored XSS via labels color

Content injection via Incidents Timeline description

Lack of length validation in Snippets leads to Denial of Service

Group IP allow-list not fully respected by the Package Registry

Abusing Gitaly.GetTreeEntries calls leads to denial of service

Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags

Regular Expression Denial of Service via special crafted input

Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events

Regex backtracking through the Commit message field

Read repository content via LivePreview feature

Denial of Service via the Create branch API

Denial of Service via Issue preview

IDOR in Zentao integration leaked issue details

Brute force attack may guess a password even when 2FA is enabled

more...
gitlab-ce

more detail
2022-08-26VuXML ID 3110b29e-c82d-4287-9f6c-db82bb883b1e

Tim Wojtulewicz of Corelight reports:

Fix a possible overflow and crash in the ARP analyzer when receiving a specially crafted packet. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability.

Fix a possible overflow and crash in the Modbus analyzer when receiving a specially crafted packet. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability.

Fix two possible crashes when converting IP headers for output via the raw_packet event. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability. Note that the raw_packet event is not enabled by default so these are likely low-severity issues.

Fix an abort related to an error related to the ordering of record fields when processing DNS EDNS headers via events. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability. Note that the dns_EDNS events are not implemented by default so this is likely a low-severity issue.

more...
zeek

more detail
2022-08-25VuXML ID 36d10af7-248d-11ed-856e-d4c9ef517024

The MariaDB project reports:

Multiple vulnerabilities, mostly segfaults, in the server component

more...
mariadb103-server
mariadb104-server
mariadb105-server
mariadb106-server

more detail
2022-08-25*VuXML ID d658042c-1c98-11ed-95f8-901b0e9408dc

Dendrite team reports:

The power level parsing within gomatrixserverlib was failing to parse the "events_default" key of the m.room.power_levels event, defaulting the event default power level to zero in all cases.

In rooms where the "events_default" power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers.

more...
dendrite

more detail
2022-08-23VuXML ID 8a0cd618-22a0-11ed-b1e7-001b217b3468

Gitlab reports:

Remote Command Execution via Github import

more...
gitlab-ce

more detail
2022-08-20VuXML ID 03bb8373-2026-11ed-9d70-080027240888

Drupal reports:

CVE-2022-31175: Cross-site scripting (XSS) caused by the editor instance destroying process.

more...
drupal9

more detail
2022-08-17VuXML ID f12368a8-1e05-11ed-a1ef-3065ec8fd3ec

Chrome Releases reports:

This release contains 11 security fixes, including:

  • [1349322] Critical CVE-2022-2852: Use after free in FedCM. Reported by Sergei Glazunov of Google Project Zero on 2022-08-02
  • [1337538] High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-06-18
  • [1345042] High CVE-2022-2855: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-07-16
  • [1338135] High CVE-2022-2857: Use after free in Blink. Reported by Anonymous on 2022-06-21
  • [1341918] High CVE-2022-2858: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
  • [1350097] High CVE-2022-2853: Heap buffer overflow in Downloads. Reported by Sergei Glazunov of Google Project Zero on 2022-08-04
  • [1345630] High CVE-2022-2856: Insufficient validation of untrusted input in Intents. Reported by Ashley Shen and Christian Resell of Google Threat Analysis Group on 2022-07-19
  • [1338412] Medium CVE-2022-2859: Use after free in Chrome OS Shell. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-22
  • [1345193] Medium CVE-2022-2860: Insufficient policy enforcement in Cookies. Reported by Axel Chong on 2022-07-18
  • [1346236] Medium CVE-2022-2861: Inappropriate implementation in Extensions API. Reported by Rong Jian of VRI on 2022-07-21
more...
chromium

more detail
2022-08-14VuXML ID e2e7faf9-1b51-11ed-ae46-002b67dfc673

Apache Tomcat reports:

The Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.

more...
tomcat
tomcat-devel
tomcat10
tomcat85
tomcat9

more detail
2022-08-12VuXML ID 75c073cc-1a1d-11ed-bea0-48ee0c739857

The XFCE project reports:

Added mime type check to the gst-thumbnailer plugin to fix an undisclosed vulnerability.

more...
xfce4-tumbler

more detail
2022-08-10VuXML ID 02fb9764-1893-11ed-9b22-002590c1f29c

Problem Description:

A particular case of memory sharing is mishandled in the virtual memory system. This is very similar to SA-21:08.vm, but with a different root cause.

Impact:

An unprivileged local user process can maintain a mapping of a page after it is freed, allowing that process to read private data belonging to other processes or the kernel.

more...
FreeBSD-kernel

more detail
2022-08-10VuXML ID 21f43976-1887-11ed-9911-40b034429ecf

Openwall oss-security reports:

We have discovered a critical arbitrary file write vulnerability in the rsync utility that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. Due to the insufficient controls inside the do_server_recv function a malicious rysnc server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories.

more...
rsync

more detail
2022-08-10VuXML ID 5028c1ae-1890-11ed-9b22-002590c1f29c

Problem Description:

When dumping core and saving process information, proc_getargv() might return an sbuf which have a sbuf_len() of 0 or -1, which is not properly handled.

Impact:

An out-of-bound read can happen when user constructs a specially crafted ps_string, which in turn can cause the kernel to crash.

more...
FreeBSD-kernel

more detail
2022-08-10*VuXML ID 5ddbe47b-1891-11ed-9b22-002590c1f29c

Problem Description:

The aio_aqueue function, used by the lio_listio system call, fails to release a reference to a credential in an error case.

Impact:

An attacker may cause the reference count to overflow, leading to a use after free (UAF).

more...
FreeBSD-kernel

more detail
2022-08-10VuXML ID 8eaaf135-1893-11ed-9b22-002590c1f29c

Problem Description:

The implementation of lib9p's handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory.

Impact:

The bug can be triggered by a malicious bhyve guest kernel to overwrite memory in the bhyve(8) process. This could potentially lead to user-mode code execution on the host, subject to bhyve's Capsicum sandbox.

more...
FreeBSD

more detail
2022-08-10VuXML ID c3610f39-18f1-11ed-9854-641c67a117d8

Varnish Cache Project reports:

A denial of service attack can be performed against Varnish Cache servers by specially formatting the reason phrase of the backend response status line. In order to execute an attack, the attacker would have to be able to influence the HTTP/1 responses that the Varnish Server receives from its configured backends. A successful attack would cause the Varnish Server to assert and automatically restart.

more...
varnish7

more detail
2022-08-09VuXML ID 1cd0c17a-17c0-11ed-91a5-080027f5fec9

The GnuTLS project reports:

When gnutls_pkcs7_verify cannot verify signature against given trust list, it starts creating a chain of certificates starting from identified signer up to known root. During the creation of this chain the signer certificate gets freed which results in double free when the same signer certificate is freed at the end of the algorithm.

more...
gnutls

more detail
2022-08-08VuXML ID 9b9a5f6e-1755-11ed-adef-589cfc01894a

wolfSSL blog reports:

In release 5.4.0 there were 3 vulnerabilities listed as fixed in wolfSSL. Two relatively new reports, one dealing with a DTLS 1.0/1.2 denial of service attack and the other a ciphertext attack on ECC/DH operations. The last vulnerability listed was a public disclosure of a previous attack on AMD devices fixed since wolfSSL version 5.1.0. Coordination of the disclosure of the attack was done responsibly, in cooperation with the researchers, waiting for the public release of the attack details since it affects multiple security libraries.

more...
wolfssl

more detail
2022-08-05VuXML ID 3b47104f-1461-11ed-a0c5-080027240888

Django reports:

CVE-2022-36359: Potential reflected file download vulnerability in FileResponse.

more...
py310-django32
py310-django40
py38-django32
py38-django40
py39-django32
py39-django40

more detail
2022-08-05VuXML ID 8bec3994-104d-11ed-a7ac-0800273f11ea

The Gitea team reports:

Use git.HOME_PATH for Git HOME directory

Add write check for creating Commit status

Remove deprecated SSH ciphers from default

more...
gitea

more detail
2022-08-05VuXML ID bc43a578-14ec-11ed-856e-d4c9ef517024

NLnet Labs reports:

novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating.

novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second level subdomain which the rogue nameserver provides new delegation information.

more...
unbound

more detail
2022-08-05VuXML ID df29c391-1046-11ed-a7ac-0800273f11ea

The Gitea team reports:

Add write check for creating Commit status

Check for permission when fetching user controlled issues

more...
gitea

more detail
2022-08-03VuXML ID 96a41723-133a-11ed-be3b-3065ec8fd3ec

Chrome Releases reports:

This release contains 27 security fixes, including:

  • [1325699] High CVE-2022-2603: Use after free in Omnibox. Reported by Anonymous on 2022-05-16
  • [1335316] High CVE-2022-2604: Use after free in Safe Browsing. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-10
  • [1338470] High CVE-2022-2605: Out of bounds read in Dawn. Reported by Looben Yang on 2022-06-22
  • [1330489] High CVE-2022-2606: Use after free in Managed devices API. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-31
  • [1286203] High CVE-2022-2607: Use after free in Tab Strip. Reported by @ginggilBesel on 2022-01-11
  • [1330775] High CVE-2022-2608: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-06-01
  • [1338560] High CVE-2022-2609: Use after free in Nearby Share. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-06-22
  • [1278255] Medium CVE-2022-2610: Insufficient policy enforcement in Background Fetch. Reported by Maurice Dauer on 2021-12-09
  • [1320538] Medium CVE-2022-2611: Inappropriate implementation in Fullscreen API. Reported by Irvan Kurniawan (sourc7) on 2022-04-28
  • [1321350] Medium CVE-2022-2612: Side-channel information leakage in Keyboard input. Reported by Erik Kraft (erik.kraft5@gmx.at), Martin Schwarzl (martin.schwarzl@iaik.tugraz.at) on 2022-04-30
  • [1325256] Medium CVE-2022-2613: Use after free in Input. Reported by Piotr Tworek (Vewd) on 2022-05-13
  • [1341907] Medium CVE-2022-2614: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
  • [1268580] Medium CVE-2022-2615: Insufficient policy enforcement in Cookies. Reported by Maurice Dauer on 2021-11-10
  • [1302159] Medium CVE-2022-2616: Inappropriate implementation in Extensions API. Reported by Alesandro Ortiz on 2022-03-02
  • [1292451] Medium CVE-2022-2617: Use after free in Extensions API. Reported by @ginggilBesel on 2022-01-31
  • [1308422] Medium CVE-2022-2618: Insufficient validation of untrusted input in Internals. Reported by asnine on 2022-03-21
  • [1332881] Medium CVE-2022-2619: Insufficient validation of untrusted input in Settings. Reported by Oliver Dunk on 2022-06-04
  • [1337304] Medium CVE-2022-2620: Use after free in WebUI. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-17
  • [1323449] Medium CVE-2022-2621: Use after free in Extensions. Reported by Huyna at Viettel Cyber Security on 2022-05-07
  • [1332392] Medium CVE-2022-2622: Insufficient validation of untrusted input in Safe Browsing. Reported by Imre Rad (@ImreRad) and @j00sean on 2022-06-03
  • [1337798] Medium CVE-2022-2623: Use after free in Offline. Reported by raven at KunLun lab on 2022-06-20
  • [1339745] Medium CVE-2022-2624: Heap buffer overflow in PDF. Reported by YU-CHANG CHEN and CHIH-YEN CHANG, working with DEVCORE Internship Program on 2022-06-27
more...
chromium

more detail
2022-08-02VuXML ID 7f8d5435-125a-11ed-9a69-10c37b4ac2ea

The Go project reports:

encoding/gob & math/big: decoding big.Float and big.Rat can panic

Decoding big.Float and big.Rat types can panic if the encoded message is too short.

more...
go117
go118

more detail
2022-07-30VuXML ID 4c26f668-0fd2-11ed-a83d-001b217b3468

Gitlab reports:

Revoke access to confidential notes todos

Pipeline subscriptions trigger new pipelines with the wrong author

Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email

Import via git protocol allows to bypass checks on repository

Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages

Maintainer can leak Packagist and other integration access tokens by changing integration URL

Unauthenticated access to victims Grafana datasources through path traversal

Unauthorized users can filter issues by contact and organization

Malicious Maintainer may change the visibility of project or a group

Stored XSS in job error messages

Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant

Non project members can view public project's Deploy Keys

IDOR in project with Jira integration leaks project owner's other projects Jira issues

Group Bot Users and Tokens not deleted after group deletion

Email invited members can join projects even after the member lock has been enabled

Datadog integration returns user emails

more...
gitlab-ce

more detail
2022-07-21VuXML ID 8e150606-08c9-11ed-856e-d4c9ef517024

Oracle reports:

This Critical Patch Update contains 34 new security patches plus additional third party patches noted below for Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

more...
mysql-client80
mysql-server56
mysql-server57
mysql-server80

more detail
2022-07-21VuXML ID e1387e95-08d0-11ed-be26-001999f8d30b

Oracle reports:

Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox.

more...
virtualbox-ose

more detail
2022-07-20VuXML ID 27cc4258-0805-11ed-8ac1-3065ec8fd3ec

Chrome Releases reports:

This release contains 11 security fixes, including:

  • [1336266] High CVE-2022-2477: Use after free in Guest View. Reported by anonymous on 2022-06-14
  • [1335861] High CVE-2022-2478: Use after free in PDF. Reported by triplepwns on 2022-06-13
  • [1329987] High CVE-2022-2479: Insufficient validation of untrusted input in File. Reported by anonymous on 2022-05-28
  • [1339844] High CVE-2022-2480: Use after free in Service Worker API. Reported by Sergei Glazunov of Google Project Zero on 2022-06-27
  • [1341603] High CVE-2022-2481: Use after free in Views. Reported by YoungJoo Lee(@ashuu_lee) of CompSecLab at Seoul National University on 2022-07-04
  • [1308341] Low CVE-2022-2163: Use after free in Cast UI and Toolbar. Reported by Chaoyuan Peng (@ret2happy) on 2022-03-21
more...
chromium

more detail
2022-07-18VuXML ID 871d93f9-06aa-11ed-8d5f-080027f5fec9

The Redis core team reports:

A specially crafted XAUTOCLAIM command on a stream key in a specific state may result with heap overflow, and potentially remote code execution.

more...
redis

more detail
2022-07-15VuXML ID 0859e6d5-0415-11ed-a53b-6c3be5272acd

Grafana Labs reports:

It is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP to take over an existing Grafana account under some conditions.

more...
grafana
grafana7
grafana8
grafana9

more detail
2022-07-15VuXML ID 0c367e98-0415-11ed-a53b-6c3be5272acd

Grafana Labs reports:

An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. (Note: Grafana Alerting is activated by default in Grafana 9.0.)

more...
grafana
grafana8
grafana9

more detail
2022-07-13VuXML ID a4f2416c-02a0-11ed-b817-10c37b4ac2ea

The Go project reports:

net/http: improper sanitization of Transfer-Encoding header

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected.

compress/gzip: stack exhaustion in Reader.Read

Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.

encoding/xml: stack exhaustion in Unmarshal

Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.

encoding/xml: stack exhaustion in Decoder.Skip

Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.

encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

path/filepath: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

io/fs: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.

more...
go117
go118

more detail
2022-07-12VuXML ID b99f99f6-021e-11ed-8c6f-000c29ffbb6c

The git project reports:

Git is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository.

more...
git

more detail
2022-07-10VuXML ID 830855f3-ffcc-11ec-9d41-d05099c8b5a7

mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../ directory traversal during the ZIP archive cleaning process. This primarily affects mat2 web instances, in which clients could obtain sensitive information via a crafted archive.

more...
mat2

more detail
2022-07-09VuXML ID d1b35142-ff4a-11ec-8be3-001b217b3468

Gitlab reports:

Remote Command Execution via Project Imports

XSS in ZenTao integration affecting self hosted instances without strict CSP

XSS in project settings page

Unallowed users can read unprotected CI variables

IP allow-list bypass to access Container Registries

2FA status is disclosed to unauthenticated users

CI variables provided to runners outside of a group's restricted IP range

IDOR in sentry issues

Reporters can manage issues in error tracking

Regular Expression Denial of Service via malicious web server responses

Unauthorized read for conan repository

Open redirect vulnerability

Group labels are editable through subproject

Release titles visible for any users if group milestones are associated with any project releases

Restrict membership by email domain bypass

Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint

more...
gitlab-ce

more detail
2022-07-08*VuXML ID b9210706-feb0-11ec-81fa-1c697a616631

Node.js reports:

HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (Medium)(CVE-2022-32213)

The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

HTTP Request Smuggling - Improper Delimiting of Header Fields (Medium)(CVE-2022-32214)

The llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)(CVE-2022-32215)

The llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

DNS rebinding in --inspect via invalid IP addresses (High)(CVE-2022-32212)

The IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided (for instance 10.0.2.555 is provided), browsers (such as Firefox) will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MITM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884.

Attempt to read openssl.cnf from /home/iojs/build/ upon startup (Medium)(CVE-2022-32222)

When Node.js starts on linux based systems, it attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf, which ordinarily doesn't exist. On some shared systems an attacker may be able create this file and therefore affect the default OpenSSL configuration for other users.

OpenSSL - AES OCB fails to encrypt some bytes (Medium)(CVE-2022-2097)

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.

more...
node
node14
node16

more detail
2022-07-07VuXML ID 744ec9d7-fe0f-11ec-bcd2-3065ec8fd3ec

Chrome Releases reports:

This release contains 4 security fixes, including:

  • [1341043] High CVE-2022-2294: Heap buffer overflow in WebRTC. Reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01
  • [1336869] High CVE-2022-2295: Type Confusion in V8. Reported by avaue and Buff3tts at S.S.L. on 2022-06-16
  • [1327087] High CVE-2022-2296: Use after free in Chrome OS Shell. Reported by Khalil Zhani on 2022-05-19
more...
chromium

more detail
2022-07-05VuXML ID a28e8b7e-fc70-11ec-856e-d4c9ef517024

The OpenSSL project reports:

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed.

more...
openssl
openssl-devel

more detail
2022-07-05*VuXML ID f0e45968-faff-11ec-856e-d4c9ef517024

The OpenSSL project reports:

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation.

SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

more...
openssl-devel

more detail
2022-07-04VuXML ID 5be19b0d-fb85-11ec-95cd-080027b24e86

SO-AND-SO reports:

CVE-2022-34265: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments.

more...
py310-django32
py310-django40
py37-django32
py38-django32
py38-django40
py39-django32
py39-django40

more detail
2022-07-03VuXML ID 5ab54ea0-fa94-11ec-996c-080027b24e86

Mediawiki reports:

(T308471) Username is not escaped in the "welcomeuser" message.

(T308473) Username not escaped in the contributions-title message.

(T309377, CVE-2022-29248) Update "guzzlehttp/guzzle" to version 6.5.6.

(T311384, CVE-2022-27776) Update "guzzlehttp/guzzle" to 6.5.8/7.4.5.

more...
mediawiki135
mediawiki137
mediawiki138

more detail
2022-06-29VuXML ID 07c0d782-f758-11ec-acaa-901b0e9408dc

Matrix developers report:

This release fixes a vulnerability with Synapse's URL preview feature. URL previews of some web pages can lead to unbounded recursion, causing the request to either fail, or in some cases crash the running Synapse process.

Note that:

  • Homeservers with the url_preview_enabled configuration option set to false (the default value) are unaffected.
  • Instances with the enable_media_repo configuration option set to false are also unaffected, as this also disables the URL preview functionality.
more...
py310-matrix-synapse
py311-matrix-synapse
py37-matrix-synapse
py38-matrix-synapse
py39-matrix-synapse

more detail
2022-06-27VuXML ID ae5722a6-f5f0-11ec-856e-d4c9ef517024

The cURL project reports:

  • CVE-2022-32205: Set-Cookie denial of service
  • CVE-2022-32206: HTTP compression denial of service
  • CVE-2022-32207: Unpreserved file permissions
  • CVE-2022-32208: FTP-KRB bad message verification
more...
curl

more detail
2022-06-22VuXML ID 25be46f0-f25d-11ec-b62a-00e081b7aa2d

Jenkins Security Advisory:

Description

(High) SECURITY-2781 / CVE-2022-34170 (SECURITY-2779), CVE-2022-34171 (SECURITY-2761), CVE-2022-34172 (SECURITY-2776), CVE-2022-34173 (SECURITY-2780)

Multiple XSS vulnerabilities

(Medium) SECURITY-2566 / CVE-2022-34174

Observable timing discrepancy allows determining username validity

(Medium) Unauthorized view fragment access

SECURITY-2777 / CVE-2022-34175

more...
jenkins
jenkins-lts

more detail
2022-06-22VuXML ID 4eeb93bf-f204-11ec-8fbd-d4c9ef517024

The OpenSSL project reports:

Circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review.

more...
openssl
openssl-devel
openssl-quictls

more detail
2022-06-22VuXML ID b2a4c5f1-f1fe-11ec-bcd2-3065ec8fd3ec

Chrome Releases reports:

This release contains 14 security fixes, including:

  • [1335458] Critical CVE-2022-2156: Use after free in Base. Reported by Mark Brand of Google Project Zero on 2022-06-11
  • [1327312] High CVE-2022-2157: Use after free in Interest groups. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-19
  • [1321078] High CVE-2022-2158: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2022-04-29
  • [1116450] Medium CVE-2022-2160: Insufficient policy enforcement in DevTools. Reported by David Erceg on 2020-08-14
  • [1330289] Medium CVE-2022-2161: Use after free in WebApp Provider. Reported by Zhihua Yao of KunLun Lab on 2022-05-30
  • [1307930] Medium CVE-2022-2162: Insufficient policy enforcement in File System API. Reported by Abdelhamid Naceri (halov) on 2022-03-19
  • [1308341] Low CVE-2022-2163: Use after free in Cast UI and Toolbar. Reported by Chaoyuan Peng (@ret2happy) on 2022-03-21
  • [1268445] Low CVE-2022-2164: Inappropriate implementation in Extensions API. Reported by José Miguel Moreno Computer Security Lab (COSEC) at UC3M on 2021-11-10
  • [1250993] Low CVE-2022-2165: Insufficient data validation in URL formatting. Reported by Rayyan Bijoora on 2021-09-19
more...
chromium

more detail
2022-06-20VuXML ID ad37a349-ebb7-11ec-b9f7-21427354249d

Zeyu Zhang reports:

In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request's body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization.

Unless you use mitmproxy to protect an HTTP/1 service, no action is required.

more...
mitmproxy

more detail
2022-06-17VuXML ID 5d1e4f6a-ee4f-11ec-86c2-485b3931c969

Tor organization reports:

TROVE-2022-001

more...
tor

more detail
2022-06-11VuXML ID 482456fb-e9af-11ec-93b6-318d1419ea39

Debian Security tracker reports:

ExifTool.pm in ExifTool before 12.38 mishandles a file special characters check, leading to command injection

more...
p5-Image-ExifTool

more detail
2022-06-11VuXML ID 55cff5d2-e95c-11ec-ae20-001999f8d30b

XFCE Project reports:

Prevent executing possibly malicious .desktop files from online sources (ftp://, http:// etc.).

more...
libexo

more detail
2022-06-11VuXML ID b51cfaea-e919-11ec-9fba-080027240888

Numpy reports:

At most call-sites for PyArray_DescrNew, there are no validations of its return, but an invalid address may be returned.

more...
py310-numpy
py38-numpy
py39-numpy

more detail
2022-06-10*VuXML ID 49adfbe5-e7d1-11ec-8fbd-d4c9ef517024

The Apache httpd project reports:

  • CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism. Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.
  • CVE-2022-30556: Information Disclosure in mod_lua with websockets. Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
  • CVE-2022-30522: mod_sed denial of service. If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
  • CVE-2022-29404: Denial of service in mod_lua r:parsebody. In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.
  • CVE-2022-28615: Read beyond bounds in ap_strcmp_match(). Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.
  • CVE-2022-28614: read beyond bounds via ap_rwrite(). The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function.
  • CVE-2022-28330: read beyond bounds in mod_isapi. Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module.
  • CVE-2022-26377: mod_proxy_ajp: Possible request smuggling. Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to.
more...
apache24

more detail
2022-06-09VuXML ID c80ce2dd-e831-11ec-bcd2-3065ec8fd3ec

Chrome Releases reports:

This release contains 7 security fixes, including:

  • [1326210] High CVE-2022-2007: Use after free in WebGPU. Reported by David Manouchehri on 2022-05-17
  • [1317673] High CVE-2022-2008: Out of bounds memory access in WebGL. Reported by khangkito - Tran Van Khang (VinCSS) on 2022-04-19
  • [1325298] High CVE-2022-2010: Out of bounds read in compositing. Reported by Mark Brand of Google Project Zero on 2022-05-13
  • [1330379] High CVE-2022-2011: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-05-31
more...
chromium

more detail
2022-06-07VuXML ID 15888c7e-e659-11ec-b7fe-10c37b4ac2ea

The Go project reports:

crypto/rand: rand.Read hangs with extremely large buffers

On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes.

crypto/tls: session tickets lack random ticket_age_add

Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

os/exec: empty Cmd.Path can result in running unintended binary on Windows

If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput are executed when Cmd.Path is unset and, in the working directory, there are binaries named either "..com" or "..exe", they will be executed.

path/filepath: Clean(`.\c:`) returns `c:` on Windows

On Windows, the filepath.Clean function could convert an invalid path to a valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

more...
go117
go118

more detail
2022-06-05VuXML ID a58f3fde-e4e0-11ec-8340-2d623369b8b5

Nils Bars reports:

During the processing of [a specially fuzzed disk image], an out-of-bounds write is triggered and causes a segmentation fault (SIGSEGV).

more...
e2fsprogs
e2fsprogs-nobootfsck
e2fsprogs-roothardlinks

more detail
2022-06-04VuXML ID f414d69f-e43d-11ec-9ea4-001b217b3468

Gitlab reports:

Account take over via SCIM email change

Stored XSS in Jira integration

Quick action commands susceptible to XSS

IP allowlist bypass when using Trigger tokens

IP allowlist bypass when using Project Deploy Tokens

Improper authorization in the Interactive Web Terminal

Subgroup member can list members of parent group

Group member lock bypass

more...
gitlab-ce

more detail
2022-06-03VuXML ID 204f1a7a-43df-412f-ad25-7dbe88f54fa4

Tim Wojtulewicz of Corelight reports:

Fix potential hang in the DNS analyzer when receiving a specially-crafted packet. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability.

more...
zeek

more detail
2022-05-24VuXML ID 40e2c35e-db99-11ec-b0cf-3065ec8fd3ec

Chrome Releases reports:

This release contains 32 security fixes, including:

  • [1324864] Critical CVE-2022-1853: Use after free in Indexed DB. Reported by Anonymous on 2022-05-12
  • [1320024] High CVE-2022-1854: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-04-27
  • [1228661] High CVE-2022-1855: Use after free in Messaging. Reported by Anonymous on 2021-07-13
  • [1323239] High CVE-2022-1856: Use after free in User Education. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-06
  • [1227995] High CVE-2022-1857: Insufficient policy enforcement in File System API. Reported by Daniel Rhea on 2021-07-11
  • [1314310] High CVE-2022-1858: Out of bounds read in DevTools. Reported by EllisVlad on 2022-04-07
  • [1322744] High CVE-2022-1859: Use after free in Performance Manager. Reported by Guannan Wang (@Keenan7310) of Tencent Security Xuanwu Lab on 2022-05-05
  • [1297209] High CVE-2022-1860: Use after free in UI Foundations. Reported by @ginggilBesel on 2022-02-15
  • [1316846] High CVE-2022-1861: Use after free in Sharing. Reported by Khalil Zhani on 2022-04-16
  • [1236325] Medium CVE-2022-1862: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2021-08-04
  • [1292870] Medium CVE-2022-1863: Use after free in Tab Groups. Reported by David Erceg on 2022-02-01
  • [1320624] Medium CVE-2022-1864: Use after free in WebApp Installs. Reported by Yuntao You (@GraVity0) of Bytedance Wuheng Lab on 2022-04-28
  • [1289192] Medium CVE-2022-1865: Use after free in Bookmarks. Reported by Rong Jian of VRI on 2022-01-20
  • [1292264] Medium CVE-2022-1866: Use after free in Tablet Mode. Reported by @ginggilBesel on 2022-01-29
  • [1315563] Medium CVE-2022-1867: Insufficient validation of untrusted input in Data Transfer. Reported by Michal Bentkowski of Securitum on 2022-04-12
  • [1301203] Medium CVE-2022-1868: Inappropriate implementation in Extensions API. Reported by Alesandro Ortiz on 2022-02-28
  • [1309467] Medium CVE-2022-1869: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2022-03-23
  • [1323236] Medium CVE-2022-1870: Use after free in App Service. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-06
  • [1308199] Low CVE-2022-1871: Insufficient policy enforcement in File System API. Reported by Thomas Orlita on 2022-03-21
  • [1310461] Low CVE-2022-1872: Insufficient policy enforcement in Extensions API. Reported by ChaobinZhang on 2022-03-26
  • [1305394] Low CVE-2022-1873: Insufficient policy enforcement in COOP. Reported by NDevTK on 2022-03-11
  • [1251588] Low CVE-2022-1874: Insufficient policy enforcement in Safe Browsing. Reported by hjy79425575 on 2021-09-21
  • [1306443] Low CVE-2022-1875: Inappropriate implementation in PDF. Reported by NDevTK on 2022-03-15
  • [1313600] Low CVE-2022-1876: Heap buffer overflow in DevTools. Reported by @ginggilBesel on 2022-04-06
more...
chromium

more detail
2022-05-23VuXML ID 04fecc47-dad2-11ec-8fbd-d4c9ef517024

The MariaDB project reports:

MariaDB fixed 23 vulnerabilities across all supported versions

more...
mariadb103-client
mariadb103-server
mariadb104-client
mariadb104-server
mariadb105-client
mariadb105-server
mariadb106-client
mariadb106-server

more detail
2022-05-23*VuXML ID add683be-bd76-11ec-a06f-d4c9ef517024

Oracle reports:

The 2022 April Critical Patch Update contains 43 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

more...
mysql57-server
mysql80-client
mysql80-server

more detail
2022-05-19VuXML ID b2407db1-d79f-11ec-a15f-589cfc0f81b0

The ClamAV project reports:

Fixed a possible double-free vulnerability in the OLE2 file parser. Issue affects versions 0.104.0 through 0.104.2. Issue identified by OSS-Fuzz.

Fixed a possible infinite loop vulnerability in the CHM file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

Fixed a possible NULL-pointer dereference crash in the scan verdict cache check. Issue affects versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2. Thank you to Alexander Patrakov and Antoine Gatineau for reporting this issue.

Fixed a possible infinite loop vulnerability in the TIFF file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. The issue only occurs if the "--alert-broken-media" ClamScan option is enabled. For ClamD, the affected option is "AlertBrokenMedia yes", and for libclamav it is the "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option. Thank you to Michał Dardas for reporting this issue.

Fixed a possible memory leak in the HTML file parser / Javascript normalizer. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

Fixed a possible multi-byte heap buffer overflow write vulnerability in the signature database load module. The fix was to update the vendored regex library to the latest version. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

more...
clamav
clamav-lts

more detail
2022-05-15VuXML ID a1360138-d446-11ec-8ea1-10c37b4ac2ea

The Go project reports:

When called with a non-zero flags parameter, the syscall.Faccessat function could incorrectly report that a file is accessible. This bug only occurs on Linux systems.

more...
go
go117

more detail
2022-05-13VuXML ID 11e36890-d28c-11ec-a06f-d4c9ef517024

The curl project reports:

CVE-2022-27778: curl removes wrong file on error

CVE-2022-27779: cookie for trailing dot TLD

CVE-2022-27780: percent-encoded path separator in URL host

CVE-2022-27781: CERTINFO never-ending busy-loop

CVE-2022-27782: TLS and SSH connection too eager reuse

CVE-2022-30115: HSTS bypass via trailing dot

more...
curl

more detail
2022-05-11VuXML ID 157ce083-d145-11ec-ab9b-6cc21735f730

The PostgreSQL project reports:

Confine additional operations within "security restricted operation" sandboxes.

Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW, and pg_amcheck activated the "security restricted operation" protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.

more...
postgresql10-server
postgresql11-server
postgresql12-server
postgresql13-server
postgresql14-server

more detail
2022-05-10VuXML ID ac91cf5e-d098-11ec-bead-3065ec8fd3ec

Chrome Releases reports:

This release contains 13 security fixes, including:

  • [1316990] High CVE-2022-1633: Use after free in Sharesheet. Reported by Khalil Zhani on 2022-04-18
  • [1314908] High CVE-2022-1634: Use after free in Browser UI. Reported by Khalil Zhani on 2022-04-09
  • [1319797] High CVE-2022-1635: Use after free in Permission Prompts. Reported by Anonymous on 2022-04-26
  • [1297283] High CVE-2022-1636: Use after free in Performance APIs. Reported by Seth Brenith, Microsoft on 2022-02-15
  • [1311820] High CVE-2022-1637: Inappropriate implementation in Web Contents. Reported by Alesandro Ortiz on 2022-03-31
  • [1316946] High CVE-2022-1638: Heap buffer overflow in V8 Internationalization. Reported by DoHyun Lee (@l33d0hyun) of DNSLab, Korea University on 2022-04-17
  • [1317650] High CVE-2022-1639: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-04-19
  • [1320592] High CVE-2022-1640: Use after free in Sharing. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-28
  • [1305068] Medium CVE-2022-1641: Use after free in Web UI Diagnostics. Reported by Rong Jian of VRI on 2022-03-10
more...
chromium

more detail
2022-05-06VuXML ID b9837fa1-cd72-11ec-98f1-6805ca0b3d42

Rainer Gerhards reports:

Modules for TCP syslog reception have a heap buffer overflow when octet-counted framing is used. The attacker can corrupt heap values, leading to data integrity issues and availability impact. Remote code execution is unlikely to happen but not impossible..

more...
rsyslog

more detail
2022-05-05VuXML ID 647ac600-cc70-11ec-9cfc-10c37b4ac2ea

The gogs project reports:

Repository issues page allows HTML attachments with arbitrary JS code.

more...
gogs

more detail
2022-05-05VuXML ID 95ee401d-cc6a-11ec-9cfc-10c37b4ac2ea

The Gitea team reports:

Escape git fetch remote in services/migrations/gitea_uploader.go

more...
gitea

more detail
2022-05-05*VuXML ID fceb2b08-cb76-11ec-a06f-d4c9ef517024

The OpenSSL project reports:

  • The c_rehash script allows command injection (CVE-2022-1292) (Moderate)

    The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.
  • OCSP_basic_verify may incorrectly verify the response signing certificate (CVE-2022-1343) (Moderate)

    The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify.
  • Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434) (Low)

    The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable.
  • Resource leakage when decoding certificates and keys (CVE-2022-1473) (Low)

    The OPENSSL_LH_flush() function, which empties a hash table, containsa bug that breaks reuse of the memory occuppied by the removed hash table entries.
more...
openssl
openssl-devel
openssl-quictls

more detail
2022-05-03VuXML ID a8118db0-cac2-11ec-9288-0800270512f4

Simon Scannell reports:

The code vulnerability can be easily exploited by an attacker by sending a malicious email to a victim that uses RainLoop as a mail client. When the email is viewed by the victim, the attacker gains full control over the session of the victim and can steal any of their emails, including those that contain highly sensitive information such as passwords, documents, and password reset links.

more...
rainloop-community-php74
rainloop-community-php80
rainloop-community-php81
rainloop-php74
rainloop-php80
rainloop-php81

more detail
2022-05-02VuXML ID 61bce714-ca0c-11ec-9cfc-10c37b4ac2ea

The Go project reports:

encoding/pem: fix stack overflow in Decode.

A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash.

crypto/elliptic: tolerate all oversized scalars in generic P-256.

A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.

crypto/x509: non-compliant certificates can cause a panic in Verify on macOS in Go 1.18.

Verifying certificate chains containing certificates which are not compliant with RFC 5280 causes Certificate.Verify to panic on macOS. These chains can be delivered through TLS and can cause a crypto/tls or net/http client to crash.

more...
go
go117

more detail
2022-04-30VuXML ID 9db93f3d-c725-11ec-9618-000d3ac47524

Ruby on Rails blog:

This is an announcement to let you know that Rails 7.0.2.4, 6.1.5.1, 6.0.4.8, and 5.2.7.1 have been released!

These are security releases so please update as soon as you can. Once again we've made these releases based on the last release tag, so hopefully upgrading will go smoothly.

The releases address two vulnerabilities, CVE-2022-22577, and CVS-2022-27777. They are both XSS vulnerabilities, so please take a look at the forum posts to see how (or if) they might possibly impact your application.

more...
rubygem-actionpack52
rubygem-actionpack60
rubygem-actionpack61
rubygem-actionpack70
rubygem-actionview52
rubygem-actionview60
rubygem-actionview61
rubygem-actionview70

more detail
2022-04-29VuXML ID 2220827b-c732-11ec-b272-901b0e934d69

hiredis maintainers report:

Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted RESP mult-bulk protocol data. When parsing multi-bulk (array-like) replies, hiredis fails to check if count * sizeof(redisReply*) can be represented in SIZE_MAX. If it can not, and the calloc() call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow.

more...
hiredis

more detail
2022-04-28VuXML ID 26f2123b-c6c6-11ec-b66f-3065ec8fd3ec

Chrome Releases reports:

This release contains 30 security fixes, including:

  • [1313905] High CVE-2022-1477: Use after free in Vulkan. Reported by SeongHwan Park (SeHwa) on 2022-04-06
  • [1299261] High CVE-2022-1478: Use after free in SwiftShader. Reported by SeongHwan Park (SeHwa) on 2022-02-20
  • [1305190] High CVE-2022-1479: Use after free in ANGLE. Reported by Jeonghoon Shin of Theori on 2022-03-10
  • [1307223] High CVE-2022-1480: Use after free in Device API. Reported by @uwu7586 on 2022-03-17
  • [1302949] High CVE-2022-1481: Use after free in Sharing. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-03-04
  • [1304987] High CVE-2022-1482: Inappropriate implementation in WebGL. Reported by Christoph Diehl, Microsoft on 2022-03-10
  • [1314754] High CVE-2022-1483: Heap buffer overflow in WebGPU. Reported by Mark Brand of Google Project Zero on 2022-04-08
  • [1297429] Medium CVE-2022-1484: Heap buffer overflow in Web UI Settings. Reported by Chaoyuan Peng (@ret2happy) on 2022-02-15
  • [1299743] Medium CVE-2022-1485: Use after free in File System API. Reported by Anonymous on 2022-02-22
  • [1314616] Medium CVE-2022-1486: Type Confusion in V8. Reported by Brendon Tiszka on 2022-04-08
  • [1304368] Medium CVE-2022-1487: Use after free in Ozone. Reported by Sri on 2022-03-09
  • [1302959] Medium CVE-2022-1488: Inappropriate implementation in Extensions API. Reported by Thomas Beverley from Wavebox.io on 2022-03-04
  • [1300561] Medium CVE-2022-1489: Out of bounds memory access in UI Shelf. Reported by Khalil Zhani on 2022-02-25
  • [1301840] Medium CVE-2022-1490: Use after free in Browser Switcher. Reported by raven at KunLun lab on 2022-03-01
  • [1305706] Medium CVE-2022-1491: Use after free in Bookmarks. Reported by raven at KunLun lab on 2022-03-12
  • [1315040] Medium CVE-2022-1492: Insufficient data validation in Blink Editing. Reported by Michal Bentkowski of Securitum on 2022-04-11
  • [1275414] Medium CVE-2022-1493: Use after free in Dev Tools. Reported by Zhihua Yao of KunLun Lab on 2021-12-01
  • [1298122] Medium CVE-2022-1494: Insufficient data validation in Trusted Types. Reported by Masato Kinugawa on 2022-02-17
  • [1301180] Medium CVE-2022-1495: Incorrect security UI in Downloads. Reported by Umar Farooq on 2022-02-28
  • [1306391] Medium CVE-2022-1496: Use after free in File Manager. Reported by Zhiyi Zhang and Zhunki from Codesafe Team of Legendsec at Qi'anxin Group on 2022-03-15
  • [1264543] Medium CVE-2022-1497: Inappropriate implementation in Input. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-10-29
  • [1297138] Low CVE-2022-1498: Inappropriate implementation in HTML Parser. Reported by SeungJu Oh (@real_as3617) on 2022-02-14
  • [1000408] Low CVE-2022-1499: Inappropriate implementation in WebAuthentication. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-09-04
  • [1223475] Low CVE-2022-1500: Insufficient data validation in Dev Tools. Reported by Hoang Nguyen on 2021-06-25
  • [1293191] Low CVE-2022-1501: Inappropriate implementation in iframe. Reported by Oriol Brufau on 2022-02-02
more...
chromium

more detail
2022-04-28VuXML ID 92a4d881-c6cf-11ec-a06f-d4c9ef517024

The cURL project reports:

  • OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
  • Credential leak on redirect (CVE-2022-27774)
  • Bad local IPv6 connection reuse (CVE-2022-27775)
  • Auth/cookie leak on redirect (CVE-2022-27776)
more...
curl

more detail
2022-04-27VuXML ID cc42db1c-c65f-11ec-ad96-0800270512f4

Aviv Yahav reports:

CVE-2022-24735
By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user.
CVE-2022-24736
An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process.
more...
redis
redis-devel
redis62

more detail
2022-04-26VuXML ID 17a30a24-c579-11ec-bbbd-0800270512f4

Kazuhiro Ito reports:

Potential buffer overrun vulnerability is found in eb/multiplex.c.

more...
ja-eb

more detail
2022-04-21VuXML ID a00c76d9-0c05-4d99-bef7-ae4521cb2a4d

Tim Wojtulewicz of Corelight reports:

Fix potential unbounded state growth in the FTP analyzer when receiving a specially-crafted stream of commands. This may lead to a buffer overflow and cause Zeek to crash. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerabilty.

more...
zeek

more detail
2022-04-19VuXML ID b019585a-bfea-11ec-b46c-b42e991fc52e

RedHat reports:

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

more...
gzip

more detail
2022-04-17VuXML ID 2a314635-be46-11ec-a06f-d4c9ef517024

reports:

SMTP Command Injection in Appointment Emails via Newlines: as newlines and special characters are not sanitized in the email value in the JSON request, a malicious attacker can inject newlines to break out of the `RCPT TO:` SMTP command and begin injecting arbitrary SMTP commands.

more...
nextcloud-calendar

more detail
2022-04-15VuXML ID a25ea27b-bced-11ec-87b5-3065ec8fd3ec

Chrome Releases reports:

This release contains 2 security fixes, including:

  • [1315901] High CVE-2022-1364: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2022-0-13
more...
chromium

more detail
2022-04-14VuXML ID 8838abf0-bc47-11ec-b516-0897988a1c07

The Asterisk project reports:

AST-2022-001 - When using STIR/SHAKEN, its possible to download files that are not certificates. These files could be much larger than what you would expect to download.

AST-2022-002 - When using STIR/SHAKEN, its possible to send arbitrary requests like GET to interfaces such as localhost using the Identity header.

more...
asterisk16
asterisk18

more detail
2022-04-14VuXML ID a5de43ed-bc49-11ec-b516-0897988a1c07

The Asterisk project reports:

Some databases can use backslashes to escape certain characters, such as backticks. If input is provided to func_odbc which includes backslashes it is possible for func_odbc to construct a broken SQL query and the SQL query to fail.

more...
asterisk16
asterisk18

more detail
2022-04-13VuXML ID 06ed6a49-bad4-11ec-9cfe-0800270512f4

piao reports:

Due to a bug in an internal function that converts a String to a Float, some convertion methods like Kernel#Float and String#to_f could cause buffer over-read. A typical consequence is a process termination due to segmentation fault, but in a limited circumstances, it may be exploitable for illegal memory read.

more...
ruby
ruby27
ruby30
ruby31
ruby32

more detail
2022-04-13VuXML ID 24a9bd2b-bb43-11ec-af81-0897988a1c07

Composer developers reports:

The Composer method VcsDriver::getFileContent() with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used.

more...
php74-composer
php74-composer2
php80-composer
php80-composer2
php81-composer
php81-composer2

more detail
2022-04-13VuXML ID 3a1dc8c8-bb27-11ec-98d1-d43d7eed0ce2

Subversion project reports:

Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.

While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed.

more...
mod_dav_svn
mod_dav_svn-lts
subversion
subversion-lts

more detail
2022-04-13VuXML ID f22144d7-bad1-11ec-9cfe-0800270512f4

piao reports:

Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a "double free" vulnerability. Note that, in general, it is considered unsafe to create and use a Regexp object generated from untrusted input. In this case, however, following a comprehensive assessment, we treat this issue as a vulnerability.

more...
ruby
ruby30
ruby31
ruby32

more detail
2022-04-12VuXML ID 0db46f84-b9fa-11ec-89df-080027240888

Django Release reports:

CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra().

CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL.

more...
py310-django22
py310-django32
py310-django40
py37-django22
py37-django32
py38-django22
py38-django32
py38-django40
py39-django22
py39-django32
py39-django40

more detail
2022-04-12VuXML ID 6eb9cf14-bab0-11ec-8f59-4437e6ad11c4

Tavis Ormandy reports:

mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in message parts, for example fragments of other messages, passphrases or keys in replys

more...
mutt

more detail
2022-04-12VuXML ID b582a85a-ba4a-11ec-8d1e-3065ec8fd3ec

Chrome Releases reports:

This release contains 11 security fixes, including:

  • [1285234] High CVE-2022-1305: Use after free in storage. Reported by Anonymous on 2022-01-07
  • [1299287] High CVE-2022-1306: Inappropriate implementation in compositing. Reported by Sven Dysthe on 2022-02-21
  • [1301873] High CVE-2022-1307: Inappropriate implementation in full screen. Reported by Irvan Kurniawan (sourc7) on 2022-03-01
  • [1283050] High CVE-2022-1308: Use after free in BFCache. Reported by Samet Bekmezci (@sametbekmezci) on 2021-12-28
  • [1106456] High CVE-2022-1309: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-07-17
  • [1307610] High CVE-2022-1310: Use after free in regular expressions. Reported by Brendon Tiszka on 2022-03-18
  • [1310717] High CVE-2022-1311: Use after free in Chrome OS shell. Reported by Nan Wang (@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-03-28
  • [1311701] High CVE-2022-1312: Use after free in storage. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2022-03-30
  • [1270539] Medium CVE-2022-1313: Use after free in tab groups. Reported by Thomas Orlita on 2021-11-16
  • [1304658] Medium CVE-2022-1314: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2022-03-09
more...
chromium

more detail
2022-04-07VuXML ID 27d39055-b61b-11ec-9ebc-1c697aa5a594

Problem Description:

The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. [CVE-2022-23084]

A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. [CVE-2022-23085]

Impact:

On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.

more...
FreeBSD-kernel

more detail
2022-04-07VuXML ID 38f2e3a0-b61e-11ec-9ebc-1c697aa5a594

Problem Description:

Certain inputs can cause zlib's compression routine to overwrite an internal buffer with compressed data. This issue may require the use of uncommon or non-default compression parameters.

Impact:

The out-of-bounds write may result in memory corruption and an application crash or kernel panic.

more...
FreeBSD

more detail
2022-04-07VuXML ID 703c4761-b61d-11ec-9ebc-1c697aa5a594

Problem Description:

Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Other heap content would be overwritten if the specified size was too small.

Impact:

Users with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation. Note that the device node is only accessible to root and members of the operator group.

more...
FreeBSD-kernel

more detail
2022-04-07VuXML ID ba796b98-b61c-11ec-9ebc-1c697aa5a594

Problem Description:

The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets.

When checksum offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to specify the checksum offset in the on-stack buffer. The offset was not validated for certain packet types.

Impact:

A misbehaving bhyve guest could overwrite memory in the bhyve process on the host, possibly leading to code execution in the host context.

The bhyve process runs in a Capsicum sandbox, which (depending on the FreeBSD version and bhyve configuration) limits the impact of exploiting this issue.

more...
FreeBSD-kernel

more detail
2022-04-07VuXML ID d4cc994f-b61d-11ec-9ebc-1c697aa5a594

Problem Description:

The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer.

Impact:

While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution.

more...
FreeBSD-kernel

more detail
2022-04-05VuXML ID fe15f30a-b4c9-11ec-94a3-3065ec8fd3ec

Chrome Releases reports:

This release includes one security fix:

  • [1311641] High CVE-2022-1232: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2022-03-30
more...
chromium

more detail
2022-04-04VuXML ID 79ea6066-b40e-11ec-8b93-080027b24e86

Mediawiki reports:

(T297543, CVE-2022-28202) Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.

(T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki.

(T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file uploads with actor as a condition can result in a DoS.

(T297754, CVE-2022-28204) Special:WhatLinksHere can result in a DoS when a page is used on a extremely large number of other pages.

more...
mediawiki135
mediawiki136
mediawiki137

more detail
2022-04-04VuXML ID 8657eedd-b423-11ec-9559-001b217b3468

Gitlab reports:

Static passwords inadvertently set during OmniAuth-based registration

Stored XSS in notes

Stored XSS on Multi-word milestone reference

Denial of service caused by a specially crafted RDoc file

GitLab Pages access tokens can be reused on multiple domains

GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout

Incorrect include in pipeline definition exposes masked CI variables in UI

Regular expression denial of service in release asset link

Latest Commit details from private projects leaked to guest users via Merge Requests

CI/CD analytics are available even when public pipelines are disabled

Absence of limit for the number of tags that can be added to a runner can cause performance issues

Client DoS through rendering crafted comments

Blind SSRF Through Repository Mirroring

Bypass of branch restriction in Asana integration

Readable approval rules by Guest user

Redact InvalidURIError error messages

Project import maps members' created_by_id users based on source user ID

more...
gitlab-ce

more detail
2022-04-03VuXML ID 3f321a5a-b33b-11ec-80c2-1bb2c6a00592

Petr Menšík reports:

Possible vulnerability [...] found in latest dnsmasq. It [was] found with help of oss-fuzz Google project by me and short after that independently also by Richard Johnson of Trellix Threat Labs.

It is affected only by DHCPv6 requests, which could be crafted to modify already freed memory. [...] We think it might be triggered remotely, but we do not think it could be used to execute remote code.

more...
dnsmasq
dnsmasq-devel

more detail
2022-03-29VuXML ID 0ff80f41-aefe-11ec-b4b6-d05099c0c059

Youssef Rebahi-Gilbert reports:

When Gitea is built and configured for PAM authentication it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login.

more...
gitea

more detail
2022-03-29VuXML ID 83466f76-aefe-11ec-b4b6-d05099c0c059

Andrew Thornton reports:

When a location containing backslashes is presented, the existing protections against open redirect are bypassed, because browsers will convert adjacent forward and backslashes within the location to double forward slashes.

more...
gitea

more detail
2022-03-29VuXML ID ab2d7f62-af9d-11ec-a0b8-3065ec8fd3ec

Chrome Releases reports:

This release contains 28 security fixes, including:

  • [1292261] High CVE-2022-1125: Use after free in Portals. Reported by Khalil Zhani on 2022-01-29
  • [1291891] High CVE-2022-1127: Use after free in QR Code Generator. Reported by anonymous on 2022-01-28
  • [1301920] High CVE-2022-1128: Inappropriate implementation in Web Share API. Reported by Abdel Adim (@smaury92) Oisfi of Shielder on 2022-03-01
  • [1300253] High CVE-2022-1129: Inappropriate implementation in Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on 2022-02-24
  • [1142269] High CVE-2022-1130: Insufficient validation of untrusted input in WebOTP. Reported by Sergey Toshin of Oversecurity Inc. on 2020-10-25
  • [1297404] High CVE-2022-1131: Use after free in Cast UI. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2022-02-15
  • [1303410] High CVE-2022-1132: Inappropriate implementation in Virtual Keyboard. Reported by Andr.Ess on 2022-03-07
  • [1305776] High CVE-2022-1133: Use after free in WebRTC. Reported by Anonymous on 2022-03-13
  • [1308360] High CVE-2022-1134: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2022-03-21
  • [1285601] Medium CVE-2022-1135: Use after free in Shopping Cart. Reported by Wei Yuan of MoyunSec VLab on 2022-01-09
  • [1280205] Medium CVE-2022-1136: Use after free in Tab Strip. Reported by Krace on 2021-12-15
  • [1289846] Medium CVE-2022-1137: Inappropriate implementation in Extensions. Reported by Thomas Orlita on 2022-01-22
  • [1246188] Medium CVE-2022-1138: Inappropriate implementation in Web Cursor. Reported by Alesandro Ortiz on 2021-09-03
  • [1268541] Medium CVE-2022-1139: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-11-10
  • [1303253] Medium CVE-2022-1141: Use after free in File Manager. Reported by raven at KunLun lab on 2022-03-05
  • [1303613] Medium CVE-2022-1142: Heap buffer overflow in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-03-07
  • [1303615] Medium CVE-2022-1143: Heap buffer overflow in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-03-07
  • [1304145] Medium CVE-2022-1144: Use after free in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-03-08
  • [1304545] Medium CVE-2022-1145: Use after free in Extensions. Reported by Yakun Zhang of Baidu Security on 2022-03-09
  • [1290150] Low CVE-2022-1146: Inappropriate implementation in Resource Timing. Reported by Sohom Datta on 2022-01-23
more...
chromium

more detail
2022-03-27VuXML ID 2cda5c88-add4-11ec-9bc8-6805ca2fa271

PowerDNS Team reports:

PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor.

more...
powerdns

more detail
2022-03-27VuXML ID cb84b940-add5-11ec-9bc8-6805ca2fa271

PowerDNS Team reports:

PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor.

more...
powerdns-recursor

more detail
2022-03-25VuXML ID 323f900d-ac6d-11ec-a0b8-3065ec8fd3ec

Chrome Releases reports:

This release contains 1 security fix:

  • [1309225] High CVE-2022-1096: Type Confusion in V8. Reported by anonymous on 2022-03-23

Google is aware that an exploit for CVE-2022-1096 exists in the wild.

more...
chromium

more detail
2022-03-25VuXML ID 955f377e-7bc3-11ec-a51c-7533f219d428

Debian Security Advisory reports:

A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed.

more...
p5-Image-ExifTool

more detail
2022-03-22VuXML ID 61f416ff-aa00-11ec-b439-000d3a450398

The Tcpdump Group reports:

heap-based use-after-free in extract_slice()

more...
tcpslice

more detail
2022-03-19VuXML ID e2af876f-a7c8-11ec-9a2a-002324b2fba8

The Go project reports:

regexp: stack exhaustion compiling deeply nested expressions

On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB.

more...
go

more detail
2022-03-17VuXML ID 45a72180-a640-11ec-a08b-85298243e224

David Sommerseth reports:

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. This issue is resolved in OpenVPN 2.4.12 and v2.5.6.

more...
openvpn
openvpn-mbedtls

more detail
2022-03-16VuXML ID 3ba1ca94-a563-11ec-8be6-d4c9ef517024

The Weechat project reports:

After changing the options weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user, the TLS verification function is lost. Consequently, any connection to a server with TLS is made without verifying the certificate, which could lead to a man-in-the-middle attack. Connection to IRC servers with TLS is affected, as well as any connection a server made by a plugin or a script using the function hook_connect.

more...
weechat

more detail
2022-03-16VuXML ID 5df757ef-a564-11ec-85fa-a0369f7f7be0

wordpress developers reports:

This security and maintenance release features 1 bug fix in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated. The security team would like to thank the following people for responsively reporting vulnerabilities, allowing them to be fixed in this release: -Melar Dev, for finding a Prototype Pollution Vulnerability in a jQuery dependency -Ben Bidner of the WordPress security team, for finding a Stored Cross Site Scripting Vulnerability -Researchers from Johns Hopkins University, for finding a Prototype Pollution Vulnerability in the block editor

more...
de-wordpress
fr-wordpress
ja-wordpress
ru-wordpress
th_TW-wordpress
wordpress
zh_CN-wordpress

more detail
2022-03-16VuXML ID 8d20bd48-a4f3-11ec-90de-1c697aa5a594

Problem Description:

The paper "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation" reported a number of security vulnerabilities in the 802.11 specification related to frame aggregation and fragmentation.

Additionally, FreeBSD 12.x missed length validation of SSIDs and Information Elements (IEs).

Impact:

As reported on the FragAttacks website, the "design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings." Under suitable conditions an attacker may be able to extract sensitive data or inject data.

more...
FreeBSD-kernel

more detail
2022-03-16*VuXML ID ea05c456-a4fd-11ec-90de-1c697aa5a594

The OpenSSL project reports:

Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.

Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.

It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.

Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.

Thus vulnerable situations include:

  • TLS clients consuming server certificates
  • TLS servers consuming client certificates
  • Hosting providers taking certificates or private keys from customers
  • Certificate authorities parsing certification requests from subscribers
  • Anything else which parses ASN.1 elliptic curve parameters

Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue.

more...
FreeBSD
libressl
libressl-devel
openssl
openssl-devel
openssl-quictls

more detail
2022-03-15VuXML ID 6601c08d-a46c-11ec-8be6-d4c9ef517024

The Apache httpd project reports:

  • mod_lua: Use of uninitialized value of in r:parsebody (moderate) (CVE-2022-22719)

    A carefully crafted request body can cause a read to a random memory area which could cause the process to crash.

  • HTTP request smuggling vulnerability (important) (CVE-2022-22720)

    httpd fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling

  • core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (low) (CVE-2022-22721)

    If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes.

  • mod_sed: Read/write beyond bounds (important) (CVE-2022-23924)

    Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data.

more...
apache24

more detail
2022-03-15VuXML ID 857be71a-a4b0-11ec-95fc-3065ec8fd3ec

Chrome Releases reports:

This release contains 11 security fixes, including:

  • [1299422] Critical CVE-2022-0971: Use after free in Blink Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-02-21
  • [1301320] High CVE-2022-0972: Use after free in Extensions. Reported by Sergei Glazunov of Google Project Zero on 2022-02-28
  • [1297498] High CVE-2022-0973: Use after free in Safe Browsing. Reported by avaue and Buff3tts at S.S.L. on 2022-02-15
  • [1291986] High CVE-2022-0974: Use after free in Splitscreen. Reported by @ginggilBesel on 2022-01-28
  • [1295411] High CVE-2022-0975: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-02-09
  • [1296866] High CVE-2022-0976: Heap buffer overflow in GPU. Reported by Omair on 2022-02-13
  • [1299225] High CVE-2022-0977: Use after free in Browser UI. Reported by Khalil Zhani on 2022-02-20
  • [1299264] High CVE-2022-0978: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-02-20
  • [1302644] High CVE-2022-0979: Use after free in Safe Browsing. Reported by anonymous on 2022-03-03
  • [1302157] Medium CVE-2022-0980: Use after free in New Tab Page. Reported by Krace on 2022-03-02
more...
chromium

more detail
2022-03-10VuXML ID 5aaf534c-a069-11ec-acdc-14dae9d5a9d2

NVD reports:

Teeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. A map parser does not validate m_Channels value coming from a map file, leading to a buffer overflow. A malicious server may offer a specially crafted map that will overwrite client's stack causing denial of service or code execution.

more...
teeworlds

more detail
2022-03-09VuXML ID 2823048d-9f8f-11ec-8c9c-001b217b3468

Gitlab reports:

Runner registration token disclosure through Quick Actions

Unprivileged users can add other users to groups through an API endpoint

Inaccurate display of Snippet contents can be potentially misleading to users

Environment variables can be leaked via the sendmail delivery method

Unauthenticated user enumeration on GraphQL API

Adding a mirror with SSH credentials can leak password

Denial of Service via user comments

more...
gitlab-ce

more detail
2022-03-05VuXML ID 964c5460-9c66-11ec-ad3a-001999f8d30b

The Asterisk project reports:

AST-2022-004 - The header length on incoming STUN messages that contain an ERROR-CODE attribute is not properly checked. This can result in an integer underflow. Note, this requires ICE or WebRTC support to be in use with a malicious remote party.

AST-2022-005 - When acting as a UAC, and when placing an outgoing call to a target that then forks Asterisk may experience undefined behavior (crashes, hangs, etc) after a dialog set is prematurely freed.

AST-2022-006 - If an incoming SIP message contains a malformed multi-part body an out of bounds read access may occur, which can result in undefined behavior. Note, its currently uncertain if there is any externally exploitable vector within Asterisk for this issue, but providing this as a security issue out of caution.

more...
asterisk16
asterisk18

more detail
2022-03-02VuXML ID e0914087-9a09-11ec-9e61-3065ec8fd3ec

Chrome Releases reports:

This release contains 28 security fixes, including:

  • [1289383] High CVE-2022-0789: Heap buffer overflow in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-01-21
  • [1274077] High CVE-2022-0790: Use after free in Cast UI. Reported by Anonymous on 2021-11-26
  • [1278322] High CVE-2022-0791: Use after free in Omnibox. Reported by Zhihua Yao of KunLun Lab on 2021-12-09
  • [1285885] High CVE-2022-0792: Out of bounds read in ANGLE. Reported by Jaehun Jeong (@n3sk) of Theori on 2022-01-11
  • [1291728] High CVE-2022-0793: Use after free in Views. Reported by Thomas Orlita on 2022-01-28
  • [1294097] High CVE-2022-0794: Use after free in WebShare. Reported by Khalil Zhani on 2022-02-04
  • [1282782] High CVE-2022-0795: Type Confusion in Blink Layout. Reported by 0x74960 on 2021-12-27
  • [1295786] High CVE-2022-0796: Use after free in Media. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-02-10
  • [1281908] High CVE-2022-0797: Out of bounds memory access in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-12-21
  • [1283402] Medium CVE-2022-0798: Use after free in MediaStream. Reported by Samet Bekmezci @sametbekmezci on 2021-12-30
  • [1279188] Medium CVE-2022-0799: Insufficient policy enforcement in Installer. Reported by Abdelhamid Naceri (halov) on 2021-12-12
  • [1242962] Medium CVE-2022-0800: Heap buffer overflow in Cast UI. Reported by Khalil Zhani on 2021-08-24
  • [1231037] Medium CVE-2022-0801: Inappropriate implementation in HTML parser. Reported by Michal Bentkowski of Securitum on 2021-07-20
  • [1270052] Medium CVE-2022-0802: Inappropriate implementation in Full screen mode. Reported by Irvan Kurniawan (sourc7) on 2021-11-14
  • [1280233] Medium CVE-2022-0803: Inappropriate implementation in Permissions. Reported by Abdulla Aldoseri on 2021-12-15
  • [1264561] Medium CVE-2022-0804: Inappropriate implementation in Full screen mode. Reported by Irvan Kurniawan (sourc7) on 2021-10-29
  • [1290700] Medium CVE-2022-0805: Use after free in Browser Switcher. Reported by raven at KunLun Lab on 2022-01-25
  • [1283434] Medium CVE-2022-0806: Data leak in Canvas. Reported by Paril on 2021-12-31
  • [1287364] Medium CVE-2022-0807: Inappropriate implementation in Autofill. Reported by Alesandro Ortiz on 2022-01-14
  • [1292271] Medium CVE-2022-0808: Use after free in Chrome OS Shell. Reported by @ginggilBesel on 2022-01-29
  • [1293428] Medium CVE-2022-0809: Out of bounds memory access in WebXR. Reported by @uwu7586 on 2022-02-03
more...
chromium

more detail
2022-02-28VuXML ID a80c6273-988c-11ec-83ac-080027415d17

Cyrus SASL 2.1.x Release Notes New in 2.1.28 reports:

Fix off by one error

more...
cyrus-sasl

more detail
2022-02-27VuXML ID 0eab001a-9708-11ec-96c9-589cfc0f81b0

The TYPO3 project reports:

The SVG sanitizer library enshrined/svg-sanitize before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML (fetched as text/html) was susceptible to cross-site scripting. Plain SVG files (fetched as image/svg+xml) were not affected.

more...
typo3-10-php74
typo3-11-php74
typo3-11-php80
typo3-11-php81

more detail
2022-02-24VuXML ID 5e1440c6-95af-11ec-b320-f8b156b6dcc8

The FLAC 1.3.4 release reports:

Fix 12 decoder bugs found by oss-fuzz.

Fix encoder bug CVE-2021-0561.

more...
flac

more detail
2022-02-24VuXML ID 7695b0af-958f-11ec-9aa3-4ccc6adda413

Crypto++ 8.6 release notes reports:

The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

more...
cryptopp

more detail
2022-02-23VuXML ID 022dde12-8f4a-11ec-83ac-080027415d17

Cyrus SASL 2.1.x Release Notes New in 2.1.28 reports:

Escape password for SQL insert/update commands.

more...
cyrus-sasl-sql

more detail
2022-02-22*VuXML ID 1cd565da-455e-41b7-a5b9-86ad8e81e33e

Kenny Levinsen reports:

seatd-launch could use a user-specified socket path instead of the internally generated socket path, and would unlink the socket path before use to guard against collision with leftover sockets. This meant that a caller could freely control what file path would be unlinked and replaced with a user-owned seatd socket for the duration of the session.

If seatd-launch had the SUID bit set, this could be used by a malicious user to remove files with the privileges of the owner of seatd-launch, which is likely root, and replace it with a user-owned domain socket.

This does not directly allow retrieving the contents of existing files, and the user-owned socket file is at the current time not believed to be directly useful for further exploitation.

more...
seatd

more detail
2022-02-22VuXML ID 85d976be-93e3-11ec-aaad-14dae9d5a9d2

NVD reports:

python-tuf is a Python reference implementation of The Update Framework (TUF). In both clients (`tuf/client` and `tuf/ngclient`), there is a path traversal vulnerability that in the worst case can overwrite files ending in `.json` anywhere on the client system on a call to `get_one_valid_targetinfo()`. It occurs because the rolename is used to form the filename, and may contain path traversal characters (ie `../../name.json`). The impact is mitigated by a few facts: It only affects implementations that allow arbitrary rolename selection for delegated targets metadata, The attack requires the ability to A) insert new metadata for the path-traversing role and B) get the role delegated by an existing targets metadata, The written file content is heavily restricted since it needs to be a valid, signed targets file. The file extension is always .json. A fix is available in version 0.19 or newer. There are no workarounds that do not require code changes. Clients can restrict the allowed character set for rolenames, or they can store metadata in files named in a way that is not vulnerable: neither of these approaches is possible without modifying python-tuf.

more...
py310-tuf
py311-tuf
py37-tuf
py38-tuf
py39-tuf

more detail
2022-02-21VuXML ID 43ae57f6-92ab-11ec-81b4-2cf05d620ecc

The Qt Company reports:

Recently, the Qt Project's security team was made aware of an issue regarding QProcess and determined it to be a security issue on Unix-based platforms only. We do not believe this to be a considerable risk for applications as the likelihood of it being triggered is minimal.

Specifically, the problem is around using QProcess to start an application without having an absolute path, and as a result, it depends on it finding it in the PATH environment variable. As a result, it may be possible for an attacker to place their copy of the executable in question inside the working/current directory for the QProcess and have it invoked that instead.

more...
qt5-core

more detail
2022-02-20VuXML ID 4d763c65-9246-11ec-9aa3-4ccc6adda413

Zhengjie Du reports:

There are some heap-buffer-overflows in mysofa2json of libmysofa. They are in function loudness, mysofa_check and readOHDRHeaderMessageDataLayout.

more...
libmysofa

more detail
2022-02-18VuXML ID 096ab080-907c-11ec-bb14-002324b2fba8

The Go project reports:

crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates

Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values.

math/big: prevent large memory consumption in Rat.SetString

An attacker can cause unbounded memory growth in a program using (*Rat).SetString due to an unhandled overflow.

cmd/go: prevent branches from materializing into versions

A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev") can be considered a valid version by the go command. Materializing versions from branches might be unexpected and bypass ACLs that limit the creation of tags but not branches.

more...
go

more detail
2022-02-18VuXML ID 27bf9378-8ffd-11ec-8be6-d4c9ef517024

MariaDB reports:

MariaDB reports 5 vulnerabilities in supported versions resulting from fuzzing tests

more...
mariadb103-client
mariadb103-server
mariadb104-client
mariadb104-server
mariadb105-client
mariadb105-server

more detail
2022-02-17*VuXML ID ff5606f7-8a45-11ec-8be6-d4c9ef517024

MariaDB reports:

MariaDB reports 5 vulnerabilities in supported versions without further detailed information.

more...
mariadb103-client
mariadb103-server
mariadb104-client
mariadb104-server
mariadb105-client
mariadb105-server

more detail
2022-02-15VuXML ID e12432af-8e73-11ec-8bc4-3065ec8fd3ec

Chrome Releases reports:

This release contains 11 security fixes, including:

  • [1290008] High CVE-2022-0603: Use after free in File Manager. Reported by Chaoyuan Peng (@ret2happy) on 2022-01-22
  • [1273397] High CVE-2022-0604: Heap buffer overflow in Tab Groups. Reported by Krace on 2021-11-24
  • [1286940] High CVE-2022-0605: Use after free in Webstore API. Reported by Thomas Orlita on 2022-01-13
  • [1288020] High CVE-2022-0606: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-01-17
  • [1250655] High CVE-2022-0607: Use after free in GPU. Reported by 0x74960 on 2021-09-17
  • [1270333] High CVE-2022-0608: Integer overflow in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-11-16
  • [1296150] High CVE-2022-0609: Use after free in Animation. Reported by Adam Weidemann and Clément Lecigne of Google' Threat Analysis Group on 2022-02-10
  • [1285449] Medium CVE-2022-0610: Inappropriate implementation in Gamepad API. Reported by Anonymous on 2022-01-08
more...
chromium

more detail
2022-02-15*VuXML ID fc2a9541-8893-11ec-9d01-80ee73419af3

xrdp project reports:

An integer underflow leading to a heap overflow in the sesman server allows any unauthenticated attacker which is accessible to a sesman server (listens by default on localhost when installing xrdp, but can be remote if configured otherwise) to execute code as root.

more...
xrdp
xrdp-devel

more detail
2022-02-13VuXML ID 24049967-88ec-11ec-88f5-901b0e934d69

Twisted developers report:

Cookie and Authorization headers are leaked when following cross-origin redirects in twited.web.client.RedirectAgent and twisted.web.client.BrowserLikeRedirectAgent.

more...
py310-twisted
py37-twisted
py38-twisted
py39-twisted

more detail
2022-02-12VuXML ID 972ba0e8-8b8a-11ec-b369-6c3be5272acd

Node.js reports:

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)

Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.

Prototype pollution via console.table properties (Low)(CVE-2022-21824)

Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.

more...
node
node14
node16

more detail
2022-02-12VuXML ID cecbc674-8b83-11ec-b369-6c3be5272acd

Grafana Labs reports:

On Jan. 16, an external security researcher, Jasu Viding contacted Grafana to disclose an XSS vulnerability in the way that Grafana handles data sources. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).

more...
grafana6
grafana7
grafana8

more detail
2022-02-12VuXML ID d4284c2e-8b83-11ec-b369-6c3be5272acd

Grafana Labs reports:

On Jan. 18, security researchers @jub0bs and @abrahack contacted Grafana to disclose a CSRF vulnerability which allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).

more...
grafana6
grafana7
grafana8

more detail
2022-02-12VuXML ID d71d154a-8b83-11ec-b369-6c3be5272acd

Grafana Labs reports:

On Jan. 18, an external security researcher, Kürşad ALSAN from NSPECT.IO (@nspectio on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. This vulnerability only impacts the following API endpoints:

  • /teams/:teamId - an authenticated attacker can view unintended data by querying for the specific team ID.
  • /teams/:search - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.
  • /teams/:teamId/members - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.

We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

more...
grafana6
grafana7
grafana8

more detail
2022-02-12VuXML ID d923fb0c-8c2f-11ec-aa85-0800270512f4

Marc Cornellà reports:

Some prompt expansion sequences, such as %F, support 'arguments' which are themselves expanded in case they contain colour values, etc. This additional expansion would trigger PROMPT_SUBST evaluation, if enabled. This could be abused to execute code the user didn't expect. e.g., given a certain prompt configuration, an attacker could trick a user into executing arbitrary code by having them check out a Git branch with a specially crafted name.

more...
zsh

more detail
2022-02-10VuXML ID 0b0ad196-1ee8-4a98-89b1-4d5d82af49a9

Jenkins Security Advisory:

Description

(Medium) SECURITY-2602 / CVE-2021-43859 (upstream issue), CVE-2022-0538 (Jenkins-specific converters)

DoS vulnerability in bundled XStream library

more...
jenkins
jenkins-lts

more detail
2022-02-08*VuXML ID 58d6ed66-c2e8-11eb-9fb0-6451062f0f7a

The X.org project reports:

XLookupColor() and other X libraries function lack proper validation of the length of their string parameters. If those parameters can be controlled by an external application (for instance a color name that can be emitted via a terminal control sequence) it can lead to the emission of extra X protocol requests to the X server.

more...
libX11

more detail
2022-02-04VuXML ID 3507bfb3-85d5-11ec-8c9c-001b217b3468

Gitlab reports:

Arbitrary POST requests via special HTML attributes in Jupyter Notebooks

DNS Rebinding vulnerability in Irker IRC Gateway integration

Missing certificate validation for external CI services

Blind SSRF Through Project Import

Open redirect vulnerability in Jira Integration

Issue link was disclosing the linked issue

Service desk email accessible by project non-members

Authenticated users can search other users by their private email

"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request

Deleting packages in bulk from package registries may cause table locks

Autocomplete enabled on specific pages

Possible SSRF due to not blocking shared address space

System notes reveals private project path when Issue is moved to a public project

Timeout for pages using Markdown

Certain branch names could not be protected

more...
gitlab-ce

more detail
2022-02-03*VuXML ID ee26f513-826e-11ec-8be6-d4c9ef517024

The Rust Security Response WG was notified that the std::fs::remove_dir_all standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete.

more...
rust
rust-nightly

more detail
2022-02-02VuXML ID 1d3677a8-9143-42d8-84a3-0585644dff4b

Emil Lerner reports:

When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerability to send internal state of h2o to backend servers controlled by the attacker or third party. Also, if there is an HTTP endpoint that reflects the traffic sent from the client, an attacker can use that reflector to obtain internal state of h2o.

This internal state includes traffic of other connections in unencrypted form and TLS session tickets.

This vulnerability exists in h2o server with HTTP/3 support, between commit 93af138 and d1f0f65. None of the released versions of h2o are affected by this vulnerability.

more...
h2o-devel

more detail
2022-02-02VuXML ID b1b6d623-83e4-11ec-90de-1c697aa5a594

Problem Description:

Under certain conditions involving use of the highlight buffer while text is scrolling on the console, console data may overwrite data structures associated with the system console or other kernel memory.

Impact:

Users with access to the system console may be able to cause system misbehaviour.

more...
FreeBSD

more detail
2022-02-02VuXML ID e852f43c-846e-11ec-b043-3065ec8fd3ec

Chrome Releases reports:

This release contains 27 security fixes, including:

  • [1284584] High CVE-2022-0452: Use after free in Safe Browsing. Reported by avaue at S.S.L. on 2022-01-05
  • [1284916] High CVE-2022-0453: Use after free in Reader Mode. Reported by Rong Jian of VRI on 2022-01-06
  • [1287962] High CVE-2022-0454: Heap buffer overflow in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2022-01-17
  • [1270593] High CVE-2022-0455: Inappropriate implementation in Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on 2021-11-16
  • [1289523] High CVE-2022-0456: Use after free in Web Search. Reported by Zhihua Yao of KunLun Lab on 2022-01-21
  • [1274445] High CVE-2022-0457: Type Confusion in V8. Reported by rax of the Group0x58 on 2021-11-29
  • [1267060] High CVE-2022-0458: Use after free in Thumbnail Tab Strip. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-11-05
  • [1244205] High CVE-2022-0459: Use after free in Screen Capture. Reported by raven (@raid_akame) on 2021-08-28
  • [1250227] Medium CVE-2022-0460: Use after free in Window Dialog. Reported by 0x74960 on 2021-09-16
  • [1256823] Medium CVE-2022-0461: Policy bypass in COOP. Reported by NDevTK on 2021-10-05
  • [1270470] Medium CVE-2022-0462: Inappropriate implementation in Scroll. Reported by Youssef Sammouda on 2021-11-16
  • [1268240] Medium CVE-2022-0463: Use after free in Accessibility. Reported by Zhihua Yao of KunLun Lab on 2021-11-09
  • [1270095] Medium CVE-2022-0464: Use after free in Accessibility. Reported by Zhihua Yao of KunLun Lab on 2021-11-14
  • [1281941] Medium CVE-2022-0465: Use after free in Extensions. Reported by Samet Bekmezci @sametbekmezci on 2021-12-22
  • [1115460] Medium CVE-2022-0466: Inappropriate implementation in Extensions Platform. Reported by David Erceg on 2020-08-12
  • [1239496] Medium CVE-2022-0467: Inappropriate implementation in Pointer Lock. Reported by Alesandro Ortiz on 2021-08-13
  • [1252716] Medium CVE-2022-0468: Use after free in Payments. Reported by Krace on 2021-09-24
  • [1279531] Medium CVE-2022-0469: Use after free in Cast. Reported by Thomas Orlita on 2021-12-14
  • [1269225] Low CVE-2022-0470: Out of bounds memory access in V8. Reported by Looben Yang on 2021-11-11
more...
chromium

more detail
2022-02-01VuXML ID 8579074c-839f-11ec-a3b2-005056a311d1

The Samba Team reports:

  • CVE-2021-43566: Malicious client using an SMB1 or NFS race to allow a directory to be created in an area of the server file system not exported under the share definition.
  • CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share.
  • CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution.
  • CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services.
more...
samba413
samba414
samba415

more detail
2022-01-29VuXML ID b0c83e1a-8153-11ec-84f9-641c67a117d8

Varnish Cache Project reports:

A request smuggling attack can be performed on HTTP/1 connections on Varnish Cache servers. The smuggled request would be treated as an additional request by the Varnish server, go through normal VCL processing, and injected as a spurious response on the client connection.

more...
varnish4
varnish6

more detail
2022-01-28VuXML ID 1aaaa5c6-804d-11ec-8be6-d4c9ef517024

The OpenSSL project reports:

BN_mod_exp may produce incorrect results on MIPS (Moderate)

There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.

more...
openssl
openssl-devel
openssl-quictls

more detail
2022-01-28VuXML ID b6ef8a53-8062-11ec-9af3-fb232efe4d2e

Cary Phillips reports:

[OpenEXR Version 3.1.4 is a] patch release that [...] addresses one public security vulnerability: CVE-2021-45942 Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute [and several] specific OSS-fuzz issues [...].

more...
openexr

more detail
2022-01-27VuXML ID 65847d9d-7f3e-11ec-8624-b42e991fc52e

huntr.dev reports:

In Mustache.php v2.0.0 through v2.14.0, Sections tag can lead to arbitrary php code execution even if strict_callables is true when section value is controllable.

more...
phpmustache

more detail
2022-01-26VuXML ID 0f8bf913-7efa-11ec-8c04-2cf05d620ecc

Qualys reports:

We discovered a Local Privilege Escalation (from any user to root) in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution.

more...
polkit

more detail
2022-01-25VuXML ID 58528a94-5100-4208-a04d-edc01598cf01

Strongswan Release Notes reports:

Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990.

Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991.

more...
strongswan

more detail
2022-01-25VuXML ID ccaea96b-7dcd-11ec-93df-00224d821998

Strongswan Release Notes reports:

Fixed a vulnerability in the EAP client implementation that was caused by incorrectly handling early EAP-Success messages. It may allow to bypass the client and in some scenarios even the server authentication, or could lead to a denial-of-service attack. This vulnerability has been registered as CVE-2021-45079.

more...
strongswan

more detail
2022-01-23VuXML ID 309c35f4-7c9f-11ec-a739-206a8a720317

David Bouman reports:

AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow.

Aide uses a fixed size (16k bytes) for the return buffer in encode_base64/decode_base64 functions. This results in a segfault if aide processes a file with too large extended attribute value or ACL.

more...
aide

more detail
2022-01-20VuXML ID 51496cbc-7a0e-11ec-a323-3065ec8fd3ec

Chrome Releases reports:

This release contains 26 security fixes, including:

  • [1284367] Critical CVE-2022-0289: Use after free in Safe browsing. Reported by Sergei Glazunov of Google Project Zero on 2022-01-05
  • [1260134][1260007] High CVE-2022-0290: Use after free in Site isolation. Reported by Brendon Tiszka and Sergei Glazunov of Google Project Zero on 2021-10-15
  • [1281084] High CVE-2022-0291: Inappropriate implementation in Storage. Reported by Anonymous on 2021-12-19
  • [1270358] High CVE-2022-0292: Inappropriate implementation in Fenced Frames. Reported by Brendon Tiszka on 2021-11-16
  • [1283371] High CVE-2022-0293: Use after free in Web packaging. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-30
  • [1273017] High CVE-2022-0294: Inappropriate implementation in Push messaging. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-11-23
  • [1278180] High CVE-2022-0295: Use after free in Omnibox. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-09
  • [1283375] High CVE-2022-0296: Use after free in Printing. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-30
  • [1274316] High CVE-2022-0297: Use after free in Vulkan. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-11-28
  • [1212957] High CVE-2022-0298: Use after free in Scheduling. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-25
  • [1275438] High CVE-2022-0300: Use after free in Text Input Method Editor. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-01
  • [1276331] High CVE-2022-0301: Heap buffer overflow in DevTools. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-12-03
  • [1278613] High CVE-2022-0302: Use after free in Omnibox. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-10
  • [1281979] High CVE-2022-0303: Race in GPU Watchdog. Reported by Yigit Can YILMAZ (@yilmazcanyigit) on 2021-12-22
  • [1282118] High CVE-2022-0304: Use after free in Bookmarks. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-22
  • [1282354] High CVE-2022-0305: Inappropriate implementation in Service Worker API. Reported by @uwu7586 on 2021-12-23
  • [1283198] High CVE-2022-0306: Heap buffer overflow in PDFium. Reported by Sergei Glazunov of Google Project Zero on 2021-12-29
  • [1281881] Medium CVE-2022-0307: Use after free in Optimization Guide. Reported by Samet Bekmezci @sametbekmezci on 2021-12-21
  • [1282480] Medium CVE-2022-0308: Use after free in Data Transfer. Reported by @ginggilBesel on 2021-12-24
  • [1240472] Medium CVE-2022-0309: Inappropriate implementation in Autofill. Reported by Alesandro Ortiz on 2021-08-17
  • [1283805] Medium CVE-2022-0310: Heap buffer overflow in Task Manager. Reported by Samet Bekmezci @sametbekmezci on 2022-01-03
  • [1283807] Medium CVE-2022-0311: Heap buffer overflow in Task Manager. Reported by Samet Bekmezci @sametbekmezci on 2022-01-03
more...
chromium

more detail
2022-01-19VuXML ID 7262f826-795e-11ec-8be6-d4c9ef517024

Oracle reports:

This Critical Patch Update contains 78 new security patches for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 7.4

more...
mysql-connector-c++
mysql-connector-java
mysql-connector-java51
mysql-connector-odbc
mysql-server55
mysql-server56
mysql-server57
mysql-server80

more detail
2022-01-14VuXML ID e3ec8b30-757b-11ec-922f-654747404482

The Prosody teaM reports:

It was discovered that an internal Prosody library to load XML based on does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).

more...
prosody

more detail
2022-01-13VuXML ID 79b65dc5-749f-11ec-8be6-d4c9ef517024

The WordPress project reports:

  • Issue with stored XSS through post slugs
  • Issue with Object injection in some multisite installations
  • SQL injection vulnerability in WP_Query
  • SQL injection vulnerability in WP_Meta_Query
more...
wordpress

more detail
2022-01-12VuXML ID 2a6106c6-73e5-11ec-8fa2-0800270512f4

Laurent Delosieres reports:

Fix for invalid pointer read that may cause a crash. This issue affects 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json option) is enabled.

more...
clamav
clamav-lts

more detail
2022-01-12VuXML ID 43f84437-73ab-11ec-a587-001b217b3468

Gitlab reports:

Arbitrary file read via group import feature

Stored XSS in notes

Lack of state parameter on GitHub import project OAuth

Vulnerability related fields are available to unauthorized users on GraphQL API

Deleting packages may cause table locks

IP restriction bypass via GraphQL

Repository content spoofing using Git replacement references

Users can import members from projects that they are not a maintainer on through API

Possibility to direct user to malicious site through Slack integration

Bypassing file size limits to the NPM package repository

User with expired password can still access sensitive information

Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port

more...
gitlab-ce

more detail
2022-01-12VuXML ID 672eeea9-a070-4f88-b0f1-007e90a2cbc3

Jenkins Security Advisory:

Description

(Medium) SECURITY-2558 / CVE-2022-20612

CSRF vulnerability in build triggers

more...
jenkins
jenkins-lts

more detail
2022-01-09VuXML ID b927b654-7146-11ec-ad4b-5404a68ad561

Upstream project reports:

Fix a bug affecting both uriNormalizeSyntax* and uriMakeOwner* functions where the text range in .hostText would not be duped using malloc but remain unchanged (and hence "not owned") for URIs with an IPv4 or IPv6 address hostname; depending on how an application uses uriparser, this could lead the application into a use-after-free situation. As the second half, fix uriFreeUriMembers* functions that would not free .hostText memory for URIs with an IPv4 or IPv6 address host; also, calling uriFreeUriMembers* multiple times on a URI of this very nature would result in trying to free pointers to stack (rather than heap) memory. Fix functions uriNormalizeSyntax* for out-of-memory situations (i.e. malloc returning NULL) for URIs containing empty segments (any of user info, host text, query, or fragment) where previously pointers to stack (rather than heap) memory were freed.

more...
uriparser

more detail
2022-01-06VuXML ID d3e023fb-6e88-11ec-b948-080027240888

Django Release reports:

CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator.

CVE-2021-45116: Potential information disclosure in dictsort template filter.

CVE-2021-45452: Potential directory-traversal via Storage.save().

more...
py37-django22
py37-django32
py37-django40
py38-django22
py38-django32
py38-django40
py39-django22
py39-django32
py39-django40

more detail
2022-01-05VuXML ID 9c990e67-6e30-11ec-82db-b42e991fc52e

nlnetlabs reports:

Release 0.10.2 contains fixes for the following issues:

  • Medium CVE-2021-43172: Infinite length chain of RRDP repositories. Credit: Koen van Hove. Date: 2021-11-09
  • Medium CVE-2021-43173: Hanging RRDP request. Credit: Koen van Hove. Date: 2021-11-09
  • Medium CVE-2021-43174: gzip transfer encoding caused out-of-memory crash. Credit Koen van Hove. Date: 2021-11-09
more...
routinator

more detail
2022-01-05VuXML ID 9eeccbf3-6e26-11ec-bb10-3065ec8fd3ec

Chrome Releases reports:

This release contains 37 security fixes, including:

  • [$TBD][1275020] Critical CVE-2022-0096: Use after free in Storage. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-11-30
  • [1117173] High CVE-2022-0097: Inappropriate implementation in DevTools. Reported by David Erceg on 2020-08-17
  • [1273609] High CVE-2022-0098: Use after free in Screen Capture. Reported by @ginggilBesel on 2021-11-24
  • [1245629] High CVE-2022-0099: Use after free in Sign-in. Reported by Rox on 2021-09-01
  • [1238209] High CVE-2022-0100: Heap buffer overflow in Media streams API. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-08-10
  • [1249426] High CVE-2022-0101: Heap buffer overflow in Bookmarks. Reported by raven (@raid_akame) on 2021-09-14
  • [1260129] High CVE-2022-0102: Type Confusion in V8 . Reported by Brendon Tiszka on 2021-10-14
  • [1272266] High CVE-2022-0103: Use after free in SwiftShader. Reported by Abraruddin Khan and Omair on 2021-11-21
  • [1273661] High CVE-2022-0104: Heap buffer overflow in ANGLE. Reported by Abraruddin Khan and Omair on 2021-11-25
  • [1274376] High CVE-2022-0105: Use after free in PDF. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-11-28
  • [1278960] High CVE-2022-0106: Use after free in Autofill. Reported by Khalil Zhani on 2021-12-10
  • [1248438] Medium CVE-2022-0107: Use after free in File Manager API. Reported by raven (@raid_akame) on 2021-09-10
  • [1248444] Medium CVE-2022-0108: Inappropriate implementation in Navigation. Reported by Luan Herrera (@lbherrera_) on 2021-09-10
  • [1261689] Medium CVE-2022-0109: Inappropriate implementation in Autofill. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2021-10-20
  • [1237310] Medium CVE-2022-0110: Incorrect security UI in Autofill. Reported by Alesandro Ortiz on 2021-08-06
  • [1241188] Medium CVE-2022-0111: Inappropriate implementation in Navigation. Reported by garygreen on 2021-08-18
  • [1255713] Medium CVE-2022-0112: Incorrect security UI in Browser UI. Reported by Thomas Orlita on 2021-10-04
  • [1039885] Medium CVE-2022-0113: Inappropriate implementation in Blink. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
  • [1267627] Medium CVE-2022-0114: Out of bounds memory access in Web Serial. Reported by Looben Yang on 2021-11-06
  • [1268903] Medium CVE-2022-0115: Uninitialized Use in File API. Reported by Mark Brand of Google Project Zero on 2021-11-10
  • [1272250] Medium CVE-2022-0116: Inappropriate implementation in Compositing. Reported by Irvan Kurniawan (sourc7) on 2021-11-20
  • [1115847] Low CVE-2022-0117: Policy bypass in Service Workers. Reported by Dongsung Kim (@kid1ng) on 2020-08-13
  • [1238631] Low CVE-2022-0118: Inappropriate implementation in WebShare. Reported by Alesandro Ortiz on 2021-08-11
  • [1262953] Low CVE-2022-0120: Inappropriate implementation in Passwords. Reported by CHAKRAVARTHI (Ruler96) on 2021-10-25
more...
chromium

more detail
2021-12-31VuXML ID 47197b47-6a1a-11ec-8be6-d4c9ef517024

The Roundcube project reports:

Cross-site scripting (XSS) via HTML messages with malicious CSS content

more...
roundcube

more detail
2021-12-30VuXML ID 937aa1d6-685e-11ec-a636-000c29061ce6

OpenDMARC releases prior to 1.4.1 are susceptible to the following vulnerabilities:

  • (CVE-2019-16378) OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is prone to a signature-bypass vulnerability with multiple From: addresses, which might affect applications that consider a domain name to be relevant to the origin of an e-mail message.
  • (CVE-2019-20790) OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.
  • (CVE-2020-12272) OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message.
  • (CVE-2020-12460) OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption.
more...
opendmarc

more detail
2021-12-30VuXML ID c1b2b492-6999-11ec-a50c-001cc0382b2f

Manuel Pégourié-Gonnard reports:

If mbedtls_ssl_set_session() or mbedtls_ssl_get_session() were to fail with MBEDTLS_ERR_SSL_ALLOC_FAILED (in an out of memory condition), then calling mbedtls_ssl_session_free() and mbedtls_ssl_free() in the usual manner would cause an internal session buffer to be freed twice, due to two structures both having valid pointers to it after a call to ssl_session_copy().

An attacker could potentially trigger the out of memory condition, and therefore use this bug to create memory corruption, which could then be further exploited or targetted.

more...
mbedtls

more detail
2021-12-30VuXML ID ede832bf-6576-11ec-a636-000c29061ce6

OpenDMARC 1.4.1 and 1.4.1.1 will dereference a NULL pointer when encountering a multi-value From: header field. A remote attacker can send a specially crafted message resulting in a denial of service.

more...
opendmarc

more detail
2021-12-29VuXML ID a4ff3673-d742-4b83-8c2b-3ddafe732034

minio developers report:

AddUser() API endpoint was exposed to a legacy behavior. i.e it accepts a "policy" field

This API is mainly used to create a user or update a user's password.

However, a malicious client can hand-craft an HTTP API call that allows for updating Policy for a user and gaining higher privileges.

more...
minio

more detail
2021-12-27VuXML ID b0f49cb9-6736-11ec-9eea-589cfc007716

OpenSearch reports:

CVE-2021-45046 was issued shortly following the release of OpenSearch 1.2.1. This new CVE advises upgrading from Log4j 2.15.0 (used in OpenSearch 1.2.1) to Log4j 2.16.0. Out of an abundance of caution, the team is releasing OpenSearch 1.2.2 which includes Log4j 2.16.0. While there has been no observed reproduction of the issue described in CVE-2021-45046, Log4j 2.16.0 takes much more extensive JNDI mitigation measures.

more...
opensearch

more detail
2021-12-27VuXML ID d1be3d73-6737-11ec-9eea-589cfc007716

OpenSearch reports:

CVE-2021-45105 for Log4j was issued after the release of OpenSearch 1.2.2. This CVE advises upgrading to Log4j 2.17.0. While there has been no observed reproduction of the issue described in CVE-2021-45105 in OpenSearch, we have released OpenSearch 1.2.3 which updates Log4j to version 2.17.0.

more...
opensearch

more detail
2021-12-21VuXML ID 0a50bb48-625f-11ec-a1fb-080027cb2f6f

Mediawiki reports:

(T292763. CVE-2021-44854) REST API incorrectly publicly caches autocomplete search results from private wikis.

(T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via Special:ChangeContentModel.

(T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to replace the content of arbitrary pages.

(T297322, CVE-2021-44858) Unauthorized users can view contents of private wikis using various actions.

(T297574, CVE-2021-45038) Unauthorized users can access private wiki contents using rollback action

(T293589, CVE-2021-44855) Blind Stored XSS in VisualEditor media dialog.

(T294686) Special:Nuke doesn't actually delete pages.

more...
mediawiki135
mediawiki136
mediawiki137

more detail
2021-12-21VuXML ID 1135e939-62b4-11ec-b8e2-1c1b0d9ea7e6

Bobby Rauch of Accenture reports:

I ended up finding OpenGrok, and after careful testing, discovered that OpenGrok insecurely deserializes XML input, which can lead to Remote Code Execution. This vulnerability was found in all versions of OpenGrok <1.6.8 and was reported to Oracle. The vulnerability has now been patched in OpenGrok 1.6.9, and has been issued a CVE. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2322)

more...
opengrok

more detail
2021-12-20VuXML ID ca982e2d-61a9-11ec-8be6-d4c9ef517024

The Apache httpd project reports:

moderate: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier (CVE-2021-44224)

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).

high: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier (CVE-2021-44790)

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts).

more...
apache24

more detail
2021-12-17VuXML ID 650734b2-7665-4170-9a0a-eeced5e10a5e

Apache Software Foundation reports:

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

more...
graylog

more detail
2021-12-15VuXML ID 1ea05bb8-5d74-11ec-bb1e-001517a2e1a4

Serviio reports:

Serviio is affectred by the log4j vulnerability.

more...
serviio

more detail
2021-12-15VuXML ID 897e1962-5d5a-11ec-a3ed-040e3c3cf7e7

Privoxy reports:

cgi_error_no_template(): Encode the template name to prevent XSS (cross-site scripting) when Privoxy is configured to servce the user-manual itself.

Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543. Reported by: Artem Ivanov

get_url_spec_param(): Free memory of compiled pattern spec before bailing. Reported by Joshua Rogers (Opera) who also provided the fix. Commit 652b4b7cb0. OVE-20211201-0003. CVE-2021-44540.

process_encrypted_request_headers(): Free header memory when failing to get the request destination. Reported by Joshua Rogers (Opera) who also provided the fix. Commit 0509c58045. OVE-20211201-0002. CVE-2021-44541.

send_http_request(): Prevent memory leaks when handling errors Reported by Joshua Rogers (Opera) who also provided the fix. Commit c48d1d6d08. OVE-20211201-0001. CVE-2021-44542.

more...
dropbear

more detail
2021-12-14VuXML ID 0132ca5b-5d11-11ec-8be6-d4c9ef517024

The OpenSSL project reports:

Invalid handling of X509_verify_cert() internal errors in libssl (Moderate)

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses.

more...
openssl-devel

more detail
2021-12-14VuXML ID 515df85a-5cd7-11ec-a16d-001517a2e1a4

FreeBSD port maintainer reports:

Bastillion uses log4j.

more...
bastillion

more detail
2021-12-14VuXML ID fb9ba490-5cc4-11ec-aac7-3065ec8fd3ec

Chrome Releases reports:

This release contains 5 security fixes, including:

  • [1263457] Critical CVE-2021-4098: Insufficient data validation in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-10-26
  • [1270658] High CVE-2021-4099: Use after free in Swiftshader. Reported by Aki Helin of Solita on 2021-11-16
  • [1272068] High CVE-2021-4100: Object lifecycle issue in ANGLE. Reported by Aki Helin of Solita on 2021-11-19
  • [1262080] High CVE-2021-4101: Heap buffer overflow in Swiftshader. Reported by Abraruddin Khan and Omair on 2021-10-21
  • [1278387] High CVE-2021-4102: Use after free in V8. Reported by Anonymous on 2021-12-09
more...
chromium

more detail
2021-12-13VuXML ID 0dcf68fa-5c31-11ec-875e-901b0e9408dc

Matrix developers report:

Today we are releasing security updates to libolm, matrix-js-sdk, and several clients including Element Web / Desktop. Users are encouraged to upgrade as soon as possible.

These releases mitigate a buffer overflow in olm_session_describe, a libolm debugging function used by matrix-js-sdk in its end-to-end encryption (E2EE) implementation. If you rely on matrix-js-sdk for E2EE, you are affected.

more...
cinny
element-web

more detail
2021-12-13VuXML ID 4b1ac5a3-5bd4-11ec-8602-589cfc007716

OpenSearch reports:

A recently published security issue (CVE-2021-44228) affects several versions of the broadly-used Apache Log4j library. Some software in the OpenSearch project includes versions of Log4j referenced in this CVE. While, at time of writing, the team has not found a reproduceable example in OpenSearch of remote code execution (RCE) described in this issue, its severity is such that all users should take mitigation measures. As recommended by the advisory, the team has released OpenSearch 1.2.1, which updates Log4j to version 2.15.0. For those who cannot upgrade to 1.2.1, the Log4j website outlines additional measures to mitigate the issue. This patch release also addresses CVE-2021-4352 in the OpenSearch Docker distributions..

more...
opensearch

more detail
2021-12-13*VuXML ID 66cf7c43-5be3-11ec-a587-001b217b3468

Solr reports:

Apache Solr affected by Apache Log4J

more...
apache-solr

more detail
2021-12-13VuXML ID 93a1c9a7-5bef-11ec-a47a-001517a2e1a4

Openhab reports:

Any openHAB instance that is publicly available or which consumes untrusted content from remote servers is potentially a target of this attack.

more...
openhab
openhab2

more detail
2021-12-12VuXML ID a994ff7d-5b3f-11ec-8398-6c3be5272acd

GitHub Security Labs reports:

A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary .csv files through directory traversal. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: /api/plugins/.*/markdown/.* for .md files

more...
grafana
grafana6
grafana7
grafana8

more detail
2021-12-12VuXML ID c2a7de31-5b42-11ec-8398-6c3be5272acd

GitHub Security Labs reports:

A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary .csv files through directory traversal. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: /api/ds/query

more...
grafana
grafana8

more detail
2021-12-11VuXML ID 3fadd7e4-f8fb-45a0-a218-8fd6423c338f

Apache Software Foundation repos:

Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or paramters can execute arbitrary code from attacker-controller LDAP servers when message lookup substitution is enabled.

more...
graylog

more detail
2021-12-11VuXML ID 4b478274-47a0-11ec-bd24-6c3be5272acd

Grafana Labs reports:

If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim’s browser.

The user visiting the malicious link must be unauthenticated, and the link must be for a page that contains the login button in the menu bar.

There are two ways an unauthenticated user can open a page in Grafana that contains the login button:

  • Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.
  • The link is to an unauthenticated page. The following pages are vulnerable:
    • /dashboard-solo/snapshot/*
    • /dashboard/snapshot/*
    • /invite/:code

The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }}

An example of an expression would be: {{constructor.constructor(‘alert(1)’)()}}. This can be included in the link URL like this:

https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1

When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated, and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.

more...
grafana
grafana8

more detail
2021-12-11VuXML ID 942fff11-5ac4-11ec-89ea-c85b76ce9b5a

NVD reports:

Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive.

more...
p7zip

more detail
2021-12-11VuXML ID 99bff2bd-4852-11ec-a828-6c3be5272acd

Grafana Labs reports:

When the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin.

more...
grafana
grafana8

more detail
2021-12-11VuXML ID e33880ed-5802-11ec-8398-6c3be5272acd

Grafana Labs reports:

Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: /public/plugins/<“plugin-id”> where <“plugin-id”> is the plugin ID for any installed plugin.

Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin so the following URLs are vulnerable for every instance:

  • /public/plugins/alertlist/
  • /public/plugins/annolist/
  • /public/plugins/barchart/
  • /public/plugins/bargauge/
  • /public/plugins/candlestick/
  • /public/plugins/cloudwatch/
  • /public/plugins/dashlist/
  • /public/plugins/elasticsearch/
  • /public/plugins/gauge/
  • /public/plugins/geomap/
  • /public/plugins/gettingstarted/
  • /public/plugins/grafana-azure-monitor-datasource/
  • /public/plugins/graph/
  • /public/plugins/heatmap/
  • /public/plugins/histogram/
  • /public/plugins/influxdb/
  • /public/plugins/jaeger/
  • /public/plugins/logs/
  • /public/plugins/loki/
  • /public/plugins/mssql/
  • /public/plugins/mysql/
  • /public/plugins/news/
  • /public/plugins/nodeGraph/
  • /public/plugins/opentsdb
  • /public/plugins/piechart/
  • /public/plugins/pluginlist/
  • /public/plugins/postgres/
  • /public/plugins/prometheus/
  • /public/plugins/stackdriver/
  • /public/plugins/stat/
  • /public/plugins/state-timeline/
  • /public/plugins/status-history/
  • /public/plugins/table/
  • /public/plugins/table-old/
  • /public/plugins/tempo/
  • /public/plugins/testdata/
  • /public/plugins/text/
  • /public/plugins/timeseries/
  • /public/plugins/welcome/
  • /public/plugins/zipkin/
more...
grafana
grafana8

more detail
2021-12-09VuXML ID 720505fe-593f-11ec-9ba8-002324b2fba8

The Go project reports:

net/http: limit growth of header canonicalization cache. An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.

syscall: don’t close fd 0 on ForkExec error. When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one.

more...
go

more detail
2021-12-07VuXML ID 18ac074c-579f-11ec-aac7-3065ec8fd3ec

Chrome Releases reports:

This release contains 22 security fixes, including:

  • [1267661] High CVE-2021-4052: Use after free in web apps. Reported by Wei Yuan of MoyunSec VLab on 2021-11-07
  • [1267791] High CVE-2021-4053: Use after free in UI. Reported by Rox on 2021-11-08
  • [1265806] High CVE-2021-4079: Out of bounds write in WebRTC. Reported by Brendon Tiszka on 2021-11-01
  • [1239760] High CVE-2021-4054: Incorrect security UI in autofill. Reported by Alesandro Ortiz on 2021-08-13
  • [1268738] High CVE-2021-4078: Type confusion in V8. Reported by Nan Wang (@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2021-11-09
  • [1266510] High CVE-2021-4055: Heap buffer overflow in extensions. Reported by Chen Rong on 2021-11-03
  • [1260939] High CVE-2021-4056: Type Confusion in loader. Reported by @__R0ng of 360 Alpha Lab on 2021-10-18
  • [1262183] High CVE-2021-4057: Use after free in file API. Reported by Sergei Glazunov of Google Project Zero on 2021-10-21
  • [1267496] High CVE-2021-4058: Heap buffer overflow in ANGLE. Reported by Abraruddin Khan and Omair on 2021-11-06
  • [1270990] High CVE-2021-4059: Insufficient data validation in loader. Reported by Luan Herrera (@lbherrera_) on 2021-11-17
  • [1271456] High CVE-2021-4061: Type Confusion in V8. Reported by Paolo Severini on 2021-11-18
  • [1272403] High CVE-2021-4062: Heap buffer overflow in BFCache. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-11-22
  • [1273176] High CVE-2021-4063: Use after free in developer tools. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-11-23
  • [1273197] High CVE-2021-4064: Use after free in screen capture. Reported by @ginggilBesel on 2021-11-23
  • [1273674] High CVE-2021-4065: Use after free in autofill. Reported by 5n1p3r0010 on 2021-11-25
  • [1274499] High CVE-2021-4066: Integer underflow in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2021-11-29
  • [1274641] High CVE-2021-4067: Use after free in window manager. Reported by @ginggilBesel on 2021-11-29
  • [1265197] Low CVE-2021-4068: Insufficient validation of untrusted input in new tab page. Reported by NDevTK on 2021-10-31
more...
chromium

more detail
2021-12-07VuXML ID b299417a-5725-11ec-a587-001b217b3468

Gitlab reports:

Group members with developer role can escalate their privilege to maintainer on projects that they import

When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API

Collision in access memoization leads to potential elevated privileges on groups and projects

Project access token names are returned for unauthenticated requesters

Sensitive info disclosure in logs

Disclosure of a user's custom project and group templates

ReDoS in Maven package version

Potential denial of service via the Diff feature

Regular Expression Denial of Service via user comments

Service desk email accessible by any project member

Regular Expression Denial of Service via quick actions

IDOR in "external status check" API leaks data about any status check on the instance

Default branch name visible in public projects restricting access to the source code repository

Deploy token allows access to disabled project Wiki

Regular Expression Denial of Service via deploy Slash commands

Users can reply to Vulnerability Report discussions despite Only Project Members settings

Unauthorised deletion of protected branches

Author can approve Merge Request after having access revoked

HTML Injection via Swagger UI

more...
gitlab-ce

more detail
2021-12-02VuXML ID 47695a9c-5377-11ec-8be6-d4c9ef517024

The Mozilla project reports:

Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures (Critical)

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS.

more...
nss

more detail
2021-12-01VuXML ID 0d6efbe3-52d9-11ec-9472-e3667ed6088e

Mark Sapiro reports:

A list moderator or list member can potentially carry out a CSRF attack by getting a list admin to visit a crafted web page.

more...
mailman
mailman-exim4
mailman-exim4-with-htdig
mailman-postfix
mailman-postfix-with-htdig
mailman-with-htdig

more detail
2021-11-24VuXML ID 2c6af5c3-4d36-11ec-a539-0800270512f4

chamal reports:

A security vulnerability that causes buffer overflow when you pass a very large string (> 700 MB) to CGI.escape_html on a platform where long type takes 4 bytes, typically, Windows.

more...
ruby
ruby27
ruby30
rubygem-cgi

more detail
2021-11-24VuXML ID 4548ec97-4d38-11ec-a539-0800270512f4

ooooooo_q reports:

The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application.

By this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded.

more...
ruby
ruby26
ruby27
ruby30
rubygem-cgi

more detail
2021-11-24*VuXML ID 6916ea94-4628-11ec-bbe2-0800270512f4

Stanislav Valkanov reports:

Date's parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.

more...
ruby
ruby26
ruby27
ruby30
rubygem-date

more detail
2021-11-23VuXML ID 27aa2253-4c72-11ec-b6b9-e86a64caca56

Matrix developers report:

This release patches one high severity issue affecting Synapse installations 1.47.0 and earlier using the media repository. An attacker could cause these Synapses to download a remote file and store it in a directory outside the media repository.

Note that:

  • This only affects homeservers using Synapse's built-in media repository, as opposed to synapse-s3-storage-provider or matrix-media-repo.
  • Attackers cannot control the exact name or destination of the stored file.
more...
py310-matrix-synapse
py36-matrix-synapse
py37-matrix-synapse
py38-matrix-synapse
py39-matrix-synapse

more detail
2021-11-19VuXML ID 0bf816f6-3cfe-11ec-86cd-dca632b19f10

Joonun Jang reports:

heap buffer overflow running advzip with "-l poc" option

Running 'advzip -l poc' with the attached file raises heap buffer overflow which may allow a remote attacker to cause unspecified impact including denial-of-service attack. I expected the program to terminate without segfault, but the program crashes as follow. [...]

and other vulnerabilities.

more...
advancecomp

more detail
2021-11-16VuXML ID b8c0cbca-472d-11ec-83dc-3065ec8fd3ec

Chrome Releases reports:

This release contains 25 security fixes, including:

  • [1263620] High CVE-2021-38008: Use after free in media. Reported by Marcin Towalski of Cisco Talos on 2021-10-26
  • [1260649] High CVE-2021-38009: Inappropriate implementation in cache. Reported by Luan Herrera (@lbherrera_) on 2021-10-16
  • [1240593] High CVE-2021-38006: Use after free in storage foundation. Reported by Sergei Glazunov of Google Project Zero on 2021-08-17
  • [1254189] High CVE-2021-38007: Type Confusion in V8. Reported by Polaris Feng and SGFvamll at Singular Security Lab on 2021-09-29
  • [1241091] High CVE-2021-38005: Use after free in loader. Reported by Sergei Glazunov of Google Project Zero on 2021-08-18
  • [1264477] High CVE-2021-38010: Inappropriate implementation in service workers. Reported by Sergei Glazunov of Google Project Zero on 2021-10-28
  • [1268274] High CVE-2021-38011: Use after free in storage foundation. Reported by Sergei Glazunov of Google Project Zero on 2021-11-09
  • [1262791] Medium CVE-2021-38012: Type Confusion in V8. Reported by Yonghwi Jin (@jinmo123) on 2021-10-24
  • [1242392] Medium CVE-2021-38013: Heap buffer overflow in fingerprint recognition. Reported by raven (@raid_akame) on 2021-08-23
  • [1248567] Medium CVE-2021-38014: Out of bounds write in Swiftshader. Reported by Atte Kettunen of OUSPG on 2021-09-10
  • [957553] Medium CVE-2021-38015: Inappropriate implementation in input. Reported by David Erceg on 2019-04-29
  • [1244289] Medium CVE-2021-38016: Insufficient policy enforcement in background fetch. Reported by Maurice Dauer on 2021-08-28
  • [1256822] Medium CVE-2021-38017: Insufficient policy enforcement in iframe sandbox. Reported by NDevTK on 2021-10-05
  • [1197889] Medium CVE-2021-38018: Inappropriate implementation in navigation. Reported by Alesandro Ortiz on 2021-04-11
  • [1251179] Medium CVE-2021-38019: Insufficient policy enforcement in CORS. Reported by Maurice Dauer on 2021-09-20
  • [1259694] Medium CVE-2021-38020: Insufficient policy enforcement in contacts picker. Reported by Luan Herrera (@lbherrera_) on 2021-10-13
  • [1233375] Medium CVE-2021-38021: Inappropriate implementation in referrer. Reported by Prakash (@1lastBr3ath) and Jun Kokatsu on 2021-07-27
  • [1248862] Low CVE-2021-38022: Inappropriate implementation in WebAuthentication. Reported by Michal Kepkowski on 2021-09-13
more...
chromium

more detail
2021-11-15VuXML ID 42a4d82d-4603-11ec-8be6-d4c9ef517024

The Roundcube project reports:

XSS issue in handling attachment filename extension in mimetype mismatch warning

possible SQL injection via some session variables

more...
roundcube

more detail
2021-11-13VuXML ID 9d7a2b54-4468-11ec-8532-0d24c37c72c8

Mark Sapiro reports:

A potential XSS attack via the user options page has been reported by Harsh Jaiswal. This is fixed. CVE-2021-43331 (LP: #1949401).

A potential for for a list moderator to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed. CVE-2021-43332 (LP: #1949403)

more...
mailman
mailman-exim4
mailman-exim4-with-htdig
mailman-postfix
mailman-postfix-with-htdig
mailman-with-htdig

more detail
2021-11-10VuXML ID 2ccd71bd-426b-11ec-87db-6cc21735f730

The PostgreSQL Project reports:

CVE-2021-23214: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)

CVE-2021-23222: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.

more...
postgresql10-server
postgresql11-server
postgresql12-server
postgresql13-server
postgresql14-server
postgresql96-server

more detail
2021-11-10VuXML ID 3bd3c9f8-41ee-11ec-9bac-589cfc007716

Puppet reports:

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007.

more...
puppet6
puppet7
puppetserver6
puppetserver7

more detail
2021-11-10VuXML ID 646923b0-41c7-11ec-a3b2-005056a311d1

The Samba Team reports:

  • CVE-2020-25717: A user in an AD Domain could become root on domain members.
  • CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC.
  • CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets.
  • CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid).
  • CVE-2020-25722: Samba AD DC did not do sufficient access and conformance checking of data stored.
  • CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication.
  • CVE-2021-3738: Use after free in Samba AD DC RPC server.
  • CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
more...
samba413
samba414
samba415

more detail
2021-11-10VuXML ID bfea59e0-41ee-11ec-9bac-589cfc007716

Puppet reports:

A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first pluginsync.

more...
puppet6
puppet7

more detail
2021-11-09*VuXML ID c9387e4d-2f5f-11ec-8be6-d4c9ef517024

Oracle reports:

This Critical Patch Update contains 66 new security patches for Oracle MySQL. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.8.

Note: MariaDB only vulnerable against CVE-2021-35604

more...
mariadb103-server
mariadb104-server
mariadb105-server
mysql-connector-java
mysql57-server
mysql80-client
mysql80-server

more detail
2021-11-05VuXML ID 17702e54-3da0-11ec-b7e0-3085a9a95629

Nathaniel McCallum reports:

packet.py in pyrad before 2.1 uses weak random numbers to generate RADIUS authenticators and hash passwords, which makes it easier for remote attackers to obtain sensitive information via a brute force attack.

The CreateID function in packet.py in pyrad before 2.1 uses sequential packet IDs, which makes it easier for remote attackers to spoof packets by predicting the next ID, a different vulnerability than CVE-2013-0294.

more...
py310-pyrad
py36-pyrad
py37-pyrad
py38-pyrad
py39-pyrad

more detail
2021-11-05VuXML ID 930def19-3e05-11ec-9ba8-002324b2fba8

The Go project reports:

debug/macho fails out when loading a file that contains a dynamic symbol table command that indicates a larger number of symbols than exist in the loaded symbol table.

Previously, opening a zip with (*Reader).Open could result in a panic if the zip contained a file whose name was exclusively made up of slash characters or ".." path elements. Open could also panic if passed the empty string directly as an argument.

more...
go

more detail
2021-11-04VuXML ID 2bf56269-90f8-4a82-b82f-c0e289f2a0dc

Jenkins Security Advisory:

Description

(Critical) SECURITY-2455 / CVE-2021-21685, CVE-2021-21686, CVE-2021-21687, CVE-2021-21688, CVE-2021-21689, CVE-2021-21690, CVE-2021-21691, CVE-2021-21692, CVE-2021-21693, CVE-2021-21694, CVE-2021-21695

Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control

(High) SECURITY-2423 / CVE-2021-21696

Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin

(High) SECURITY-2428 / CVE-2021-21697

Agent-to-controller access control allows reading/writing most content of build directories

(Medium) SECURITY-2506 / CVE-2021-21698

Path traversal vulnerability in Subversion Plugin allows reading arbitrary files

more...
jenkins
jenkins-lts

more detail
2021-11-04VuXML ID df794e5d-3975-11ec-84e8-0800273f11ea

The Gitea Team reports for release 1.15.5:

  • Upgrade Bluemonday to v1.0.16 (#17372) (#17374)
  • Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)
more...
gitea

more detail
2021-10-30VuXML ID 33557582-3958-11ec-90ba-001b217b3468

Gitlab reports:

Stored XSS via ipynb files

Pipeline schedules on imported projects can be set to automatically active after import

Potential Denial of service via Workhorse

Improper Access Control allows Merge Request creator to bypass locked status

Projects API discloses ID and name of private groups

Severity of an incident can be changed by a guest user

System root password accidentally written to log file

Potential DoS via a malformed TIFF image

Bypass of CODEOWNERS Merge Request approval requirement

Change project visibility to a restricted option

Project exports leak external webhook token value

SCIM token is visible after creation

Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is transfered

Regular expression denial of service issue when cleaning namespace path

Prevent creation of scopeless apps using applications API

Webhook data exposes assignee's private email address

more...
gitlab-ce

more detail
2021-10-29VuXML ID 976d7bf9-38ea-11ec-b3b0-3065ec8fd3ec

Chrome Releases reports:

This release contains 8 security fixes, including:

  • [1259864] High CVE-2021-37997 : Use after free in Sign-In. Reported by Wei Yuan of MoyunSec VLab on 2021-10-14
  • [1259587] High CVE-2021-37998 : Use after free in Garbage Collection. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-10-13
  • [1251541] High CVE-2021-37999 : Insufficient data validation in New Tab Page. Reported by Ashish Arun Dhone on 2021-09-21
  • [1249962] High CVE-2021-38000 : Insufficient validation of untrusted input in Intents. Reported by Clement Lecigne, Neel Mehta, and Maddie Stone of Google Threat Analysis Group on 2021-09-15
  • [1260577] High CVE-2021-38001 : Type Confusion in V8. Reported by @s0rrymybad of Kunlun Lab via Tianfu Cup on 2021-10-16
  • [1260940] High CVE-2021-38002 : Use after free in Web Transport. Reported by @__R0ng of 360 Alpha Lab, ? via Tianfu Cup on 2021-10-16
  • [1263462] High CVE-2021-38003 : Inappropriate implementation in V8. Reported by Clément Lecigne from Google TAG and Samuel Gross from Google Project Zero on 2021-10-26

Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild.

more...
chromium

more detail
2021-10-28VuXML ID c848059a-318b-11ec-aa15-0800270512f4

Jakub Żoczek reports:

Command mail from mailutils package used in mail actions like mail-whois can execute command if unescaped sequences (\n~) are available in "foreign" input (for instance in whois output).

more...
py310-fail2ban
py36-fail2ban
py37-fail2ban
py38-fail2ban
py39-fail2ban

more detail
2021-10-23VuXML ID f4b15f7d-d33a-4cd0-a97b-709d6af0e43e

minio developers report:

Looks like policy restriction was not working properly for normal users when they are not svc or STS accounts.

  • svc accounts are now properly fixed to get right permissions when its inherited, so we do not have to set 'owner = true'
  • sts accounts have always been using right permissions, do not need an explicit lookup
  • regular users always have proper policy mapping
more...
minio

more detail
2021-10-20VuXML ID 8d65aa3b-31ce-11ec-8c32-a14e8e520dc7

Mark Sapiro reports:

A potential for for a list member to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed.

A CSRF attack via the user options page could allow takeover of a users account. This is fixed.

more...
mailman
mailman-with-htdig

more detail
2021-10-19VuXML ID bdaecfad-3117-11ec-b3b0-3065ec8fd3ec

Chrome Releases reports:

This release contains 19 security fixes, including:

  • [1246631] High CVE-2021-37981: Heap buffer overflow in Skia. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-09-04
  • [1248661] High CVE-2021-37982: Use after free in Incognito. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-09-11
  • [1249810] High CVE-2021-37983: Use after free in Dev Tools. Reported by Zhihua Yao of KunLun Lab on 2021-09-15
  • [1253399] High CVE-2021-37984: Heap buffer overflow in PDFium. Reported by Antti Levomäki, Joonas Pihlaja andChristian Jali from Forcepoint on 2021-09-27
  • [1241860] High CVE-2021-37985: Use after free in V8. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-08-20
  • [1242404] Medium CVE-2021-37986: Heap buffer overflow in Settings. Reported by raven (@raid_akame) on 2021-08-23
  • [1206928] Medium CVE-2021-37987: Use after free in Network APIs. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-08
  • [1228248] Medium CVE-2021-37988: Use after free in Profiles. Reported by raven (@raid_akame) on 2021-07-12
  • [1233067] Medium CVE-2021-37989: Inappropriate implementation in Blink. Reported by Matt Dyas, Ankur Sundara on 2021-07-26
  • [1247395] Medium CVE-2021-37990: Inappropriate implementation in WebView. Reported by Kareem Selim of CyShield on 2021-09-07
  • [1250660] Medium CVE-2021-37991: Race in V8. Reported by Samuel Gross of Google Project Zero on 2021-09-17
  • [1253746] Medium CVE-2021-37992: Out of bounds read in WebAudio. Reported by sunburst@Ant Security Light-Year Lab on 2021-09-28
  • [1255332] Medium CVE-2021-37993: Use after free in PDF Accessibility. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-10-02
  • [1243020] Medium CVE-2021-37996: Insufficient validation of untrusted input in Downloads. Reported by Anonymous on 2021-08-24
  • [1100761] Low CVE-2021-37994: Inappropriate implementation in iFrame Sandbox. Reported by David Erceg on 2020-06-30
  • [1242315] Low CVE-2021-37995: Inappropriate implementation in WebApp Installer. Reported by Terence Eden on 2021-08-23
more...
chromium

more detail
2021-10-14VuXML ID a9c5e89d-2d15-11ec-8363-0022489ad614

Node.js reports:

HTTP Request Smuggling due to spaced in headers (Medium)(CVE-2021-22959)

The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS).

HTTP Request Smuggling when parsing the body (Medium)(CVE-2021-22960)

The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

more...
node
node14

more detail
2021-10-12VuXML ID 2a1b931f-2b86-11ec-8acd-c80aa9043978

OpenBSD Project reports:

sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a different user. Instead these commands would inherit the groups that sshd(8) was started with.

Depending on system configuration, inherited groups may allow AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain unintended privilege.

Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are enabled by default in sshd_config(5).

more...
openssh-portable
openssh-portable-gssapi
openssh-portable-hpn

more detail
2021-10-12VuXML ID a7dd4c2d-77e4-46de-81a2-c453c317f9de

Cory Sabol reports:

A malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality.

more...
couchdb

more detail
2021-10-11VuXML ID 9a8514f3-2ab8-11ec-b3a1-8c164582fbac

Red Hat reports:

A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.

more...
py310-ansible
py310-ansible-base
py310-ansible-core
py310-ansible2
py36-ansible
py36-ansible-base
py36-ansible-core
py36-ansible2
py37-ansible
py37-ansible-base
py37-ansible-core
py37-ansible2
py38-ansible
py38-ansible-base
py38-ansible-core
py38-ansible2
py39-ansible
py39-ansible-base
py39-ansible-core
py39-ansible2

more detail
2021-10-09VuXML ID 04d2cf7f-2942-11ec-b48c-1c1b0d9ea7e6

The Apache Openoffice project reports:

Apache OpenOffice opens dBase/DBF documents and shows the contents as spreadsheets. DBF are database files with data organized in fields. When reading DBF data the size of certain fields is not checked: the data is just copied into local variables. A carefully crafted document could overflow the allocated space, leading to the execution of arbitrary code by altering the contents of the program stack. This issue affects Apache OpenOffice up to and including version 4.1.10

It is possible for an attacker to manipulate signed documents and macros to appear to come from a trusted source. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25633 for the LibreOffice advisory

It is possible for an attacker to manipulate the timestamp of signed documents. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25634 for the LibreOffice advisory.

It is possible for an attacker to manipulate documents to appear to be signed by a trusted source. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25635 for the LibreOffice advisory.

more...
apache-openoffice
apache-openoffice-devel

more detail
2021-10-09VuXML ID 4fce9635-28c0-11ec-9ba8-002324b2fba8

The Go project reports:

When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments.

If using wasm_exec.js to execute WASM modules, users will need to replace their copy after rebuilding any modules.

more...
go

more detail
2021-10-08VuXML ID 7d3d94d3-2810-11ec-9c51-3065ec8fd3ec

Chrome Releases reports:

This release contains 4 security fixes, including:

  • [1252878] High CVE-2021-37977: Use after free in Garbage Collection. Reported by Anonymous on 2021-09-24
  • [1236318] High CVE-2021-37978: Heap buffer overflow in Blink. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-08-04
  • [1247260] High CVE-2021-37979: Heap buffer overflow in WebRTC. Reported by Marcin Towalski of Cisco Talos on 2021-09-07
  • [1254631] High CVE-2021-37980: Inappropriate implementation in Sandbox. Reported by Yonghwi Jin (@jinmo123) on 2021-09-30
more...
chromium

more detail
2021-10-07VuXML ID 9bad457e-b396-4452-8773-15bec67e1ceb

Jenkins Security Advisory:

Description

(Medium) SECURITY-2475 / CVE-2014-3577

Jenkins core bundles vulnerable version of the commons-httpclient library

more...
jenkins
jenkins-lts

more detail
2021-10-07VuXML ID d001c189-2793-11ec-8fb1-206a8a720317

The Apache http server project reports:

critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013).

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.

This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

Acknowledgements: Reported by Juan Escobar from Dreamlab Technologies, Fernando Munoz from NULL Life CTF Team, and Shungo Kumasaka

more...
apache24

more detail
2021-10-06*VuXML ID 25b78bdd-25b8-11ec-a341-d4c9ef517024

The Apache http server project reports:

  • moderate: null pointer dereference in h2 fuzzing (CVE-2021-41524)
  • important: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)
more...
apache24

more detail
2021-10-06VuXML ID 757ee63b-269a-11ec-a616-6c3be5272acd

Grafana Labs reports:

Unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths:

  • /dashboard/snapshot/:key, or
  • /api/snapshots/:key

If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path:

  • /api/snapshots-delete/:deleteKey

Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths:

  • /api/snapshots/:key, or
  • /api/snapshots-delete/:deleteKey

The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.

more...
grafana
grafana6
grafana7
grafana8

more detail
2021-10-05VuXML ID 9b4806c1-257f-11ec-9db5-0800270512f4

The Redis Team reports:

CVE-2021-41099
Integer to heap buffer overflow handling certain string commands and network payloads, when proto-max-bulk-len is manually configured.
CVE-2021-32762
Integer to heap buffer overflow issue in redis-cli and redis-sentinel parsing large multi-bulk replies on some older and less common platforms.
CVE-2021-32687
Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value.
CVE-2021-32675
Denial Of Service when processing RESP request payloads with a large number of elements on many connections.
CVE-2021-32672
Random heap reading issue with Lua Debugger.
CVE-2021-32628
Integer to heap buffer overflow handling ziplist-encoded data types, when configuring a large, non-default value for hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value.
CVE-2021-32627
Integer to heap buffer overflow issue with streams, when configuring a non-default, large value for proto-max-bulk-len and client-query-buffer-limit.
CVE-2021-32626
Specially crafted Lua scripts may result with Heap buffer overflow.
more...
redis
redis-devel
redis5
redis6

more detail
2021-10-05VuXML ID f05dbd1f-2599-11ec-91be-001b217b3468

Bacula-Web reports:

Address Smarty CVE

more...
bacula-web

more detail
2021-10-01VuXML ID f84ab297-2285-11ec-9e79-08002789875b

Mediawiki reports:

(T285515, CVE-2021-41798) SECURITY: XSS vulnerability in Special:Search.

(T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full table scan.

(T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of Special:Contributions.

(T279090, CVE-2021-41801) SECURITY: ReplaceText continues performing actions if the user no longer has the correct permission (such as by being blocked).

more...
mediawiki131
mediawiki135
mediawiki136

more detail
2021-09-30VuXML ID 1bdd4db6-2223-11ec-91be-001b217b3468

Gitlab reports:

Stored XSS in merge request creation page

Denial-of-service attack in Markdown parser

Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown

DNS Rebinding vulnerability in Gitea importer

Exposure of trigger tokens on project exports

Improper access control for users with expired password

Access tokens are not cleared after impersonation

Reflected Cross-Site Scripting in Jira Integration

DNS Rebinding vulnerability in Fogbugz importer

Access tokens persist after project deletion

User enumeration vulnerability

Potential DOS via API requests

Pending invitations of public groups and public projects are visible to any user

Bypass Disabled Repo by URL Project Creation

Low privileged users can see names of the private groups shared in projects

API discloses sensitive info to low privileged users

Epic listing do not honour group memberships

Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed

Low privileged users can import users from projects that they they are not a maintainer on

Potential DOS via dependencies API

Create a project with unlimited repository size through malicious Project Import

Bypass disabled Bitbucket Server import source project creation

Requirement to enforce 2FA is not honored when using git commands

Content spoofing vulnerability

Improper session management in impersonation feature

Create OAuth application with arbitrary scopes through content spoofing

Lack of account lockout on change password functionality

Epic reference was not updated while moved between groups

Missing authentication allows disabling of two-factor authentication

Information disclosure in SendEntry

more...
gitlab-ce

more detail
2021-09-30VuXML ID 5436f9a2-2190-11ec-a90b-0cc47a49470e

Alexander Cherepanov reports:

Version 0.999b and older of ha archiver is susceptible to directory traversal vulnerabilities via absolute and relative paths.

more...
ha

more detail
2021-09-30VuXML ID 777edbbe-2230-11ec-8869-704d7b472482

Chrome Releases/Stable updates reports:

This release contains 4 security fixes, including:

  • [1245578] High CVE-2021-37974: Use after free in Safe Browsing. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-09-01
  • [1252918] High CVE-2021-37975: Use after free in V8. Reported by Anonymous on 2021-09-24
  • [1251787] Medium CVE-2021-37976: Information leak in core. Reported by Clement Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21

Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.

more...
chromium

more detail
2021-09-29VuXML ID 730e922f-20e7-11ec-a574-080027eedc6a

Sonatype reports:

  • CVE-2020-13920: Apache ActiveMQ JMX is vulnerable to a MITM attack
more...
nexus2-oss

more detail
2021-09-29VuXML ID b2f1f86f-20e6-11ec-a574-080027eedc6a

Sonatype reports:

  • CVE-2020-15012: NXRM2 Directory Traversal vulnerability
more...
nexus2-oss

more detail
2021-09-28*VuXML ID 882a38f9-17dd-11ec-b335-d4c9ef517024

The Apache project reports:

  • moderate: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193)
  • moderate: NULL pointer dereference in httpd core (CVE-2021-34798)
  • moderate: mod_proxy_uwsgi out of bound read (CVE-2021-36160)
  • low: ap_escape_quotes buffer overflow (CVE-2021-39275)
  • high: mod_proxy SSRF (CVE-2021-40438)
more...
apache24

more detail
2021-09-28*VuXML ID c9221ec9-17a2-11ec-b335-d4c9ef517024

The cURL project reports:

  • UAF and double-free in MQTT sending (CVE-2021-22945)
  • Protocol downgrade required TLS bypassed (CVE-2021-22946)
  • STARTTLS protocol injection via MITM (CVE-2021-22945)
more...
curl

more detail
2021-09-24VuXML ID 576aa394-1d85-11ec-8b7d-4f5b624574e2

The WebKitGTK project reports vulnerabilities:

  • CVE-2021-30858: Processing maliciously crafted web content may lead to arbitrary code execution.
more...
webkit2-gtk3

more detail
2021-09-24VuXML ID b6c875f1-1d76-11ec-ae80-704d7b472482

Chrome Releases reports:

][1251727] High CVE-2021-37973 : Use after free in Portals. Reported by Clement Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21

Google is aware that an exploit for CVE-2021-37973 exists in the wild.

more...
chromium

more detail
2021-09-22VuXML ID 7bba5b3b-1b7f-11ec-b335-d4c9ef517024

Jakub Hrozek reports:

Version 0.17.0 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying an URL formatted as ///fishing-site.example.com/logout.html

more...
mod_auth_mellon

more detail
2021-09-22VuXML ID d4d21998-bdc4-4a09-9849-2898d9b41459

Tim Wojtulewicz of Corelight reports:

Paths from log stream make it into system() unchecked, potentially leading to commands being run on the system unintentionally. This requires either bad scripting or a malicious package to be installed, and is considered low severity.

Fix potential unbounded state growth in the PIA analyzer when receiving a connection with either a large number of zero-length packets, or one which continues ack-ing unseen segments. It is possible to run Zeek out of memory in these instances and cause it to crash. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability.

more...
zeek

more detail
2021-09-21VuXML ID 3551e106-1b17-11ec-a8a7-704d7b472482

Chrome Releases reports:

This update contains 19 security fixes, including:

  • [1243117] High CVE-2021-37956: Use after free in Offline use. Reported by Huyna at Viettel Cyber Security on 2021-08-24
  • [1242269] High CVE-2021-37957: Use after free in WebGPU. Reported by Looben Yang on 2021-08-23
  • [1223290] High CVE-2021-37958: Inappropriate implementation in Navigation. Reported by James Lee (@Windowsrcer) on 2021-06-24
  • [1229625] High CVE-2021-37959: Use after free in Task Manager. Reported by raven (@raid_akame) on 2021-07-15
  • [1247196] High CVE-2021-37960: Inappropriate implementation in Blink graphics. Reported by Atte Kettunen of OUSPG on 2021-09-07
  • [1228557] Medium CVE-2021-37961: Use after free in Tab Strip. Reported by Khalil Zhani on 2021-07-13
  • [1231933] Medium CVE-2021-37962: Use after free in Performance Manager. Reported by Sri on 2021-07-22
  • [1199865] Medium CVE-2021-37963: Side-channel information leakage in DevTools. Reported by Daniel Genkin and Ayush Agarwal, University of Michigan, Eyal Ronen and Shaked Yehezkel, Tel Aviv University, Sioli O'Connell, University of Adelaide, and Jason Kim, Georgia Institute of Technology on 2021-04-16
  • [1203612] Medium CVE-2021-37964: Inappropriate implementation in ChromeOS Networking. Reported by Hugo Hue and Sze Yiu Chau of the Chinese University of Hong Kong on 2021-04-28
  • [1239709] Medium CVE-2021-37965: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-08-13
  • [1238944] Medium CVE-2021-37966: Inappropriate implementation in Compositing. Reported by Mohit Raj (shadow2639) on 2021-08-11
  • [1243622] Medium CVE-2021-37967: Inappropriate implementation in Background Fetch API. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-26
  • [1245053] Medium CVE-2021-37968: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-08-30
  • [1245879] Medium CVE-2021-37969: Inappropriate implementation in Google Updater. Reported by Abdelhamid Naceri (halov) on 2021-09-02
  • [1248030] Medium CVE-2021-37970: Use after free in File System API. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-09-09
  • [1219354] Low CVE-2021-37971: Incorrect security UI in Web Browser UI. Reported by Rayyan Bijoora on 2021-06-13
  • [1234259] Low CVE-2021-37972: Out of bounds read in libjpeg-turbo. Reported by Xu Hanyu and Lu Yutao from Panguite-Forensics-Lab of Qianxin on 2021-07-29
more...
chromium

more detail
2021-09-21VuXML ID 57b1ee25-1a7c-11ec-9376-0800272221cc

libssh security advisories:

The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called `secret_hash` and and the other `session_id`. Initially, both of them are the same, but after key re-exchange, previous `session_id` is kept and used as an input to new `secret_hash`.

Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating `secret_hash` of different size than the `session_id` has.

This becomes an issue when the `session_id` memory is zeroized or when it is used again during second key re-exchange.

more...
libssh

more detail
2021-09-21VuXML ID 7062bce0-1b17-11ec-9d9d-0022489ad614

Node.js reports:

npm 6 update - node-tar, arborist, npm cli modules

These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVE being remediated in core npm CLI dependencies including node-tar, and npm arborist.

more...
node14

more detail
2021-09-21VuXML ID b092bd4f-1b16-11ec-9d9d-0022489ad614

Node.js reports:

cares upgrade - Improper handling of untypical characters in domain names (High) (CVE-2021-22931)

Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js DNS library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

Use after free on close http2 on stream canceling (High) (CVE-2021-22940)

Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. The issue is a follow on to CVE-2021-22930 as the issue was not completely resolved in the fix for CVE-2021-22930.

Incomplete validation of rejectUnauthorized parameter (Low) (CVE-2021-22939)

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

more...
node
node14

more detail
2021-09-21VuXML ID c174118e-1b11-11ec-9d9d-0022489ad614

Node.js reports:

libuv upgrade - Out of bounds read (Medium) (CVE-2021-22918)

Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes.

Windows installer - Node Installer Local Privilege Escalation (Medium) (CVE-2021-22921)

Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.

npm upgrade - ssri Regular Expression Denial of Service (ReDoS) (High) (CVE-2021-27290)

This is a vulnerability in the ssri npm module which may be vulnerable to denial of service attacks.

npm upgrade - hosted-git-info Regular Expression Denial of Service (ReDoS) (Medium) (CVE-2021-23362)

This is a vulnerability in the hosted-git-info npm module which may be vulnerable to denial of service attacks.

more...
node
node14

more detail
2021-09-21VuXML ID f53dab71-1b15-11ec-9d9d-0022489ad614

Node.js reports:

Use after free on close http2 on stream canceling (High) (CVE-2021-22930)

Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

more...
node
node14

more detail
2021-09-18*VuXML ID 49c35943-0eeb-421c-af4f-78e04582e5fb

Kenny Levinsen reports:

seatd-launch used execlp, which reads the PATH environment variable to search for the requested executable, to execute seatd. This meant that the caller could freely control what executable was loaded by adding a user-writable directory to PATH.

If seatd-launch had the SUID bit set, this could be used by a malicious user with the ability to execute seatd-launch to mount a privilege escalation attack to the owner of seatd-launch, which is likely root.

more...
seatd

more detail
2021-09-14VuXML ID 47b571f2-157b-11ec-ae98-704d7b472482

Chrome Releases reports:

This release includes 11 security fixes, including:

  • [1237533] High CVE-2021-30625: Use after free in Selection API. Reported by Marcin Towalski of Cisco Talos on 2021-08-06
  • [1241036] High CVE-2021-30626: Out of bounds memory access in ANGLE. Reported by Jeonghoon Shin of Theori on 2021-08-18
  • [1245786] High CVE-2021-30627: Type Confusion in Blink layout. Reported by Aki Helin of OUSPG on 2021-09-01
  • [1241123] High CVE-2021-30628: Stack buffer overflow in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2021-08-18
  • [1243646] High CVE-2021-30629: Use after free in Permissions. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-08-26
  • [1244568] High CVE-2021-30630: Inappropriate implementation in Blink. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-30
  • [1246932] High CVE-2021-30631: Type Confusion in Blink layout. Reported by Atte Kettunen of OUSPG on 2021-09-06
  • [1247763] High CVE-2021-30632: Out of bounds write in V8. Reported by Anonymous on 2021-09-08
  • [1247766] High CVE-2021-30633: Use after free in Indexed DB API. Reported by Anonymous on 2021-09-08

Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild.

more...
chromium

more detail
2021-09-13VuXML ID 93eb0e48-14ba-11ec-875e-901b0e9408dc

Matrix developers report:

Today we are disclosing a critical security issue affecting multiple Matrix clients and libraries including Element (Web/Desktop/Android), FluffyChat, Nheko, Cinny, and SchildiChat.

Specifically, in certain circumstances it may be possible to trick vulnerable clients into disclosing encryption keys for messages previously sent by that client to user accounts later compromised by an attacker.

Exploiting this vulnerability to read encrypted messages requires gaining control over the recipient’s account. This requires either compromising their credentials directly or compromising their homeserver.

more...
cinny
element-web
nheko

more detail
2021-09-11VuXML ID 376df2f1-1295-11ec-859e-000c292ee6b8

Hashicorp reports:

HashiCorp Consul Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation.

more...
consul

more detail
2021-09-10VuXML ID 4ea1082a-1259-11ec-b4fa-dd5a552bdd17

The Go project reports:

An oversight in the previous fix still allows for an OOM panic when the indicated directory size in the archive header is so large that subtracting it from the archive size overflows a uint64, effectively bypassing the check that the number of files in the archive is reasonable.

more...
go

more detail
2021-09-09VuXML ID 145ce848-1165-11ec-ac7e-08002789875b

Python reports:

bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition.

bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.

bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.

bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.

more...
python38

more detail
2021-09-09VuXML ID f55921aa-10c9-11ec-8647-00e0670f2660

Version 5.9_2 contains security fix for PPPoE servers. Insufficient validation of incoming PPPoE Discovery request specially crafted by unauthenticated user might lead to unexpected termination of the process. The problem affects mpd versions since 5.0. Installations not using PPPoE server configuration were not affected.

more...
mpd5

more detail
2021-09-07VuXML ID 0e561173-0fa9-11ec-a2fa-080027948c12

Python reports:

bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.

bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.

more...
python36
python37

more detail
2021-09-07VuXML ID 15e74795-0fd7-11ec-9f2e-dca632b19f10

libpano13 developers reports:

Fix crash and security issue caused by malformed filename prefix

more...
libpano13

more detail
2021-09-05VuXML ID 65f05b71-0e3c-11ec-b335-d4c9ef517024

The WeeChat project reports:

Crash when decoding a malformed websocket frame in relay plugin.

more...
weechat

more detail
2021-09-03VuXML ID ed8a4215-675c-11ec-8dd4-a0f3c100ae18

GitHub Advisory Database reports:

Uncontrolled Resource Consumption in pillow.

The package pillow from 0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

References:

  • https://nvd.nist.gov/vuln/detail/CVE-2021-23437
  • https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b
  • https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html
  • https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C/
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT/
more...
py38-pillow

more detail
2021-09-02VuXML ID 032643d7-0ba7-11ec-a689-080027e50e6d

Python reports:

bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition.

bpo-41180: Add auditing events to the marshal module, and stop raising code.__init__ events for every unmarshalled code object. Directly instantiated code objects will continue to raise an event, and audit event handlers should inspect or collect the raw marshal data. This reduces a significant performance overhead when loading from .pyc files.

bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.

bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.

more...
python39

more detail
2021-09-02VuXML ID a67e358c-0bf6-11ec-875e-901b0e9408dc

Matrix developers report:

This release patches two moderate severity issues which could reveal metadata about private rooms:

  • CVE-2021-39164: Enumerating a private room's list of members and their display names.
  • CVE-2021-39163: Disclosing a private room's name, avatar, topic, and number of members.
more...
py310-matrix-synapse
py36-matrix-synapse
py37-matrix-synapse
py38-matrix-synapse
py39-matrix-synapse

more detail
2021-09-01VuXML ID 3d915d96-0b1f-11ec-8d9f-080027415d17

Cyrus IMAP 3.4.2 Release Notes states:

Fixed CVE-2021-33582: Certain user inputs are used as hash table keys during processing. A poorly chosen string hashing algorithm meant that the user could control which bucket their data was stored in, allowing a malicious user to direct many inputs to a single bucket. Each subsequent insertion to the same bucket requires a strcmp of every other entry in it. At tens of thousands of entries, each new insertion could keep the CPU busy in a strcmp loop for minutes. The string hashing algorithm has been replaced with a better one, and now also uses a random seed per hash table, so malicious inputs cannot be precomputed.

more...
cyrus-imapd23
cyrus-imapd24
cyrus-imapd25
cyrus-imapd30
cyrus-imapd32
cyrus-imapd34

more detail
2021-09-01VuXML ID a7732806-0b2a-11ec-836b-3065ec8fd3ec

Chrome Releases reports:

This release contains 27 security fixes, including:

  • [1233975] High CVE-2021-30606: Use after free in Blink. Reported by Nan Wang (@eternalsakura13) and koocola (@alo_cook) of 360 Alpha Lab on 2021-07-28
  • [1235949] High CVE-2021-30607: Use after free in Permissions. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-08-03
  • [1219870] High CVE-2021-30608: Use after free in Web Share. Reported by Huyna at Viettel Cyber Security on 2021-06-15
  • [1239595] High CVE-2021-30609: Use after free in Sign-In. Reported by raven (@raid_akame) on 2021-08-13
  • [1200440] High CVE-2021-30610: Use after free in Extensions API. Reported by Igor Bukanov from Vivaldi on 2021-04-19
  • [1233942] Medium CVE-2021-30611: Use after free in WebRTC. Reported by Nan Wang (@eternalsakura13) and koocola (@alo_cook) of 360 Alpha Lab on 2021-07-28
  • [1234284] Medium CVE-2021-30612: Use after free in WebRTC. Reported by Nan Wang (@eternalsakura13) and koocola (@alo_cook) of 360 Alpha Lab on 2021-07-29
  • [1209622] Medium CVE-2021-30613: Use after free in Base internals. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-16
  • [1207315] Medium CVE-2021-30614: Heap buffer overflow in TabStrip. Reported by Huinian Yang (@vmth6) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-05-10
  • [1208614] Medium CVE-2021-30615: Cross-origin data leak in Navigation. Reported by NDevTK on 2021-05-12
  • [1231432] Medium CVE-2021-30616: Use after free in Media. Reported by Anonymous on 2021-07-21
  • [1226909] Medium CVE-2021-30617: Policy bypass in Blink. Reported by NDevTK on 2021-07-07
  • [1232279] Medium CVE-2021-30618: Inappropriate implementation in DevTools. Reported by @DanAmodio and @mattaustin from Contrast Security on 2021-07-23
  • [1235222] Medium CVE-2021-30619: UI Spoofing in Autofill. Reported by Alesandro Ortiz on 2021-08-02
  • [1063518] Medium CVE-2021-30620: Insufficient policy enforcement in Blink. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-03-20
  • [1204722] Medium CVE-2021-30621: UI Spoofing in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-04-30
  • [1224419] Medium CVE-2021-30622: Use after free in WebApp Installs. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2021-06-28
  • [1223667] Low CVE-2021-30623: Use after free in Bookmarks. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-06-25
  • [1230513] Low CVE-2021-30624: Use after free in Autofill. Reported by Wei Yuan of MoyunSec VLab on 2021-07-19
more...
chromium

more detail
2021-08-31VuXML ID 6c22bb39-0a9a-11ec-a265-001b217b3468

Gitlab reports:

Stored XSS in DataDog Integration

Invited group members continue to have project access even after invited group is deleted

Specially crafted requests to apollo_upload_server middleware leads to denial of service

Privilege escalation of an external user through project token

Missing access control allows non-admin users to add/remove Jira Connect Namespaces

User enumeration on private instances

Member e-mails can be revealed via project import/export feature

Stored XSS in Jira integration

Stored XSS in markdown via the Design reference

more...
gitlab-ce

more detail
2021-08-26VuXML ID 1d6410e8-06c1-11ec-a35d-03ca114d16d6

Problem:

In certain circumstances, fetchmail 6.4.21 and older would not encrypt the session using STARTTLS/STLS, and might not have cleared session state across the TLS negotiation.

more...
fetchmail

more detail
2021-08-25VuXML ID 3e9d2fde-0567-11ec-b69d-4062311215d5

Problem Description:

The ggatec(8) daemon does not validate the size of a response before writing it to a fixed-sized buffer. This allows to overwrite the stack of ggatec(8).

Impact:

A malicious ggated(8) or an attacker in a priviledged network position can overwrite the stack with crafted content and potentially execute arbitrary code.

more...
FreeBSD

more detail
2021-08-25*VuXML ID 96811d4a-04ec-11ec-9b84-d4c9ef517024

The OpenSSL project reports:

SM2 Decryption Buffer Overflow (CVE-2021-3711: High)

Read buffer overruns processing ASN.1 strings (CVE-2021-3712: Moderate)

more...
FreeBSD
openssl
openssl-devel

more detail
2021-08-25*VuXML ID 96a21236-707b-11eb-96d8-d4c9ef517024

The OpenSSL project reports:

Null pointer deref in X509_issuer_and_serial_hash() CVE-2021-23841

(Moderate) The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.

Integer overflow in CipherUpdate CVE-2021-23840

(Low) Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.

more...
FreeBSD
openssl
openssl-devel

more detail
2021-08-25VuXML ID a6d5d4c1-0564-11ec-b69d-4062311215d5

Problem Description:

Certain VirtIO-based device models failed to handle errors when fetching I/O descriptors. Such errors could be triggered by a malicious guest. As a result, the device model code could be tricked into operating on uninitialized I/O vectors, leading to memory corruption.

Impact:

A malicious guest may be able to crash the bhyve process. It may be possible to exploit the memory corruption bugs to achieve arbitrary code execution in the bhyve process.

more...
FreeBSD

more detail
2021-08-25VuXML ID d22b336d-0567-11ec-b69d-4062311215d5

Problem Description:

The passive mode in FTP communication allows an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for *p == '\0' one byte too late because p++ was already performed.

Impact:

The connection buffer size can be controlled by a malicious FTP server because the size is increased until a newline is encountered (or no more characters are read). This also allows to move the buffer into more interesting areas within the address space, potentially parsing relevant numbers for the attacker. Since these bytes become available to the server in form of a new TCP connection to a constructed port number or even part of the IPv6 address this is a potential information leak.

more...
FreeBSD

more detail
2021-08-22VuXML ID d3180f02-031e-11ec-875f-0800273f11ea

The Gitea Team reports for release 1.15.0:

  • Encrypt LDAP bind password in db with SECRET_KEY (#15547)
  • Remove random password in Dockerfiles (#15362)
  • Upgrade to the latest version of golang-jwt and increase minimum go to 1.15 (#16590) (#16606)
  • Correctly create of git-daemon-export-ok files (#16508) (#16514)
  • Don't show private user's repo in explore view (#16550) (#16554)
  • Update node tar dependency to 6.1.6 (#16622) (#16623)
more...
gitea

more detail
2021-08-20VuXML ID 70e71a24-0151-11ec-bf0c-080027eedc6a

The Bouncy Castle team reports:

The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

more...
bouncycastle15

more detail
2021-08-20VuXML ID 733afd81-01cf-11ec-aec9-0800273f11ea

The Gitea Team reports for release 1.14.6:

  • Bump github.com/markbates/goth from v1.67.1 to v1.68.0 (#16538) (#16540)
  • Switch to maintained JWT lib (#16532) (#16535)
  • Upgrade to latest version of golang-jwt (as forked for 1.14) (#16590) (#16607)
more...
gitea

more detail
2021-08-20VuXML ID 89d5bca6-0150-11ec-bf0c-080027eedc6a

The Bouncy Castle team reports::

Bouncy Castle BC Java before 1.66 has a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

more...
bouncycastle
bouncycastle15

more detail
2021-08-17VuXML ID 128deba6-ff56-11eb-8514-3065ec8fd3ec

Chrome Releases reports:

This release contains 9 security fixes, including:

  • [1234764] High CVE-2021-30598: Type Confusion in V8. Reported by Manfred Paul on 2021-07-30
  • [1234770] High CVE-2021-30599: Type Confusion in V8. Reported by Manfred Paul on 2021-07-30
  • [1231134] High CVE-2021-30600: Use after free in Printing. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-07-20
  • [1234009] High CVE-2021-30601: Use after free in Extensions API. Reported by koocola(@alo_cook) and Nan Wang(@eternalsakura13) of 360 Alpha Lab on 2021-07-28
  • [1230767] High CVE-2021-30602: Use after free in WebRTC. Reported by Marcin Towalski of Cisco Talos on 2021-07-19
  • [1233564] High CVE-2021-30603: Race in WebAudio. Reported by Sergei Glazunov of Google Project Zero on 2021-07-27
  • [1234829] High CVE-2021-30604: Use after free in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2021-07-30
more...
chromium

more detail
2021-08-15*VuXML ID e9200f8e-fd34-11eb-afb1-c85b76ce9b5a

Axel Beckert reports:

[...] I was able to capture the password given on the commandline in traffic of an TLS handshake using tcpdump and analysing it with Wireshark: [...]

more...
ja-lynx
ja-lynx-current
lynx
lynx-current

more detail
2021-08-13VuXML ID f4c54b81-bcc8-11eb-a7a6-080027f515ea

Hao Wang reports:

There's a flaw in the BFD library of binutils in versions before 2.36. An attacker who supplies a crafted file to an application linked with BFD, and using the DWARF functionality, could cause an impact to system availability by way of excessive memory consumption.

more...
binutils

more detail
2021-08-12VuXML ID b471130b-fb86-11eb-87db-6cc21735f730

The PostgreSQL Project reports:

A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting.

more...
postgresql11-server
postgresql12-server
postgresql13-server

more detail
2021-08-09VuXML ID 848bdd06-f93a-11eb-9f7d-206a8a720317

Marco Ivaldi (marco.ivaldi () mediaservice net) reports:

A buffer overflow in the CheckMonitor() function in the Common Desktop Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file.

more...
cde

more detail
2021-08-09VuXML ID e80073d7-f8ba-11eb-b141-589cfc007716

Debian reports:

xtrlock did not block multitouch events so an attacker could still input and thus control various programs such as Chromium, etc. via so-called "multitouch" events including pan scrolling, "pinch and zoom" or even being able to provide regular mouse clicks by depressing the touchpad once and then clicking with a secondary finger.

more...
xtrlock

more detail
2021-08-05VuXML ID 880552c4-f63f-11eb-9d56-7186043316e9

The Go project reports:

A net/http/httputil ReverseProxy can panic due to a race condition if its Handler aborts with ErrAbortHandler, for example due to an error in copying the response body. An attacker might be able to force the conditions leading to the race condition.

more...
go

more detail
2021-08-04VuXML ID 1d651770-f4f5-11eb-ba49-001b217b3468

Gitlab reports:

Stored XSS in Mermaid when viewing Markdown files

Stored XSS in default branch name

Perform Git actions with an impersonation token even if impersonation is disabled

Tag and branch name confusion allows Developer to access protected CI variables

New subscriptions generate OAuth tokens on an incorrect OAuth client application

Ability to list and delete impersonation tokens for your own user

Pipelines page is partially visible for users that have no right to see CI/CD

Improper email validation on an invite URL

Unauthorised user was able to add meta data upon issue creation

Unauthorized user can trigger deployment to a protected environment

Guest in private project can see CI/CD Analytics

Guest users can create issues for Sentry errors and track their status

Private user email disclosure via group invitation

Projects are allowed to add members with email address domain that should be blocked by group settings

Misleading username could lead to impersonation in using SSH Certificates

Unauthorized user is able to access and view project vulnerability reports

Denial of service in repository caused by malformed commit author

more...
gitlab-ce

more detail
2021-08-04*VuXML ID 38a4a043-e937-11eb-9b84-d4c9ef517024

Oracle reports:

This Critical Patch Update contains 41 new security patches for Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 8.8.

MariaDB is affected by CVE-2021-2372 and CVE-2021-2389 only.

more...
mariadb103-server
mariadb104-server
mariadb105-server
mysql57-server
mysql80-server

more detail
2021-08-03VuXML ID 5ef14250-f47c-11eb-8f13-5b4de959822e

A Prosody XMPP server advisory reports:

It was discovered that Prosody allows any entity to access the list of admins, members, owners and banned entities of any federated XMPP group chat of which they know the address.

more...
prosody

more detail
2021-08-03VuXML ID c3c6c4a3-f47d-11eb-b632-3065ec8fd3ec

Chrome Releases reports:

This release contains 10 security fixes, including:

  • [1227777] High CVE-2021-30590: Heap buffer overflow in Bookmarks. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-07-09
  • [1229298] High CVE-2021-30591: Use after free in File System API. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-07-14
  • [1209469] High CVE-2021-30592: Out of bounds write in Tab Groups. Reported by David Erceg on 2021-05-15
  • [1209616] High CVE-2021-30593: Out of bounds read in Tab Strip. Reported by David Erceg on 2021-05-16
  • [1218468] High CVE-2021-30594: Use after free in Page Info UI. Reported by raven (@raid_akame) on 2021-06-10
  • [1214481] Medium CVE-2021-30596: Incorrect security UI in Navigation. Reported by Mohit Raj (shadow2639) on 2021-05-29
  • [1232617] Medium CVE-2021-30597: Use after free in Browser UI. Reported by raven (@raid_akame) on 2021-07-24
more...
chromium

more detail
2021-08-03*VuXML ID cbfd1874-efea-11eb-8fe9-036bd763ff35

Matthias Andree reports:

When a log message exceeds c. 2 kByte in size, for instance, with very long header contents, and depending on verbosity option, fetchmail can crash or misreport each first log message that requires a buffer reallocation.

more...
fetchmail

more detail
2021-08-01VuXML ID 8b571fb2-f311-11eb-b12b-fc4dd43e2b6a

ilja.farber reports:

Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data (eg user names) as well as configuration data provided by an administrator. In limited circumstances it was possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm.

more...
tomcat10
tomcat7
tomcat85
tomcat9

more detail
2021-08-01VuXML ID cc7c85d9-f30a-11eb-b12b-fc4dd43e2b6a

rbeaudry reports:

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS.

Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

more...
tomcat10
tomcat85
tomcat9

more detail
2021-08-01VuXML ID d34bef0b-f312-11eb-b12b-fc4dd43e2b6a

Bahruz Jabiyev, Steven Sprecher and Kaan Onarlioglu of NEU seclab reports:

Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; Tomcat honoured the identify encoding; and Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

more...
tomcat10
tomcat85
tomcat9

more detail
2021-07-27VuXML ID c561ce49-eabc-11eb-9c3f-0800270512f4

Huang Zhw reports:

On 32-bit versions, Redis BITFIELD command is vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves constructing specially crafted bit commands which overflow the bit offset.

This problem only affects 32-bit versions of Redis.

more...
redis
redis-devel
redis5

more detail
2021-07-27VuXML ID ce79167f-ee1c-11eb-9785-b42e99a1b9c3

powerdns reports:

PowerDNS Security Advisory 2021-01: Specific query crashes Authoritative Server

more...
powerdns

more detail
2021-07-24VuXML ID cc553d79-e1f0-4b94-89f2-bacad42ee826

Roger Light reports:

If an authenticated client connected with MQTT v5 sent a malformed CONNACK message to the broker a NULL pointer dereference occurred, most likely resulting in a segfault.

(Note: a CVE is referenced in the github commit but it appears to be for a python-bleach vulnerability so it is not included here.)

more...
mosquitto

more detail
2021-07-23VuXML ID 53fbffe6-ebf7-11eb-aef1-0897988a1c07

The Asterisk project reports:

Depending on the timing, it's possible for Asterisk to crash when using a TLS connection if the underlying socket parent/listener gets destroyed during the handshake.

more...
asterisk13
asterisk16
asterisk18

more detail
2021-07-23VuXML ID 92ad12b8-ec09-11eb-aef1-0897988a1c07

pjsip reports:

There are a couple of issues found in the SSL socket:

  • A race condition between callback and destroy, due to the accepted socket having no group lock.
  • SSL socket parent/listener may get destroyed during handshake.
more...
pjsip

more detail
2021-07-23VuXML ID fb3455be-ebf6-11eb-aef1-0897988a1c07

The Asterisk project reports:

If the IAX2 channel driver receives a packet that contains an unsupported media format it can cause a crash to occur in Asterisk.

more...
asterisk13
asterisk16
asterisk18

more detail
2021-07-23VuXML ID ffa364e1-ebf5-11eb-aef1-0897988a1c07

The Asterisk project reports:

When Asterisk receives a re-INVITE without SDP after having sent a BYE request a crash will occur. This occurs due to the Asterisk channel no longer being present while code assumes it is.

more...
asterisk16
asterisk18

more detail
2021-07-21VuXML ID 76487640-ea29-11eb-a686-3065ec8fd3ec

Chrome Releases reports:

This release contains 35 security fixes, including:

  • ][1210985] High CVE-2021-30565: Out of bounds write in Tab Groups. Reported by David Erceg on 2021-05-19
  • [1202661] High CVE-2021-30566: Stack buffer overflow in Printing. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-04-26
  • [1211326] High CVE-2021-30567: Use after free in DevTools. Reported by DDV_UA on 2021-05-20
  • [1219886] High CVE-2021-30568: Heap buffer overflow in WebGL. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-06-15
  • [1218707] High CVE-2021-30569: Use after free in sqlite. Reported by Chris Salls (@salls) of Makai Security on 2021-06-11
  • [1101897] High CVE-2021-30571: Insufficient policy enforcement in DevTools. Reported by David Erceg on 2020-07-03
  • [1214234] High CVE-2021-30572: Use after free in Autofill. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-05-28
  • [1216822] High CVE-2021-30573: Use after free in GPU. Reported by Security For Everyone Team - https://securityforeveryone.com on 2021-06-06
  • [1227315] High CVE-2021-30574: Use after free in protocol handling. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-07-08
  • [1213313] Medium CVE-2021-30575: Out of bounds read in Autofill. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-05-26
  • [1194896] Medium CVE-2021-30576: Use after free in DevTools. Reported by David Erceg on 2021-04-01
  • [1204811] Medium CVE-2021-30577: Insufficient policy enforcement in Installer. Reported by Jan van der Put (REQON B.V) on 2021-05-01
  • [1201074] Medium CVE-2021-30578: Uninitialized Use in Media. Reported by Chaoyuan Peng on 2021-04-21
  • [1207277] Medium CVE-2021-30579: Use after free in UI framework. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-05-10
  • [1189092] Medium CVE-2021-30580: Insufficient policy enforcement in Android intents. Reported by @retsew0x01 on 2021-03-17
  • [1194431] Medium CVE-2021-30581: Use after free in DevTools. Reported by David Erceg on 2021-03-31
  • [1205981] Medium CVE-2021-30582: Inappropriate implementation in Animation. Reported by George Liu on 2021-05-05
  • [1179290] Medium CVE-2021-30583: Insufficient policy enforcement in image handling on Windows. Reported by Muneaki Nishimura (nishimunea) on 2021-02-17
  • [1213350] Medium CVE-2021-30584: Incorrect security UI in Downloads. Reported by @retsew0x01 on 2021-05-26
  • [1023503] Medium CVE-2021-30585: Use after free in sensor handling. Reported by niarci on 2019-11-11
  • [1201032] Medium CVE-2021-30586: Use after free in dialog box handling on Windows. Reported by kkomdal with kkwon and neodal on 2021-04-21
  • [1204347] Medium CVE-2021-30587: Inappropriate implementation in Compositing on Windows. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-04-30
  • [1195650] Low CVE-2021-30588: Type Confusion in V8. Reported by Jose Martinez (tr0y4) from VerSprite Inc. on 2021-04-04
  • [1180510] Low CVE-2021-30589: Insufficient validation of untrusted input in Sharing. Reported by Kirtikumar Anandrao Ramchandani (@Kirtikumar_A_R) and Patrick Walker (@homesen) on 2021-02-20
more...
chromium

more detail
2021-07-21VuXML ID aa646c01-ea0d-11eb-9b84-d4c9ef517024

The cURL project reports:

CURLOPT_SSLCERT mixup with Secure Transport (CVE-2021-22926)

TELNET stack contents disclosure again (CVE-2021-22925)

Bad connection reuse due to flawed path name checks (CVE-2021-92254)

Metalink download sends credentials (CVE-2021-92253)

Wrong content via metalink not discarded (CVE-2021-92252)

more...
curl

more detail
2021-07-18VuXML ID 943d23b6-e65e-11eb-ad30-0800273f11ea

The Gitea Team reports for release 1.14.5:

  • Hide mirror passwords on repo settings page (#16022) (#16355)
  • Update bluemonday to v1.0.15 (#16379) (#16380)
more...
gitea

more detail
2021-07-16VuXML ID 1ba21ff1-e672-11eb-a686-3065ec8fd3ec

Chrome Releases reports:

This release contains 8 security fixes, including:

  • [1219082] High CVE-2021-30559: Out of bounds write in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2021-06-11
  • [1214842] High CVE-2021-30541: Use after free in V8. Reported by Richard Wheeldon on 2021-05-31
  • [1219209] High CVE-2021-30560: Use after free in Blink XSLT. Reported by Nick Wellnhofer on 2021-06-12
  • [1219630] High CVE-2021-30561: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2021-06-14
  • [1220078] High CVE-2021-30562: Use after free in WebSerial. Reported by Anonymous on 2021-06-15
  • [1228407] High CVE-2021-30563: Type Confusion in V8. Reported by Anonymous on 2021-07-12
  • [1221309] Medium CVE-2021-30564: Heap buffer overflow in WebXR. Reported by Ali Merchant, iQ3Connect VR Platform on 2021-06-17

Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild.

more...
chromium

more detail
2021-07-14VuXML ID 7ed5779c-e4c7-11eb-91d7-08002728f74c

Ruby news:

This release includes security fixes. Please check the topics below for details.

CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP

CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP

CVE-2021-31799: A command injection vulnerability in RDoc

more...
ruby
ruby26
ruby30

more detail
2021-07-12VuXML ID c365536d-e3cf-11eb-9d8d-b37b683944c2

The Go project reports:

crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.

more...
go

more detail
2021-07-09VuXML ID 9b1699ff-d84c-11eb-92d6-1b6ff3dfe4d3

Mantis 2.25.1 and 2.25.2 releases report:

Security and maintenance release, PHPMailer update to 6.5.0

  • 0028552: XSS in manage_custom_field_edit_page.php (CVE-2021-33557)
  • 0028821: Update PHPMailer to 6.5.0 (CVE-2021-3603, CVE-2020-36326)
more...
mantis-php73
mantis-php74
mantis-php80

more detail
2021-07-08VuXML ID 01974420-dfaf-11eb-ba49-001b217b3468

Gitlab reports:

Arbitrary file read via design feature

more...
gitlab-ce

more detail
2021-07-02VuXML ID 8ba8278d-db06-11eb-ba49-001b217b3468

Gitlab reports:

DoS using Webhook connections

CSRF on GraphQL API allows executing mutations through GET requests

Private projects information disclosure

Denial of service of user profile page

Single sign-on users not getting blocked

Some users can push to Protected Branch with Deploy keys

A deactivated user can access data through GraphQL

Reflected XSS in release edit page

Clipboard DOM-based XSS

Stored XSS on Audit Log

Forks of public projects by project members could leak codebase

Improper text rendering

HTML Injection in full name field

more...
gitlab-ce

more detail
2021-07-02VuXML ID f2596f27-db4c-11eb-8bc6-c556d71493c9

Cary Phillips reports:

  • 1038 fix/extend part number validation in MultiPart methods
  • 1037 verify data size in deepscanlines with NO_COMPRESSION
  • 1036 detect buffer overflows in RleUncompress
more...
openexr

more detail
2021-07-01VuXML ID 9d271bab-da22-11eb-86f0-94c691a700a6

Jenkins Security Advisory:

Description

(Medium) SECURITY-2278 / CVE-2021-21670

Improper permission checks allow canceling queue items and aborting builds

(High) SECURITY-2371 / CVE-2021-21671

Session fixation vulnerability

more...
jenkins
jenkins-lts

more detail
2021-06-30VuXML ID d49f86ab-d9c7-11eb-a200-00155d01f201

Exiv2 teams reports:

Multiple vulnerabilities covering buffer overflows, out-of-bounds, read of uninitialized memory and denial of serivce. The heap overflow is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. The read of uninitialized memory is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to leak a few bytes of stack memory, if they can trick the victim into running Exiv2 on a crafted image file.

more...
exiv2

more detail
2021-06-28VuXML ID 7003b62d-7252-46ff-a9df-1b1900f1e65b

Jonathon Knudsen of Synopsys Cybersecurity Research Center reports:

All versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in AMQP 1.0 client connection endpoint. A malicious client can exploit the vulnerability by sending malicious AMQP messages to the target RabbitMQ instance having the AMQP 1.0 plugin enabled.

more...
rabbitmq

more detail
2021-06-25VuXML ID 41bc849f-d5ef-11eb-ae37-589cfc007716

Puppet reports:

Fixed an issue where someone with the ability to query PuppetDB could arbitrarily write, update, or delete data CVE-2021-27021 PDB-5138.

more...
puppetdb6
puppetdb7

more detail
2021-06-25*VuXML ID 4c9159ea-d4c9-11eb-aeee-8c164582fbac

Ansible developers report:

Templating engine fix for not preserving usnafe status when trying to preserve newlines.

more...
py36-ansible
py36-ansible-base
py36-ansible-core
py36-ansible2
py37-ansible
py37-ansible-base
py37-ansible-core
py37-ansible2
py38-ansible
py38-ansible-base
py38-ansible-core
py38-ansible2
py39-ansible
py39-ansible-base
py39-ansible-core
py39-ansible2

more detail
2021-06-25VuXML ID 7c555ce3-658d-4589-83dd-4b6a31c5d610

alanxz reports:

When parsing a frame header, validate that the frame_size is less than or equal to INT32_MAX. Given frame_max is limited between 0 and INT32_MAX in amqp_login and friends, this does not change the API. This prevents a potential buffer overflow when a malicious client sends a frame_size that is close to UINT32_MAX, in which causes an overflow when computing state->target_size resulting in a small value there. A buffer is then allocated with the small amount, then memcopy copies the frame_size writing to memory beyond the end of the buffer.

more...
rabbitmq-c
rabbitmq-c-devel

more detail
2021-06-24*VuXML ID e4cd0b38-c9f9-11eb-87e1-08002750c711

Cati team reports:

Due to a lack of validation, data_debug.php can be the source of a SQL injection.

more...
cacti

more detail
2021-06-23*VuXML ID 3000acee-c45d-11eb-904f-14dae9d5a9d2

Sviatoslav Sydorenko reports:

Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.

It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.

more...
py36-aiohttp
py37-aiohttp
py38-aiohttp
py39-aiohttp

more detail
2021-06-22VuXML ID d18f431d-d360-11eb-a32c-00a0989e4ec1

Dovecot team reports:

CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens in some configurations. This requires attacker to be able to write files to local disk.

CVE-2021-33515: On-path attacker could inject plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected.

more...
dovecot

more detail
2021-06-22VuXML ID f3fc2b50-d36a-11eb-a32c-00a0989e4ec1

Dovecot team reports reports:

Sieve interpreter is not protected against abusive scripts that claim excessive resource usage. Fixed by limiting the user CPU time per single script execution and cumulatively over several script runs within a configurable timeout period. Sufficiently large CPU time usage is summed in the Sieve script binary and execution is blocked when the sum exceeds the limit within that time. The block is lifted when the script is updated after the resource usage times out.

more...
dovecot-pigeonhole

more detail
2021-06-19VuXML ID 0e561c06-d13a-11eb-92be-0800273f11ea

The Gitea Team reports for release 1.14.3:

  • Encrypt migration credentials at rest (#15895) (#16187)
  • Only check access tokens if they are likely to be tokens (#16164) (#16171)
  • Add missing SameSite settings for the i_like_gitea cookie (#16037) (#16039)
  • Fix setting of SameSite on cookies (#15989) (#15991)
more...
gitea

more detail
2021-06-18VuXML ID afdc7579-d023-11eb-bcad-3065ec8fd3ec

Chrome Releases reports:

This release includes 4 security fixes, including:

  • [1219857] High CVE-2021-30554: Use after free in WebGL. Reported by anonymous on 2021-06-15
  • [1215029] High CVE-2021-30555: Use after free in Sharing. Reported by David Erceg on 2021-06-01
  • [1212599] High CVE-2021-30556: Use after free in WebAudio. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-24
  • [1202102] High CVE-2021-30557: Use after free in TabGroups. Reported by David Erceg on 2021-04-23
more...
chromium

more detail
2021-06-11VuXML ID c9e2a1a7-caa1-11eb-904f-14dae9d5a9d2

NVD reports:

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

more...
rubygem-dragonfly

more detail
2021-06-10VuXML ID 20b3ab21-c9df-11eb-8558-3065ec8fd3ec

Chrome Releases reports:

This release contains 14 security fixes, including:

  • [1212618] Critical CVE-2021-30544: Use after free in BFCache. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-05-24
  • [1201031] High CVE-2021-30545: Use after free in Extensions. Reported by kkwon with everpall and kkomdal on 2021-04-21
  • [1206911] High CVE-2021-30546: Use after free in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-05-08
  • [1210414] High CVE-2021-30547: Out of bounds write in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2021-05-18
  • [1210487] High CVE-2021-30548: Use after free in Loader. Reported by Yangkang(@dnpushme) & Wanglu of Qihoo360 Qex Team on 2021-05-18
  • [1212498] High CVE-2021-30549: Use after free in Spell check. Reported by David Erceg on 2021-05-23
  • [1212500] High CVE-2021-30550: Use after free in Accessibility. Reported by David Erceg on 2021-05-23
  • [1216437] High CVE-2021-30551: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2021-06-04
  • [1200679] Medium CVE-2021-30552: Use after free in Extensions. Reported by David Erceg on 2021-04-20
  • [1209769] Medium CVE-2021-30553: Use after free in Network service. Reported by Anonymous on 2021-05-17

Google is aware that an exploit for CVE-2021-30551 exists in the wild.

more...
chromium

more detail
2021-06-10VuXML ID cce76eca-ca16-11eb-9b84-d4c9ef517024

The Apache httpd reports:

  • moderate: mod_proxy_wstunnel tunneling of non Upgraded connections (CVE-2019-17567)
  • moderate: Improper Handling of Insufficient Privileges (CVE-2020-13938)
  • low: mod_proxy_http NULL pointer dereference (CVE-2020-13950)
  • low: mod_auth_digest possible stack overflow by one nul byte (CVE-2020-35452)
  • low: mod_session NULL pointer dereference (CVE-2021-26690)
  • low: mod_session response handling heap overflow (CVE-2021-26691)
  • moderate: Unexpected URL matching with 'MergeSlashes OFF' (CVE-2021-30641)
  • important: NULL pointer dereference on specially crafted HTTP/2 request (CVE-2021-31618)
more...
apache24

more detail
2021-06-08VuXML ID fc1bcbca-c88b-11eb-9120-f02f74d0e4bd

Dino team reports:

It was discovered that when a user receives and downloads a file in Dino, URI-encoded path separators in the file name will be decoded, allowing an attacker to traverse directories and create arbitrary files in the context of the user.

more...
dino

more detail
2021-06-06VuXML ID 45b8716b-c707-11eb-b9a0-6805ca0b3d42

2ndQuadrant reports:

  • Fix pg_dump/pg_restore execution (CVE-2021-3515)



    Correctly escape the connection string for both pg_dump and pg_restore so that exotic database and user names are handled correctly.



    Reported by Pedro Gallegos
more...
pglogical

more detail
2021-06-06VuXML ID f70ab05e-be06-11eb-b983-000c294bb613

Drupal Security team reports:

Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.

more...
drupal7

more detail
2021-06-04VuXML ID 36a35d83-c560-11eb-84ab-e0d55e2a8bf9

Cedric Buissart reports:

The function polkit_system_bus_name_get_creds_sync is used to get the uid and pid of the process requesting the action. It does this by sending the unique bus name of the requesting process, which is typically something like ":1.96", to dbus-daemon. These unique names are assigned and managed by dbus-daemon and cannot be forged, so this is a good way to check the privileges of the requesting process.

The vulnerability happens when the requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts. In this scenario, the unique bus name is no longer valid, so dbus-daemon sends back an error reply. This error case is handled in polkit_system_bus_name_get_creds_sync by setting the value of the error parameter, but it still returns TRUE, rather than FALSE. This behavior means that all callers of polkit_system_bus_name_get_creds_sync need to carefully check whether an error was set. If the calling function forgets to check for errors then it will think that the uid of the requesting process is 0 (because the AsyncGetBusNameCredsData struct is zero initialized). In other words, it will think that the action was requested by a root process, and will therefore allow it.

more...
polkit

more detail
2021-06-04VuXML ID c7855866-c511-11eb-ae1d-b42e991fc52e

The :class:`~urllib.request.AbstractBasicAuthHandler` class of the :mod:`urllib.request` module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service

more...
tauthon

more detail
2021-06-03VuXML ID 079b3641-c4bd-11eb-a22a-693f0544ae52

The Go project reports:

The SetString and UnmarshalText methods of math/big.Rat may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents.

ReverseProxy in net/http/httputil could be made to forward certain hop-by-hop headers, including Connection. In case the target of the ReverseProxy was itself a reverse proxy, this would let an attacker drop arbitrary headers, including those set by the ReverseProxy.Director.

The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net, and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.

The NewReader and OpenReader functions in archive/zip can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size.

more...
go

more detail
2021-06-02VuXML ID 69815a1d-c31d-11eb-9633-b42e99a1b9c3

sogo.nu reports:

SOGo was not validating the signatures of any SAML assertions it received.

This means any actor with network access to the deployment could impersonate

users when SAML was the authentication method.

more...
sogo
sogo-activesync
sogo2
sogo2-activesync

more detail
2021-06-02VuXML ID a550d62c-f78d-4407-97d9-93876b6741b9

Tim Wojtulewicz of Corelight reports:

Fix potential Undefined Behavior in decode_netbios_name() and decode_netbios_name_type() BIFs. The latter has a possibility of a remote heap-buffer-overread, making this a potential DoS vulnerability.

Add some extra length checking when parsing mobile ipv6 packets. Due to the possibility of reading invalid headers from remote sources, this is a potential DoS vulnerability.

more...
zeek

more detail
2021-06-02VuXML ID c7ec6375-c3cf-11eb-904f-14dae9d5a9d2

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

more...
py36-yaml
py37-yaml
py38-yaml
py39-yaml

more detail
2021-06-02VuXML ID e24fb8f8-c39a-11eb-9370-b42e99a1b9c3

Michael McNally reports:

Program code used by the ISC DHCP package to read and parse stored leases

has a defect that can be exploited by an attacker to cause one of several undesirable outcomes

more...
isc-dhcp44-client
isc-dhcp44-relay
isc-dhcp44-server

more detail
2021-06-01VuXML ID 417de1e6-c31b-11eb-9633-b42e99a1b9c3

entrouvert reports:

When AuthnResponse messages are not signed (which is permitted by the specifiation), all assertion's signatures should be checked, but currently after the first signed assertion is checked all following assertions are accepted without checking their signature, and the last one is considered the main assertion.

more...
lasso

more detail
2021-06-01VuXML ID 59ab72fb-bccf-11eb-a38d-6805ca1caf5c

Prometheus reports:

Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.

more...
prometheus2

more detail
2021-06-01VuXML ID 5f52d646-c31f-11eb-8dcf-001b217b3468

Gitlab reports:

Stealing GitLab OAuth access tokens using XSLeaks in Safari

Denial of service through recursive triggered pipelines

Unauthenticated CI lint API may lead to information disclosure and SSRF

Server-side DoS through rendering crafted Markdown documents

Issue and merge request length limit is not being enforced

Insufficient Expired Password Validation

XSS in blob viewer of notebooks

Logging of Sensitive Information

On-call rotation information exposed when removing a member

Spoofing commit author for signed commits

Enable qsh verification for Atlassian Connect

more...
gitlab-ce

more detail
2021-06-01VuXML ID 8eb69cd0-c2ec-11eb-b6e7-8c164567ca3c

Redis development team reports:

An integer overflow bug in Redis version 6.0 or newer can be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution. This is a result of an incomplete fix by CVE-2021-29477.

more...
redis
redis-devel

more detail
2021-05-31VuXML ID fd24a530-c202-11eb-b217-b42e99639323

Tobias Stoeckmann reports:

The libXcursor fix for CVE-2013-2003 has never been imported into wayland, leaving it vulnerable to it.

more...
wayland

more detail
2021-05-27VuXML ID 107c7a76-beaa-11eb-b87a-901b0ef719ab

Problem Description:

libradius did not perform sufficient validation of received messages.

rad_get_attr(3) did not verify that the attribute length is valid before subtracting the length of the Type and Length fields. As a result, it could return success while also providing a bogus length of SIZE_T_MAX - 2 for the Value field.

When processing attributes to find an optional authenticator, is_valid_response() failed to verify that each attribute length is non-zero and could thus enter an infinite loop.

Impact:

A server may use libradius(3) to process messages from RADIUS clients. In this case, a malicious client could trigger a denial-of-service in the server. A client using libradius(3) to process messages from a server is susceptible to the same problem.

The impact of the rad_get_attr(3) bug depends on how the returned length is validated and used by the consumer. It is possible that libradius(3) applications will crash or enter an infinite loop when calling rad_get_attr(3) on untrusted RADIUS messages.

more...
FreeBSD

more detail
2021-05-27VuXML ID d1ac6a6a-bea8-11eb-b87a-901b0ef719ab

Problem Description:

The FreeBSD kernel enables SMAP during boot when the CPU reports that the SMAP capability is present. Subroutines such as copyin() and copyout() are responsible for disabling SMAP around the sections of code that perform user memory accesses.

Such subroutines must handle page faults triggered when user memory is not mapped. The kernel's page fault handler checks the validity of the fault, and if it is indeed valid it will map a page and resume copying. If the fault is invalid, the fault handler returns control to a trampoline which aborts the operation and causes an error to be returned. In this second scenario, a bug in the implementation of SMAP support meant that SMAP would remain disabled until the thread returns to user mode.

Impact:

This bug may be used to bypass the protections provided by SMAP for the duration of a system call. It could thus be combined with other kernel bugs to craft an exploit.

more...
FreeBSD-kernel

more detail
2021-05-26VuXML ID 674ed047-be0a-11eb-b927-3065ec8fd3ec

Chrome Releases reports:

This release contains 32 security fixes, including:

  • [1208721] High CVE-2021-30521: Heap buffer overflow in Autofill. Reported by ZhanJia Song on 2021-05-13
  • [1176218] High CVE-2021-30522: Use after free in WebAudio. Reported by Piotr Bania of Cisco Talos on 2021-02-09
  • [1187797] High CVE-2021-30523: Use after free in WebRTC. Reported by Tolyan Korniltsev on 2021-03-13
  • [1197146] High CVE-2021-30524: Use after free in TabStrip. Reported by David Erceg on 2021-04-08
  • [1197888] High CVE-2021-30525: Use after free in TabGroups. Reported by David Erceg on 2021-04-11
  • [1198717] High CVE-2021-30526: Out of bounds write in TabStrip. Reported by David Erceg on 2021-04-13
  • [1199198] High CVE-2021-30527: Use after free in WebUI. Reported by David Erceg on 2021-04-15
  • [1206329] High CVE-2021-30528: Use after free in WebAuthentication. Reported by Man Yue Mo of GitHub Security Lab on 2021-05-06
  • [1195278] Medium CVE-2021-30529: Use after free in Bookmarks. Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13) of 360 Alpha Lab on 2021-04-02
  • [1201033] Medium CVE-2021-30530: Out of bounds memory access in WebAudio. Reported by kkwon on 2021-04-21
  • [1115628] Medium CVE-2021-30531: Insufficient policy enforcement in Content Security Policy. Reported by Philip Papurt on 2020-08-12
  • [1117687] Medium CVE-2021-30532: Insufficient policy enforcement in Content Security Policy. Reported by Philip Papurt on 2020-08-18
  • [1145553] Medium CVE-2021-30533: Insufficient policy enforcement in PopupBlocker. Reported by Eliya Stein on 2020-11-04
  • [1151507] Medium CVE-2021-30534: Insufficient policy enforcement in iFrameSandbox. Reported by Alesandro Ortiz on 2020-11-20
  • [1194899] Medium CVE-2021-30535: Double free in ICU. Reported by nocma, leogan, cheneyxu of WeChat Open Platform Security Team on 2021-04-01
  • [1145024] Medium CVE-2021-21212: Insufficient data validation in networking. Reported by Hugo Hue and Sze Yiu Chau of the Chinese University of Hong Kong on 2020-11-03
  • [1194358] Low CVE-2021-30536: Out of bounds read in V8. Reported by Chris Salls (@salls) on 2021-03-31
  • [830101] Low CVE-2021-30537: Insufficient policy enforcement in cookies. Reported by Jun Kokatsu (@shhnjk) on 2018-04-06
  • [1115045] Low CVE-2021-30538: Insufficient policy enforcement in content security policy. Reported by Tianze Ding (@D1iv3) of Tencent Security Xuanwu Lab on 2020-08-11
  • [971231] Low CVE-2021-30539: Insufficient policy enforcement in content security policy. Reported by unnamed researcher on 2019-06-05
  • [1184147] Low CVE-2021-30540: Incorrect security UI in payments. Reported by @retsew0x01 on 2021-03-03
more...
chromium

more detail
2021-05-25VuXML ID 0882f019-bd60-11eb-9bdd-8c164567ca3c

NGINX team reports:

1-byte memory overwrite might occur during DNS server response processing if the "resolver" directive was used, allowing an attacker who is able to forge UDP packets from the DNS server to cause worker process crash or, potentially, arbitrary code execution.

more...
nginx
nginx-devel

more detail
2021-05-25VuXML ID 21ec4428-bdaa-11eb-a04e-641c67a117d8

Google's oss-fuzz project reports:

Denial-of-Service on CURVE/ZAP-protected servers by unauthenticated clients. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them.

more...
libzmq4

more detail
2021-05-25VuXML ID 6954a2b0-bda8-11eb-a04e-641c67a117d8

Fang-Pen Lin reports:

A remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.

more...
libzmq4

more detail
2021-05-24VuXML ID 58b22f3a-bc71-11eb-b9c9-6cc21735f730

PG Partition Manager reports:

In the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set.

more...
pg_partman

more detail
2021-05-24VuXML ID 5fa90ee6-bc9e-11eb-a287-e0d55e2a8bf9

Kurt Seifried reports:

So here are the CVE's for the two big ones, libxml2 and expat. Both are affected by the expansion of internal entities (which can be used to consume resources) and external entities (which can cause a denial of service against other services, be used to port scan, etc.).

A billion laughs attack is a type of denial-of-service attack which is aimed at parsers of XML documents.

more...
expat

more detail
2021-05-23VuXML ID 524bd03a-bb75-11eb-bf35-080027f515ea

Daniel Veillard reports:

A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.

more...
libxml2

more detail
2021-05-14VuXML ID 62da9702-b4cc-11eb-b9c9-6cc21735f730

The PostgreSQL project reports:

Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE

Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will. A user lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas cannot use this attack at will..

Buffer overrun from integer overflow in array subscripting calculations

While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory.

more...
postgresql10-server
postgresql11-server
postgresql12-server
postgresql13-server
postgresql96-server

more detail
2021-05-14VuXML ID 76e0bb86-b4cb-11eb-b9c9-6cc21735f730

The PostgreSQL project reports:

Using an UPDATE ... RETURNING on a purpose-crafted partitioned table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will. A user lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas typically cannot use this attack at will.

more...
postgresql11-server
postgresql12-server
postgresql13-server

more detail
2021-05-13VuXML ID 3e0ca488-b3f6-11eb-a5f7-a0f3c100ae18

CVE reports:

Several vulnerabilities have been discovered in ImageMagick:

  • CVE-2021-20309: A flaw was found in ImageMagick in versions before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick.
  • CVE-2021-20176: A divide-by-zero flaw was found in ImageMagick 6.9.11-57 in gem.c. This flaw allows an attacker who submits a crafted file that is processed by ImageMagick to trigger undefined behavior through a division by zero.
  • CVE-2020-29599: ImageMagick before 6.9.11-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files.
  • And maybe some others…
more...
ImageMagick6
ImageMagick6-nox11

more detail
2021-05-13VuXML ID a7c60af1-b3f1-11eb-a5f7-a0f3c100ae18

CVE reports:

Several vulnerabilities have been discovered in ImageMagick:

  • CVE-2021-20313: A flaw was found in ImageMagick in versions before 7.0.11. A potential cipher leak when the calculate signatures in TransformSignature is possible.
  • CVE-2021-20312: A flaw was found in ImageMagick in versions 7.0.11, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick.
  • CVE-2021-20311: A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker processed by an application using ImageMagick.
  • CVE-2021-20310: A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick.
  • CVE-2021-20309: A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick.
  • And several others…
more...
ImageMagick7
ImageMagick7-nox11

more detail
2021-05-13VuXML ID fc75570a-b417-11eb-a23d-c7ab331fd711

The Prosody security advisory 2021-05-12 reports:

This advisory details 5 new security vulnerabilities discovered in the Prosody.im XMPP server software. All issues are fixed in the 0.11.9 release default configuration.

  • CVE-2021-32918: DoS via insufficient memory consumption controls
  • CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU consumption
  • CVE-2021-32921: Use of timing-dependent string comparison with sensitive values
  • CVE-2021-32917: Use of mod_proxy65 is unrestricted in default configuration
  • CVE-2021-32919: Undocumented dialback-without-dialback option insecure
more...
prosody

more detail
2021-05-12VuXML ID f947aa26-b2f9-11eb-a5f7-a0f3c100ae18

python-pillow reports:

This release fixes several vulnerabilities found with `OSS-Fuzz`.

  • `CVE-2021-25288`: Fix OOB read in Jpeg2KDecode. This dates to Pillow 2.4.0.
  • `CVE-2021-28675`: Fix DOS in PsdImagePlugin. This dates to the PIL fork.
  • `CVE-2021-28676`: Fix FLI DOS. This dates to the PIL fork.
  • `CVE-2021-28677`: Fix EPS DOS on _open. This dates to the PIL fork.
  • `CVE-2021-28678`: Fix BLP DOS. This dates to Pillow 5.1.0.
  • Fix memory DOS in ImageFont. This dates to the PIL fork.
more...
py38-pillow

more detail
2021-05-11VuXML ID 278561d7-b261-11eb-b788-901b0e934d69

Matrix developers report:

"Push rules" can specify conditions under which they will match, including event_match, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events.

more...
py36-matrix-synapse
py37-matrix-synapse
py38-matrix-synapse
py39-matrix-synapse

more detail
2021-05-11VuXML ID 3cac007f-b27e-11eb-97a0-e09467587c17

Chrome Releases reports:

This release contains 19 security fixes, including:

  • [1180126] High CVE-2021-30506: Incorrect security UI in Web App Installs. Reported by @retsew0x01 on 2021-02-19
  • [1178202] High CVE-2021-30507: Inappropriate implementation in Offline. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-02-14
  • [1195340] High CVE-2021-30508: Heap buffer overflow in Media Feeds. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-04-02
  • [1196309] High CVE-2021-30509: Out of bounds write in Tab Strip. Reported by David Erceg on 2021-04-06
  • [1197436] High CVE-2021-30510: Race in Aura. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-04-09
  • [1197875] High CVE-2021-30511: Out of bounds read in Tab Groups. Reported by David Erceg on 2021-04-10
  • [1200019] High CVE-2021-30512: Use after free in Notifications. Reported by ZhanJia Song on 2021-04-17
  • [1200490] High CVE-2021-30513: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2021-04-19
  • [1200766] High CVE-2021-30514: Use after free in Autofill. Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13) of 360 Alpha Lab on 2021-04-20
  • [1201073] High CVE-2021-30515: Use after free in File API. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-04-21
  • [1201446] High CVE-2021-30516: Heap buffer overflow in History. Reported by ZhanJia Song on 2021-04-22
  • [1203122] High CVE-2021-30517: Type Confusion in V8. Reported by laural on 2021-04-27
  • [1203590] High CVE-2021-30518: Heap buffer overflow in Reader Mode. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2021-04-28
  • [1194058] Medium CVE-2021-30519: Use after free in Payments. Reported by asnine on 2021-03-30
  • [1193362] Medium CVE-2021-30520: Use after free in Tab Strip. Reported by Khalil Zhani on 2021-04-03
more...
chromium

more detail
2021-05-10VuXML ID 12156786-b18a-11eb-8cba-080027b00c2e

Cyrus IMAP 3.4.1 Release Notes states:

Fixed CVE-2021-32056: Remote authenticated users could bypass intended access restrictions on certain server annotations. Additionally, a long-standing bug in replication did not allow server annotations to be replicated. Combining these two bugs, a remote authenticated user could stall replication, requiring administrator intervention.

more...
cyrus-imapd32
cyrus-imapd34

more detail
2021-05-10VuXML ID b1aa54ae-74cb-42a0-b462-cbb6831c5c50

Pivotal.io reports:

All versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in AMQP 1.0 client connection endpoint.

more...
rabbitmq

more detail
2021-05-08VuXML ID 49346de2-b015-11eb-9bdf-f8b156b6dcc8

Oss-Fuzz reports:

There is a possible out of bounds read due to a heap buffer overflow in FLAC__bitreader_read_rice_signed_block of bitreader.c.

more...
flac

more detail
2021-05-07VuXML ID f7a00ad7-ae75-11eb-8113-08002728f74c

Ruby on Rails blog:

Rails versions 6.1.3.2, 6.0.3.7, and 5.2.6 have been released! These releases contain important security fixes. Here is a list of the issues fixed:

CVE-2021-22885: Possible Information Disclosure / Unintended Method Execution in Action Pack

CVE-2021-22902: Possible Denial of Service vulnerability in Action Dispatch

CVE-2021-22903: Possible Open Redirect Vulnerability in Action Pack

CVE-2021-22904: Possible DoS Vulnerability in Action Controller Token Authentication

more...
rubygem-actionpack52
rubygem-actionpack60
rubygem-actionpack61

more detail
2021-05-06VuXML ID 7f242313-aea5-11eb-8151-67f74cf7c704

The Go project reports:

http.ReadRequest can stack overflow due to recursion when given a request with a very large header (~8-10MB depending on the architecture). A http.Server which overrides the default max header of 1MB by setting Server.MaxHeaderBytes to a much larger value could also be vulnerable in the same way.

more...
go

more detail
2021-05-05VuXML ID 1766359c-ad6e-11eb-b2a4-080027e50e6d

Django Release reports:

CVE-2021-31542:Potential directory-traversal via uploaded files.

MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names.

more...
py36-django22
py36-django31
py36-django32
py37-django22
py37-django31
py37-django32
py38-django22
py38-django31
py38-django32
py39-django22
py39-django31
py39-django32

more detail
2021-05-05VuXML ID 50ec3a01-ad77-11eb-8528-8c164582fbac

NVD reports:

An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems..

more...
py36-ansible
py36-ansible27
py36-ansible28
py37-ansible
py37-ansible27
py37-ansible28
py38-ansible
py38-ansible27
py38-ansible28
py39-ansible
py39-ansible27
py39-ansible28

more detail
2021-05-05VuXML ID bffa40db-ad50-11eb-86b8-080027846a02

Python reports:

bpo-43434: Creating a sqlite3.Connection object now also produces a sqlite3.connect auditing event. Previously this event was only produced by sqlite3.connect() calls. Patch by Erlend E. Aasland.

bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks.Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes A SCII newlines and tabs from URLs, preventing such attacks.

bpo-43472: Ensures interpreter-level audit hooks receive the cpython. PyInterpreterState_New event when called through the _xxsubinterpreters module.

bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notatation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.

bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access.

more...
python38
python39

more detail
2021-05-04*VuXML ID 56ba4513-a1be-11eb-9072-d4c9ef517024

Oracle reports:

This Critical Patch Update contains 49 new security patches for Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.8.

MariaDB is affected by CVE-2021-2166 and CVE-2021-2154 only

more...
mariadb103-server
mariadb104-server
mariadb105-server
mysql56-server
mysql57-server
mysql80-server

more detail
2021-05-03VuXML ID 1606b03b-ac57-11eb-9bdd-8c164567ca3c

Redis project reports:

Vulnerability in the STRALGO LCS command
An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution.
Vulnerability in the COPY command for large intsets
An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration value, creating a large set key that consists of integer values and using the COPY command to duplicate it. The integer overflow bug exists in all versions of Redis starting with 2.6, where it could result with a corrupted RDB or DUMP payload, but not exploited through COPY (which did not exist before 6.2).
more...
redis
redis-devel

more detail
2021-05-02VuXML ID 57027417-ab7f-11eb-9596-080027f515ea

Alexandr Savca reports:

RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run rdoc command.

more...
rubygem-rdoc

more detail
2021-05-01VuXML ID 6f33d38b-aa18-11eb-b3f1-005056a311d1

The Samba Team reports:

  • CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries in the Samba file server process token.
more...
samba412
samba413
samba414

more detail
2021-04-28VuXML ID 518a119c-a864-11eb-8ddb-001b217b3468

Gitlab reports:

Read API scoped tokens can execute mutations

Pull mirror credentials were exposed

Denial of Service when querying repository branches API

Non-owners can set system_note_timestamp when creating / updating issues

DeployToken will impersonate a User with the same ID when using Dependency Proxy

more...
gitlab-ce

more detail
2021-04-28VuXML ID 76a07f31-a860-11eb-8ddb-001b217b3468

Community reports:

Fix Code Injection vulnerability in CarrierWave::RMagick

Fix SSRF vulnerability in the remote file download feature

more...
rubygem-carrierwave

more detail
2021-04-27VuXML ID 31a7ffb1-a80a-11eb-b159-f8b156c2bfe9

Earlier versions of Sympa require a parameter named cookie in sympa.conf configuration file.

This parameter was used to make some identifiers generated by the system unpredictable. For example, it was used as following:

  • To be used as a salt to encrypt passwords stored in the database by the RC4 symmetric key algorithm.

    Note that RC4 is no longer considered secure enough and is not supported in the current version of Sympa.

  • To prevent attackers from sending crafted messages to achieve XSS and so on in message archives.

There were the following problems with the use of this parameter.

  1. This parameter, for its purpose, should be different for each installation, and once set, it cannot be changed. As a result, some sites have been operating without setting this parameter. This completely invalidates the security measures described above.
  2. Even if this parameter is properly set, it may be considered not being strong enough against brute force attacks.
more...
sympa

more detail
2021-04-27VuXML ID 9fba80e0-a771-11eb-97a0-e09467587c17

Chrome Releases reports:

This release contains 9 security fixes, including:

  • [1199345] High CVE-2021-21227: Insufficient data validation in V8. Reported by Gengming Liu of Singular Security Lab on 2021-04-15
  • [1175058] High CVE-2021-21232: Use after free in Dev Tools. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-05
  • [1182937] High CVE-2021-21233: Heap buffer overflow in ANGLE. Reported by Omair on 2021-02-26
  • [1139156] Medium CVE-2021-21228: Insufficient policy enforcement in extensions. Reported by Rob Wu on 2020-10-16
  • [$TBD][1198165] Medium CVE-2021-21229: Incorrect security UI in downloads. Reported by Mohit Raj (shadow2639) on 2021-04-12
  • [1198705] Medium CVE-2021-21230: Type Confusion in V8. Reported by Manfred Paul on 2021-04-13
  • [1198696] Low CVE-2021-21231: Insufficient data validation in V8. Reported by Sergei Glazunov of Google Project Zero on 2021-04-13
more...
chromium

more detail
2021-04-26VuXML ID e4403051-a667-11eb-b9c9-6cc21735f730

Shibboleth project reports:

Session recovery feature contains a null pointer deference.

The cookie-based session recovery feature added in V3.0 contains a flaw that is exploitable on systems *not* using the feature if a specially crafted cookie is supplied.

This manifests as a crash in the shibd daemon/service process.

Because it is very simple to trigger this condition remotely, it results in a potential denial of service condition exploitable by a remote, unauthenticated attacker.

more...
shibboleth-sp

more detail
2021-04-21VuXML ID bc83cfc9-42cf-4b00-97ad-d352ba0c5e2b

Jon Siwek of Corelight reports:

Fix null-pointer dereference when encountering an invalid enum name in a config/input file that tries to read it into a set[enum]. For those that have such an input feed whose contents may come from external/remote sources, this is a potential DoS vulnerability.

more...
zeek

more detail
2021-04-21VuXML ID cb13a765-a277-11eb-97a0-e09467587c17

Chrome Reelases reports:

This release includes 7 security fixes, including:

  • 1194046] High CVE-2021-21222: Heap buffer overflow in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-03-30
  • [1195308] High CVE-2021-21223: Integer overflow in Mojo. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-04-02
  • [1195777] High CVE-2021-21224: Type Confusion in V8. Reported by Jose Martinez (tr0y4) from VerSprite Inc. on 2021-04-05
  • [1195977] High CVE-2021-21225: Out of bounds memory access in V8. Reported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-05
  • [1197904] High CVE-2021-21226: Use after free in navigation. Reported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-11
more...
chromium

more detail
2021-04-21VuXML ID efb965be-a2c0-11eb-8956-1951a8617e30

Gert Döring reports:

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

more...
openvpn
openvpn-mbedtls

more detail
2021-04-20*VuXML ID 76b5068c-8436-11eb-9469-080027f515ea

OpenBSD Project reports:

ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket.

On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions.

The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access.

more...
openssh-portable
openssh-portable-gssapi
openssh-portable-hpn

more detail
2021-04-20VuXML ID e358b470-b37d-4e47-bc8a-2cd9adbeb63c

Jenkins Security Advisory:

Description

(High) JENKINS-65280 / CVE-2021-28165

Denial of service vulnerability in bundled Jetty

more...
jenkins
jenkins-lts

more detail
2021-04-20VuXML ID e87c2647-a188-11eb-8806-1c1b0d9ea7e6

The Apache Openofffice project reports:

The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to be careful opening documents from unknown and unverified sources. The mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed giving the user the option of continuing to open the hyperlink.

more...
apache-openoffice
apache-openoffice-devel

more detail
2021-04-19VuXML ID 20006b5f-a0bc-11eb-8ae6-fc4dd43e2b6a

The Apache Maven project reports:

We received a report from Jonathan Leitschuh about a vulnerability of custom repositories in dependency POMs. We've split this up into three separate issues:

  • Possible Man-In-The-Middle-Attack due to custom repositories using HTTP. More and more repositories use HTTPS nowadays, but this hasn't always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP. This makes downloads via such repository a target for a MITM attack. At the same time, developers are probably not aware that for some downloads an insecure URL is being used. Because uploaded POMs to Maven Central are immutable, a change for Maven was required. To solve this, we extended the mirror configuration with blocked parameter, and we added a new external:http:* mirror selector (like existing external:*), meaning "any external URL using HTTP". The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the conf/settings.xml blocking insecure HTTP external URLs.
  • Possible Domain Hijacking due to custom repositories using abandoned domains Sonatype has analyzed which domains were abandoned and has claimed these domains.
  • Possible hijacking of downloads by redirecting to custom repositories This one was the hardest to analyze and explain. The short story is: you're safe, dependencies are only downloaded from repositories within their context. So there are two main questions: what is the context and what is the order? The order is described on the Repository Order page. The first group of repositories are defined in the settings.xml (both user and global). The second group of repositories are based on inheritence, with ultimately the super POM containing the URL to Maven Central. The third group is the most complex one but is important to understand the term context: repositories from the effective POMs from the dependency path to the artifact. So if a dependency was defined by another dependency or by a Maven project, it will also include their repositories. In the end this is not a bug, but a design feature.
more...
maven

more detail
2021-04-17VuXML ID 093a6baf-9f99-11eb-b150-000c292ee6b8

Hashicorp reports:

Add content-type headers to raw KV responses to prevent XSS attacks (CVE-2020-25864). audit-logging: Parse endpoint URL to prevent requests from bypassing the audit log (CVE-2021-28156).

more...
consul

more detail
2021-04-15VuXML ID 40b481a9-9df7-11eb-9bc3-8c164582fbac

Rust Security Response Working Group reports:

The search feature of mdBook (introduced in version 0.1.4) was affected by a cross site scripting vulnerability that allowed an attacker to execute arbitrary JavaScript code on an user's browser by tricking the user into typing a malicious search query, or tricking the user into clicking a link to the search page with the malicious search query prefilled. mdBook 0.4.5 fixes the vulnerability by properly escaping the search query.

more...
mdbook

more detail
2021-04-15VuXML ID 75aae50b-9e3c-11eb-9bc3-8c164582fbac

NVD reports:

Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in user.c.

more...
accountsservice

more detail
2021-04-15VuXML ID f3d86439-9def-11eb-97a0-e09467587c17

Chrome Releases reports:

This release contains 37 security fixes, including:

  • [1025683] High CVE-2021-21201: Use after free in permissions. Reported by Gengming Liu, Jianyu Chen at Tencent Keen Security Lab on 2019-11-18
  • [1188889] High CVE-2021-21202: Use after free in extensions. Reported by David Erceg on 2021-03-16
  • [1192054] High CVE-2021-21203: Use after free in Blink. Reported by asnine on 2021-03-24
  • [1189926] High CVE-2021-21204: Use after free in Blink. Reported by Chelse Tsai-Simek, Jeanette Ulloa, and Emily Voigtlander of Seesaw on 2021-03-19
  • [1165654] High CVE-2021-21205: Insufficient policy enforcement in navigation. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-01-12
  • [1195333] High CVE-2021-21221: Insufficient validation of untrusted input in Mojo. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-04-02
  • [1185732] Medium CVE-2021-21207: Use after free in IndexedDB. Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13) of 360 Alpha Lab on 2021-03-08
  • [1039539] Medium CVE-2021-21208: Insufficient data validation in QR scanner. Reported by Ahmed Elsobky (@0xsobky) on 2020-01-07
  • [1143526] Medium CVE-2021-21209: Inappropriate implementation in storage. Reported by Tom Van Goethem (@tomvangoethem) on 2020-10-29
  • [1184562] Medium CVE-2021-21210: Inappropriate implementation in Network. Reported by @bananabr on 2021-03-04
  • [1103119] Medium CVE-2021-21211: Inappropriate implementation in Navigation. Reported by Akash Labade (m0ns7er) on 2020-07-08
  • [1145024] Medium CVE-2021-21212: Incorrect security UI in Network Config UI. Reported by Hugo Hue and Sze Yiu Chau of the Chinese University of Hong Kong on 2020-11-03
  • [1161806] Medium CVE-2021-21213: Use after free in WebMIDI. Reported by raven (@raid_akame) on 2020-12-25
  • [1170148] Medium CVE-2021-21214: Use after free in Network API. Reported by Anonymous on 2021-01-24
  • [1172533] Medium CVE-2021-21215: Inappropriate implementation in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-01-30
  • [1173297] Medium CVE-2021-21216: Inappropriate implementation in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-02
  • [1166462] Low CVE-2021-21217: Uninitialized Use in PDFium. Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-14
  • [1166478] Low CVE-2021-21218: Uninitialized Use in PDFium. Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-14
  • [1166972] Low CVE-2021-21219: Uninitialized Use in PDFium. Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-15
more...
chromium

more detail
2021-04-15VuXML ID fb6e53ae-9df6-11eb-ba8c-001b217b3468

SO-AND-SO reports:

Remote code execution when uploading specially crafted image files

Update Rexml

more...
gitlab-ce

more detail
2021-04-14VuXML ID 7c0d71a9-9d48-11eb-97a0-e09467587c17

Chrome Releases reports:

This release contains two security fixes:

  • [1196781] High CVE-2021-21206: Use after free in Blink. Reported by Anonymous on 2021-04-07
  • [1196683] High CVE-2021-21220: Insufficient validation of untrusted input in V8 for x86_64. Reported by Bruno Keith (@bkth_) and Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_it) via ZDI (ZDI-CAN-13569) on 2021-04-07>
more...
chromium

more detail
2021-04-13VuXML ID 465db5b6-9c6d-11eb-8e8a-bc542f4bd1dd

X.Org server security reports for release 1.20.11:

  • Fix XChangeFeedbackControl() request underflow

.

more...
xorg-server
xwayland
xwayland-devel

more detail
2021-04-12VuXML ID 9ee01e60-6045-43df-98e5-a794007e54ef

syncthing developers report:

syncthing can be caused to crash and exit if sent a malformed relay protocol message message with a negative length field.

The relay server strelaysrv can be caused to crash and exit if sent a malformed relay protocol message with a negative length field.

more...
syncthing

more detail
2021-04-11VuXML ID 094fb2ec-9aa3-11eb-83cb-0800278d94f0

The Gitea Team reports for release 1.14.0:

  • Validate email in external authenticator registration form
  • Ensure validation occurs on clone addresses too
more...
gitea

more detail
2021-04-10VuXML ID b1194286-958e-11eb-9c34-080027f515ea

Daniel Stenberg reports:

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with --referer ";auto".

more...
curl

more detail
2021-04-10VuXML ID d10fc771-958f-11eb-9c34-080027f515ea

Daniel Stenberg reports:

Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes.

When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2 when the session ids would provided only during the TLS handshake, while in TLS 1.3 it happens post hand-shake and the code was not updated to take that changed behavior into account.

When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed.

This flaw can allow a malicious HTTPS proxy to MITM the traffic. Such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.

more...
curl

more detail
2021-04-10VuXML ID f671c282-95ef-11eb-9c34-080027f515ea

David Schwörer reports:

Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords.

more...
python38
python39

more detail
2021-04-09VuXML ID 8ba23a62-997d-11eb-9f0e-0800278d94f0

The Gitea Team reports for release 1.13.7:

  • Update to bluemonday-1.0.6
  • Clusterfuzz found another way
more...
gitea

more detail
2021-04-08VuXML ID 9595d002-edeb-4602-be2d-791cd654247e

Jenkins Security Advisory:

Description

(Low) SECURITY-1721 / CVE-2021-21639

Lack of type validation in agent related REST API

(Medium) SECURITY-1871 / CVE-2021-21640

View name validation bypass

more...
jenkins
jenkins-lts

more detail
2021-04-07VuXML ID 13d37672-9791-11eb-b87a-901b0ef719ab

Problem Description:

A particular case of memory sharing is mishandled in the virtual memory system. It is possible and legal to establish a relationship where multiple descendant processes share a mapping which shadows memory of an ancestor process. In this scenario, when one process modifies memory through such a mapping, the copy-on-write logic fails to invalidate other mappings of the source page. These stale mappings may remain even after the mapped pages have been reused for another purpose.

Impact:

An unprivileged local user process can maintain a mapping of a page after it is freed, allowing that process to read private data belonging to other processes or the kernel.

more...
FreeBSD-kernel

more detail
2021-04-07*VuXML ID 5a668ab3-8d86-11eb-b8d6-d4c9ef517024

The OpenSSL project reports:

High: CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450)

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default.

High: NULL pointer deref in signature_algorithms processing (CVE-2021-3449)

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack.

more...
FreeBSD
openssl

more detail
2021-04-07VuXML ID 9ae2c00f-97d0-11eb-8cd6-080027f515ea

Micah Snyder reports:

CVE-2021-1252
Excel XLM parser infinite loop
CVE-2021-1404
PDF parser buffer over-read; possible crash.
CVE-2021-1405
Mail parser NULL-dereference crash.
more...
clamav

more detail
2021-04-07VuXML ID a7b97d26-9792-11eb-b87a-901b0ef719ab

Problem Description:

Due to a race condition between lookup of ".." and remounting a filesystem, a process running inside a jail might access filesystem hierarchy outside of jail.

Impact:

A process with superuser privileges running inside a jail configured with the allow.mount permission (not enabled by default) could change the root directory outside of the jail, and thus gain full read and write access to all files and directories in the system.

more...
FreeBSD-kernel

more detail
2021-04-07VuXML ID c0c1834c-9761-11eb-acfd-0022489ad614

Node.js reports:

OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High) (CVE-2021-3450)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

OpenSSL - NULL pointer deref in signature_algorithms processing (High) (CVE-2021-3449)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

npm upgrade - Update y18n to fix Prototype-Pollution (High) (CVE-2020-7774)

This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh

more...
node
node10
node12
node14

more detail
2021-04-07VuXML ID f8e1e2a6-9791-11eb-b87a-901b0ef719ab

Problem Description:

An unprivileged process can configure an accept filter on a listening socket. This is done using the setsockopt(2) system call. The process supplies the name of the accept filter which is to be attached to the socket, as well as a string containing filter-specific information.

If the filter implements the accf_create callback, the socket option handler attempts to preserve the process-supplied argument string. A bug in the socket option handler caused this string to be freed prematurely, leaving a dangling pointer. Additional operations on the socket can turn this into a double free or a use-after-free.

Impact:

The bug may be exploited to trigger local privilege escalation or kernel memory disclosure.

more...
FreeBSD-kernel

more detail
2021-04-06VuXML ID 56abf87b-96ad-11eb-a218-001b217b3468

Gitlab reports:

Arbitrary File Read During Project Import

Kroki Arbitrary File Read/Write

Stored Cross-Site-Scripting in merge requests

Access data of an internal project through a public project fork as an anonymous user

Incident metric images can be deleted by any user

Infinite Loop When a User Access a Merge Request

Stored XSS in scoped labels

Admin CSRF in System Hooks Execution Through API

Update OpenSSL dependency

Update PostgreSQL dependency

more...
gitlab-ce

more detail
2021-04-06VuXML ID 79fa9f23-9725-11eb-b530-7085c2fb2c14

Mitre reports:

A stack overflow in pupnp 1.16.1 can cause the denial of service through the Parser_parseDocument() function. ixmlNode_free() will release a child node recursively, which will consume stack space and lead to a crash.

more...
upnp

more detail
2021-04-05VuXML ID dec7e4b6-961a-11eb-9c34-080027f515ea

Juho Nurminen reports:

When parsing and serializing a crafted XML document, REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML.

more...
ruby
rubygem-rexml

more detail
2021-03-31VuXML ID bddadaa4-9227-11eb-99c5-e09467587c17

Chrome Releases reports:

This update contains 8 security fixes, including:

  • [1181228] High CVE-2021-21194: Use after free in screen capture. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-02-23
  • [1182647] High CVE-2021-21195: Use after free in V8. Reported by Bohan Liu (@P4nda20371774) and Moon Liang of Tencent Security Xuanwu Lab on 2021-02-26
  • [1175992] High CVE-2021-21196: Heap buffer overflow in TabStrip. Reported by Khalil Zhani on 2021-02-08
  • [1173903] High CVE-2021-21197: Heap buffer overflow in TabStrip. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-03
  • [1184399] High CVE-2021-21198: Out of bounds read in IPC. Reported by Mark Brand of Google Project Zero on 2021-03-03
  • [1179635] High CVE-2021-21199: Use Use after free in Aura. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group and Evangelos Foutras
more...
chromium

more detail
2021-03-30VuXML ID 9f27ac74-cdee-11eb-930d-fc4dd43e2b6a

Michael Ortmann reports:

ircii has a bug in parsing CTCP UTC messages.

Its unknown if this could also be used for arbitrary code execution.

more...
ircii

more detail
2021-03-28VuXML ID 1f6d97da-8f72-11eb-b3f1-005056a311d1

The Samba Team reports:

  • CVE-2020-27840: An anonymous attacker can crash the Samba AD DC LDAP server by sending easily crafted DNs as part of a bind request. More serious heap corruption is likely also possible.
  • CVE-2021-20277: User-controlled LDAP filter strings against the AD DC LDAP server may crash the LDAP server.
more...
samba411
samba412
samba413
samba414

more detail
2021-03-27VuXML ID 80f9dbd3-8eec-11eb-b9e8-3525f51429a0

Niels Möller reports:

I've prepared a new bug-fix release of Nettle, a low-level cryptographics library, to fix a serious bug in the function to verify ECDSA signatures. Implications include an assertion failure, which could be used for denial-of-service, when verifying signatures on the secp_224r1 and secp521_r1 curves.

Even when no assert is triggered in ecdsa_verify, ECC point multiplication may get invalid intermediate values as input, and produce incorrect results. [...] It appears difficult to construct an alleged signature that makes the function misbehave in such a way that an invalid signature is accepted as valid, but such attacks can't be ruled out without further analysis.

more...
linux-c7-nettle
nettle

more detail
2021-03-24VuXML ID ec04f3d0-8cd9-11eb-bb9f-206a8a720317

The Apache SpamAssassin project reports:

Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands.

In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

more...
spamassassin

more detail
2021-03-23VuXML ID c4d2f950-8c27-11eb-a3ae-0800278d94f0

The Gitea Team reports for release 1.13.6:

  • Fix bug on avatar middleware
  • Fix another clusterfuzz identified issue
more...
gitea

more detail
2021-03-21VuXML ID 1431a25c-8a70-11eb-bd16-0800278d94f0

The Gitea Team reports for release 1.13.5:

  • Update to goldmark 1.3.3
more...
gitea

more detail
2021-03-18VuXML ID 50e59056-87f2-11eb-b6a2-001b217b3468

Gigtlab reports:

Remote code execution via unsafe user-controlled markdown rendering options

more...
gitlab-ce

more detail
2021-03-18VuXML ID 5b72b1ff-877c-11eb-bd4f-2f1d57dafe46

Simon Kelley reports:

[In configurations where the forwarding server address contains an @ character for specifying a sending interface or source address, the] random source port behavior was disabled, making cache poisoning attacks possible.

This only affects configurations of the form server=1.1.1.1@em0 or server=1.1.1.1@192.0.2.1, i. e. those that specify an interface to send through, or an IP address to send from, or use together with NetworkManager.

more...
dnsmasq
dnsmasq-devel

more detail
2021-03-17VuXML ID b073677f-253a-41f9-bf2b-2d16072a25f6

minio developer report:

This is a security issue because it enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures.

In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature.

more...
minio

more detail
2021-03-16VuXML ID b81ad6d6-8633-11eb-99c5-e09467587c17

Chrome Releases reports:

This release includes 5 security fixes, including:

  • [1167357] High CVE-2021-21191: Use after free in WebRTC. Reported by raven (@raid_akame) on 2021-01-15
  • [1181387] High CVE-2021-21192: Heap buffer overflow in tab groups. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-23
  • [1186287] High CVE-2021-21193: Use after free in Blink. Reported by Anonymous on 2021-03-09
more...
chromium

more detail
2021-03-16VuXML ID eeca52dc-866c-11eb-b8d6-d4c9ef517024

OpenBSD reports:

A TLS client using session resumption may cause a use-after-free.

more...
libressl

more detail
2021-03-15VuXML ID 317487c6-85ca-11eb-80fa-14dae938ec40

Phillip Lougher reports:

Integer overflow in the read_fragment_table_4 function in unsquash-4.c in Squashfs and sasquatch allows remote attackers to cause a denial of service (application crash) via a crafted input, which triggers a stack-based buffer overflow.

more...
squashfs-tools

more detail
2021-03-10VuXML ID 2dc8927b-54e0-11eb-9342-1c697a013f4b

Mantis 2.24.4 release reports:

Security and maintenance release, addressing 6 CVEs:

  • 0027726: CVE-2020-29603: disclosure of private project name
  • 0027727: CVE-2020-29605: disclosure of private issue summary
  • 0027728: CVE-2020-29604: full disclosure of private issue contents, including bugnotes and attachments
  • 0027361: Private category can be access/used by a non member of a private project (IDOR)
  • 0027779: CVE-2020-35571: XSS in helper_ensure_confirmed() calls
  • 0026794: User Account - Takeover
  • 0027363: Fixed in version can be changed to a version that doesn't exist
  • 0027350: When updating an issue, a Viewer user can be set as Reporter
  • 0027370: CVE-2020-35849: Revisions allow viewing private bugnotes id and summary
  • 0027495: CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function throught the API SOAP.
  • 0027444: Printing unsanitized user input in install.php
more...
mantis-php72
mantis-php73
mantis-php74
mantis-php80

more detail
2021-03-10VuXML ID 72709326-81f7-11eb-950a-00155d646401

The Go project reports:

The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.

The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive containing files that start with "../".

more...
go

more detail
2021-03-09VuXML ID 2f3cd69e-7dee-11eb-b92e-0022489ad614

Node.js reports:

HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (Critical) (CVE-2021-22883)

Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

DNS rebinding in --inspect (CVE-2021-22884)

Affected Node.js versions are vulnerable to a DNS rebinding attack when the whitelist includes "localhost6". When "localhost6" is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the "localhost6" domain. As long as the attacker uses the "localhost6" domain, they can still apply the attack described in CVE-2018-7160.

OpenSSL - Integer overflow in CipherUpdate (CVE-2021-23840)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt

more...
node
node10
node12
node14

more detail
2021-03-05VuXML ID 8bf856ea-7df7-11eb-9aad-001b217b3468

Gitlab reports:

JWT token leak via Workhorse

Stored XSS in wiki pages

Group Maintainers are able to use the Group CI/CD Variables API

Insecure storage of GitLab session keys

more...
gitlab-ce

more detail
2021-03-04VuXML ID 9e8f0766-7d21-11eb-a2be-001999f8d30b

The Asterisk project reports:

When Asterisk sends a re-invite initiating T.38 faxing and the endpoint responds with a m=image line and zero port, a crash will occur in Asterisk. This is a reoccurrence of AST-2019-004.

more...
asterisk16
asterisk18

more detail
2021-03-04VuXML ID f00b65d8-7ccb-11eb-b3be-e09467587c17

Chrome Releases reports:

This release includes 47 security fixes, including the below. Google is aware of reports that an exploit for CVE-2021-21166 exists in the wild. Please see URL for details.

more...
chromium

more detail
2021-03-03VuXML ID 3a469cbc-7a66-11eb-bd3f-08002728f74c

JasPer Releases:

- Fix memory-related bugs in the JPEG-2000 codec resulting from attempting to decode invalid code streams. (#264, #265)

This fix is associated with CVE-2021-26926 and CVE-2021-26927.

- Fix wrong return value under some compilers (#260)

- Fix CVE-2021-3272 heap buffer overflow in jp2_decode (#259)

more...
jasper

more detail
2021-03-03VuXML ID a1e03a3d-7be0-11eb-b392-20cf30e32f6d

SaltStack reports multiple security vulnerabilities in Salt

  • CVE-2021-3197: The Salt-API.s SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
  • CVE-2021-25281: The Salt-API does not have eAuth credentials for the wheel_async client.
  • CVE-2021-25282: The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.
  • CVE-2021-25283: The jinja renderer does not protect against server-side template injection attacks.
  • CVE-2021-25284: webutils write passwords in cleartext to /var/log/salt/minion
  • CVE-2021-3148: command injection in salt.utils.thin.gen_thin()
  • CVE-2020-35662: Several places where Salt was not verifying the SSL cert by default.
  • CVE-2021-3144: eauth Token can be used once after expiration.
  • CVE-2020-28972: Code base not validating SSL/TLS certificate of the server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack
  • CVE-2020-28243: Local Privilege Escalation in the Minion.
more...
py36-salt
py36-salt-2019
py37-salt
py37-salt-2019
py38-salt
py38-salt-2019
py39-salt

more detail
2021-02-27VuXML ID 52bd2d59-4ab5-4bef-a599-7aac4e92238b

vault developers report:

Limited Unauthenticated License Read: We addressed a security vulnerability that allowed for the unauthenticated reading of Vault licenses from DR Secondaries.

more...
vault

more detail
2021-02-25VuXML ID 31ad2f10-7711-11eb-b87a-901b0ef719ab

Problem Description:

Due to a race condition in the jail_remove(2) implementation, it may fail to kill some of the processes.

Impact:

A process running inside a jail can avoid being killed during jail termination. If a jail is subsequently started with the same root path, a lingering jailed process may be able to exploit the window during which a devfs filesystem is mounted but the jail's devfs ruleset has not been applied, to access device nodes which are ordinarily inaccessible. If the process is privileged, it may be able to escape the jail and gain full access to the system.

more...
FreeBSD-kernel

more detail
2021-02-25VuXML ID 5b8c6e1e-770f-11eb-b87a-901b0ef719ab

Problem Description:

Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation.

Unfortunately, when running in HVM/PVH mode, the FreeBSD backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery.

Impact:

A malicious or buggy frontend driver may be able to cause resource leaks in the domain running the corresponding backend driver.

more...
FreeBSD-kernel

more detail
2021-02-25VuXML ID a8654f1d-770d-11eb-b87a-901b0ef719ab

Problem Description:

A regression in the login.access(5) rule processor has the effect of causing rules to fail to match even when they should not. This means that rules denying access may be ignored.

Impact:

The configuration in login.access(5) may not be applied, permitting login access to users even when the system is configured to deny it.

more...
FreeBSD

more detail
2021-02-25VuXML ID bba850fd-770e-11eb-b87a-901b0ef719ab

Problem Description:

When a process, such as jexec(8) or killall(1), calls jail_attach(2) to enter a jail, the jailed root can attach to it using ptrace(2) before the current working directory is changed.

Impact:

A process with superuser privileges running inside a jail could change the root directory outside of the jail, thereby gaining full read and writing access to all files and directories in the system.

more...
FreeBSD-kernel

more detail
2021-02-23VuXML ID 0e38b8f8-75dd-11eb-83f2-8c164567ca3c

Redis Development team reports:

Redis 4.0 or newer uses a configurable limit for the maximum supported bulk input size. By default, it is 512MB which is a safe value for all platforms. If the limit is significantly increased, receiving a large request from a client may trigger several integer overflow scenarios, which would result with buffer overflow and heap corruption.

more...
redis
redis-devel
redis5

more detail
2021-02-22VuXML ID 3e9624b3-e92b-4460-8a5a-93247c52c5a1

Jon Siwek of Corelight reports:

Fix ASCII Input reader's treatment of input files containing null-bytes. An input file containing null-bytes could lead to a buffer-over-read, crash Zeek, and be exploited to cause Denial of Service.

more...
zeek

more detail
2021-02-20VuXML ID 9c03845c-7398-11eb-bc0e-2cf05d620ecc

Redland Issue Tracker reports:

due to an out of bounds array access in raptor_xml_writer_start_element_common.

more...
raptor2

more detail
2021-02-20VuXML ID a45d945a-cc2c-4cd7-a941-fb58fdb1b01e

Jenkins Security Advisory:

Description

(high) SECURITY-2195 / CVE-2021-22112

Privilege escalation vulnerability in bundled Spring Security library

more...
jenkins

more detail
2021-02-18VuXML ID 1bb2826b-7229-11eb-8386-001999f8d30b

The Asterisk project reports:

Given a scenario where an outgoing call is placed from Asterisk to a remote SIP server it is possible for a crash to occur.

more...
asterisk13
asterisk16
asterisk18

more detail
2021-02-18VuXML ID 5d8ef725-7228-11eb-8386-001999f8d30b

The Asterisk project reports:

An unauthenticated remote attacker could replay SRTP packets which could cause an Asterisk instance configured without strict RTP validation to tear down calls prematurely.

more...
asterisk13
asterisk16
asterisk18

more detail
2021-02-18VuXML ID b330db5f-7225-11eb-8386-001999f8d30b

The Asterisk project reports:

If a registered user is tricked into dialing a malicious number that sends lots of 181 responses to Asterisk, each one will cause a 181 to be sent back to the original caller with an increasing number of entries in the "Supported" header. Eventually the number of entries in the header exceeds the size of the entry array and causes a crash.

more...
asterisk13
asterisk16
asterisk18

more detail
2021-02-18VuXML ID ca21f5e7-7228-11eb-8386-001999f8d30b

The Asterisk project reports:

Due to a signedness comparison mismatch, an authenticated WebRTC client could cause a stack overflow and Asterisk crash by sending multiple hold/unhold requests in quick succession.

more...
asterisk16
asterisk18

more detail
2021-02-18VuXML ID e3894955-7227-11eb-8386-001999f8d30b

The Asterisk project reports:

When re-negotiating for T.38 if the initial remote response was delayed just enough Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream then Asterisk would crash.

more...
asterisk16
asterisk18

more detail
2021-02-17VuXML ID 48514901-711d-11eb-9846-e09467587c17

Chrome Releases reports:

This release contains 10 security fixes, including:

  • [1138143] High CVE-2021-21149: Stack overflow in Data Transfer. Reported by Ryoya Tsukasaki on 2020-10-14
  • [1172192] High CVE-2021-21150: Use after free in Downloads. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2021-01-29
  • [1165624] High CVE-2021-21151: Use after free in Payments. Reported by Khalil Zhani on 2021-01-12
  • [1166504] High CVE-2021-21152: Heap buffer overflow in Media. Reported by Anonymous on 2021-01-14
  • [1155974] High CVE-2021-21153: Stack overflow in GPU Process. Reported by Jan Ruge of ERNW GmbH on 2020-12-06
  • [1173269] High CVE-2021-21154: Heap buffer overflow in Tab Strip. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-01
  • [1175500] High CVE-2021-21155: Heap buffer overflow in Tab Strip. Reported by Khalil Zhani on 2021-02-07
  • [1177341] High CVE-2021-21156: Heap buffer overflow in V8. Reported by Sergei Glazunov of Google Project Zero on 2021-02-11
  • [1170657] Medium CVE-2021-21157: Use after free in Web Sockets. Reported by Anonymous on 2021-01-26
more...
chromium

more detail
2021-02-17VuXML ID 8e670b85-706e-11eb-abb2-08002728f74c

Ruby on Rails blog:

Rails version 5.2.4.5, 6.0.3.5 and 6.1.2.1 have been released! Those version are security releases and addresses two issues:

CVE-2021-22880: Possible DoS Vulnerability in Active Record PostgreSQL adapter.

CVE-2021-22881: Possible Open Redirect in Host Authorization Middleware.

more...
rubygem-actionpack60
rubygem-actionpack61
rubygem-activerecord52
rubygem-activerecord60
rubygem-activerecord61

more detail
2021-02-12VuXML ID 1020d401-6d2d-11eb-ab0b-001b217b3468

Gitlab reports:

Improper Certificate Validation for Fortinet OTP

Denial of Service Attack on gitlab-shell

Resource exhaustion due to pending jobs

Confidential issue titles were exposed

Improper access control allowed demoted project members to access authored merge requests

Improper access control allowed unauthorized users to access analytic pages

Unauthenticated CI lint API may lead to information disclosure and SSRF

Prometheus integration in Gitlab may lead to SSRF

more...
gitlab-ce

more detail
2021-02-12VuXML ID 3003ba60-6cec-11eb-8815-040e3c1b8a02

SO-AND-SO reports:

In OAuth2 Proxy before version 7.0.0, for users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect.

more...
oauth2-proxy

more detail
2021-02-12VuXML ID 98044aba-6d72-11eb-aed7-1b1b8a70cc8b

Cary Phillips reports:

Patch release with various bug/sanitizer/security fixes, primarily related to reading corrupted input files[...].

more...
ilmbase
openexr

more detail
2021-02-10VuXML ID 06a5abd4-6bc2-11eb-b292-90e2baa3bafc

Subversion project reports:

Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL.

more...
mod_dav_svn

more detail
2021-02-06VuXML ID 0add6e6b-6883-11eb-b0cb-f8b156c2bfe9

Sympa community reports:

Unauthorised full access via SOAP API due to illegal cookie

more...
sympa

more detail
2021-02-06VuXML ID 502ba001-7ffa-11eb-911c-0800278d94f0

The Gitea Team reports for release 1.13.3:

  • Turn default hash password algorithm back to pbkdf2 from argon2 until we find a better one

The Gitea Team reports for release 1.13.4:

  • Fix issue popups
more...
gitea

more detail
2021-02-06VuXML ID cdb10765-6879-11eb-a7d8-08002734b9ed

The Gitea Team reports for release 1.13.2:

  • Prevent panic on fuzzer provided string
  • Add secure/httpOnly attributes to the lang cookie
more...
gitea

more detail
2021-02-05VuXML ID 3e01aad2-680e-11eb-83e2-e09467587c17

Chrome Releases reports:

[1170176] High CVE-2021-21148: Heap buffer overflow in V8. Reported by Mattias Buelens on 2021-01-24. Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild.

more...
chromium

more detail
2021-02-03VuXML ID 479fdfda-6659-11eb-83e2-e09467587c17

Chrome Releases reports:

This update include 6 security fixes:

  • 1169317] Critical CVE-2021-21142: Use after free in Payments. Reported by Khalil Zhani on 2021-01-21
  • [1163504] High CVE-2021-21143: Heap buffer overflow in Extensions. Reported by Allen Parker and Alex Morgan of MU on 2021-01-06
  • [1163845] High CVE-2021-21144: Heap buffer overflow in Tab Groups. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-01-07
  • [1154965] High CVE-2021-21145: Use after free in Fonts. Reported by Anonymous on 2020-12-03
  • [1161705] High CVE-2021-21146: Use after free in Navigation. Reported by Alison Huffman and Choongwoo Han of Microsoft Browser Vulnerability Research on 2020-12-24
  • [1162942] Medium CVE-2021-21147: Inappropriate implementation in Skia. Reported by Roman Starkov on 2021-01-04
more...
chromium

more detail
2021-02-02VuXML ID 66d1c277-652a-11eb-bb3f-001b217b3468

Gitlab reports:

Stored XSS in merge request

Stored XSS in epic's pages

Sensitive GraphQL variables exposed in structured log

Guest user can see tag names in private projects

Information disclosure via error message

DNS rebinding protection bypass

Validate existence of private project

more...
gitlab-ce

more detail
2021-01-31VuXML ID 8ec7d426-055d-46bc-8f5a-a9d73a5a71ab

Minio developers report:

Thanks to @phith0n from our community upon a code review, discovered an SSRF (Server Side Request Forgery) in our Browser API implementation. We have not observed this report/attack in the wild or reported elsewhere in the community at large.

All users are advised to upgrade ASAP.

The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.).

In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed.

more...
minio

more detail
2021-01-29VuXML ID 5d91370b-61fd-11eb-b87a-901b0ef719ab

Problem Description:

Some OSes (including Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued.

As the queue is unbound, a guest may be able to trigger a OOM in the backend.

more...
FreeBSD-kernel

more detail
2021-01-29VuXML ID a9c6e9be-61fb-11eb-b87a-901b0ef719ab

Problem Description:

Several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems. This problem is not present in FreeBSD 11.

Additionally, msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes.

Impact:

Kernel stack disclosures may leak sensitive information which could be used to compromise the security of the system.

more...
FreeBSD-kernel

more detail
2021-01-28VuXML ID 13ca36b8-6141-11eb-8a36-7085c2fb2c14

The libpng project reports:

pngcheck versions 3.0.0 and earlier have a pair of buffer-overrun bugs related to the sPLT and PPLT chunks (the latter is a MNG-only chunk, but it gets noticed even in PNG files if the -s option is used). Both bugs are fixed in version 3.0.1, released on 24 January 2021. Again, while all known vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

more...
pngcheck

more detail
2021-01-26VuXML ID 425f2143-8876-4b0a-af84-e0238c5c2062

Jenkins Security Advisory:

Description

(Medium) SECURITY-2197 / CVE-2021-21615

Arbitrary file read vulnerability in workspace browsers

more...
jenkins
jenkins-lts

more detail
2021-01-26VuXML ID f3cf4b33-6013-11eb-9a0e-206a8a720317

Todd C. Miller reports:

When invoked as sudoedit, the same set of command line options are now accepted as for sudo -e. The -H and -P options are now rejected for sudoedit and sudo -e which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156.

Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156.

more...
sudo

more detail
2021-01-26VuXML ID fb67567a-5d95-11eb-a955-08002728f74c

pysaml2 Releases:

Fix processing of invalid SAML XML documents - CVE-2021-21238

Fix unspecified xmlsec1 key-type preference - CVE-2021-21239

more...
py36-pysaml2
py37-pysaml2
py38-pysaml2
py39-pysaml2

more detail
2021-01-23VuXML ID 31344707-5d87-11eb-929d-d4c9ef517024

Oracle reports:

This Critical Patch Update contains 34 new security patches for Oracle MySQL Server and 4 for MySQL Client.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 6.8.

more...
mysql56-client
mysql56-server
mysql57-client
mysql57-server
mysql80-client
mysql80-server

more detail
2021-01-23VuXML ID 387bbade-5d1d-11eb-bf20-4437e6ad11c4

Tavis Ormandy reports:

rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can cause large memory consumption, and the victim may then be unable to see email messages from other persons.

more...
mutt

more detail
2021-01-22VuXML ID 13c54e6d-5c45-11eb-b4e2-001b217b3468

Nokogiri reports:

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema were trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

more...
rubygem-nokogiri
rubygem-nokogiri18

more detail
2021-01-22VuXML ID 35aef72c-5c8e-11eb-8309-4ccc6adda413

Michal Dardas from LogicalTrust reports:

The server in Chocolate Doom 3.0.0 and Crispy Doom 5.8.0 doesn't validate the user-controlled num_players value, leading to a buffer overflow. A malicious user can overwrite the server's stack.

more...
chocolate-doom
crispy-doom

more detail
2021-01-22VuXML ID 4ed0e43c-5cef-11eb-bafd-3065ec8fd3ec

Chrome Releases reports:

This release contains 36 security fixes, including:

  • [1137179] Critical CVE-2021-21117: Insufficient policy enforcement in Cryptohome. Reported by Rory McNamara on 2020-10-10
  • [1161357] High CVE-2021-21118: Insufficient data validation in V8. Reported by Tyler Nighswander (@tylerni7) of Theori on 2020-12-23
  • [1160534] High CVE-2021-21119: Use after free in Media. Reported by Anonymous on 2020-12-20
  • [1160602] High CVE-2021-21120: Use after free in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2020-12-21
  • [1161143] High CVE-2021-21121: Use after free in Omnibox. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-22
  • [1162131] High CVE-2021-21122: Use after free in Blink. Reported by Renata Hodovan on 2020-12-28
  • [1137247] High CVE-2021-21123: Insufficient data validation in File System API. Reported by Maciej Pulikowski on 2020-10-11
  • [1131346] High CVE-2021-21124: Potential user after free in Speech Recognizer. Reported by Chaoyang Ding(@V4kst1z) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-09-23
  • [1152327] High CVE-2021-21125: Insufficient policy enforcement in File System API. Reported by Ron Masas (Imperva) on 2020-11-24
  • [1163228] High CVE-2020-16044: Use after free in WebRTC. Reported by Ned Williamson of Project Zero on 2021-01-05
  • [1108126] Medium CVE-2021-21126: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-07-22
  • [1115590] Medium CVE-2021-21127: Insufficient policy enforcement in extensions. Reported by Jasminder Pal Singh, Web Services Point WSP, Kotkapura on 2020-08-12
  • [1138877] Medium CVE-2021-21128: Heap buffer overflow in Blink. Reported by Liang Dong on 2020-10-15
  • [1140403] Medium CVE-2021-21129: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
  • [1140410] Medium CVE-2021-21130: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
  • [1140417] Medium CVE-2021-21131: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
  • [1128206] Medium CVE-2021-21132: Inappropriate implementation in DevTools. Reported by David Erceg on 2020-09-15
  • [1157743] Medium CVE-2021-21133: Insufficient policy enforcement in Downloads. Reported by wester0x01 (https://twitter.com/wester0x01) on 2020-12-11
  • [1157800] Medium CVE-2021-21134: Incorrect security UI in Page Info. Reported by wester0x01 (https://twitter.com/wester0x01) on 2020-12-11
  • [1157818] Medium CVE-2021-21135: Inappropriate implementation in Performance API. Reported by ndevtk on 2020-12-11
  • [1038002] Low CVE-2021-21136: Insufficient policy enforcement in WebView. Reported by Shiv Sahni, Movnavinothan V and Imdad Mohammed on 2019-12-27
  • [1093791] Low CVE-2021-21137: Inappropriate implementation in DevTools. Reported by bobblybear on 2020-06-11
  • [1122487] Low CVE-2021-21138: Use after free in DevTools. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-08-27
  • [1136327] Low CVE-2021-21140: Uninitialized Use in USB. Reported by David Manouchehri on 2020-10-08
  • [1140435] Low CVE-2021-21141: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
more...
chromium

more detail
2021-01-20VuXML ID 5b5cf6e5-5b51-11eb-95ac-7f9491278677

Simon Kelley reports:

There are broadly two sets of problems. The first is subtle errors in dnsmasq's protections against the chronic weakness of the DNS protocol to cache-poisoning attacks; the Birthday attack, Kaminsky, etc.[...]

the second set of errors is a good old fashioned buffer overflow in dnsmasq's DNSSEC code. If DNSSEC validation is enabled, an installation is at risk.

more...
dnsmasq
dnsmasq-devel

more detail
2021-01-19VuXML ID 6a4805d5-5aaf-11eb-a21d-79f5bc5ef6a9

The Go project reports:

The go command may execute arbitrary code at build time when cgo is in use on Windows. This may occur when running "go get", or any other command that builds code. Only users who build untrusted code (and don't execute it) are affected. In addition to Windows users, this can also affect Unix users who have "." listed explicitly in their PATH and are running "go get" or build commands outside of a module or with module mode disabled.

The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult. The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.

more...
go

more detail
2021-01-19VuXML ID 8899298f-5a92-11eb-8558-3085a9a47796

cloud-init reports:

cloud-init release 20.4.1 is now available. This is a hotfix release, that contains a single patch to address a security issue in cloud-init 20.4.

Briefly, for users who provide more than one unique SSH key to cloud-init and have a shared AuthorizedKeysFile configured in sshd_config, cloud-init 20.4 started writing all of these keys to such a file, granting all such keys SSH access as root.

It's worth restating this implication: if you are using the default AuthorizedKeysFile setting in /etc/ssh/sshd_config, as most will be, then you are _not_ affected by this issue.

more...
cloud-init

more detail
2021-01-18VuXML ID abed4ff0-7da1-4236-880d-de33e4895315

MoinMoin reports:

  • Security fix for CVE-2020-25074: fix remote code execution via cache action

  • Security fix for CVE-2020-15275: fix malicious SVG attachment causing stored XSS vulnerability

more...
moinmoin

more detail
2021-01-17VuXML ID 62642942-590f-11eb-a0dc-8c164582fbac

SO-AND-SO reports:

A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The 'rsearch' calculation for the 'post' size resulted in a size that was too large, and could underflow to max uint32_t. This was fixed in commit 5d499272b95a6b890a1397e11d20937de000d31b.

more...
ghostscript9-agpl-base

more detail
2021-01-14VuXML ID 08b553ed-537a-11eb-be6e-0022489ad614

Node.js reports:

use-after-free in TLSWrap (High) (CVE-2020-8265)

Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

HTTP Request Smuggling in nodejs (Low) (CVE-2020-8287)

Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

OpenSSL - EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)

iThis is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt.

more...
node
node10
node12
node14

more detail
2021-01-14VuXML ID 0a8ebf4a-5660-11eb-b4e2-001b217b3468

SO-AND-SO reports:

Ability to steal a user's API access token through GitLab Pages

more...
gitlab-ce

more detail
2021-01-14VuXML ID 6d554d6e-5638-11eb-9d36-5404a68ad561

The wavpack project reports:

src/pack_utils.c - issue #91: fix integer overflows resulting in buffer overruns (CVE-2020-35738) - sanitize configuration parameters better (improves clarity and aids debugging)

more...
wavpack

more detail
2021-01-13VuXML ID d6f76976-e86d-4f9a-9362-76c849b10db2

Jenkins Security Advisory:

Description

(Medium) SECURITY-1452 / CVE-2021-21602

Arbitrary file read vulnerability in workspace browsers

(High) SECURITY-1889 / CVE-2021-21603

XSS vulnerability in notification bar

(High) SECURITY-1923 / CVE-2021-21604

Improper handling of REST API XML deserialization errors

(High) SECURITY-2021 / CVE-2021-21605

Path traversal vulnerability in agent names

(Medium) SECURITY-2023 / CVE-2021-21606

Arbitrary file existence check in file fingerprints

(Medium) SECURITY-2025 / CVE-2021-21607

Excessive memory allocation in graph URLs leads to denial of service

(High) SECURITY-2035 / CVE-2021-21608

Stored XSS vulnerability in button labels

(Low) SECURITY-2047 / CVE-2021-21609

Missing permission check for paths with specific prefix

(High) SECURITY-2153 / CVE-2021-21610

Reflected XSS vulnerability in markup formatter preview

(High) SECURITY-2171 / CVE-2021-21611

Stored XSS vulnerability on new item page

more...
jenkins
jenkins-lts

more detail
2021-01-12VuXML ID 1f655433-551b-11eb-9cda-589cfc0f81b0

phpmyfaq developers report:

phpMyFAQ does not implement sufficient checks to avoid XSS injection for displaying tags.

more...
phpmyfaq

more detail
2021-01-11VuXML ID 6193b3f6-548c-11eb-ba01-206a8a720317

Todd C. Miller reports:

A potential information leak in sudoedit that could be used to test for the existence of directories not normally accessible to the user in certain circumstances. When creating a new file, sudoedit checks to make sure the parent directory of the new file exists before running the editor. However, a race condition exists if the invoking user can replace (or create) the parent directory. If a symbolic link is created in place of the parent directory, sudoedit will run the editor as long as the target of the link exists.If the target of the link does not exist, an error message will be displayed. The race condition can be used to test for the existence of an arbitrary directory. However, it _cannot_ be used to write to an arbitrary location.

more...
sudo

more detail
2021-01-10VuXML ID a3cef1e6-51d8-11eb-9b8d-08002728f74c

CairoSVG security advisories:

When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS).

If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time.

more...
py36-cairosvg
py37-cairosvg
py38-cairosvg
py39-cairosvg

more detail
2021-01-09VuXML ID a2a2b34d-52b4-11eb-87cb-001b217b3468

Gitlab reports:

Ability to steal a user's API access token through GitLab Pages

Prometheus denial of service via HTTP request with custom method

Unauthorized user is able to access private repository information under specific conditions

Regular expression denial of service in NuGet API

Regular expression denial of service in package uploads

Update curl dependency

CVE-2019-3881 mitigation

more...
gitlab-ce

more detail
2021-01-07VuXML ID d153c4d2-50f8-11eb-8046-3065ec8fd3ec

Chrome Releases reports:

This release includes 16 security fixes, including:

  • [1148749] High CVE-2021-21106: Use after free in autofill. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-11-13
  • [1153595] High CVE-2021-21107: Use after free in drag and drop. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-11-30
  • [1155426] High CVE-2021-21108: Use after free in media. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-04
  • [1152334] High CVE-2021-21109: Use after free in payments. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2020-11-24
  • [1152451] High CVE-2021-21110: Use after free in safe browsing. Reported by Anonymous on 2020-11-24
  • [1149125] High CVE-2021-21111: Insufficient policy enforcement in WebUI. Reported by Alesandro Ortiz on 2020-11-15
  • [1151298] High CVE-2021-21112: Use after free in Blink. Reported by YoungJoo Lee(@ashuu_lee) of Raon Whitehat on 2020-11-20
  • [1155178] High CVE-2021-21113: Heap buffer overflow in Skia. Reported by tsubmunu on 2020-12-03
  • [1148309] High CVE-2020-16043: Insufficient data validation in networking. Reported by Samy Kamkar, Ben Seri at Armis, Gregory Vishnepolsky at Armis on 2020-11-12
  • [1150065] High CVE-2021-21114: Use after free in audio. Reported by Man Yue Mo of GitHub Security Lab on 2020-11-17
  • [1157790] High CVE-2020-15995: Out of bounds write in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2020-12-11
  • [1157814] High CVE-2021-21115: Use after free in safe browsing. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-11
  • [1151069] Medium CVE-2021-21116: Heap buffer overflow in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-11-19
more...
chromium

more detail
2021-01-04VuXML ID bd98066d-4ea4-11eb-b412-e86a64caca56

Aki Tuomi reports:

When imap hibernation is active, an attacker can cause Dovecot to discover file system directory structure and access other users' emails using specially crafted command. The attacker must have valid credentials to access the mail server.

Mail delivery / parsing crashed when the 10 000th MIME part was message/rfc822 (or if parent was multipart/digest). This happened due to earlier MIME parsing changes for CVE-2020-12100.

more...
dovecot

more detail
2021-01-01VuXML ID 53e9efa1-4be7-11eb-8558-3085a9a47796

The InspIRCd development team reports:

The websocket module before v3.8.1 contains a double free vulnerability. When combined with a HTTP reverse proxy this vulnerability can be used by any user who is [GKZ]-lined to remotely crash an InspIRCd server.

more...
inspircd

more detail
2020-12-31VuXML ID 2739b88b-4b88-11eb-a4c0-08002734b9ed

The Gitea Team reports for release 1.13.1:

  • Hide private participation in Orgs
  • Fix escaping issue in diff
more...
gitea

more detail
2020-12-28VuXML ID fbcba194-ac7d-11ea-8b5e-b42e99a1b9c3

Intel reports:

Intel CPUs suffer Special Register Buffer Data Sampling vulnerability

more...
devcpu-data

more detail
2020-12-22VuXML ID 6adf6ce0-44a6-11eb-95b7-001999f8d30b

The Asterisk project reports:

AST-2020-003: A crash can occur in Asterisk when a SIP message is received that has a History-Info header, which contains a tel-uri.

AST-2020-004: A crash can occur in Asterisk when a SIP 181 response is received that has a Diversion header, which contains a tel-uri.

more...
asterisk13
asterisk16
asterisk18

more detail
2020-12-21VuXML ID 61d89849-43cb-11eb-aba5-00a09858faf5

PowerDNS developers report:

A remote, unauthenticated attacker can trigger a race condition leading to a crash, or possibly arbitrary code execution, by sending crafted queries with a GSS-TSIG signature.

A remote, unauthenticated attacker can cause a denial of service by sending crafted queries with a GSS-TSIG signature.

A remote, unauthenticated attacker might be able to cause a double-free, leading to a crash or possibly arbitrary code execution by sending crafted queries with a GSS-TSIG signature.

more...
powerdns

more detail
2020-12-21VuXML ID eb2845c4-43ce-11eb-aba5-00a09858faf5

postsrsd developer reports:

PostSRSd could be tricked into consuming a lot of CPU time with an SRS address that has an excessively long time stamp tag.

more...
postsrsd

more detail
2020-12-17VuXML ID cc1fd3da-b8fd-4f4d-a092-c38541c0f993

Vault developers report:

Vault allowed enumeration of users via the LDAP auth method. This vulnerability, was fixed in Vault 1.6.1 and 1.5.6.

An external party reported that they were able to enumerate LDAP users via error messages returned by Vault’s LDAP auth method

more...
vault

more detail
2020-12-15*VuXML ID 1d56cfc5-3970-11eb-929d-d4c9ef517024

The OpenSSL project reports:

EDIPARTYNAME NULL pointer de-reference (High)

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.

more...
FreeBSD
openssl

more detail
2020-12-13VuXML ID 85349584-3ba4-11eb-919d-08002728f74c

JasPer NEWS:

Fix CVE-2020-27828, heap-overflow in cp_create() in jpc_enc.c.

more...
jasper

more detail
2020-12-13VuXML ID cfa0be42-3cd7-11eb-9de7-641c67a117d8

Matrix developers reports:

A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a /send_join, /send_leave, /invite or /exchange_third_party_invite request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers.

more...
py36-matrix-synapse
py37-matrix-synapse
py38-matrix-synapse
py39-matrix-synapse

more detail
2020-12-12VuXML ID 388ebb5b-3c95-11eb-929d-d4c9ef517024

NLNetLabs reports:

Unbound and NSD when writing the PID file would not check if an existing file was a symlink. This could allow for a local symlink \ attack if an attacker has access to the user Unbound/NSD runs as.

more...
nsd
unbound

more detail
2020-12-12*VuXML ID 88dfd92f-3b9c-11eb-929d-d4c9ef517024

The LibreSSL project reports:

Malformed ASN.1 in a certificate revocation list or a timestamp response token can lead to a NULL pointer dereference.

more...
libressl
libressl-devel

more detail
2020-12-12VuXML ID fdc49972-3ca7-11eb-929d-d4c9ef517024

The p11-glue project reports:

CVE-2020-29363: Out-of-bounds write in p11_rpc_buffer_get_byte_array_value function

A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value.

CVE-2020-29362: Out-of-bounds read in p11_rpc_buffer_get_byte_array function

A heap-based buffer over-read has been discovered in the RPC protocol used by thep11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.

CVE-2020-29361: Integer overflow when allocating memory for arrays of attributes and object identifiers

Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.

more...
p11-kit

more detail
2020-12-09VuXML ID 3c77f139-3a09-11eb-929d-d4c9ef517024

The cURL project reports:

Trusting FTP PASV responses (CVE-2020-8284)

FTP wildcard stack overflow (CVE-2020-8285)

Inferior OCSP verification (CVE-2020-8286)

more...
curl

more detail
2020-12-07VuXML ID 5d5e5cda-38e6-11eb-bbbf-001b217b3468

Gitlab reports:

XSS in Zoom Meeting URL

Limited Information Disclosure in Private Profile

User email exposed via GraphQL endpoint

Group and project membership potentially exposed via GraphQL

Search terms logged in search parameter in rails logs

Un-authorised access to feature flag user list

A specific query on the explore page causes statement timeouts

Exposure of starred projects on private user profiles

Uncontrolled Resource Consumption in any Markdown field using Mermaid

Former group members able to view updates to confidential epics

Update GraphicsMagick dependency

Update GnuPG dependency

Update libxml dependency

more...
gitlab-ce

more detail
2020-12-06VuXML ID 8d17229f-3054-11eb-a455-ac1f6b16e566

Hashicorp reports:

Increase the permissions to read from the /connect/ca/configuration endpoint to operator:write. Previously Connect CA configuration, including the private key, set via this endpoint could be read back by an operator with operator:read privileges.

more...
consul

more detail
2020-12-05VuXML ID 01ffd06a-36ed-11eb-b655-3065ec8fd3ec

Chrome Releases reports:

This release contains 8 security fixes, including:

  • [1142331] High CVE-2020-16037: Use after free in clipboard. Reported by Ryoya Tsukasaki on 2020-10-26
  • [1138683] High CVE-2020-16038: Use after free in media. Reported by Khalil Zhani on 2020-10-14
  • [1149177] High CVE-2020-16039: Use after free in extensions. Reported by Anonymous on 2020-11-15
  • [1150649] High CVE-2020-16040: Insufficient data validation in V8. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-11-19
  • [1151865] Medium CVE-2020-16041: Out of bounds read in networking. Reported by Sergei Glazunov and Mark Brand of Google Project Zero on 2020-11-23
  • [1151890] Medium CVE-2020-16042: Uninitialized Use in V8. Reported by André Bargull on 2020-11-2
more...
chromium

more detail
2020-12-04VuXML ID b99492b2-362b-11eb-9f86-08002734b9ed

The Gitea Team reports for release 1.13.0:

  • Add Allow-/Block-List for Migrate and Mirrors
  • Prevent git operations for inactive users
  • Disallow urlencoded new lines in git protocol paths if there is a port
  • Mitigate Security vulnerability in the git hook feature
  • Disable DSA ssh keys by default
  • Set TLS minimum version to 1.2
  • Use argon as default password hash algorithm
  • Escape failed highlighted files
more...
gitea

more detail
2020-12-02VuXML ID 8eed0c5c-3482-11eb-b87a-901b0ef719ab

Problem Description:

When an ICMPv6 error message is received, the FreeBSD ICMPv6 stack may extract information from the message to hand to upper-layer protocols. As a part of this operation, it may parse IPv6 header options from a packet embedded in the ICMPv6 message.

The handler for a routing option caches a pointer into the packet buffer holding the ICMPv6 message. However, when processing subsequent options the packet buffer may be freed, rendering the cached pointer invalid. The network stack may later dereference the pointer, potentially triggering a use-after-free.

Impact:

A remote host may be able to trigger a read of freed kernel memory. This may trigger a kernel panic if the address had been unmapped.

more...
FreeBSD-kernel

more detail
2020-12-02VuXML ID e2748c9d-3483-11eb-b87a-901b0ef719ab

Problem Description:

Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling. First, rtsold(8) failed to perform sufficient bounds checking on the extent of the option. In particular, it does not verify that the option does not extend past the end of the received packet before processing its contents. The kernel currently ignores such malformed packets but still passes them to userspace programs.

Second, when processing a DNSSL option, rtsold(8) decodes domain name labels per an encoding specified in RFC 1035 in which the first octet of each label contains the label's length. rtsold(8) did not validate label lengths correctly and could overflow the destination buffer.

Impact:

It is believed that these bugs could be exploited to gain remote code execution within the rtsold(8) daemon, which runs as root. Note that rtsold(8) only processes messages received from hosts attached to the same physical link as the interface(s) on which rtsold(8) is listening.

In FreeBSD 12.2 rtsold(8) runs in a Capsicum sandbox, limiting the scope of a compromised rtsold(8) process.

more...
FreeBSD

more detail
2020-12-01VuXML ID 76c8b690-340b-11eb-a2b7-54e1ad3d6335

The X.org project reports:

These issues can lead to privileges elevations for authorized clients on systems where the X server is running privileged.

Insufficient checks on the lengths of the XkbSetMap request can lead to out of bounds memory accesses in the X server.

Insufficient checks on input of the XkbSetDeviceInfo request can lead to a buffer overflow on the head in the X server.

more...
xephyr
xorg-dmx
xorg-nestserver
xorg-server
xorg-vfbserver
xwayland

more detail
2020-11-27VuXML ID 618010ff-3044-11eb-8112-000c292ee6b8

The HashiCorp team reports:

  • artifact: Fixed a bug where interpolation can be used in the artifact destination field to write artifact payloads outside the allocation directory.
  • template: Fixed a bug where interpolation can be used in the template source and destination fields to read or write files outside the allocation directory even when disable_file_sandbox was set to false (the default).
  • template: Fixed a bug where the disable_file_sandbox configuration was only respected for the template file function and not the template source and destination fields.
more...
nomad

more detail
2020-11-21VuXML ID 55facdb0-2c24-11eb-9aac-08002734b9ed

The Gitea Team reports for release 1.12.6:

  • Prevent git operations for inactive users
  • Disallow urlencoded new lines in git protocol paths if there is a port
more...
gitea

more detail
2020-11-21VuXML ID ad792169-2aa4-11eb-ab71-0022489ad614

Node.js reports:

Updates are now available for v12.x, v14.x and v15.x Node.js release lines for the following issues.

Denial of Service through DNS request (CVE-2020-8277)

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of service by getting the application to resolve a DNS record with a larger number of responses.

more...
node
node12
node14

more detail
2020-11-20VuXML ID dc132c91-2b71-11eb-8cfd-4437e6ad11c4

Kevin J. McCarthy reports:

Mutt had incorrect error handling when initially connecting to an IMAP server, which could result in an attempt to authenticate without enabling TLS.

more...
mutt

more detail
2020-11-15*VuXML ID 19259833-26b1-11eb-a239-1c697a013f4b

Mantis 2.24.3 release reports:

This release fixes 3 security issues:

  • 0027039: CVE-2020-25781: Access to private bug note attachments
  • 0027275: CVE-2020-25288: HTML Injection on bug_update_page.php
  • 0027304: CVE-2020-25830: HTML Injection in bug_actiongroup_page.php
more...
mantis-php72
mantis-php73
mantis-php74
mantis-php80

more detail
2020-11-15*VuXML ID 8da79498-e6f6-11ea-8cbf-54e1ad3d6335

The X.org project reports:

There is an integer overflow and a double free vulnerability in the way LibX11 handles locales. The integer overflow is a necessary precursor to the double free.

more...
libX11

more detail
2020-11-12VuXML ID 50259d8b-243e-11eb-8bae-b42e99975750

SaltStack reports multiple security vulnerabilities in Salt 3002:

  • CVE-2020-16846: Prevent shell injections in netapi ssh client.
  • CVE-2020-17490: Prevent creating world readable private keys with the tls execution module.
  • CVE-2020-25592: Properly validate eauth credentials and tokens along with their ACLs. Prior to this change eauth was not properly validated when calling Salt ssh via the salt-api. Any value for 'eauth' or 'token' would allow a user to bypass authentication and make calls to Salt ssh.
more...
py36-salt
py37-salt
py38-salt

more detail
2020-11-12VuXML ID db4b2f27-252a-11eb-865c-00155d646400

The Go project reports:

A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat methods are similarly affected.

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by a malicious gcc flags specified via a #cgo directive.

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious unquoted symbol names.

more...
go

more detail
2020-11-10VuXML ID 4f15ca7b-23ae-11eb-9f59-1c1b0d9ea7e6

The Apache Openofffice project reports:

CVE-2020-13958 Unrestricted actions leads to arbitrary code execution in crafted documents

Description

A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target users file system. These hyperlinks can be triggered unconditionally. In fixed versions no internal protocol may be called from the document event handler and other hyperlinks require a control-click.

Severity: Low

There are no known exploits of this vulnerability.

A proof-of-concept demonstration exists.

Thanks to the reporter for discovering this issue.

Acknowledgments

The Apache OpenOffice Security Team would like to thank Imre Rad for discovering and reporting this attack vector.

more...
apache-openoffice
apache-openoffice-devel

more detail
2020-11-09VuXML ID 07c7ae7a-224b-11eb-aa6e-e0d55e2a8bf9

CVE MITRE reports:

raptor_xml_writer_start_element_common in raptor_xml_writer.c in Raptor RDF Syntax Library 2.0.15 miscalculates the maximum nspace declarations for the XML writer, leading to heap-based buffer overflows (sometimes seen in raptor_qname_format_as_xml).

more...
raptor2

more detail
2020-11-08VuXML ID cf39ddf8-21be-11eb-8b47-641c67a117d8

Jupyter reports:

6.1.5 is a security release, fixing one vulnerability: Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned)

more...
py37-notebook
py38-notebook
py39-notebook

more detail
2020-11-07*VuXML ID 4fba07ca-13aa-11eb-b31e-d4c9ef517024

Oracle reports:

This Critical Patch Update contains 48 new security patches for Oracle MySQL.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 8.

NOTE: MariaDB only contains CVE-2020-14812 CVE-2020-14765 CVE-2020-14776 and CVE-2020-14789

more...
mariadb103-server
mariadb104-server
mariadb105-server
mysql56-server
mysql57-server
mysql80-server

more detail
2020-11-05VuXML ID 29b7f0be-1fb7-11eb-b9d4-001999f8d30b

The Asterisk project reports:

If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.

more...
asterisk13
asterisk16
asterisk18

more detail
2020-11-05VuXML ID 972fe546-1fb6-11eb-b9d4-001999f8d30b

The Asterisk project reports:

Upon receiving a new SIP Invite, Asterisk did not return the created dialog locked or referenced. This caused a gap between the creation of the dialog object, and its next use by the thread that created it. Depending upon some off nominal circumstances, and timing it was possible for another thread to free said dialog in this gap. Asterisk could then crash when the dialog object, or any of its dependent objects were de-referenced, or accessed next by the initial creation thread.

more...
asterisk13
asterisk16
asterisk18

more detail
2020-11-03VuXML ID 3ec6ab59-1e0c-11eb-a428-3065ec8fd3ec

Chrome Releases reports:

This release contains 10 security fixes, including:

  • [1138911] High CVE-2020-16004: Use after free in user interface. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-10-15
  • [1139398] High CVE-2020-16005: Insufficient policy enforcement in ANGLE. Reported by Jaehun Jeong (@n3sk) of Theori on 2020-10-16
  • [1133527] High CVE-2020-16006: Inappropriate implementation in V8. Reported by Bill Parks on 2020-09-29
  • [1125018] High CVE-2020-16007: Insufficient data validation in installer. Reported by Abdelhamid Naceri (halov) on 2020-09-04
  • [1134107] High CVE-2020-16008: Stack buffer overflow in WebRTC. Reported by Tolya Korniltsev on 2020-10-01
  • [1143772] High CVE-2020-16009: Inappropriate implementation in V8. Reported by Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of Google Project Zero on 2020-10-29
  • [1144489] High CVE-2020-16011: Heap buffer overflow in UI on Windows. Reported by Sergei Glazunov of Google Project Zero on 2020-11-01

There are reports that an exploit for CVE-2020-16009 exists in the wild.

more...
chromium

more detail
2020-11-02VuXML ID 11325357-1d3c-11eb-ab74-4c72b94353b5

wordpress developers reports:

Ten security issues affect WordPress versions 5.5.1 and earlier. If you havent yet updated to 5.5, all WordPress versions since 3.7 have also been updated to fix the following security issues: -Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests. -Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network. -Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables. -Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC. -Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE. -Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs. -Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.

more...
de-wordpress
fr-wordpress
ja-wordpress
ru-wordpress
wordpress
zh_CN-wordpress
zh_TW-wordpress

more detail
2020-11-02VuXML ID 174e466b-1d48-11eb-bd0f-001b217b3468

Gitlab reports:

Path Traversal in LFS Upload

Path traversal allows saving packages in arbitrary location

Kubernetes agent API leaks private repos

Terraform state deletion API exposes object storage URL

Stored-XSS in error message of build-dependencies

Git credentials persisted on disk

Potential Denial of service via container registry

Info leak when group is transferred from private to public group

Limited File Disclosure Via Multipart Bypass

Unauthorized user is able to access scheduled pipeline variables and values

CSRF in runner administration page allows an attacker to pause/resume runners

Regex backtracking attack in path parsing of Advanced Search result

Bypass of required CODEOWNERS approval

SAST CiConfiguration information visible without permissions

more...
gitlab-ce

more detail
2020-10-30VuXML ID 8827134c-1a8f-11eb-9bb0-08002725d892

Nicholas Marriott reports:

tmux has a stack overflow in CSI parsing.

more...
tmux

more detail
2020-10-30VuXML ID 9ca85b7c-1b31-11eb-8762-005056a311d1

The Samba Team reports:

  • CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify
  • CVE-2020-14323: Unprivileged user can crash winbind
  • CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records
more...
samba410
samba411
samba412
samba413

more detail
2020-10-28VuXML ID 94ffc0d9-1915-11eb-b809-b42e991fc52e

cxsecurity.com reports:

A Denial of Service condition in Motion-Project Motion 3.2 through 4.3.1 allows remote unauthenticated users to cause a webu.c segmentation fault and kill the main process via a crafted HTTP request

more...
motion

more detail
2020-10-22VuXML ID 190176ce-3b3a-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).

more...
glpi

more detail
2020-10-22VuXML ID 458df97f-1440-11eb-aaec-e0d55e2a8bf9

The freetype project reports:

A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6.

more...
freetype2

more detail
2020-10-22VuXML ID 695b2310-3b3a-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).

more...
glpi

more detail
2020-10-21VuXML ID f4722927-1375-11eb-8711-3065ec8fd3ec

Chrome Releases reports:

This release includes 5 security fixes:

  • [1125337] High CVE-2020-16000: Inappropriate implementation in Blink. Reported by amaebi_jp on 2020-09-06
  • [1135018] High CVE-2020-16001: Use after free in media. Reported by Khalil Zhani on 2020-10-05
  • [1137630] High CVE-2020-16002: Use after free in PDFium. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-10-13
  • [1139963] High CVE-2020-15999: Heap buffer overflow in Freetype. Reported by Sergei Glazunov of Google Project Zero on 2020-10-19
  • [1134960] Medium CVE-2020-16003: Use after free in printing. Reported by Khalil Zhani on 2020-10-04
more...
chromium

more detail
2020-10-18VuXML ID a2565962-1156-11eb-9c9c-d4c9ef517024

The MariaDB project reports:

Details of this vulnerability have not yet been disclosed

more...
mariadb103-client
mariadb103-server
mariadb104-client
mariadb104-server
mariadb105-client
mariadb105-server

more detail
2020-10-17VuXML ID 5f39d80f-107c-11eb-8b47-641c67a117d8

Matrix developers reports:

The fallback authentication endpoint served via Synapse were vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.

more...
py36-matrix-synapse
py37-matrix-synapse
py38-matrix-synapse
py39-matrix-synapse

more detail
2020-10-17VuXML ID 95d9d986-1078-11eb-ab74-4c72b94353b5

Drupal Security Team reports:

The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.

more...
drupal7

more detail
2020-10-14VuXML ID a6860b11-0dee-11eb-94ff-6805ca2fa271

PowerDNS Team reports:

CVE-2020-25829: An issue has been found in PowerDNS Recursor where a remote attacker can cause the cached records for a given name to be updated to the ‘Bogus’ DNSSEC validation state, instead of their actual DNSSEC ‘Secure’ state, via a DNS ANY query. This results in a denial of service for installations that always validate (dnssec=validate) and for clients requesting validation when on-demand validation is enabled (dnssec=process).

more...
powerdns-recursor

more detail
2020-10-13VuXML ID 42926d7b-0da3-11eb-8dbd-6451062f0f7a

Adobe reports:

  • This update resolves a NULL pointer dereference vulnerability that could lead to arbitrary code execution (CVE-2020-9746).
more...
linux-flashplayer

more detail
2020-10-10VuXML ID 040707f9-0b2a-11eb-8834-00155d01f202

NIST reports:

  • Heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.
more...
mozjpeg

more detail
2020-10-10VuXML ID 23a667c7-0b28-11eb-8834-00155d01f202

libjpeg-turbo releases reports:

This release fixes the following security issue:

  • Heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.
more...
libjpeg-turbo

more detail
2020-10-10VuXML ID 95f306a6-0aee-11eb-add4-08002728f74c

Ruby on Rails blog:

Rails version 6.0.3.4 has been released! This version is a security release and addresses one possible XSS attack vector in Actionable Exceptions.

more...
rubygem-actionpack60

more detail
2020-10-07VuXML ID 64988354-0889-11eb-a01b-e09467587c17

Chrome releases reports:

This release contains 35 security fixes, including:

  • [1127322] Critical CVE-2020-15967: Use after free in payments. Reported by Man Yue Mo of GitHub Security Lab on 2020-09-11
  • [1126424] High CVE-2020-15968: Use after free in Blink. Reported by Anonymous on 2020-09-09
  • [1124659] High CVE-2020-15969: Use after free in WebRTC. Reported by Anonymous on 2020-09-03
  • [1108299] High CVE-2020-15970: Use after free in NFC. Reported by Man Yue Mo of GitHub Security Lab on 2020-07-22
  • [1114062] High CVE-2020-15971: Use after free in printing. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-08-07
  • [1115901] High CVE-2020-15972: Use after free in audio. Reported by Anonymous on 2020-08-13
  • [1133671] High CVE-2020-15990: Use after free in autofill. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on 2020-09-30
  • [1133688] High CVE-2020-15991: Use after free in password manager. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on 2020-09-30
  • [1106890] Medium CVE-2020-15973: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-07-17
  • [1104103] Medium CVE-2020-15974: Integer overflow in Blink. Reported by Juno Im (junorouse) of Theori on 2020-07-10
  • [1110800] Medium CVE-2020-15975: Integer overflow in SwiftShader. Reported by Anonymous on 2020-07-29
  • [1123522] Medium CVE-2020-15976: Use after free in WebXR. Reported by YoungJoo Lee (@ashuu_lee) of Raon Whitehat on 2020-08-31
  • [1083278] Medium CVE-2020-6557: Inappropriate implementation in networking. Reported by Matthias Gierlings and Marcus Brinkmann (NDS Ruhr-University Bochum) on 2020-05-15
  • [1097724] Medium CVE-2020-15977: Insufficient data validation in dialogs. Reported by Narendra Bhati (@imnarendrabhati) on 2020-06-22
  • [1116280] Medium CVE-2020-15978: Insufficient data validation in navigation. Reported by Luan Herrera (@lbherrera_) on 2020-08-14
  • [1127319] Medium CVE-2020-15979: Inappropriate implementation in V8. Reported by Avihay Cohen (@SeraphicAlgorithms) on 2020-09-11
  • [1092453] Medium CVE-2020-15980: Insufficient policy enforcement in Intents. Reported by Yongke Wang (@Rudykewang) and Aryb1n (@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-08
  • [1123023] Medium CVE-2020-15981: Out of bounds read in audio. Reported by Christoph Guttandin on 2020-08-28
  • [1039882] Medium CVE-2020-15982: Side-channel information leakage in cache. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
  • [1076786] Medium CVE-2020-15983: Insufficient data validation in webUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-04-30
  • [1080395] Medium CVE-2020-15984: Insufficient policy enforcement in Omnibox. Reported by Rayyan Bijoora on 2020-05-07
  • [1099276] Medium CVE-2020-15985: Inappropriate implementation in Blink. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2020-06-25
  • [1100247] Medium CVE-2020-15986: Integer overflow in media. Reported by Mark Brand of Google Project Zero on 2020-06-29
  • [1127774] Medium CVE-2020-15987: Use after free in WebRTC. Reported by Philipp Hancke on 2020-09-14
  • [1110195] Medium CVE-2020-15992: Insufficient policy enforcement in networking. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-28
  • [1092518] Low CVE-2020-15988: Insufficient policy enforcement in downloads. Reported by Samuel Attard on 2020-06-08
  • [1108351] Low CVE-2020-15989: Uninitialized Use in PDFium. Reported by Gareth Evans (Microsoft) on 2020-07-22
more...
chromium

more detail
2020-10-07VuXML ID 769a4f60-9056-4c27-89a1-1758a59a21f8

Jon Siwek of Corelight reports:

This release fixes the following security issue:

  • A memory leak in multipart MIME code has potential for remote exploitation and cause for Denial of Service via resource exhaustion.
more...
zeek

more detail
2020-10-06VuXML ID 71c71ce0-0805-11eb-a3a4-0019dbb15b3f

Payara Releases reports:

The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:

  • CVE-2018-14721 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks
  • CVE-2018-14720 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct external XML entity (XXE) attacks
  • CVE-2018-14719 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code
  • CVE-2018-14718 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code
  • CVE-2018-14371 Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter
more...
payara

more detail
2020-10-06VuXML ID b07bdd3c-0809-11eb-a3a4-0019dbb15b3f

Payara Releases reports:

The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:

  • CVE-2020-6950 Eclipse Mojarra vulnerable to path trasversal flaw via either loc/con parameters
more...
payara

more detail
2020-10-06VuXML ID bd159669-0808-11eb-a3a4-0019dbb15b3f

Payara Releases reports:

The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:

  • CVE-2019-12086 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9
more...
payara

more detail
2020-10-05VuXML ID cff0b2e2-0716-11eb-9e5d-08002728f74c

Release notes:

Lots of fixes exposed by fuzzers like AFL, ClusterFuzz, OSSFuzz and others:

CVE-2016-6328: fixed integer overflow when parsing maker notes

CVE-2017-7544: fixed buffer overread

CVE-2018-20030: Fix for recursion DoS

CVE-2019-9278: replaced integer overflow checks the compiler could optimize away by safer constructs

CVE-2020-0093: read overflow

CVE-2020-12767: fixed division by zero

CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes

CVE-2020-13113: Potential use of uninitialized memory

CVE-2020-13114: Time consumption DoS when parsing canon array markers

more...
libexif

more detail
2020-10-04VuXML ID c71ed065-0600-11eb-8758-e0d55e2a8bf9

Albert Astals Cid reports:

KDE Project Security Advisory

Title KDE Connect: packet manipulation can be exploited in a Denial of Service attack
Risk Rating Important
CVE CVE-2020-26164
Versions kdeconnect <= 20.08.1
Author Albert Vaca Cintora
Date 2 October 2020

Overview

An attacker on your local network could send maliciously crafted packets to other hosts running kdeconnect on the network, causing them to use large amounts of CPU, memory or network connections, which could be used in a Denial of Service attack within the network.

Impact

Computers that run kdeconnect are susceptible to DoS attacks from the local network.

Workaround

We advise you to stop KDE Connect when on untrusted networks like those on airports or conferences.

Since kdeconnect is dbus activated it is relatively hard to make sure it stays stopped so the brute force approach is to uninstall the kdeconnect package from your system and then run

	      kquitapp5 kdeconnectd
	  

Just install the package again once you're back in a trusted network.

Solution

KDE Connect 20.08.2 patches several code paths that could result in a DoS.

You can apply these patches on top of 20.08.1:

  • https://invent.kde.org/network/kdeconnect-kde/-/commit/f183b5447bad47655c21af87214579f03bf3a163
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/b279c52101d3f7cc30a26086d58de0b5f1c547fa
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/d35b88c1b25fe13715f9170f18674d476ca9acdc
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/b496e66899e5bc9547b6537a7f44ab44dd0aaf38
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/5310eae85dbdf92fba30375238a2481f2e34943e
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/721ba9faafb79aac73973410ee1dd3624ded97a5
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/ae58b9dec49c809b85b5404cee17946116f8a706
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/66c768aa9e7fba30b119c8b801efd49ed1270b0a
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/85b691e40f525e22ca5cc4ebe79c361d71d7dc05
  • https://invent.kde.org/network/kdeconnect-kde/-/commit/48180b46552d40729a36b7431e97bbe2b5379306

Credits

Thanks Matthias Gerstner and the openSUSE security team for reporting the issue.

Thanks to Aleix Pol, Nicolas Fella and Albert Vaca Cintora for the patches.

more...
kdeconnect-kde

more detail
2020-10-03VuXML ID a23871f6-059b-11eb-8758-e0d55e2a8bf9

CVE mitre reports:

Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.

more...
upnp

more detail
2020-10-02VuXML ID a3495e61-047f-11eb-86ea-001b217b3468

Gitlab reports:

Potential Denial Of Service Via Update Release Links API

Insecure Storage of Session Key In Redis

Improper Access Expiration Date Validation

Cross-Site Scripting in Multiple Pages

Unauthorized Users Can View Custom Project Template

Cross-Site Scripting in SVG Image Preview

Incomplete Handling in Account Deletion

Insufficient Rate Limiting at Re-Sending Confirmation Email

Improper Type Check in GraphQL

To-dos Are Not Redacted When Membership Changes

Guest users can modify confidentiality attribute

Command injection on runner host

Insecure Runner Configuration in Kubernetes Environments

more...
gitlab-ce

more detail
2020-10-01VuXML ID 6a467439-3b38-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. This issue is fixed in version 9.5.3. As a workaround, one can remove the caldav.php file to block access to CalDAV server.

more...
glpi

more detail
2020-09-28VuXML ID 6d5f1b0b-b865-48d5-935b-3fb6ebb425fc

Apache reports:

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.

more...
apache-ant

more detail
2020-09-26*VuXML ID 456375e1-cd09-11ea-9172-4c72b94353b5

Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize.

more...
pango

more detail
2020-09-24VuXML ID b371db92-fe34-11ea-b90e-6805ca2fa271

PowerDNS Team reports

CVE-2020-17482: An issue has been found in PowerDNS Authoritative Server before 4.3.1 where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. Such a user could be a customer inserting data via a control panel, or somebody with access to the REST API. Crafted records cannot be inserted via AXFR.

more...
powerdns

more detail
2020-09-22VuXML ID e68d3db1-fd04-11ea-a67f-e09467587c17

Chrome Releases reports:

This release fixes 10 security issues, including:

  • [1100136] High CVE-2020-15960: Out of bounds read in storage. Reported by Anonymous on 2020-06-28
  • [1114636] High CVE-2020-15961: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-10
  • [1121836] High CVE-2020-15962: Insufficient policy enforcement in serial. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-08-26
  • [1113558] High CVE-2020-15963: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-06
  • [1126249] High CVE-2020-15965: Out of bounds write in V8. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-09-08
  • [1113565] Medium CVE-2020-15966: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-06
  • [1121414] Low CVE-2020-15964: Insufficient data validation in media. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2020-08-25
more...
chromium

more detail
2020-09-22VuXML ID f5abafc0-fcf6-11ea-8758-e0d55e2a8bf9

CVE mitre reports:

CVE-2019-20388

xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.

CVE-2020-7595

xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

CVE-2020-24977

GNOME project libxml2 v2.9.10 and earlier have a global buffer over-read vulnerability in xmlEncodeEntitiesInternal

more...
libxml2

more detail
2020-09-21VuXML ID 2327234d-fc4b-11ea-adef-641c67a117d8

Problem Description:

Affected Synapse versions assume that all events have an "origin" field set. If an event without the "origin" field is sent into a federated room, servers not already joined to the room will be unable to do so due to failing to fetch the malformed event.

Impact:

An attacker could cause a denial of service by deliberately sending a malformed event into a room, thus preventing new servers (and thus their users) from joining the room.

more...
py36-matrix-synapse
py37-matrix-synapse
py38-matrix-synapse

more detail
2020-09-20VuXML ID 24ace516-fad7-11ea-8d8c-005056a311d1

The Samba Team reports:

An unauthenticated attacker on the network can gain administrator access by exploiting a netlogon protocol flaw.

more...
samba410
samba411
samba412

more detail
2020-09-20VuXML ID 2cb21232-fb32-11ea-a929-a4bf014bf5f7

Python reports:

bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(…).

bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523).

bpo-41004: CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).

bpo-39073: Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.

bpo-38576: Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised.

bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

bpo-38945: Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process.

bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar. Patch by Ben Caller.

bpo-39017: Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).

bpo-41183: Use 3072 RSA keys and SHA-256 signature for test certs and keys.

bpo-39503: AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge.

more...
python35

more detail
2020-09-20VuXML ID 2eec1e85-faf3-11ea-8ac0-4437e6ad11c4

tt-rss project reports:

The cached_url feature mishandles JavaScript inside an SVG document.

imgproxy in plugins/af_proxy_http/init.php mishandles $_REQUEST["url"] in an error message.

It does not validate all URLs before requesting them.

Allows remote attackers to execute arbitrary PHP code via a crafted plural forms header.

more...
tt-rss

more detail
2020-09-19VuXML ID eeec4e6f-fa71-11ea-9bb7-d4c9ef517024

The Nextcloud project reports:

NC-SA-2020-026 (low): Password of share by mail is not hashed when given on the create share call

A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call.

more...
nextcloud

more detail
2020-09-16VuXML ID 2c5b9cd7-f7e6-11ea-88f8-901b0ef719ab

Problem Description:

AMD and Intel CPUs support hardware virtualization using specialized data structures that control various aspects of guest operation. These are the Virtual Machine Control Structure (VMCS) on Intel CPUs, and the Virtual Machine Control Block (VMCB) on AMD CPUs. Insufficient access controls allow root users, including those running in a jail, to change these data structures.

Impact:

An attacker with host root access (including to a jailed bhyve instance) can use this vulnerability to achieve kernel code execution.

more...
FreeBSD-kernel

more detail
2020-09-16VuXML ID 4ca5894c-f7f1-11ea-8ff8-0022489ad614

Node.js reports:

Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues.

HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201)

Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.

Impacts:

  • All versions of the 14.x and 12.x releases line

Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical) (CVE-2020-8251)

Node.js is vulnerable to HTTP denial of service (DOS) attacks based on delayed requests submission which can make the server unable to accept new connections. The fix a new http.Server option called requestTimeout with a default value of 0 which means it is disabled by default. This should be set when Node.js is used as an edge server, for more details refer to the documentation.

Impacts:

  • All versions of the 14.x release line

fs.realpath.native on may cause buffer overflow (Medium) (CVE-2020-8252)

libuv's realpath implementation incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.

Impacts:

  • All versions of the 10.x release line
  • All versions of the 12.x release line
  • All versions of the 14.x release line before 14.9.0
more...
node
node10
node12

more detail
2020-09-16VuXML ID 6d334fdb-f7e7-11ea-88f8-901b0ef719ab

Problem Description:

A ftpd(8) bug in the implementation of the file system sandbox, combined with capabilities available to an authenticated FTP user, can be used to escape the file system restriction configured in ftpchroot(5). Moreover, the bug allows a malicious client to gain root privileges.

Impact:

A malicious FTP user can gain privileged access to an affected system.

more...
FreeBSD

more detail
2020-09-16VuXML ID bb53af7b-f7e4-11ea-88f8-901b0ef719ab

Problem Description:

A programming error in the ure(4) device driver caused some Realtek USB Ethernet interfaces to incorrectly report packets with more than 2048 bytes in a single USB transfer as having a length of only 2048 bytes.

An adversary can exploit this to cause the driver to misinterpret part of the payload of a large packet as a separate packet, and thereby inject packets across security boundaries such as VLANs.

Impact:

An attacker that can send large frames (larger than 2048 bytes in size) to be received by the host (be it VLAN, or non-VLAN tagged packet), can inject arbitrary packets to be received and processed by the host. This includes spoofing packets from other hosts, or injecting packets to other VLANs than the host is on.

more...
FreeBSD-kernel

more detail
2020-09-16VuXML ID e73c688b-f7e6-11ea-88f8-901b0ef719ab

Problem Description:

A number of AMD virtualization instructions operate on host physical addresses, are not subject to nested page table translation, and guest use of these instructions was not trapped.

Impact:

From kernel mode a malicious guest can write to arbitrary host memory (with some constraints), affording the guest full control of the host.

more...
FreeBSD-kernel

more detail
2020-09-12VuXML ID 7b630362-f468-11ea-a96c-08002728f74c

Ruby on Rails blog:

Rails 5.2.4.4 and 6.0.3.3 have been released! These releases contain an important security fix, so please upgrade when you can.

Both releases contain the following fix: [CVE-2020-15169] Potential XSS vulnerability in Action View

more...
rubygem-actionview52
rubygem-actionview60

more detail
2020-09-09VuXML ID 2c92fdd3-896c-4a5a-a0d8-52acee69182d

Jon Siwek of Corelight reports:

This release fixes the following security issue:

  • The AYIYA and GTPv1 parsing/decapsulation logic may leak memory -- These leaks have potential for remote exploitation to cause Denial of Service via resource exhaustion.
more...
zeek

more detail
2020-09-09VuXML ID bed5d41a-f2b4-11ea-a878-e09467587c17

Chrome Releases reports:

This release contains 5 security fixes:

  • [1116304] High CVE-2020-6573: Use after free in video. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-08-14
  • [1102196] High CVE-2020-6574: Insufficient policy enforcement in installer. Reported by CodeColorist of Ant-Financial LightYear Labs on 2020-07-05
  • [1081874] High CVE-2020-6575: Race in Mojo. Reported by Microsoft on 2020-05-12
  • [1111737] High CVE-2020-6576: Use after free in offscreen canvas. Reported by Looben Yang on 2020-07-31
  • [1122684] High CVE-2020-15959: Insufficient policy enforcement in networking. Reported by Eric Lawrence of Microsoft on 2020-08-27
more...
chromium

more detail
2020-09-07VuXML ID 3749ae9e-f132-11ea-97da-d05099c0ae8c

Chen Nan of Chaitin Security Research Lab reports:

Fix buffer overflow introduced in version 5.8: processing of template %aX in a RADIUS authentication response might lead to unexpected termination of the mpd5 process. Installations not using RADIUS or not using %aX templates in RADIUS attributes were not affected.

Fix buffer overflow in parsing of L2TP control packets introduced in version 4.0 that initially brought in L2TP support: a specially crafted incoming L2TP control packet might lead to unexpected termination of the process. Installations with neither L2TP clients nor L2TP server configured are not affected.

more...
mpd5

more detail
2020-09-07*VuXML ID cd97c7ca-f079-11ea-9c31-001b216d295b

Version 5.9 contains security fix for L2TP clients and servers. Insufficient validation of incoming L2TP control packet specially crafted by unauthenticated user might lead to unexpected termination of the process. The problem affects mpd versions since 4.0 that brought in initial support for L2TP. Installations not using L2TP clients nor L2TP server configuration were not affected.

more...
mpd5

more detail
2020-09-06VuXML ID 2272e6f1-f029-11ea-838a-0011d823eebd

The GnuTLS project reports:

It was found by oss-fuzz that the server sending a "no_renegotiation" alert in an unexpected timing, followed by an invalid second handshake can cause a TLS 1.3 client to crash via a null-pointer dereference. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.

more...
gnutls

more detail
2020-09-06VuXML ID 4c69240f-f02c-11ea-838a-0011d823eebd

Manuel Pégourié-Gonnard reports:

When decrypting/authenticating (D)TLS record in a connection using a CBC ciphersuite without the Encrypt-then-Mac extension RFC 7366, Mbed TLS used dummy rounds of the compression function associated with the hash used for HMAC in order to hide the length of the padding to remote attackers, as recommended in the original Lucky Thirteen paper.

A local attacker who is able to observe the state of the cache could monitor the presence of mbedtls_md_process() in the cache in order to determine when the actual computation ends and when the dummy rounds start. This is a reliable target as it's always called at least once, in response to a previous attack. The attacker can then continue with one of many well-documented Lucky 13 variants.

more...
mbedtls

more detail
2020-09-06VuXML ID bcdeb6d2-f02d-11ea-838a-0011d823eebd

Manuel Pégourié-Gonnard reports:

An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can recover the private keys used in RSA or static (finite-field) Diffie-Hellman operations.

more...
mbedtls

more detail
2020-09-05VuXML ID 002432c8-ef6a-11ea-ba8f-08002728f74c

Django Release notes:

CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+

On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the collectstatic management command.

CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+

On Python 3.7+, the intermediate-level directories of the file system cache had the system's standard umask rather than 0o077 (no group or others permissions).

more...
py35-django22
py36-django22
py36-django30
py36-django31
py37-django22
py37-django30
py37-django31
py38-django22
py38-django30
py38-django31

more detail
2020-09-05*VuXML ID 6842ac7e-d250-11ea-b9b7-08002728f74c

JasPer NEWS:

- Fix CVE-2018-9154

- Fix CVE-2018-19541

- Fix CVE-2016-9399, CVE-2017-13751

- Fix CVE-2018-19540

- Fix CVE-2018-9055

- Fix CVE-2017-13748

- Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505

- Fix CVE-2018-9252

- Fix CVE-2018-19139

- Fix CVE-2018-19543, CVE-2017-9782

- Fix CVE-2018-20570

- Fix CVE-2018-20622

- Fix CVE-2016-9398

- Fix CVE-2017-14132

- Fix CVE-2017-5499

- Fix CVE-2018-18873

- Fix CVE-2017-13750

more...
jasper

more detail
2020-09-03VuXML ID f9fa7adc-ee51-11ea-a240-002590acae31

Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour.

Importing an arbitrary key can often easily be triggered by an attacker and thus triggering this bug. Exploiting the bug aside from crashes is not trivial but likely possible for a dedicated attacker. The major hurdle for an attacker is that only every second byte is under their control with every first byte having a fixed value of 0x04.

more...
gnupg

more detail
2020-09-02VuXML ID 1fb13175-ed52-11ea-8b93-001b217b3468

Gitlab reports:

Vendor Cross-Account Assume-Role Attack

Stored XSS on the Vulnerability Page

Outdated Job Token Can Be Reused to Access Unauthorized Resources

File Disclosure Via Workhorse File Upload Bypass

Unauthorized Maintainer Can Edit Group Badge

Denial of Service Within Wiki Functionality

Sign-in Vulnerable to Brute-force Attacks

Invalidated Session Allows Account Access With an Old Password

GitLab Omniauth Endpoint Renders User Controlled Messages

Blind SSRF Through Repository Mirroring

Information Disclosure Through Incorrect Group Permission Verifications

No Rate Limit on GitLab Webhook Feature

GitLab Session Revocation Feature Does Not Invalidate All Sessions

OAuth Authorization Scope for an External Application Can Be Changed Without User Consent

Unauthorized Maintainer Can Delete Repository

Improper Verification of Deploy-Key Leads to Access Restricted Repository

Disabled Repository Still Accessible With a Deploy-Token

Duplicated Secret Code Generated by 2 Factor Authentication Mechanism

Lack of Validation Within Project Invitation Flow

Current Sessions Not Invalidated Upon Enabling 2 Factor Authentication

Users Without 2 Factor Authentication Can Be Blocked Accessing GitLab

Lack of Upper Bound Check Leading to Possible Denial of Service

2 Factor Authentication for Groups Was Not Enforced Within API Endpoint

GitLab Runner Denial of Service via CI Jobs

Update jQuery Dependency

more...
gitlab-ce

more detail
2020-09-02VuXML ID 74bbde13-ec17-11ea-88f8-901b0ef719ab

Problem Description:

Due to improper mbuf handling in the kernel, a use-after-free bug might be triggered by sending IPv6 Hop-by-Hop options over the loopback interface.

Impact:

Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic.

more...
FreeBSD-kernel

more detail
2020-09-02VuXML ID 762b7d4a-ec19-11ea-88f8-901b0ef719ab

Problem Description:

When parsing option 119 data, dhclient(8) computes the uncompressed domain list length so that it can allocate an appropriately sized buffer to store the uncompressed list. The code to compute the length failed to handle certain malformed input, resulting in a heap overflow when the uncompressed list is copied into in inadequately sized buffer.

Impact:

The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit. However, it is possible the bug could be combined with other vulnerabilities to escape the sandbox.

more...
FreeBSD

more detail
2020-09-02VuXML ID 77b877aa-ec18-11ea-88f8-901b0ef719ab

Problem Description:

Due to improper handling in the kernel, a use-after-free bug can be triggered by sending large user messages from multiple threads on the same socket.

Impact:

Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic.

more...
FreeBSD-kernel

more detail
2020-09-01VuXML ID 67b050ae-ec82-11ea-9071-10c37b4ac2ea

The Go project reports:

When a Handler does not explicitly set the Content-Type header, both CGI implementations default to “text/html”. If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file) this might be mistakenly returned by the server as “text/html”. If a victim visits such a page they could get the attacker's code executed in the context of the server origin. If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file) this might be mistakenly returned by the server as “text/html”. If a victim visits such a page they could get the attacker's code executed in the context of the server origin.

more...
go

more detail
2020-08-28VuXML ID 38fdf07b-e8ec-11ea-8bbe-e0d55e2a8bf9

Albert Astals Cid reports:

Overview

A maliciously crafted TAR archive containing symlink entries would install files anywhere in the user's home directory upon extraction.

Proof of concept

For testing, an example of malicious archive can be found at dirsymlink.tar

Impact

Users can unwillingly install files like a modified .bashrc, or a malicious script placed in ~/.config/autostart.

Workaround

Before extracting a downloaded archive using the Ark GUI, users should inspect it to make sure it doesn't contain symlink entries pointing outside the extraction folder.

The 'Extract' context menu from the Dolphin file manager shouldn't be used.

Solution

Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.

Alternatively, 8bf8c5ef07b0ac5e914d752681e470dea403a5bd can be applied to previous releases.

Credits

Thanks to Fabian Vogt for reporting this issue and for fixing it.

more...
ark

more detail
2020-08-27VuXML ID ee261034-b95e-4479-b947-08b0877e029f

grigoritchy at gmail dot com reports:

The phar_parse_zipfile function had use-after-free vulnerability because of mishandling of the actual_alias variable.

more...
php72
php73
php74

more detail
2020-08-26VuXML ID d73bc4e6-e7c4-11ea-a878-e09467587c17

Chrome Releases reports:

This update includes 20 security fixes, including:

  • [1109120] High CVE-2020-6558: Insufficient policy enforcement in iOS. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-24
  • [1116706] High CVE-2020-6559: Use after free in presentation API. Reported by Liu Wei and Wu Zekai of Tencent Security Xuanwu Lab on 2020-08-15
  • [1108181] Medium CVE-2020-6560: Insufficient policy enforcement in autofill. Reported by Nadja Ungethuem from www.unnex.de on 2020-07-22
  • [932892] Medium CVE-2020-6561: Inappropriate implementation in Content Security Policy. Reported by Rob Wu on 2019-02-16
  • [1086845] Medium CVE-2020-6562: Insufficient policy enforcement in Blink. Reported by Masato Kinugawa on 2020-05-27
  • [1104628] Medium CVE-2020-6563: Insufficient policy enforcement in intent handling. Reported by Pedro Oliveira on 2020-07-12
  • [841622] Medium CVE-2020-6564: Incorrect security UI in permissions. Reported by Khalil Zhani on 2018-05-10
  • [1029907] Medium CVE-2020-6565: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-12-02
  • [1065264] Medium CVE-2020-6566: Insufficient policy enforcement in media. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-03-27
  • [937179] Low CVE-2020-6567: Insufficient validation of untrusted input in command line handling. Reported by Joshua Graham of TSS on 2019-03-01
  • [1092451] Low CVE-2020-6568: Insufficient policy enforcement in intent handling. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-08
  • [995732] Low CVE-2020-6569: Integer overflow in WebUSB. Reported by guaixiaomei on 2019-08-20
  • [1084699] Low CVE-2020-6570: Side-channel information leakage in WebRTC. Reported by Signal/Tenable on 2020-05-19
  • [1085315] Low CVE-2020-6571: Incorrect security UI in Omnibox. Reported by Rayyan Bijoora on 2020-05-21
more...
chromium

more detail
2020-08-25*VuXML ID a003b74f-d7b3-11ea-9df1-001b217b3468

Gitlab reports:

Arbitrary File Read when Moving an Issue

Memory Exhaustion via Excessive Logging of Invite Email Error

Denial of Service Through Project Import Feature

User Controlled Git Configuration Settings Resulting in SSRF

Stored XSS in Issue Reference Number Tooltip

Stored XSS in Issues List via Milestone Title

Improper Access Control After Group Transfer

Bypass Email Verification Required for OAuth Flow

Confusion When Using Hexadecimal Branch Names

Insufficient OAuth Revocation

Improper Access Control for Project Sharing

Stored XSS in Jobs Page

Improper Access Control of Applications Page

SSRF into Shared Runner

Update Kramdown Gem

more...
gitlab-ce

more detail
2020-08-25VuXML ID ffa15b3b-e6f6-11ea-8cbf-54e1ad3d6335

The X.org project reports:

All theses issuses can lead to local privileges elevation on systems where the X server is running privileged.

The handler for the XkbSetNames request does not validate the request length before accessing its contents.

An integer underflow exists in the handler for the XIChangeHierarchy request.

An integer underflow exist in the handler for the XkbSelectEvents request.

An integer underflow exist in the handler for the CreateRegister request of the X record extension.

more...
xephyr
xorg-dmx
xorg-nestserver
xorg-server
xorg-vfbserver
xwayland

more detail
2020-08-22VuXML ID 719f06af-e45e-11ea-95a1-c3b8167b8026

Miroslav Lichvar reports:

chrony-3.5.1 [...] fixes a security issue in writing of the pidfile.

When chronyd is configured to save the pidfile in a directory where the chrony user has write permissions (e.g. /var/run/chrony - the default since chrony-3.4), an attacker that compromised the chrony user account could create a symbolic link at the location of the pidfile to make chronyd starting with root privileges follow the symlink and write its process ID to a file for which the chrony user doesn't have write permissions, causing a denial of service, or data loss.

This issue was reported by Matthias Gerstner of SUSE.

more...
chrony

more detail
2020-08-20VuXML ID 08de38d2-e2d0-11ea-9538-0c9d925bbbc0

Ian Jackson and the adns project reports:

Vulnerable applications: all adns callers. Exploitable by: the local recursive resolver. Likely worst case: Remote code execution.

Vulnerable applications: those that make SOA queries. Exploitable by: upstream DNS data sources. Likely worst case: DoS (crash of the adns-using application)

Vulnerable applications: those that use adns_qf_quoteok_query. Exploitable by: sources of query domain names. Likely worst case: DoS (crash of the adns-using application)

Vulnerable applications: adnshost. Exploitable by: code responsible for framing the input. Likely worst case: DoS (adnshost crashes at EOF).

more...
adns

more detail
2020-08-20VuXML ID 2ed7e8db-e234-11ea-9392-002590bc43be

Andrew Walker reports:

Issue 1:

Users are always granted permissions to cd into a directory. The check for whether execute is present on directories is a de-facto no-op. This cannot be mitigated without upgrading. Even setting an explicit "deny - execute" NFSv4 ACE will be bypassed.

Issue 2:

All ACEs for the owner_group (group@) and regular groups (group:) are granted the current user. This means that POSIX mode 770 is de-facto 777, and the below ACL is also de-facto 777 because the groupmember check for builtin_administrators returns True.

root@TESTBOX[~]# getfacl testfile
# file: testfile
# owner: root
# group: wheel
group:builtin_administrators:rwxpDdaARWcCos:-------:allow
	  
more...
openzfs-kmod

more detail
2020-08-20VuXML ID fbca6863-e2ad-11ea-9d39-00a09858faf5

Elastic reports:

A field disclosure flaw was found in Elasticsearch when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.

more...
elasticsearch6

more detail
2020-08-19VuXML ID 3fcb70a4-e22d-11ea-98b2-080027846a02

Python reports:

bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523).

bpo-41004: CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).

bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(...).

more...
python36
python37

more detail
2020-08-19VuXML ID b905dff4-e227-11ea-b0ea-08002728f74c

curl security problems:

CVE-2020-8231: wrong connect-only connection

An application that performs multiple requests with libcurl's multi API and sets the CURLOPT_CONNECT_ONLY option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection - and instead pick another one the application has created since then.

CURLOPT_CONNECT_ONLY is the option to tell libcurl to not perform an actual transfer, only connect. When that operation is completed, libcurl remembers which connection it used for that transfer and "easy handle". It remembers the connection using a pointer to the internal connectdata struct in memory.

If more transfers are then done with the same multi handle before the connect-only connection is used, leading to the initial connect-only connection to get closed (for example due to idle time-out) while also new transfers (and connections) are setup, such a new connection might end up getting the exact same memory address as the now closed connect-only connection.

If after those operations, the application then wants to use the original transfer's connect-only setup to for example use curl_easy_send() to send raw data over that connection, libcurl could erroneously find an existing connection still being alive at the address it remembered since before even though this is now a new and different connection.

The application could then accidentally send data over that connection which wasn't at all intended for that recipient, entirely unknowingly.

more...
curl

more detail
2020-08-19VuXML ID f60561e7-e23e-11ea-be64-507b9d01076a

Icinga development team reports:

CVE-2020-24368

Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2.

more...
icingaweb2

more detail
2020-08-18VuXML ID 64575bb6-e188-11ea-beed-e09467587c17

Chrome Releases reports:

This release contains one security fix:

  • [1115345] High CVE-2020-6556: Heap buffer overflow in SwiftShader. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-08-12
more...
chromium

more detail
2020-08-18VuXML ID e37a0a7b-e1a7-11ea-9538-0c9d925bbbc0

the TrouSerS project reports reports:

If the tcsd daemon is started with root privileges, it fails to drop the root gid after it is no longer needed.

If the tcsd daemon is started with root privileges, the tss user has read and write access to the /etc/tcsd.conf file.

If the tcsd daemon is started with root privileges, the creation of the system.data file is prone to symlink attacks.

more...
trousers

more detail
2020-08-17VuXML ID 09ea1b08-1d3e-4bf2-91a1-d6573f4da3d8

Jenkins Security Advisory:

Description

(Critical) SECURITY-1983 / CVE-2019-17638

Buffer corruption in bundled Jetty

more...
jenkins
jenkins-lts

more detail
2020-08-16VuXML ID 085399ab-dfd7-11ea-96e4-80ee73bc7b66

rsync developers reports:

Various zlib fixes, including security fixes for CVE-2016-9843, CVE-2016-9842, CVE-2016-9841, and CVE-2016-9840

more...
rsync

more detail
2020-08-16VuXML ID a23ebf36-e8b6-4665-b0f3-4c977f9a145c

py-ecdsa developers report:

Fix CVE-2019-14853 - possible DoS caused by malformed signature decoding.

Fix CVE-2019-14859 - signature malleability caused by insufficient checks of DER encoding

more...
py27-ecdsa
py37-ecdsa

more detail
2020-08-16VuXML ID f20eb9a4-dfea-11ea-a9b8-9c5c8e84d621

Red Hat bugzilla reports:

A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made.

more...
ceph14

more detail
2020-08-15VuXML ID b8ea5b66-deff-11ea-adef-641c67a117d8

Snmptt reports:

Fixed a security issue with EXEC / PREXEC / unknown_trap_exec that could allow malicious shell code to be executed.

Fixed a bug with EXEC / PREXEC / unknown_trap_exec that caused commands to be run as root instead of the user defined in daemon_uid.

more...
snmptt

more detail
2020-08-13VuXML ID 87a07de1-e55e-4d51-bb64-8d117829a26a

Aki Tuomi reports:

Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory..

Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash

lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash.

Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on.

more...
dovecot

more detail
2020-08-13VuXML ID b1d6b383-dd51-11ea-a688-7b12871ef3ad

Cary Phillips reports:

v2.5.3 - Patch release with various bug/security fixes [...]:

  • Various sanitizer/fuzz-identified issues related to handling of invalid input
more...
ilmbase
openexr

more detail
2020-08-12VuXML ID eef0d2d9-78c0-441e-8b03-454c5baebe20

Jenkins Security Advisory:

Description

(High) SECURITY-1955 / CVE-2020-2229

Stored XSS vulnerability in help icons

(High) SECURITY-1957 / CVE-2020-2230

Stored XSS vulnerability in project naming strategy

(High) SECURITY-1960 / CVE-2020-2231

Stored XSS vulnerability in 'Trigger builds remotely'

more...
jenkins
jenkins-lts

more detail
2020-08-11VuXML ID 10e3ed8a-db7f-11ea-8bdf-643150d3111d

Puppetlabs reports:

In June 2020, jackson-databind published security updates addressing several CVEs. Previous releases of PuppetDB contain a vulnerable version of jackson.core:jackson-databind. PuppetDB 5.2.18 contains an updated version of jackson-databind that has patched the vulnerabilities.

more...
puppetdb5

more detail
2020-08-11VuXML ID 1110e286-dc08-11ea-beed-e09467587c17

Chrome Releases reports:

This release contains 15 security fixes, including:

  • [1107433] High CVE-2020-6542: Use after free in ANGLE. Reported by Piotr Bania of Cisco Talos on 2020-07-20
  • [1104046] High CVE-2020-6543: Use after free in task scheduling. Reported by Looben Yang on 2020-07-10
  • [1108497] High CVE-2020-6544: Use after free in media. Reported by Tim Becker of Theori on 2020-07-22
  • [1095584] High CVE-2020-6545: Use after free in audio. Reported by Anonymous on 2020-06-16
  • [1100280] High CVE-2020-6546: Inappropriate implementation in installer. Reported by Andrew Hess (any1) on 2020-06-29
  • [1102153] High CVE-2020-6547: Incorrect security UI in media. Reported by David Albert on 2020-07-05
  • [1103827] High CVE-2020-6548: Heap buffer overflow in Skia. Reported by Choongwoo Han, Microsoft Browser Vulnerability Research on 2020-07-09
  • [1105426] High CVE-2020-6549: Use after free in media. Reported by Sergei Glazunov of Google Project Zero on 2020-07-14
  • [1106682] High CVE-2020-6550: Use after free in IndexedDB. Reported by Sergei Glazunov of Google Project Zero on 2020-07-17
  • [1107815] High CVE-2020-6551: Use after free in WebXR. Reported by Sergei Glazunov of Google Project Zero on 2020-07-21
  • [1108518] High CVE-2020-6552: Use after free in Blink. Reported by Tim Becker of Theori on 2020-07-22
  • [1111307] High CVE-2020-6553: Use after free in offline mode. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-30
  • [1094235] Medium CVE-2020-6554: Use after free in extensions. Reported by Anonymous on 2020-06-12
  • [1105202] Medium CVE-2020-6555: Out of bounds read in WebGL. Reported by Marcin Towalski of Cisco Talos on 2020-07-13
more...
chromium

more detail
2020-08-10VuXML ID 6b6de127-db0b-11ea-ba1e-1c39475b9f84

Bftpd project reports:

Bftpd is vulnerable to out of bounds memory access, file descriptor leak and a potential buffer overflow.

more...
bftpd

more detail
2020-08-08*VuXML ID 76700d2f-d959-11ea-b53c-d4c9ef517024

The Apache httpd projec reports:

  • mod_http2: Important: Push Diary Crash on Specifically Crafted HTTP/2 Header (CVE-2020-9490)

    A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards.
  • mod_proxy_uwsgi: Moderate: mod_proxy_uwsgi buffer overflow (CVE-2020-11984)

    info disclosure and possible RCE
  • mod_http2: Moderate: Push Diary Crash on Specifically Crafted HTTP/2 Header (CVE-2020-11993)

    When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools.
more...
apache24
mod_http2

more detail
2020-08-06VuXML ID 8db74c04-d794-11ea-88f8-901b0ef719ab

Problem Description:

When handling a 32-bit sendmsg(2) call, the compat32 subsystem copies the control message to be transmitted (if any) into kernel memory, and adjusts alignment of control message headers. The code which performs this work contained a time-of-check to time-of-use (TOCTOU) vulnerability which allows a malicious userspace program to modify control message headers after they were validated by the kernel.

Impact:

The TOCTOU bug can be exploited by an unprivileged malicious userspace program to trigger privilege escalation.

more...
FreeBSD-kernel

more detail
2020-08-06VuXML ID 9eb01384-d793-11ea-88f8-901b0ef719ab

Problem Description:

A missing length validation code common to these three drivers means that a malicious USB device could write beyond the end of an allocated network packet buffer.

Impact:

An attacker with physical access to a USB port and the ability to bring a network interface up may be able to use a specially crafted USB device to gain kernel or user-space code execution.

more...
FreeBSD-kernel

more detail
2020-08-06VuXML ID bc7aff8c-d806-11ea-a5aa-0800272260e5

The Go project reports:

Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This could lead to processing more input than expected when the caller is reading directly from the network and depends on ReadUvarint and ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.

more...
go

more detail
2020-08-06*VuXML ID c4ac9c79-ab37-11ea-8b5e-b42e99a1b9c3

sqlite3 update:

Various security issues could be used by an attacker to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code.

  • CVE-2020-11655: SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.
  • CVE-2020-13434: SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.
  • CVE-2020-13435: SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.
  • CVE-2020-13630: ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.
  • CVE-2020-13631: SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.
  • CVE-2020-13632: ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.
more...
FreeBSD
sqlite3

more detail
2020-08-04VuXML ID eab964f8-d632-11ea-9172-4c72b94353b5

Typo3 Team reports:

In case an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php which again contains the encryptionKey as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, this allows to completely retrieve, manipulate or delete database contents. This includes creating an administration user account - which can be used to trigger remote code execution by injecting custom extensions.

It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains as described below.

more...
typo3-10-php72
typo3-10-php73
typo3-10-php74
typo3-9-php72
typo3-9-php73
typo3-9-php74

more detail
2020-08-01VuXML ID 3c7ba82a-d3fb-11ea-9aba-0c9d925bbbc0

The X.org project reports:

Allocation for pixmap data in AllocatePixmap() does not initialize the memory in xserver, it leads to leak uninitialize heap memory to clients. When the X server runs with elevated privileges.

This flaw can lead to ASLR bypass, which when combined with other flaws (known/unknown) could lead to lead to privilege elevation in the client.

more...
xephyr
xorg-dmx
xorg-nestserver
xorg-server
xorg-vfbserver
xwayland

more detail
2020-08-01VuXML ID 6faa7feb-d3fa-11ea-9aba-0c9d925bbbc0

The X.org project reports:

The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method.

more...
libX11

more detail
2020-07-31VuXML ID 7d7221ee-d334-11ea-bc50-080027846a02

Python reports:

bpo-41304: Fixes python3x._pth being ignored on Windows, caused by the fix for bpo-29778 (CVE-2020-15801).

bpo-39603: Prevent http header injection by rejecting control characters in http.client.putreques().

more...
python38

more detail
2020-07-30VuXML ID d1ef1138-d273-11ea-a757-e0d55e2a8bf9

KDE Project Security Advisory reports:

KDE Project Security Advisory

Title: Ark: maliciously crafted archive can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2020-16116
Versions: ark <= 20.04.3
Author: Elvis Angelaccio
Date: 30 July 2020

Overview

A maliciously crafted archive with "../" in the file paths would install files anywhere in the user's home directory upon extraction.

Proof of concept

For testing, an example of malicious archive can be found at https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip

Impact

Users can unwillingly install files like a modified .bashrc, or a malicious script placed in ~/.config/autostart

Workaround

Users should not use the 'Extract' context menu from the Dolphin file manager. Before extracting a downloaded archive using the Ark GUI, users should inspect it to make sure it doesn't contain entries with "../" in the file path.

Solution

Ark 20.08.0 prevents loading of malicious archives and shows a warning message to the users.

Alternatively, https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f can be applied to previous releases.

Credits

Thanks to Dominik Penner for finding and reporting this issue and thanks to Elvis Angelaccio and Albert Astals Cid for fixing it.

more...
ark

more detail
2020-07-28VuXML ID 086c96cd-d0cb-11ea-b922-5404a68ad561

RedHat reports:

It was discovered the fix for CVE-2018-19758 was not complete and still allows a read beyond the limits of a buffer in wav_write_header() function in wav.c. A local attacker may use this flaw to make the application crash.

more...
libsndfile

more detail
2020-07-28VuXML ID 9a447f78-d0f8-11ea-9837-e09467587c17

Chrome Releases reports:

This update contains 8 security fixes, including:

  • [1105318] High CVE-2020-6537: Type Confusion in V8. Reported by Alphalaab on 2020-07-14
  • [1096677] High CVE-2020-6538: Inappropriate implementation in WebView. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-18
  • [1104061] High CVE-2020-6532: Use after free in SCTP. Reported by Anonymous on 2020-07-09
  • [1105635] High CVE-2020-6539: Use after free in CSS. Reported by Oriol Brufau on 2020-07-14
  • [1105720] High CVE-2020-6540: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-07-15
  • [1106773] High CVE-2020-6541: Use after free in WebUSB. Reported by Sergei Glazunov of Google Project Zero on 2020-07-17
more...
chromium

more detail
2020-07-28VuXML ID a955cdb7-d089-11ea-8c6f-080027eedc6a

Bernhard Miklautz reports:

  • Integer overflow due to missing input sanitation in rdpegfx channel
  • All FreeRDP clients are affected
  • The input rectangles from the server are not checked against local surface coordinates and blindly accepted. A malicious server can send data that will crash the client later on (invalid length arguments to a memcpy)
more...
freerdp

more detail
2020-07-28VuXML ID e333084c-9588-4eee-8bdc-323e02cb4fe0

Jon Siwek of Corelight reports:

This release fixes the following security issues:

  • Fix potential DNS analyzer stack overflow
  • Fix potential NetbiosSSN analyzer stack overflow
more...
zeek

more detail
2020-07-27VuXML ID cd2dc126-cfe4-11ea-9172-4c72b94353b5

Cacti developers reports:

Multiple fixes for bundled jQuery to prevent code exec (CVE-2020-11022, CVE-2020-11023).

PHPMail contains a escaping bug (CVE-2020-13625).

SQL Injection via color.php in Cacti (CVE-2020-14295).

more...
cacti

more detail
2020-07-24VuXML ID e1d3a580-cd8b-11ea-bad0-08002728f74c

GitHub Advisory Database:

When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template is built using Django's standard form rendering helpers such as form.as_p (as directed in the documentation), any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

more...
py36-wagtail
py37-wagtail
py38-wagtail

more detail
2020-07-23*VuXML ID 6a72eff7-ccd6-11ea-9172-4c72b94353b5

The Apache Software Foundation reports:

An h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

more...
tomcat-devel
tomcat7
tomcat85
tomcat9

more detail
2020-07-20VuXML ID a9eeb3a3-ca5e-11ea-930b-080027846a02

Python reports:

bpo-41162:Audit hooks are now cleared later during finalization to avoid missing events.

bpo-29778:Ensure python3.dll is loaded from correct locations when Python is embedded.

more...
python38

more detail
2020-07-19VuXML ID 1e7b316b-c6a8-11ea-a7d5-001999f8d30b

Oracle reports:

Vulnerabilities in VirtualBox core can allow users with logon access to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of these vulnerabilities can result in unauthorized access to critical data, access to all Oracle VM VirtualBox accessible data, unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) or takeover of Oracle VM VirtualBox.

more...
virtualbox-ose

more detail
2020-07-16VuXML ID 714e6c35-c75b-11ea-aa29-d74973d1f9f3

Cary Phillips reports:

openexr 2.5.2 [is a p]atch release with various bug/security and build/install fixes:

  • Invalid input could cause a heap-use-after-free error in DeepScanLineInputFile::DeepScanLineInputFile()
  • Invalid chunkCount attributes could cause heap buffer overflow in getChunkOffsetTableSize()
  • Invalid tiled input file could cause invalid memory access TiledInputFile::TiledInputFile()
more...
ilmbase
openexr

more detail
2020-07-16VuXML ID f7a02651-c798-11ea-81d6-6805cabe6ebb

Micah Snyder reports:

CVE-2020-3350
Fixed a vulnerability a malicious user could exploit to replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (such as a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan and clamonacc.
CVE-2020-3327
Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.3 that could cause a denial-of-service (DoS) condition. Improper bounds checking resulted in an out-of-bounds read that could cause a crash. The previous fix for this CVE in version 0.102.3 was incomplete. This fix correctly resolves the issue.
CVE-2020-3481
Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 that could cause a denial-of-service (DoS) condition. Improper error handling could cause a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in affected versions.
more...
clamav

more detail
2020-07-15VuXML ID 1ddab5cb-14c9-4632-959f-802c412a9593

Jenkins Security Advisory:

Description

(High) SECURITY-1868 / CVE-2020-2220

Stored XSS vulnerability in job build time trend

(High) SECURITY-1901 / CVE-2020-2221

Stored XSS vulnerability in upstream cause

(High) SECURITY-1902 / CVE-2020-2222

Stored XSS vulnerability in 'keep forever' badge icons

(High) SECURITY-1945 / CVE-2020-2223

Stored XSS vulnerability in console links

more...
jenkins
jenkins-lts

more detail
2020-07-15VuXML ID 870d59b0-c6c4-11ea-8015-e09467587c17

Chrome Releases reports:

This update contains 38 security fixes, including:

  • [1103195] Critical CVE-2020-6510: Heap buffer overflow in background fetch. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-07-08
  • [1074317] High CVE-2020-6511: Side-channel information leakage in content security policy. Reported by Mikhail Oblozhikhin on 2020-04-24
  • [1084820] High CVE-2020-6512: Type Confusion in V8. Reported by nocma, leogan, cheneyxu of WeChat Open Platform Security Team on 2020-05-20
  • [1091404] High CVE-2020-6513: Heap buffer overflow in PDFium. Reported by Aleksandar Nikolic of Cisco Talos on 2020-06-04
  • [1076703] High CVE-2020-6514: Inappropriate implementation in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2020-04-30
  • [1082755] High CVE-2020-6515: Use after free in tab strip. Reported by DDV_UA on 2020-05-14
  • [1092449] High CVE-2020-6516: Policy bypass in CORS. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-08
  • [1095560] High CVE-2020-6517: Heap buffer overflow in history. Reported by ZeKai Wu (@hellowuzekai) of Tencent Security Xuanwu Lab on 2020-06-16
  • [986051] Medium CVE-2020-6518: Use after free in developer tools. Reported by David Erceg on 2019-07-20
  • [1064676] Medium CVE-2020-6519: Policy bypass in CSP. Reported by Gal Weizman (@WeizmanGal) of PerimeterX on 2020-03-25
  • [1092274] Medium CVE-2020-6520: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-08
  • [1075734] Medium CVE-2020-6521: Side-channel information leakage in autofill. Reported by Xu Lin (University of Illinois at Chicago), Panagiotis Ilia (University of Illinois at Chicago), Jason Polakis (University of Illinois at Chicago) on 2020-04-27
  • [1052093] Medium CVE-2020-6522: Inappropriate implementation in external protocol handlers. Reported by Eric Lawrence of Microsoft on 2020-02-13
  • [1080481] Medium CVE-2020-6523: Out of bounds write in Skia. Reported by Liu Wei and Wu Zekai of Tencent Security Xuanwu Lab on 2020-05-08
  • [1081722] Medium CVE-2020-6524: Heap buffer overflow in WebAudio. Reported by Sung Ta (@Mipu94) of SEFCOM Lab, Arizona State University on 2020-05-12
  • [1091670] Medium CVE-2020-6525: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-05
  • [1074340] Low CVE-2020-6526: Inappropriate implementation in iframe sandbox. Reported by Jonathan Kingston on 2020-04-24
  • [992698] Low CVE-2020-6527: Insufficient policy enforcement in CSP. Reported by Zhong Zhaochen of andsecurity.cn on 2019-08-10
  • [1063690] Low CVE-2020-6528: Incorrect security UI in basic auth. Reported by Rayyan Bijoora on 2020-03-22
  • [978779] Low CVE-2020-6529: Inappropriate implementation in WebRTC. Reported by kaustubhvats7 on 2019-06-26
  • [1016278] Low CVE-2020-6530: Out of bounds memory access in developer tools. Reported by myvyang on 2019-10-21
  • [1042986] Low CVE-2020-6531: Side-channel information leakage in scroll to text. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-01-17
  • [1069964] Low CVE-2020-6533: Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2020-04-11
  • [1072412] Low CVE-2020-6534: Heap buffer overflow in WebRTC. Reported by Anonymous on 2020-04-20
  • [1073409] Low CVE-2020-6535: Insufficient data validation in WebUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-04-22
  • [1080934] Low CVE-2020-6536: Incorrect security UI in PWAs. Reported by Zhiyang Zeng of Tencent security platform department on 2020-05-09
more...
chromium

more detail
2020-07-11VuXML ID 0ed71663-c369-11ea-b53c-d4c9ef517024

Oracle reports:

This Critical Patch Update contains 40 new security patches for Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.8.

This Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for July 2020, which will be released on Tuesday, July 14, 2020.

more...
mysql56-client
mysql56-server
mysql57-client
mysql57-server
mysql80-client
mysql80-server

more detail
2020-07-10*VuXML ID a2cb7c31-9c79-11ea-a9c2-d05099c0ae8c

NLNetLabs reports:

This release fixes CVE-2020-12662 and CVE-2020-12663.

Bug Fixes:

  • CVE-2020-12662 Unbound can be tricked into amplifying an incoming query into a large number of queries directed to a target.
  • CVE-2020-12663 Malformed answers from upstream name servers can be used to make Unbound unresponsive.
more...
FreeBSD
unbound

more detail
2020-07-10VuXML ID c11ee146-c266-11ea-8659-901b0ef719ab

Problem Description:

The IPV6_2292PKTOPTIONS set handler was missing synchronization, so racing accesses could modify freed memory.

Impact:

A malicious user application could trigger memory corruption, leading to privilege escalation.

more...
FreeBSD-kernel

more detail
2020-07-10VuXML ID efd03116-c2a9-11ea-82bc-b42e99a1b9c3

The WebKitGTK project reports vulnerabilities:

  • CVE-2020-9802: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2020-9803: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2020-9805: Processing maliciously crafted web content may lead to universal cross site scripting.
  • CVE-2020-9806: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2020-9807: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2020-9843: Processing maliciously crafted web content may lead to a cross site scripting attack.
  • CVE-2020-9850: A remote attacker may be able to cause arbitrary code execution.
  • CVE-2020-13753: CLONE_NEWUSER could potentially be used to confuse xdg- desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal’s input buffer.
more...
webkit2-gtk3

more detail
2020-07-10VuXML ID f8b46415-c264-11ea-8659-901b0ef719ab

Problem Description:

posix_spawnp spawns a new thread with a limited stack allocated on the heap before delegating to execvp for the final execution within that thread.

execvp would previously make unbounded allocations on the stack, directly proportional to the length of the user-controlled PATH environment variable.

Impact:

Long values in the user-controlled PATH environment variable cause posix_spawnp to write beyond the end of stack that was allocated, ultimately overflowing the heap-allocated stack with a direct copy of the value stored in PATH.

more...
FreeBSD

more detail
2020-07-09VuXML ID 198a120d-c22d-11ea-9172-4c72b94353b5

mybb Team reports:

High risk: Installer RCE on settings file write

Medium risk: Arbitrary upload paths and Local File Inclusion RCE

Medium risk: XSS via insufficient HTML sanitization of Blog feed and Extend data

Low risk: Open redirect on login

Low risk: SCEditor reflected XSS

more...
mybb

more detail
2020-07-08VuXML ID 20b46222-c12b-11ea-abe8-08002728f74c

kramdown news:

CVE-2020-14001 is addressed to avoid problems when using the {::options /} extension together with the 'template' option.

more...
rubygem-kramdown

more detail
2020-07-07VuXML ID c685edd9-c045-11ea-8898-001cc0382b2f

Manuel Pégourié-Gonnard reports:

The scalar multiplication function in Mbed TLS accepts a random number generator (RNG) as an optional argument and, if provided, uses it to protect against some attacks.

It is the caller's responsibility to provide a RNG if protection against side-channel attacks is desired; however two groups of functions in Mbed TLS itself fail to pass a RNG:

  1. mbedtls_pk_parse_key() and mbedtls_pk_parse_keyfile()
  2. mbedtls_ecp_check_pub_priv() and mbedtls_pk_check_pair()

When those functions are called, scalar multiplication is computed without randomisation, a number of old and new attacks apply, allowing a powerful local attacker to fully recover the private key.

more...
mbedtls

more detail
2020-07-07VuXML ID f7a97d43-c039-11ea-a051-001b217b3468

Gitlab reports:

Workhorse bypass allows files in /tmp to be read via Maven Repository APIs

more...
gitlab-ce

more detail
2020-07-06VuXML ID 33c05d57-bf6e-11ea-ba1e-0800273f78d3

Python reports:

The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised.

Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.

more...
python37

more detail
2020-07-04VuXML ID 4344861a-be0b-11ea-9172-4c72b94353b5

Anydesk reports:

AnyDesk before 5.5.3 on Linux and FreeBSD has a format string vulnerability that can be exploited for remote code execution.

more...
anydesk

more detail
2020-07-03VuXML ID 27616957-b084-11ea-937b-b42e99a1b9c3

GitHub Security Lab reports:

D-Bus has a file descriptor leak, which can lead to denial of service when the dbus-daemon runs out of file descriptors. An unprivileged local attacker can use this to attack the system dbus-daemon, leading to denial of service for all users of the machine.

more...
dbus

more detail
2020-07-03VuXML ID d9f686f3-fde0-48dc-ab0a-01c2fe3e0529

Matrix developers report:

Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.

  • A malicious homeserver could force Synapse to reset the state in a room to a small subset of the correct state. This affects all Synapse deployments which federate with untrusted servers.
  • HTML pages served via Synapse were vulnerable to clickjacking attacks. This predominantly affects homeservers with single-sign-on enabled, but all server administrators are encouraged to upgrade.
more...
py36-matrix-synapse
py37-matrix-synapse
py38-matrix-synapse

more detail
2020-07-02VuXML ID 0a305431-bc98-11ea-a051-001b217b3468

Gitlab reports:

Missing Permission Check on Time Tracking

Cross-Site Scripting in PyPi Files API

Insecure Authorization Check on Private Project Security Dashboard

Cross-Site Scripting in References

Cross-Site Scripting in Group Names

Cross-Site Scripting in Blob Viewer

Cross-Site Scripting in Error Tracking

Insecure Authorisation Check on Creation and Deletion of Deploy Tokens

User Name Format Restiction Bypass

Denial of Service in Issue Comments

Cross-Site Scripting in Wiki Pages

Private Merge Request Updates Leaked via Todos

Private User Activity Leaked via API

Cross-Site Scripting in Bitbucket Import Feature

Github Project Restriction Bypass

Update PCRE Dependency

Update Kaminari Gem

Cross-Site Scripting in User Profile

Update Xterm.js

more...
gitlab-ce

more detail
2020-07-02VuXML ID 641cd669-bc37-11ea-babf-6805ca2fa271

PowerDNS Team reports:

CVE-2020-14196: An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via webserver-allow-from is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction. In the default configuration the API webserver is not enabled. Only installations using a non-default value for webserver and webserver-address are affected.

more...
powerdns-recursor

more detail
2020-07-02VuXML ID 6fd773d3-bc5a-11ea-b38d-f0def1d0c3ea

Bryan Call reports:

ATS is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread.

more...
trafficserver

more detail
2020-07-02VuXML ID ae599263-bca2-11ea-b78f-b42e99a1b9c3

The Samba Team reports:

Four vulnerabilities were fixed in samba:

  • CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC LDAP Server with ASQ, VLV and paged_results
  • CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume excessive CPU in the AD DC (only)
  • CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with paged_results and VLV
  • CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd
more...
samba410
samba411
samba412

more detail
2020-07-02VuXML ID fce7a6e7-bc5d-11ea-b38d-f0def1d0c3ea

Felix Dörre reports:

The issue is that STUN/TURN response buffer is not initialized properly. (CWE 665) This is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client.

more...
coturn

more detail
2020-07-01VuXML ID b51d5391-bb76-11ea-9172-4c72b94353b5

Drupal Security Team reports:

The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

more...
drupal7

more detail
2020-06-30VuXML ID 2675f0db-baa5-11ea-aa12-80ee73419af3

Ashley Newson reports:

The xrdp-sesman service can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350.

more...
xrdp

more detail
2020-06-29VuXML ID d0be8e1f-b19a-11ea-94aa-b827eb2f57d4

reports:

Improper serialization of MongoDB Server's internal authorization state permits a user with valid credentials to bypass IP source address protection mechanisms following administrative action.

Credit

Discovered by Tony Yesudas.

more...
mongodb36
mongodb40
mongodb42

more detail
2020-06-28VuXML ID 4200d5f5-b985-11ea-b08a-f8b156b6dcc8

Two vulnerabilities were fixed in the upstream repository:

  • The bark_noise_hybridmp function allows remote attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted file.
  • mapping0_forward does not validate the number of channels, which allows remote attackers to cause a denial of service (heap-based buffer overflow or over-read) or possibly have unspecified other impact via a crafted file.
more...
libvorbis

more detail
2020-06-28VuXML ID 6190c0cd-b945-11ea-9401-2dcf562daa69

Simon Tatham reports:

[Release 0.74] fixes the following security issues:

  • New configuration option to disable PuTTY's default policy of changing its host key algorithm preferences to prefer keys it already knows. (There is a theoretical information leak in this policy.) [CVE-2020-14002]
  • In some situations an SSH server could cause PuTTY to access freed mdmory by pretending to accept an SSH key and then refusing the actual signature. It can only happen if you're using an SSH agent.
more...
putty
putty-gtk2
putty-nogtk

more detail
2020-06-25VuXML ID 09eef008-3b16-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection Since authentication is not required to perform these changes,anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2.

more...
glpi

more detail
2020-06-25VuXML ID 0ba61fcc-3b38-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an API account to the system. The issue is patched in version 9.5.2. A proof-of-concept with technical details is available in the linked advisory.

more...
glpi

more detail
2020-06-25VuXML ID 5acd95db-3b16-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.

more...
glpi

more detail
2020-06-25VuXML ID 675e5098-3b15-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.5.2, the pluginimage.send.php endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in /files/. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2.

more...
glpi

more detail
2020-06-25VuXML ID 7f163c81-3b12-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1.

more...
glpi

more detail
2020-06-25VuXML ID b7abdb0f-3b15-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2

more...
glpi

more detail
2020-06-24VuXML ID 29b13a34-b1d2-11ea-a11c-4437e6ad11c4

mutt 1.14.4 updates:

CVE-2020-14954 - Machine-in-the-middle response injection attack when using STARTTLS with IMAP, POP3, and SMTP

more...
mutt

more detail
2020-06-24VuXML ID 4a8a-8987-11ea-93ef-b42e99a1b9c3

Apple reports:

  • CVE-2019-8842: The ippReadIO function may under-read an extension.
  • CVE-2020-3898: The ppdOpen function did not handle invalid UI constraint. ppdcSource::get_resolution function did not handle invalid resolution strings. An application may be able to gain elevated privileges.
more...
cups

more detail
2020-06-24VuXML ID 5b397852-b1d0-11ea-a11c-4437e6ad11c4

mutt 1.14.3 updates:

CVE-2020-14093 - IMAP fcc/postpone man-in-the-middle attack via a PREAUTH response.

more...
mutt

more detail
2020-06-24VuXML ID 6a5d15b6-b661-11ea-8015-e09467587c17

Chrome Releases reports:

This update includes 2 security fixes, including:

  • [1092308] High CVE-2020-6509: Use after free in extensions. Reported by Anonymous on 2020-06-08
more...
chromium

more detail
2020-06-24VuXML ID 6bff5ca6-b61a-11ea-aef4-08002728f74c

curl security problems:

CVE-2020-8169: Partial password leak over DNS on HTTP redirect

libcurl can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s).

libcurl can be given a username and password for HTTP authentication when requesting an HTTP resource - used for HTTP Authentication such as Basic, Digest, NTLM and similar. The credentials are set, either together with CURLOPT_USERPWD or separately with CURLOPT_USERNAME and CURLOPT_PASSWORD. Important detail: these strings are given to libcurl as plain C strings and they are not supposed to be URL encoded.

In addition, libcurl also allows the credentials to be set in the URL, using the standard RFC 3986 format: http://user:password@host/path. In this case, the name and password are URL encoded as that's how they appear in URLs.

If the options are set, they override the credentials set in the URL.

Internally, this is handled by storing the credentials in the "URL object" so that there is only a single set of credentials stored associated with this single URL.

When libcurl handles a relative redirect (as opposed to an absolute URL redirect) for an HTTP transfer, the server is only sending a new path to the client and that path is applied on to the existing URL. That "applying" of the relative path on top of an absolute URL is done by libcurl first generating a full absolute URL out of all the components it has, then it applies the redirect and finally it deconstructs the URL again into its separate components.

This security vulnerability originates in the fact that curl did not correctly URL encode the credential data when set using one of the curl_easy_setopt options described above. This made curl generate a badly formatted full URL when it would do a redirect and the final re-parsing of the URL would then go bad and wrongly consider a part of the password field to belong to the host name.

The wrong host name would then be used in a name resolve lookup, potentially leaking the host name + partial password in clear text over the network (if plain DNS was used) and in particular to the used DNS server(s).

CVE-2020-8177: curl overwrite local file with -J

curl can be tricked by a malicious server to overwrite a local file when using -J (--remote-header-name) and -i (--include) in the same command line.

The command line tool offers the -J option that saves a remote file using the file name present in the Content-Disposition: response header. curl then refuses to overwrite an existing local file using the same name, if one already exists in the current directory.

The -J flag is designed to save a response body, and so it doesn't work together with -i and there's logic that forbids it. However, the check is flawed and doesn't properly check for when the options are used in the reversed order: first using -J and then -i were mistakenly accepted.

The result of this mistake was that incoming HTTP headers could overwrite a local file if one existed, as the check to avoid the local file was done first when body data was received, and due to the mistake mentioned above, it could already have received and saved headers by that time.

The saved file would only get response headers added to it, as it would abort the saving when the first body byte arrives. A malicious server could however still be made to send back virtually anything as headers and curl would save them like this, until the first CRLF-CRLF sequence appears.

(Also note that -J needs to be used in combination with -O to have any effect.)

more...
curl

more detail
2020-06-24*VuXML ID 8b812395-c739-11e8-ab5b-9c5c8e75236a

Joel Esler reports:

  • CVE-2018-15378:
    • Vulnerability in ClamAV's MEW unpacking feature that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
    • Reported by Secunia Research at Flexera.
  • Fix for a 2-byte buffer over-read bug in ClamAV&s PDF parsing code.
    • Reported by Alex Gaynor.
  • CVE-2018-14680:
    • An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does not reject blank CHM filenames.
  • CVE-2018-14681:
    • An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite.
  • CVE-2018-14682:
    • An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM decompression. Additionally, 0.100.2 reverted 0.100.1's patch for CVE-2018-14679, and applied libmspack's version of the fix in its place.
more...
clamav

more detail
2020-06-24VuXML ID ce0c8590-b628-11ea-9d28-3c970ee9157c

Apple reports:

  • CVE-2019-8842: The ippReadIO function may under-read an extension.
  • CVE-2020-3898: The ppdOpen function did not handle invalid UI constraint. ppdcSource::get_resolution function did not handle invalid resolution strings. An application may be able to gain elevated privileges.
more...
cups

more detail
2020-06-24*VuXML ID f04f840d-0840-11ea-8d66-75d3253ef913

CVE list:

GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.

more...
libidn2

more detail
2020-06-24*VuXML ID f72d98d1-0b7e-11e7-970f-002590263bf5

Marina Glancy reports:

  • MSA-17-0001: System file inclusion when adding own preset file in Boost theme

  • MSA-17-0002: Incorrect sanitation of attributes in forums

  • MSA-17-0003: PHPMailer vulnerability in no-reply address

  • MSA-17-0004: XSS in assignment submission page

more...
moodle29
moodle30
moodle31
moodle32

more detail
2020-06-22VuXML ID feb8afdc-b3e5-11ea-9df5-08002728f74c

Ruby on Rails blog:

Rails 6.0.3.2 has been released! This version of Rails contains an important security patch, and you should upgrade! The release contains only one patch that addresses CVE-2020-8185.

more...
rubygem-actionpack60

more detail
2020-06-18VuXML ID 75d72e03-b137-11ea-8659-901b0ef719ab

ISC reports:

An assertion check in BIND (that is meant to prevent going beyond the end of a buffer when processing incoming data) can be incorrectly triggered by a large response during zone transfer.

more...
bind916

more detail
2020-06-18VuXML ID f00d1873-b138-11ea-8659-901b0ef719ab

ISC reports:

The asterisk character ("*") is allowed in DNS zone files, where it is most commonly present as a wildcard at a terminal node of the Domain Name System graph. However, the RFCs do not require and BIND does not enforce that an asterisk character be present only at a terminal node.

A problem can occur when an asterisk is present in an empty non-terminal location within the DNS graph. If such a node exists, after a series of queries, named can reach an inconsistent state that results in the failure of an assertion check in rbtdb.c, followed by the program exiting due to the assertion failure.

more...
bind911
bind916

more detail
2020-06-18VuXML ID f28476f7-b166-11ea-8775-507b9d01076a

lynis update:

This release resolves two security issues

  • CVE-2020-13882 - Discovered by Sander Bos, code submission by Katarina Durechova
  • CVE-2019-13033 - Discovered by Sander Bos
more...
lynis

more detail
2020-06-17VuXML ID 77896891-b08a-11ea-937b-b42e99a1b9c3

Thomas Guillem reports:

A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file.

more...
vlc

more detail
2020-06-13*VuXML ID a27b0bb6-84fc-11ea-b5b4-641c67a117d8

Ben Caller and Matt Schwager reports:

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

more...
python27
python35
python36
python37
python38

more detail
2020-06-13*VuXML ID ca595a25-91d8-11ea-b470-080027846a02

Python reports:

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header.

more...
python27
python35
python36
python37
python38

more detail
2020-06-12VuXML ID 11fcfa8f-ac64-11ea-9dab-000d3ab229d6

Node.js reports:

Updates are now available for all supported Node.js release lines for the following issues.

TLS session reuse can lead to host certificate verification bypass (High) (CVE-2020-8172)

The 'session' event could be emitted before the 'secureConnect' event. It should not be, because the connection may fail to be authorized. If it was saved an authorized connection could be established later with the session ticket. Note that the https agent caches sessions, so is vulnerable to this.

The 'session' event will now only be emitted after the 'secureConnect' event, and only for authorized connections.

HTTP/2 Large Settings Frame DoS (Low) (CVE-2020-11080)

Receiving unreasonably large HTTP/2 SETTINGS frames can consume 100% CPU to process all the settings, blocking all other activities until complete.

The HTTP/2 session frame is limited to 32 settings by default. This can be configured if necessary using the maxSettings option.

napi_get_value_string_*() allows various kinds of memory corruption (High) (CVE-2020-8174)

Calling napi_get_value_string_latin1(), napi_get_value_string_utf8(), or napi_get_value_string_utf16() with a non-NULL buf, and a bufsize of 0 will cause the entire string value to be written to buf, probably overrunning the length of the buffer.

A exploit has not been reported and it may be difficult but the following is suggested:

  • All users of LTS Node.js versions should update to the versions announced in this security post. This will address the issue for any non pre-built add-on.
  • Maintainers who support EOL Node.js versions and/or build against a version of Node.js that did not support N-API internally should update to use the new versions of node-addon-api 1.x and 2.x that will be released soon after this announcement.

ICU-20958 Prevent SEGV_MAPERR in append (High) (CVE-2020-10531)

An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.

Fix was applied to 10.x in an abundance of caution, even though there is no known way to trigger the overflow in 10.x.

more...
node
node10
node12

more detail
2020-06-12VuXML ID 96fb446d-ac7b-11ea-8b5e-b42e99a1b9c3

LibreOffice reports:

Two flaws were found in LibreOffice:

  • CVE-2020-12802: remote graphics contained in docx format retrieved in 'stealth mode'
  • CVE-2020-12803: XForms submissions could overwrite local files
more...
libreoffice

more detail
2020-06-11VuXML ID 045e46e8-abe6-11ea-99cb-10bf48e1088e

fklassen on Github reports:

This release fixes the following security issues:

  • memory access in do_checksum()
  • NULL pointer dereference get_layer4_v6()
  • NULL pointer dereference get_ipv6_l4proto()
more...
tcpreplay

more detail
2020-06-10VuXML ID 10a24ce0-ab68-11ea-b9b8-641c67a117d8

Mitre reports:

ZNC 1.8.0 up to 1.8.1-rc1 allows attackers to trigger an application crash (with a NULL pointer dereference) if echo-message is not enabled and there is no network.

more...
znc

more detail
2020-06-10VuXML ID 2a3588b4-ab12-11ea-a051-001b217b3468

NPM reports:

Global node_modules Binary Overwrite

Symlink reference outside of node_modules

Arbitrary File Write

more...
npm

more detail
2020-06-10VuXML ID 329ecd60-aaf7-11ea-8659-10bf48e1088e

Malvineous on Github reports:

This release fixes the following security issues:

  • buffer overflow in .bmf
  • buffer overflow in .dtm
  • buffer overflow in .mkj
  • buffer overflow in .a2m
  • buffer overflow in .rad
  • buffer overflow in .mtk
  • double free and OOB reads in .u6m
more...
libadplug

more detail
2020-06-10VuXML ID 9f7ae7ea-da93-4f86-b257-ba76707f6d5d

Jon Siwek of Corelight reports:

This release fixes the following security issues:

  • Fix potential stack overflow in NVT analyzer
  • Fix NVT analyzer memory leak from multiple telnet authn name options
  • Fix multiple content-transfer-encoding headers causing a memory leak
  • Fix potential leak of Analyzers added to tree during Analyzer::Done
  • Prevent IP fragment reassembly on packets without minimal IP header
more...
zeek

more detail
2020-06-09VuXML ID 196b31b8-aa9a-11ea-a59a-6451062f0f7a

Adobe reports:

  • This update resolves a use-after-free vulnerability that could lead to arbitrary code execution (CVE-2020-9633).
more...
linux-flashplayer

more detail
2020-06-09VuXML ID 32c92a75-aa71-11ea-92ab-00163e433440

Problem Description:

If the push/pop level of the USB HID state is not restored within the processing of the same HID item, an invalid memory location may be used for subsequent HID item processing.

Impact:

An attacker with physical access to a USB port may be able to use a specially crafted USB device to gain kernel or user-space code execution.

more...
FreeBSD-kernel

more detail
2020-06-05VuXML ID a2caf7bd-a719-11ea-a857-e09467587c17

Chrome Releases reports:

This update includes 5 security fixes. Below, we highlight fixes that were contributed by external researchers.

  • [1082105] High CVE-2020-6493: Use after free in WebAuthentication. Reported by Anonymous on 2020-05-13
  • [1083972] High CVE-2020-6494: Incorrect security UI in payments. Reported by Juho Nurminen on 2020-05-18
  • [1072116] High CVE-2020-6495: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-04-18
  • [1085990] High CVE-2020-6496: Use after free in payments. Reported by Khalil Zhani on 2020-05-24
more...
chromium

more detail
2020-06-04VuXML ID 40bfab16-a68b-11ea-9ea5-001b217b3468

Gitlab reports:

CI Token Access Control

more...
gitlab-ce

more detail
2020-06-04VuXML ID 597d02ce-a66c-11ea-af32-080027846a02

Django security release reports:

CVE-2020-13254: Potential data leakage via malformed memcached keys

In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.

CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget

Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.

more...
py36-django22
py36-django30
py37-django22
py37-django30
py38-django22
py38-django30

more detail
2020-06-04VuXML ID ef5b4f5f-a658-11ea-80d7-001cc0382b2f

The GnuTLS project reports:

It was found that GnuTLS 3.6.4 introduced a regression in the TLS protocol implementation. This caused the TLS server to not securely construct a session ticket encryption key considering the application supplied secret, allowing a MitM attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2.

more...
gnutls

more detail
2020-06-03VuXML ID 4bb56d2f-a5b0-11ea-a860-08002728f74c

nghttp2 security advisories:

The overly large HTTP/2 SETTINGS frame payload causes denial of service.

The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.

more...
libnghttp2
nghttp2

more detail
2020-06-03VuXML ID ca8327f7-a5a5-11ea-a860-08002728f74c

Changelog:

Remove a ReDoS vulnerability in the header parser (CVE-2020-7663)

more...
rubygem-websocket-extensions

more detail
2020-05-31VuXML ID 1650cee2-a320-11ea-a090-08002734b9ed

The Gitea Team reports for release 1.11.6:

  • Fix missing authorization check on pull for public repos of private/limited org (#11656) (#11683)
  • Use session for retrieving org teams (#11438) (#11439)
more...
gitea

more detail
2020-05-29*VuXML ID f9c5a410-9b4e-11ea-ac3f-6805ca2fa271

PowerDNS Team reports:

CVE-2020-10995: An issue in the DNS protocol has been found that allow malicious parties to use recursive DNS services to attack third party authoritative name servers. The attack uses a crafted reply by an authoritative name server to amplify the resulting traffic between the recursive and other authoritative name servers. Both types of service can suffer degraded performance as an effect.

CVE-2020-12244: An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer. This would allow an attacker in position of man-in-the-middle to send a NXDOMAIN answer for a name that does exist, bypassing DNSSEC validation.

CVE-2020-10030: An issue has been found in PowerDNS Authoritative Server allowing an attacker with enough privileges to change the system's hostname to cause disclosure of uninitialized memory content via a stack-based out-of-bounds read. It only occurs on systems where gethostname() does not null-terminate the returned string if the hostname is larger than the supplied buffer. Linux systems are not affected because the buffer is always large enough. OpenBSD systems are not affected because the returned hostname is always null-terminated. Under some conditions this issue can lead to the writing of one null-byte out-of-bounds on the stack, causing a denial of service or possibly arbitrary code execution.

more...
powerdns-recursor

more detail
2020-05-28VuXML ID 28481349-7e20-4f80-ae1e-e6bf48d4f17c

The Sane Project reports:

epson2: fixes CVE-2020-12867 (GHSL-2020-075) and several memory management issues found while addressing that CVE

epsonds: addresses out-of-bound memory access issues to fix CVE-2020-12862 (GHSL-2020-082) and CVE-2020-12863 (GHSL-2020-083), addresses a buffer overflow fixing CVE-2020-12865 (GHSL-2020-084) and disables network autodiscovery to mitigate CVE-2020-12866 (GHSL-2020-079), CVE-2020-12861 (GHSL-2020-080) and CVE-2020-12864 (GHSL-2020-081). Note that this backend does not support network scanners to begin with.

magicolor: fixes a floating point exception and uninitialized data read

fixes an overflow in sanei_tcp_read()

more...
sane-backends

more detail
2020-05-28VuXML ID 4e6875a2-a126-11ea-b385-08002728f74c

Kaminari Security Advisories:

There was a vulnerability in versions of Kaminari that would allow an attacker to inject arbitrary code into pages with pagination links.

The 1.2.1 gem including the patch has already been released.

All past released versions are affected by this vulnerability.

more...
rubygem-kaminari-core

more detail
2020-05-28VuXML ID 669f3fe8-a07a-11ea-b83e-f0def1f5c5a2

The FreeRDP changelog reports 14 CVEs addressed after 2.0.0-rc4

more...
freerdp

more detail
2020-05-28VuXML ID 69cf62a8-a0aa-11ea-9ea5-001b217b3468

Gitlab reports:

User Email Verification Bypass

OAuth Flow Missing Email Verification Checks

Notification Email Verification Bypass

Undisclosed Vulnerability on a Third-Party Rendering Engine

Group Sign-Up Restriction Bypass

Mirror Project Owner Impersonation

Missing Permission Check on Fork Relation Creation

Cross-Site Scripting in Repository Files API

Kubernetes Cluster Token Disclosure

Object Storage File Enumeration

Insecure Authorization Check on Project Deploy Keys

Cross-Site Scripting on Metrics Dashboard

Denial of Service on Custom Dashboards

Client-Side Code Injection through Mermaid Markup

Cross-Site Scripting on Static Site Editor

Disclosure of Amazon EKS Credentials

Denial of Service on Workhorse

more...
gitlab-ce

more detail
2020-05-26VuXML ID 61bc44ce-9f5a-11ea-aff3-f8b156c2bfe9

A vulnerability has been discovered in Sympa web interface by which attacker can execute arbitrary code with root privileges. Sympa uses two sorts of setuid wrappers:

  • FastCGI wrappers
  • newaliases wrapper

The FastCGI wrappers wwsympa-wrapper.fcgi and sympa_soap_server-wrapper.fcgi were used to make the web interface running under privileges of a dedicated user.

The newaliases wrapper (sympa_newaliases-wrapper) allows Sympa to update the alias database with root privileges.

Since these setuid wrappers did not clear environment variables, if environment variables like PERL5LIB were injected, forged code might be loaded and executed under privileges of setuid-ed users.

more...
sympa

more detail
2020-05-24VuXML ID 38c676bd-9def-11ea-a94c-3065ec8fd3ec

Google Chrome Releases reports:

This release includes 38 security fixes, including CVEs CVE-2020-6465 through CVE-2020-6491.

more...
chromium

more detail
2020-05-23VuXML ID 436d7f93-9cf0-11ea-82b8-4c72b94353b5

Piwigo reports:

Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.

more...
piwigo

more detail
2020-05-22VuXML ID 676ca486-9c1e-11ea-8b5e-b42e99a1b9c3

The Apache Software Foundation reports:

Under certain circumstances an attacker will be able to trigger remote code execution via deserialization of the file under their control

more...
tomcat-devel
tomcat7
tomcat85
tomcat9

more detail
2020-05-22VuXML ID 9908a1cc-35ad-424d-be0b-7e56abd5931a

Javier Moreno discovered a vulnerability in Sympa web interface that can cause denial of service (DoS) attack.

By submitting requests with malformed parameters, this flaw allows to create junk files in Sympa's directory for temporary files. And particularly by tampering token to prevent CSRF, it allows to originate exessive notification messages to listmasters.

more...
sympa

more detail
2020-05-22VuXML ID c5ec57a9-9c2b-11ea-82b8-4c72b94353b5

Drupal Security Team reports:

The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are: ... Security issues in jQuerys DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub.

Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function.

more...
drupal7
drupal8

more detail
2020-05-20VuXML ID 4d11d37e-9a8d-11ea-b9b8-641c67a117d8

Zabbix reports:

Fixed security vulnerability cve-2020-11800 (remote code execution). (ZBX-17600)

more...
zabbix3-proxy
zabbix3-server

more detail
2020-05-19VuXML ID 85fca718-99f6-11ea-bf1d-08002728f74c

Ruby on Rails blog:

Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.

Both releases contain the following fixes:

CVE-2020-8162: Circumvention of file size limits in ActiveStorage

CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack

CVE-2020-8165: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

CVE-2020-8166: Ability to forge per-form CSRF tokens given a global CSRF token

CVE-2020-8167: CSRF Vulnerability in rails-ujs

more...
rubygem-actionpack52
rubygem-actionpack60
rubygem-actionview52
rubygem-actionview60
rubygem-activestorage52
rubygem-activestorage60
rubygem-activesupport52
rubygem-activesupport60

more detail
2020-05-18VuXML ID 37d106a8-15a4-483e-8247-fcb68b16eaf8

Aki Tuomi reports:

Vulnerability Details: Sending malformed NOOP command causes crash in submission, submission-login or lmtp service. Risk: Remote attacker can keep submission-login service down, causing denial of service attack. For lmtp the risk is neglible, as lmtp is usually behind a trusted MTA. Steps to reproduce: Send ``NOOP EE"FY`` to submission port, or similarly malformed command.

Vulnerability Details: Sending command followed by sufficient number of newlines triggers a use-after-free bug that might crash submission-login, submission or lmtp service. Risk: Remote attacker can keep submission-login service down, causing denial of service attack. For lmtp the risk is neglible, as lmtp is usually behind a trusted MTA. Steps to reproduce: This can be currently reproduced with ASAN or Valgrind. Reliable way to crash has not yet been discovered.

Vulnerability Details: Sending mail with empty quoted localpart causes submission or lmtp component to crash. Risk: Malicious actor can cause denial of service to mail delivery by repeatedly sending mails with bad sender or recipient address. Steps to reproduce: Send mail with envelope sender or recipient as <""@example.org>. Workaround: For submission there is no workaround, but triggering the bug requires valid credentials. For lmtp, one can implement sufficient filtering on MTA level to prevent mails with such addresses from ending up in LMTP delivery.

more...
dovecot

more detail
2020-05-17*VuXML ID abc3ef37-95d4-11ea-9004-25fadb81abf4

Tobias Stöckmann reports:

I have discovered a way to trigger an out of boundary write while parsing a huge json file through a malicious input source. It can be triggered if an attacker has control over the input stream or if a huge load during filesystem operations can be triggered.

more...
json-c

more detail
2020-05-16*VuXML ID 21d59ea3-8559-11ea-a5e2-d4c9ef517024

Oracle reports:

This Critical Patch Update contains 45 new security patches for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

MariaDB reports 4 of these vulnerabilities exist in their software

more...
mariadb101-server
mariadb102-server
mariadb103-server
mariadb104-server
mysql56-server
mysql57-server
mysql80-server
percona55-server
percona56-server
percona57-server

more detail
2020-05-16VuXML ID 6bf55af9-973b-11ea-9f2c-38d547003487

F-Secure reports:

CVE-2020-11651 - Authentication bypass vulnerabilities

The ClearFuncs class processes unauthenticated requests and unintentionally exposes the _send_pub() method, which can be used to queue messages directly on the master publish server. Such messages can be used to trigger minions to run arbitrary commands as root.

The ClearFuncs class also exposes the method _prep_auth_info(), which returns the "root key" used to authenticate commands from the local root user on the master server. This "root key" can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master.

CVE-2020-11652 - Directory traversal vulnerabilities

The wheel module contains commands used to read and write files under specific directory paths. The inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction.

The get_token() method of the salt.tokens.localfs class (which is exposed to unauthenticated requests by the ClearFuncs class) fails to sanitize the token input parameter which is then used as a filename, allowing insertion of ".." path elements and thus reading of files outside of the intended directory. The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().

more...
py27-salt
py32-salt
py33-salt
py34-salt
py35-salt
py36-salt
py37-salt
py38-salt

more detail
2020-05-16VuXML ID ce6db19b-976e-11ea-93c4-08002728f74c

Ruby on Rails blog:

Due to an unfortunate oversight, Rails 4.2.11.2 has a missing constant error. To address this Rails 4.2.11.3 has been released.

The original announcement for CVE-2020-8163 has a follow-up message with an updated patch if you’re unable to use the gems.

more...
rubygem-actionview4

more detail
2020-05-14VuXML ID 91ce95d5-cd15-4105-b942-af5ccc7144c1

Micah Snyder reports:

CVE-2020-3327: Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.2 that could cause a denial-of-service condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash. Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ parsing vulnerability.

CVE-2020-3341: Fixed a vulnerability in the PDF-parsing module in ClamAV 0.101 - 0.102.2 that could cause a denial-of-service condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read, which may cause a crash. OSS-Fuzz discovered this vulnerability.

more...
clamav

more detail
2020-05-13VuXML ID 59fabdf2-9549-11ea-9448-08002728f74c

Typo3 News:

CVE-2020-11063: TYPO3-CORE-SA-2020-001: Information Disclosure in Password Reset

It has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to verify whether a backend user account with a given email address exists or not.

CVE-2020-11064: TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine

It has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability.

CVE-2020-11065: TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling

It has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting - properties being assigned as HTML attributes have not been parsed correctly.

CVE-2020-11066: TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized

Calling unserialize() on malicious user-submitted content can result in the following scenarios:

- trigger deletion of arbitrary directory in file system (if writable for web server)

- trigger message submission via email using identity of web site (mail relay)

Another insecure deserialization vulnerability is required to actually exploit mentioned aspects.

CVE-2020-11067: TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend User Settings

It has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of 3rd party components this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability.

CVE-2020-11069: TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface

It has been discovered that the backend user interface and install tool are vulnerable to same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server - scripts are then executed with the privileges of the victims’ user session.

In a worst case scenario new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on the same target host - thus, it’ actually a same-site request forgery (SSRF).

Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a 3rd party extension - e.g. file upload in a contact form with knowing the target location.

The attacked victim requires an active and valid backend or install tool user session at the time of the attack to be successful.

more...
typo3-10-php72
typo3-10-php73
typo3-10-php74
typo3-9-php72
typo3-9-php73
typo3-9-php74

more detail
2020-05-12VuXML ID 0bfcae0b-947f-11ea-92ab-00163e433440

Problem Description:

Requests to create cryptography sessions using a MAC did not validate the user-supplied MAC key length. The cryptodev module allocates a buffer whose size is this user-suppled length.

Impact:

An unprivileged process can trigger a kernel panic.

more...
FreeBSD-kernel

more detail
2020-05-12VuXML ID 253486f5-947d-11ea-92ab-00163e433440

Problem Description:

The SCTP layer does improper checking when an application tries to update a shared key. Therefore an unprivileged local user can trigger a use-after- free situation, for example by specific sequences of updating shared keys and closing the SCTP association.

Impact:

Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic.

more...
FreeBSD-kernel

more detail
2020-05-12VuXML ID 30ce591c-947b-11ea-92ab-00163e433440

Problem Description:

libalias(3) packet handlers do not properly validate the packet length before accessing the protocol headers. As a result, if a libalias(3) module does not properly validate the packet length before accessing the protocol header, it is possible for an out of bound read or write condition to occur.

Impact:

A malicious attacker could send specially constructed packets that exploit the lack of validation allowing the attacker to read or write memory either from the kernel (for the in-kernel NAT implementation) or from the process space for natd (for the userspace implementation).

more...
FreeBSD-kernel

more detail
2020-05-12VuXML ID 78992249-947c-11ea-92ab-00163e433440

Problem Description:

The FTP packet handler in libalias incorrectly calculates some packet lengths. This may result in disclosing small amounts of memory from the kernel (for the in-kernel NAT implementation) or from the process space for natd (for the userspace implementation).

Impact:

A malicious attacker could send specially constructed packets that exploit the erroneous calculation allowing the attacker to disclose small amount of memory either from the kernel (for the in-kernel NAT implementation) or from the process space for natd (for the userspace implementation).

more...
FreeBSD-kernel

more detail
2020-05-12VuXML ID 9f15c2da-947e-11ea-92ab-00163e433440

Problem Description:

A race condition permitted a data structure in the kernel to be used after it was freed by the cryptodev module.

Impact:

An unprivileged process can overwrite arbitrary kernel memory.

more...
FreeBSD-kernel

more detail
2020-05-09VuXML ID 452d16bb-920d-11ea-9d20-18a6f7016652

Qutebrowser developers report:

After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false which is not recommended), this could still provide a false sense of security.

more...
qutebrowser

more detail
2020-05-09VuXML ID d222241d-91cc-11ea-82b8-4c72b94353b5

MITRE Corporation reports:

inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture.

more...
glpi

more detail
2020-05-07VuXML ID 88760f4d-8ef7-11ea-a66d-4b2ef158be83

Mark Sapiro reports:

A content injection vulnerability via the options login page has been discovered and reported by Vishal Singh.

An issue similar to CVE-2018-13796 exists at different endpoint & param. It can lead to a phishing attack.

(added 2020-05-07) This is essentially the same as https://bugs.launchpad.net/mailman/+bug/1873722 except the vector is the private archive login page and the attack only succeeds if the list's roster visibility (private_roster) setting is 'Anyone'.

more...
mailman
mailman-with-htdig

more detail
2020-05-06VuXML ID 1a6b7641-aed2-4ba1-96f4-c282d5b09c37

Jon Siwek of Corelight reports:

This release fixes the following security issues:

  • Fix buffer over-read in Ident analyzer
  • Fix SSL scripting error leading to uninitialized field access and memory leak
  • Fix POP3 analyzer global buffer over-read
  • Fix potential stack overflows due to use of Variable-Length-Arrays
more...
zeek

more detail
2020-05-05VuXML ID d5fead4f-8efa-11ea-a5c8-08002728f74c

Wagtail release notes:

CVE-2020-11037: Potential timing attack on password-protected private pages

This release addresses a potential timing attack on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. (This is understood to be feasible on a local network, but not on the public internet.)

more...
py35-wagtail
py36-wagtail
py37-wagtail
py38-wagtail

more detail
2020-05-04VuXML ID cd864f1a-8e5a-11ea-b5b4-641c67a117d8

Cacti developer reports:

Lack of escaping of color items can lead to XSS exposure.

more...
cacti

more detail
2020-05-03VuXML ID d3f3e818-8d10-11ea-8668-e0d55e2a8bf9

Webin security lab - dbapp security Ltd reports:

The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file.

more...
taglib

more detail
2020-05-01VuXML ID e8483115-8b8e-11ea-bdcf-001b217b3468

Gitlab reports:

Path Traversal in NuGet Package Registry

Workhorse Bypass Leads to File Disclosure

OAuth Application Client Secrets Revealed

Code Owners Approval Rules Are Not Updated for Existing Merge Requests When Source Branch Changes

Code Owners Protection Not Enforced from Web UI

Repository Mirror Passwords Exposed To Maintainers

Admin Audit Log Page Denial of Service

Private Project ID Revealed Through Group API

Elasticsearch Credentials Logged to ELK

GitHub Personal Access Token Exposed on Integrations Page

Update Nokogiri dependency

Update OpenSSL Dependency

Update git

more...
gitlab-ce

more detail
2020-04-29VuXML ID 3c7911c9-8a29-11ea-8d8c-005056a311d1

The Samba Team reports:

CVE-2020-10700

A client combining the 'ASQ' and 'Paged Results' LDAP controls can cause a use-after-free in Samba's AD DC LDAP server.

CVE-2020-10704

A deeply nested filter in an un-authenticated LDAP search can exhaust the LDAP server's stack memory causing a SIGSEGV.

more...
samba410
samba411
samba412

more detail
2020-04-29VuXML ID 4a10902f-8a48-11ea-8668-e0d55e2a8bf9

VideoLAN reports:

Details

A remote user could:

  • Create a specifically crafted image file that could trigger an out of bounds read
  • Send a specifically crafter request to the microdns service discovery, potentially triggering various memory management issues

Impact

If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user.

While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user informations or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed.

We have not seen exploits performing code execution through these vulnerabilities

CVE-2019-19721 affects VLC 3.0.8 and earlier, and only reads 1 byte out of bound

more...
vlc

more detail
2020-04-29*VuXML ID aae8fecf-888e-11ea-9714-08002718de91

Riccardo Schirone (https://github.com/ret2libc) reports:

In FullLoader python/object/new constructor, implemented by construct_python_object_apply, has support for setting the state of a deserialized instance through the set_python_instance_state method. After setting the state, some operations are performed on the instance to complete its initialization, however it is possible for an attacker to set the instance' state in such a way that arbitrary code is executed by the FullLoader.

This patch tries to block such attacks in FullLoader by preventing set_python_instance_state from setting arbitrar properties. It implements a blacklist that includes extend method (called by construct_python_object_apply) and all special methods (e.g. __set__, __setitem__, etc.).

Users who need special attributes being set in the state of a deserialized object can still do it through the UnsafeLoader, which however should not be used on untrusted input. Additionally, they can subclass FullLoader and redefine state_blacklist_regexp to include the additional attributes they need, passing the subclassed loader to yaml.load.

more...
py27-yaml
py35-yaml
py36-yaml
py37-yaml
py38-yaml

more detail
2020-04-28VuXML ID c7617931-8985-11ea-93ef-b42e99a1b9c3

Howard Chu reports:

nested filters leads to stack overflow

more...
openldap24-server

more detail
2020-04-26VuXML ID 4c52ec3c-86f3-11ea-b5b4-641c67a117d8

Bleach developers reports:

bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS).

Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).

more...
py27-bleach
py35-bleach
py36-bleach
py37-bleach
py38-bleach

more detail
2020-04-23VuXML ID 622b5c47-855b-11ea-a5e2-d4c9ef517024

Oracle reports:

This Critical Patch Update contains 45 new security patches for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

more...
mysql-connector-c
mysql-connector-c++
mysql-connector-java
mysql56-client
mysql57-client
mysql80-client
percona55-client
percona56-client
percona57-client

more detail
2020-04-23VuXML ID afa018d9-8557-11ea-a5e2-d4c9ef517024

Nextcloud reports:

XSS in Files PDF viewer (NC-SA-2020-019)

Missing ownership check on remote wipe endpoint (NC-SA-2020-018)

more...
nextcloud

more detail
2020-04-22*VuXML ID 012809ce-83f3-11ea-92ab-00163e433440

Problem Description:

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognized signature algorithm is received from the peer.

Impact:

A malicious peer could exploit the NULL pointer dereference crash, causing a denial of service attack.

more...
FreeBSD
openssl

more detail
2020-04-22VuXML ID 67765237-8470-11ea-a283-b42e99a1b9c3

git security advisory reports:

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching any URL, and will return some unspecified stored password, leaking the password to an attacker's server.

more...
git
git-gui
git-lite

more detail
2020-04-22VuXML ID 8d85d600-84a9-11ea-97b9-08002728f74c

Wagtail release notes:

CVE-2020-11001: Possible XSS attack via page revision comparison view

This release addresses a cross-site scripting (XSS) vulnerability on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

more...
py35-wagtail
py36-wagtail
py37-wagtail
py38-wagtail

more detail
2020-04-22VuXML ID ced2d47e-8469-11ea-a283-b42e99a1b9c3

git security advisory reports:

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server for an HTTP request being made to another server, resulting in credentials for the former being sent to the latter.

more...
git
git-gui
git-lite

more detail
2020-04-21VuXML ID 0f798bd6-8325-11ea-9a78-08002728f74c

NVD reports:

Libntlm through 1.5 relies on a fixed buffer size for tSmbNtlmAuthRequest, tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse read and write operations, as demonstrated by a stack-based buffer over-read in buildSmbNtlmAuthRequest in smbutil.c for a crafted NTLM request.

more...
libntlm

more detail
2020-04-21VuXML ID 33edcc56-83f2-11ea-92ab-00163e433440

Problem Description:

Incomplete packet data validation may result in accessing out-of-bounds memory (CVE-2019-5614) or may access memory after it has been freed (CVE-2019-15874).

Impact:

Access to out of bounds or freed mbuf data can lead to a kernel panic or other unpredictable results.

more...
FreeBSD-kernel

more detail
2020-04-21VuXML ID 9fbaefb3-837e-11ea-b5b4-641c67a117d8

Twisted developers reports:

All HTTP clients in twisted.web.client now raise a ValueError when called with a method and/or URL that contain invalid characters. This mitigates CVE-2019-12387. Thanks to Alex Brasetvik for reporting this vulnerability.

The HTTP/2 server implementation now enforces TCP flow control on control frame messages and times out clients that send invalid data without reading responses. This closes CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood). Thanks to Jonathan Looney and Piotr Sikora.

twisted.web.http was subject to several request smuggling attacks. Requests with multiple Content-Length headers were allowed (CVE-2020-10108, thanks to Jake Miller from Bishop Fox and ZeddYu Lu for reporting this) and now fail with a 400; requests with a Content-Length header and a Transfer-Encoding header honored the first header (CVE-2020-10109, thanks to Jake Miller from Bishop Fox for reporting this) and now fail with a 400; requests whose Transfer-Encoding header had a value other than "chunked" and "identity" (thanks to ZeddYu Lu) were allowed and now fail with a 400.

more...
py27-twisted
py35-twisted
py36-twisted
py37-twisted
py38-twisted

more detail
2020-04-19VuXML ID 3d7dfd63-823b-11ea-b3a8-240a644dd835

The libssh team reports (originally reported by Yasheng Yang from Google):

A malicious client or server could crash the counterpart implemented with libssh AES-CTR ciphers are used and don't get fully initialized. It will crash when it tries to cleanup the AES-CTR ciphers when closing the connection.

more...
libssh

more detail
2020-04-18VuXML ID e418b8f0-9abb-420b-a7f1-1d8231b352e2

The WebKitGTK project reports the following vulnerability.

Processing maliciously crafted web content may lead to arbitrary code execution or application crash (denial of service). Description: A memory corruption issue (use-after-free) was addressed with improved memory handling.

more...
webkit2-gtk3

more detail
2020-04-17VuXML ID 0899c0d3-80f2-11ea-bafd-815569f3852d

Borja Tarraso reports:

A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal. This issue is fixed in 2.10.

more...
ansible
ansible23
ansible24
ansible25
ansible26
ansible27

more detail
2020-04-17VuXML ID 67dbeeb6-80f4-11ea-bafd-815569f3852d

Borja Tarraso reports:

A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.

more...
ansible
ansible23
ansible24
ansible25
ansible26
ansible27

more detail
2020-04-17VuXML ID ae2e7871-80f6-11ea-bafd-815569f3852d

Borja Tarraso reports:

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

more...
ansible
ansible23
ansible24
ansible25
ansible26
ansible27

more detail
2020-04-17VuXML ID e24fd421-8128-11ea-aa57-000ffec73f06

Drupal Security Team reports:

The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations.

Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can createor edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access.

The latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities.

more...
drupal8

more detail
2020-04-16VuXML ID 25efe05c-7ffc-11ea-b594-3065ec8fd3ec

Google Chrome Releases reports:

[1067851] Critical CVE-2020-6457: Use after free in speech recognizer. Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on 2020-04-04

more...
chromium

more detail
2020-04-16VuXML ID 8604121c-7fc2-11ea-bcac-7781e90b0c8f

Lev Stipakov and Gert Doering report:

There is a time frame between allocating peer-id and initializing data channel key (which is performed on receiving push request or on async push-reply) in which the existing peer-id float checks do not work right.

If a "rogue" data channel packet arrives during that time frame from another address and with same peer-id, this would cause client to float to that new address.

The net effect of this behaviour is that the VPN session for the "victim client" is broken. Since the "attacker client" does not have suitable keys, it can not inject or steal VPN traffic from the other session. The time window is small and it can not be used to attack a specific client's session, unless some other way is found to make it disconnect and reconnect first.

more...
openvpn
openvpn-devel
openvpn-mbedtls

more detail
2020-04-15VuXML ID 570706ff-7ee0-11ea-bd0b-001b217b3468

Gitlab reports:

NuGet Package and File Disclosure through GitLab Workhorse

Job Artifact Uploads and File Disclosure through GitLab Workhorse

Incorrect membership following group removal

Logging of Praefect tokens

Update Rack dependency

Update OpenSSL dependency

more...
gitlab-ce

more detail
2020-04-15VuXML ID bf1f47c4-7f1b-11ea-bf94-001cc0382b2f

Manuel Pégourié-Gonnard reports:

An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can fully recover an ECDSA private key after observing a number of signature operations.

more...
mbedtls

more detail
2020-04-14VuXML ID 5b6bc863-89dc-11ea-af8b-00155d0a0200

RedHat reports:

ceph: secure mode of msgr2 breaks both confidentiality and integrity aspects for long-lived sessions.

ceph: header-splitting in RGW GetObject has a possible XSS.

more...
ceph14

more detail
2020-04-14VuXML ID f59c4c53-c55f-43fe-9920-82b9d1ea9c3d

Jon Siwek of Corelight reports:

This release fixes the following security issue:

  • An attacker can crash Zeek remotely via crafted packet sequence.
more...
zeek

more detail
2020-04-12VuXML ID 6e3b700a-7ca3-11ea-b594-3065ec8fd3ec

Google Chrome Releases reports:

This updates includes 32 security fixes, including:

  • [1019161] High CVE-2020-6454: Use after free in extensions. Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on 2019-10-29
  • [1043446] High CVE-2020-6423: Use after free in audio. Reported by Anonymous on 2020-01-18
  • [1059669] High CVE-2020-6455: Out of bounds read in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of Alpha Lab, Qihoo 360 on 2020-03-09
  • [1031479] Medium CVE-2020-6430: Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2019-12-06
  • [1040755] Medium CVE-2020-6456: Insufficient validation of untrusted input in clipboard. Reported by Michał Bentkowski of Securitum on 2020-01-10
  • [852645] Medium CVE-2020-6431: Insufficient policy enforcement in full screen. Reported by Luan Herrera (@lbherrera_) on 2018-06-14
  • [965611] Medium CVE-2020-6432: Insufficient policy enforcement in navigations. Reported by David Erceg on 2019-05-21
  • [1043965] Medium CVE-2020-6433: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-01-21
  • [1048555] Medium CVE-2020-6434: Use after free in devtools. Reported by HyungSeok Han (DaramG) of Theori on 2020-02-04
  • [1032158] Medium CVE-2020-6435: Insufficient policy enforcement in extensions. Reported by Sergei Glazunov of Google Project Zero on 2019-12-09
  • [1034519] Medium CVE-2020-6436: Use after free in window management. Reported by Igor Bukanov from Vivaldi on 2019-12-16
  • [639173] Low CVE-2020-6437: Inappropriate implementation in WebView. Reported by Jann Horn on 2016-08-19
  • [714617] Low CVE-2020-6438: Insufficient policy enforcement in extensions. Reported by Ng Yik Phang on 2017-04-24
  • [868145] Low CVE-2020-6439: Insufficient policy enforcement in navigations. Reported by remkoboonstra on 2018-07-26
  • [894477] Low CVE-2020-6440: Inappropriate implementation in extensions. Reported by David Erceg on 2018-10-11
  • [959571] Low CVE-2020-6441: Insufficient policy enforcement in omnibox. Reported by David Erceg on 2019-05-04
  • [1013906] Low CVE-2020-6442: Inappropriate implementation in cache. Reported by B@rMey on 2019-10-12
  • [1040080] Low CVE-2020-6443: Insufficient data validation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-01-08
  • [922882] Low CVE-2020-6444: Uninitialized Use in WebRTC. Reported by mlfbrown on 2019-01-17
  • [933171] Low CVE-2020-6445: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
  • [933172] Low CVE-2020-6446: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
  • [991217] Low CVE-2020-6447: Inappropriate implementation in developer tools. Reported by David Erceg on 2019-08-06
  • [1037872] Low CVE-2020-6448: Use after free in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2019-12-26
more...
chromium

more detail
2020-04-07VuXML ID 57c1c2ee-7914-11ea-90bf-0800276545c1

The Squid developers reports:

Improper Input Validation issues in HTTP Request processing (CVE-2020-8449, CVE-2020-8450).

Information Disclosure issue in FTP Gateway (CVE-2019-12528).

Buffer Overflow issue in ext_lm_group_acl helper (CVE-2020-8517).

more...
squid

more detail
2020-04-02*VuXML ID 40194e1c-6d89-11ea-8082-80ee73419af3

When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.

This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parse(user_input), but didn’t address some other styles of JSON parsing including JSON(user_input) and JSON.parse(user_input, nil).

See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary bjects may cause severe security consequences depending upon the application code.

Please update the json gem to version 2.3.0 or later. You can use gem update json to update it. If you are using bundler, please add gem "json", ">= 2.3.0" to your Gemfile.

more...
rubygem-json

more detail
2020-04-02VuXML ID 7f829d44-7509-11ea-b47c-589cfc0f81b0

The HAproxy Project reports:

The main driver for this release is that it contains a fix for a serious vulnerability that was responsibly reported last week by Felix Wilhelm from Google Project Zero, affecting the HPACK decoder used for HTTP/2. CVE-2020-11100 was assigned to this issue.

more...
haproxy
haproxy18
haproxy19
haproxy21

more detail
2020-04-02VuXML ID 9cb57a06-7517-11ea-b594-3065ec8fd3ec

Google Chrome Releases reports:

This update contains 8 security fixes.

  • [1062247] High CVE-2020-6450: Use after free in WebAudio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-17
  • [1061018] High CVE-2020-6451: Use after free in WebAudio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-12
  • [1059764] High CVE-2020-6452: Heap buffer overflow in media Reported by asnine on 2020-03-09
  • [1066247] Various fixes from internal audits, fuzzing and other initiatives.
more...
chromium

more detail
2020-04-02VuXML ID b360b120-74b1-11ea-a84a-4c72b94353b5

Apache Team reports:

SECURITY: CVE-2020-1934

mod_proxy_ftp: Use of uninitialized value with malicious backend FTP server.

SECURITY: CVE-2020-1927

rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break characters. The fix for CVE-2019-10098 was not effective.

more...
apache24

more detail
2020-04-02VuXML ID e2b564fc-7462-11ea-af63-38d547003487

The Cacti developers reports:

When guest users have access to realtime graphs, remote code could be executed (CVE-2020-8813).

Lack of escaping on some pages can lead to XSS exposure (CVE-2020-7106).

Remote Code Execution due to input validation failure in Performance Boost Debug Log (CVE-2020-7237).

more...
cacti

more detail
2020-03-31VuXML ID d887b3d9-7366-11ea-b81a-001cc0382b2f

The GnuTLS project reports:

It was found that GnuTLS 3.6.3 introduced a regression in the DTLS protocol implementation. This caused the DTLS client to not contribute any randomness to the DTLS negotiation breaking the security guarantees of the DTLS protocol.

more...
gnutls

more detail
2020-03-30VuXML ID 0309c898-3aed-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library chosen is sodium.

more...
glpi

more detail
2020-03-30VuXML ID 07aecafa-3b12-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6.

more...
glpi

more detail
2020-03-30VuXML ID 27a230a2-3b11-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "alert(1)" reproduces the attack. This can be exploited by a user with administrator privileges in the User-Agent field. It can also be exploited by an outside party through the following steps: 1. Create a user with the surname `" onmouseover="alert(document.cookie)` and an empty first name. 2. With this user, create a ticket 3. As an administrator (or other privileged user) open the created ticket 4. On the "last update" field, put your mouse on the name of the user 5. The XSS fires This is fixed in version 9.4.6.

more...
glpi

more detail
2020-03-30VuXML ID 3a63f478-3b10-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.

more...
glpi

more detail
2020-03-30VuXML ID 832fd11b-3b11-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

more...
glpi

more detail
2020-03-30VuXML ID aec9cbe0-3b0f-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled, a technician account. It can be mitigated by adding an application token. This is fixed in version 9.4.6.

more...
glpi

more detail
2020-03-30VuXML ID b3aae7ea-3aef-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances. Exploiting this vulnerability requires a technician account. This is fixed in version 9.4.6.

more...
glpi

more detail
2020-03-30VuXML ID b64edef7-3b10-11eb-af2a-080027dbe4b7

MITRE Corporation reports:

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.

more...
glpi

more detail
2020-03-29VuXML ID d331f691-71f4-11ea-8bb5-6cc21735f730

The PostgreSQL project reports:

Versions Affected: 9.6 - 12

The ALTER ... DEPENDS ON EXTENSION sub-commands do not perform authorization checks, which can allow an unprivileged user to drop any function, procedure, materialized view, index, or trigger under certain conditions. This attack is possible if an administrator has installed an extension and an unprivileged user can CREATE, or an extension owner either executes DROP EXTENSION predictably or can be convinced to execute DROP EXTENSION.

more...
postgresql10-server
postgresql11-server
postgresql12-server
postgresql96-server

more detail
2020-03-27VuXML ID 090763f6-7030-11ea-93dd-080027846a02

Mediawiki reports:

Security fixes: T246602:jquery.makeCollapsible allows applying event handler to any CSS selector.

more...
mediawiki131
mediawiki133
mediawiki134

more detail
2020-03-26VuXML ID 08fba28b-6f9f-11ea-bd0b-001b217b3468

Gitlab reports:

Arbitrary File Read when Moving an Issue

Path Traversal in NPM Package Registry

SSRF on Project Import

External Users Can Create Personal Snippet

Triggers Decription Can be Updated by Other Maintainers in Project

Information Disclosure on Confidential Issues Moved to Private Programs

Potential DoS in Repository Archive Download

Blocked Users Can Still Pull/Push Docker Images

Repository Mirroring not Disabled when Feature not Activated

Vulnerability Feedback Page Was Leaking Information on Vulnerabilities

Stored XSS Vulnerability in Admin Feature

Upload Feature Allowed a User to Read Unauthorized Exported Files

Unauthorized Users Are Able to See CI Metrics

Last Pipeline Status of a Merge Request Leaked

Blind SSRF on FogBugz

Update Nokogiri dependency

more...
gitlab-ce

more detail
2020-03-25VuXML ID 5bf6ed6d-9002-4f43-ad63-458f59e45384

Jenkins Security Advisory:

Description

(High) SECURITY-1774 / CVE-2020-2160

CSRF protection for any URL could be bypassed

(Medium) SECURITY-1781 / CVE-2020-2161

Stored XSS vulnerability in label expression validation

(Medium) SECURITY-1793 / CVE-2020-2162

Stored XSS vulnerability in file parameters

(Medium) SECURITY-1796 / CVE-2020-2163

Stored XSS vulnerability in list view column headers

more...
jenkins
jenkins-lts

more detail
2020-03-25VuXML ID 97fcc60a-6ec0-11ea-a84a-4c72b94353b5

phpMyAdmin Team reports:

PMASA-2020-2 SQL injection vulnerability in the user accounts page, particularly when changing a password

PMASA-2020-3 SQL injection vulnerability relating to the search feature

PMASA-2020-4 SQL injection and XSS having to do with displaying results

Removing of the "options" field for the external transformation

more...
phpMyAdmin
phpMyAdmin-php72
phpMyAdmin-php73
phpMyAdmin-php74
phpMyAdmin5
phpMyAdmin5-php72
phpMyAdmin5-php73
phpMyAdmin5-php74

more detail
2020-03-23VuXML ID 36def7ba-6d2b-11ea-b115-643150d3111d

Puppetlabs reports:

Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network.

PE 2018.1.13 & 2019.4.0, Puppet Server 6.9.1 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default.

more...
puppetdb5
puppetdb6
puppetserver5
puppetserver6

more detail
2020-03-23VuXML ID 77687355-52aa-11ea-b115-643150d3111d

Puppetlabs reports:

Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet