electron{26,27} -- multiple vulnerabilities electron26 26.6.3 electron27 27.2.0

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-6508.
  • Security: backported fix for CVE-2023-7024.
CVE-2023-6508 https://github.com/advisories/GHSA-3pr6-6r34-c98x CVE-2023-7024 https://github.com/advisories/GHSA-7c6v-f3h8-2x89 2023-12-21 2023-12-22
gitea -- Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin gitea 1.21.3

The Gitea team reports:

Update golang.org/x/crypto

https://github.com/go-gitea/gitea/releases/tag/v1.21.3 2023-12-19 2023-12-21
gitea -- missing permission checks gitea 1.21.2

The Gitea team reports:

Fix missing check

Do some missing checks

By crafting an API request, attackers can access the contents of issues even though the logged-in user does not have access rights to these issues.

https://github.com/go-gitea/gitea/releases/tag/v1.21.2 2023-08-30 2023-09-10
nebula -- security fix for terrapin vulnerability nebula 1.8.1

Upstream reports:

Security fix:

  • Update golang.org/x/crypto, which includes a fix for CVE-2023-48795.
CVE-2023-48795 https://www.openssh.com/txt/release-9.6 https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d https://terrapin-attack.com/ 2023-10-16 2023-12-19
chromium -- security fix chromium 120.0.6099.129 ungoogled-chromium 120.0.6099.129

Chrome Releases reports:

This update includes 1 security fix:

  • [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC. Reported by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group on 2023-12-19
CVE-2023-7024 https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_20.html 2023-12-20 2023-12-21
putty -- add protocol extension against 'Terrapin attack' putty 0.80 putty-nogtk 0.80

Simon Tatham reports:

PuTTY version 0.80 [contains] one security fix [...] for a newly discovered security issue known as the 'Terrapin' attack, also numbered CVE-2023-48795. The issue affects widely-used OpenSSH extensions to the SSH protocol: the ChaCha20+Poly1305 cipher system, and 'encrypt-then-MAC' mode.

In order to benefit from the fix, you must be using a fixed version of PuTTY _and_ a server with the fix, so that they can agree to adopt a modified version of the protocol. [...]

CVE-2023-48795 https://lists.tartarus.org/pipermail/putty-announce/2023/000037.html https://www.openssh.com/txt/release-9.6 https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html https://terrapin-attack.com/ 2023-10-16 2023-12-19
slurm-wlm -- Several security issues slurm-wlm 23.11.1

Slurm releases notes:

Description

CVE-2023-49933 through CVE-2023-49938

Slurm versions 23.11.1, 23.02.7, 22.05.11 are now available and address a number of recently-discovered security issues. They've been assigned CVE-2023-49933 through CVE-2023-49938.

CVE-2023-49933 CVE-2023-49934 CVE-2023-49935 CVE-2023-49936 CVE-2023-49937 CVE-2023-49938 2023-11-29 2023-12-19
couchdb -- information sharing via couchjs processes couchdb 3.3.2,2

Nick Vatamane reports:

Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using various design document functions.

CVE-2023-26268 https://docs.couchdb.org/en/stable/cve/2023-26268.html 2023-05-02 2023-12-17
Gitlab -- vulnerabilities gitlab-ce 16.6.016.6.2 16.5.016.5.4 8.17.016.4.4

Gitlab reports:

Smartcard authentication allows impersonation of arbitrary user using user's public certificate

When subgroup is allowed to merge or push to protected branches, subgroup members with the Developer role may gain the ability to push or merge

The GitLab web interface does not ensure the integrity of information when downloading the source code from installation packages or tags

Project maintainer can escalate to Project owner using project access token rotate API

Omission of Double Encoding in File Names Facilitates the Creation of Repositories with Malicious Content

Unvalidated timeSpent value leads to unable to load issues on Issue board

Developer can bypass predefined variables via REST API

Auditor users can create merge requests on projects they don't have access to

CVE-2023-6680 CVE-2023-6564 CVE-2023-6051 CVE-2023-3907 CVE-2023-5512 CVE-2023-3904 CVE-2023-5061 CVE-2023-3511 https://about.gitlab.com/releases/2023/12/13/security-release-gitlab-16-6-2-released/ 2023-12-13 2023-12-14
chromium -- multiple security fixes chromium 120.0.6099.109 ungoogled-chromium 120.0.6099.109

Chrome Releases reports:

This update includes 9 security fixes:

  • [1501326] High CVE-2023-6702: Type Confusion in V8. Reported by Zhiyi Zhang and Zhunki from Codesafe Team of Legendsec at Qi'anxin Group on 2023-11-10
  • [1502102] High CVE-2023-6703: Use after free in Blink. Reported by Cassidy Kim(@cassidy6564) on 2023-11-14
  • [1504792] High CVE-2023-6704: Use after free in libavif. Reported by Fudan University on 2023-11-23
  • [1505708] High CVE-2023-6705: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-11-28
  • [1500921] High CVE-2023-6706: Use after free in FedCM. Reported by anonymous on 2023-11-09
  • [1504036] Medium CVE-2023-6707: Use after free in CSS. Reported by @ginggilBesel on 2023-11-21
CVE-2023-6702 CVE-2023-6703 CVE-2023-6704 CVE-2023-6705 CVE-2023-6706 CVE-2023-6707 https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html 2023-12-12 2023-12-13
FreeBSD -- NFS client data corruption and kernel memory disclosure FreeBSD-kernel 14.014.0_3 13.213.2_8

Problem Description:

In FreeBSD 13.2 and 14.0, the NFS client was optimized to improve the performance of IO_APPEND writes, that is, writes which add data to the end of a file and so extend its size. This uncovered an old bug in some routines which copy userspace data into the kernel. The bug also affects the NFS client's implementation of direct I/O; however, this implementation is disabled by default by the vfs.nfs.nfs_directio_enable sysctl and is only used to handle synchronous writes.

Impact:

When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy operation had succeeded. This means that the data to be written is instead replaced with whatever data had been in the packet buffer previously. Thus, an unprivileged user with access to an affected system may abuse the bug to trigger disclosure of sensitive information. In particular, the leak is limited to data previously stored in mbufs, which are used for network transmission and reception, and for certain types of inter-process communication.

The bug can also be triggered unintentionally by system applications, in which case the data written by the application to an NFS mount may be corrupted. Corrupted data is written over the network to the NFS server, and thus also susceptible to being snooped by other hosts on the network.

Note that the bug exists only in the NFS client; the version and implementation of the server has no effect on whether a given system is affected by the problem.

CVE-2023-6660 SA-23:18.nfsclient 2023-12-12 2023-12-13
xorg-server -- Multiple vulnerabilities xorg-server xephyr xorg-vfbserver 21.1.10,1 xorg-nestserver 21.1.10,2 xwayland 23.2.3,1 xwayland-devel 21.0.99.1.582

The X.Org project reports:

  • CVE-2023-6377/ZDI-CAN-22412/ZDI-CAN-22413: X.Org server: Out-of-bounds memory write in XKB button actions

    A device has XKB button actions for each button on the device. When a logical device switch happens (e.g. moving from a touchpad to a mouse), the server re-calculates the information available on the respective master device (typically the Virtual Core Pointer). This re-calculation only allocated enough memory for a single XKB action rather instead of enough for the newly active physical device's number of button. As a result, querying or changing the XKB button actions results in out-of-bounds memory reads and writes.

    This may lead to local privilege escalation if the server is run as root or remote code execution (e.g. x11 over ssh).

  • CVE-2023-6478/ZDI-CAN-22561: X.Org server: Out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty

    This fixes an OOB read and the resulting information disclosure.

    Length calculation for the request was clipped to a 32-bit integer. With the correct stuff->nUnits value the expected request size was truncated, passing the REQUEST_FIXED_SIZE check.

    The server then proceeded with reading at least stuff->nUnits bytes (depending on stuff->format) from the request and stuffing whatever it finds into the property. In the process it would also allocate at least stuff->nUnits bytes, i.e. 4GB.

https://lists.x.org/archives/xorg-announce/2023-December/003435.html CVE-2023-6377 CVE-2023-6478 2023-12-13 2023-12-13
chromium -- multiple security fixes chromium 120.0.6099.62 ungoogled-chromium 120.0.6099.62 qt5-webengine 5.15.16.p5_2 qt6-webengine 6.6.1_1

Chrome Releases reports:

This update includes 10 security fixes:

  • [1497984] High CVE-2023-6508: Use after free in Media Stream. Reported by Cassidy Kim(@cassidy6564) on 2023-10-31
  • [1494565] High CVE-2023-6509: Use after free in Side Panel Search. Reported by Khalil Zhani on 2023-10-21
  • [1480152] Medium CVE-2023-6510: Use after free in Media Capture. Reported by [pwn2car] on 2023-09-08
  • [1478613] Low CVE-2023-6511: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-09-04
  • [1457702] Low CVE-2023-6512: Inappropriate implementation in Web Browser UI. Reported by Om Apip on 2023-06-24
CVE-2023-6508 CVE-2023-6509 CVE-2023-6510 CVE-2023-6511 CVE-2023-6512 https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop.html 2023-12-05 2023-12-11
apache -- Apache ZooKeeper: Authorization bypass in SASL Quorum Peer Authentication zookeeper 3.7.2 3.8.03.8.3 3.9.03.9.1

security@apache.org reports:

Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped.As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree.Quorum Peer authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue. Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue. See the documentation for more details on correct cluster administration.

CVE-2023-44981 https://nvd.nist.gov/vuln/detail/CVE-2023-44981 2023-10-11 2023-12-10
electron25 -- multiple vulnerabilities electron25 25.9.8

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-6350.
  • Security: backported fix for CVE-2023-6351.
CVE-2023-6350 https://github.com/advisories/GHSA-wmh6-7xp9-5gh8 CVE-2023-6351 https://github.com/advisories/GHSA-47vw-3hx2-6877 2023-12-06 2023-12-07
FreeBSD -- TCP spoofing vulnerability in pf(4) FreeBSD-kernel 14.014.0_2 13.213.2_4 12.412.4_6

Problem Description:

As part of its stateful TCP connection tracking implementation, pf performs sequence number validation on inbound packets. This makes it difficult for a would-be attacker to spoof the sender and inject packets into a TCP stream, since crafted packets must contain sequence numbers which match the current connection state to avoid being rejected by the firewall.

A bug in the implementation of sequence number validation means that the sequence number is not in fact validated, allowing an attacker who is able to impersonate the remote host and guess the connection's port numbers to inject packets into the TCP stream.

Impact:

An attacker can, with relatively little effort, inject packets into a TCP stream destined to a host behind a pf firewall. This could be used to implement a denial-of-service attack for hosts behind the firewall, for example by sending TCP RST packets to the host.

CVE-2023-6534 SA-23:17.pf 2023-12-05 2023-12-05 2023-12-14
varnish -- HTTP/2 Rapid Reset Attack varnish7 7.4.2 varnish6 6.6.3

Varnish Cache Project reports:

A denial of service attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker can create a large volume of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for the session, causing the Varnish server to consume unnecessary resources processing requests for which the response will not be delivered.

CVE-2023-44487 https://varnish-cache.org/security/VSV00013.html 2023-11-13 2023-12-02
Gitlab -- Vulnerabilities gitlab-ce 16.6.016.6.1 16.5.016.5.3 8.13.016.4.3

Gitlab reports:

XSS and ReDoS in Markdown via Banzai pipeline of Jira

Members with admin_group_member custom permission can add members with higher role

Release Description visible in public projects despite release set as project members only through atom response

Manipulate the repository content in the UI (CVE-2023-3401 bypass)

External user can abuse policy bot to gain access to internal projects

Client-side DOS via Mermaid Flowchart

Developers can update pipeline schedules to use protected branches even if they don't have permission to merge

Users can install Composer packages from public projects even when Package registry is turned off

Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches

Guest users can react (emojis) on confidential work items which they cant see in a project

CVE-2023-6033 CVE-2023-6396 CVE-2023-3949 CVE-2023-5226 CVE-2023-5995 CVE-2023-4912 CVE-2023-4317 CVE-2023-3964 CVE-2023-4658 CVE-2023-3443 https://about.gitlab.com/releases/2023/11/30/security-release-gitlab-16-6-1-released/ 2023-11-30 2023-12-01
electron26 -- multiple vulnerabilities electron26 26.6.2

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-6345.
  • Security: backported fix for CVE-2023-6346.
  • Security: backported fix for CVE-2023-6347.
  • Security: backported fix for CVE-2023-6350.
CVE-2023-6345 https://github.com/advisories/GHSA-xm5p-7w7v-qqr5 CVE-2023-6346 https://github.com/advisories/GHSA-w427-5x7p-xj8x CVE-2023-6347 https://github.com/advisories/GHSA-6jj9-4hh8-6xpv CVE-2023-6350 https://github.com/advisories/GHSA-wmh6-7xp9-5gh8 2023-11-30 2023-12-01
electron25 -- multiple vulnerabilities electron25 25.9.7

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-6345.
  • Security: backported fix for CVE-2023-6346.
  • Security: backported fix for CVE-2023-6347.
CVE-2023-6345 https://github.com/advisories/GHSA-xm5p-7w7v-qqr5 CVE-2023-6346 https://github.com/advisories/GHSA-w427-5x7p-xj8x CVE-2023-6347 https://github.com/advisories/GHSA-6jj9-4hh8-6xpv 2023-12-01 2023-12-01
chromium -- multiple security fixes chromium 119.0.6045.199 ungoogled-chromium 119.0.6045.199 qt5-webengine 5.15.16.p5_2 qt6-webengine 6.6.1_1

Chrome Releases reports:

This update includes 7 security fixes:

  • [1491459] High CVE-2023-6348: Type Confusion in Spellcheck. Reported by Mark Brand of Google Project Zero on 2023-10-10
  • [1494461] High CVE-2023-6347: Use after free in Mojo. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2023-10-21
  • [1500856] High CVE-2023-6346: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-09
  • [1501766] High CVE-2023-6350: Out of bounds memory access in libavif. Reported by Fudan University on 2023-11-13
  • [1501770] High CVE-2023-6351: Use after free in libavif. Reported by Fudan University on 2023-11-13
  • [1505053] High CVE-2023-6345: Integer overflow in Skia. Reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group on 2023-11-24
CVE-2023-6348 CVE-2023-6347 CVE-2023-6346 CVE-2023-6350 CVE-2023-6351 CVE-2023-6345 https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html 2023-11-28 2023-11-29
MariaDB -- Denial-of-Service vulnerability mariadb105-server 10.5.23 mariadb106-server 10.6.16 mariadb1011-server 10.11.6

The MariaDB project reports:

Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVE-2023-22084 https://mariadb.com/kb/en/mariadb-10-11-6-release-notes/ https://mariadb.com/kb/en/mariadb-10-6-16-release-notes/ https://mariadb.com/kb/en/mariadb-10-5-23-release-notes/ 2023-11-13 2023-11-26
strongSwan -- vulnerability in charon-tkm strongswan 5.3.05.9.11_3

strongSwan reports:

A vulnerability in charon-tkm related to processing DH public values was discovered in strongSwan that can result in a buffer overflow and potentially remote code execution. All versions since 5.3.0 are affected.

CVE-2023-41913 https://www.strongswan.org/blog/2023/11/20/strongswan-vulnerability-(cve-2023-41913).html 2023-11-20 2023-11-24
electron{25,26} -- use after free in Garbage Collection electron25 25.9.6 electron26 26.6.1

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2023-5997.
CVE-2023-5997 https://github.com/advisories/GHSA-fggx-frxq-cpx8 2023-11-22 2023-11-22
chromium -- multiple security fixes chromium 119.0.6045.159 ungoogled-chromium 119.0.6045.159 qt5-webengine 5.15.16.p5 qt6-webengine 6.6.1

Chrome Releases reports:

This update includes 4 security fixes:

  • [1497997] High CVE-2023-5997: Use after free in Garbage Collection. Reported by Anonymous on 2023-10-31
  • [1499298] High CVE-2023-6112: Use after free in Navigation. Reported by Sergei Glazunov of Google Project Zero on 2023-11-04
CVE-2023-5997 CVE-2023-6112 https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_14.html 2023-11-14 2023-11-16
electron{25,26} -- use after free in WebAudio electron25 25.9.5 electron26 26.6.0

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2023-5996.
CVE-2023-5996 https://github.com/advisories/GHSA-q3gq-rg4m-vgrp 2023-11-15 2023-11-16
openvpn -- 2.6.0...2.6.6 --fragment option division by zero crash, and TLS data leak openvpn 2.6.02.6.7_1 openvpn-devel g20231109,1

The OpenVPN community project team reports:

CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore "--fragment" configuration in some circumstances, leading to a division by zero when "--fragment" is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash.
Reported by Niccolo Belli and WIPocket (Github #400, #417).

CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417)

CVE-2023-46849 CVE-2023-46850 https://github.com/OpenVPN/openvpn/blob/v2.6.7/Changes.rst#overview-of-changes-in-267 2023-08-29 2023-11-15 2023-12-31
typo3 -- Multiple vulnerabilities typo3-11 typo3-12 11.5.33 12.4.33

security-advisories@github.com reports:

Weak Authentication in Session Handling in typo3/cms-core: In typo3 installations there are always at least two different sites. Eg. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can be reused on the second site without requiring additional authentication. This vulnerability has been addressed in versions 8.7.55, 9.5.44, 10.4.41, 11.5.33, and 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Information Disclosure in Install Tool in typo3/cms-install: In affected versions the login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-based scenarios only - classic non-composer installations are not affected. This issue has been addressed in version 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

By-passing Cross-Site Scripting Protection in HTML Sanitizer: In affected versions DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. This vulnerability has been addressed in versions 1.5.3 and 2.1.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2023-47125 https://nvd.nist.gov/vuln/detail/CVE-2023-47125 CVE-2023-47126 https://nvd.nist.gov/vuln/detail/CVE-2023-47126 CVE-2023-47127 https://nvd.nist.gov/vuln/detail/CVE-2023-47127 2023-11-14 2023-11-15
postgresql-server -- Memory disclosure in aggregate function calls postgresql-server 16.1 15.5 14.10 13.13 12.17 11.22

PostgreSQL Project reports:

Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type designation. We have not confirmed or ruled out viability of attacks that arrange for presence of notable, confidential information in disclosed bytes.

CVE-2023-5868 https://www.postgresql.org/support/security/CVE-2023-5868/ 2023-11-09 2023-11-09
postgresql-server -- Buffer overrun from integer overflow in array modification postgresql-server 16.1 15.5 14.10 13.13 12.17 11.22

PostgreSQL Project reports:

While modifying certain SQL array values, missing overflow checks let authenticated database users write arbitrary bytes to a memory area that facilitates arbitrary code execution. Missing overflow checks also let authenticated database users read a wide area of server memory. The CVE-2021-32027 fix covered some attacks of this description, but it missed others.

CVE-2023-5869 https://www.postgresql.org/support/security/CVE-2023-5869/ 2023-11-09 2023-11-09
postgresql-server -- Role pg_cancel_backend can signal certain superuser processes postgresql-server 16.1 15.5 14.10 13.13 12.17 11.22

PostgreSQL Project reports:

Documentation says the pg_cancel_backend role cannot signal "a backend owned by a superuser". On the contrary, it can signal background workers, including the logical replication launcher. It can signal autovacuum workers and the autovacuum launcher. Signaling autovacuum workers and those two launchers provides no meaningful exploit, so exploiting this vulnerability requires a non-core extension with a less-resilient background worker. For example, a non-core background worker that does not auto-restart would experience a denial of service with respect to that particular background worker.

CVE-2023-5870 https://www.postgresql.org/support/security/CVE-2023-5870/ 2023-11-09 2023-11-09
electron{25,26} -- multiple vulnerabilities electron25 25.9.4 electron26 26.5.0

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-5849.
  • Security: backported fix for CVE-2023-5482.
CVE-2023-5849 https://github.com/advisories/GHSA-7cjp-92p9-vr97 CVE-2023-5482 https://github.com/advisories/GHSA-pq78-6h8h-rcf4 2023-11-08 2023-11-09
libsndfile_project -- Integer overflow in dataend calculation libsndfile 1.2.2_1

cve@mitre.org reports:

Multiple signed integers overflow in function au_read_header in src/au.c and in functions mat4_open and mat4_read_header in src/mat4.c in Libsndfile, allows an attacker to cause Denial of Service or other unspecified impacts.

CVE-2022-33065 https://nvd.nist.gov/vuln/detail/CVE-2022-33065 2023-07-18 2023-11-08
chromium -- security update chromium 119.0.6045.123 ungoogled-chromium 119.0.6045.123

Chrome Releases reports:

This update includes 1 security fix:

  • [1497859] High CVE-2023-5996: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab via Tianfu Cup 2023 on 2023-10-30
CVE-2023-5996 https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop.html 2023-11-07 2023-11-08
OpenSSL -- DoS in DH generation openssl 3.0.12_1,1 openssl111 1.1.1w_1 openssl31 3.1.4_1 openssl-quictls 3.0.12_1 openssl31-quictls 3.1.4_1

The OpenSSL project reports:

Excessive time spent in DH check / generation with large Q parameter value (low). Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow.

CVE-2023-5678 https://www.openssl.org/news/secadv/20231106.txt 2023-11-08 2023-11-08
FreeBSD -- Incorrect libcap_net limitation list manipulation FreeBSD 13.213.2_5

Problem Description:

Casper services allow limiting operations that a process can perform. Each service maintains a specific list of permitted operations. Certain operations can be further restricted, such as specifying which domain names can be resolved. During the verification of limits, the service must ensure that the new set of constraints is a subset of the previous one. In the case of the cap_net service, the currently limited set of domain names was fetched incorrectly.

Impact:

In certain scenarios, if only a list of resolvable domain names was specified without setting any other limitations, the application could submit a new list of domains including include entries not previously in the list.

CVE-2023-5978 SA-23:16.cap_net 2023-11-08 2023-11-08
FreeBSD -- libc stdio buffer overflow FreeBSD 13.213.2_5 12.412.4_7

Problem Description:

For line-buffered streams the __sflush() function did not correctly update the FILE object's write space member when the write(2) system call returns an error.

Impact:

Depending on the nature of an application that calls libc's stdio functions and the presence of errors returned from the write(2) system call (or an overridden stdio write routine) a heap buffer overfly may occur. Such overflows may lead to data corruption or the execution of arbitrary code at the privilege level of the calling program.

CVE-2023-5941 SA-23:15.stdio 2023-11-08 2023-11-08
vorbistools -- heap buffer overflow in oggenc vorbis-tools 1.4.2_4,3

Frank-Z7 reports:

Heap buffer overflow when vorbis-tools/oggenc converts WAV files to Ogg files.

CVE-2023-43361 https://nvd.nist.gov/vuln/detail/CVE-2023-43361 2023-09-16 2023-11-05
PptiPNG -- Global-buffer-overflow optipng 0.7.7_1

Frank-Z7 reports:

Running optipng with the "-zm 3 -zc 1 -zw 256 -snip -out" configuration options enabled raises a global-buffer-overflow bug, which could allow a remote attacker to conduct a denial-of-service attack or other unspecified effect on a crafted file.

CVE-2023-43907 https://nvd.nist.gov/vuln/detail/CVE-2023-43907 2023-09-30 2023-11-02
chromium -- multiple vulnerabilities chromium 119.0.6045.105 ungoogled-chromium 119.0.6045.105 qt6-webengine 6.6.1

Chrome Releases reports:

This update includes 15 security fixes:

  • [1492698] High CVE-2023-5480: Inappropriate implementation in Payments. Reported by Vsevolod Kokorin (Slonser) of Solidlab on 2023-10-14
  • [1492381] High CVE-2023-5482: Insufficient data validation in USB. Reported by DarkNavy on 2023-10-13
  • [1492384] High CVE-2023-5849: Integer overflow in USB. Reported by DarkNavy on 2023-10-13
  • [1281972] Medium CVE-2023-5850: Incorrect security UI in Downloads. Reported by Mohit Raj (shadow2639) on 2021-12-22
  • [1473957] Medium CVE-2023-5851: Inappropriate implementation in Downloads. Reported by Shaheen Fazim on 2023-08-18
  • [1480852] Medium CVE-2023-5852: Use after free in Printing. Reported by [pwn2car] on 2023-09-10
  • [1456876] Medium CVE-2023-5853: Incorrect security UI in Downloads. Reported by Hafiizh on 2023-06-22
  • [1488267] Medium CVE-2023-5854: Use after free in Profiles. Reported by Dohyun Lee (@l33d0hyun) of SSD-Disclosure Labs & DNSLab, Korea Univ on 2023-10-01
  • [1492396] Medium CVE-2023-5855: Use after free in Reading Mode. Reported by ChaobinZhang on 2023-10-13
  • [1493380] Medium CVE-2023-5856: Use after free in Side Panel. Reported by Weipeng Jiang (@Krace) of VRI on 2023-10-17
  • [1493435] Medium CVE-2023-5857: Inappropriate implementation in Downloads. Reported by Will Dormann on 2023-10-18
  • [1457704] Low CVE-2023-5858: Inappropriate implementation in WebApp Provider. Reported by Axel Chong on 2023-06-24
  • [1482045] Low CVE-2023-5859: Incorrect security UI in Picture In Picture. Reported by Junsung Lee on 2023-09-13
CVE-2023-5480 CVE-2023-5482 CVE-2023-5849 CVE-2023-5850 CVE-2023-5851 CVE-2023-5852 CVE-2023-5853 CVE-2023-5854 CVE-2023-5855 CVE-2023-5856 CVE-2023-5857 CVE-2023-5858 CVE-2023-5859 https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_31.html 2023-10-31 2023-11-03
phpmyfaq -- multiple vulnerabilities phpmyfaq-php80 phpmyfaq-php81 phpmyfaq-php82 phpmyfaq-php83 3.2.2

phpmyfaq developers report:

XSS

Insufficient session expiration

CVE-2023-5863 CVE-2023-5865 https://nvd.nist.gov/vuln/detail/CVE-2023-5863 https://nvd.nist.gov/vuln/detail/CVE-2023-5865 https://huntr.com/bounties/fbfd4e84-61fb-4063-8f11-15877b8c1f6f/ https://huntr.com/bounties/4c4b7395-d9fd-4ca0-98d7-2e20c1249aff/ 2023-10-31 2023-11-02
open-vm-tools -- Multiple vulnerabilities open-vm-tools 12.3.5 open-vm-tools-nox11 12.3.5

VMware reports:

This update includes 2 security fixes:

  • High CVE-2023-34058: SAML token signature bypass vulnerability
  • High CVE-2023-34059: File descriptor hijack vulnerability in the vmware-user-suid-wrapper
CVE-2023-34058 https://nvd.nist.gov/vuln/detail/CVE-2023-34058 CVE-2023-34059 https://nvd.nist.gov/vuln/detail/CVE-2023-34059 2023-10-26 2023-11-01
Gitlab -- Vulnerabilities gitlab-ce 16.5.016.5.1 16.4.016.4.2 11.6.016.3.6

Gitlab reports:

Disclosure of CI/CD variables using Custom project templates

GitLab omnibus DoS crash via OOM with CI Catalogs

Parsing gitlab-ci.yml with large string via timeout input leads to Denial of Service

DoS - Blocking FIFO files in Tar archives

Titles exposed by service-desk template

Approval on protected environments can be bypassed

Version information disclosure when super_sidebar_logged_out feature flag is enabled

Add abuse detection for search syntax filter pipes

CVE-2023-3399 CVE-2023-5825 CVE-2023-3909 CVE-2023-3246 CVE-2023-5600 CVE-2023-4700 CVE-2023-5831 https://about.gitlab.com/releases/2023/10/31/security-release-gitlab-16-5-1-16-4-2-16-3-6-released/ 2023-10-31 2023-11-01
zeek -- potential DoS vulnerabilities zeek 6.0.2

Tim Wojtulewicz of Corelight reports:

A specially-crafted SSL packet could cause Zeek to leak memory and potentially crash.

A specially-crafted series of FTP packets could cause Zeek to log entries for requests that have already been completed, using resources unnecessarily and potentially causing Zeek to lose other traffic.

A specially-crafted series of SSL packets could cause Zeek to output a very large number of unnecessary alerts for the same record.

A specially-crafted series of SSL packets could cause Zeek to generate very long ssl_history fields in the ssl.log, potentially using a large amount of memory due to unbounded state growth

A specially-crafted IEEE802.11 packet could cause Zeek to overflow memory and potentially crash

https://github.com/zeek/zeek/releases/tag/v6.0.2 2023-10-27 2023-10-27
chromium -- multiple vulnerabilities chromium 118.0.5993.117 ungoogled-chromium 118.0.5993.117

Chrome Releases reports:

This update includes 2 security fixes:

  • [1491296] High CVE-2023-5472: Use after free in Profiles. Reported by @18楼梦想改造家 on 2023-10-10
CVE-2023-5472 https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_24.html 2023-10-24 2023-10-27
xorg-server -- Multiple vulnerabilities xorg-server xephyr xorg-vfbserver 21.1.9,1 xorg-nestserver 21.1.9,2 xwayland 23.2.2,1 xwayland-devel 21.0.99.1.542

The X.Org project reports:

  • ZDI-CAN-22153/CVE-2023-5367: X.Org server: OOB write in XIChangeDeviceProperty/RRChangeOutputProperty

    When prepending values to an existing property an invalid offset calculation causes the existing values to be appended at the wrong offset. The resulting memcpy() would write into memory outside the heap-allocated array.

  • ZDI-CAN-21608/CVE-2023-5380: Use-after-free bug in DestroyWindow

    This vulnerability requires a legacy multi-screen setup with multiple protocol screens ("Zaphod"). If the pointer is warped from one screen to the root window of the other screen, the enter/leave code may retain a reference to the previous pointer window. Destroying this window leaves that reference in place, other windows may then trigger a use-after-free bug when they are destroyed.

https://lists.x.org/archives/xorg-announce/2023-October/003430.html CVE-2023-5367 CVE-2023-5380 2023-10-25 2023-10-25
squid -- Multiple vulnerabilities squid 6.4

The squid-cache project reports:

  • Denial of Service in FTP
  • Request/Response smuggling in HTTP/1.1 and ICAP
  • Denial of Service in HTTP Digest Authentication
https://github.com/squid-cache/squid/security/advisories/GHSA-2g3c-pg7q-g59w https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g 2023-10-21 2023-10-25
OpenSSL -- potential loss of confidentiality openssl 3.0.12,1 openssl31 3.1.4 openssl-quictls 3.0.12

SO-AND-SO reports:

Moderate severity: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.

CVE-2023-5363 https://www.openssl.org/news/secadv/20231024.txt 2023-10-24 2023-10-24
MySQL -- Multiple vulnerabilities mysql57-server 5.7.44 mysql-connector-c++ 8.0.35 mysql-connector-j 8.1.1 mysql-connector-odbc 8.1.1 mysql80-server 8.0.35

Oracle reports:

This Critical Patch Update contains 37 new security patches, plus additional third party patches noted below, for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

CVE-2022-42898 CVE-2023-2650 CVE-2023-3817 CVE-2023-22015 CVE-2023-22026 CVE-2023-22028 CVE-2023-22032 CVE-2023-22059 CVE-2023-22064 CVE-2023-22065 CVE-2023-22066 CVE-2023-22068 CVE-2023-22070 CVE-2023-22078 CVE-2023-22079 CVE-2023-22084 CVE-2023-22092 CVE-2023-22094 CVE-2023-22095 CVE-2023-22097 CVE-2023-22102 CVE-2023-22103 CVE-2023-22104 CVE-2023-22110 CVE-2023-22111 CVE-2023-22112 CVE-2023-22113 CVE-2023-22114 CVE-2023-22115 CVE-2023-38545 https://www.oracle.com/security-alerts/cpuoct2023.html#AppendixMSQL 2023-10-17 2023-10-23
Request Tracker -- multiple vulnerabilities rt44 4.4.6 rt50 5.0.4

Request Tracker reports:

CVE-2023-41259 SECURITY: RT is vulnerable to unvalidated email headers in incoming email and the mail-gateway REST interface.

CVE-2023-41260 SECURITY: RT is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST interface.

CVE-2023-45024 SECURITY: RT 5.0 is vulnerable to information leakage via transaction searches made by authenticated users in the transaction query builder.

CVE-2023-41259 CVE-2023-41260 CVE-2023-45024 https://bestpractical.com/request-tracker/ 2023-10-18 2023-10-18
electron{25,26} -- Use after free in Site Isolation electron25 25.9.2 electron26 26.4.1

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2023-5218.
CVE-2023-5218 https://github.com/advisories/GHSA-cvp3-7vpw-ffh6 2023-10-18 2023-10-19
Apache httpd -- Multiple vulnerabilities apache24 2.4.58

The Apache httpd project reports:

  • CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST
  • CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0
  • CVE-2023-31122: mod_macro buffer over-read
CVE-2023-45802 CVE-2023-43622 CVE-2023-31122 https://dlcdn.apache.org/httpd/CHANGES_2.4.58 2023-10-19 2023-10-19
moonlight-embedded -- multiple vulnerabilities moonlight-embedded 2.6.1

The moonlight-embedded project reports:

Moonlight Embedded v2.6.1 fixed CVE-2023-42799, CVE-2023-42800, and CVE-2023-42801.

CVE-2022-42799 https://nvd.nist.gov/vuln/detail/CVE-2022-42799 CVE-2022-42800 https://nvd.nist.gov/vuln/detail/CVE-2022-42800 CVE-2022-42801 https://nvd.nist.gov/vuln/detail/CVE-2022-42801 2022-01-11 2023-10-16
jenkins -- HTTP/2 denial of service vulnerability in bundled Jetty jenkins 2.428 jenkins-lts 2.414.3

Jenkins Security Advisory:

Description

(High) SECURITY-3291 / CVE-2023-36478, CVE-2023-44487

HTTP/2 denial of service vulnerability in bundled Jetty

CVE-2023-36478 CVE-2023-44487 https://www.jenkins.io/security/advisory/2023-10-18/ 2023-10-18 2023-10-18
Roundcube -- XSS vulnerability in SVG roundcube 1.6.4,1

The Roundcube project reports:

cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages

https://roundcube.net/news/2023/10/16/security-update-1.6.4-released 2023-10-16 2023-10-18
redis -- Possible bypassing Unix socket permissions redis 7.2.2 redis-devel 7.2.2.20231018 redis70 7.0.14 redis62 6.2.14

Redis core team reports:

The wrong order of listen(2) and chmod(2) calls creates a race condition that can be used by another process to bypass desired Unix socket permissions on startup.

CVE-2023-45145 https://groups.google.com/g/redis-db/c/r81pHa-dcI8 2023-10-18 2023-10-18
libcue -- out-of-bounds array access libcue 2.3.0

The libcue team reports:

There is a vulnerability to out-of-bounds array access.

CVE-2023-43641 https://nvd.nist.gov/vuln/detail/CVE-2023-43641 2023-10-09 2023-10-14
traefik -- Resource exhaustion by malicious HTTP/2 client traefik 2.10.5

The traefik authors report:

There is a vulnerability in GO managing HTTP/2 requests, which impacts Traefik. This vulnerability could be exploited to cause a denial of service.

CVE-2023-39325 CVE-2023-44487 https://github.com/traefik/traefik/security/advisories/GHSA-7v4p-328v-8v5g 2023-10-10 2023-10-14
x11/libXpm multiple vulnerabilities libXpm 3.5.17

The X.Org project reports:

CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer
An out-of-bounds read is located in ParseComment() when reading from a memory buffer instead of a file, as it continued to look for the closing comment marker past the end of the buffer.
CVE-2023-43789: Out of bounds read on XPM with corrupted colormap
A corrupted colormap section may cause libXpm to read out of bounds.
CVE-2023-43788 CVE-2023-43789 https://lists.x.org/archives/xorg/2023-October/061506.html 2023-09-22 2023-10-12
11/libX11 multiple vulnerabilities libX11 1.8.7

The X.Org project reports:

CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
When libX11 is processing the reply from the X server to the XkbGetMap request, if it detected the number of symbols in the new map was less than the size of the buffer it had allocated, it always added room for 128 more symbols, instead of the actual size needed. While the _XkbReadBufferCopyKeySyms() helper function returned an error if asked to copy more keysyms into the buffer than there was space allocated for, the caller never checked for an error and assumed the full set of keysyms was copied into the buffer and could then try to read out of bounds when accessing the buffer. libX11 1.8.7 has been patched to both fix the size allocated and check for error returns from _XkbReadBufferCopyKeySyms().
CVE-2023-43786: stack exhaustion in XPutImage
When splitting a single line of pixels into chunks that fit in a single request (not using the BIG-REQUESTS extension) to send to the X server, the code did not take into account the number of bits per pixel, so would just loop forever finding it needed to send more pixels than fit in the given request size and not breaking them down into a small enough chunk to fit. An XPM file was provided that triggered this bug when loaded via libXpm's XpmReadFileToPixmap() function, which in turn calls XPutImage() and hit this bug.
CVE-2023-43787: integer overflow in XCreateImage() leading to a heap overflow
When creating an image, there was no validation that the multiplication of the caller-provided width by the visual's bits_per_pixel did not overflow and thus result in the allocation of a buffer too small to hold the data that would be copied into it. An XPM file was provided that triggered this bug when loaded via libXpm's XpmReadFileToPixmap() function, which in turn calls XCreateImage() and hit this bug.i
CVE-2023-43785 CVE-2023-43786 CVE-2023-43787 https://lists.x.org/archives/xorg/2023-October/061506.html 2023-09-22 2023-10-12
chromium -- multiple vulnerabilities chromium 118.0.5993.70 ungoogled-chromium 118.0.5993.70 qt6-webengine 6.6.1

Chrome Releases reports:

This update includes 20 security fixes:

  • [1487110] Critical CVE-2023-5218: Use after free in Site Isolation. Reported by @18楼梦想改造家 on 2023-09-27
  • [1062251] Medium CVE-2023-5487: Inappropriate implementation in Fullscreen. Reported by Anonymous on 2020-03-17
  • [1414936] Medium CVE-2023-5484: Inappropriate implementation in Navigation. Reported by Thomas Orlita on 2023-02-11
  • [1476952] Medium CVE-2023-5475: Inappropriate implementation in DevTools. Reported by Axel Chong on 2023-08-30
  • [1425355] Medium CVE-2023-5483: Inappropriate implementation in Intents. Reported by Axel Chong on 2023-03-17
  • [1458934] Medium CVE-2023-5481: Inappropriate implementation in Downloads. Reported by Om Apip on 2023-06-28
  • [1474253] Medium CVE-2023-5476: Use after free in Blink History. Reported by Yunqin Sun on 2023-08-20
  • [1483194] Medium CVE-2023-5474: Heap buffer overflow in PDF. Reported by [pwn2car] on 2023-09-15
  • [1471253] Medium CVE-2023-5479: Inappropriate implementation in Extensions API. Reported by Axel Chong on 2023-08-09
  • [1395164] Low CVE-2023-5485: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2022-12-02
  • [1472404] Low CVE-2023-5478: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-08-12
  • [1472558] Low CVE-2023-5477: Inappropriate implementation in Installer. Reported by Bahaa Naamneh of Crosspoint Labs on 2023-08-13
  • [1357442] Low CVE-2023-5486: Inappropriate implementation in Input. Reported by Hafiizh on 2022-08-29
  • [1484000] Low CVE-2023-5473: Use after free in Cast. Reported by DarkNavy on 2023-09-18
CVE-2023-5218 CVE-2023-5487 CVE-2023-5484 CVE-2023-5475 CVE-2023-5483 CVE-2023-5481 CVE-2023-5476 CVE-2023-5474 CVE-2023-5479 CVE-2023-5485 CVE-2023-5478 CVE-2023-5477 CVE-2023-5486 CVE-2023-5473 https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_10.html 2023-10-10 2023-10-11
electron25 -- Use after free in extensions vulnerability electron25 25.9.1

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2023-5187.
CVE-2023-5187 https://github.com/advisories/GHSA-hg3r-958g-g8vq 2023-10-11 2023-10-12
curl -- SOCKS5 heap buffer overflow curl 7.69.08.4.0 cmake-core 3.27.8

The curl team reports:

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes. If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there.

CVE-2023-38545 https://curl.se/docs/CVE-2023-38545.html 2023-09-30 2023-10-11 2023-10-11
h2o -- HTTP/2 Rapid Reset attack vulnerability h2o 2.2.6 h2o-devel 2.3.0.d.20231010

Kazuo Okuhu reports:

H2O is vulnerable to the HTTP/2 Rapid Reset attack. An attacker might be able to consume more than adequate amount of processing power of h2o and the backend servers by mounting the attack.

CVE-2023-44487 https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf 2023-10-10 2023-10-10
Django -- multiple vulnerabilities py39-django32 py310-django32 py311-django32 3.2.22 py39-django41 py310-django41 py311-django41 4.1.12 py39-django42 py310-django42 py311-django42 4.2.6

Django reports:

CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator.

CVE-2023-43665 https://www.djangoproject.com/weblog/2023/oct/04/security-releases/ 2023-10-01 2023-10-05
libspf2 -- Integer Underflow Remote Code Execution libspf2 1.2.11

Trendmicro ZDI reports:

Integer Underflow Remote Code Execution Vulnerability

The specific flaw exists within the parsing of SPF macros. When parsing SPF macros, the process does not properly validate user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the service account.

CVE-2023-42118 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42118 2022-06-06 2023-10-04
chromium -- type confusion in v8 chromium 117.0.5938.149 ungoogled-chromium 117.0.5938.149

Chrome Releases reports:

This update includes 1 security fix:

  • [1485829] High CVE-2023-5346: Type Confusion in V8. Reported by Amit Kumar on 2023-09-22
CVE-2023-5346 https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop.html 2023-10-03 2023-10-04
FreeBSD -- arm64 boot CPUs may lack speculative execution protections FreeBSD-kernel 13.213.2_4

Problem Description:

On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized.

Impact:

No speculative execution workarounds are installed on CPU 0.

CVE-2023-5370 SA-23:14.smccc 2023-10-03 2023-10-04
FreeBSD -- copy_file_range insufficient capability rights check FreeBSD-kernel 13.213.2_4

Problem Description:

The syscall checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the syscall must additionally require the CAP_SEEK capability.

Impact:

A sandboxed process with only read or write but no seek capability on a file descriptor may be able to read data from or write data to an arbitrary location within the file corresponding to that file descriptor.

CVE-2023-5369 SA-23:13.capsicum 2023-10-03 2023-10-04
FreeBSD -- msdosfs data disclosure FreeBSD-kernel 13.213.2_4 12.412.4_6

Problem Description:

In certain cases using the truncate or ftruncate system call to extend a file size populates the additional space in the file with unallocated data from the underlying disk device, rather than zero bytes.

Impact:

A user with write access to files on a msdosfs file system may be able to read unintended data (for example, from a previously deleted file).

CVE-2023-5368 SA-23:12.msdosfs 2023-10-03 2023-10-04
mediawiki -- multiple vulnerabilities mediawiki135 1.35.13 mediawiki139 1.39.5 mediawiki140 1.40.1

Mediawikwi reports:

(T264765, CVE-2023-PENDING) SECURITY: Users without correct permission are incorrectly shown MediaWiki:Missing-revision-permission.

(T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for self-redirects with variants conversion.

(T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.

(T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.

(T340221, CVE-2023-PENDING) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.

(T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.

(T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non-standard configuration).

CVE-2023-3550 https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/BRWOWACCHMYRIS7JRTT6XD44X3362MVL/ 2023-09-01 2023-10-02
Remote Code Execution via web-accessible composer php80-composer 1.10.27 2.0.02.6.4 php81-composer 1.10.27 2.0.02.6.4 php82-composer 1.10.27 2.0.02.6.4 php83-composer 1.10.27 2.0.02.6.4 php80-composer2 2.6.4 php81-composer2 2.6.4 php82-composer2 2.6.4 php83-composer2 2.6.4

Composer project reports:

Description: Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has register_argc_argv enabled in php.ini.

Workaround: Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.

CVE-2023-43655 https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf 2023-09-29 2023-09-29 2023-09-30
chromium -- multiple vulnerabilities chromium 117.0.5938.132 ungoogled-chromium 117.0.5938.132 qt6-webengine 6.6.1

Chrome Releases reports:

This update includes 10 security fixes:

  • [1486441] High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-09-25
  • [1478889] High CVE-2023-5186: Use after free in Passwords. Reported by [pwn2car] on 2023-09-05
  • [1475798] High CVE-2023-5187: Use after free in Extensions. Reported by Thomas Orlita on 2023-08-25
CVE-2023-5217 CVE-2023-5186 CVE-2023-5187 https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html 2023-09-27 2023-09-29
electron{22,24,25} -- Heap buffer overflow in vp8 encoding in libvpx electron22 22.3.25 electron24 24.8.5 electron25 25.8.4 libvpx 1.13.1

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2023-5217.
CVE-2023-5217 https://github.com/advisories/GHSA-qqvq-6xgj-jw8g 2023-09-28 2023-09-29 2023-09-30
Gitlab -- vulnerabilities gitlab-ce 16.4.016.4.1 16.3.016.3.5 8.1516.2.8

Attacker can add other projects policy bot as member to their own project and use that bot to trigger pipelines in victims project

Group import allows impersonation of users in CI pipelines

Developers can bypass code owners approval by changing a MR's base branch

Leaking source code of restricted project through a fork

Third party library Consul requires enable-script-checks to be False to enable patch

Service account not deleted when namespace is deleted allowing access to internal projects

Enforce SSO settings bypassed for public projects for Members without identity

Removed project member can write to protected branches

Unauthorised association of CI jobs for Machine Learning experiments

Force pipelines to not have access to protected variables and will likely fail using tags

Maintainer can create a fork relationship between existing projects

Disclosure of masked CI variables via processing CI/CD configuration of forks

Asset Proxy Bypass using non-ASCII character in asset URI

Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches

Removed Developer can continue editing the source code of a public project

A project reporter can leak owner's Sentry instance projects

Math rendering in markdown can escape container and hijack clicks

CVE-2023-5207 CVE-2023-5207 CVE-2023-4379 CVE-2023-3413 CVE-2023-3914 CVE-2023-3115 CVE-2023-5198 CVE-2023-4532 CVE-2023-3917 CVE-2023-3920 CVE-2023-0989 CVE-2023-3906 CVE-2023-4658 CVE-2023-3979 CVE-2023-2233 CVE-2023-3922 https://about.gitlab.com/releases/2023/09/28/security-release-gitlab-16-4-1-released/ 2023-09-28 2023-09-29
xrdp -- unchecked access to font glyph info xrdp 0.9.23.1

xrdp team reports:

Access to the font glyphs in xrdp_painter.c is not bounds-checked. Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On non-Debian platforms, xrdp tends to run as root. Potentially an out-of-bounds write can follow the out-of-bounds read. There is no denial-of-service impact, providing xrdp is running in forking mode. This issue has been addressed in release 0.9.23.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2023-42822 https://www.cve.org/CVERecord?id=CVE-2023-42822 https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw 2023-09-27 2023-09-27
xrdp -- Improper handling of session establishment errors allows bypassing OS-level session restrictions xrdp 0.9.23

xrdp team reports:

In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return non-zero (1) value on, e.g., PAM error which may result in session restrictions such as max concurrent sessions per user by PAM (ex ./etc/security/limits.conf) to be bypassed. Users (administrators) don't use restrictions by PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.

CVE-2023-40184 https://www.cve.org/CVERecord?id=CVE-2023-40184 https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq 2023-08-30 2023-09-27
routinator -- Possible path traversal when storing RRDP responses routinator 0.9.00.12.2

sep@nlnetlabs.nl reports:

NLnet Labs Routinator 0.9.0 up to and including 0.12.1 contains a possible path traversal vulnerability in the optional, off-by-default keep-rrdp-responses feature that allows users to store the content of responses received for RRDP requests. The location of these stored responses is constructed from the URL of the request. Due to insufficient sanitation of the URL, it is possible for an attacker to craft a URL that results in the response being stored outside of the directory specified for it.

CVE-2023-39916 https://nvd.nist.gov/vuln/detail/CVE-2023-39916 2023-09-13 2023-09-27
jenkins -- multiple vulnerabilities jenkins 2.424 jenkins-lts 2.414.2

Jenkins Security Advisory:

Description

(Medium) SECURITY-3261 / CVE-2023-43494

Builds can be filtered by values of sensitive build variables

(High) SECURITY-3245 / CVE-2023-43495

Stored XSS vulnerability

(High) SECURITY-3072 / CVE-2023-43496

Temporary plugin file created with insecure permissions

(Low) SECURITY-3073 / CVE-2023-43497 (Stapler), CVE-2023-43498 (MultipartFormDataParser)

Temporary uploaded file created with insecure permissions

CVE-2023-43494 CVE-2023-43495 CVE-2023-43496 CVE-2023-43497 https://www.jenkins.io/security/advisory/2023-09-20/ 2023-09-20 2023-09-25
Mailpit affected by vulnerability in included go markdown module mailpit 1.9.1

Mailpit author reports:

Update Go modules to address CVE-2023-42821 (go markdown module DoS).

CVE-2023-42821 2023-09-23 2023-09-23
graphics/webp heap buffer overflow webp 1.3.2

Google Chrome reports:

Heap buffer overflow in WebP ... allowed a remote attacker to perform an out of bounds memory write ...

CVE-2023-4863 https://nvd.nist.gov/vuln/detail/CVE-2023-4863 2023-09-12 2023-09-21
libwebp heap buffer overflow tor-browser 12.5.3

chrome-cve-admin@google.com reports:

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical) The Tor browser is based on Firefox and GeckoView and uses also libwep so it is affected by this bug.

CVE-2023-4863 https://nvd.nist.gov/vuln/detail/CVE-2023-4863 2023-09-12 2023-09-20
Gitlab -- vulnerability gitlab-ce 16.3.016.3.4 13.12.016.2.7

Gitlab reports:

Attacker can abuse scan execution policies to run pipelines as another user

CVE-2023-4998 https://about.gitlab.com/releases/2023/09/18/security-release-gitlab-16-3-4-released/ 2023-09-18 2023-09-19
routinator -- multiple vulnerabilities routinator 0.12.2

NLnet Labs report:

This release fixes two issues in Routinator that can be exploited remotely by rogue RPKI CAs and repositories. We therefore advise all users of Routinator to upgrade to this release at their earliest convenience.

The first issue, CVE-2022-39915, can lead to Routinator crashing when trying to decode certain illegal RPKI objects.

The second issue, CVE-2022-39916, only affects users that have the rrdp-keep-responses option enabled which allows storing all received RRDP responses on disk. Because the file name for these responses is derived from the URI and the path wasn't checked properly, a RRDP URI could be constructed that results in the response stored outside the directory, possibly overwriting existing files.

CVE-2022-39915 https://nlnetlabs.nl/downloads/routinator/CVE-2023-39915.txt CVE-2022-39916 https://nlnetlabs.nl/downloads/routinator/CVE-2023-39916.txt 2022-12-08 2023-09-16
curl -- HTTP headers eat all memory curl 8.3.0

selmelc on hackerone reports:

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

CVE-2023-38039 https://curl.se/docs/CVE-2023-38039.html HERE 2023-09-13 2023-09-13
Roundcube -- XSS vulnerability roundcube 1.6.3,1

The Roundcube webmail project reports:

cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages

https://roundcube.net/news/2023/09/15/security-update-1.6.3-released 2023-09-15 2023-09-16
electron{24,25} -- multiple vulnerabilities electron24 24.8.3 electron25 25.8.1

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-4763.
  • Security: backported fix for CVE-2023-4762.
  • Security: backported fix for CVE-2023-4761.
  • Security: backported fix for CVE-2023-4863.
CVE-2023-4763 https://github.com/advisories/GHSA-w5hv-g8p5-vwjr CVE-2023-4762 https://github.com/advisories/GHSA-3wjr-p76q-rg8q CVE-2023-4761 https://github.com/advisories/GHSA-8cgp-x4c5-vg9g CVE-2023-4863 https://github.com/advisories/GHSA-j7hp-h8jx-5ppr 2023-09-13 2023-09-13
electron22 -- multiple vulnerabilities electron22 22.3.24

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-4572.
  • Security: backported fix for CVE-2023-4762.
  • Security: backported fix for CVE-2023-4863.
CVE-2023-4572 https://github.com/advisories/GHSA-6994-5wq3-gpjv CVE-2023-4762 https://github.com/advisories/GHSA-3wjr-p76q-rg8q CVE-2023-4863 https://github.com/advisories/GHSA-j7hp-h8jx-5ppr 2023-09-13 2023-09-13
chromium -- multiple vulnerabilities chromium 117.0.5938.62 ungoogled-chromium 117.0.5938.62

Chrome Releases reports:

This update includes 16 security fixes:

  • [1479274] Critical CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Torontoʼs Munk School on 2023-09-06
  • [1430867] Medium CVE-2023-4900: Inappropriate implementation in Custom Tabs. Reported by Levit Nudi from Kenya on 2023-04-06
  • [1459281] Medium CVE-2023-4901: Inappropriate implementation in Prompts. Reported by Kang Ali on 2023-06-29
  • [1454515] Medium CVE-2023-4902: Inappropriate implementation in Input. Reported by Axel Chong on 2023-06-14
  • [1446709] Medium CVE-2023-4903: Inappropriate implementation in Custom Mobile Tabs. Reported by Ahmed ElMasry on 2023-05-18
  • [1453501] Medium CVE-2023-4904: Insufficient policy enforcement in Downloads. Reported by Tudor Enache @tudorhacks on 2023-06-09
  • [1441228] Medium CVE-2023-4905: Inappropriate implementation in Prompts. Reported by Hafiizh on 2023-04-29
  • [1449874] Low CVE-2023-4906: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2023-05-30
  • [1462104] Low CVE-2023-4907: Inappropriate implementation in Intents. Reported by Mohit Raj (shadow2639) on 2023-07-04
  • [1451543] Low CVE-2023-4908: Inappropriate implementation in Picture in Picture. Reported by Axel Chong on 2023-06-06
  • [1463293] Low CVE-2023-4909: Inappropriate implementation in Interstitials. Reported by Axel Chong on 2023-07-09
CVE-2023-4863 CVE-2023-4900 CVE-2023-4901 CVE-2023-4902 CVE-2023-4903 CVE-2023-4904 CVE-2023-4905 CVE-2023-4906 CVE-2023-4907 CVE-2023-4908 CVE-2023-4909 https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html 2023-09-12 2023-09-13
vscode -- VS Code Remote Code Execution Vulnerability vscode 1.82.1

VSCode developers report:

Visual Studio Code Remote Code Execution Vulnerability

A remote code execution vulnerability exists in VS Code 1.82.0 and earlier versions that working in a maliciously crafted package.json can result in executing commands locally. This scenario would require the attacker to get the VS Code user to open the malicious project and have get the user to open and work with malformed entries in the dependencies sections of the package.json file.

VS Code uses the locally installed npm command to fetch information on package dependencies. A package dependency can be named in such a way that the npm tool runs a script instead.

CVE-2023-36742 https://nvd.nist.gov/vuln/detail/CVE-2023-36742 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742 2023-09-12 2023-09-13
zeek -- potential DoS vulnerabilities zeek 6.0.1

Tim Wojtulewicz of Corelight reports:

File extraction limits were not correctly enforced for files containing large amounts of missing bytes.

Sessions are sometimes not cleaned up completely within Zeek during shutdown, potentially causing a crash when using the -B dpd flag for debug logging.

A specially-crafted HTTP packet can cause Zeek's filename extraction code to take a long time to process the data.

A specially-crafted series of FTP packets made up of a CWD request followed by a large amount of ERPT requests may cause Zeek to spend a long time logging the commands.

A specially-crafted VLAN packet can cause Zeek to overflow memory and potentially crash.

https://github.com/zeek/zeek/releases/tag/v6.0.1 2023-09-12 2023-09-12
gitea -- block user account creation from blocked email domains gitea 1.20.3

The Gitea team reports:

check blocklist for emails when adding them to account

https://blog.gitea.com/release-of-1.20.4 https://github.com/go-gitea/gitea/releases/tag/v1.20.4 2023-08-30 2023-09-10
Python -- multiple vulnerabilities python38 3.8.18 python39 3.9.18 python310 3.10.13 python311 3.11.5

Python reports:

gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data.

CVE-2023-40217 https://pythoninsider.blogspot.com/2023/08/python-3115-31013-3918-and-3818-is-now.html 2023-08-22 2023-09-07
go -- multiple vulnerabilities go120 1.20.8 go121 1.21.1

The Go project reports:

cmd/go: go.mod toolchain directive allows arbitrary execution

The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

html/template: improper handling of HTML-like comments within script contexts

The html/template package did not properly handle HMTL-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.

html/template: improper handling of special tags within script contexts

The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script< contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.

crypto/tls: panic when processing post-handshake message on QUIC connections

Processing an incomplete post-handshake message for a QUIC connection caused a panic.

CVE-2023-39320 CVE-2023-39318 CVE-2023-39319 CVE-2023-39321 CVE-2023-39322 https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ?pli=1 2023-09-06 2023-09-07
FreeBSD -- Wi-Fi encryption bypass FreeBSD-kernel 13.213.2_3 12.412.4_5

Problem Description:

The net80211 subsystem would fallback to the multicast key for unicast traffic in the event the unicast key was removed. This would result in buffered unicast traffic being exposed to any stations with access to the multicast key.

Impact:

As described in the "Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues" paper, an attacker can induce an access point to buffer frames for a client, deauthenticate the client (causing the unicast key to be removed from the access point), and subsequent flushing of the buffered frames now encrypted with the multicast key. This would give the attacker access to the data.

CVE-2022-47522 SA-23:11.wifi 2023-09-06 2023-09-07
FreeBSD -- pf incorrectly handles multiple IPv6 fragment headers FreeBSD-kernel 13.213.2_3 12.412.4_5

Problem Description:

With a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is.

Impact:

IPv6 fragments may bypass firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host.

CVE-2023-4809 SA-23:10.pf 2023-09-06 2023-09-07
redis -- Possible bypassing ACL configuration redis 7.0.07.0.13 7.2.07.2.1 redis-devel 7.2.0.20230831 redis70 7.0.07.0.13

yangbodong22011 reports:

Redis does not correctly identify keys accessed by SORT_RO and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration.

CVE-2023-41053 https://github.com/redis/redis/security/advisories/GHSA-q4jr-5p56-4xwc 2023-09-06 2023-09-07
chromium -- multiple vulnerabilities chromium 116.0.5845.179 ungoogled-chromium 116.0.5845.179

Chrome Releases reports:

This update includes 4 security fixes:

  • [1476403] High CVE-2023-4761: Out of bounds memory access in FedCM. Reported by DarkNavy on 2023-08-28
  • [1473247] High CVE-2023-4762: Type Confusion in V8. Reported by Rong Jian of VRI on 2023-08-16
  • [1469928] High CVE-2023-4763: Use after free in Networks. Reported by anonymous on 2023-08-03
  • [1447237] High CVE-2023-4764: Incorrect security UI in BFCache. Reported by Irvan Kurniawan (sourc7) on 2023-05-20
CVE-2023-4761 CVE-2023-4762 CVE-2023-4763 CVE-2023-4764 https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop.html 2023-09-05 2023-09-06
Django -- multiple vulnerabilities py38-django32 py39-django32 py310-django32 py311-django32 3.2.21 py38-django41 py39-django41 py310-django41 py311-django41 4.1.11 py38-django42 py39-django42 py310-django42 py311-django42 4.2.5

Django reports:

CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri().

CVE-2023-41164 https://www.djangoproject.com/weblog/2023/sep/04/security-releases/ 2023-09-01 2023-09-04
Gitlab -- Vulnerabilities gitlab-ce 16.3.016.3.1 16.2.016.2.5 4.1.016.1.5

Gitlab reports:

Privilege escalation of "external user" to internal access through group service account

Maintainer can leak sentry token by changing the configured URL (fix bypass)

Google Cloud Logging private key showed in plain text in GitLab UI leaking to other group owners

Information disclosure via project import endpoint

Developer can leak DAST scanners "Site Profile" request headers and auth password

Project forking outside current group

User is capable of creating Model experiment and updating existing run's status in public project

ReDoS in bulk import API

Pagination for Branches and Tags can be skipped leading to DoS

Internal Open Redirection Due to Improper handling of "../" characters

Subgroup Member With Reporter Role Can Edit Group Labels

Banned user can delete package registries

CVE-2023-3915 CVE-2023-4378 CVE-2023-3950 CVE-2023-4630 CVE-2022-4343 CVE-2023-4638 CVE-2023-4018 CVE-2023-3205 CVE-2023-4647 CVE-2023-1279 CVE-2023-0120 CVE-2023-1555 https://about.gitlab.com/releases/2023/08/31/security-release-gitlab-16-3-1-released/ 2023-08-31 2023-09-01
Borg (Backup) -- flaw in cryptographic authentication scheme in Borg allowed an attacker to fake archives and indirectly cause backup data loss. py37-borgbackup py38-borgbackup py39-borgbackup py310-borgbackup py311-borgbackup py312-borgbackup 1.2.5

Thomas Waldmann reports:

A flaw in the cryptographic authentication scheme in Borg allowed an attacker to fake archives and potentially indirectly cause backup data loss in the repository.

The attack requires an attacker to be able to

  • insert files (with no additional headers) into backups
  • gain write access to the repository

This vulnerability does not disclose plaintext to the attacker, nor does it affect the authenticity of existing archives. Creating plausible fake archives may be feasible for empty or small archives, but is unlikely for large archives.

CVE-2023-36811 https://github.com/borgbackup/borg/blob/1.2.5-cvedocs/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811 2023-06-13 2023-08-31
electron25 -- multiple vulnerabilities electron25 25.8.0

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-4427.
  • Security: backported fix for CVE-2023-4428.
  • Security: backported fix for CVE-2023-4429.
  • Security: backported fix for CVE-2023-4430.
  • Security: backported fix for CVE-2023-4572.
CVE-2023-4427 https://github.com/advisories/GHSA-qqwc-fhxf-4mf3 CVE-2023-4428 https://github.com/advisories/GHSA-m56x-9vph-h345 CVE-2023-4429 https://github.com/advisories/GHSA-r43m-48vw-xgp3 CVE-2023-4430 https://github.com/advisories/GHSA-h295-rcc5-87jh CVE-2023-4572 https://github.com/advisories/GHSA-6994-5wq3-gpjv 2023-08-30 2023-08-31
electron24 -- multiple vulnerabilities electron24 24.8.2

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-4427.
  • Security: backported fix for CVE-2023-4428.
  • Security: backported fix for CVE-2023-4430.
  • Security: backported fix for CVE-2023-4572.
CVE-2023-4427 https://github.com/advisories/GHSA-qqwc-fhxf-4mf3 CVE-2023-4428 https://github.com/advisories/GHSA-m56x-9vph-h345 CVE-2023-4430 https://github.com/advisories/GHSA-h295-rcc5-87jh CVE-2023-4572 https://github.com/advisories/GHSA-6994-5wq3-gpjv 2023-08-30 2023-08-31
electron22 -- multiple vulnerabilities electron22 22.3.23

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-4427.
  • Security: backported fix for CVE-2023-4428.
CVE-2023-4427 https://github.com/advisories/GHSA-qqwc-fhxf-4mf3 CVE-2023-4428 https://github.com/advisories/GHSA-m56x-9vph-h345 2023-08-30 2023-08-31
py-WsgiDAV -- XSS vulnerability py37-WsgiDAV py38-WsgiDAV py39-WsgiDAV py310-WsgiDAV py311-WsgiDAV 4.1.0

Implementations using this library with directory browsing enabled may be susceptible to Cross Site Scripting (XSS) attacks.

CVE-2022-41905 https://osv.dev/vulnerability/GHSA-xx6g-jj35-pxjv 2022-11-11 2023-08-31
py-wagtail -- stored XSS vulnerability py37-wagtail py38-wagtail py39-wagtail py310-wagtail py311-wagtail 4.1.4 4.2.04.2.2

A stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface.

A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled.

For page, the vulnerability is in the "Choose a parent page" ModelAdmin view, available when managing pages via ModelAdmin.

For documents, the vulnerability is in the ModelAdmin Inspect view when displaying document fields.

CVE-2023-28836 https://osv.dev/vulnerability/GHSA-5286-f2rf-35c2 2023-04-03 2023-08-31
py-wagtail -- DoS vulnerability py37-wagtail py38-wagtail py39-wagtail py310-wagtail py311-wagtail 4.2.04.2.2

A memory exhaustion bug exists in Wagtail's handling of uploaded images and documents.

For both images and documents, files are loaded into memory during upload for additional processing.

A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

It can only be exploited by admin users with permission to upload images or documents.

Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code.

CVE-2023-28837 https://osv.dev/vulnerability/GHSA-33pv-vcgh-jfg9 2023-04-03 2023-08-31
py-treq -- sensitive information leak vulnerability py37-treq py38-treq py39-treq py310-treq py311-treq 22.1.0

Treq's request methods (`treq.get`, `treq.post`, `HTTPClient.request`, `HTTPClient.get`, etc.) accept cookies as a dictionary.

Such cookies are not bound to a single domain, and are therefore sent to *every* domain ("supercookies").

This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`.

CVE-2022-23607 https://osv.dev/vulnerability/GHSA-fhpf-pp6p-55qc 2022-02-01 2023-08-31
py-Scrapy -- DoS vulnerability py37-Scrapy py38-Scrapy py39-Scrapy py310-Scrapy py311-Scrapy 2.8.0

kmike and nramirezuy report:

Scrapy 1.4 allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

CVE-2017-14158 https://osv.dev/vulnerability/PYSEC-2017-83 https://osv.dev/vulnerability/GHSA-h7wm-ph43-c39p 2017-09-05 2023-08-31
py-Scrapy -- exposure of sensitive information vulnerability py37-Scrapy py38-Scrapy py39-Scrapy py310-Scrapy py311-Scrapy 2.6.1

ranjit-git reports:

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.

CVE-2022-0577 https://osv.dev/vulnerability/PYSEC-2022-159 https://osv.dev/vulnerability/GHSA-cjvr-mfj7-j4j8 2022-03-02 2023-08-31
py-Scrapy -- cookie injection vulnerability py37-Scrapy py38-Scrapy py39-Scrapy py310-Scrapy py311-Scrapy 1.8.2 2.0.02.6.0

Responses from domain names whose public domain name suffix contains 1 or more periods (e.g. responses from `example.co.uk`, given its public domain name suffix is `co.uk`) are able to set cookies that are included in requests to any other domain sharing the same domain name suffix.

https://osv.dev/vulnerability/GHSA-mfjm-vh54-3f96 2022-03-01 2023-08-31
py-Scrapy -- credentials leak vulnerability py37-Scrapy py38-Scrapy py39-Scrapy py310-Scrapy py311-Scrapy 1.8.3 2.0.02.6.2

When the built-in HTTP proxy downloader middleware processes a request with `proxy` metadata, and that `proxy` metadata includes proxy credentials, the built-in HTTP proxy downloader middleware sets the `Proxy-Authentication` header, but only if that header is not already set.

There are third-party proxy-rotation downloader middlewares that set different `proxy` metadata every time they process a request.

Because of request retries and redirects, the same request can be processed by downloader middlewares more than once, including both the built-in HTTP proxy downloader middleware and any third-party proxy-rotation downloader middleware.

These third-party proxy-rotation downloader middlewares could change the `proxy` metadata of a request to a new value, but fail to remove the `Proxy-Authentication` header from the previous value of the `proxy` metadata, causing the credentials of one proxy to be leaked to a different proxy.

If you rotate proxies from different proxy providers, and any of those proxies requires credentials, you are affected, unless you are handling proxy rotation as described under **Workarounds** below.

If you use a third-party downloader middleware for proxy rotation, the same applies to that downloader middleware, and installing a patched version of Scrapy may not be enough;

patching that downloader middlware may be necessary as well.

https://osv.dev/vulnerability/GHSA-9x8m-2xpf-crp3 2022-07-29 2023-08-31
py-httpx -- input validation vulnerability py37-httpx013 py38-httpx013 py39-httpx013 py310-httpx013 py311-httpx013 0.20.0

lebr0nli reports:

Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`.

CVE-2021-41945 https://osv.dev/vulnerability/PYSEC-2022-183 https://osv.dev/vulnerability/GHSA-h8pj-cxx2-jfg2 2022-04-28 2023-08-31
py-httpie -- exposure of sensitive information vulnerabilities py37-httpie py38-httpie py39-httpie py310-httpie py311-httpie 3.1.0

Glyph reports:

HTTPie is a command-line HTTP client.

HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage.

Before 3.1.0, HTTPie didn't distinguish between cookies and hosts they belonged.

This behavior resulted in the exposure of some cookies when there are redirects originating from the actual host to a third party website.

Users are advised to upgrade.

There are no known workarounds.

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository httpie/httpie prior to 3.1.0.

CVE-2022-24737 https://osv.dev/vulnerability/PYSEC-2022-34 https://osv.dev/vulnerability/GHSA-9w4w-cpc8-h2fq CVE-2022-0430 https://osv.dev/vulnerability/PYSEC-2022-167 https://osv.dev/vulnerability/GHSA-6pc9-xqrg-wfqw 2022-03-07 2023-08-31
py-flask-security -- user redirect to arbitrary URL vulnerability py37-flask-security py38-flask-security py39-flask-security py310-flask-security py311-flask-security 3.0.0_1

Snyk reports:

This affects all versions of package Flask-Security.

When using the `get_post_logout_redirect` and `get_post_login_redirect` functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as `\\\evil.com/path`.

This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using `'autocorrect_location_header=False`.

**Note:** Flask-Security is not maintained anymore.

CVE-2021-23385 https://osv.dev/vulnerability/GHSA-cg8c-gc2j-2wf7 2022-08-02 2023-08-31
py-Flask-Cors -- directory traversal vulnerability py37-Flask-Cors py38-Flask-Cors py39-Flask-Cors py310-Flask-Cors py311-Flask-Cors 3.0.9

praetorian-colby-morgan reports:

An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9.

It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.

CVE-2020-25032 https://osv.dev/vulnerability/PYSEC-2020-43 https://osv.dev/vulnerability/GHSA-xc3p-ff3m-f46v 2020-08-31 2023-08-31
py-flask-caching -- remote code execution or local privilege escalation vulnerabilities py37-flask-caching py38-flask-caching py39-flask-caching py310-flask-caching py311-flask-caching 2.0.2

subnix reports:

The Flask-Caching extension through 2.0.2 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation.

If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code.

CVE-2021-33026 https://osv.dev/vulnerability/PYSEC-2021-13 https://osv.dev/vulnerability/GHSA-656c-6cxf-hvcv 2021-05-13 2023-08-31
py-django-photologue -- XSS vulnerability py37-django-photologue py38-django-photologue py39-django-photologue py310-django-photologue py311-django-photologue 3.15_1

domiee13 reports:

A vulnerability was found in django-photologue up to 3.15.1 and classified as problematic.

Affected by this issue is some unknown functionality of the file photologue/templates/photologue/photo_detail.html of the component Default Template Handler.

The manipulation of the argument object.caption leads to cross site scripting.

The attack may be launched remotely.

Upgrading to version 3.16 is able to address this issue.

The name of the patch is 960cb060ce5e2964e6d716ff787c72fc18a371e7.

It is recommended to apply a patch to fix this issue.

VDB-215906 is the identifier assigned to this vulnerability.

CVE-2022-4526 https://osv.dev/vulnerability/GHSA-287q-jfcp-9vhv 2022-12-15 2023-08-31
py-pygments -- multiple DoS vulnerabilities py37-pygments py38-pygments py39-pygments py310-pygments py311-pygments 2.7.4 py37-pygments-25 py38-pygments-25 py39-pygments-25 py310-pygments-25 py311-pygments-25 2.7.4

Red Hat reports:

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

Ben Caller reports:

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions.

Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS.

By crafting malicious input, an attacker can cause a denial of service.

CVE-2021-20270 https://osv.dev/vulnerability/PYSEC-2021-140 https://osv.dev/vulnerability/GHSA-9w8r-397f-prfh CVE-2021-27291 https://osv.dev/vulnerability/PYSEC-2021-141 https://osv.dev/vulnerability/GHSA-pq64-v7f5-gqh8 2021-03-17 2023-08-31
py-markdown2 -- regular expression denial of service vulnerability py37-markdown2 py38-markdown2 py39-markdown2 py310-markdown2 py311-markdown2 2.4.0

Ben Caller reports:

markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability.

If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.

CVE-2021-26813 https://osv.dev/vulnerability/PYSEC-2021-20 https://osv.dev/vulnerability/GHSA-jr9p-r423-9m2r 2021-03-03 2023-08-31
py-markdown2 -- XSS vulnerability py37-markdown2 py38-markdown2 py39-markdown2 py310-markdown2 py311-markdown2 2.3.9

TheGrandPew reports:

python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds.

For example, an attack might use elementname@ or elementname- with an onclick attribute.

CVE-2020-11888 https://osv.dev/vulnerability/PYSEC-2020-65 https://osv.dev/vulnerability/GHSA-fv3h-8x5j-pvgq 2020-04-20 2023-08-31
py-dparse -- REDoS vulnerability py37-dparse py38-dparse py39-dparse py310-dparse py311-dparse 0.5.2

yeisonvargasf reports:

dparse is a parser for Python dependency files.

dparse in versions before 0.5.2 contain a regular expression that is vulnerable to a Regular Expression Denial of Service.

All the users parsing index server URLs with dparse are impacted by this vulnerability.

Users unable to upgrade should avoid passing index server URLs in the source file to be parsed.

CVE-2022-39280 https://osv.dev/vulnerability/PYSEC-2022-301 https://osv.dev/vulnerability/GHSA-8fg9-p83m-x5pq 2022-10-06 2023-08-31
FreeBSD -- Network authentication attack via pam_krb5 FreeBSD 13.213.2_2 13.113.1_9 12.412.4_4

Problem Description:

The problem detailed in FreeBSD-SA-23:04.pam_krb5 persisted following the patch for that advisory.

Impact:

The impact described in FreeBSD-SA-23:04.pam_krb5 persists.

CVE-2023-3326 SA-23:09.pam_krb5 2023-08-01 2023-08-31
FreeBSD -- Potential remote code execution via ssh-agent forwarding FreeBSD 13.213.2_2 13.113.1_9 12.412.4_4

Problem Description:

The server may cause ssh-agent to load shared libraries other than those required for PKCS#11 support. These shared libraries may have side effects that occur on load and unload (dlopen and dlclose).

Impact:

An attacker with access to a server that accepts a forwarded ssh-agent connection may be able to execute code on the machine running ssh-agent. Note that the attack relies on properties of operating system-provided libraries. This has been demonstrated on other operating systems; it is unknown whether this attack is possible using the libraries provided by a FreeBSD installation.

CVE-2023-38408 SA-23:08.ssh 2023-08-01 2023-08-31
FreeBSD -- bhyve privileged guest escape via fwctl FreeBSD 13.213.2_2 13.113.1_9

Problem Description:

The fwctl driver implements a state machine which is executed when the guest accesses certain x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process' memory. A bug in the state machine implementation can result in a buffer overflowing when copying this string.

Impact:

A malicious, privileged software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.

CVE-2023-3494 SA-23:07.bhyve 2023-08-01 2023-08-31
FreeBSD -- Remote denial of service in IPv6 fragment reassembly FreeBSD-kernel 13.213.2_2 13.113.1_9 12.412.4_4

Problem Description:

Each fragment of an IPv6 packet contains a fragment header which specifies the offset of the fragment relative to the original packet, and each fragment specifies its length in the IPv6 header. When reassembling the packet, the kernel calculates the complete IPv6 payload length. The payload length must fit into a 16-bit field in the IPv6 header.

Due to a bug in the kernel, a set of carefully crafted packets can trigger an integer overflow in the calculation of the reassembled packet's payload length field.

Impact:

Once an IPv6 packet has been reassembled, the kernel continues processing its contents. It does so assuming that the fragmentation layer has validated all fields of the constructed IPv6 header. This bug violates such assumptions and can be exploited to trigger a remote kernel panic, resulting in a denial of service.

CVE-2023-3107 SA-23:06.ipv6 2023-08-01 2023-08-31
FreeBSD -- ssh-add does not honor per-hop destination constraints FreeBSD 12.412.4_3

Problem Description:

When using ssh-add(1) to add smartcard keys to ssh-agent(1) with per-hop destination constraints, a logic error prevented the constraints from being sent to the agent resulting in keys being added to the agent without constraints.

Impact:

A malicious server could leverage the keys provided by a forwarded agent that would normally not be allowed due to the logic error.

CVE-2023-28531 SA-23:05.openssh 2023-06-21 2023-08-31
FreeBSD -- Network authentication attack via pam_krb5 FreeBSD 13.213.2_1 13.113.1_8 12.412.4_3

Problem Description:

pam_krb5 authenticates the user by essentially running kinit(1) with the password, getting a `ticket-granting ticket' (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to verify the password.

Normally, the system running the pam_krb5 module will also have a keytab, a key provisioned by the KDC. The pam_krb5 module will use the tgt to get a service ticket and validate it against the keytab, ensuring the tgt is valid and therefore, the password is valid.

However, if a keytab is not provisioned on the system, pam_krb5 has no way to validate the response from the KDC, and essentially trusts the tgt provided over the network as being valid.

Impact:

In a non-default FreeBSD installation that leverages pam_krb5 for authentication and does not have a keytab provisioned, an attacker that is able to control both the password and the KDC responses can return a valid tgt, allowing authentication to occur for any user on the system.

CVE-2023-3326 SA-23:04.pam_krb5 2023-06-21 2023-08-31
FreeBSD -- Multiple vulnerabilities in OpenSSL FreeBSD 13.113.1_7 12.412.4_2 12.312.3_12

Problem Description:

X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

Timing Oracle in RSA Decryption (CVE-2022-4304)

A timing based side channel exists in the OpenSSL RSA Decryption implementation.

Use-after-free following BIO_new_NDEF (CVE-2023-0215)

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO.

Double free after calling PEM_read_bio_ex (CVE-2022-4450)

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed.

Impact:

X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)

When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Timing Oracle in RSA Decryption (CVE-2022-4304)

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.

Use-after-free following BIO_new_NDEF (CVE-2023-0215)

A use-after-free will occur under certain conditions. This will most likely result in a crash.

Double free after calling PEM_read_bio_ex (CVE-2022-4450)

A double free may occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.

CVE-2023-0286 CVE-2023-0215 CVE-2022-4450 CVE-2022-4304 SA-23:03.openssl 2023-02-16 2023-08-31
FreeBSD -- OpenSSH pre-authentication double free FreeBSD 12.412.4_2

Problem Description:

A flaw in the backwards-compatibility key exchange route allows a pointer to be freed twice.

Impact:

A remote, unauthenticated attacker may be able to cause a denial of service, or possibly remote code execution.

Note that FreeBSD 12.3 and FreeBSD 13.1 include older versions of OpenSSH, and are not affected. FreeBSD 13.2-BETA1 and later include the fix.

CVE-2023-25136 SA-23:02.openssh 2023-02-16 2023-08-31
FreeBSD -- GELI silently omits the keyfile if read from stdin FreeBSD-kernel 13.113.1_6 12.412.4_1 12.312.3_11

Problem Description:

When GELI reads a key file from a standard input, it doesn't store it anywhere. If the user tries to initialize multiple providers at once, for the second and subsequent devices the standard input stream will be already empty. In this case, GELI silently uses a NULL key as the user key file. If the user used only a key file without a user passphrase, the master key was encrypted with an empty key file. This might not be noticed if the devices were also decrypted in a batch operation.

Impact:

Some GELI providers might be silently encrypted with a NULL key file.

CVE-2023-0751 SA-23:01.geli 2023-02-08 2023-08-31
FreeBSD -- Stack overflow in ping(8) FreeBSD 13.113.1_5 12.312.3_10

Problem Description:

ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a "quoted packet," which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header.

The pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.

Impact:

The memory safety bugs described above can be triggered by a remote host, causing the ping program to crash.

The ping process runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrained in how it can interact with the rest of the system at the point where the bug can occur.

CVE-2022-23093 SA-22:15.ping 2022-11-29 2023-08-31
FreeBSD -- Multiple vulnerabilities in Heimdal FreeBSD 13.113.1_4 12.312.3_9

Problem Description:

Multiple security vulnerabilities have been discovered in the Heimdal implementation of the Kerberos 5 network authentication protocols and KDC.

Impact:

A malicious actor with control of the network between a client and a service using Kerberos for authentication can impersonate either the client or the service, enabling a man-in-the-middle (MITM) attack circumventing mutual authentication.

Note that, while CVE-2022-44640 is a severe vulnerability, possibly enabling remote code execution on other platforms, the version of Heimdal included with the FreeBSD base system cannot be exploited in this way on FreeBSD.

CVE-2019-14870 CVE-2021-44758 CVE-2022-3437 CVE-2022-42898 CVE-2022-44640 SA-22:14.heimdal 2022-11-15 2023-08-31
chromium -- use after free in MediaStream chromium 116.0.5845.140 ungoogled-chromium 116.0.5845.140

Chrome Releases reports:

This update includes 1 security fix:

  • [1472492] High CVE-2023-4572: Use after free in MediaStream. Reported by fwnfwn(@_fwnfwn) on 2023-08-12
CVE-2023-4472 https://chromereleases.googleblog.com/2023/08/stable-channel-update-for-desktop_29.html 2023-08-29 2023-08-30
gitea -- information disclosure gitea 1.20.3

The Gitea team reports:

Fix API leaking Usermail if not logged in

The API should only return the real Mail of a User, if the caller is logged in. The check do to this don't work. This PR fixes this. This not really a security issue, but can lead to Spam.

https://blog.gitea.com/release-of-1.20.3 https://github.com/go-gitea/gitea/releases/tag/v1.20.3 2023-06-06 2023-08-27
chromium -- multiple vulnerabilities chromium 116.0.5845.110 ungoogled-chromium 116.0.5845.110

Chrome Releases reports:

This update includes 5 security fixes:

  • [1469542] High CVE-2023-4430: Use after free in Vulkan. Reported by Cassidy Kim(@cassidy6564) on 2023-08-02
  • [1469754] High CVE-2023-4429: Use after free in Loader. Reported by Anonymous on 2023-08-03
  • [1470477] High CVE-2023-4428: Out of bounds memory access in CSS. Reported by Francisco Alonso (@revskills) on 2023-08-06
  • [1470668] High CVE-2023-4427: Out of bounds memory access in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-08-07
  • [1469348] Medium CVE-2023-4431: Out of bounds memory access in Fonts. Reported by Microsoft Security Researcher on 2023-08-01
CVE-2023-4430 CVE-2023-4429 CVE-2023-4428 CVE-2023-4427 CVE-2023-4431 https://chromereleases.googleblog.com/2023/08/chrome-desktop-stable-update.html 2023-08-22 2023-08-24
electron25 -- multiple vulnerabilities electron25 25.7.0

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-4071.
  • Security: backported fix for CVE-2023-4070.
  • Security: backported fix for CVE-2023-4075.
  • Security: backported fix for CVE-2023-4076.
  • Security: backported fix for CVE-2023-4074.
  • Security: backported fix for CVE-2023-4072.
  • Security: backported fix for CVE-2023-4068.
  • Security: backported fix for CVE-2023-4073.
  • Security: backported fix for CVE-2023-4355.
  • Security: backported fix for CVE-2023-4354.
  • Security: backported fix for CVE-2023-4353.
  • Security: backported fix for CVE-2023-4351.
CVE-2023-4071 https://github.com/advisories/GHSA-qc3g-vp59-7vwh CVE-2023-4070 https://github.com/advisories/GHSA-9xxv-mx64-rx27 CVE-2023-4075 https://github.com/advisories/GHSA-7332-j628-x48x CVE-2023-4076 https://github.com/advisories/GHSA-7rfc-cwhj-x2qv CVE-2023-4074 https://github.com/advisories/GHSA-6j3m-7hm6-qjrx CVE-2023-4072 https://github.com/advisories/GHSA-9j4r-qr47-rcxp CVE-2023-4068 https://github.com/advisories/GHSA-wh89-h5f7-hhcr CVE-2023-4073 https://github.com/advisories/GHSA-g9wf-6ppg-937x CVE-2023-4355 https://github.com/advisories/GHSA-xrw8-8992-37w4 CVE-2023-4354 https://github.com/advisories/GHSA-rq4v-7hxq-wpm5 CVE-2023-4353 https://github.com/advisories/GHSA-mjq9-8vf6-qh49 CVE-2023-4351 https://github.com/advisories/GHSA-mh2g-52mr-mr5v 2023-08-23 2023-08-24
electron{22,24} -- multiple vulnerabilities electron22 22.3.22 electron24 24.8.1

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-4355.
  • Security: backported fix for CVE-2023-4354.
  • Security: backported fix for CVE-2023-4353.
  • Security: backported fix for CVE-2023-4352.
  • Security: backported fix for CVE-2023-4351.
CVE-2023-4355 https://github.com/advisories/GHSA-xrw8-8992-37w4 CVE-2023-4354 https://github.com/advisories/GHSA-rq4v-7hxq-wpm5 CVE-2023-4353 https://github.com/advisories/GHSA-mjq9-8vf6-qh49 CVE-2023-4352 https://github.com/advisories/GHSA-vp8r-986v-6qj4 CVE-2023-4351 https://github.com/advisories/GHSA-mh2g-52mr-mr5v 2023-08-23 2023-08-24
phpmyfaq -- multiple vulnerabilities phpmyfaq-php80 phpmyfaq-php81 phpmyfaq-php82 phpmyfaq-php83 3.1.16

phpmyfaq developers report:

Cross Site Scripting vulnerability

CSV injection vulnerability

https://huntr.dev/bounties/e891dcbc-2092-49d3-9518-23e37187a5ea/ https://huntr.dev/bounties/36149a42-cbd5-445e-a371-e351c899b189/ 2023-07-16 2023-08-23
chromium -- multiple vulnerabilities chromium 116.0.5845.96 ungoogled-chromium 116.0.5845.96

Chrome Releases reports:

This update includes 26 security fixes:

  • [1448548] High CVE-2023-2312: Use after free in Offline. Reported by avaue at S.S.L. on 2023-05-24
  • [1458303] High CVE-2023-4349: Use after free in Device Trust Connectors. Reported by Weipeng Jiang (@Krace) of VRI on 2023-06-27
  • [1454817] High CVE-2023-4350: Inappropriate implementation in Fullscreen. Reported by Khiem Tran (@duckhiem) on 2023-06-14
  • [1465833] High CVE-2023-4351: Use after free in Network. Reported by Guang and Weipeng Jiang of VRI on 2023-07-18
  • [1452076] High CVE-2023-4352: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-06-07
  • [1458046] High CVE-2023-4353: Heap buffer overflow in ANGLE. Reported by Christoph Diehl / Microsoft Vulnerability Research on 2023-06-27
  • [1464215] High CVE-2023-4354: Heap buffer overflow in Skia. Reported by Mark Brand of Google Project Zero on 2023-07-12
  • [1468943] High CVE-2023-4355: Out of bounds memory access in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-07-31
  • [1449929] Medium CVE-2023-4356: Use after free in Audio. Reported by Zhenghang Xiao (@Kipreyyy) on 2023-05-30
  • [1458911] Medium CVE-2023-4357: Insufficient validation of untrusted input in XML. Reported by Igor Sak-Sakovskii on 2023-06-28
  • [1466415] Medium CVE-2023-4358: Use after free in DNS. Reported by Weipeng Jiang (@Krace) of VRI on 2023-07-20
  • [1443722] Medium CVE-2023-4359: Inappropriate implementation in App Launcher. Reported by @retsew0x01 on 2023-05-09
  • [1462723] Medium CVE-2023-4360: Inappropriate implementation in Color. Reported by Axel Chong on 2023-07-07
  • [1465230] Medium CVE-2023-4361: Inappropriate implementation in Autofill. Reported by Thomas Orlita on 2023-07-17
  • [1316379] Medium CVE-2023-4362: Heap buffer overflow in Mojom IDL. Reported by Zhao Hai of NanJing Cyberpeace TianYu Lab on 2022-04-14
  • [1367085] Medium CVE-2023-4363: Inappropriate implementation in WebShare. Reported by Alesandro Ortiz on 2022-09-23
  • [1406922] Medium CVE-2023-4364: Inappropriate implementation in Permission Prompts. Reported by Jasper Rebane on 2023-01-13
  • [1431043] Medium CVE-2023-4365: Inappropriate implementation in Fullscreen. Reported by Hafiizh on 2023-04-06
  • [1450784] Medium CVE-2023-4366: Use after free in Extensions. Reported by asnine on 2023-06-02
  • [1467743] Medium CVE-2023-4367: Insufficient policy enforcement in Extensions API. Reported by Axel Chong on 2023-07-26
  • [1467751] Medium CVE-2023-4368: Insufficient policy enforcement in Extensions API. Reported by Axel Chong on 2023-07-26
CVE-2023-2312 CVE-2023-4349 CVE-2023-4350 CVE-2023-4351 CVE-2023-4352 CVE-2023-4353 CVE-2023-4354 CVE-2023-4355 CVE-2023-4356 CVE-2023-4357 CVE-2023-4358 CVE-2023-4359 CVE-2023-4360 CVE-2023-4361 CVE-2023-4362 CVE-2023-4363 CVE-2023-4364 CVE-2023-4365 CVE-2023-4366 CVE-2023-4367 CVE-2023-4368 https://chromereleases.googleblog.com/2023/08/stable-channel-update-for-desktop_15.html 2023-08-15 2023-08-17
MySQL -- Multiple vulnerabilities mysql-connector-c++ 8.0.33 mysql-client57 5.7.43 mysql-server57 5.7.43 mysql-client80 8.0.34 mysql-server80 8.0.34

Oracle reports:

This Critical Patch Update contains 24 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

CVE-2022-4899 CVE-2023-0361 CVE-2022-4899 CVE-2022-4899 CVE-2023-22053 CVE-2023-22008 CVE-2023-22046 CVE-2023-22054 CVE-2023-22056 CVE-2023-21950 CVE-2023-22007 CVE-2023-22057 CVE-2023-22033 CVE-2023-22058 CVE-2023-22005 CVE-2023-22048 CVE-2023-22038 https://www.oracle.com/security-alerts/cpujul2023.html#AppendixMSQL 2023-07-18 2023-08-17
clamav -- Possible denial of service vulnerability in the AutoIt file parser clamav-lts 1.0.2,1

The ClamAV project reports:

There is a possible denial of service vulnerability in the AutoIt file parser.

CVE-2023-20212 https://blog.clamav.net/2023/07/2023-08-16-releases.html 2023-08-15 2023-08-16
clamav -- Possible denial of service vulnerability in the HFS+ file parser clamav 1.1.1,1 clamav-lts 1.0.2,1

Steve Smith reports:

There is a possible denial of service vulnerability in the HFS+ file parser.

CVE-2023-20197 https://blog.clamav.net/2023/07/2023-08-16-releases.html 2023-08-15 2023-08-16
krb5 -- Double-free in KDC TGS processing krb5 1.21.1_1 krb5-121 1.21.1_1 krb5-devel 1.22.2023.08.07

SO-AND-SO reports:

When issuing a ticket for a TGS renew or validate request, copy only the server field from the outer part of the header ticket to the new ticket. Copying the whole structure causes the enc_part pointer to be aliased to the header ticket until krb5_encrypt_tkt_part() is called, resulting in a double-free if handle_authdata() fails..

CVE-2023-39975 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39975 2023-08-07 2023-08-14
typo3 -- multiple vulnerabilities typo3-11-php80 typo3-11-php81 11.5.30 typo3-12-php80 typo3-12-php81 12.4.4

TYPO3 reports:

TYPO3-CORE-SA-2023-002: By-passing Cross-Site Scripting Protection in HTML Sanitizer

TYPO3-CORE-SA-2023-003: Information Disclosure due to Out-of-scope Site Resolution

TYPO3-CORE-SA-2023-004: Cross-Site Scripting in CKEditor4 WordCount Plugin

CVE-2023-38500 CVE-2023-38499 CVE-2023-37905 https://typo3.org/article/typo3-1244-and-11530-security-releases-published 2023-07-25 2023-08-14
postgresql-server -- MERGE fails to enforce UPDATE or SELECT row security policies postgresql-server 15.4

PostgreSQL Project reports

PostgreSQL 15 introduced the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some row that INSERT policies do not forbid, a user could store such rows. Subsequent consequences are application-dependent. This affects only databases that have used CREATE POLICY to define a row security policy.

CVE-2023-39418 https://www.postgresql.org/support/security/CVE-2023-39418/ 2023-08-10 2023-08-10
postgresql-server -- Extension script @substitutions@ within quoting allow SQL injection postgresql-server 11.21 12.16 13.12 14.9 15.4

PostgreSQL Project reports

An extension script is vulnerable if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). No bundled extension is vulnerable. Vulnerable uses do appear in a documentation example and in non-bundled extensions. Hence, the attack prerequisite is an administrator having installed files of a vulnerable, trusted, non-bundled extension. Subject to that prerequisite, this enables an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. PostgreSQL will block this attack in the core server, so there's no need to modify individual extensions.

CVE-2023-39417 https://www.postgresql.org/support/security/CVE-2023-39417/ 2023-08-10 2023-08-10
electron{22,23,24,25} -- multiple vulnerabilities electron22 22.3.20 electron23 23.3.12 electron24 24.7.0 electron25 25.4.0

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-3732.
  • Security: backported fix for CVE-2023-3728.
  • Security: backported fix for CVE-2023-3730.
CVE-2023-3732 https://github.com/advisories/GHSA-6f46-9vvr-v3j5 CVE-2023-3728 https://github.com/advisories/GHSA-fxgf-5cm8-2f8q CVE-2023-3730 https://github.com/advisories/GHSA-2gmm-4f9j-mw4p 2023-08-02 2023-08-07 2023-08-11
samba -- multiple vulnerabilities samba416 4.16.11 samba413 4.13.17_6

The Samba Team reports:

CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion DoS Vulnerability
When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where keys are character strings and values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the function dalloc_value_for_key(), which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed in pointer is not a valid talloc pointer. As RPC worker processes are shared among multiple client connections, a malicious client can crash the worker process affecting all other clients that are also served by this worker.
CVE-2022-2127: Out-Of-Bounds read in winbind AUTH_CRAP
When doing NTLM authentication, the client sends replies to cryptographic challenges back to the server. These replies have variable length. Winbind did not properly bounds-check the lan manager response length, which despite the lan manager version no longer being used is still part of the protocol. If the system is running Samba's ntlm_auth as authentication backend for services like Squid (or a very unusual configuration with FreeRADIUS), the vulnarebility is remotely exploitable. If not so configured, or to exploit this vulnerability locally, the user must have access to the privileged winbindd UNIX domain socket (a subdirectory with name 'winbindd_privileged' under "state directory", as set in the smb.conf). This access is normally only given so special system services like Squid or FreeRADIUS, use this feature.
CVE-2023-34968: Spotlight server-side Share Path Disclosure
As part of the Spotlight protocol, the initial request returns a path associated with the sharename targeted by the RPC request. Samba returns the real server-side share path at this point, as well as returning the absolute server-side path of results in search queries by clients. Known server side paths could be used to mount subsequent more serious security attacks or could disclose confidential information that is part of the path. To mitigate the issue, Samba will replace the real server-side path with a fake path constructed from the sharename.
CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop DoS Vulnerability
When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This bug only affects servers where Spotlight is explicitly enabled globally or on individual shares with "spotlight = yes".
CVE-2023-3347: SMB2 packet signing not enforced
SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. SMB2 packet signing is a mechanism that ensures the integrity and authenticity of data exchanged between a client and a server using the SMB2 protocol. It provides protection against certain types of attacks, such as man-in-the-middle attacks, where an attacker intercepts network traffic and modifies the SMB2 messages. Both client and server of an SMB2 connection can require that signing is being used. The server-side setting in Samba to configure signing to be required is "server signing = required". Note that on an Samba AD DCs this is also the default for all SMB2 connections. Unless the client requires signing which would result in signing being used on the SMB2 connection, sensitive data might have been modified by an attacker. Clients connecting to IPC$ on an AD DC will require signed connections being used, so the integrity of these connections was not affected.
CVE-2023-34967 CVE-2022-2127 CVE-2023-34968 CVE-2023-34966 CVE-2023-3347 https://www.samba.org/samba/security/CVE-2023-34967.html https://www.samba.org/samba/security/CVE-2022-2127.html https://www.samba.org/samba/security/CVE-2023-34968.html https://www.samba.org/samba/security/CVE-2023-34966.html https://www.samba.org/samba/security/CVE-2023-3347.html 2023-07-19 2023-08-05
chromium -- multiple vulnerabilities chromium 115.0.5790.170 ungoogled-chromium 115.0.5790.170

Chrome Releases reports:

This update includes 17 security fixes:

  • [1466183] High CVE-2023-4068: Type Confusion in V8. Reported by Jerry on 2023-07-20
  • [1465326] High CVE-2023-4069: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2023-07-17
  • [1462951] High CVE-2023-4070: Type Confusion in V8. Reported by Jerry on 2023-07-07
  • [1458819] High CVE-2023-4071: Heap buffer overflow in Visuals. Reported by Guang and Weipeng Jiang of VRI on 2023-06-28
  • [1464038] High CVE-2023-4072: Out of bounds read and write in WebGL. Reported by Apple Security Engineering and Architecture (SEAR) on 2023-07-12
  • [1456243] High CVE-2023-4073: Out of bounds memory access in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2023-06-20
  • [1464113] High CVE-2023-4074: Use after free in Blink Task Scheduling. Reported by Anonymous on 2023-07-12
  • [1457757] High CVE-2023-4075: Use after free in Cast. Reported by Cassidy Kim(@cassidy6564) on 2023-06-25
  • [1459124] High CVE-2023-4076: Use after free in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2023-06-29
  • [1451146] Medium CVE-2023-4077: Insufficient data validation in Extensions. Reported by Anonymous on 2023-06-04
  • [1461895] Medium CVE-2023-4078: Inappropriate implementation in Extensions. Reported by Anonymous on 2023-07-04
CVE-2023-4068 CVE-2023-4069 CVE-2023-4070 CVE-2023-4071 CVE-2023-4072 CVE-2023-4073 CVE-2023-4074 CVE-2023-4075 CVE-2023-4076 CVE-2023-4077 CVE-2023-4078 https://chromereleases.googleblog.com/2023/08/stable-channel-update-for-desktop.html 2023-08-02 2023-08-04
go -- multiple vulnerabilities go119 1.19.12 go120 1.20.7

The Go project reports:

crypto/tls: restrict RSA keys in certificates to <= 8192 bits

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. Limit this by restricting the size of RSA keys transmitted during handshakes to <= 8192 bits.

net/http: insufficient sanitization of Host header

The HTTP/1 client did not fully validate the contents of the Host header. A maliciously crafted Host header could inject additional headers or entire requests. The HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

cmd/go: cgo code injection

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo.

runtime: unexpected behavior of setuid/setgid binaries

The Go runtime didn't act any differently when a binary had the setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was executed with standard I/O file descriptors closed, opening any files could result in unexpected content being read/written with elevated prilieges. Similarly if a setuid/setgid program was terminated, either via panic or signal, it could leak the contents of its registers.

cmd/go: improper sanitization of LDFLAGS

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive.

html/template: improper sanitization of CSS values

Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HMTL, if executed with untrusted input.

html/template: improper handling of JavaScript whitespace

Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

html/template: improper handling of empty HTML attributes

Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.

CVE-2023-29406 CVE-2023-29402 CVE-2023-29403 CVE-2023-29404 CVE-2023-24539 CVE-2023-24540 CVE-2023-29400 https://groups.google.com/u/1/g/golang-announce/c/X0b6CsSAaYI https://groups.google.com/u/1/g/golang-announce/c/2q13H6LEEx0 https://groups.google.com/u/1/g/golang-announce/c/q5135a9d924 https://groups.google.com/u/1/g/golang-announce/c/MEb0UyuSMsU 2023-04-27 2023-08-02
Gitlab -- Vulnerabilities gitlab-ce 16.2.016.2.2 16.1.016.1.3 9.3.016.0.8

Gitlab reports:

ReDoS via ProjectReferenceFilter in any Markdown fields

ReDoS via AutolinkFilter in any Markdown fields

Regex DoS in Harbor Registry search

Arbitrary read of files owned by the "git" user via malicious tar.gz file upload using GitLab export functionality

Stored XSS in Web IDE Beta via crafted URL

securityPolicyProjectAssign mutation does not authorize security policy project ID

An attacker can run pipeline jobs as arbitrary user

Possible Pages Unique Domain Overwrite

Access tokens may have been logged when a query was made to an endpoint

Reflected XSS via PlantUML diagram

The main branch of a repository with a specially designed name may allow an attacker to create repositories with malicious code

Invalid 'start_sha' value on merge requests page may lead to Denial of Service

Developers can create pipeline schedules on protected branches even if they don't have access to merge

Potential DOS due to lack of pagination while loading license data

Leaking emails of newly created users

CVE-2023-3994 CVE-2023-3364 CVE-2023-0632 CVE-2023-3385 CVE-2023-2164 CVE-2023-4002 CVE-2023-4008 CVE-2023-3993 CVE-2023-3500 CVE-2023-3401 CVE-2023-3900 CVE-2023-2022 CVE-2023-4011 CVE-2023-1210 https://about.gitlab.com/releases/2023/08/01/security-release-gitlab-16-2-2-released/ 2023-08-01 2023-08-02
OpenSSL -- Excessive time spent checking DH q parameter value openssl 1.1.1u_1,1 openssl30 3.0.9_2 openssl31 3.1.1_2

The OpenSSL project reports:

Checking excessively long DH keys or parameters may be very slow (severity: Low).

CVE-2023-3817 https://www.openssl.org/news/secadv/20230731.txt 2023-07-31 2023-07-31
jenkins -- Stored XSS vulnerability jenkins 2.416 jenkins-lts 2.401.3

Jenkins Security Advisory:

Description

(High) SECURITY-3188 / CVE-2023-39151

Stored XSS vulnerability

CVE-2023-39151 https://www.jenkins.io/security/advisory/2023-07-26/ 2023-07-26 2023-07-26
gitea -- Disallow dangerous URL schemes gitea 1.20.1

The Gitea team reports:

Disallow javascript, vbscript and data (data uri images still work) url schemes even if all other schemes are allowed

https://blog.gitea.com/release-of-1.20.1 https://github.com/go-gitea/gitea/releases/tag/v1.20.1 2023-06-18 2023-07-23
OpenSSH -- remote code execution via a forwarded agent socket openssh-portable openssh-portable-hpn openssh-portable-gssapi 9.3.p2,1

OpenSSH project reports:

Fix CVE-2023-38408 - a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team.

CVE-2023-38408 https://www.openssh.com/txt/release-9.3p2 2023-07-19 2023-07-21
chromium -- multiple vulnerabilities chromium 115.0.5790.98 ungoogled-chromium 115.0.5790.98

Chrome Releases reports:

This update includes 20 security fixes:

  • [1454086] High CVE-2023-3727: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-06-12
  • [1457421] High CVE-2023-3728: Use after free in WebRTC. Reported by Zhenghang Xiao (@Kipreyyy) on 2023-06-23
  • [1453465] High CVE-2023-3730: Use after free in Tab Groups. Reported by @ginggilBesel on 2023-06-09
  • [1450899] High CVE-2023-3732: Out of bounds memory access in Mojo. Reported by Mark Brand of Google Project Zero on 2023-06-02
  • [1450203] Medium CVE-2023-3733: Inappropriate implementation in WebApp Installs. Reported by Ahmed ElMasry on 2023-05-31
  • [1450376] Medium CVE-2023-3734: Inappropriate implementation in Picture In Picture. Reported by Thomas Orlita on 2023-06-01
  • [1394410] Medium CVE-2023-3735: Inappropriate implementation in Web API Permission Prompts. Reported by Ahmed ElMasry on 2022-11-29
  • [1434438] Medium CVE-2023-3736: Inappropriate implementation in Custom Tabs. Reported by Philipp Beer (TU Wien) on 2023-04-19
  • [1446754] Medium CVE-2023-3737: Inappropriate implementation in Notifications. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2023-05-19
  • [1434330] Medium CVE-2023-3738: Inappropriate implementation in Autofill. Reported by Hafiizh on 2023-04-18
  • [1405223] Low CVE-2023-3740: Insufficient validation of untrusted input in Themes. Reported by Fardeen Siddiqui on 2023-01-06
CVE-2023-3727 CVE-2023-3728 CVE-2023-3730 CVE-2023-3732 CVE-2023-3733 CVE-2023-3734 CVE-2023-3735 CVE-2023-3736 CVE-2023-3737 CVE-2023-3738 CVE-2023-3740 https://chromereleases.googleblog.com/2023/07/stable-channel-update-for-desktop.html 2023-07-19 2023-07-20
virtualbox-ose -- multiple vulnerabilities virtualbox-ose 6.1.46

secalert_us@oracle.com reports:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.46 and Prior to 7.0.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.2 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H).

CVE-2023-22016 https://nvd.nist.gov/vuln/detail/CVE-2023-22016 2023-07-18 2023-07-19
virtualbox-ose -- multiple vulnerabilities virtualbox-ose 6.1.46

secalert_us@oracle.com reports:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.46 and Prior to 7.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2023-22017 https://nvd.nist.gov/vuln/detail/CVE-2023-22017 2023-07-18 2023-07-19
virtualbox-ose -- multiple vulnerabilities virtualbox-ose 6.1.46

secalert_us@oracle.com reports:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.46 and Prior to 7.0.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via RDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2023-22018 https://nvd.nist.gov/vuln/detail/CVE-2023-22018 2023-07-18 2023-07-19
element-web -- Cross site scripting in Export Chat feature element-web 1.11.36

Matrix Developers reports:

The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored XSS.

CVE-2023-37259 https://nvd.nist.gov/vuln/detail/CVE-2023-37259 2023-07-18 2023-07-18
gitea -- multiple issues gitea 1.20.0

The Gitea team reports:

Test if container blob is accessible before mounting.

Set type="password" on all auth_token fields

Seen when migrating from other hosting platforms.

Prevents exposing the token to screen capture/cameras/eyeballs.

Prevents the browser from saving the value in its autocomplete dictionary, which often is not secure.

https://blog.gitea.com/release-of-1.20.0 https://github.com/go-gitea/gitea/releases/tag/v1.20.0 2023-06-08 2023-07-05
OpenSSL -- AES-SIV implementation ignores empty associated data entries openssl30 3.0.9_1 openssl31 3.1.1_1

The OpenSSL project reports:

The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence.

CVE-2023-2975 https://www.openssl.org/news/secadv/20230714.txt 2023-07-14 2023-07-16
electron22 -- multiple vulnerabilities electron22 22.3.17

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-3422.
  • Security: backported fix for CVE-2023-3421.
  • Security: backported fix for CVE-2023-3420.
CVE-2023-3422 https://github.com/advisories/GHSA-gqjh-f545-vcx3 CVE-2023-3421 https://github.com/advisories/GHSA-943x-93ff-jr62 CVE-2023-3420 https://github.com/advisories/GHSA-4297-fx5c-x987 2023-07-12 2023-07-14
librecad -- out-of-bounds read in importshp plugin librecad 2.2.0.1

Albin Eldstål-Ahrens reports:

An out-of-bounds read on a heap buffer in the importshp plugin may allow an attacker to read sensitive data via a crafted DBF file.

CVE-2023-30259 https://github.com/LibreCAD/LibreCAD/issues/1481 2021-12-28 2023-07-10
redis -- heap overflow in COMMAND GETKEYS and ACL evaluation redis 7.0.12 redis-devel 7.0.12.20230710

Redis core team reports:

Extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Specifically: using COMMAND GETKEYS* and validation of key names in ACL rules.

CVE-2023-36824 https://groups.google.com/g/redis-db/c/JDjKS0GubsQ https://github.com/redis/redis/security/advisories/GHSA-4cfx-h9gq-xpx3 2023-07-10 2023-07-10
redis -- Heap overflow in the cjson and cmsgpack libraries redis 7.0.12 redis-devel 7.0.12.20230710 redis62 6.2.13 redis60 6.0.20

Redis core team reports:

A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution.

CVE-2022-24834 https://groups.google.com/g/redis-db/c/JDjKS0GubsQ 2023-07-10 2023-07-10
gitea -- avoid open HTTP redirects gitea 1.19.4

The Gitea team reports:

If redirect_to parameter has set value starting with \\example.com redirect will be created with header Location: /\\example.com that will redirect to example.com domain.

https://blog.gitea.io/2023/07/gitea-1.19.4-is-released/ https://github.com/go-gitea/gitea/releases/tag/v1.19.4 2023-06-08 2023-07-05
electron{23,24} -- multiple vulnerabilities electron23 23.3.10 electron24 24.6.2

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-3422.
  • Security: backported fix for CVE-2023-3421.
  • Security: backported fix for CVE-2023-3420.
CVE-2023-3422 https://github.com/advisories/GHSA-gqjh-f545-vcx3 CVE-2023-3421 https://github.com/advisories/GHSA-943x-93ff-jr62 CVE-2023-3420 https://github.com/advisories/GHSA-4297-fx5c-x987 2023-07-05 2023-07-06
Gitlab -- Vulnerabilities gitlab-ce 16.1.016.1.2 16.0.016.0.7 15.11.015.11.11

Gitlab reports:

A user can change the name and path of some public GitLab groups

CVE-2023-3484 https://about.gitlab.com/releases/2023/07/05/security-release-gitlab-16-1-2-released/ 2023-07-05 2023-07-05
phpldapadmin -- XSS vulnerability phpldapadmin-php80 phpldapadmin-php81 1.2.6.2

cve@mitre.org reports:

An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php.

CVE-2020-35132 https://nvd.nist.gov/vuln/detail/CVE-2020-35132 2020-12-11 2023-07-05
Django -- multiple vulnerabilities py38-django32 py39-django32 py310-django32 py311-django32 3.2.20 py38-django41 py39-django41 py310-django41 py311-django41 4.1.10 py38-django42 py39-django42 py310-django42 py311-django42 4.2.3

Django reports:

CVE-2023-36053: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator.

CVE-2023-36053 https://www.djangoproject.com/weblog/2023/jul/03/security-releases/ 2023-07-01 2023-07-03
mediawiki -- multiple vulnerabilities mediawiki135 1.35.11 mediawiki138 1.38.7 mediawiki139 1.39.4

Mediawiki reports:

(T335203, CVE-2023-29197) Upgrade guzzlehttp/psr7 to >= 1.9.1/2.4.5.

(T335612, CVE-2023-36674) Manualthumb bypasses badFile lookup.

(T332889, CVE-2023-36675) XSS in BlockLogFormatter due to unsafe message use.

CVE-2023-29197 CVE-2023-36674 CVE-2023-36675 https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/HVT3U3XYY35PSCIQPHMY4VQNF3Q6MHUO/ 2023-04-21 2023-07-01
Gitlab -- Vulnerabilities gitlab-ce 16.1.016.1.1 16.0.016.0.6 15.11.015.11.10 7.14.015.10.8

Gitlab reports:

ReDoS via EpicReferenceFilter in any Markdown fields

New commits to private projects visible in forks created while project was public

New commits to private projects visible in forks created while project was public

Maintainer can leak masked webhook secrets by manipulating URL masking

Information disclosure of project import errors

Sensitive information disclosure via value stream analytics controller

Bypassing Code Owners branch protection rule in GitLab

HTML injection in email address

Webhook token leaked in Sidekiq logs if log format is 'default'

Private email address of service desk issue creator disclosed via issues API

CVE-2023-3424 CVE-2023-2190 CVE-2023-3444 CVE-2023-2620 CVE-2023-3362 CVE-2023-3102 CVE-2023-2576 CVE-2023-2200 CVE-2023-3363 CVE-2023-1936 https://about.gitlab.com/releases/2023/06/29/security-release-gitlab-16-1-1-released/ 2023-06-29 2023-06-30
SoftEtherVPN -- multiple vulnerabilities softether 4.42.9798 softether-devel 4.42.9798

Daiyuu Nobori reports:

The SoftEther VPN project received a high level code review and technical assistance from Cisco Systems, Inc. of the United States from April to June 2023 to fix several vulnerabilities in the SoftEther VPN code.

The risk of exploitation of any of the fixed vulnerabilities is low under normal usage and environment, and actual attacks are very difficult. However, SoftEther VPN is now an open source VPN software used by 7.4 million unique users worldwide, and is used daily by many users to defend against the risk of blocking attacks by national censorship firewalls and attempts to eavesdrop on communications. Therefore, as long as the slightest attack possibility exists, there is great value in preventing vulnerabilities as much as possible in anticipation of the most sophisticated cyber attackers in the world, such as malicious ISPs and man-in-the-middle attackers on national Internet communication channels. These fixes are important and useful patches for users who use SoftEther VPN and the Internet for secure communications to prevent advanced attacks that can theoretically be triggered by malicious ISPs and man-in-the-middle attackers on national Internet communication pathways.

The fixed vulnerabilities are CVE-2023-27395, CVE-2023-22325, CVE-2023-32275, CVE-2023-27516, CVE-2023-32634, and CVE-2023-31192. All of these were discovered in an outstanding code review of SoftEther VPN by Cisco Systems, Inc.

  1. CVE-2023-27395: Heap overflow in SoftEther VPN DDNS client functionality at risk of crashing and theoretically arbitrary code execution caused by a malicious man-in-the-middle attacker such like ISP-level or on national Internet communication channels
  2. CVE-2023-22325: Integer overflow in the SoftEther VPN DDNS client functionality could result in crashing caused by a malicious man-in-the-middle attacker such like ISP-level or on national Internet communication channels
  3. CVE-2023-32275: Vulnerability that allows the administrator himself of a 32-bit version of VPN Client or VPN Server to see the 32-bit value heap address of each of trusted CA's certificates in the VPN process
  4. CVE-2023-27516: If the user forget to set the administrator password of SoftEther VPN Client and enable remote administration with blank password, the administrator password of VPN Client can be changed remotely or VPN client can be used remotely by anonymouse third person
  5. CVE-2023-32634: If an attacker succeeds in launching a TCP relay program on the same port as the VPN Client on a local computer running the SoftEther VPN Client before the VPN Client process is launched, the TCP relay program can conduct a man-in-the-middle attack on communication between the administrator and the VPN Client process
  6. CVE-2023-31192: When SoftEther VPN Client connects to an untrusted VPN Server, an invalid redirection response for the clustering (load balancing) feature causes 20 bytes of uninitialized stack space to be read
CVE-2023-27395 CVE-2023-22325 CVE-2023-32275 CVE-2023-27516 CVE-2023-32634 CVE-2023-31192 https://www.softether.org/9-about/News/904-SEVPN202301 2023-06-30 2023-06-30
OpenEXR -- heap buffer overflow in internal_huf_decompress openexr 3.1.9

oss-fuzz reports:

heap buffer overflow in internal_huf_decompress.

Cary Phillips reports:

v3.1.9 - Patch release that addresses [...] also OSS-fuzz 59382 Heap-buffer-overflow in internal_huf_decompress

Kimball Thurston reports:

Fix scenario where malformed dwa file could read past end of buffer - fixes OSS-Fuzz 59382

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59382 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.1.9 https://github.com/AcademySoftwareFoundation/openexr/commit/e431f7e189d0785bb84a5bfb83391e9e58590c49 https://github.com/AcademySoftwareFoundation/openexr/pull/1439 2023-05-28 2023-06-27
chromium -- multiple vulnerabilities chromium 114.0.5735.198 ungoogled-chromium 114.0.5735.198

Chrome Releases reports:

This update includes 4 security fixes:

  • [1452137] High CVE-2023-3420: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2023-06-07
  • [1447568] High CVE-2023-3421: Use after free in Media. Reported by Piotr Bania of Cisco Talos on 2023-05-22
  • [1450397] High CVE-2023-3422: Use after free in Guest View. Reported by asnine on 2023-06-01
CVE-2023-3420 CVE-2023-3421 CVE-2023-3422 https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop_26.html 2023-06-26 2023-06-27
Grafana -- Account takeover / authentication bypass grafana 6.7.08.5.27 9.0.09.2.20 9.3.09.3.16 9.4.09.4.13 9.5.09.5.5 10.0.010.0.1 grafana8 8.5.27 grafana9 9.2.20 9.3.09.3.16 9.4.09.4.13 9.5.09.5.5 grafana10 10.0.1

Grafana Labs reports:

Grafana validates Azure Active Directory accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants. This can enable a Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application.

The CVSS score for this vulnerability is 9.4 Critical.

CVE-2023-3128 https://grafana.com/security/security-advisories/cve-2023-3128 2023-06-22 2023-06-23
electron{23,24} -- multiple vulnerabilities electron23 23.3.8 electron24 24.6.0

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-3215.
  • Security: backported fix for CVE-2023-3216.
CVE-2023-3215 https://github.com/advisories/GHSA-5rw6-vf4w-p4j3 CVE-2023-3216 https://github.com/advisories/GHSA-f35r-mcw4-gg3w 2023-06-22 2023-06-22
electron22 -- multiple vulnerabilities electron22 22.3.14

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-3215.
  • Security: backported fix for CVE-2023-3216.
  • Security: backported fix for CVE-2023-0698.
  • Security: backported fix for CVE-2023-0932.
CVE-2023-3215 https://github.com/advisories/GHSA-5rw6-vf4w-p4j3 CVE-2023-3216 https://github.com/advisories/GHSA-f35r-mcw4-gg3w CVE-2023-0698 https://github.com/advisories/GHSA-q6xx-4pmr-m3m4 CVE-2023-0932 https://github.com/advisories/GHSA-hh2g-39pc-2575 2023-06-22 2023-06-22
libX11 -- Sub-object overflows libX11 1.8.6,1

The X.Org project reports:

  • Buffer overflows in InitExt.c in libX11 prior to 1.8.6 [CVE-2023-3138]

    The functions in src/InitExt.c in libX11 prior to 1.8.6 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. Instead they trusted that they were called with values provided by an Xserver that was adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do.

    As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself. Testing has found it is possible to at least cause the client to crash with this memory corruption.

https://lists.x.org/archives/xorg-announce/2023-June/003406.html CVE-2023-3138 2023-06-15 2023-06-16
electron24 -- multiple vulnerabilities electron24 24.5.1

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-3079.
  • Security: backported fix for CVE-2023-2933.
  • Security: backported fix for CVE-2023-2932.
  • Security: backported fix for CVE-2023-2931.
  • Security: backported fix for CVE-2023-2936.
  • Security: backported fix for CVE-2023-2935.
  • Security: backported fix for CVE-2023-2934.
  • Security: backported fix for CVE-2023-2930.
CVE-2023-3079 https://github.com/advisories/GHSA-8mwf-hvfp-6xfg CVE-2023-2933 https://github.com/advisories/GHSA-qrc7-3p69-2jpf CVE-2023-2932 https://github.com/advisories/GHSA-7g49-wq8x-r6rh CVE-2023-2931 https://github.com/advisories/GHSA-w3xh-m877-x3c2 CVE-2023-2936 https://github.com/advisories/GHSA-x723-3x32-qg44 CVE-2023-2935 https://github.com/advisories/GHSA-5ccq-3h49-vjp2 CVE-2023-2934 https://github.com/advisories/GHSA-mqff-qm67-cr66 CVE-2023-2930 https://github.com/advisories/GHSA-44xq-533g-gj79 2023-06-14 2023-06-16
electron23 -- multiple vulnerabilities electron23 23.3.7

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-2724.
  • Security: backported fix for CVE-2023-2725.
  • Security: backported fix for CVE-2023-2721.
  • Security: backported fix for CVE-2023-3079.
  • Security: backported fix for CVE-2023-2933.
  • Security: backported fix for CVE-2023-2932.
  • Security: backported fix for CVE-2023-2931.
  • Security: backported fix for CVE-2023-2936.
  • Security: backported fix for CVE-2023-2935.
  • Security: backported fix for CVE-2023-2934.
  • Security: backported fix for CVE-2023-2930.
CVE-2023-2724 https://github.com/advisories/GHSA-j5rv-3m5p-q6rc CVE-2023-2725 https://github.com/advisories/GHSA-c4fp-wmv9-q4cr CVE-2023-2721 https://github.com/advisories/GHSA-5cww-gpqh-ggqj CVE-2023-3079 https://github.com/advisories/GHSA-8mwf-hvfp-6xfg CVE-2023-2933 https://github.com/advisories/GHSA-qrc7-3p69-2jpf CVE-2023-2932 https://github.com/advisories/GHSA-7g49-wq8x-r6rh CVE-2023-2931 https://github.com/advisories/GHSA-w3xh-m877-x3c2 CVE-2023-2936 https://github.com/advisories/GHSA-x723-3x32-qg44 CVE-2023-2935 https://github.com/advisories/GHSA-5ccq-3h49-vjp2 CVE-2023-2934 https://github.com/advisories/GHSA-mqff-qm67-cr66 CVE-2023-2930 https://github.com/advisories/GHSA-44xq-533g-gj79 2023-06-14 2023-06-16
electron22 -- multiple vulnerabilities electron22 22.3.13

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-2724.
  • Security: backported fix for CVE-2023-2723.
  • Security: backported fix for CVE-2023-2725.
  • Security: backported fix for CVE-2023-2721.
  • Security: backported fix for CVE-2023-3079.
  • Security: backported fix for CVE-2023-2933.
  • Security: backported fix for CVE-2023-2932.
  • Security: backported fix for CVE-2023-2931.
  • Security: backported fix for CVE-2023-2936.
  • Security: backported fix for CVE-2023-2935.
  • Security: backported fix for CVE-2023-2930.
CVE-2023-2724 https://github.com/advisories/GHSA-j5rv-3m5p-q6rc CVE-2023-2723 https://github.com/advisories/GHSA-7797-6fvm-v8xw CVE-2023-2725 https://github.com/advisories/GHSA-c4fp-wmv9-q4cr CVE-2023-2721 https://github.com/advisories/GHSA-5cww-gpqh-ggqj CVE-2023-3079 https://github.com/advisories/GHSA-8mwf-hvfp-6xfg CVE-2023-2933 https://github.com/advisories/GHSA-qrc7-3p69-2jpf CVE-2023-2932 https://github.com/advisories/GHSA-7g49-wq8x-r6rh CVE-2023-2931 https://github.com/advisories/GHSA-w3xh-m877-x3c2 CVE-2023-2936 https://github.com/advisories/GHSA-x723-3x32-qg44 CVE-2023-2935 https://github.com/advisories/GHSA-5ccq-3h49-vjp2 CVE-2023-2930 https://github.com/advisories/GHSA-44xq-533g-gj79 2023-06-14 2023-06-16
jenkins -- CSRF protection bypass vulnerability jenkins 2.400 jenkins-lts 2.401.1

Jenkins Security Advisory:

Description

(High) SECURITY-3135 / CVE-2023-35141

CSRF protection bypass vulnerability

CVE-2023-35141 https://www.jenkins.io/security/advisory/2023-06-14/ 2023-06-14 2023-06-14
vscode -- VS Code Information Disclosure Vulnerability vscode 1.79.1

VSCode developers reports:

VS Code Information Disclosure Vulnerability

A information disclosure vulnerability exists in VS Code 1.79.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. An authorised attacker must send the user a malicious file and convince the user to open it for the vulnerability to occur. Exploiting this vulnerability could allow the disclosure of NTLM hashes.

CVE-2023-33144 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33144 2023-06-13 2023-06-13
chromium -- multiple vulnerabilities chromium 114.0.5735.133 ungoogled-chromium 114.0.5735.133

Chrome Releases reports:

This update includes 5 security fixes:

  • [1450568] Critical CVE-2023-3214: Use after free in Autofill payments. Reported by Rong Jian of VRI on 2023-06-01
  • [1446274] High CVE-2023-3215: Use after free in WebRTC. Reported by asnine on 2023-05-17
  • [1450114] High CVE-2023-3216: Type Confusion in V8. Reported by 5n1p3r0010 from Topsec ChiXiao Lab on 2023-05-31
  • [1450601] High CVE-2023-3217: Use after free in WebXR. Reported by Sergei Glazunov of Google Project Zero on 2023-06-01
CVE-2023-3214 CVE-2023-3215 CVE-2023-3216 CVE-2023-3217 https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop_13.html 2023-06-13 2023-06-13
xmltooling -- remote resource access xmltooling 3.2.4

Shibboleth consortium reports:

An updated version of the XMLTooling library that is part of the OpenSAML and Shibboleth Service Provider software is now available which corrects a server-side request forgery (SSRF) vulnerability.

Including certain legal but "malicious in intent" content in the KeyInfo element defined by the XML Signature standard will result in attempts by the SP's shibd process to dereference untrusted URLs.

While the content of the URL must be supplied within the message and does not include any SP internal state or dynamic content, there is at minimum a risk of denial of service, and the attack could be combined with others to create more serious vulnerabilities in the future.

https://shibboleth.net/community/advisories/secadv_20230612.txt 2023-06-12 2023-06-12
acme.sh -- closes potential remote vuln acme.sh 3.0.6

Neil Pang reports:

HiCA was injecting arbitrary code/commands into the certificate obtaining process and acme.sh is running them on the client machine.

https://github.com/acmesh-official/acme.sh/issues/4665 2023-06-08 2023-06-09
Python -- multiple vulnerabilities python37 3.7.17 python38 3.8.17 python39 3.9.17 python310 3.10.12 python311 3.11.4

Python reports:

gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).

gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329.

gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified.

gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler.

gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with shell=True.

gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().

gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features than may be surprising or dangerous, such as creating files outside the destination directory.

gh-102126: Fixed a deadlock at shutdown when clearing thread states if any finalizer tries to acquire the runtime head lock.

gh-100892: Fixed a crash due to a race while iterating over thread states in clearing threading.local.

CVE-2022-4303 CVE-2023-2650 CVE-2023-0286 CVE-2023-0464 CVE-2023-0465 CVE-2023-0466 CVE-2023-24329 https://pythoninsider.blogspot.com/2023/06/python-3114-31012-3917-3817-3717-and.html 2022-06-08 2023-06-08
Grafana -- Broken access control: viewer can send test alerts grafana 8.0.08.5.26 9.0.09.2.19 9.3.09.3.15 9.4.09.4.12 9.5.09.5.3 grafana8 8.0.08.5.26 grafana9 9.2.19 9.3.09.3.15 9.4.09.4.12 9.5.09.5.3

Grafana Labs reports:

Grafana can allow an attacker in the Viewer role to send alerts by API Alert - Test. This option, however, is not available in the user panel UI for the Viewer role.

The CVSS score for this vulnerability is 4.1 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N).

CVE-2023-2183 https://grafana.com/security/security-advisories/cve-2023-2183/ 2023-06-06 2023-06-07
Grafana -- Grafana DS proxy race condition grafana 9.4.09.4.12 9.5.09.5.3 grafana9 9.4.09.4.12 9.5.09.5.3

Grafana Labs reports:

We have discovered a vulnerability with Grafana’s data source query endpoints that could end up crashing a Grafana instance.

If you have public dashboards (PD) enabled, we are scoring this as a CVSS 7.5 High.

If you have disabled PD, this vulnerability is still a risk, but triggering the issue requires data source read privileges and access to the Grafana API through a developer script.

CVE-2023-2801 CVE-2023-2801 2023-06-06 2023-06-07
chromium -- multiple vulnerabilities chromium 114.0.5735.106 ungoogled-chromium 114.0.5735.106

Chrome Releases reports:

This update includes 2 security fixes:

  • [1450481] High CVE-2023-3079: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-06-01
CVE-2023-3079 https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop.html 2023-06-05 2023-06-07
Gitlab -- Vulnerability gitlab-ce 16.0.016.0.2 15.11.015.11.7 15.10.015.10.8 1.215.9.8

Gitlab reports:

Stored-XSS with CSP-bypass in Merge requests

ReDoS via FrontMatterFilter in any Markdown fields

ReDoS via InlineDiffFilter in any Markdown fields

ReDoS via DollarMathPostFilter in Markdown fields

DoS via malicious test report artifacts

Restricted IP addresses can clone repositories of public projects

Reflected XSS in Report Abuse Functionality

Privilege escalation from maintainer to owner by importing members from a project

Bypassing tags protection in GitLab

Denial of Service using multiple labels with arbitrarily large descriptions

Ability to use an unverified email for public and commit emails

Open Redirection Through HTTP Response Splitting

Disclosure of issue notes to an unauthorized user when exporting a project

Ambiguous branch name exploitation

CVE-2023-2442 CVE-2023-2199 CVE-2023-2198 CVE-2023-2132 CVE-2023-0121 CVE-2023-2589 CVE-2023-2015 CVE-2023-2485 CVE-2023-2001 CVE-2023-0921 CVE-2023-1204 CVE-2023-0508 CVE-2023-1825 CVE-2023-2013 https://about.gitlab.com/releases/2023/06/05/security-release-gitlab-16-0-2-released/ 2023-06-05 2023-06-07
qpress -- directory traversal qpress 11.3 xtrabackup8 8.0.32

cve@mitre.org reports:

qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file.

CVE-2022-45866 https://nvd.nist.gov/vuln/detail/CVE-2022-45866 2022-11-23 2023-06-06
Kanboard -- Multiple vulnerabilities php80-kanboard 1.2.30

Kanboard is project management software that focuses on the Kanban methodology. The last update includes 4 vulnerabilities:

security-advisories@github.com reports:

  • Missing access control in internal task links feature
  • Stored Cross site scripting in the Task External Link Functionality in Kanboard
  • Missing Access Control allows User to move and duplicate tasks in Kanboard
  • Parameter based Indirect Object Referencing leading to private file exposure in Kanboard
CVE-2023-33970 https://nvd.nist.gov/vuln/detail/CVE-2023-33970 CVE-2023-33969 https://nvd.nist.gov/vuln/detail/CVE-2023-33969 CVE-2023-33968 https://nvd.nist.gov/vuln/detail/CVE-2023-33968 CVE-2023-33956 https://nvd.nist.gov/vuln/detail/CVE-2023-33956 2023-06-05 2023-06-06
OpenSSL -- Possible DoS translating ASN.1 identifiers openssl 1.1.1u,1 openssl30 3.0.9 openssl31 3.1.1 openssl-quictls 3.0.9

The OpenSSL project reports:

Severity: Moderate. Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow.

CVE-2023-2650 https://www.openssl.org/news/secadv/20230530.txt 2023-05-30 2023-05-31
Kanboard -- Clipboard based cross-site scripting (blocked with default CSP) in Kanboard php80-kanboard 1.2.29

security-advisories@github.com reports:

Kanboard is project management software that focuses on the Kanban methodology. Due to improper handling of elements under the `contentEditable` element, maliciously crafted clipboard content can inject arbitrary HTML tags into the DOM. A low-privileged attacker with permission to attach a document on a vulnerable Kanboard instance can trick the victim into pasting malicious screenshot data and achieve cross-site scripting if CSP is improperly configured. This issue has been patched in version 1.2.29.

CVE-2023-32685 https://nvd.nist.gov/vuln/detail/CVE-2023-32685 2023-05-30 2023-05-30
chromium -- multiple vulnerabilities chromium 114.0.5735.90 ungoogled-chromium 114.0.5735.90

Chrome Releases reports:

This update includes 16 security fixes:

  • [1410191] High CVE-2023-2929: Out of bounds write in Swiftshader. Reported by Jaehun Jeong(@n3sk) of Theori on 2023-01-25
  • [1443401] High CVE-2023-2930: Use after free in Extensions. Reported by asnine on 2023-05-08
  • [1444238] High CVE-2023-2931: Use after free in PDF. Reported by Huyna at Viettel Cyber Security on 2023-05-10
  • [1444581] High CVE-2023-2932: Use after free in PDF. Reported by Huyna at Viettel Cyber Security on 2023-05-11
  • [1445426] High CVE-2023-2933: Use after free in PDF. Reported by Quang Nguyễn (@quangnh89) of Viettel Cyber Security and Nguyen Phuong on 2023-05-15
  • [1429720] High CVE-2023-2934: Out of bounds memory access in Mojo. Reported by Mark Brand of Google Project Zero on 2023-04-01
  • [1440695] High CVE-2023-2935: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-04-27
  • [1443452] High CVE-2023-2936: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-05-08
  • [1413813] Medium CVE-2023-2937: Inappropriate implementation in Picture In Picture. Reported by NDevTK on 2023-02-08
  • [1416350] Medium CVE-2023-2938: Inappropriate implementation in Picture In Picture. Reported by Alesandro Ortiz on 2023-02-15
  • [1427431] Medium CVE-2023-2939: Insufficient data validation in Installer. Reported by ycdxsb from VARAS@IIE on 2023-03-24
  • [1426807] Medium CVE-2023-2940: Inappropriate implementation in Downloads. Reported by Axel Chong on 2023-03-22
  • [1430269] Low CVE-2023-2941: Inappropriate implementation in Extensions API. Reported by Jasper Rebane on 2023-04-04
CVE-2023-2929 CVE-2023-2930 CVE-2023-2931 CVE-2023-2932 CVE-2023-2933 CVE-2023-2934 CVE-2023-2935 CVE-2023-2936 CVE-2023-2937 CVE-2023-2938 CVE-2023-2939 CVE-2023-2940 CVE-2023-2941 https://chromereleases.googleblog.com/2023/05/stable-channel-update-for-desktop_30.html 2023-05-30 2023-05-31
MariaDB -- Nullpointer dereference mariadb1011-server 10.11.3 mariadb106-server 10.6.13 mariadb105-server 10.5.20 mariadb104-server 10.4.29 mariadb103-server 10.3.39

The MariaDB project reports:

MariaDB Server is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.

CVE-2022-47015 https://mariadb.com/kb/en/security/ 2023-05-10 2023-05-28
phpmyfaq -- multiple vulnerabilities phpmyfaq 3.1.14

phpmyfaq developers report:

Multiple XSS vulnerabilities

https://huntr.dev/bounties/4d89c7cc-fb4c-4b64-9b67-f0189f70a620/ https://huntr.dev/bounties/8282d78e-f399-4bf4-8403-f39103a31e78/ 2023-05-17 2023-05-21
curl -- multiple vulnerabilities curl 8.1.0

Wei Chong Tan, Harry Sintonen, and Hiroki Kurosawa reports:

This update fixes 4 security vulnerabilities:

  • Medium CVE-2023-28319: UAF in SSH sha256 fingerprint check. Reported by Wei Chong Tan on 2023-03-21
  • Low CVE-2023-28320: siglongjmp race condition. Reported by Harry Sintonen on 2023-04-02
  • Low CVE-2023-28321: IDN wildcard match. Reported by Hiroki Kurosawa on 2023-04-17
  • Low CVE-2023-28322: more POST-after-PUT confusion. Reported by Hiroki Kurosawa on 2023-04-19
CVE-2023-28319 https://curl.se/docs/CVE-2023-28319.html CVE-2023-28320 https://curl.se/docs/CVE-2023-28320.html CVE-2023-28321 https://curl.se/docs/CVE-2023-28321.html CVE-2023-28322 https://curl.se/docs/CVE-2023-28322.html 2023-03-21 2023-05-19
zeek -- potential DoS vulnerabilities zeek 5.0.9

Tim Wojtulewicz of Corelight reports:

A specially-crafted series of FTP packets with a CMD command with a large path followed by a very large number of replies could cause Zeek to spend a long time processing the data.

A specially-crafted with a truncated header can cause Zeek to overflow memory and potentially crash.

A specially-crafted series of SMTP packets can cause Zeek to generate a very large number of events and take a long time to process them.

A specially-crafted series of POP3 packets containing MIME data can cause Zeek to spend a long time dealing with each individual file ID.

https://github.com/zeek/zeek/releases/tag/v5.0.9 2023-05-19 2023-05-19
electron -- vulnerability electron22 22.3.10 electron23 23.3.3

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2023-29469
CVE-2023-29469 https://github.com/advisories/GHSA-7jv7-hr35-fwjr 2023-05-17 2023-05-18
chromium -- multiple vulnerabilities chromium 113.0.5672.126 ungoogled-chromium 113.0.5672.126

Chrome Releases reports:

This update includes 12 security fixes:

  • [1444360] Critical CVE-2023-2721: Use after free in Navigation. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2023-05-10
  • [1400905] High CVE-2023-2722: Use after free in Autofill UI. Reported by Rong Jian of VRI on 2022-12-14
  • [1435166] High CVE-2023-2723: Use after free in DevTools. Reported by asnine on 2023-04-21
  • [1433211] High CVE-2023-2724: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-04-14
  • [1442516] High CVE-2023-2725: Use after free in Guest View. Reported by asnine on 2023-05-04
  • [1442018] Medium CVE-2023-2726: Inappropriate implementation in WebApp Installs. Reported by Ahmed ElMasry on 2023-05-03
CVE-2023-2721 CVE-2023-2722 CVE-2023-2723 CVE-2023-2724 CVE-2023-2725 CVE-2023-2726 https://chromereleases.googleblog.com/2023/05/stable-channel-update-for-desktop_16.html 2023-05-16 2023-05-17
Gitlab -- Vulnerability gitlab-ce 15.11.015.11.3 15.10.015.10.7 9.015.9.8

Gitlab reports:

Smuggling code changes via merge requests with refs/replace

CVE-2023-2181 https://about.gitlab.com/releases/2023/05/10/security-release-gitlab-15-11-3-released/ 2023-05-10 2023-05-13
piwigo -- SQL injection piwigo 13.7.0

Piwigo reports:

Piwigo is affected by multiple SQL injection issues.

https://www.piwigo.org/release-13.7.0 2023-03-01 2023-05-12
postgresql-server -- Row security policies disregard user ID changes after inlining postgresql-server 15.3 14.8 13.11 12.15 11.20

PostgreSQL Project reports

While CVE-2016-2193 fixed most interaction between row security and user ID changes, it missed a scenario involving function inlining. This leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.

CVE-2023-2455 https://www.postgresql.org/support/security/CVE-2023-2455/ 2023-05-11 2023-05-11
postgresql-server -- CREATE SCHEMA ... schema elements defeats protective search_path changes postgresql-server 15.3 14.8 13.11 12.15 11.20

PostgreSQL Project reports

This enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. Database owners have that right by default, and explicit grants may extend it to other users.

CVE-2023-2454 https://www.postgresql.org/support/security/CVE-2023-2454/ 2023-05-11 2023-05-11
vscode -- Visual Studio Code Information Disclosure Vulnerability vscode 1.78.1

secure@microsoft.com reports:

Visual Studio Code Information Disclosure Vulnerability

A information disclosure vulnerability exists in VS Code 1.78.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. An authorised attacker must send the user a malicious file and convince the user to open it for the vulnerability to occur. Exploiting this vulnerability could allow the disclosure of NTLM hashes.

CVE-2023-29338 https://nvd.nist.gov/vuln/detail/CVE-2023-29338 https://github.com/microsoft/vscode/security/advisories/GHSA-mmfh-4pv3-39hr 2023-05-09 2023-05-10
glpi -- multiple vulnerabilities glpi 10.0.7,1

glpi Project reports:

Multiple vulnerabilities found and fixed in this version:

  • High CVE-2023-28849: SQL injection and Stored XSS via inventory agent request.
  • High CVE-2023-28632: Account takeover by authenticated user.
  • High CVE-2023-28838: SQL injection through dynamic reports.
  • Moderate CVE-2023-28852: Stored XSS through dashboard administration.
  • Moderate CVE-2023-28636: Stored XSS on external links.
  • Moderate CVE-2023-28639: Reflected XSS in search pages.
  • Moderate CVE-2023-28634: Privilege Escalation from technician to super-admin.
  • Low CVE-2023-28633: Blind Server-Side Request Forgery (SSRF) in RSS feeds.
CVE-2023-28849 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28849 CVE-2023-28632 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28632 CVE-2023-28838 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28838 CVE-2023-28852 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28852 CVE-2023-28636 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28636 CVE-2023-28639 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28639 CVE-2023-28634 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28634 2023-03-20 2023-05-08 2024-04-25
redis -- HINCRBYFLOAT can be used to crash a redis-server process redis 7.0.11 redis62 6.2.12 redis6 6.0.19

Redis core team reports:

Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that may later crash Redis on access.

CVE-2023-28856 https://github.com/redis/redis/security/advisories/GHSA-hjv8-vjf6-wcr6 2023-04-17 2023-05-08
Gitlab -- Multiple Vulnerabilities gitlab-ce 15.11.015.11.2 15.10.015.10.6 9.015.9.7

Gitlab reports:

Malicious Runner Attachment via GraphQL

CVE-2023-2478 https://about.gitlab.com/releases/2023/05/05/critical-security-release-gitlab-15-11-2-released/ 2023-05-05 2023-05-06
Django -- multiple vulnerabilities py37-django32 py38-django32 py39-django32 py310-django32 py311-django32 3.2.19 py38-django41 py39-django41 py310-django41 py311-django41 4.1.9 py38-django42 py39-django42 py310-django42 py311-django42 4.2.1

Django reports:

CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field.

CVE-2023-31047 https://www.djangoproject.com/weblog/2023/may/03/security-releases/ 2023-05-01 2023-05-05
chromium -- multiple vulnerabilities chromium 113.0.5672.63 ungoogled-chromium 113.0.5672.63

Chrome Releases reports:

This update includes 15 security fixes:

  • [1423304] Medium CVE-2023-2459: Inappropriate implementation in Prompts. Reported by Rong Jian of VRI on 2023-03-10
  • [1419732] Medium CVE-2023-2460: Insufficient validation of untrusted input in Extensions. Reported by Martin Bajanik, Fingerprint[.]com on 2023-02-27
  • [1350561] Medium CVE-2023-2461: Use after free in OS Inputs. Reported by @ginggilBesel on 2022-08-06
  • [1375133] Medium CVE-2023-2462: Inappropriate implementation in Prompts. Reported by Alesandro Ortiz on 2022-10-17
  • [1406120] Medium CVE-2023-2463: Inappropriate implementation in Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on 2023-01-10
  • [1418549] Medium CVE-2023-2464: Inappropriate implementation in PictureInPicture. Reported by Thomas Orlita on 2023-02-23
  • [1399862] Medium CVE-2023-2465: Inappropriate implementation in CORS. Reported by @kunte_ctf on 2022-12-10
  • [1385714] Low CVE-2023-2466: Inappropriate implementation in Prompts. Reported by Jasper Rebane (popstonia) on 2022-11-17
  • [1413586] Low CVE-2023-2467: Inappropriate implementation in Prompts. Reported by Thomas Orlita on 2023-02-07
  • [1416380] Low CVE-2023-2468: Inappropriate implementation in PictureInPicture. Reported by Alesandro Ortiz on 2023-02-15
CVE-2023-2459 CVE-2023-2460 CVE-2023-2461 CVE-2023-2462 CVE-2023-2463 CVE-2023-2464 CVE-2023-2465 CVE-2023-2466 CVE-2023-2467 CVE-2023-2468 https://chromereleases.googleblog.com/2023/05/stable-channel-update-for-desktop.html 2023-05-03 2023-05-03
Gitlab -- Multiple Vulnerabilities gitlab-ce 15.11.015.11.1 15.10.015.10.5 9.015.9.6

Gitlab reports:

Privilege escalation for external users when OIDC is enabled under certain conditions

Account takeover through open redirect for Group SAML accounts

Users on banned IP addresses can still commit to projects

User with developer role (group) can modify Protected branches setting on imported project and leak group CI/CD variables

The Gitlab web interface does not guarantee file integrity when downloading source code or installation packages from a tag or from a release.

Banned group member continues to have access to the public projects of a public group with the access level as same as before the ban.

The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code.

XSS and content injection and iframe injection when viewing raw files on iOS devices

Authenticated users can find other users by their private email

CVE-2023-2182 CVE-2023-1965 CVE-2023-1621 CVE-2023-2069 CVE-2023-1178 CVE-2023-0805 CVE-2023-0756 CVE-2023-1836 CVE-2022-4376 https://about.gitlab.com/releases/2023/05/02/security-release-gitlab-15-11-1-released/ 2023-05-02 2023-05-02
cloud-init -- sensitive data exposure in cloud-init logs cloud-init 23.1.2 cloud-init-devel 23.1.2

security@ubuntu.com reports:

Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.

CVE-2023-1786 https://nvd.nist.gov/vuln/detail/CVE-2023-1786 2023-04-26 2023-04-29
h2o -- Malformed HTTP/1.1 causes Out-of-Memory Denial of Service h2o 2.2.6 h2o-devel 2.3.0.d.20230427

Elijah Glover reports:

Malformed HTTP/1.1 requests can crash worker processes. occasionally locking up child workers and causing denial of service, and an outage dropping any open connections.

CVE-2023-30847 https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx 2023-04-27 2023-04-30
git -- Multiple vulnerabilities git 2.40.1 git-lite 2.40.1 git-tiny 2.40.1

git developers reports:

This update includes 2 security fixes:

  • CVE-2023-25652: By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch)
  • CVE-2023-29007: A specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug that can be used to inject arbitrary configuration into user's git config. This can result in arbitrary execution of code, by inserting values for core.pager, core.editor and so on
CVE-2023-25652 https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx CVE-2023-29007 https://github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844 2023-04-25 2023-04-26
Grafana -- Critical vulnerability in golang grafana 8.5.24 9.0.09.2.17 9.3.09.3.13 9.4.09.4.9 grafana8 8.5.24 grafana9 9.2.17 9.3.09.3.13 9.4.09.4.9

Grafana Labs reports:

An issue in how go handles backticks (`) with Javascript can lead to an injection of arbitrary code into go templates. While Grafana Labs software contains potentially vulnerable versions of go, we have not identified any exploitable use cases at this time.

The CVSS score for this vulnerability is 0.0 (adjusted), 9.8 (base).

CVE-2023-24538 https://grafana.com/blog/2023/04/26/precautionary-patches-for-grafana-released-following-critical-go-vulnerability-cve-2023-24538/ 2023-04-19 2023-04-26
Grafana -- Exposure of sensitive information to an unauthorized actor grafana grafana9 9.1.09.2.17 9.3.09.3.13 9.4.09.4.9

Grafana Labs reports:

When setting up Grafana, there is an option to enable JWT authentication. Enabling this will allow users to authenticate towards the Grafana instance with a special header (default X-JWT-Assertion ).

In Grafana, there is an additional way to authenticate using JWT called URL login where the token is passed as a query parameter.

When using this option, a JWT token is passed to the data source as a header, which leads to exposure of sensitive information to an unauthorized party.

The CVSS score for this vulnerability is 4.2 Medium

CVE-2023-1387 https://grafana.com/security/security-advisories/cve-2023-1387/ 2023-04-26 2023-04-26
element-web -- matrix-react-sdk vulnerable to HTML injection in search results via plaintext message highlighting element-web 1.11.30

Matrix developers report:

matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible due to the hardcoded content security policy. Version 3.71.0 of the SDK patches over the issue. As a workaround, restarting the client will clear the HTML injection.

CVE-2023-30609 https://github.com/advisories/GHSA-xv83-x443-7rmw 2023-04-25 2023-04-26
jellyfin -- Multiple vulnerabilities jellyfin 10.8.10

security-advisories@github.com reports:

Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.

CVE-2023-30626 https://nvd.nist.gov/vuln/detail/CVE-2023-30626 CVE-2023-30627 https://nvd.nist.gov/vuln/detail/CVE-2023-30627 2023-04-24 2023-04-25
phpmyfaq -- multiple vulnerabilities phpmyfaq 3.1.13

phpmyfaq developers report:

XSS

email address manipulation

https://huntr.dev/bounties/20d3a0b3-2693-4bf1-b196-10741201a540/ https://huntr.dev/bounties/89005a6d-d019-4cb7-ae88-486d2d44190d/ https://huntr.dev/bounties/cee65b6d-b003-4e6a-9d14-89aa94bee43e/ https://huntr.dev/bounties/840c8d91-c97e-4116-a9f8-4ab1a38d239b/ 2023-04-23 2023-04-24
MySQL -- Multiple vulnerabilities mysql-connector-java 8.0.33 mysql-client57 5.7.42 mysql-server57 5.7.42 mysql-client80 8.0.33 mysql-server80 8.0.33

Oracle reports:

This Critical Patch Update contains 34 new security patches, plus additional third party patches noted below, for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

CVE-2022-37434 CVE-2023-21912 CVE-2023-21980 CVE-2023-21946 CVE-2023-21929 CVE-2023-21971 CVE-2023-21911 CVE-2023-21962 CVE-2023-21919 CVE-2023-21933 CVE-2023-21972 CVE-2023-21966 CVE-2023-21913 CVE-2023-21917 CVE-2023-21920 CVE-2023-21935 CVE-2023-21945 CVE-2023-21976 CVE-2023-21977 CVE-2023-21982 CVE-2023-21953 CVE-2023-21955 CVE-2023-21940 CVE-2023-21947 CVE-2023-21963 https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixMSQL 2023-04-19 2023-04-22 2023-04-22
chromium -- multiple vulnerabilities chromium 112.0.5615.165 ungoogled-chromium 112.0.5615.165

Chrome Releases reports:

This update includes 8 security fixes:

  • [1429197] High CVE-2023-2133: Out of bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30
  • [1429201] High CVE-2023-2134: Out of bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30
  • [1424337] High CVE-2023-2135: Use after free in DevTools. Reported by Cassidy Kim(@cassidy6564) on 2023-03-14
  • [1432603] High CVE-2023-2136: Integer overflow in Skia. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-04-12
  • [1430644] Medium CVE-2023-2137: Heap buffer overflow in sqlite. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2023-04-05
CVE-2023-2133 CVE-2023-2134 CVE-2023-2135 CVE-2023-2136 CVE-2023-2137 https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html 2023-04-20 2023-04-20
libxml2 -- multiple vulnerabilities libxml2 2.10.4

The libxml2 project reports:

Hashing of empty dict strings isn't deterministic

Fix null deref in xmlSchemaFixupComplexType

CVE-2023-28484 CVE-2023-29469 https://bugzilla.redhat.com/show_bug.cgi?id=2185984 https://bugzilla.redhat.com/show_bug.cgi?id=2185994 2023-04-11 2023-04-16
mod_gnutls -- Infinite Loop on request read timeout ap24-mod_gnutls 0.12.1

The mod_gnutls project reports:

Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Versions from 0.9.0 to 0.12.0 (including) did not properly fail blocking read operations on TLS connections when the transport hit timeouts. Instead it entered an endless loop retrying the read operation, consuming CPU resources. This could be exploited for denial of service attacks. If trace level logging was enabled, it would also produce an excessive amount of log output during the loop, consuming disk space.

CVE-2023-25824 https://nvd.nist.gov/vuln/detail/CVE-2023-25824 https://mod.gnutls.org/browser/mod_gnutls/CHANGELOG?rev=17b2836dc3e27754159ffb098323a4cd4426192f 2023-02-23 2023-04-15
chromium -- multiple vulnerabilities chromium 112.0.5615.121 ungoogled-chromium 112.0.5615.121

Chrome Releases reports:

This update includes 2 security fixes:

  • [1432210] High CVE-2023-2033: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-04-11
CVE-2023-2033 https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html 2023-04-14 2023-04-15
ghostscript -- exploitable buffer overflow in (T)BCP in PS interpreter ghostscript 10.01.1 ghostscript7-base10.01.1 ghostscript7-commfont10.01.1 ghostscript7-jpnfont10.01.1 ghostscript7-korfont10.01.1 ghostscript7-x1110.01.1 ghostscript8-base10.01.1 ghostscript8-x1110.01.1 ghostscript9-agpl-base9.56.1_10

cve@mitre.org reports:

In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.

CVE-2023-28879 https://nvd.nist.gov/vuln/detail/CVE-2023-28879 https://artifex.com/news/critical-security-vulnerability-fixed-in-ghostscript 2023-03-23 2023-04-13 2023-04-28
zeek -- potential DoS vulnerabilities zeek 5.0.8

Tim Wojtulewicz of Corelight reports:

Receiving DNS responses from async DNS requests (via A specially-crafted stream of FTP packets containing a command reply with many intermediate lines can cause Zeek to spend a large amount of time processing data.

A specially-crafted set of packets containing extremely large file offsets cause cause the reassembler code to allocate large amounts of memory.

The DNS manager does not correctly expire responses that don't contain any data, such those containing NXDOMAIN or NODATA status codes. This can lead to Zeek allocating large amounts of memory for these responses and never deallocating them.

A specially-crafted stream of RDP packets can cause Zeek to spend large protocol validation.

A specially-crafted stream of SMTP packets can cause Zeek to spend large amounts of time processing data.

https://github.com/zeek/zeek/releases/tag/v5.0.8 2023-04-12 2023-04-12
py-beaker -- arbitrary code execution vulnerability py37-beaker py38-beaker py39-beaker py310-beaker py311-beaker 1.12.1

matheusbrat reports:

The Beaker library through 1.12.1 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.

CVE-2013-7489 https://osv.dev/vulnerability/PYSEC-2020-216 2020-06-26 2023-04-10
py-psutil -- double free vulnerability py37-psutil121 py38-psutil121 py39-psutil121 py310-psutil121 py311-psutil121 5.6.6

ret2libc reports:

psutil (aka python-psutil) through 5.6.5 can have a double free.

This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.

CVE-2019-18874 https://osv.dev/vulnerability/PYSEC-2019-41 https://osv.dev/vulnerability/GHSA-qfc5-mcwq-26q8 2019-11-12 2023-04-10
py-ansible -- multiple vulnerabilities py37-ansible py38-ansible py39-ansible py310-ansible py311-ansible 7.2.0

abeluck reports:

A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed.

Files would remain in the bucket exposing the data.

This issue affects directly data confidentiality.

A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers.

Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes.

This issue affects mainly the service availability.

CVE-2020-25635 https://osv.dev/vulnerability/PYSEC-2020-220 CVE-2020-25636 https://osv.dev/vulnerability/PYSEC-2020-221 2020-10-05 2023-04-10
py-ansible -- data leak vulnerability py37-ansible py38-ansible py39-ansible py310-ansible py311-ansible 7.1.0

Tapas jena reports:

A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory.

Any secret information in an async status file will be readable by a malicious user on that system.

This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.

CVE-2021-3532 https://osv.dev/vulnerability/PYSEC-2021-125 2021-06-09 2023-04-10
py-kerberos -- DoS and MitM vulnerabilities py37-kerberos py38-kerberos py39-kerberos py310-kerberos py311-kerberos 1.3.1

macosforgebot reports:

The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.

CVE-2015-3206 https://osv.dev/vulnerability/PYSEC-2017-49 2017-08-25 2023-04-10
py-cryptography -- includes a vulnerable copy of OpenSSL py37-cryptography py38-cryptography py39-cryptography py310-cryptography py311-cryptography 39.0.1

pyca/cryptography's wheels include a statically linked copy of OpenSSL.

The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue.

More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and https://www.openssl.org/news/secadv/20230207.txt.

If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL.

Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

CVE-2023-0286 https://osv.dev/vulnerability/GHSA-x4qr-2fvf-3mr5 2023-02-08 2023-04-10
py-cryptography -- allows programmers to misuse an API py37-cryptography py38-cryptography py39-cryptography py310-cryptography py311-cryptography 1.839.0.1

alex reports:

Previously, `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers.

This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python.

This is a soundness bug -- it allows programmers to misuse an API, it cannot be exploited by attacker controlled data alone.

This now correctly raises an exception.

This issue has been present since `update_into` was originally introduced in cryptography 1.8.

CVE-2023-23931 https://osv.dev/vulnerability/GHSA-w7pp-m8wf-vj6r 2023-02-07 2023-04-10
py-tensorflow -- denial of service vulnerability py37-tensorflow py38-tensorflow py39-tensorflow py310-tensorflow py311-tensorflow 2.8.4 2.9.02.9.3 2.10.02.10.1

Kang Hong Jin, Neophytos Christou, 刘力源 and Pattarakrit Rattankul report:

Another instance of CVE-2022-35935, where `SobolSample` is vulnerable to a denial of service via assumed scalar inputs, was found and fixed.

Pattarakrit Rattankul reports:

Another instance of CVE-2022-35991, where `TensorListScatter` and `TensorListScatterV2` crash via non scalar inputs in`element_shape`, was found in eager mode and fixed.

CVE-2022-35935 https://osv.dev/vulnerability/GHSA-cqvq-fvhr-v6hc CVE-2022-35991 https://osv.dev/vulnerability/GHSA-xf83-q765-xm6m 2022-11-21 2023-04-09
py-tensorflow -- unchecked argument causing crash py37-tensorflow py38-tensorflow py39-tensorflow py310-tensorflow py311-tensorflow 2.7.2 2.8.02.8.1 2.9.02.9.2

Jingyi Shi reports:

The 'AvgPoolOp' function takes an argument `ksize` that must be positive but is not checked.

A negative `ksize` can trigger a `CHECK` failure and crash the program.

CVE-2022-35941 https://osv.dev/vulnerability/GHSA-mgmh-g2v6-mqw5 2022-09-16 2023-04-09
py-pymatgen -- regular expression denial of service py37-pymatgen py38-pymatgen py39-pymatgen py310-pymatgen py311-pymatgen 2022.9.21

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method.

CVE-2022-42964 https://osv.dev/vulnerability/GHSA-5jqp-885w-xj32 2022-11-10 2023-04-09
py-nicotine-plus -- Denial of service vulnerability py37-nicotine-plus py38-nicotine-plus py39-nicotine-plus py310-nicotine-plus py311-nicotine-plus 3.2.1

ztauras reports:

Denial of service (DoS) vulnerability in Nicotine+ starting with version 3.0.3 and prior to version 3.2.1 allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character.

CVE-2021-45848 https://osv.dev/vulnerability/GHSA-p4v2-r99v-wjc2 2022-03-16 2023-04-09
py-slixmpp -- incomplete SSL certificate validation py37-slixmpp py38-slixmpp py39-slixmpp py310-slixmpp py311-slixmpp 1.8.3

Slixmpp before 1.8.3 lacks SSL Certificate hostname validation in XMLStream, allowing an attacker to pose as any server in the eyes of Slixmpp.

CVE-2022-45197 https://osv.dev/vulnerability/GHSA-q6cq-m9gm-6q2f 2022-12-25 2023-04-09
py-suds -- vulnerable to symlink attacks py37-suds py38-suds py39-suds py310-suds py311-suds 1.0.0

SUSE reports:

cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/.

CVE-2013-2217 https://osv.dev/vulnerability/PYSEC-2013-32 2013-09-23 2023-04-09 2023-07-08
py-impacket -- multiple path traversal vulnerabilities py37-impacket py38-impacket py39-impacket py310-impacket py311-impacket 0.9.100.9.23

asolino reports:

Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.

CVE-2021-31800 https://osv.dev/vulnerability/PYSEC-2021-17 https://osv.dev/vulnerability/GHSA-mj63-64x7-57xf 2021-05-05 2023-04-09
py-tflite -- buffer overflow vulnerability py37-tflite py38-tflite py39-tflite py310-tflite py311-tflite 2.8.4 2.9.02.9.3 2.10.02.10.1

Thibaut Goetghebuer-Planchon reports:

The reference kernel of the CONV_3D_TRANSPOSE TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result.

Instead of `data_ptr += num_channels;` it should be `data_ptr += output_num_channels;` as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels.

An attacker can craft a model with a specific number of input channels in a way similar to the attached example script.

It is then possible to write specific values through the bias of the layer outside the bounds of the buffer.

This attack only works if the reference kernel resolver is used in the interpreter (i.e. `experimental_op_resolver_type=tf.lite.experimental.OpResolverType.BUILTIN_REF` is used).

CVE-2022-41894 https://osv.dev/vulnerability/GHSA-h6q3-vv32-2cq5 2022-11-21 2023-04-09
py-tflite -- denial of service vulnerability py37-tflite py38-tflite py39-tflite py310-tflite py311-tflite 2.3.4 2.4.02.4.3 2.5.02.5.1

Yakun Zhang of Baidu Security reports:

An attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service

CVE-2021-37689 https://osv.dev/vulnerability/GHSA-wf5p-c75w-w3wh 2021-08-25 2023-04-09
py-cinder -- unauthorized data access py37-cinder py38-cinder py39-cinder py310-cinder py311-cinder 19.1.2 20.0.020.0.2

Utkarsh Gupta reports:

An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0.

By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.

CVE-2022-47951 https://osv.dev/vulnerability/GHSA-7h75-hwxx-qpgc 2023-01-27 2023-04-09
py-cinder -- data leak py37-cinder py38-cinder py39-cinder py310-cinder py311-cinder 12.0.9 13.0.013.0.9 14.0.014.3.1 15.0.015.6.0 16.0.016.4.2 17.0.017.4.0 18.0.018.2.1 19.0.019.2.0 20.0.020.1.0 21.0.021.1.0 22.0.022.0.0.0rc2

Duncan Thomas reports:

The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header.

CVE-2014-3641 https://osv.dev/vulnerability/GHSA-qhch-g8qr-p497 2022-05-17 2023-04-09
traefik -- Use of vulnerable Go modules net/http, net/textproto traefik 2.9.9_1

The Go project reports:

HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.

CVE-2023-24534 https://www.cve.org/CVERecord?id=CVE-2023-24534 CVE-2023-29013 https://www.cve.org/CVERecord?id=CVE-2023-29013 2023-03-10 2023-04-07
py39-cinder -- insecure-credentials flaw py39-cinder 14.1.0 15.0.015.2.0 16.0.015.1.0

OpenStack project reports:

An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0.

When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the ``connection_info`` element in all Block Storage v3 Attachments API calls containing that element.

This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume.

Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API, should an attacker discover the Management API endpoint.

CVE-2020-10755 https://osv.dev/vulnerability/PYSEC-2020-228 2020-06-10 2023-04-09
py39-OWSLib -- arbitrary file read vulnerability py39-OWSLib 0.28.1

Jorge Rosillo reports:

OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution for `lxml`, and could lead to arbitrary file reads from an attacker-controlled XML payload.

This affects all XML parsing in the codebase.

CVE-2023-27476 https://osv.dev/vulnerability/GHSA-8h9c-r582-mggc 2023-03-07 2023-04-09
py39-unicorn -- sandbox escape and arbitrary code execution vulnerability py39-unicorn 2.0.0rc1

jwang-a reports:

An issue was discovered in split_region in uc.c in Unicorn Engine before 2.0.0-rc5.

It allows local attackers to escape the sandbox.

An attacker must first obtain the ability to execute crafted code in the target sandbox in order to exploit this vulnerability.

The specific flaw exists within the virtual memory manager.

The issue results from the faulty comparison of GVA and GPA while calling uc_mem_map_ptr to free part of a claimed memory block.

An attacker can leverage this vulnerability to escape the sandbox and execute arbitrary code on the host machine.

CVE-2021-44078 https://osv.dev/vulnerability/PYSEC-2021-868 2021-12-26 2023-04-09
py39-pycares -- domain hijacking vulnerability py39-pycares 4.2.0

Philipp Jeitner and Haya Shulman report:

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking.

The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

CVE-2021-3672 https://osv.dev/vulnerability/GHSA-c58j-88f5-h53f 2021-06-11 2023-04-09
py39-setuptools -- denial of service vulnerability py39-setuptools 44.1.1_1 57.0.058.5.3_3 62.1.063.1.0_1

SCH227 reports:

Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.

Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.

This has been patched in version 65.5.1. The patch backported to the revision 63.1.0_1.

CVE-2022-40897 https://osv.dev/vulnerability/GHSA-r9hx-vwmv-q579 2022-12-23 2023-04-09
py27-setuptools44 -- denial of service vulnerability py27-setuptools44 44.1.1_1 57.0.058.5.3_3 62.1.063.1.0_1

SCH227 reports:

Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.

Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.

This has been patched in version 65.5.1. The patch backported to the revision 44.1.1_1.

CVE-2022-40897 https://osv.dev/vulnerability/GHSA-r9hx-vwmv-q579 2022-12-23 2023-04-09
py39-setuptools58 -- denial of service vulnerability py39-setuptools58 44.1.1_1 57.0.058.5.3_3 62.1.063.1.0_1

SCH227 reports:

Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.

Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.

This has been patched in version 65.5.1. The patch backported to the revision 58.5.3_3.

CVE-2022-40897 https://osv.dev/vulnerability/GHSA-r9hx-vwmv-q579 2022-12-23 2023-04-09
py39-sentry-sdk -- sensitive cookies leak py39-sentry-sdk 1.14.0

Tom Wolters reports:

When using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry.

These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application.

CVE-2023-28117 https://osv.dev/vulnerability/GHSA-29pr-6jr8-q5jm 2023-03-21 2023-04-09
py39-py -- Regular expression Denial of Service vulnerability py39-py 1.11.0

SCH227 reports:

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

CVE-2022-42969 https://osv.dev/vulnerability/PYSEC-2022-42969 https://osv.dev/vulnerability/GHSA-w596-4wvx-j9j6 2022-11-04 2023-04-09
py39-joblib -- arbitrary code execution py39-joblib 1.2.0

jimlinntu reports:

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.

CVE-2022-21797 https://osv.dev/vulnerability/PYSEC-2022-288 https://osv.dev/vulnerability/GHSA-6hrg-qmvc-2xh8 2022-09-26 2023-04-09
py39-configobj -- vulnerable to Regular Expression Denial of Service py39-configobj 5.0.6_1

DarkTinia reports:

All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\).

**Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.

CVE-2023-26112 https://osv.dev/vulnerability/GHSA-c33w-24p9-8m24 2023-04-03 2023-04-09
py39-celery -- command injection vulnerability py39-celery 5.2.2

Snyk reports:

This affects the package celery before 5.2.2.

It by default trusts the messages and metadata stored in backends (result stores).

When reading task metadata from the backend, the data is deserialized.

Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

CVE-2021-23727 https://osv.dev/vulnerability/PYSEC-2021-858 https://osv.dev/vulnerability/GHSA-q4xr-rc97-m4xx 2021-12-09 2023-04-09
py39-redis -- can send response data to the client of an unrelated request py39-redis 4.4.04.4.4 4.5.04.5.4

drago-balto reports:

redis-py through 4.5.3 and 4.4.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request.

NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.

CVE-2023-28859 https://osv.dev/vulnerability/GHSA-8fww-64cx-x8p5 2023-03-26 2023-04-09
py39-redis -- can send response data to the client of an unrelated request py39-redis 4.3.6 4.4.04.4.3 4.5.04.5.3

drago-balto reports:

redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner.

The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3, but [are believed to be incomplete](https://github.com/redis/redis-py/issues/2665).

CVE-2023-28859 has been assigned the issues caused by the incomplete fixes.

CVE-2023-28858 https://osv.dev/vulnerability/GHSA-24wv-mv5m-xv4h 2023-03-26 2023-04-09
py39-sqlalchemy12 -- multiple SQL Injection vulnerabilities py39-sqlalchemy12 1.3.0

21k reports:

SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.

nosecurity reports:

SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.

CVE-2019-7548 CVE-2019-7164 https://osv.dev/vulnerability/PYSEC-2019-123 https://osv.dev/vulnerability/PYSEC-2019-124 https://osv.dev/vulnerability/GHSA-38fc-9xqv-7f7q https://osv.dev/vulnerability/GHSA-887w-45rq-vxgf 2019-02-06 2023-04-09
py39-sqlalchemy11 -- multiple SQL Injection vulnerabilities py39-sqlalchemy11 1.3.0

21k reports:

SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.

nosecurity reports:

SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.

CVE-2019-7164 CVE-2019-7548 https://osv.dev/vulnerability/PYSEC-2019-123 https://osv.dev/vulnerability/PYSEC-2019-124 https://osv.dev/vulnerability/GHSA-38fc-9xqv-7f7q https://osv.dev/vulnerability/GHSA-887w-45rq-vxgf 2019-02-06 2023-04-09
py39-sqlalchemy10 -- multiple SQL Injection vulnerabilities py39-sqlalchemy10 1.3.0

21k reports:

SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.

nosecurity reports:

SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.

CVE-2019-7164 CVE-2019-7548 https://osv.dev/vulnerability/PYSEC-2019-123 https://osv.dev/vulnerability/PYSEC-2019-124 https://osv.dev/vulnerability/GHSA-887w-45rq-vxgf https://osv.dev/vulnerability/GHSA-38fc-9xqv-7f7q 2019-02-06 2023-03-28
py39-lmdb -- multiple vulnerabilities py39-lmdb 0.98

TeamSeri0us reports:

An issue was discovered in py-lmdb 0.97. For certain values of md_flags, mdb_node_add does not properly set up a memcpy destination, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.

An issue was discovered in py-lmdb 0.97. For certain values of mp_flags, mdb_page_touch does not properly set up mc->mc_pg[mc->top], leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.

An issue was discovered in py-lmdb 0.97. mdb_node_del does not validate a memmove in the case of an unexpected node->mn_hi, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.

An issue was discovered in py-lmdb 0.97. For certain values of mn_flags, mdb_cursor_set triggers a memcpy with an invalid write operation within mdb_xcursor_init1. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.

An issue was discovered in py-lmdb 0.97. There is a divide-by-zero error in the function mdb_env_open2 if mdb_env_read_header obtains a zero value for a certain size field. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.

CVE-2019-16224 https://osv.dev/vulnerability/PYSEC-2019-236 CVE-2019-16225 https://osv.dev/vulnerability/PYSEC-2019-237 CVE-2019-16226 https://osv.dev/vulnerability/PYSEC-2019-238 CVE-2019-16227 https://osv.dev/vulnerability/PYSEC-2019-239 CVE-2019-16228 https://osv.dev/vulnerability/PYSEC-2019-240 2019-09-11 2023-03-26
py39-Elixir -- weak use of cryptography py39-Elixir 0.8.0

Red Hat Security Response Team reports:

Elixir 0.8.0 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database.

CVE-2012-2146 https://osv.dev/vulnerability/PYSEC-2012-13 2012-08-26 2023-03-26
py39-rencode -- infinite loop that could lead to Denial of Service py39-rencode 1.0.6_1

NIST reports:

The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.

CVE-2021-40839 https://osv.dev/vulnerability/PYSEC-2021-345 https://osv.dev/vulnerability/GHSA-gh8j-2pgf-x458 2021-09-09 2023-03-25 2023-03-26
chromium -- multiple vulnerabilities chromium 112.0.5615.49 ungoogled-chromium 112.0.5615.49

Chrome Releases reports:

This update includes 16 security fixes:

  • [1414018] High CVE-2023-1810: Heap buffer overflow in Visuals. Reported by Weipeng Jiang (@Krace) of VRI on 2023-02-08
  • [1420510] High CVE-2023-1811: Use after free in Frames. Reported by Thomas Orlita on 2023-03-01
  • [1418224] Medium CVE-2023-1812: Out of bounds memory access in DOM Bindings. Reported by Shijiang Yu on 2023-02-22
  • [1423258] Medium CVE-2023-1813: Inappropriate implementation in Extensions. Reported by Axel Chong on 2023-03-10
  • [1417325] Medium CVE-2023-1814: Insufficient validation of untrusted input in Safe Browsing. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2023-02-18
  • [1278708] Medium CVE-2023-1815: Use after free in Networking APIs. Reported by DDV_UA on 2021-12-10
  • [1413919] Medium CVE-2023-1816: Incorrect security UI in Picture In Picture. Reported by NDevTK on 2023-02-08
  • [1418061] Medium CVE-2023-1817: Insufficient policy enforcement in Intents. Reported by Axel Chong on 2023-02-22
  • [1223346] Medium CVE-2023-1818: Use after free in Vulkan. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research, Eric Lawrence, Microsoft, Patrick Walker (@HomeSen), and Kirtikumar Anandrao Ramchandani on 2021-06-24
  • [1406588] Medium CVE-2023-1819: Out of bounds read in Accessibility. Reported by Microsoft Edge Team on 2023-01-12
  • [1408120] Medium CVE-2023-1820: Heap buffer overflow in Browser History. Reported by raven at KunLun lab on 2023-01-17
  • [1413618] Low CVE-2023-1821: Inappropriate implementation in WebShare. Reported by Axel Chong on 2023-02-07
  • [1066555] Low CVE-2023-1822: Incorrect security UI in Navigation. Reported by 강우진 on 2020-04-01
  • [1406900] Low CVE-2023-1823: Inappropriate implementation in FedCM. Reported by Jasper Rebane (popstonia) on 2023-01-13
CVE-2023-1810 CVE-2023-1811 CVE-2023-1812 CVE-2023-1813 CVE-2023-1814 CVE-2023-1815 CVE-2023-1816 CVE-2023-1817 CVE-2023-1818 CVE-2023-1819 CVE-2023-1820 CVE-2023-1821 CVE-2023-1822 CVE-2023-1823 https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop.html 2023-04-05 2023-04-05
go -- multiple vulnerabilities go119 1.19.8 go120 1.20.3

The Go project reports:

go/parser: infinite loop in parsing

Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.

html/template: backticks not treated as string delimiters

Templates did not properly consider backticks (`) as Javascript string delimiters, and as such did not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contained a Go template action within a Javascript template literal, the contents of the action could be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, we've decided to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. Template.Parse will now return an Error when it encounters templates like this, with a currently unexported ErrorCode with a value of 12. This ErrorCode will be exported in the next major release.

net/http, net/textproto: denial of service from excessive memory allocation

HTTP and MIME header parsing could allocate large amounts of memory, even when parsing small inputs. Certain unusual patterns of input data could cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. Header parsing now correctly allocates only the memory required to hold parsed headers.

net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm could undercount the amount of memory consumed, leading it to accept larger inputs than intended. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. ReadForm could allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, mime/multipart.Reader now imposes the following limits on the size of parsed forms: Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.

CVE-2023-24537 CVE-2023-24538 CVE-2023-24534 CVE-2023-24536 https://groups.google.com/g/golang-dev/c/P-sOFU28bj0/m/QE_cqf22AgAJ 2023-04-04 2023-04-07
samba -- multiple vulnerabilities samba416 4.16.10 samba417 4.17.7 samba418 4.18.1

The Samba Team reports:

An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory.

The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.

The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC.

Installations with such secrets in their Samba AD should assume they have been obtained and need replacing.

CVE-2023-0225 https://www.samba.org/samba/security/CVE-2023-0225.html CVE-2023-0922 https://www.samba.org/samba/security/CVE-2023-0922.html CVE-2023-0614 https://www.samba.org/samba/security/CVE-2023-0614.html 2023-03-29 2023-04-07
ffmpeg -- multiple vulnerabilities ffmpeg 5.1,15.1.3,1 5.0,15.0.3,1 4.4.4,1 ffmpeg4 4.4.4 avidemux 2.9 emby-server emby-server-devel 0 handbrake 1.6.0 mythtv mythtv-frontend 33.0,1

NVD reports:

An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause a null pointer dereference, impacting availability.

A null pointer dereference issue was discovered in 'FFmpeg' in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash.

A vulnerability classified as problematic has been found in ffmpeg. This affects an unknown part of the file libavcodec/rpzaenc.c of the component QuickTime RPZA Video Encoder. The manipulation of the argument y_size leads to out-of-bounds read. It is possible to initiate the attack remotely. The name of the patch is 92f9b28ed84a77138105475beba16c146bdaf984. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-213543.

CVE-2022-3109 CVE-2022-3341 CVE-2022-3964 https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/2cdddcd6ec90c7a248ffe792d85faa4d89eab9f7 https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/481e81be1271ac9a0124ee615700390c2371bd89 https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/1eb002596e3761d88de4aeea3158692b82fb6307 https://ffmpeg.org/security.html 2022-11-12 2023-04-07 2023-04-10
mediawiki -- multiple vulnerabilities mediawiki135 1.35.10 mediawiki138 1.38.6 mediawiki139 1.39.3

Mediawikwi reports:

(T285159, CVE-2023-PENDING) SECURITY: X-Forwarded-For header allows brute-forcing autoblocked IP addresses.

(T326946, CVE-2020-36649) SECURITY: Bundled PapaParse copy in VisualEditor has known ReDos.

(T330086, CVE-2023-PENDING) SECURITY: OATHAuth allows replay attacks when MediaWiki is configured without ObjectCache; Insecure Default Configuration.

CVE-2020-36649 https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/6UQBHI5FWLATD7QO7DI4YS54U7XSSLAN/ 2020-04-02 2023-04-01
Gitlab -- Multiple Vulnerabilities gitlab-ce 15.10.015.10.1 15.9.015.9.4 8.115.8.5

Gitlab reports:

Cross-site scripting in "Maximum page reached" page

Private project guests can read new changes using a fork

Mirror repository error reveals password in Settings UI

DOS and high resource consumption of Prometheus server through abuse of Prometheus integration proxy endpoint

Unauthenticated users can view Environment names from public projects limited to project members only

Copying information to the clipboard could lead to the execution of unexpected commands

Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL

Arbitrary HTML injection possible when :soft_email_confirmation feature flag is enabled in the latest release

Framing of arbitrary content (leading to open redirects) on any page allowing user controlled markdown

MR for security reports are available to everyone

API timeout when searching for group issues

Unauthorised user can add child epics linked to victim's epic in an unrelated group

GitLab search allows to leak internal notes

Ambiguous branch name exploitation in GitLab

Improper permissions checks for moving an issue

Private project branches names can be leaked through a fork

CVE-2022-3513 CVE-2023-0485 CVE-2023-1098 CVE-2023-1733 CVE-2023-0319 CVE-2023-1708 CVE-2023-0838 CVE-2023-0523 CVE-2023-0155 CVE-2023-1167 CVE-2023-1417 CVE-2023-1710 CVE-2023-0450 CVE-2023-1071 CVE-2022-3375 https://about.gitlab.com/releases/2023/03/30/security-release-gitlab-15-10-1-released/ 2023-03-30 2023-03-31
rubygem-time -- ReDoS vulnerability ruby 2.7.0,12.7.8,1 3.0.0,13.0.6,1 3.1.0,13.1.4,1 3.2.0.p1,13.2.2,1 ruby27 2.7.0,12.7.8,1 ruby30 3.0.0,13.0.6,1 ruby31 3.1.0,13.1.4,1 ruby32 3.2.0.p1,13.2.2,1 rubygem-time 0.2.2

ooooooo_q reports:

The Time parser mishandles invalid strings that have specific characters. It causes an increase in execution time for parsing strings to Time objects.

CVE-2023-28756 https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/ 2023-03-30 2023-03-30
rubygem-uri -- ReDoS vulnerability ruby 2.7.0,12.7.8,1 3.0.0,13.0.6,1 3.1.0,13.1.4,1 3.2.0.p1,13.2.2,1 ruby27 2.7.0,12.7.8,1 ruby30 3.0.0,13.0.6,1 ruby31 3.1.0,13.1.4,1 ruby32 3.2.0.p1,13.2.2,1 rubygem-uri 0.12.1

Dominic Couture reports:

A ReDoS issue was discovered in the URI component. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects.

CVE-2023-28755 https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/ 2023-03-28 2023-03-30
powerdns-recursor -- denial of service powerdns-recursor 4.8.4

PowerDNS Team reports:

PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable

CVE-2023-26437 https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html 2023-03-29 2023-03-30
xorg-server -- Overlay Window Use-After-Free xorg-server xephyr xorg-vfbserver 21.1.8,1 xorg-nestserver 21.1.8,2 xwayland 23.0.0,123.1.1,1 22.1.9,1 xwayland-devel 21.0.99.1.439

The X.Org project reports:

  • ZDI-CAN-19866/CVE-2023-1393: X.Org Server Overlay Window Use-After-Free Local Privilege Escalation Vulnerability

    If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later.

https://lists.x.org/archives/xorg-announce/2023-March/003374.html CVE-2023-1393 2023-03-29 2023-03-29
OpenSSL -- Multiple vulnerabilities openssl 1.1.1t,1_2 openssl30 3.0.8_2 openssl31 3.1.0_2 openssl-quic 3.0.8_2

The OpenSSL project reports:

Severity: low

Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks.

The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification.

CVE-2023-0465 CVE-2023-0466 https://www.openssl.org/news/secadv/20230328.txt 2023-03-28 2023-03-29
Grafana -- Stored XSS in Graphite FunctionDescription tooltip grafana 8.5.22 9.0.09.2.15 9.3.09.3.11 9.4.09.4.7 grafana8 8.5.22 grafana9 9.2.15 9.3.09.3.11 9.4.09.4.7

Grafana Labs reports:

When a user adds a Graphite data source, they can then use the data source in a dashboard. This capability contains a feature to use Functions. Once a function is selected, a small tooltip appears when hovering over the name of the function. This tooltip allows you to delete the selected Function from your query or show the Function Description. However, no sanitization is done when adding this description to the DOM.

Since it is not uncommon to connect to public data sources, an attacker could host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.

The severity of this vulnerability is of CVSSv3.1 5.7 Medium (CVSS: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N (5.7)).

CVE-2023-1410 https://grafana.com/security/security-advisories/cve-2023-1410/ 2023-03-14 2023-03-29
Matrix clients -- Prototype pollution in matrix-js-sdk element-web 1.11.26 cinny 2.2.4

Matrix developers report:

Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk to patch a pair of High severity vulnerabilities (CVE-2023-28427 / GHSA-mwq8-fjpf-c2gr for matrix-js-sdk and CVE-2023-28103 / GHSA-6g43-88cp-w5gv for matrix-react-sdk).

The issues involve prototype pollution via events containing special strings in key locations, which can temporarily disrupt normal functioning of matrix-js-sdk and matrix-react-sdk, potentially impacting the consumer's ability to process data safely.

CVE-2023-28103 CVE-2023-28427 https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0 2023-03-28 2023-03-29
phpmyfaq -- multiple vulnerabilities phpmyfaq 3.1.12

phpmyfaq developers report:

XSS

weak passwords

privilege escalation

Captcha bypass

https://huntr.dev/bounties/e8109aed-d364-4c0c-9545-4de0347b10e1/ https://huntr.dev/bounties/39715aaf-e798-4c60-97c4-45f4f2cd5c61/ https://huntr.dev/bounties/01d6ae23-3a8f-42a8-99f4-10246187d71b/ https://huntr.dev/bounties/dda73cb6-9344-4822-97a1-2e31efb6a73e/ https://huntr.dev/bounties/529f2361-eb2e-476f-b7ef-4e561a712e28/ https://huntr.dev/bounties/1dc7f818-c8ea-4f80-b000-31b48a426334/ https://huntr.dev/bounties/e495b443-b328-42f5-aed5-d68b929b4cb9/ https://huntr.dev/bounties/ece5f051-674e-4919-b998-594714910f9e/ https://huntr.dev/bounties/93f981a3-231d-460d-a239-bb960e8c2fdc/ https://huntr.dev/bounties/e4a58835-96b5-412c-a17e-3ceed30231e1/ https://huntr.dev/bounties/b7d244b7-5ac3-4964-81ee-8dbb5bb5e33a/ https://huntr.dev/bounties/24c0a65f-0751-4ff8-af63-4b325ac8879f/ https://huntr.dev/bounties/3c2374cc-7082-44b7-a6a6-ccff7a650a3a/ https://huntr.dev/bounties/0854328e-eb00-41a3-9573-8da8f00e369c/ https://huntr.dev/bounties/2f1e417d-cf64-4cfb-954b-3a9cb2f38191/ https://huntr.dev/bounties/584a200a-6ff8-4d53-a3c0-e7893edff60c/ https://huntr.dev/bounties/bce84c02-abb2-474f-a67b-1468c9dcabb8/ https://huntr.dev/bounties/882ffa07-5397-4dbb-886f-4626859d711a/ https://huntr.dev/bounties/8ab09a1c-cfd5-4ce0-aae3-d33c93318957/ https://huntr.dev/bounties/2d0ac48a-490d-4548-8d98-7447042dd1b5/ 2023-03-20 2023-03-24
OpenSSL -- Excessive Resource Usage Verifying X.509 Policy Constraints openssl 1.1.1t,1_1 openssl30 3.0.8_1 openssl31 3.1.0_1 openssl-quic 3.0.8_1 virtualbox-ose 6.1.46

The OpenSSL project reports:

Severity: Low

A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.

CVE-2023-0464 https://www.openssl.org/news/secadv/20230322.txt 2023-03-23 2023-03-24 2023-07-19
rack -- possible denial of service vulnerability in header parsing rubygem-rack 3.0.6.1,3 rubygem-rack22 2.2.6.6,3 rubygem-rack16 1.6.14

ooooooo_q reports:

Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.

CVE-2023-27539 https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466 2023-03-13 2023-03-24
dino -- Insufficient message sender validation in Dino dino 0.4.2

Dino team reports:

Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers to modify the personal bookmark store via a crafted message. The attacker can change the display of group chats or force a victim to join a group chat; the victim may then be tricked into disclosing sensitive information.

CVE-2023-28686 https://dino.im/security/cve-2023-28686/ 2023-03-23 2023-03-24
libXpm -- Issues handling XPM files libXpm 3.5.15

The X.Org project reports:

  1. CVE-2022-46285: Infinite loop on unclosed comments

    When reading XPM images from a file with libXpm 3.5.14 or older, if a comment in the file is not closed (i.e. a C-style comment starts with "/*" and is missing the closing "*/"), the ParseComment() function will loop forever calling getc() to try to read the rest of the comment, failing to notice that it has returned EOF, which may cause a denial of service to the calling program.

    This issue was found by Marco Ivaldi of the Humanativa Group's HN Security team.

    The fix is provided in https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148

  2. CVE-2022-44617: Runaway loop on width of 0 and enormous height

    When reading XPM images from a file with libXpm 3.5.14 or older, if a image has a width of 0 and a very large height, the ParsePixels() function will loop over the entire height calling getc() and ungetc() repeatedly, or in some circumstances, may loop seemingly forever, which may cause a denial of service to the calling program when given a small crafted XPM file to parse.

    This issue was found by Martin Ettl.

    The fix is provided in https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/f80fa6ae47ad4a5beacb28 and https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/c5ab17bcc34914c0b0707d

  3. CVE-2022-4883: compression commands depend on $PATH

    By default, on all platforms except MinGW, libXpm will detect if a filename ends in .Z or .gz, and will when reading such a file fork off an uncompress or gunzip command to read from via a pipe, and when writing such a file will fork off a compress or gzip command to write to via a pipe.

    In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH to find the commands. If libXpm is called from a program running with raised privileges, such as via setuid, then a malicious user could set $PATH to include programs of their choosing to be run with those privileges.

    This issue was found by Alan Coopersmith of the Oracle Solaris team.

https://lists.x.org/archives/xorg-announce/2023-January/003312.html CVE-2022-46285 CVE-2022-44617 CVE-2022-4883 2023-01-17 2023-03-23
tailscale -- security vulnerability in Tailscale SSH tailscale 1.38.2

Tailscale team reports:

A vulnerability identified in the implementation of Tailscale SSH in FreeBSD allowed commands to be run with a higher privilege group ID than that specified by Tailscale SSH access rules.

CVE-2023-28436 https://tailscale.com/security-bulletins/#ts-2023-003 2023-03-22 2023-03-23
chromium -- multiple vulnerabilities chromium 111.0.5563.110 ungoogled-chromium 111.0.5563.110

Chrome Releases reports:

This update includes 8 security fixes:

  • [1421773] High CVE-2023-1528: Use after free in Passwords. Reported by Wan Choi of Seoul National University on 2023-03-07
  • [1419718] High CVE-2023-1529: Out of bounds memory access in WebHID. Reported by anonymous on 2023-02-27
  • [1419831] High CVE-2023-1530: Use after free in PDF. Reported by The UK's National Cyber Security Centre (NCSC) on 2023-02-27
  • [1415330] High CVE-2023-1531: Use after free in ANGLE. Reported by Piotr Bania of Cisco Talos on 2023-02-13
  • [1421268] High CVE-2023-1532: Out of bounds read in GPU Video. Reported by Mark Brand of Google Project Zero on 2023-03-03
  • [1422183] High CVE-2023-1533: Use after free in WebProtect. Reported by Weipeng Jiang (@Krace) of VRI on 2023-03-07
  • [1422594] High CVE-2023-1534: Out of bounds read in ANGLE. Reported by Jann Horn and Mark Brand of Google Project Zero on 2023-03-08
CVE-2023-1528 CVE-2023-1529 CVE-2023-1530 CVE-2023-1531 CVE-2023-1532 CVE-2023-1533 CVE-2023-1534 https://chromereleases.googleblog.com/2023/03/stable-channel-update-for-desktop_21.html 2023-03-21 2023-03-22
redis -- specially crafted MSETNX command can lead to denial-of-service redis 7.0.10 redis-devel 7.0.10.20230320

Yupeng Yang reports:

Authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process.

CVE-2023-28425 https://github.com/redis/redis/security/advisories/GHSA-mvmm-4vq6-vw8c 2023-03-20 2023-03-21
curl -- multiple vulnerabilities curl 8.0.0

Harry Sintonen reports:

CVE-2023-27533
curl supports communicating using the TELNET protocol and as a part of this it offers users to pass on user name and "telnet options" for the server negotiation. Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on user name and telnet options to the server as provided. This could allow users to pass in carefully crafted content that pass on content or do option negotiation without the application intending to do so. In particular if an application for example allows users to provide the data or parts of the data.
CVE-2023-27534
curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character as the first path element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs work. Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element. Using a path like /~2/foo when accessing a server using the user dan (with home directory /home/dan) would then quite surprisingly access the file /home/dan2/foo. This can be taken advantage of to circumvent filtering or worse.
CVE-2023-27535
libcurl would reuse a previously created FTP connection even when one or more options had been changed that could have made the effective user a very different one, thus leading to the doing the second transfer with wrong credentials. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The settings in questions are CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and CURLOPT_USE_SSL level.
CVE-2023-27536
ibcurl would reuse a previously created connection even when the GSS delegation (CURLOPT_GSSAPI_DELEGATION) option had been changed that could have changed the user's permissions in a second transfer. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, this GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.
CVE-2023-27537
libcurl supports sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.
CVE-2023-27538
libcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily.
CVE-2023-27533 CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-27537 CVE-2023-27538 https://curl.se/docs/security.html 2023-03-20 2023-03-20
phpMyAdmin -- XSS vulnerability in drag-and-drop upload phpMyAdmin phpMyAdmin-php80 phpMyAdmin-php81 phpMyAdmin-php82 phpMyAdmin5 phpMyAdmin5-php80 phpMyAdmin5-php81 phpMyAdmin5-php82 4.9.11 5.05.2.1

phpMyAdmin Team reports:

PMASA-2023-1 XSS vulnerability in drag-and-drop upload

https://www.phpmyadmin.net/security/PMASA-2023-1/ 2023-02-07 2023-03-16
Apache httpd -- Multiple vulnerabilities apache24 2.4.56

The Apache httpd project reports:

  • CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting (cve.mitre.org). HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.
  • CVE-2023-25690: HTTP request splitting with mod_rewrite and mod_proxy (cve.mitre.org). Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.
CVE-2023-25690 CVE-2023-27522 https://downloads.apache.org/httpd/CHANGES_2.4.56 2023-03-08 2023-03-11
chromium -- multiple vulnerabilities chromium 111.0.5563.64 ungoogled-chromium 111.0.5563.64

Chrome Releases reports:

This update includes 40 security fixes:

  • [1411210] High CVE-2023-1213: Use after free in Swiftshader. Reported by Jaehun Jeong(@n3sk) of Theori on 2023-01-30
  • [1412487] High CVE-2023-1214: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2023-02-03
  • [1417176] High CVE-2023-1215: Type Confusion in CSS. Reported by Anonymous on 2023-02-17
  • [1417649] High CVE-2023-1216: Use after free in DevTools. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2023-02-21
  • [1412658] High CVE-2023-1217: Stack buffer overflow in Crash reporting. Reported by sunburst of Ant Group Tianqiong Security Lab on 2023-02-03
  • [1413628] High CVE-2023-1218: Use after free in WebRTC. Reported by Anonymous on 2023-02-07
  • [1415328] High CVE-2023-1219: Heap buffer overflow in Metrics. Reported by Sergei Glazunov of Google Project Zero on 2023-02-13
  • [1417185] High CVE-2023-1220: Heap buffer overflow in UMA. Reported by Sergei Glazunov of Google Project Zero on 2023-02-17
  • [1385343] Medium CVE-2023-1221: Insufficient policy enforcement in Extensions API. Reported by Ahmed ElMasry on 2022-11-16
  • [1403515] Medium CVE-2023-1222: Heap buffer overflow in Web Audio API. Reported by Cassidy Kim(@cassidy6564) on 2022-12-24
  • [1398579] Medium CVE-2023-1223: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2022-12-07
  • [1403539] Medium CVE-2023-1224: Insufficient policy enforcement in Web Payments API. Reported by Thomas Orlita on 2022-12-25
  • [1408799] Medium CVE-2023-1225: Insufficient policy enforcement in Navigation. Reported by Roberto Ffrench-Davis @Lihaft on 2023-01-20
  • [1013080] Medium CVE-2023-1226: Insufficient policy enforcement in Web Payments API. Reported by Anonymous on 2019-10-10
  • [1348791] Medium CVE-2023-1227: Use after free in Core. Reported by @ginggilBesel on 2022-07-31
  • [1365100] Medium CVE-2023-1228: Insufficient policy enforcement in Intents. Reported by Axel Chong on 2022-09-18
  • [1160485] Medium CVE-2023-1229: Inappropriate implementation in Permission prompts. Reported by Thomas Orlita on 2020-12-20
  • [1404230] Medium CVE-2023-1230: Inappropriate implementation in WebApp Installs. Reported by Axel Chong on 2022-12-30
  • [1274887] Medium CVE-2023-1231: Inappropriate implementation in Autofill. Reported by Yan Zhu, Brave on 2021-11-30
  • [1346924] Low CVE-2023-1232: Insufficient policy enforcement in Resource Timing. Reported by Sohom Datta on 2022-07-24
  • [1045681] Low CVE-2023-1233: Insufficient policy enforcement in Resource Timing. Reported by Soroush Karami on 2020-01-25
  • [1404621] Low CVE-2023-1234: Inappropriate implementation in Intents. Reported by Axel Chong on 2023-01-03
  • [1404704] Low CVE-2023-1235: Type Confusion in DevTools. Reported by raven at KunLun lab on 2023-01-03
  • [1374518] Low CVE-2023-1236: Inappropriate implementation in Internals. Reported by Alesandro Ortiz on 2022-10-14
CVE-2023-1213 CVE-2023-1214 CVE-2023-1215 CVE-2023-1216 CVE-2023-1217 CVE-2023-1218 CVE-2023-1219 CVE-2023-1220 CVE-2023-1221 CVE-2023-1222 CVE-2023-1223 CVE-2023-1224 CVE-2023-1225 CVE-2023-1226 CVE-2023-1227 CVE-2023-1228 CVE-2023-1229 CVE-2023-1230 CVE-2023-1231 CVE-2023-1232 CVE-2023-1233 CVE-2023-1234 CVE-2023-1235 CVE-2023-1236 https://chromereleases.googleblog.com/2023/03/stable-channel-update-for-desktop.html 2023-03-08 2023-03-09
jenkins -- multiple vulnerabilities jenkins 2.394 jenkins-lts 2.387.1

Jenkins Security Advisory:

Description

(High) SECURITY-3037 / CVE-2023-27898

XSS vulnerability in plugin manager

(Medium) SECURITY-3030 / CVE-2023-24998 (upstream issue), CVE-2023-27900 (MultipartFormDataParser), CVE-2023-27901 (StaplerRequest)

DoS vulnerability in bundled Apache Commons FileUpload library

(Medium) SECURITY-1807 / CVE-2023-27902

Workspace temporary directories accessible through directory browser

(Low) SECURITY-3058 / CVE-2023-27903

Temporary file parameter created with insecure permissions

(Low) SECURITY-2120 / CVE-2023-27904

Information disclosure through error stack traces related to agents

CVE-2023-27898 CVE-2023-24998 CVE-2023-27900 CVE-2023-27901 CVE-2023-27902 CVE-2023-27903 CVE-2023-27904 https://www.jenkins.io/security/advisory/2023-03-08/ 2023-03-08 2023-03-09
go -- crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results go119 1.19.7 go120 1.20.2

The Go project reports:

crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve).

CVE-2023-24532 https://groups.google.com/g/golang-dev/c/3wmx8i5WvNY/m/AEOlccrGAwAJ 2023-02-22 2023-03-08
mantis -- multiple vulnerabilities mantis-php74 mantis-php80 mantis-php81 mantis-php82 2.25.6,1

Mantis 2.25.6 release reports:

Security and maintenance release

  • 0031086: Private issue summary disclosure (CVE-2023-22476)
  • 0030772: Update (bundled) moment.js to 2.29.4 (CVE-2022-31129)
  • 0030791: Allow adding relation type noopener/noreferrer to outgoing links
CVE-2023-22476 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-22476 CVE-2022-31129 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-31129 2023-01-06 2023-03-08
Apache OpenOffice -- master password vulnerabilities apache-openoffice 4.1.13 apache-openoffice-devel 4.2.1678061694,4

The Apache Openoffice project reports:

Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice

Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice

CVE-2022-37400 CVE-2022-37401 https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.13+Release+Notes 2022-02-25 2023-03-08
rack -- possible DoS vulnerability in multipart MIME parsing rubygem-rack 3.0.4.2,3 rubygem-rack22 2.2.6.3,3 rubygem-rack16 1.6.14

Aaron Patterson reports:

The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.

CVE-2023-27530 https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388 2023-03-03 2023-03-06
curl -- multiple vulnerabilities curl 7.88.0

Harry Sintonen and Patrick Monnerat report:

CVE-2023-23914
A cleartext transmission of sensitive information vulnerability exists in curl < v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly be ignored by subsequent transfers when done on the same command line because the state would not be properly carried on.
CVE-2023-23915
A cleartext transmission of sensitive information vulnerability exists in curl < v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recently completed transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.
CVE-2023-23916
An allocation of resources without limits or throttling vulnerability exists in curl < v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
CVE-2023-23914 CVE-2023-23915 CVE-2023-23916 https://curl.se/docs/security.html 2023-02-15 2023-03-05
strongSwan -- certificate verification vulnerability strongswan 5.9.85.9.9_2

strongSwan reports:

A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected.

CVE-2023-26463 https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-2023-26463).html 2023-03-02 2023-03-04
Gitlab -- Multiple Vulnerabilities gitlab-ce 15.9.015.9.2 15.8.015.8.4 9.0.015.7.8

Gitlab reports:

Stored XSS via Kroki diagram

Prometheus integration Google IAP details are not hidden, may leak account details from instance/group/project settings

Improper validation of SSO and SCIM tokens while managing groups

Maintainer can leak Datadog API key by changing Datadog site

Clipboard based XSS in the title field of work items

Improper user right checks for personal snippets

Release Description visible in public projects despite release set as project members only

Group integration settings sensitive information exposed to project maintainers

Improve pagination limits for commits

Gitlab Open Redirect Vulnerability

Maintainer may become an Owner of a project

CVE-2023-0050 CVE-2022-4289 CVE-2022-4331 CVE-2023-0483 CVE-2022-4007 CVE-2022-3758 CVE-2023-0223 CVE-2022-4462 CVE-2023-1072 CVE-2022-3381 CVE-2023-1084 https://about.gitlab.com/releases/2023/03/02/security-release-gitlab-15-9-2-released/ 2023-03-02 2023-03-03
Grafana -- Stored XSS in text panel plugin grafana 9.2.09.2.10 9.3.09.3.4 grafana9 9.2.09.2.10 9.3.09.3.4

Grafana Labs reports:

During an internal audit of Grafana on January 1, a member of the security team found a stored XSS vulnerability affecting the core text plugin.

The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React’s render cycle that will pass through the unsanitized HTML code, but in the next cycle, the HTML is cleaned up and saved in Grafana’s database.

The CVSS score for this vulnerability is 6.4 Medium (CVSS:6.4/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).

CVE-2023-22462 https://github.com/grafana/grafana/security/advisories/GHSA-7rqg-hjwc-6mjf 2023-01-01 2023-03-01
Grafana -- Stored XSS in TraceView panel grafana 8.5.21 9.0.09.2.13 9.3.09.3.8 grafana8 8.5.21 grafana9 9.0.09.2.13 9.3.09.3.8

Grafana Labs reports:

During an internal audit of Grafana on January 30, a member of the engineering team found a stored XSS vulnerability affecting the TraceView panel.

The stored XSS vulnerability was possible because the value of a span’s attributes/resources were not properly sanitized, and this will be rendered when the span’s attributes/resources are expanded.

The CVSS score for this vulnerability is 7.3 High (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

CVE-2023-0594 https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/ 2023-01-30 2023-03-01
Grafana -- Stored XSS in geomap panel plugin via attribution grafana 8.5.21 9.0.09.2.13 9.3.09.3.8 grafana8 8.5.21 grafana9 9.0.09.2.13 9.3.09.3.8

Grafana Labs reports:

During an internal audit of Grafana on January 25, a member of the security team found a stored XSS vulnerability affecting the core geomap plugin.

The stored XSS vulnerability was possible because map attributions weren’t properly sanitized, allowing arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.

The CVSS score for this vulnerability is 7.3 High (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

CVE-2023-0507 https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/ 2023-01-25 2023-03-01
redis -- multiple vulnerabilities redis 7.0.9 redis-devel 7.0.9.20230228 redis62 6.2.11 redis6 6.0.18

The Redis core team reports:

CVE-2023-25155
Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process.
CVE-2022-36021
String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time.
CVE-2023-25155 CVE-2022-36021 https://groups.google.com/g/redis-db/c/3hQ1oTO4hMI 2023-02-28 2023-03-01
emacs -- multiple vulnerabilities emacs emacs-canna emacs-nox 28.2_3,3 emacs-devel emacs-devel-nox 30.0.50.20230101,3

Xi Lu reports:

CVE-2022-48337
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.
CVE-2022-48338
An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.
CVE-2022-48339
An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.
CVE-2022-48337 CVE-2022-48338 CVE-2022-48339 https://www.debian.org/security/2023/dsa-5360 2022-12-06 2023-02-27
freerdp -- clients using the `/video` command line switch might read uninitialized data freerdp 2.8.1

MITRE reports:

All FreeRDP based clients when using the `/video` command line switch might read uninitialized data, decode it as audio/video and display the result. FreeRDP based server implementations are not affected.

CVE-2022-39283 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6cf9-3328-qrvh 2022-10-13 2023-02-24
freerdp -- clients using `/parallel` command line switch might read uninitialized data freerdp 2.8.1

MITRE reports:

FreeRDP based clients on unix systems using `/parallel` command line switch might read uninitialized data and send it to the server the client is currently connected to. FreeRDP based server implementations are not affected.

CVE-2022-39282 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c45q-wcpg-mxjq 2022-10-13 2023-02-24
chromium -- multiple vulnerabilities chromium 110.0.5481.177 ungoogled-chromium 110.0.5481.177

Chrome Releases reports:

This update includes 10 security fixes:

  • [1415366] Critical CVE-2023-0941: Use after free in Prompts. Reported by Anonymous on 2023-02-13
  • [1414738] High CVE-2023-0927: Use after free in Web Payments API. Reported by Rong Jian of VRI on 2023-02-10
  • [1309035] High CVE-2023-0928: Use after free in SwiftShader. Reported by Anonymous on 2022-03-22
  • [1399742] High CVE-2023-0929: Use after free in Vulkan. Reported by Cassidy Kim(@cassidy6564) on 2022-12-09
  • [1410766] High CVE-2023-0930: Heap buffer overflow in Video. Reported by Cassidy Kim(@cassidy6564) on 2023-01-27
  • [1407701] High CVE-2023-0931: Use after free in Video. Reported by Cassidy Kim(@cassidy6564) on 2023-01-17
  • [1413005] High CVE-2023-0932: Use after free in WebRTC. Reported by Omri Bushari (Talon Cyber Security) on 2023-02-05
  • [1404864] Medium CVE-2023-0933: Integer overflow in PDF. Reported by Zhiyi Zhang from Codesafe Team of Legendsec at QI-ANXIN
CVE-2023-0941 CVE-2023-0927 CVE-2023-0928 CVE-2023-0929 CVE-2023-0930 CVE-2023-0931 CVE-2023-0932 CVE-2023-0933 https://chromereleases.googleblog.com/2023/02/stable-channel-desktop-update_22.html 2023-02-22 2023-02-22
zeek -- potential DoS vulnerabilities zeek 5.0.7

Tim Wojtulewicz of Corelight reports:

Receiving DNS responses from async DNS requests (via the lookup_addr, etc BIF methods) with the TTL set to zero could cause the DNS manager to eventually stop being able to make new requests.

Specially-crafted FTP packets with excessively long usernames, passwords, or other fields could cause log writes to use large amounts of disk space.

The find_all and find_all_ordered BIF methods could take extremely large amounts of time to process incoming data depending on the size of the input.

https://github.com/zeek/zeek/releases/tag/v5.0.7 2023-02-21 2023-02-21
libde256 -- multiple vulnerabilities libde265 1.0.11

Libde265 developer reports:

This release fixes the known CVEs below. Many of them are actually caused by the same underlying issues that manifest in different ways.

CVE-2020-21594 CVE-2020-21595 CVE-2020-21596 CVE-2020-21597 CVE-2020-21598 CVE-2020-21599 CVE-2020-21600 CVE-2020-21601 CVE-2020-21602 CVE-2020-21603 CVE-2020-21604 CVE-2020-21605 CVE-2020-21606 CVE-2022-1253 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43243 CVE-2022-43244 CVE-2022-43245 CVE-2022-43248 CVE-2022-43249 CVE-2022-43250 CVE-2022-43252 CVE-2022-43253 CVE-2022-47655 https://github.com/strukturag/libde265/releases/tag/v1.0.10 2023-01-27 2023-02-21
git -- "git apply" overwriting paths outside the working tree git 2.39.2

git team reports:

By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply".

CVE-2023-23946 https://github.blog/2023-02-14-git-security-vulnerabilities-announced-3/#cve-2023-23946 2023-02-14 2023-02-21
git -- Local clone-based data exfiltration with non-local transports git 2.39.2

git team reports:

Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link.

These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.

CVE-2023-22490 https://github.blog/2023-02-14-git-security-vulnerabilities-announced-3/#cve-2023-22490 2023-02-14 2023-02-21
git -- gitattributes parsing integer overflow git 2.39.1

git team reports:

gitattributes are used to define unique attributes corresponding to paths in your repository. These attributes are defined by .gitattributes file(s) within your repository.

The parser used to read these files has multiple integer overflows, which can occur when parsing either a large number of patterns, a large number of attributes, or attributes with overly-long names.

These overflows may be triggered via a malicious .gitattributes file. However, Git automatically splits lines at 2KB when reading .gitattributes from a file, but not when parsing it from the index. Successfully exploiting this vulnerability depends on the location of the .gitattributes file in question.

This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution.

CVE-2022-23521 https://github.blog/2023-01-17-git-security-vulnerabilities-announced-2/#cve-2022-23521 2023-01-17 2023-02-21
git -- Heap overflow in `git archive`, `git log --format` leading to RCE git 2.39.1

The git team reports:

git log has the ability to display commits using an arbitrary format with its --format specifiers. This functionality is also exposed to git archive via the export-subst gitattribute.

When processing the padding operators (e.g., %<(, %<|(, %>(, %>>(, or %><( ), an integer overflow can occur in pretty.c::format_and_pad_commit() where a size_t is improperly stored as an int, and then added as an offset to a subsequent memcpy() call.

This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., git log --format=...). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive.

This integer overflow can result in arbitrary heap writes, which may result in remote code execution.

CVE-2022-41903 https://github.blog/2023-01-17-git-security-vulnerabilities-announced-2/#cve-2022-41903 2023-01-17 2023-02-21
gitea -- password hash quality gitea 1.18.4

The Gitea team reports:

This PR refactors and improves the password hashing code within gitea and makes it possible for server administrators to set the password hashing parameters.

In addition it takes the opportunity to adjust the settings for pbkdf2 in order to make the hashing a little stronger.

Add command to bulk set must-change-password

As part of administration sometimes it is appropriate to forcibly tell users to update their passwords.

This PR creates a new command gitea admin user must-change-password which will set the MustChangePassword flag on the provided users.

https://blog.gitea.io/2023/02/gitea-1.18.4-is-released/ https://github.com/go-gitea/gitea/releases/tag/v1.18.4 2022-02-14 2023-02-20
traefik -- Use of vulnerable Go module x/net/http2 traefik 2.9.8

The Go project reports:

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

CVE-2022-41721 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41721 2022-10-22 2023-02-19
Rundeck3 -- Log4J RCE vulnerability rundeck3 3.4.10

The Rundeck project reports:

This release updates both Community and Enterprise with the latest Log4J to address CVE-2021-44832 by updating it to 2.17.1.

CVE-2021-44832 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832 2021-12-11 2023-02-16
MinIO -- unprivileged users can create service accounts for admin users minio 2022.04.12.06.55.35

MinIO reports:

A security issue was found where an unprivileged user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials.

CVE-2022-24842 https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q 2022-04-11 2023-02-13
clamav -- Multiple vulnerabilities clamav 1.0.1,1 clamav-lts 0.103.8,1

Simon Scannell reports:

CVE-2023-20032
Fixed a possible remote code execution vulnerability in the HFS+ file parser.
CVE-2023-20052
Fixed a possible remote information leak vulnerability in the DMG file parser.
CVE-2023-20032 CVE-2023-20052 https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html 2023-02-15 2023-02-16
go -- multiple vulnerabilities go119 1.19.6 go120 1.20.1

The Go project reports:

path/filepath: path traversal in filepath.Clean on Windows

On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. The filepath.Clean function will now transform this path into the relative (but still invalid) path .\c:\b.

net/http, mime/multipart: denial of service from excessive resource consumption

Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.

crypto/tls: large handshake records may cause panics

Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses.

net/http: avoid quadratic complexity in HPACK decoding

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

CVE-2022-41722 CVE-2022-41725 CVE-2022-41724 CVE-2022-41723 https://groups.google.com/g/golang-dev/c/G2APtTxT1HQ/m/6O6aksDaBAAJ 2023-02-14 2023-02-15
Django -- multiple vulnerabilities py37-django32 py38-django32 py39-django32 py310-django32 3.2.18 py38-django40 py39-django40 py310-django40 4.0.10 py38-django41 py39-django41 py310-django41 4.1.7

Django reports:

CVE-2023-24580: Potential denial-of-service vulnerability in file uploads.

CVE-2023-24580 https://www.djangoproject.com/weblog/2023/feb/14/security-releases/ 2023-02-01 2023-02-14
GnuTLS -- timing sidechannel in RSA decryption gnutls 3.7.9

The GnuTLS project reports:

A vulnerability was found that the response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. Only TLS ciphertext processing is affected.

CVE-2023-0361 https://gnutls.org/security-new.html#GNUTLS-SA-2020-07-14 2023-02-10 2023-02-13
phpmyfaq -- multiple vulnerabilities phpmyfaq 3.1.11

phpmyfaq developers report:

a bypass to flood admin with FAQ proposals

stored XSS in questions

stored HTML injections

weak passwords

https://huntr.dev/bounties/14fc4841-0f5d-4e12-bf9e-1b60d2ac6a6c/ https://huntr.dev/bounties/8c74ccab-0d1d-4c6b-a0fa-803aa65de04f/ https://huntr.dev/bounties/87397c71-7b84-4617-a66e-fa6c73be9024/ https://huntr.dev/bounties/808d5452-607c-4af1-812f-26c49faf3e61/ https://huntr.dev/bounties/d9375178-2f23-4f5d-88bd-bba3d6ba7cc5/ https://huntr.dev/bounties/06af150b-b481-4248-9a48-56ded2814156/ https://huntr.dev/bounties/7152b340-c6f3-4ac8-9f62-f764a267488d/ https://huntr.dev/bounties/9e21156b-ab1d-4c60-88ef-8c9f3e2feb7f/ https://huntr.dev/bounties/b3881a1f-2f1e-45cb-86f3-735f66e660e9/ https://huntr.dev/bounties/949975f1-271d-46aa-85e5-1a013cdb5efb/ 2023-02-12 2023-02-12
chromium -- multiple vulnerabilities chromium 110.0.5481.77 ungoogled-chromium 110.0.5481.77

Chrome Releases reports:

This release contains 15 security fixes, including:

  • [1402270] High CVE-2023-0696: Type Confusion in V8. Reported by Haein Lee at KAIST Hacking Lab on 2022-12-18
  • [1341541] High CVE-2023-0697: Inappropriate implementation in Full screen mode. Reported by Ahmed ElMasry on 2022-07-03
  • [1403573] High CVE-2023-0698: Out of bounds read in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2022-12-25
  • [1371859] Medium CVE-2023-0699: Use after free in GPU. Reported by 7o8v and Cassidy Kim(@cassidy6564) on 2022-10-06
  • [1393732] Medium CVE-2023-0700: Inappropriate implementation in Download. Reported by Axel Chong on 2022-11-26
  • [1405123] Medium CVE-2023-0701: Heap buffer overflow in WebUI. Reported by Sumin Hwang of SSD Labs on 2023-01-05
  • [1316301] Medium CVE-2023-0702: Type Confusion in Data Transfer. Reported by Sri on 2022-04-14
  • [1405574] Medium CVE-2023-0703: Type Confusion in DevTools. Reported by raven at KunLun lab on 2023-01-07
  • [1385982] Low CVE-2023-0704: Insufficient policy enforcement in DevTools. Reported by Rhys Elsmore and Zac Sims of the Canva security team on 2022-11-18
  • [1238642] Low CVE-2023-0705: Integer overflow in Core. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-11
CVE-2023-0696 CVE-2023-0697 CVE-2023-0698 CVE-2023-0699 CVE-2023-0700 CVE-2023-0701 CVE-2023-0702 CVE-2023-0703 CVE-2023-0704 CVE-2023-0705 https://chromereleases.googleblog.com/2023/02/stable-channel-update-for-desktop.html 2023-02-07 2023-02-10
PostgreSQL server -- Client memory disclosure when connecting, with Kerberos, to modified server. postgresql15-client 15.2 postgresql14-client 14.7 postgresql13-client 13.10 postgresql12-client 12.14

PostgreSQL Project reports:

A modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. When a libpq client application has a Kerberos credential cache and doesn't explicitly disable option gssencmode, a server can cause libpq to over-read and report an error message containing uninitialized bytes from and following its receive buffer. If libpq's caller somehow makes that message accessible to the attacker, this achieves a disclosure of the over-read bytes. We have not confirmed or ruled out viability of attacks that arrange for a crash or for presence of notable, confidential information in disclosed bytes.

CVE-2022-41862 https://www.postgresql.org/support/security/CVE-2022-41862/ 2023-02-09 2023-02-09
Grafana -- Stored XSS in ResourcePicker component grafana 8.1.08.5.16 9.0.09.2.10 9.3.09.3.4 grafana8 8.1.08.5.16 grafana9 9.0.09.2.10 9.3.09.3.4

Grafana Labs reports:

On 2022-12-16 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin GeoMap.

The stored XSS vulnerability was possible due to SVG-files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.

CVE-2022-23552 https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv 2022-12-16 2023-02-09
Grafana -- Spoofing originalUrl of snapshots grafana 8.0.08.5.16 9.0.09.2.10 9.3.09.3.4 grafana8 8.0.08.5.16 grafana9 9.0.09.2.10 9.3.09.3.4

Grafana Labs reports:

A third-party penetration test of Grafana found a vulnerability in the snapshot functionality. The value of the originalUrl parameter is automatically generated. The purpose of the presented originalUrl parameter is to provide a user who views the snapshot with the possibility to click on the Local Snapshot button in the Grafana web UI and be presented with the dashboard that the snapshot captured. The value of the originalUrl parameter can be arbitrarily chosen by a malicious user that creates the snapshot. (Note: This can be done by editing the query thanks to a web proxy like Burp.)

We have assessed this vulnerability as having a CVSS score of 6.7 MEDIUM (CVSS:6.7/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L).

CVE-2022-39324 https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw 2023-01-25 2023-02-09
LibreSSL -- Arbitrary memory read libressl 3.5.4 libressl-devel 3.6.2

The OpenBSD project reports:

A malicious certificate revocation list or timestamp response token would allow an attacker to read arbitrary memory.

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.4-relnotes.txt 2023-02-08 2023-02-08
xorg-server -- Security issue in the X server xorg-server xephyr xorg-vfbserver 21.1.7,1 xorg-nestserver 21.1.7,2 xwayland 22.1.8,1 xwayland-devel 21.0.99.1.386

The X.org project reports:

  • CVE-2023-0494/ZDI-CAN-19596: X.Org Server DeepCopyPointerClasses use-after-free

    A dangling pointer in DeepCopyPointerClasses can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read/write into freed memory.

https://lists.x.org/archives/xorg-announce/2023-February/003320.html CVE-2023-0494 2023-02-07 2023-02-08
TightVNC -- Muliple Vulnerabilities tightvnc 1.3.10_6

MITRE reports:

TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP macro function, which can potentially result code execution. This attack appear to be exploitable via network connectivity.

TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP macro function, which can potentially result code execution. This attack appear to be exploitable via network connectivity.

TightVNC code version 1.3.10 contains heap buffer overflow in InitialiseRFBConnection function, which can potentially result code execution. This attack appear to be exploitable via network connectivity.

TightVNC code version 1.3.10 contains null pointer dereference in HandleZlibBPP function, which results Denial of System (DoS). This attack appear to be exploitable via network connectivity.

CVE-2019-8287 CVE-2019-15678 CVE-2019-15679 CVE-2019-15680 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8287 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15678 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15679 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15680 2019-02-12 2023-02-08
OpenSSL -- Multiple vulnerabilities openssl 1.1.1t,1 openssl-devel 3.0.8 openssl-quictls 3.0.8

The OpenSSL project reports:

X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) (High): There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

Timing Oracle in RSA Decryption (CVE-2022-4304) (Moderate): A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.

X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203) (Moderate): A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.

Use-after-free following BIO_new_NDEF (CVE-2023-0215) (Moderate): The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

Double free after calling PEM_read_bio_ex (CVE-2022-4450) (Moderate): The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.

Invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216) (Moderate): An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.

NULL dereference validating DSA public key (CVE-2023-0217) (Moderate): An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allow an attacker to cause a denial of service attack.

NULL dereference during PKCS7 data verification (CVE-2023-0401) (Moderate): A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash.

CVE-2023-0286 CVE-2022-4304 CVE-2022-4203 CVE-2023-0215 CVE-2022-4450 CVE-2023-0216 CVE-2023-0401 https://www.openssl.org/news/secadv/20230207.txt 2023-02-07 2023-02-07
Django -- multiple vulnerabilities py37-django32 py38-django32 py39-django32 py310-django32 3.2.17 py38-django40 py39-django40 py310-django40 4.0.9 py38-django41 py39-django41 py310-django41 4.1.6

Django reports:

CVE-2023-23969: Potential denial-of-service via Accept-Language headers.

CVE-2023-23969 https://www.djangoproject.com/weblog/2023/feb/01/security-releases/ 2023-02-01 2023-02-06
kafka -- Denial Of Service vulnerability kafka 3.3.2

NIST reports:

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

CVE-2020-36518 https://nvd.nist.gov/vuln/detail/CVE-2020-36518 2022-03-11 2023-02-04
node_exporter -- bypass security with cache poisoning node_exporter 1.5.0

Prometheus team reports:

Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. However, a flaw in the way this mechanism was implemented in the exporter toolkit makes it possible with people who know the hashed password to authenticate against Prometheus. A request can be forged by an attacker to poison the internal cache used to cache the computation of hashes and make subsequent requests successful. This cache is used in both happy and unhappy scenarios in order to limit side channel attacks that could tell an attacker if a user is present in the file or not.

CVE-2022-46146 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46146 2021-11-28 2023-02-04
Asterisk -- multiple vulnerabilities asterisk18 18.15.1

The Asterisk project reports:

AST-2022-007: Remote Crash Vulnerability in H323 channel add on

AST-2022-008: Use after free in res_pjsip_pubsub.c

AST-2022-009: GetConfig AMI Action can read files outside of Asterisk directory

CVE-2022-37325 CVE-2022-42705 CVE-2022-42706 https://downloads.asterisk.org/pub/security/AST-2022-007.html https://downloads.asterisk.org/pub/security/AST-2022-008.html https://downloads.asterisk.org/pub/security/AST-2022-009.html 2022-12-01 2023-02-02
Spotipy -- Path traversal vulnerability py37-spotipy py38-spotipy py39-spotipy py310-spotipy py311-spotipy 2.22.0

Stéphane Bruckert

If a malicious URI is passed to the library, the library can be tricked into performing an operation on a different API endpoint than intended.

CVE-2023-23608 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23608 https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-q764-g6fm-555v 2023-01-16 2023-02-02
zeek -- potential DoS vulnerabilities zeek 5.0.6

Tim Wojtulewicz of Corelight reports:

A missing field in the SMB FSControl script-land record could cause a heap buffer overflow when receiving packets containing those header types.

Receiving a series of packets that start with HTTP/1.0 and then switch to HTTP/0.9 could cause Zeek to spend a large amount of time processing the packets.

Receiving large numbers of FTP commands sequentially from the network with bad data in them could cause Zeek to spend a large amount of time processing the packets, and generate a large amount of events.

https://github.com/zeek/zeek/releases/tag/v5.0.6 2023-02-01 2023-02-01
Gitlab -- Multiple Vulnerabilities gitlab-ce 15.8.015.8.1 15.7.015.7.6 12.4.015.6.7

Gitlab reports:

Denial of Service via arbitrarily large Issue descriptions

CSRF via file upload allows an attacker to take over a repository

Sidekiq background job DoS by uploading malicious CI job artifact zips

Sidekiq background job DoS by uploading a malicious Helm package

CVE-2022-3411 CVE-2022-4138 CVE-2022-3759 CVE-2023-0518 https://about.gitlab.com/releases/2023/01/31/security-release-gitlab-15-8-1-released/ 2023-01-31 2023-02-01
Plex Media Server -- security vulnerability plexmediaserver plexmediaserver-plexpass 1.25.0

Plex Security Team reports:

We have recently been made aware of a security vulnerability in Plex Media Server versions prior to 1.25.0 that could allow a local Windows user to obtain administrator privileges without authorization. To be clear, this required the user to already have local, physical access to the computer (just with a different user account on Windows). There are no indications that this exploit could be used from a remote machine.

Plex Media Server versions 1.25.0.5282 and newer are not subject to this vulnerability, and feature additional hardening to prevent similar issues from occurring in the future. Users running older server versions are encouraged to update their Plex Media Server installations.

CVE-2021-42835 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42835 2021-10-22 2023-01-30
prometheus2 -- basic authentication bypass prometheus 0.8.1

Prometheus team reports:

Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. However, a flaw in the way this mechanism was implemented in the exporter toolkit makes it possible with people who know the hashed password to authenticate against Prometheus. A request can be forged by an attacker to poison the internal cache used to cache the computation of hashes and make subsequent requests successful. This cache is used in both happy and unhappy scenarios in order to limit side channel attacks that could tell an attacker if a user is present in the file or not.

CVE-2022-46146 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46146 2022-11-28 2023-01-30
chromium -- multiple vulnerabilities chromium 109.0.5414.119 ungoogled-chromium 109.0.5414.119

Chrome Releases reports:

This release contains 6 security fixes, including:

  • [1376354] High CVE-2023-0471: Use after free in WebTransport. Reported by chichoo Kim(chichoo) and Cassidy Kim(@cassidy6564) on 2022-10-19
  • [1405256] High CVE-2023-0472: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-01-06
  • [1404639] Medium CVE-2023-0473: Type Confusion in ServiceWorker API. Reported by raven at KunLun lab on 2023-01-03
  • [1400841] Medium CVE-2023-0474: Use after free in GuestView. Reported by avaue at S.S.L on 2022-12-14
CVE-2023-0471 CVE-2023-0472 CVE-2023-0473 CVE-2023-0474 https://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop_24.html 2023-01-24 2023-01-25
re2c -- uncontrolled recursion re2c 2.0

re2c reports:

re2c before 2.0 has uncontrolled recursion that causes stack consumption in find_fixed_tags.

CVE-2018-21232 https://nvd.nist.gov/vuln/detail/CVE-2018-21232 2022-05-24 2023-01-25
gitea -- information disclosure gitea 1.18.3

The Gitea team reports:

Prevent multiple To recipients: Change the mailer interface to prevent leaking of possible hidden email addresses when sending to multiple recipients.

https://blog.gitea.io/2023/01/gitea-1.18.3-is-released/ 2022-01-22 2023-01-24
net/krill -- DoS vulnerability krill 0.12.1

MITRE reports:

NLnet Labs Krill supports direct access to the RRDP repository content through its built-in web server at the "/rrdp" endpoint. Prior to 0.12.1 a direct query for any existing directory under "/rrdp/", rather than an RRDP file such as "/rrdp/notification.xml" as would be expected, causes Krill to crash. If the built-in "/rrdp" endpoint is exposed directly to the internet, then malicious remote parties can cause the publication server to crash. The repository content is not affected by this, but the availability of the server and repository can cause issues if this attack is persistent and is not mitigated. .

CVE-2023-0158 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0158 2023-01-10 2023-01-23
www/awstats -- Partial absolute pathname awstats 7.8

MITRE reports:

It seems #90 is not completely fixed in 7.8. (that is, even after CVE-2017-1000501 and CVE-2020-29600 are fixed). In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.

CVE-2020-35176 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35176 2022-12-11 2023-01-23
net/eternalterminal -- Multiple vulnerabilities eternalterminal 6.2.1

Mitre reports:

etserver and etclient have predictable logfile names in /tmp and they are world-readable logfiles

CVE-2022-48257 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48257 CVE-2022-48258 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48258 2023-01-13 2023-01-23
powerdns-recursor -- denial of service powerdns-recursor 4.8.04.8.1

PowerDNS Team reports:

PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination

CVE-2023-22617 https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-01.html 2023-01-20 2023-01-23
shells/fish -- arbitrary code execution via git fish 3.1.03.4.0

Peter Ammon reports:

fish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs git commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the fish_git_prompt function from the prompt.

CVE-2022-20001 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20001 2021-12-26 2023-01-21
MySQL -- Multiple vulnerabilities mysql-connector-c++ 8.0.33 mysql-connector-odbc 8.0.33 mysql-client57 5.7.42 mysql-server57 5.7.42 mysql-client80 8.0.33 mysql-server80 8.0.33

Oracle reports:

This Critical Patch Update contains 37 new security patches for Oracle MySQL. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network withouti requiring user credentials.

CVE-2022-32221 CVE-2022-24407 CVE-2022-24407 CVE-2022-3171 CVE-2022-1941 CVE-2023-21868 CVE-2023-21860 CVE-2023-21875 CVE-2023-21869 CVE-2023-21877 CVE-2023-21880 CVE-2023-21872 CVE-2023-21871 CVE-2023-21836 CVE-2023-21887 CVE-2023-21863 CVE-2023-21864 CVE-2023-21865 CVE-2023-21866 CVE-2023-21867 CVE-2023-21870 CVE-2023-21873 CVE-2023-21876 CVE-2023-21878 CVE-2023-21879 CVE-2023-21881 CVE-2023-21883 CVE-2023-21840 CVE-2023-21882 CVE-2023-21874 https://www.oracle.com/security-alerts/cpujan2023.html#AppendixMSQL 2023-01-20 2023-01-21
phpmyfaq -- multiple vulnerabilities phpmyfaq 3.1.10

phpmyfaq developers report:

phpMyFAQ does not implement sufficient checks to avoid a stored XSS in "Add new question"

phpMyFAQ does not implement sufficient checks to avoid a stored XSS in admin user page

phpMyFAQ does not implement sufficient checks to avoid a stored XSS in FAQ comments

phpMyFAQ does not implement sufficient checks to avoid a blind stored XSS in admin open question page

phpMyFAQ does not implement sufficient checks to avoid a reflected XSS in the admin backend login

phpMyFAQ does not implement sufficient checks to avoid stored XSS on user, category, FAQ, news and configuration admin backend

phpMyFAQ does not implement sufficient checks to avoid weak passwords

https://huntr.dev/bounties/cbba22f0-89ed-4d01-81ea-744979c8cbde/ https://huntr.dev/bounties/fac01e9f-e3e5-4985-94ad-59a76485f215/ https://huntr.dev/bounties/83cfed62-af8b-4aaa-94f2-5a33dc0c2d69/ https://huntr.dev/bounties/051d5e20-7fab-4769-bd7d-d986b804bb5a/ https://huntr.dev/bounties/c03c5925-43ff-450d-9827-2b65a3307ed6/ https://huntr.dev/bounties/f50ec8d1-cd60-4c2d-9ab8-3711870d83b9/ https://huntr.dev/bounties/82b0b629-c56b-4651-af3f-17f749751857/ https://huntr.dev/bounties/eac0a9d7-9721-4191-bef3-d43b0df59c67/ https://huntr.dev/bounties/bc27e84b-1f91-4e1b-a78c-944edeba8256/ 2023-01-15 2023-01-20
rack -- Multiple vulnerabilities rubygem-rack 3.0.4.1,3 rubygem-rack22 2.2.6.2,3 rubygem-rack16 1.6.14

Aaron Patterson reports:

CVE-2022-44570
Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.
CVE-2022-44571
Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
CVE-2022-44572
Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
CVE-2022-44570 CVE-2022-44571 CVE-2022-44572 https://github.com/rack/rack/blob/v3.0.4.1/CHANGELOG.md https://github.com/advisories/GHSA-65f5-mfpf-vfhj https://github.com/advisories/GHSA-93pm-5p5f-3ghx https://github.com/advisories/GHSA-rqv2-275x-2jq5 2023-01-17 2023-01-19
Apache httpd -- Multiple vulnerabilities apache24 2.4.55

The Apache httpd project reports:

mod_dav out of bounds read, or write of zero byte (CVE-2006-20001) (moderate)

mod_proxy_ajp Possible request smuggling (CVE-2022-36760) (moderate)

mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (CVE-2022-37436) (moderate)

CVE-2022-37436 CVE-2022-36760 CVE-2006-20001 https://downloads.apache.org/httpd/CHANGES_2.4.55 2023-01-17 2023-01-17
redis -- multiple vulnerabilities redis 7.0.8 redis-devel 7.0.8.20230116 redis62 6.2.9 redis6 6.0.17

The Redis core team reports:

CVE-2022-35977
Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic.
CVE-2023-22458
Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service.
CVE-2022-35977 CVE-2023-22458 https://github.com/redis/redis/releases/tag/7.0.8 2023-01-16 2023-01-16
security/keycloak -- Multiple possible DoS attacks keycloak 20.0.3

CIRCL reports:

  • CVE-2022-41966: XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream.
  • CVE-2022-40151: If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
CVE-2022-40151 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40151 CVE-2022-41966 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-41966 2022-09-07 2023-01-16
security/tor -- SOCKS4(a) inversion bug tor 0.4.7.13

The Tor Project reports:

TROVE-2022-002: The SafeSocks option for SOCKS4(a) is inverted leading to SOCKS4 going through

This is a report from hackerone:
We have classified this as medium considering that tor was not defending in-depth for dangerous SOCKS request and so any user relying on SafeSocks 1 to make sure they don't link DNS leak and their Tor traffic wasn't safe afterall for SOCKS4(a). Tor Browser doesn't use SafeSocks 1 and SOCKS4 so at least the likely vast majority of users are not affected.

https://hackerone.com/bugs?subject=torproject&report_id=1784589 https://gitlab.torproject.org/tpo/core/tor/-/issues/40730 2023-01-12 2023-01-14
emacs -- arbitary shell command execution vulnerability of ctags emacs emacs-canna emacs-nox 28.2_2,3 emacs-devel emacs-devel-nox 30.0.50.202211128,2

lu4nx reports:

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.

CVE-2022-45939 https://nvd.nist.gov/vuln/detail/CVE-2022-45939 2022-11-28 2023-01-12
cassandra3 -- multiple vulnerabilities cassandra3 3.11.14

Cassandra tema reports:

This release contains 6 security fixes including

  • CVE-2022-24823: When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory
  • CVE-2020-7238: Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.
  • CVE-2019-2684: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE
  • CVE-2022-25857: The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
  • CVE-2022-42003: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
  • CVE-2022-42004: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays.
CVE-2022-24823 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823 CVE-2020-7238 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7238 CVE-2019-2684 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2684 CVE-2022-25857 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857 CVE-2022-42003 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42003 CVE-2022-42004 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42004 2023-01-11 2023-01-11
cassandra3 -- arbitrary code execution cassandra3 3.11.13

Marcus Eriksson reports:

When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this.

CVE-2021-44521 https://www.cvedetails.com/cve/CVE-2021-44521 2022-02-11 2023-01-11
cassandra3 -- jBCrypt integer overflow cassandra3 3.11.12

mindrot project reports:

There is an integer overflow that occurs with very large log_rounds values, first reported by Marcus Rathsfeld.

CVE-2015-0886 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0886 2015-01-30 2023-01-11
xorg-server -- Multiple security issues in X server extensions xorg-server xephyr xorg-vfbserver 21.1.5,1 xorg-nestserver 21.1.5,2 xwayland 22.1.6,1 xwayland-devel 21.0.99.1.319

The X.org project reports:

  • CVE-2022-46340/ZDI-CAN-19265: X.Org Server XTestSwapFakeInput stack overflow

    The swap handler for the XTestFakeInput request of the XTest extension may corrupt the stack if GenericEvents with lengths larger than 32 bytes are sent through a the XTestFakeInput request.

    This issue does not affect systems where client and server use the same byte order.

  • CVE-2022-46341/ZDI-CAN-19381: X.Org Server XIPassiveUngrab out-of-bounds access

    The handler for the XIPassiveUngrab request accesses out-of-bounds memory when invoked with a high keycode or button code.

  • CVE-2022-46342/ZDI-CAN-19400: X.Org Server XvdiSelectVideoNotify use-after-free

    The handler for the XvdiSelectVideoNotify request may write to memory after it has been freed.

  • CVE-2022-46343/ZDI-CAN-19404: X.Org Server ScreenSaverSetAttributes use-after-free

    The handler for the ScreenSaverSetAttributes request may write to memory after it has been freed.

  • CVE-2022-46344/ZDI-CAN-19405: X.Org Server XIChangeProperty out-of-bounds access

    The handler for the XIChangeProperty request has a length-validation issues, resulting in out-of-bounds memory reads and potential information disclosure.

  • CVE-2022-4283/ZDI-CAN-19530: X.Org Server XkbGetKbdByName use-after-free

    The XkbCopyNames function left a dangling pointer to freed memory, resulting in out-of-bounds memory access on subsequent XkbGetKbdByName requests.

https://lists.x.org/archives/xorg-announce/2022-December/003302.html CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344 CVE-2022-4283 2022-12-14 2023-01-11
Gitlab -- Multiple Vulnerabilities gitlab-ce 15.7.015.7.2 15.6.015.6.4 6.6.015.5.7

Gitlab reports:

Race condition on gitlab.com enables verified email forgery and third-party account hijacking

DOS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint

Maintainer can leak sentry token by changing the configured URL

Maintainer can leak masked webhook secrets by changing target URL of the webhook

Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP

Group access tokens continue to work after owner loses ability to revoke them

Users' avatar disclosure by user ID in private GitLab instances

Arbitrary Protocol Redirection in GitLab Pages

Regex DoS due to device-detector parsing user agents

Regex DoS in the Submodule Url Parser

CVE-2022-4037 CVE-2022-3613 CVE-2022-4365 CVE-2022-4342 CVE-2022-3573 CVE-2022-4167 CVE-2022-3870 CVE-2023-0042 CVE-2022-4131 CVE-2022-3514 https://about.gitlab.com/releases/2023/01/09/security-release-gitlab-15-7-2-released/ 2023-01-09 2023-01-11
chromium -- multiple vulnerabilities chromium 109.0.5414.74 ungoogled-chromium 109.0.5414.74

Chrome Releases reports:

This release contains 17 security fixes, including:

  • [1353208] High CVE-2023-0128: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-08-16
  • [1382033] High CVE-2023-0129: Heap buffer overflow in Network Service. Reported by asnine on 2022-11-07
  • [1370028] Medium CVE-2023-0130: Inappropriate implementation in Fullscreen API. Reported by Hafiizh on 2022-09-30
  • [1357366] Medium CVE-2023-0131: Inappropriate implementation in iframe Sandbox. Reported by NDevTK on 2022-08-28
  • [1371215] Medium CVE-2023-0132: Inappropriate implementation in Permission prompts. Reported by Jasper Rebane (popstonia) on 2022-10-05
  • [1375132] Medium CVE-2023-0133: Inappropriate implementation in Permission prompts. Reported by Alesandro Ortiz on 2022-10-17
  • [1385709] Medium CVE-2023-0134: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-17
  • [1385831] Medium CVE-2023-0135: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-18
  • [1356987] Medium CVE-2023-0136: Inappropriate implementation in Fullscreen API. Reported by Axel Chong on 2022-08-26
  • [1399904] Medium CVE-2023-0137: Heap buffer overflow in Platform Apps. Reported by avaue and Buff3tts at S.S.L. on 2022-12-10
  • [1346675] Low CVE-2023-0138: Heap buffer overflow in libphonenumber. Reported by Michael Dau on 2022-07-23
  • [1367632] Low CVE-2023-0139: Insufficient validation of untrusted input in Downloads. Reported by Axel Chong on 2022-09-24
  • [1326788] Low CVE-2023-0140: Inappropriate implementation in File System API. Reported by harrison.mitchell, cybercx.com.au on 2022-05-18
  • [1362331] Low CVE-2023-0141: Insufficient policy enforcement in CORS. Reported by scarlet on 2022-09-12
CVE-2023-0128 CVE-2023-0129 CVE-2023-0130 CVE-2023-0131 CVE-2023-0132 CVE-2023-0133 CVE-2023-0134 CVE-2023-0135 CVE-2023-0136 CVE-2023-0137 CVE-2023-0138 CVE-2023-0139 CVE-2023-0140 CVE-2023-0141 https://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html 2023-01-10 2023-01-10
net-mgmt/cacti is vulnerable to remote command injection cacti 1.2.23

cacti team reports:

A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device.

CVE-2022-46169 https://nvd.nist.gov/vuln/detail/CVE-2022-46169 2022-12-05 2023-01-05 2023-01-09
devel/viewvc-devel is vulnerable to cross-site scripting py37-viewvc-devel py38-viewvc-devel py39-viewvc-devel 1.3.0.20230104

C. Michael Pilato reports:

security fix: escape revision view copy paths (#311) [CVE-2023-22464]

security fix: escape revision view changed paths (#311) [CVE-2023-22456]

CVE-2023-22464 CVE-2023-22456 https://nvd.nist.gov/vuln/detail/CVE-2023-22464 https://nvd.nist.gov/vuln/detail/CVE-2023-22456 2023-01-04 2023-01-05
rxvt-unicode is vulnerable to a remote code execution rxvt-unicode 9.31

Marc Lehmann reports:

The biggest issue is resolving CVE-2022-4170, which allows command execution inside urxvt from within the terminal (that means anything that can output text in the terminal can start commands in the context of the urxvt process, even remotely).

CVE-2022-4170 https://nvd.nist.gov/vuln/detail/CVE-2022-4170 2022-12-05 2023-01-03
gitea -- multiple issues gitea 1.18.0

The Gitea team reports:

Remove ReverseProxy authentication from the API

Support Go Vulnerability Management

Forbid HTML string tooltips

https://blog.gitea.io/2022/12/gitea-1.18.0-is-released/ https://github.com/go-gitea/gitea/releases/tag/v1.18.0 2022-08-23 2023-01-02