Jenkins Security Advisory:
- (Medium) SECURITY-3495 / CVE-2025-27622: Encrypted values of secrets stored in agent configuration revealed to users with Agent/Extended Read permission
- (Medium) SECURITY-3496 / CVE-2025-27623: Encrypted values of secrets stored in view configuration revealed to users with View/Read permission
- (Medium) SECURITY-3498 / CVE-2025-27624: CSRF vulnerability
- (Medium) SECURITY-3501 / CVE-2025-27625: Open redirect vulnerability
security-advisories@github.com reports:
Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the Spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.
Chrome Releases reports:
This update includes 14 security fixes:
- [397731718] High CVE-2025-1914: Out of bounds read in V8. Reported by Zhenghang Xiao (@Kipreyyy) and Nan Wang (@eternalsakura13) on 2025-02-20
- [391114799] Medium CVE-2025-1915: Improper Limitation of a Pathname to a Restricted Directory in DevTools. Reported by Topi Lassila on 2025-01-20
- [376493203] Medium CVE-2025-1916: Use after free in Profiles. Reported by parkminchan, SSD Labs Korea on 2024-10-31
- [329476341] Medium CVE-2025-1917: Inappropriate Implementation in Browser UI. Reported by Khalil Zhani on 2024-03-14
- [388557904] Medium CVE-2025-1918: Out of bounds read in PDFium. Reported by asnine on 2025-01-09
- [392375312] Medium CVE-2025-1919: Out of bounds read in Media. Reported by @Bl1nnnk and @Pisanbao on 2025-01-26
- [387583503] Medium CVE-2025-1921: Inappropriate Implementation in Media Stream. Reported by Kaiido on 2025-01-04
- [384033062] Low CVE-2025-1922: Inappropriate Implementation in Selection. Reported by Alesandro Ortiz on 2024-12-14
- [382540635] Low CVE-2025-1923: Inappropriate Implementation in Permission Prompts. Reported by Khalil Zhani on 2024-12-06
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2025-0611.
- Security: backported fix for CVE-2025-0612.
- Security: backported fix for CVE-2025-0999.
SO-AND-SO reports:
Unit 1.34.2 fixes two issues in the Java language module websocket code.
- It addresses a potential security issue where we could get a negative payload length that could cause the Java language module process(es) to enter an infinite loop and consume excess CPU. This was a bug carried over from the initial Java websocket code import. It has been re-issued a CVE number (CVE-2025-1695).
- It addresses an issue whereby decoded payload lengths would be limited to 32 bits.
vim reports:
Summary
Potential code execution with tar.vim and specially crafted tar files
Description
Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of (compressed or uncompressed) tar files.
Since commit 129a844 (Nov 11, 2024 runtime(tar): Update tar.vim to support permissions), the tar.vim plugin uses the ":read <filename>" ex command line to append below the cursor position; however, the filename is not sanitized and is taken literally from the tar archive. This allows executing shell commands via specially crafted tar archives. Whether this really happens depends on the shell being used ('shell' option, which is set using $SHELL).
Impact
Impact is high but a user must be convinced to edit such a file using Vim which will reveal the filename, so a careful user may suspect some strange things going on.
Gitlab reports:
XSS in k8s proxy endpoint
XSS Maven Dependency Proxy
HTML injection leads to XSS on self hosted instances
Improper Authorisation Check Allows Guest User to Read Security Policy
Planner role can read code review analytics in private projects
Chrome Releases reports:
This update includes 1 security fix.
Kevin Backhouse reports:
A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4. Versions prior to v0.28.0, such as v0.27.7, are not affected. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file.
Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as fixiso.
A shell injection vulnerability exists in GNU Emacs due to improper handling of custom man URI schemes.
Initially considered low severity, as it required user interaction with local files, it was later discovered that an attacker could exploit this vulnerability by tricking a user into visiting a specially crafted website or an HTTP URL with a redirect, leading to arbitrary shell command execution without further user action.
An Emacs user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.
cve@mitre.org reports:
Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection.
OpenSSH client host verification error (CVE-2025-26465)
ssh(1) contains a logic error that allows an on-path attacker to impersonate any server during certain conditions when the VerifyHostKeyDNS option is enabled.
OpenSSH server denial of service (CVE-2025-26466)
The OpenSSH client and server are both vulnerable to a memory/CPU denial of service while handling SSH2_MSG_PING packets.
OpenSSH client host verification error (CVE-2025-26465)
Under specific circumstances, a machine-in-the-middle may impersonate any server when the client has the VerifyHostKeyDNS option enabled.
OpenSSH server denial of service (CVE-2025-26466)
During the processing of SSH2_MSG_PING packets, a server may be subject to a memory/CPU denial of service.
Chrome Releases reports:
This update includes 3 security fixes:
- [394350433] High CVE-2025-0999: Heap buffer overflow in V8. Reported by Seunghyun Lee (@0x10n) on 2025-02-04
- [383465163] High CVE-2025-1426: Heap buffer overflow in GPU. Reported by un3xploitable and GF on 2024-12-11
- [390590778] Medium CVE-2025-1006: Use after free in Network. Reported by Tal Keren, Sam Agranat, Eran Rom, Edouard Bochin, Adam Hatsir of Palo Alto Networks on 2025-01-18
Chrome Releases reports:
This update includes 4 security fixes:
- [391907159] High CVE-2025-0995: Use after free in V8. Reported by Popax21 on 2025-01-24
- [391788835] High CVE-2025-0996: Inappropriate implementation in Browser UI. Reported by yuki yamaoto on 2025-01-23
- [391666328] High CVE-2025-0997: Use after free in Navigation. Reported by asnine on 2025-01-23
- [386857213] High CVE-2025-0998: Out of bounds memory access in V8. Reported by Alan Goodman on 2024-12-31
Chrome Releases reports:
This update includes 12 security fixes:
- [390889644] High CVE-2025-0444: Use after free in Skia. Reported by Francisco Alonso (@revskills) on 2025-01-19
- [392521083] High CVE-2025-0445: Use after free in V8. Reported by 303f06e3 on 2025-01-27
- [40061026] Medium CVE-2025-0451: Inappropriate implementation in Extensions API. Reported by Vitor Torres and Alesandro Ortiz on 2022-09-18
VSCode developers report:
The update addresses these issues, including a fix for a security vulnerability.
- Scope node_module binary resolution in js-debug
- Elevation of Privilege Vulnerability with VS Code server for web UI
Graham Northup reports:
A buffer overflow in extract_openvpn_cr allows attackers with a valid LDAP username and who can control the challenge/response password field to pass a string with more than 14 colons into this field and cause a buffer overflow.
The PostgreSQL Project reports:
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
Gitlab reports:
A CSP-bypass XSS in merge-request page
Denial of Service due to Unbounded Symbol Creation
Exfiltrate content from private issues using Prompt Injection
A custom permission may allow overriding Repository settings
Internal HTTP header leak via route confusion in workhorse
SSRF via workspaces
Unauthorized Incident Closure and Deletion by Planner Role in GitLab
ActionCable does not invalidate tokens after revocation
Intel reports:
A potential security vulnerability in some Intel Processors may allow denial of service. Intel released microcode updates to mitigate this potential vulnerability.
A potential security vulnerability in some Intel Software Guard Extensions (Intel SGX) Platforms may allow denial of service. Intel released microcode updates to mitigate this potential vulnerability.
Potential security vulnerabilities in the UEFI firmware for some Intel Processors may allow escalation of privilege, denial of service, or information disclosure. Intel released UEFI firmware and CPU microcode updates to mitigate these potential vulnerabilities.
A potential security vulnerability in some 13th and 14th Generation Intel Core™ Processors may allow denial of service. Intel released microcode and UEFI reference code updates to mitigate this potential vulnerability.
A potential security vulnerability in the Intel Data Streaming Accelerator (Intel DSA) for some Intel Xeon Processors may allow denial of service. Intel released software updates to mitigate this potential vulnerability.
The OpenSSL project reports:
RFC7250 handshakes with unauthenticated servers don't abort as expected (High). Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set.
security@mozilla.org reports:
A bug in WebAssembly code generation could have lead to a crash. It may have been possible for an attacker to leverage this to achieve code execution.
A race condition could have led to private browsing tabs being opened in normal browsing windows. This could have resulted in a potential privacy leak.
Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed.
Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Memory safety bugs present in Firefox 134 and Thunderbird 134. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack.
security@mozilla.org reports:
An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash.
An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash.
A race during concurrent delazification could have led to a use-after-free.
Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the Other field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript.
MariaDB reports:
Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
Sam Hocevar reports:
Multiple memory leaks and invalid memory accesses:
- CVE-2018-20545: Illegal WRITE memory access at common-image.c
- CVE-2018-20546: Illegal READ memory access at caca/dither.c
- CVE-2018-20547: Illegal READ memory access at caca/dither.c
- CVE-2018-20548: Illegal WRITE memory access at common-image.c
- CVE-2018-20549: Illegal WRITE memory access at caca/file.c
- CVE-2021-3410: Buffer overflow in libcaca/caca/canvas.c in function caca_resize
- CVE-2021-30498: Heap buffer overflow in export.c in function export_tga
- CVE-2021-30499: Buffer overflow in export.c in function export_troff
Cacti repo reports:
- security #GHSA-c5j8-jxj3-hh36: Authenticated RCE via multi-line SNMP responses
- security #GHSA-f9c7-7rc3-574c: SQL Injection vulnerability when using tree rules through Automation API
- security #GHSA-fh3x-69rr-qqpp: SQL Injection vulnerability when request automation devices
- security #GHSA-fxrq-fr7h-9rqq: Arbitrary File Creation leading to RCE
- security #GHSA-pv2c-97pp-vxwg: Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path
- security #GHSA-vj9g-p7f2-4wqj: SQL Injection vulnerability when view host template
The nginx development team reports:
This update fixes the SSL session reuse vulnerability.
Qt qtwebengine-chromium repo reports:
Backports for 9 security bugs in Chromium:
- CVE-2024-12693: Out of bounds memory access in V8
- CVE-2024-12694: Use after free in Compositing
- CVE-2025-0436: Integer overflow in Skia
- CVE-2025-0437: Out of bounds read in Metrics
- CVE-2025-0438: Stack buffer overflow in Tracing
- CVE-2025-0441: Inappropriate implementation in Fenced Frames
- CVE-2025-0443: Insufficient data validation in Extensions
- CVE-2025-0447: Inappropriate implementation in Navigation
- CVE-2025-0611: Object corruption in V8
Chrome Releases reports:
This update includes 2 security fixes:
- [384844003] Medium CVE-2025-0762: Use after free in DevTools. Reported by Sakana.S on 2024-12-18
Dendrite team reports:
This is a security release, gomatrixserverlib was vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions.
In some cases, the ktrace facility will log the contents of kernel structures to userspace. In one such case, ktrace dumps a variable-sized sockaddr to userspace. There, the full sockaddr is copied, even when it is shorter than the full size. This can result in up to 14 uninitialized bytes of kernel memory being copied out to userspace.
It is possible for an unprivileged userspace program to leak 14 bytes of a kernel heap allocation to userspace.
When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd.
An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved.
In order to export a file system via NFS, the file system must define a file system identifier (FID) for all exported files. Each FreeBSD file system implements operations to translate between FIDs and vnodes, the kernel's in-memory representation of files. These operations are VOP_VPTOFH(9) and VFS_FHTOVP(9).
On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack buffer overflow.
An NFS server that exports a cd9660, tarfs, or ext2fs file system can be made to panic by mounting and accessing the export with an NFS client. Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, though this has not been demonstrated. In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic.
A logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective.
A passive observer could detect which network packets contain real keystrokes, and infer the specific characters being transmitted from packet timing.
Golang reports:
This update includes security fixes:
- CVE-2024-45338: Non-linear parsing of case-insensitive content
The Vaultwarden project reports:
RCE in the admin panel.
Getting access to the Admin Panel via CSRF.
Escalation of privilege via variable confusion in OrgHeaders trait.
Chrome Releases reports:
This update includes 3 security fixes:
- [386143468] High CVE-2025-0611: Object corruption in V8. Reported by 303f06e3 on 2024-12-26
- [385155406] High CVE-2025-0612: Out of bounds memory access in V8. Reported by Alan Goodman on 2024-12-20
Chrome Releases reports:
This update includes 16 security fixes:
- [374627491] High CVE-2025-0434: Out of bounds memory access in V8. Reported by ddme on 2024-10-21
- [379652406] High CVE-2025-0435: Inappropriate implementation in Navigation. Reported by Alesandro Ortiz on 2024-11-18
- [382786791] High CVE-2025-0436: Integer overflow in Skia. Reported by Han Zheng (HexHive) on 2024-12-08
- [378623799] High CVE-2025-0437: Out of bounds read in Metrics. Reported by Xiantong Hou of Wuheng Lab and Pisanbao on 2024-11-12
- [384186539] High CVE-2025-0438: Stack buffer overflow in Tracing. Reported by Han Zheng (HexHive) on 2024-12-15
- [371247941] Medium CVE-2025-0439: Race in Frames. Reported by Hafiizh on 2024-10-03
- [40067914] Medium CVE-2025-0440: Inappropriate implementation in Fullscreen. Reported by Umar Farooq on 2023-07-22
- [368628042] Medium CVE-2025-0441: Inappropriate implementation in Fenced Frames. Reported by someoneverycurious on 2024-09-21
- [40940854] Medium CVE-2025-0442: Inappropriate implementation in Payments. Reported by Ahmed ElMasry on 2023-11-08
- [376625003] Medium CVE-2025-0443: Insufficient data validation in Extensions. Reported by Anonymous on 2024-10-31
- [359949844] Low CVE-2025-0446: Inappropriate implementation in Extensions. Reported by Hafiizh on 2024-08-15
- [375550814] Low CVE-2025-0447: Inappropriate implementation in Navigation. Reported by Khiem Tran (@duckhiem) on 2024-10-25
- [377948403] Low CVE-2025-0448: Inappropriate implementation in Compositing. Reported by Dahyeon Park on 2024-11-08
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-12693.
- Security: backported fix for CVE-2024-12694.
- Security: backported fix for CVE-2024-12695.
- Security: backported fix for CVE-2025-0434.
- Security: backported fix for CVE-2025-0436.
- Security: backported fix for CVE-2025-0437.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2025-0434.
- Security: backported fix for CVE-2025-0436.
- Security: backported fix for CVE-2025-0437.
Gitlab reports:
Stored XSS via Asciidoctor render
Developer could exfiltrate protected CI/CD variables via CI lint
Cyclic reference of epics leads to resource exhaustion
The ClamAV project reports:
A possible buffer overflow read bug is found in the OLE2 file parser that could cause a denial-of-service (DoS) condition.
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-12053.
The Go project reports:
crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.
net/http: sensitive headers incorrectly sent after cross-domain redirect
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-12053.
- Security: backported fix for CVE-2024-12693.
- Security: backported fix for CVE-2024-12694.
Filippo Valsorda reports:
A plugin name containing a path separator may allow an attacker to execute an arbitrary binary.
Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the plugin.NewIdentity, plugin.NewIdentityWithoutData, or plugin.NewRecipient APIs.
Frank Lichtenheld reports:
[OpenVPN v2.6.13 ...] improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN - this would not result in a crash, buffer overflow or other security issues, but the server would then misparse incoming IV variables and produce misleading error messages.
rsync reports:
This update includes multiple security fixes:
- CVE-2024-12084: Heap Buffer Overflow in Checksum Parsing
- CVE-2024-12085: Info Leak via uninitialized Stack contents defeats ASLR
- CVE-2024-12086: Server leaks arbitrary client files
- CVE-2024-12087: Server can make client write files outside of destination directory using symbolic links
- CVE-2024-12088: --safe-links Bypass
- CVE-2024-12747: symlink race condition
Git development team reports:
CVE-2024-50349: Printing unsanitized URLs when asking for credentials made the user susceptible to crafted URLs (e.g. in recursive clones) that mislead the user into typing in passwords for trusted sites that would then be sent to untrusted sites instead.
CVE-2024-52006: Git may pass on Carriage Returns via the credential protocol to credential helpers which use line-reading functions that interpret said Carriage Returns as line endings, even though Git did not intend that.
Keycloak reports:
This update includes 2 security fixes:
- CVE-2024-11734: Unrestricted admin use of system and environment variables
- CVE-2024-11736: Denial of Service in Keycloak Server via Security Headers
cve@mitre.org reports:
An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to execute a path traversal.
Redis core team reports:
An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem exists in Redis 7.0.0 or newer.
Redis core team reports:
An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting.
Gitlab reports:
Possible access token exposure in GitLab logs
Cyclic reference of epics leads to resource exhaustion
Unauthorized user can manipulate status of issues in public projects
Instance SAML does not respect external_provider configuration