diff --git a/security/vuxml/vuln/2022.xml b/security/vuxml/vuln/2022.xml index 9edfcca95f77..70a5c2f53341 100644 --- a/security/vuxml/vuln/2022.xml +++ b/security/vuxml/vuln/2022.xml @@ -1,9954 +1,9985 @@ + + traefik -- multiple vulnerabilities + + + traefik + 2.9.6 + + + + +

The Traefik project reports:

+
+

This update is recommended for all traefik users and provides following important security fixes:

+
    +
  • CVE-2022-23469: Authorization header displayed in the debug logs
  • +
  • CVE-2022-46153: Routes exposed with an empty TLSOption in traefik
  • +
+
+ +
+ + CVE-2022-23469 + CVE-2022-46153 + https://github.com/traefik/traefik/releases/tag/v2.9.6 + + + 2022-12-08 + 2022-12-10 + +
+ xrdp -- multiple vulnerabilities xrdp 0.9.21

xrdp project reports:

This update is recommended for all xrdp users and provides following important security fixes:

  • CVE-2022-23468
  • CVE-2022-23477
  • CVE-2022-23478
  • CVE-2022-23479
  • CVE-2022-23480
  • CVE-2022-23481
  • CVE-2022-23483
  • CVE-2022-23482
  • CVE-2022-23484
  • CVE-2022-23493

These security issues are reported by Team BT5 (BoB 11th). We appreciate their great help with making and reviewing patches.

CVE-2022-23468 CVE-2022-23477 CVE-2022-23478 CVE-2022-23479 CVE-2022-23480 CVE-2022-23481 CVE-2022-23483 CVE-2022-23482 CVE-2022-23484 CVE-2022-23493 https://github.com/neutrinolabs/xrdp/releases/tag/v0.9.21 2022-12-01 2022-12-10
Python -- multiple vulnerabilities python37 3.7.16 python38 3.8.16 python39 3.9.16 python310 3.10.9 python311 3.11.1

Python reports:

gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing.

gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.

gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name.

gh-98739: Update bundled libexpat to 2.5.0.

gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.

https://docs.python.org/3/whatsnew/changelog.html#changelog 2022-09-28 2022-12-07
go -- multiple vulnerabilities go118 1.18.9 go119 1.19.4

The Go project reports:

os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permitted access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") would open the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access.

In addition, on Windows, an os.DirFS for the directory \(the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system.

The behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

net/http: limit canonical header cache by bytes, not entries

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

CVE-2022-41720 CVE-2022-41717 https://groups.google.com/g/golang-dev/c/G9Jj4cO4Gpk/m/kOkLVG6TAgAJ 2022-10-20 2022-12-06
chromium -- Type confusion in V8 chromium 108.0.5359.94 ungoogled-chromium 108.0.5359.94

Chrome Releases reports:

This release contains 1 security fix:

  • [1394403] High CVE-2022-4262: Type Confusion in V8. Reported by Clement Lecigne of Google's Threat Analysis Group on 2022-11-29

Google is aware that an exploit for CVE-2022-4262 exists in the wild.

CVE-2022-4262 https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html 2022-12-02 2022-12-03
rpm4 -- Multiple Vulnerabilities rpm4 4.18.0

rpm project reports:

Fix intermediate symlinks not verified (CVE-2021-35939).

Fix subkey binding signatures not checked on PGP public keys (CVE-2021-3521).

Refactor file and directory operations to use fd-based APIs throughout (CVE-2021-35938)

CVE-2021-35939 CVE-2021-3521 CVE-2021-35938 2022-08-22 2022-12-01
Gitlab -- Multiple Vulnerabilities gitlab-ce 15.6.015.6.1 15.5.015.5.5 9.3.015.4.6

Gitlab reports:

DAST API scanner exposes Authorization headers in vulnerabilities

Group IP allow-list not fully respected by the Package Registry

Deploy keys and tokens may bypass External Authorization service if it is enabled

Repository import still allows to import 40 hexadecimal branches

Webhook secret tokens leaked in webhook logs

Maintainer can leak webhook secret token by changing the webhook URL

Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP

Release names visible in public projects despite release set as project members only

Sidekiq background job DoS by uploading malicious NuGet packages

SSRF in Web Terminal advertise_address

CVE-2022-4206 CVE-2022-3820 CVE-2022-3740 CVE-2022-4205 CVE-2022-3902 CVE-2022-4054 CVE-2022-3572 CVE-2022-3482 CVE-2022-3478 CVE-2022-4201 https://about.gitlab.com/releases/2022/11/30/security-release-gitlab-15-6-1-released/ 2022-11-30 2022-12-01
chromium -- multiple vulnerabilities chromium 108.0.5359.71 ungoogled-chromium 108.0.5359.71

Chrome Releases reports:

This release contains 28 security fixes, including:

  • [1379054] High CVE-2022-4174: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2022-10-27
  • [1381401] High CVE-2022-4175: Use after free in Camera Capture. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-11-04
  • [1361066] High CVE-2022-4176: Out of bounds write in Lacros Graphics. Reported by @ginggilBesel on 2022-09-08
  • [1379242] High CVE-2022-4177: Use after free in Extensions. Reported by Chaoyuan Peng (@ret2happy) on 2022-10-28
  • [1376099] High CVE-2022-4178: Use after free in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2022-10-18
  • [1377783] High CVE-2022-4179: Use after free in Audio. Reported by Sergei Glazunov of Google Project Zero on 2022-10-24
  • [1378564] High CVE-2022-4180: Use after free in Mojo. Reported by Anonymous on 2022-10-26
  • [1382581] High CVE-2022-4181: Use after free in Forms. Reported by Aviv A. on 2022-11-09
  • [1368739] Medium CVE-2022-4182: Inappropriate implementation in Fenced Frames. Reported by Peter Nemeth on 2022-09-28
  • [1251790] Medium CVE-2022-4183: Insufficient policy enforcement in Popup Blocker. Reported by David Sievers on 2021-09-22
  • [1358647] Medium CVE-2022-4184: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2022-09-01
  • [1373025] Medium CVE-2022-4185: Inappropriate implementation in Navigation. Reported by James Lee (@Windowsrcer) on 2022-10-10
  • [1377165] Medium CVE-2022-4186: Insufficient validation of untrusted input in Downloads. Reported by Luan Herrera (@lbherrera_) on 2022-10-21
  • [1381217] Medium CVE-2022-4187: Insufficient policy enforcement in DevTools. Reported by Axel Chong on 2022-11-04
  • [1340879] Medium CVE-2022-4188: Insufficient validation of untrusted input in CORS. Reported by Philipp Beer (TU Wien) on 2022-06-30
  • [1344647] Medium CVE-2022-4189: Insufficient policy enforcement in DevTools. Reported by NDevTK on 2022-07-15
  • [1378997] Medium CVE-2022-4190: Insufficient data validation in Directory. Reported by Axel Chong on 2022-10-27
  • [1373941] Medium CVE-2022-4191: Use after free in Sign-In. Reported by Jaehun Jeong(@n3sk) of Theori on 2022-10-12
  • [1344514] Medium CVE-2022-4192: Use after free in Live Caption. Reported by Samet Bekmezci @sametbekmezci on 2022-07-14
  • [1354518] Medium CVE-2022-4193: Insufficient policy enforcement in File System API. Reported by Axel Chong on 2022-08-19
  • [1370562] Medium CVE-2022-4194: Use after free in Accessibility. Reported by Anonymous on 2022-10-03
  • [1371926] Medium CVE-2022-4195: Insufficient policy enforcement in Safe Browsing. Reported by Eric Lawrence of Microsoft on 2022-10-06
CVE-2022-4174 CVE-2022-4175 CVE-2022-4176 CVE-2022-4177 CVE-2022-4178 CVE-2022-4179 CVE-2022-4180 CVE-2022-4181 CVE-2022-4182 CVE-2022-4183 CVE-2022-4184 CVE-2022-4185 CVE-2022-4186 CVE-2022-4187 CVE-2022-4188 CVE-2022-4189 CVE-2022-4190 CVE-2022-4191 CVE-2022-4192 CVE-2022-4193 CVE-2022-4194 CVE-2022-4195 https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_29.html 2022-11-29 2022-11-30
chromium -- multiple vulnerabilities chromium 107.0.5304.121 ungoogled-chromium 107.0.5304.121

Chrome Releases reports:

This release contains 1 security fix:

  • [1392715] High CVE-2022-4135: Heap buffer overflow in GPU. Reported by Clement Lecigne of Google's Threat Analysis Group on 2022-11-22

Google is aware that an exploit for CVE-2022-4135 exists in the wild.

CVE-2022-4135 https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html 2022-11-24 2022-11-25
rubygem-cgi -- HTTP response splitting vulnerability rubygem-cgi 0.3.4 ruby 2.7.0,12.7.7,1 3.0.0,13.0.5,1 3.1.0,13.1.3,1 3.2.0.p1,13.2.0.r1,1 ruby27 2.7.0,12.7.7,1 ruby30 3.0.0,13.0.5,1 ruby31 3.1.0,13.1.3,1 ruby32 3.2.0.p1,13.2.0.r1,1

Hiroshi Tokumaru reports:

If an application that generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body.

Also, the contents for a CGI::Cookie object were not checked properly. If an application creates a CGI::Cookie object based on user input, an attacker may exploit it to inject invalid attributes in Set-Cookie header. We think such applications are unlikely, but we have included a change to check arguments for CGI::Cookie#initialize preventatively.

CVE-2021-33621 https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/ 2022-11-22 2022-11-24
zeek -- potential DoS vulnerabilities zeek 5.0.4

Tim Wojtulewicz of Corelight reports:

A specially-crafted series of HTTP 0.9 packets can cause Zeek to spend large amounts of time processing the packets.

A specially-crafted FTP packet can cause Zeek to spend large amounts of time processing the command.

A specially-crafted IPv6 packet can cause Zeek to overflow memory and potentially crash.

https://github.com/zeek/zeek/releases/tag/v5.0.4 2022-11-24 2022-11-24
advancecomp -- Multiple vulnerabilities advancecomp 2.4

GitHub advisories reports:

Multiple vulnerabilities found in advancecomp including:

  • Three segmentation faults.
  • Heap buffer overflow via le_uint32_read at /lib/endianrw.h.
  • Three more heap buffer overflows.
CVE-2022-35014 https://nvd.nist.gov/vuln/detail/CVE-2022-35014 CVE-2022-35015 https://nvd.nist.gov/vuln/detail/CVE-2022-35015 CVE-2022-35016 https://nvd.nist.gov/vuln/detail/CVE-2022-35016 CVE-2022-35017 https://nvd.nist.gov/vuln/detail/CVE-2022-35017 CVE-2022-35018 https://nvd.nist.gov/vuln/detail/CVE-2022-35018 CVE-2022-35019 https://nvd.nist.gov/vuln/detail/CVE-2022-35019 CVE-2022-35020 https://nvd.nist.gov/vuln/detail/CVE-2022-35020 2022-08-29 2022-11-24
tailscale -- Security vulnerability in the client tailscale 1.32.3

Tailscale team reports:

A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables.

CVE-2022-41925 https://tailscale.com/security-bulletins/#ts-2022-005 2022-11-21 2022-11-22
Tomcat -- Request Smuggling tomcat 8.5.08.5.83 9.0.0-M19.0.68 10.0.0-M110.0.27 10.1.0-M110.1.1 tomcat85 8.5.08.5.83 tomcat9 9.0.0-M19.0.68 tomcat10 10.0.0-M110.0.27 tomcat101 10.1.0-M110.1.1 tomcat-devel 10.1.0-M110.1.1

Apache Tomcat reports:

If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

The CVSS score for this vulnerability is 7.5 High

CVE-2022-42252 https://nvd.nist.gov/vuln/detail/CVE-2022-42252 2022-10-31 2022-11-18
krb5 -- Integer overflow vulnerabilities in PAC parsing krb5 1.19.3_1 1.201.20_1 krb5-120 1.20_1 krb5-119 1.19.3_1 krb5-devel 2022.11.03

MITKRB5-SA-2022-001 Vulnerabilities in PAC parsing:

Due to an integer overflow vulnerabilities in PAC parsing An authenticated attacker may be able to cause a KDC or kadmind process to crash by reading beyond the bounds of allocated memory, creating a denial of service.

On 32-bit platforms an authenticated attacker may be able to cause heap corruption resulting in an RCE.

CVE-2022-42898 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42898 2022-11-05 2022-11-15
Grafana -- Username enumeration grafana 8.0.08.5.15 9.0.09.2.4 grafana8 8.0.08.5.15 grafana9 9.0.09.2.4

Grafana Labs reports:

When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message.

The CVSS score for this vulnerability is 5.3 Moderate

CVE-2022-39307 https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5 2022-10-24 2022-11-12
Grafana -- Privilege escalation grafana 8.0.08.5.15 9.0.09.2.4 grafana8 8.0.08.5.15 grafana9 9.0.09.2.4

Grafana Labs reports:

Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization.

The CVSS score for this vulnerability is 6.4 Moderate

CVE-2022-39306 https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84 2022-10-24 2022-11-12
Grafana -- Privilege escalation grafana 9.2.09.2.4 grafana9 9.2.09.2.4

Grafana Labs reports:

Internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the HTTP context creation could make a HTTP request being assigned the authentication/authorization middlewares of another call. Under heavy load it is possible that a call protected by a privileged middleware receives instead the middleware of a public query. As a result, an unauthenticated user can successfully query protected endpoints.

The CVSS score for this vulnerability is 9.8 Critical

CVE-2022-39328 https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch 2022-11-08 2022-11-12
Grafana -- Plugin signature bypass grafana 7.0.08.5.14 9.0.09.1.8 grafana7 7.0.0 grafana8 8.0.08.5.14 grafana9 9.0.09.1.8

Grafana Labs reports:

On July 4th as a result of an internal security audit we have discovered a bypass in the plugin signature verification by exploiting a versioning flaw.

We believe that this vulnerability is rated at CVSS 6.1 (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L).

CVE-2022-31123 https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8 2022-07-04 2022-11-12
Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins grafana 7.0.08.5.14 9.0.09.1.8 grafana7 7.0.0 grafana8 8.0.08.5.14 grafana9 9.0.09.1.8

Grafana Labs reports:

On June 26 a security researcher contacted Grafana Labs to disclose a vulnerability with the GitLab data source plugin that could leak the API key to GitLab. After further analysis the vulnerability impacts data source and plugin proxy endpoints with authentication tokens but under some conditions.

We believe that this vulnerability is rated at CVSS 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

CVE-2022-31130 https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc 2022-06-26 2022-11-12
Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins grafana 5.0.08.5.14 9.0.09.1.8 grafana7 7.0.0 grafana8 8.0.08.5.14 grafana9 9.0.09.1.8

Grafana Labs reports:

On September 7th as a result of an internal security audit we have discovered that Grafana could leak the authentication cookie of users to plugins. After further analysis the vulnerability impacts data source and plugin proxy endpoints under certain conditions.

We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)

CVE-2022-39201 https://github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr 2022-09-07 2022-11-12
Grafana -- Improper authentication grafana 8.0.08.5.14 9.0.09.1.8 grafana8 8.0.08.5.14 grafana9 9.0.09.1.8

Grafana Labs reports:

On September 7, as a result of an internal security audit, we discovered a security vulnerability in Grafana’s basic authentication related to the usage of username and email address.

n Grafana, a user’s username and email address are unique fields, which means no other user can have the same username or email address as another user.

In addition, a user can have an email address as a username, and the Grafana login allows users to sign in with either username or email address. This creates an unusual behavior, where user_1 can register with one email address and user_2 can register their username as user_1’s email address. As a result, user_1 would be prevented from signing in to Grafana, since user_1 password won’t match with user_2 email address.

The CVSS score for this vulnerability is 4.3 moderate (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

CVE-2022-39229 https://github.com/grafana/grafana/security/advisories/GHSA-gj7m-853r-289r 2022-09-07 2022-11-12
ipython -- Execution with Unnecessary Privileges py37-ipython py38-ipython py39-ipython py310-ipython py311-ipython 7.31.1

IPython project reports:

IPython 8.0.1, 7.31.1 and 5.11 are security releases that change some default values in order to prevent potential Execution with Unnecessary Privileges.

CVE-2022-21699 https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699 2022-01-19 2022-11-12
phpmyfaq -- multiple vulnerabilities phpmyfaq 3.1.8

phpmyfaq developers report:

a pre-auth SQL injection in then saving user comments

a reflected cross-site scripting vulnerability in the search

a stored cross-site scripting vulnerability in the meta data administration

a weak password requirement

https://huntr.dev/bounties/613143a1-8e51-449a-b214-12458308835d/ https://huntr.dev/bounties/d9666520-4ff5-43bb-aacf-50c8e5570983/ https://huntr.dev/bounties/f4711d7f-1368-48ab-9bef-45f32e356c47/ 2022-10-24 2022-11-11
varnish -- HTTP/2 Request Forgery Vulnerability varnish7 7.2.1 varnish6 6.6.2

Varnish Cache Project reports:

A request forgery attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker may introduce characters through the HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This may in turn be used to successfully exploit vulnerabilities in a server behind the Varnish server.

https://varnish-cache.org/security/VSV00011.html 2022-11-08 2022-11-09
varnish -- Request Smuggling Vulnerability varnish7 7.2.1

Varnish Cache Project reports:

A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend. Among the headers that can be filtered this way are both Content-Length and Host, making it possible for an attacker to both break the HTTP/1 protocol framing, and bypass request to host routing in VCL.

https://varnish-cache.org/security/VSV00010.html 2022-11-08 2022-11-09
chromium -- multiple vulnerabilities chromium 107.0.5304.110 ungoogled-chromium 107.0.5304.110

Chrome Releases reports:

This release contains 10 security fixes, including:

  • [1377816] High CVE-2022-3885: Use after free in V8. Reported by gzobqq@ on 2022-10-24
  • [1372999] High CVE-2022-3886: Use after free in Speech Recognition. Reported by anonymous on 2022-10-10
  • [1372695] High CVE-2022-3887: Use after free in Web Workers. Reported by anonymous on 2022-10-08
  • [1375059] High CVE-2022-3888: Use after free in WebCodecs. Reported by Peter Nemeth on 2022-10-16
  • [1380063] High CVE-2022-3889: Type Confusion in V8. Reported by anonymous on 2022-11-01
  • [1380083] High CVE-2022-3890: Heap buffer overflow in Crashpad. Reported by anonymous on 2022-11-01
CVE-2022-3885 CVE-2022-3886 CVE-2022-3887 CVE-2022-3888 CVE-2022-3889 CVE-2022-3890 https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop.html 2022-11-08 2022-11-09
zeek -- potential DoS vulnerabilities zeek 5.0.3

Tim Wojtulewicz of Corelight reports:

Fix an issue where a specially-crafted FTP packet can cause Zeek to spend large amounts of time attempting to search for valid commands in the data stream.

Fix a possible overflow in the Zeek dictionary code that may lead to a memory leak.

Fix an issue where a specially-crafted packet can cause Zeek to spend large amounts of time reporting analyzer violations.

Fix a possible assert and crash in the HTTP analyzer when receiving a specially crafted packet.

Fix an issue where a specially-crafted HTTP or SMTP packet can cause Zeek to spend a large amount of time attempting to search for filenames within the packet data.

Fix two separate possible crashes when converting processed IP headers for logging via the raw_packet event handlers.

https://github.com/zeek/zeek/releases/tag/v5.0.3 2022-11-09 2022-11-09
darkhttpd -- DOS vulnerability darkhttpd 1.14

Mitre reports:

flaw was found in darkhttpd. Invalid error handling allows remote attackers to cause denial-of-service by accessing a file with a large modification date. The highest threat from this vulnerability is to system availability.

CVE-2020-25691 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25691 2020-11-02 2022-11-08
sudo -- Potential out-of-bounds write for small passwords sudo 1.8.01.9.12p1

SO-AND-SO reports:

Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.

CVE-2022-43995 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43995 2022-11-07 2022-11-07
Gitlab -- Multiple vulnerabilities gitlab-ce 15.5.015.5.2 15.4.015.4.4 9.3.015.3.5

Gitlab reports:

DAST analyzer sends custom request headers with every request

Stored-XSS with CSP-bypass via scoped labels' color

Maintainer can leak Datadog API key by changing integration URL

Uncontrolled resource consumption when parsing URLs

Issue HTTP requests when users view an OpenAPI document and click buttons

Command injection in CI jobs via branch name in CI pipelines

Open redirection

Prefill variables do not check permission of the project in external CI config

Disclosure of audit events to insufficiently permissioned group and project members

Arbitrary GFM references rendered in Jira issue description leak private/confidential resources

Award emojis API for an internal note is accessible to users without access to the note

Open redirect in pipeline artifacts when generating HTML documents

Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines

Project-level Secure Files can be written out of the target directory

CVE-2022-3767 CVE-2022-3265 CVE-2022-3483 CVE-2022-3818 CVE-2022-3726 CVE-2022-2251 CVE-2022-3486 CVE-2022-3793 CVE-2022-3413 CVE-2022-2761 CVE-2022-3819 CVE-2022-3280 CVE-2022-3706 https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/ 2022-11-02 2022-11-05
pixman -- heap overflow pixman 0.42.2

Pixman reports: for release 0.42.2

Avoid integer overflow leading to out-of-bounds write

CVE-2022-44638 https://nvd.nist.gov/vuln/detail/CVE-2022-44638 2022-11-02 2022-11-03
go -- syscall, os/exec: unsanitized NUL in environment variables go118 1.18.8 go119 1.19.3

The Go project reports:

syscall, os/exec: unsanitized NUL in environment variables

On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D".

CVE-2022-41716 https://groups.google.com/g/golang-dev/c/83nKqv2W1Dk/m/gEJdD5vjDwAJ 2022-10-17 2022-11-01
OpenSSL -- Buffer overflows in Email verification openssl-devel 3.0.7

The OpenSSL project reports:

X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602) (High): A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.

X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786) (High): A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.

CVE-2022-3602 CVE-2022-3786 https://www.openssl.org/news/secadv/20221101.txt 2022-11-01 2022-11-01
MySQL -- Multiple vulnerabilities mysql-connector-c++ 8.0.31 mysql-connector-odbc 8.0.31 mysql-client57 5.7.40 mysql-server57 5.7.40 mysql-client80 8.0.31 mysql-server80 8.0.31

Oracle reports:

This Critical Patch Update contains 37 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials

CVE-2022-21600 CVE-2022-21635 CVE-2022-39408 CVE-2022-39410 CVE-2022-2097 CVE-2022-21604 CVE-2022-21637 CVE-2022-21617 CVE-2022-21605 CVE-2022-21594 CVE-2022-21607 CVE-2022-21608 CVE-2022-21638 CVE-2022-21640 CVE-2022-21641 CVE-2022-39400 CVE-2022-21633 CVE-2022-21632 CVE-2022-21599 CVE-2022-21595 CVE-2022-21625 CVE-2022-21592 CVE-2022-21589 CVE-2022-39402 CVE-2022-39404 CVE-2022-21611 CVE-2022-39403 https://www.oracle.com/security-alerts/cpuoct2022.html#AppendixMSQL 2022-10-18 2022-10-30
chromium -- Type confusion in V8 chromium 107.0.5304.87 ungoogled-chromium 107.0.5304.87

Chrome Releases reports:

This release contains 1 security fix:

  • [1378239] High CVE-2022-3723: Type Confusion in V8. Reported by Jan Vojtešek, Milánek, and Przemek Gmerek of Avast on 2022-10-25
CVE-2022-3723 https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html 2022-10-27 2022-10-28
samba -- buffer overflow in Heimdal unwrap_des3() samba412 4.12.16 samba413 4.13.17_4 samba416 4.16.6

The Samba Team reports:

The DES (for Samba 4.11 and earlier) and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet.

CVE-2022-3437 https://www.samba.org/samba/security/CVE-2022-3437.html 2022-08-02 2022-10-25
chromium -- multiple vulnerabilities chromium 107.0.5304.68 ungoogled-chromium 107.0.5304.68

Chrome Releases reports:

This release contains 14 security fixes, including:

  • [1369871] High CVE-2022-3652: Type Confusion in V8. Reported by srodulv and ZNMchtss at S.S.L Team on 2022-09-30
  • [1354271] High CVE-2022-3653: Heap buffer overflow in Vulkan. Reported by SeongHwan Park (SeHwa) on 2022-08-19
  • [1365330] High CVE-2022-3654: Use after free in Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-09-19
  • [1343384] Medium CVE-2022-3655: Heap buffer overflow in Media Galleries. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-07-11
  • [1345275] Medium CVE-2022-3656: Insufficient data validation in File System. Reported by Ron Masas, Imperva on 2022-07-18
  • [1351177] Medium CVE-2022-3657: Use after free in Extensions. Reported by Omri Bushari, Talon Cyber Security on 2022-08-09
  • [1352817] Medium CVE-2022-3658: Use after free in Feedback service on Chrome OS. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-08-14
  • [1355560] Medium CVE-2022-3659: Use after free in Accessibility. Reported by @ginggilBesel on 2022-08-23
  • [1327505] Medium CVE-2022-3660: Inappropriate implementation in Full screen mode. Reported by Irvan Kurniawan (sourc7) on 2022-05-20
  • [1350111] Low CVE-2022-3661: Insufficient data validation in Extensions. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2022-08-04
CVE-2022-3652 CVE-2022-3653 CVE-2022-3654 CVE-2022-3655 CVE-2022-3656 CVE-2022-3657 CVE-2022-3658 CVE-2022-3659 CVE-2022-3660 CVE-2022-3661 https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_25.html 2022-10-25 2022-10-25
Cleartext leak in libudisks libudisks 2.9.4

From libudisks 2.9.4 NEWS:

udiskslinuxblock: Fix leaking cleartext block interface

https://github.com/storaged-project/udisks/blob/udisks-2.9.4/NEWS 2021-09-29 2022-10-22
phpmyfaq -- CSRF vulnerability phpmyfaq 3.1.7

phpmyfaq developers report:

phpMyFAQ does not implement sufficient checks to avoid CSRF when logging out an user.

https://huntr.dev/bounties/76095ac1-da12-449b-9564-4a086be96592/ 2022-10-02 2022-10-21
Python -- multiple vulnerabilities python37 3.7.15 python38 3.8.15 python39 3.9.15 python310 3.10.8

Python reports:

gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner.

gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.

https://docs.python.org/release/3.9.15/whatsnew/changelog.html 2022-09-29 2022-10-20
nginx -- Two vulnerabilities nginx 1.0.71.22.1 nginx-devel 1.1.31.23.2

NGINX Development Team reports:

Two security issues were identified in the ngx_http_mp4_module, which might allow an attacker to cause a worker process crash or worker process memory disclosure by using a specially crafted mp4 file, or might have potential other impact (CVE-2022-41741, CVE-2022-41742).

CVE-2022-41741 CVE-2022-41742 https://mailman.nginx.org/archives/list/nginx@nginx.org/thread/F7TMIHDNNU3M52GYS23UWDWW2R2BLVVH/ 2022-10-19 2022-10-19
git -- Multiple vulnerabilities git 2.38.1 git-lite 2.38.1 git-tiny 2.38.1

This release contains 2 security fixes:

CVE-2022-39253

When relying on the `--local` clone optimization, Git dereferences symbolic links in the source repository before creating hardlinks (or copies) of the dereferenced link in the destination repository. This can lead to surprising behavior where arbitrary files are present in a repository's `$GIT_DIR` when cloning from a malicious repository. Git will no longer dereference symbolic links via the `--local` clone mechanism, and will instead refuse to clone repositories that have symbolic links present in the `$GIT_DIR/objects` directory. Additionally, the value of `protocol.file.allow` is changed to be "user" by default.

CVE-2022-39260

An overly-long command string given to `git shell` can result in overflow in `split_cmdline()`, leading to arbitrary heap writes and remote code execution when `git shell` is exposed and the directory `$HOME/git-shell-commands` exists. `git shell` is taught to refuse interactive commands that are longer than 4MiB in size. `split_cmdline()` is hardened to reject inputs larger than 2GiB.

CVE-2022-39253 CVE-2022-39260 https://lore.kernel.org/git/xmqq4jw1uku5.fsf@gitster.g/T/#u 2022-06-09 2022-10-18
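The CVE-2022-39253 fix makes git refuse `--local` clones of a source whose `$GIT_DIR/objects` contains symbolic links. As an added example (not git's own code), the checks below let a wrapper script refuse such a source before git is invoked and report the configured `protocol.file.allow` value; the `--no-local` clone argv and the temporary-directory demo are this example's own construction.

```python
"""Added example (not git's own code): pre-clone checks mirroring the CVE-2022-39253 hardening."""
import os
import shutil
import subprocess


def symlinks_under_objects(git_dir):
    """Return every symbolic link found below <git_dir>/objects, without following any of them.
    Fixed git refuses --local clones of such repositories; this lets a wrapper refuse earlier."""
    objects = os.path.join(git_dir, "objects")
    if os.path.islink(objects):  # the objects directory itself may be a link
        return [objects]
    found = []
    for root, dirs, files in os.walk(objects, followlinks=False):
        for name in dirs + files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                found.append(path)
    return sorted(found)


def protocol_file_allow(repo=None):
    """Configured protocol.file.allow ('always', 'user' or 'never'); '' when unset, in which case
    the binary's built-in default applies ('user' on fixed versions, 'always' before); None without git."""
    if shutil.which("git") is None:
        return None
    cmd = ["git"] + (["-C", repo] if repo else []) + ["config", "--get", "protocol.file.allow"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout.strip()


def safe_local_clone_argv(src_git_dir, dest):
    """Build a clone command for a local source. Refuses sources whose objects directory contains
    symlinks; otherwise forces the regular transport (--no-local) so nothing is hard-linked or
    copied file by file out of the source's $GIT_DIR."""
    links = symlinks_under_objects(src_git_dir)
    if links:
        raise ValueError("refusing to clone %s: symlinks under objects/: %s"
                         % (src_git_dir, ", ".join(links)))
    return ["git", "clone", "--no-local", src_git_dir, dest]


def _demo():
    import tempfile
    base = tempfile.mkdtemp()
    git_dir = os.path.join(base, "evil.git")
    os.makedirs(os.path.join(git_dir, "objects", "pack"))
    # Constructed malicious layout: a symlink planted inside objects/
    os.symlink("/etc/passwd", os.path.join(git_dir, "objects", "pack", "passwd-link"))
    print("links:", symlinks_under_objects(git_dir))
    try:
        safe_local_clone_argv(git_dir, os.path.join(base, "clone"))
    except ValueError as exc:
        print(exc)
    print("protocol.file.allow:", protocol_file_allow())
    shutil.rmtree(base)


if __name__ == "__main__":
    _demo()
```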
OpenSSL -- Potential NULL encryption in NID_undef with Custom Cipher openssl-devel 3.0.6

The OpenSSL project reports:

Using a Custom Cipher with NID_undef may lead to NULL encryption (low)

CVE-2022-3358 https://www.openssl.org/news/secadv/20221011.txt 2022-10-11 2022-10-18
gitea -- multiple issues gitea 1.17.3

The Gitea team reports:

Sanitize and Escape refs in git backend

Bump golang.org/x/text

Update bluemonday

https://github.com/go-gitea/gitea/releases/tag/v1.17.3 2022-09-27 2022-10-15
roundcube-thunderbird_labels -- RCE with custom label titles roundcube-thunderbird_labels 1.4.12

The Roundcube project reports:

Description:

Remote code execution vulnerability in roundcube-thunderbird_labels when tb_label_modify_labels is enabled.

Workaround:

If you cannot upgrade to roundcube-thunderbird_labels-1.4.13 disable the tb_label_modify_labels config option.

https://github.com/mike-kfed/roundcube-thunderbird_labels/security/advisories/GHSA-wp6h-wgxq-v949 2022-10-10 2022-10-12
chromium -- multiple vulnerabilities chromium 106.0.5249.119 ungoogled-chromium 106.0.5249.119

Chrome Releases reports:

This release contains 6 security fixes:

  • [1364604] High CVE-2022-3445: Use after free in Skia. Reported by Nan Wang (@eternalsakura13) and Yong Liu of 360 Vulnerability Research Institute on 2022-09-16
  • [1368076] High CVE-2022-3446: Heap buffer overflow in WebSQL. Reported by Kaijie Xu (@kaijieguigui) on 2022-09-26
  • [1366582] High CVE-2022-3447: Inappropriate implementation in Custom Tabs. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2022-09-22
  • [1363040] High CVE-2022-3448: Use after free in Permissions API. Reported by raven at KunLun lab on 2022-09-13
  • [1364662] High CVE-2022-3449: Use after free in Safe Browsing. Reported by asnine on 2022-09-17
  • [1369882] High CVE-2022-3450: Use after free in Peer Connection. Reported by Anonymous on 2022-09-30
CVE-2022-3445 CVE-2022-3446 CVE-2022-3447 CVE-2022-3448 CVE-2022-3449 CVE-2022-3450 https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_11.html 2022-10-11 2022-10-12
samba -- Multiple vulnerabilities samba412 4.12.16 samba413 4.13.17_2

The Samba Team reports:

CVE-2022-2031
The KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt each other's tickets. A user who has been requested to change their password can exploit this to obtain and use tickets to other services.
CVE-2022-32744
The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change the passwords of other users, enabling full domain takeover.
CVE-2022-32745
Samba AD users can cause the server to access uninitialised data with an LDAP add or modify request, usually resulting in a segmentation fault.
CVE-2022-32746
The AD DC database audit logging module can be made to access LDAP message values that have been freed by a preceding database module, resulting in a use-after-free. This is only possible when modifying certain privileged attributes, such as userAccountControl.
CVE-2022-32742
SMB1 Client with write access to a share can cause server memory contents to be written into a file or printer.
CVE-2022-2031 CVE-2022-32744 CVE-2022-32745 CVE-2022-32746 CVE-2022-32742 https://lists.samba.org/archive/samba-announce/2022/000609.html https://www.samba.org/samba/security/CVE-2022-2031.html https://www.samba.org/samba/security/CVE-2022-32744.html https://www.samba.org/samba/security/CVE-2022-32745.html https://www.samba.org/samba/security/CVE-2022-32746.html https://www.samba.org/samba/security/CVE-2022-32742.html 2022-07-27 2022-10-11
strongswan -- DOS attack vulnerability strongswan 5.9.8

Lahav Schlesinger reported a bug related to online certificate revocation checking that can lead to a denial-of-service attack.

CVE-2022-40617 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-40617 2022-10-03 2022-10-10
routinator -- potential DOS attack routinator >= 0.9.0, < 0.11.3

Due to a mistake in error handling, data in RRDP snapshot and delta files that isn’t correctly base 64 encoded is treated as a fatal error and causes Routinator to exit. Worst case impact of this vulnerability is denial of service for the RPKI data that Routinator provides to routers. This may stop your network from validating route origins based on RPKI data. This vulnerability does not allow an attacker to manipulate RPKI data. We are not aware of exploitation of this vulnerability at this point in time. Starting with release 0.11.3, Routinator handles encoding errors by rejecting the snapshot or delta file and continuing with validation. In case of an invalid delta file, it will try using the snapshot instead. If a snapshot file is invalid, the update of the repository will fail and an update through rsync is attempted.

CVE-2022-3029 https://nlnetlabs.nl/downloads/routinator/CVE-2022-3029.txt 2022-10-06 2022-10-07
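The advisory above describes a recovery order (reject the bad file, fall back from delta to snapshot, then to rsync) rather than exiting. The following added example is not Routinator's code: it models that chain in Python on constructed base64 inputs, and shows why strict decoding matters, since Python's `base64.b64decode` silently drops characters outside the alphabet unless `validate=True` is given. The `rsync_fetch` callable stands in for the rsync path and is an assumption of the example.

```python
"""Added example (not Routinator's code): strict base64 handling and the delta -> snapshot -> rsync fallback."""
import base64
import binascii


def decode_rrdp_payload(text):
    """Decode the base64 body of an RRDP <publish> element. Returns bytes, or None when the
    encoding is invalid. validate=True is the important part: without it b64decode quietly
    discards characters outside the alphabet instead of failing."""
    compact = "".join(text.split())  # RRDP permits whitespace inside the base64 text
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def update_repository(deltas_b64, snapshot_b64, rsync_fetch):
    """Post-fix behaviour in miniature. Apply the deltas; if any delta is invalid (or there are
    none), discard them and use the snapshot; if the snapshot is invalid too, the RRDP update
    fails and rsync_fetch() is tried. Returns (objects, source) with source in
    {'delta', 'snapshot', 'rsync'}. The pre-fix behaviour was to abort at the first None."""
    delta_objects = []
    for delta in deltas_b64:
        data = decode_rrdp_payload(delta)
        if data is None:
            delta_objects = None  # reject the whole delta set, do not exit
            break
        delta_objects.append(data)
    if deltas_b64 and delta_objects is not None:
        return delta_objects, "delta"
    snapshot = decode_rrdp_payload(snapshot_b64)
    if snapshot is not None:
        return [snapshot], "snapshot"
    return rsync_fetch(), "rsync"


if __name__ == "__main__":
    # Constructed inputs: "Zm9v" is base64 for b"foo", "c25hcA==" for b"snap"; "Zm9v!" is malformed.
    rsync = lambda: [b"from-rsync"]
    print(update_repository(["Zm9v", "YmFy"], "c25hcA==", rsync))
    print(update_repository(["Zm9v", "Zm9v!"], "c25hcA==", rsync))
    print(update_repository(["Zm9v!"], "also bad!", rsync))
```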
Django -- multiple vulnerabilities py37-django32 py38-django32 py39-django32 py310-django32 3.2.16 py38-django40 py39-django40 py310-django40 4.0.8 py38-django41 py39-django41 py310-django41 4.1.2

Django reports:

CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs.

CVE-2022-41323 https://www.djangoproject.com/weblog/2022/oct/04/security-releases/ 2022-09-23 2022-10-06
jenkins -- XSS vulnerability jenkins 2.370

Jenkins Security Advisory:

Description

(High) SECURITY-2886 / CVE-2022-41224

Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component.

Jenkins 2.370 escapes tooltips of the l:helpIcon UI component.

CVE-2022-41224 https://www.jenkins.io/security/advisory/2022-09-21/ 2022-09-21 2022-10-05 2022-10-07
go -- multiple vulnerabilities go118 1.18.7 go119 1.19.2

The Go project reports:

archive/tar: unbounded memory consumption when reading headers

Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB.

net/http/httputil: ReverseProxy should not forward unparseable query parameters

Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value.

ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

regexp/syntax: limit memory used by parsing regexps

The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.

Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected.

CVE-2022-2879 CVE-2022-2880 CVE-2022-41715 https://groups.google.com/g/golang-announce/c/xtuG5faxtaU/m/jEhlI_5WBgAJ 2022-10-04 2022-10-04
zydis -- heap buffer overflow zydis 3.2.1

Zyantific reports:

Zydis users of versions v3.2.0 and older that use the string functions provided in zycore in order to append untrusted user data to the formatter buffer within their custom formatter hooks can run into heap buffer overflows. Older versions of Zydis failed to properly initialize the string object within the formatter buffer, forgetting to initialize a few fields, leaving their value to chance. This could then in turn cause zycore functions like ZyanStringAppend to make incorrect calculations for the new target size, resulting in heap memory corruption.

CVE-2021-41253 https://www.cvedetails.com/cve/CVE-2021-41253 2021-11-08 2022-10-04
mediawiki -- multiple vulnerabilities mediawiki135 1.35.8 mediawiki137 1.37.6 mediawiki138 1.38.4

Mediawiki reports:

(T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions.

(T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users.

(T307278, CVE-2022-41766) SECURITY: On action=rollback the message "alreadyrolled" can leak revision deleted user name.

CVE-2022-41765 CVE-2022-41766 CVE-2022-41767 https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/SPYFDCGZE7KJNO73ET7QVSUXMHXVRFTE/ 2022-09-29 2022-10-02
chromium -- multiple vulnerabilities chromium 106.0.5249.91

Chrome Releases reports:

This release contains 3 security fixes, including:

  • [1366813] High CVE-2022-3370: Use after free in Custom Elements. Reported by Aviv A. on 2022-09-22
  • [1366399] High CVE-2022-3373: Out of bounds write in V8. Reported by Tibor Klajnscek on 2022-09-21
CVE-2022-3370 CVE-2022-3373 https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop_30.html 2022-09-30 2022-09-30
Gitlab -- Multiple vulnerabilities gitlab-ce >= 15.4.0, < 15.4.1; >= 15.3.0, < 15.3.4; >= 9.3.0, < 15.2.5

Gitlab reports:

Denial of Service via cloning an issue

Arbitrary PUT request as victim user through Sentry error list

Content injection via External Status Checks

Project maintainers can access Datadog API Key from logs

Unsafe serialization of Json data could lead to sensitive data leakage

Import bug allows importing of private local git repos

Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)

Unauthorized users able to create issues in any project

Bypass group IP restriction on Dependency Proxy

Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system

Disclosure of Todo details to guest users

A user's primary email may be disclosed through group member events webhooks

Content manipulation due to branch/tag name confusion with the default branch name

Leakage of email addresses in WebHook logs

Specially crafted output makes job logs inaccessible

Enforce editing approval rules on project level

CVE-2022-3283 CVE-2022-3060 CVE-2022-2904 CVE-2022-3018 CVE-2022-3291 CVE-2022-3067 CVE-2022-2882 CVE-2022-3066 CVE-2022-3286 CVE-2022-3285 CVE-2022-3330 CVE-2022-3351 CVE-2022-3288 CVE-2022-3293 CVE-2022-3279 CVE-2022-3325 https://about.gitlab.com/releases/2022/09/29/security-release-gitlab-15-4-1-released/ 2022-09-29 2022-09-30
unbound -- Non-Responsive Delegation Attack unbound 1.16.2

A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation.

CVE-2022-3204 https://nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt 2022-09-26 2022-09-29
Matrix clients -- several vulnerabilities cinny 2.2.1 element-web 1.11.7

Matrix developers report:

Two critical severity vulnerabilities in end-to-end encryption were found in the SDKs which power Element, Beeper, Cinny, SchildiChat, Circuli, Synod.im and any other clients based on matrix-js-sdk, matrix-ios-sdk or matrix-android-sdk2.

CVE-2022-39249 CVE-2022-39250 CVE-2022-39251 CVE-2022-39236 https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients 2022-09-23 2022-09-28
chromium -- multiple vulnerabilities chromium 106.0.5249.61

Chrome Releases reports:

This release contains 20 security fixes, including:

  • [1358907] High CVE-2022-3304: Use after free in CSS. Reported by Anonymous on 2022-09-01
  • [1343104] High CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. Reported by NDevTK on 2022-07-09
  • [1319229] High CVE-2022-3305: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-24
  • [1320139] High CVE-2022-3306: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-27
  • [1323488] High CVE-2022-3307: Use after free in Media. Reported by Anonymous Telecommunications Corp. Ltd. on 2022-05-08
  • [1342722] Medium CVE-2022-3308: Insufficient policy enforcement in Developer Tools. Reported by Andrea Cappa (zi0Black) @ Shielder on 2022-07-08
  • [1348415] Medium CVE-2022-3309: Use after free in Assistant. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2022-07-29
  • [1240065] Medium CVE-2022-3310: Insufficient policy enforcement in Custom Tabs. Reported by Ashwin Agrawal from Optus, Sydney on 2021-08-16
  • [1302813] Medium CVE-2022-3311: Use after free in Import. Reported by Samet Bekmezci @sametbekmezci on 2022-03-04
  • [1303306] Medium CVE-2022-3312: Insufficient validation of untrusted input in VPN. Reported by Andr.Ess on 2022-03-06
  • [1317904] Medium CVE-2022-3313: Incorrect security UI in Full Screen. Reported by Irvan Kurniawan (sourc7) on 2022-04-20
  • [1328708] Medium CVE-2022-3314: Use after free in Logging. Reported by Anonymous on 2022-05-24
  • [1322812] Medium CVE-2022-3315: Type confusion in Blink. Reported by Anonymous on 2022-05-05
  • [1333623] Low CVE-2022-3316: Insufficient validation of untrusted input in Safe Browsing. Reported by Sven Dysthe (@svn_dy) on 2022-06-07
  • [1300539] Low CVE-2022-3317: Insufficient validation of untrusted input in Intents. Reported by Hafiizh on 2022-02-24
  • [1318791] Low CVE-2022-3318: Use after free in ChromeOS Notifications. Reported by GraVity0 on 2022-04-22
CVE-2022-3201 CVE-2022-3304 CVE-2022-3305 CVE-2022-3306 CVE-2022-3307 CVE-2022-3308 CVE-2022-3309 CVE-2022-3310 CVE-2022-3311 CVE-2022-3312 CVE-2022-3313 CVE-2022-3314 CVE-2022-3315 CVE-2022-3316 CVE-2022-3317 CVE-2022-3318 https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop_27.html 2022-09-27 2022-09-27
expat -- Heap use-after-free vulnerability expat 2.4.9

Debian Security Advisory reports:

Rhodri James discovered a heap use-after-free vulnerability in the doContent function in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.

CVE-2022-40674 https://www.debian.org/security/2022/dsa-5236 https://nvd.nist.gov/vuln/detail/CVE-2022-40674 2022-09-14 2022-09-27
squid -- Exposure of sensitive information in cache manager squid 5.7

Mikhail Evdokimov (aka konata) reports:

Due to inconsistent handling of internal URIs Squid is vulnerable to Exposure of Sensitive Information about clients using the proxy. This problem allows a trusted client to directly access cache manager information bypassing the manager ACL protection. The available cache manager information contains records of internal network structure, client credentials, client identity and client traffic behaviour.

CVE-2022-41317 https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq 2022-04-17 2022-09-26
redis -- Potential remote code execution vulnerability redis >= 7.0.0, < 7.0.5

The Redis core team reports:

Executing a XAUTOCLAIM command on a stream key in a specific state, with a specially crafted COUNT argument, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. The problem affects Redis versions 7.0.0 or newer.

CVE-2022-35951 https://github.com/redis/redis/releases/tag/7.0.5 2022-09-21 2022-09-21
Grafana -- Privilege escalation grafana >= 2.1.0, < 8.5.13; >= 9.0.0, < 9.0.9; >= 9.1.0, < 9.1.6 grafana7 >= 7.0 grafana8 >= 8.0.0, < 8.5.13 grafana9 >= 9.0.0, < 9.0.9; >= 9.1.0, < 9.1.6

Grafana Labs reports:

On August 9 an internal security review identified a vulnerability in Grafana which allows an escalation from Admin privileges to Server Admin when Auth proxy authentication is used.

Auth proxy allows authenticating a user by only providing the username (or email) in a X-WEBAUTH-USER HTTP header: the trust assumption is that a front proxy will take care of authentication and that the Grafana server is publicly reachable only through this front proxy.

Datasource proxy breaks this assumption:

  • it is possible to configure a fake datasource pointing to a localhost Grafana install with a X-WEBAUTH-USER HTTP header containing admin username.
  • This fake datasource can be called publicly via this proxying feature.

The CVSS score for this vulnerability is 6.6 Moderate (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2022-35957 https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q 2022-08-09 2022-09-21
zeek -- potential DoS vulnerabilities zeek 5.0.2

Tim Wojtulewicz of Corelight reports:

Fix a possible overflow and crash in the ICMP analyzer when receiving a specially crafted packet.

Fix a possible overflow and crash in the IRC analyzer when receiving a specially crafted packet.

Fix a possible overflow and crash in the SMB analyzer when receiving a specially crafted packet.

Fix two possible crashes when converting IP headers for output via the raw_packet event.

https://github.com/zeek/zeek/releases/tag/v5.0.2 2022-09-19 2022-09-19
puppetdb -- Potential SQL injection puppetdb6 6.22.1 puppetdb7 7.11.1

Puppet reports:

The org.postgresql/postgresql driver has been updated to version 42.4.1 to address CVE-2022-31197, which is an SQL injection risk that according to the CVE report, can only be exploited if an attacker controls the database to the extent that they can adjust relevant tables to have "malicious" column names.

CVE-2022-31197 https://nvd.nist.gov/vuln/detail/CVE-2022-31197 https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2 2022-08-03 2022-09-16
chromium -- multiple vulnerabilities chromium 105.0.5195.125

Chrome Releases reports:

This release includes 11 security fixes, including:

  • [1358381] High CVE-2022-3195: Out of bounds write in Storage. Reported by Ziling Chen and Nan Wang (@eternalsakura13) of 360 Vulnerability Research Institute on 2022-08-31
  • [1358090] High CVE-2022-3196: Use after free in PDF. Reported by triplepwns on 2022-08-30
  • [1358075] High CVE-2022-3197: Use after free in PDF. Reported by triplepwns on 2022-08-30
  • [1355682] High CVE-2022-3198: Use after free in PDF. Reported by MerdroidSG on 2022-08-23
  • [1355237] High CVE-2022-3199: Use after free in Frames. Reported by Anonymous on 2022-08-22
  • [1355103] High CVE-2022-3200: Heap buffer overflow in Internals. Reported by Richard Lorenz, SAP on 2022-08-22
  • [1343104] High CVE-2022-3201: Insufficient validation of untrusted input in DevTools. Reported by NDevTK on 2022-07-09
CVE-2022-3195 CVE-2022-3196 CVE-2022-3197 CVE-2022-3198 CVE-2022-3199 CVE-2022-3200 CVE-2022-3201 https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop_14.html 2022-09-14 2022-09-14
dendrite -- Signature checks not applied to some retrieved missing events dendrite 0.9.8

Dendrite team reports:

Events retrieved from a remote homeserver using /get_missing_events did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint.

Note that this does not apply to events retrieved through other endpoints (e.g. /event, /state) as they have been correctly verified.

Homeservers that have federation disabled are not vulnerable.

https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267c 2022-09-12 2022-09-12
gitea -- multiple issues gitea 1.17.2

The Gitea team reports:

Double check CloneURL is acceptable

Add more checks in migration code

https://blog.gitea.io/2022/09/gitea-1.17.2-is-released/ 2022-08-19 2022-09-11
Python -- multiple vulnerabilities python37 3.7.14 python38 3.8.14 python39 3.9.14 python310 3.10.7

Python reports:

gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity.

gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when a URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.

CVE-2020-10735 https://docs.python.org/release/3.7.14/whatsnew/changelog.html#changelog 2020-03-20 2022-09-08
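Both fixes in this entry are small input-handling guards. The following is an added example, not CPython's own code: `safe_int` applies the gh-95778 digit cap before conversion (so it also protects interpreters that predate the fix; the 4300 default and the exempt power-of-two bases are CPython's documented values), and `collapse_leading_slashes` reproduces the gh-87389 normalisation and shows, via `urllib.parse`, why a `//host/...` path turned into a `Location` header sends the browser off-site. The function names are this example's own.

```python
"""Added example (not CPython's own code): guards matching the int/str limit and the http.server // fix."""
import sys
import urllib.parse

DEFAULT_MAX_STR_DIGITS = 4300     # CPython's shipped default (sys.int_info.default_max_str_digits in fixed versions)
LINEAR_BASES = {2, 4, 8, 16, 32}  # power-of-two bases convert in linear time and are exempt from the limit
_PREFIXES = {"0b": 2, "0o": 8, "0x": 16}


def interpreter_enforces_digit_limit():
    """True when this interpreter carries the gh-95778 fix (the sys accessor only exists there)."""
    return hasattr(sys, "get_int_max_str_digits")


def safe_int(text, base=10, max_digits=DEFAULT_MAX_STR_DIGITS):
    """int(text, base) with the digit cap fixed CPython applies, enforced before the
    (quadratic) conversion runs. Sign, whitespace, underscores and a 0b/0o/0x prefix
    are not counted as digits; base 0 resolves the prefix the way int() does."""
    body = text.strip().lstrip("+-").replace("_", "")
    effective_base = base
    prefix = body[:2].lower()
    if prefix in _PREFIXES and base in (0, _PREFIXES[prefix]):
        body = body[2:]
        effective_base = _PREFIXES[prefix]
    if effective_base == 0:
        effective_base = 10
    if effective_base not in LINEAR_BASES and len(body) > max_digits:
        raise ValueError("Exceeds the limit (%d digits) for integer string conversion: "
                         "value has %d digits" % (max_digits, len(body)))
    return int(text, base)


def collapse_leading_slashes(request_path):
    """What fixed http.server does in parse_request(): '//evil.example/x' becomes '/evil.example/x'."""
    if request_path.startswith("//"):
        return "/" + request_path.lstrip("/")
    return request_path


def directory_redirect_location(request_path):
    """Location value http.server sends for a directory missing its trailing slash, after normalisation."""
    return collapse_leading_slashes(request_path) + "/"


def redirect_leaves_site(location):
    """True when a browser would treat `location` as scheme-relative and leave this host."""
    return urllib.parse.urlsplit(location).netloc != ""


if __name__ == "__main__":
    print("interpreter enforces limit:", interpreter_enforces_digit_limit())
    print(safe_int("1" * 4300) == int("1" * 4300))
    try:
        safe_int("1" * 4301)
    except ValueError as exc:
        print("rejected:", exc)
    # Constructed request path as an attacker would send it: GET //evil.example/x HTTP/1.1
    print("unpatched redirect leaves site:", redirect_leaves_site("//evil.example/x" + "/"))
    print("patched redirect leaves site:", redirect_leaves_site(directory_redirect_location("//evil.example/x")))
```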
go -- multiple vulnerabilities go118 1.18.6 go119 1.19.1

The Go project reports:

net/http: handle server errors after sending GOAWAY

A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

net/url: JoinPath does not strip relative path components in all circumstances

JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path.

CVE-2022-27664 CVE-2022-32190 https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ 2022-09-06 2022-09-07
chromium -- insufficient data validation in Mojo chromium 105.0.5195.102

Chrome Releases reports:

This release contains 1 security fix:

  • [1358134] High CVE-2022-3075: Insufficient data validation in Mojo. Reported by Anonymous on 2022-08-30

Google is aware that an exploit of CVE-2022-3075 exists in the wild.

CVE-2022-3075 https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html 2022-09-02 2022-09-03
powerdns-recursor -- denial of service powerdns-recursor 4.7.2 4.6.3 4.5.10

PowerDNS Team reports:

PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation.

CVE-2022-37428 https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-02.html 2022-08-23 2022-09-01
Grafana -- Unauthorized file disclosure grafana >= 5.2.0, < 8.3.11; >= 8.4.0, < 8.4.11; >= 8.5.0, < 8.5.11; >= 9.0.0, < 9.0.8; >= 9.1.0, < 9.1.2 grafana7 >= 7.0 grafana8 >= 8.3.0, < 8.3.11; >= 8.4.0, < 8.4.11; >= 8.5.0, < 8.5.11 grafana9 >= 9.0.0, < 9.0.8; >= 9.1.0, < 9.1.2

Grafana Labs reports:

On July 21, an internal security review identified an unauthorized file disclosure vulnerability in the Grafana Image Renderer plugin when HTTP remote rendering is used. The Chromium browser embedded in the Grafana Image Renderer allows for “printing” of unauthorized files in a PNG file. This makes it possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake data source (this applies if the user has admin permissions in Grafana).

CVE-2022-31176 https://github.com/grafana/grafana-image-renderer/security/advisories/GHSA-2cfh-233g-m4c5 2022-07-21 2022-09-01
Matrix clients -- several vulnerabilities cinny 2.1.3 element-web 1.11.4

Matrix developers report:

The vulnerabilities give an adversary who you share a room with the ability to carry out a denial-of-service attack against the affected clients, making it not show all of a user's rooms or spaces and/or causing minor temporary corruption.

CVE-2022-36059 CVE-2022-36060 https://matrix.org/blog/2022/08/31/security-releases-matrix-js-sdk-19-4-0-and-matrix-react-sdk-3-53-0 2022-08-31 2022-08-31
chromium -- multiple vulnerabilities chromium 105.0.5195.52

Chrome Releases reports:

This release contains 24 security fixes, including:

  • [1340253] Critical CVE-2022-3038: Use after free in Network Service. Reported by Sergei Glazunov of Google Project Zero on 2022-06-28
  • [1343348] High CVE-2022-3039: Use after free in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-07-11
  • [1341539] High CVE-2022-3040: Use after free in Layout. Reported by Anonymous on 2022-07-03
  • [1345947] High CVE-2022-3041: Use after free in WebSQL. Reported by Ziling Chen and Nan Wang(@eternalsakura13) of 360 Vulnerability Research Institute on 2022-07-20
  • [1338553] High CVE-2022-3042: Use after free in PhoneHub. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-06-22
  • [1336979] High CVE-2022-3043: Heap buffer overflow in Screen Capture. Reported by @ginggilBesel on 2022-06-16
  • [1051198] High CVE-2022-3044: Inappropriate implementation in Site Isolation. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-02-12
  • [1339648] High CVE-2022-3045: Insufficient validation of untrusted input in V8. Reported by Ben Noordhuis <info@bnoordhuis.nl> on 2022-06-26
  • [1346245] High CVE-2022-3046: Use after free in Browser Tag. Reported by Rong Jian of VRI on 2022-07-21
  • [1342586] Medium CVE-2022-3047: Insufficient policy enforcement in Extensions API. Reported by Maurice Dauer on 2022-07-07
  • [1303308] Medium CVE-2022-3048: Inappropriate implementation in Chrome OS lockscreen. Reported by Andr.Ess on 2022-03-06
  • [1316892] Medium CVE-2022-3049: Use after free in SplitScreen. Reported by @ginggilBesel on 2022-04-17
  • [1337132] Medium CVE-2022-3050: Heap buffer overflow in WebUI. Reported by Zhihua Yao of KunLun Lab on 2022-06-17
  • [1345245] Medium CVE-2022-3051: Heap buffer overflow in Exosphere. Reported by @ginggilBesel on 2022-07-18
  • [1346154] Medium CVE-2022-3052: Heap buffer overflow in Window Manager. Reported by Khalil Zhani on 2022-07-21
  • [1267867] Medium CVE-2022-3053: Inappropriate implementation in Pointer Lock. Reported by Jesper van den Ende (Pelican Party Studios) on 2021-11-08
  • [1290236] Medium CVE-2022-3054: Insufficient policy enforcement in DevTools. Reported by Kuilin Li on 2022-01-24
  • [1351969] Medium CVE-2022-3055: Use after free in Passwords. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-08-11
  • [1329460] Low CVE-2022-3056: Insufficient policy enforcement in Content Security Policy. Reported by Anonymous on 2022-05-26
  • [1336904] Low CVE-2022-3057: Inappropriate implementation in iframe Sandbox. Reported by Gareth Heyes on 2022-06-16
  • [1337676] Low CVE-2022-3058: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-06-20
CVE-2022-3038 CVE-2022-3039 CVE-2022-3040 CVE-2022-3041 CVE-2022-3042 CVE-2022-3043 CVE-2022-3044 CVE-2022-3045 CVE-2022-3046 CVE-2022-3047 CVE-2022-3048 CVE-2022-3049 CVE-2022-3050 CVE-2022-3051 CVE-2022-3052 CVE-2022-3053 CVE-2022-3054 CVE-2022-3055 CVE-2022-3056 CVE-2022-3057 CVE-2022-3058 https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html 2022-08-30 2022-08-31
FreeBSD -- zlib heap buffer overflow FreeBSD >= 13.1, < 13.1_2; >= 13.0, < 13.0_13; >= 12.3, < 12.3_7

Problem Description:

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field.

Impact:

Applications that call inflateGetHeader may be vulnerable to a buffer overflow. Note that inflateGetHeader is not used by anything in the FreeBSD base system, but may be used by third party software.

CVE-2022-37434 SA-22:13.zlib 2022-08-30 2022-08-31
Gitlab -- multiple vulnerabilities gitlab-ce >= 15.3.0, < 15.3.2; >= 15.2.0, < 15.2.4; >= 10.0.0, < 15.1.6

Gitlab reports:

Remote Command Execution via GitHub import

Stored XSS via labels color

Content injection via Incidents Timeline description

Lack of length validation in Snippets leads to Denial of Service

Group IP allow-list not fully respected by the Package Registry

Abusing Gitaly.GetTreeEntries calls leads to denial of service

Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags

Regular Expression Denial of Service via special crafted input

Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events

Regex backtracking through the Commit message field

Read repository content via LivePreview feature

Denial of Service via the Create branch API

Denial of Service via Issue preview

IDOR in Zentao integration leaked issue details

Brute force attack may guess a password even when 2FA is enabled

CVE-2022-2992 CVE-2022-2865 CVE-2022-2527 CVE-2022-2592 CVE-2022-2533 CVE-2022-2455 CVE-2022-2428 CVE-2022-2908 CVE-2022-2630 CVE-2022-2931 CVE-2022-2907 CVE-2022-3031 https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/ 2022-08-30 2022-08-30
zeek -- potential DoS vulnerabilities zeek 5.0.1

Tim Wojtulewicz of Corelight reports:

Fix a possible overflow and crash in the ARP analyzer when receiving a specially crafted packet. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability.

Fix a possible overflow and crash in the Modbus analyzer when receiving a specially crafted packet. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability.

Fix two possible crashes when converting IP headers for output via the raw_packet event. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability. Note that the raw_packet event is not enabled by default so these are likely low-severity issues.

Fix an abort related to an error related to the ordering of record fields when processing DNS EDNS headers via events. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability. Note that the dns_EDNS events are not implemented by default so this is likely a low-severity issue.

https://github.com/zeek/zeek/releases/tag/v5.0.1 2022-08-23 2022-08-26
MariaDB -- Multiple vulnerabilities mariadb103-server 10.3.36 mariadb104-server 10.4.26 mariadb105-server 10.5.17 mariadb106-server 10.6.9

The MariaDB project reports:

Multiple vulnerabilities, mostly segfaults, in the server component

CVE-2022-32082 CVE-2022-32089 CVE-2022-32081 CVE-2018-25032 CVE-2022-32091 CVE-2022-32084 https://mariadb.com/kb/en/cve/ 2022-08-22 2022-08-25
Gitlab -- Remote Code Execution gitlab-ce >= 15.3.0, < 15.3.1; >= 15.2.0, < 15.2.3; >= 11.3.4, < 15.1.5

Gitlab reports:

Remote Command Execution via Github import

CVE-2022-2884 https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/ 2022-08-22 2022-08-23
drupal9 -- multiple vulnerabilities drupal9 9.4.5

Drupal reports:

CVE-2022-31175: Cross-site scripting (XSS) caused by the editor instance destroying process.

CVE-2022-31175 https://www.drupal.org/project/drupal/releases/9.4.5 2022-08-01 2022-08-20
chromium -- multiple vulnerabilities chromium 104.0.5112.101

Chrome Releases reports:

This release contains 11 security fixes, including:

  • [1349322] Critical CVE-2022-2852: Use after free in FedCM. Reported by Sergei Glazunov of Google Project Zero on 2022-08-02
  • [1337538] High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-06-18
  • [1345042] High CVE-2022-2855: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-07-16
  • [1338135] High CVE-2022-2857: Use after free in Blink. Reported by Anonymous on 2022-06-21
  • [1341918] High CVE-2022-2858: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
  • [1350097] High CVE-2022-2853: Heap buffer overflow in Downloads. Reported by Sergei Glazunov of Google Project Zero on 2022-08-04
  • [1345630] High CVE-2022-2856: Insufficient validation of untrusted input in Intents. Reported by Ashley Shen and Christian Resell of Google Threat Analysis Group on 2022-07-19
  • [1338412] Medium CVE-2022-2859: Use after free in Chrome OS Shell. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-22
  • [1345193] Medium CVE-2022-2860: Insufficient policy enforcement in Cookies. Reported by Axel Chong on 2022-07-18
  • [1346236] Medium CVE-2022-2861: Inappropriate implementation in Extensions API. Reported by Rong Jian of VRI on 2022-07-21
CVE-2022-2852 CVE-2022-2853 CVE-2022-2854 CVE-2022-2855 CVE-2022-2856 CVE-2022-2857 CVE-2022-2858 CVE-2022-2859 CVE-2022-2860 CVE-2022-2861 https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html 2022-08-16 2022-08-17
dendrite -- Incorrect parsing of the event default power level in event auth dendrite 0.9.3

Dendrite team reports:

The power level parsing within gomatrixserverlib was failing to parse the "events_default" key of the m.room.power_levels event, defaulting the event default power level to zero in all cases.

In rooms where the "events_default" power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers.

CVE-2022-36009 https://github.com/matrix-org/gomatrixserverlib/security/advisories/GHSA-grvv-h2f9-7v9c 2022-08-15 2022-08-15 2022-08-25
Tomcat -- XSS in examples web application tomcat (>= 8.5.50, < 8.5.81; >= 9.0.30, < 9.0.64; >= 10.0.0-M1, < 10.0.22; >= 10.1.0-M1, < 10.1.0-M16) tomcat85 (>= 8.5.50, < 8.5.81) tomcat9 (>= 9.0.30, < 9.0.64) tomcat10 (>= 10.0.0-M1, < 10.0.22) tomcat-devel (>= 10.1.0-M1, < 10.1.0-M16)

Apache Tomcat reports:

The Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.

CVE-2022-34305 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34305 2022-06-22 2022-08-14
XFCE tumbler -- Vulnerability in the GStreamer plugin xfce4-tumbler 4.16.1

The XFCE project reports:

Added mime type check to the gst-thumbnailer plugin to fix an undisclosed vulnerability.

https://mail.xfce.org/pipermail/xfce-announce/2022-August/001133.html https://gitlab.xfce.org/xfce/tumbler/-/commit/a0fc191e8ab41fe579f3333085d649fdacb2daa5 2022-08-02 2022-08-12
varnish -- Denial of Service Vulnerability varnish7 7.1.1

Varnish Cache Project reports:

A denial of service attack can be performed against Varnish Cache servers by specially formatting the reason phrase of the backend response status line. In order to execute an attack, the attacker would have to be able to influence the HTTP/1 responses that the Varnish Server receives from its configured backends. A successful attack would cause the Varnish Server to assert and automatically restart.

https://varnish-cache.org/security/VSV00009.html 2022-08-09 2022-08-10
FreeBSD -- Missing bounds check in 9p message handling FreeBSD (>= 13.1, < 13.1_1; >= 13.0, < 13.0_12)

Problem Description:

The implementation of lib9p's handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory.

Impact:

The bug can be triggered by a malicious bhyve guest kernel to overwrite memory in the bhyve(8) process. This could potentially lead to user-mode code execution on the host, subject to bhyve's Capsicum sandbox.

CVE-2022-23092 SA-22:12.lib9p 2022-08-09 2022-08-10
FreeBSD -- Memory disclosure by stale virtual memory mapping FreeBSD-kernel (>= 13.1, < 13.1_1; >= 13.0, < 13.0_12; >= 12.3, < 12.3_6)

Problem Description:

A particular case of memory sharing is mishandled in the virtual memory system. This is very similar to SA-21:08.vm, but with a different root cause.

Impact:

An unprivileged local user process can maintain a mapping of a page after it is freed, allowing that process to read private data belonging to other processes or the kernel.

CVE-2022-23091 SA-22:11.vm 2022-08-09 2022-08-10
FreeBSD -- AIO credential reference count leak FreeBSD-kernel (>= 13.0, < 13.0_12; >= 12.3, < 12.3_6)

Problem Description:

The aio_aqueue function, used by the lio_listio system call, fails to release a reference to a credential in an error case.

Impact:

An attacker may cause the reference count to overflow, leading to a use after free (UAF).

CVE-2022-23090 SA-22:10.aio 2022-08-09 2022-08-10 2022-08-10
FreeBSD -- Out of bound read in elf_note_prpsinfo() FreeBSD-kernel (>= 13.1, < 13.1_1; >= 13.0, < 13.0_12; >= 12.3, < 12.3_6)

Problem Description:

When dumping core and saving process information, proc_getargv() might return an sbuf which has a sbuf_len() of 0 or -1, which is not properly handled.

Impact:

An out-of-bound read can happen when user constructs a specially crafted ps_string, which in turn can cause the kernel to crash.

CVE-2022-23089 SA-22:09.elf 2022-08-09 2022-08-10
rsync -- client-side arbitrary file write vulnerability rsync 3.2.5

Openwall oss-security reports:

We have discovered a critical arbitrary file write vulnerability in the rsync utility that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. Due to the insufficient controls inside the do_server_recv function a malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories.

CVE-2022-29154 https://www.openwall.com/lists/oss-security/2022/08/02/1 2022-08-02 2022-08-10
gnutls -- double free vulnerability gnutls (>= 3.6.0, < 3.7.7)

The GnuTLS project reports:

When gnutls_pkcs7_verify cannot verify signature against given trust list, it starts creating a chain of certificates starting from identified signer up to known root. During the creation of this chain the signer certificate gets freed which results in double free when the same signer certificate is freed at the end of the algorithm.

CVE-2022-2509 https://www.gnutls.org/security-new.html#GNUTLS-SA-2022-07-07 2022-07-07 2022-08-09
wolfssl -- multiple issues wolfssl 5.4.0

wolfSSL blog reports:

In release 5.4.0 there were 3 vulnerabilities listed as fixed in wolfSSL. Two relatively new reports, one dealing with a DTLS 1.0/1.2 denial of service attack and the other a ciphertext attack on ECC/DH operations. The last vulnerability listed was a public disclosure of a previous attack on AMD devices fixed since wolfSSL version 5.1.0. Coordination of the disclosure of the attack was done responsibly, in cooperation with the researchers, waiting for the public release of the attack details since it affects multiple security libraries.

CVE-2022-34293 CVE-2020-12966 CVE-2021-46744 https://github.com/wolfSSL/wolfssl/releases/tag/v5.4.0-stable https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1013 https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1033 2022-07-11 2022-08-08
gitea -- multiple issues gitea 1.17.0

The Gitea team reports:

Use git.HOME_PATH for Git HOME directory

Add write check for creating Commit status

Remove deprecated SSH ciphers from default

https://github.com/go-gitea/gitea/releases/tag/v1.17.0 2022-07-12 2022-08-05
Unbound -- Multiple vulnerabilities unbound 1.16.2

NLnet Labs reports:

novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating.

novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second level subdomain which the rogue nameserver provides new delegation information.

CVE-2022-30699 CVE-2022-30698 https://www.nlnetlabs.nl/projects/unbound/security-advisories/ 2022-08-01 2022-08-05
gitea -- multiple issues gitea 1.16.9

The Gitea team reports:

Add write check for creating Commit status

Check for permission when fetching user controlled issues

https://github.com/go-gitea/gitea/releases/tag/v1.16.9 2022-07-12 2022-08-05
Django -- multiple vulnerabilities py38-django32 py39-django32 py310-django32 3.2.15 py38-django40 py39-django40 py310-django40 4.0.7

Django reports:

CVE-2022-36359: Potential reflected file download vulnerability in FileResponse.

CVE-2022-36359 https://www.djangoproject.com/weblog/2022/aug/03/security-releases/ 2022-08-01 2022-08-05
chromium -- multiple vulnerabilities chromium 104.0.5112.79

Chrome Releases reports:

This release contains 27 security fixes, including:

  • [1325699] High CVE-2022-2603: Use after free in Omnibox. Reported by Anonymous on 2022-05-16
  • [1335316] High CVE-2022-2604: Use after free in Safe Browsing. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-10
  • [1338470] High CVE-2022-2605: Out of bounds read in Dawn. Reported by Looben Yang on 2022-06-22
  • [1330489] High CVE-2022-2606: Use after free in Managed devices API. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-31
  • [1286203] High CVE-2022-2607: Use after free in Tab Strip. Reported by @ginggilBesel on 2022-01-11
  • [1330775] High CVE-2022-2608: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-06-01
  • [1338560] High CVE-2022-2609: Use after free in Nearby Share. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-06-22
  • [1278255] Medium CVE-2022-2610: Insufficient policy enforcement in Background Fetch. Reported by Maurice Dauer on 2021-12-09
  • [1320538] Medium CVE-2022-2611: Inappropriate implementation in Fullscreen API. Reported by Irvan Kurniawan (sourc7) on 2022-04-28
  • [1321350] Medium CVE-2022-2612: Side-channel information leakage in Keyboard input. Reported by Erik Kraft (erik.kraft5@gmx.at), Martin Schwarzl (martin.schwarzl@iaik.tugraz.at) on 2022-04-30
  • [1325256] Medium CVE-2022-2613: Use after free in Input. Reported by Piotr Tworek (Vewd) on 2022-05-13
  • [1341907] Medium CVE-2022-2614: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
  • [1268580] Medium CVE-2022-2615: Insufficient policy enforcement in Cookies. Reported by Maurice Dauer on 2021-11-10
  • [1302159] Medium CVE-2022-2616: Inappropriate implementation in Extensions API. Reported by Alesandro Ortiz on 2022-03-02
  • [1292451] Medium CVE-2022-2617: Use after free in Extensions API. Reported by @ginggilBesel on 2022-01-31
  • [1308422] Medium CVE-2022-2618: Insufficient validation of untrusted input in Internals. Reported by asnine on 2022-03-21
  • [1332881] Medium CVE-2022-2619: Insufficient validation of untrusted input in Settings. Reported by Oliver Dunk on 2022-06-04
  • [1337304] Medium CVE-2022-2620: Use after free in WebUI. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-17
  • [1323449] Medium CVE-2022-2621: Use after free in Extensions. Reported by Huyna at Viettel Cyber Security on 2022-05-07
  • [1332392] Medium CVE-2022-2622: Insufficient validation of untrusted input in Safe Browsing. Reported by Imre Rad (@ImreRad) and @j00sean on 2022-06-03
  • [1337798] Medium CVE-2022-2623: Use after free in Offline. Reported by raven at KunLun lab on 2022-06-20
  • [1339745] Medium CVE-2022-2624: Heap buffer overflow in PDF. Reported by YU-CHANG CHEN and CHIH-YEN CHANG, working with DEVCORE Internship Program on 2022-06-27
CVE-2022-2603 CVE-2022-2604 CVE-2022-2605 CVE-2022-2606 CVE-2022-2607 CVE-2022-2608 CVE-2022-2609 CVE-2022-2610 CVE-2022-2611 CVE-2022-2612 CVE-2022-2613 CVE-2022-2614 CVE-2022-2615 CVE-2022-2616 CVE-2022-2617 CVE-2022-2618 CVE-2022-2619 CVE-2022-2620 CVE-2022-2621 CVE-2022-2622 CVE-2022-2623 CVE-2022-2624 https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop.html 2022-08-02 2022-08-03
go -- decoding big.Float and big.Rat can panic go118 1.18.5 go117 1.17.13

The Go project reports:

encoding/gob & math/big: decoding big.Float and big.Rat can panic

Decoding big.Float and big.Rat types can panic if the encoded message is too short.

CVE-2022-32189 https://groups.google.com/g/golang-announce/c/YqYYG87xB10 2022-07-14 2022-08-02
Gitlab -- multiple vulnerabilities gitlab-ce (>= 15.2.0, < 15.2.1; >= 15.1.0, < 15.1.4; >= 0, < 15.0.5)

Gitlab reports:

Revoke access to confidential notes todos

Pipeline subscriptions trigger new pipelines with the wrong author

Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email

Import via git protocol allows to bypass checks on repository

Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages

Maintainer can leak Packagist and other integration access tokens by changing integration URL

Unauthenticated access to victim's Grafana datasources through path traversal

Unauthorized users can filter issues by contact and organization

Malicious Maintainer may change the visibility of project or a group

Stored XSS in job error messages

Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant

Non project members can view public project's Deploy Keys

IDOR in project with Jira integration leaks project owner's other projects Jira issues

Group Bot Users and Tokens not deleted after group deletion

Email invited members can join projects even after the member lock has been enabled

Datadog integration returns user emails

CVE-2022-2512 CVE-2022-2498 CVE-2022-2326 CVE-2022-2417 CVE-2022-2501 CVE-2022-2497 CVE-2022-2531 CVE-2022-2539 CVE-2022-2456 CVE-2022-2500 CVE-2022-2303 CVE-2022-2095 CVE-2022-2499 CVE-2022-2307 CVE-2022-2459 CVE-2022-2534 https://about.gitlab.com/releases/2022/07/28/security-release-gitlab-15-2-1-released/ 2022-07-28 2022-07-30
VirtualBox -- Multiple vulnerabilities virtualbox-ose 6.1.36

Oracle reports:

Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox.

CVE-2022-21554 CVE-2022-21571 https://www.oracle.com/security-alerts/cpujul2022.html 2022-07-20 2022-07-21
MySQL -- Multiple vulnerabilities mysql-server56 5.6.52 mysql-server57 5.7.39 mysql-client80 8.0.30 mysql-server80 8.0.30

Oracle reports:

This Critical Patch Update contains 34 new security patches plus additional third party patches noted below for Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

CVE-2022-1292 CVE-2022-21824 CVE-2022-27778 CVE-2018-25032 CVE-2022-21556 CVE-2022-21569 CVE-2022-21550 CVE-2022-21519 CVE-2022-21527 CVE-2022-21528 CVE-2022-21509 CVE-2022-21539 CVE-2022-21517 CVE-2022-21537 CVE-2022-21547 CVE-2022-21525 CVE-2022-21526 CVE-2022-21529 CVE-2022-21530 CVE-2022-21531 CVE-2022-21553 CVE-2022-21515 CVE-2022-21455 CVE-2022-21534 CVE-2022-21522 CVE-2022-21538 CVE-2022-21535 https://www.oracle.com/security-alerts/cpujul2022.html#AppendixMSQL 2022-07-19 2022-07-21
chromium -- multiple vulnerabilities chromium 103.0.5060.134

Chrome Releases reports:

This release contains 11 security fixes, including:

  • [1336266] High CVE-2022-2477: Use after free in Guest View. Reported by anonymous on 2022-06-14
  • [1335861] High CVE-2022-2478: Use after free in PDF. Reported by triplepwns on 2022-06-13
  • [1329987] High CVE-2022-2479: Insufficient validation of untrusted input in File. Reported by anonymous on 2022-05-28
  • [1339844] High CVE-2022-2480: Use after free in Service Worker API. Reported by Sergei Glazunov of Google Project Zero on 2022-06-27
  • [1341603] High CVE-2022-2481: Use after free in Views. Reported by YoungJoo Lee(@ashuu_lee) of CompSecLab at Seoul National University on 2022-07-04
  • [1308341] Low CVE-2022-2163: Use after free in Cast UI and Toolbar. Reported by Chaoyuan Peng (@ret2happy) on 2022-03-21
CVE-2022-2163 CVE-2022-2477 CVE-2022-2478 CVE-2022-2479 CVE-2022-2480 CVE-2022-2481 https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop_19.html 2022-07-19 2022-07-20
redis -- Potential remote code execution vulnerability redis (>= 7.0.0, < 7.0.4)

The Redis core team reports:

A specially crafted XAUTOCLAIM command on a stream key in a specific state may result with heap overflow, and potentially remote code execution.

CVE-2022-31144 https://groups.google.com/g/redis-db/c/FWngtg3WpfA 2022-07-18 2022-07-18
Grafana -- Stored XSS grafana (>= 8.3.0, < 8.3.10; >= 8.4.0, < 8.4.10; >= 8.5.0, < 8.5.9; >= 9.0.0, < 9.0.3; >= 9.1.0, < 9.2.7) grafana8 (>= 8.3.0, < 8.3.10; >= 8.4.0, < 8.4.10; >= 8.5.0, < 8.5.9) grafana9 (< 9.0.3; >= 9.1.0, < 9.2.7)

Grafana Labs reports:

An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. (Note: Grafana Alerting is activated by default in Grafana 9.0.)

CVE-2022-31097 https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f 2022-06-19 2022-07-15
Grafana -- OAuth Account Takeover grafana (>= 5.3.0, < 8.3.10; >= 8.4.0, < 8.4.10; >= 8.5.0, < 8.5.9; >= 9.0.0, < 9.0.3) grafana7 7.0 grafana8 (>= 8.3.0, < 8.3.10; >= 8.4.0, < 8.4.10; >= 8.5.0, < 8.5.9) grafana9 (< 9.0.3)

Grafana Labs reports:

It is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP to take over an existing Grafana account under some conditions.

CVE-2022-31107 https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2 2022-06-27 2022-07-15
go -- multiple vulnerabilities go118 1.18.4 go117 1.17.12

The Go project reports:

net/http: improper sanitization of Transfer-Encoding header

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected.

compress/gzip: stack exhaustion in Reader.Read

Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.

encoding/xml: stack exhaustion in Unmarshal

Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.

encoding/xml: stack exhaustion in Decoder.Skip

Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.

encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

path/filepath: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

io/fs: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.

CVE-2022-1705 CVE-2022-32148 CVE-2022-30631 CVE-2022-30633 CVE-2022-28131 CVE-2022-30635 CVE-2022-30632 CVE-2022-30630 CVE-2022-1962 https://groups.google.com/g/golang-dev/c/frczlF8OFQ0 2022-07-12 2022-07-13
git -- privilege escalation git 2.37.1

The git project reports:

Git is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository.

CVE-2022-29187 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29187 2022-07-12 2022-07-12
mat2 -- directory traversal/arbitrary file read during ZIP file processing mat2 0.13.0

mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../ directory traversal during the ZIP archive cleaning process. This primarily affects mat2 web instances, in which clients could obtain sensitive information via a crafted archive.

CVE-2022-35410 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35410 2022-07-08 2022-07-10
Gitlab -- multiple vulnerabilities gitlab-ce (>= 15.1.0, < 15.1.1; >= 15.0.0, < 15.0.4; >= 0, < 14.10.5)

Gitlab reports:

Remote Command Execution via Project Imports

XSS in ZenTao integration affecting self hosted instances without strict CSP

XSS in project settings page

Unallowed users can read unprotected CI variables

IP allow-list bypass to access Container Registries

2FA status is disclosed to unauthenticated users

CI variables provided to runners outside of a group's restricted IP range

IDOR in sentry issues

Reporters can manage issues in error tracking

Regular Expression Denial of Service via malicious web server responses

Unauthorized read for conan repository

Open redirect vulnerability

Group labels are editable through subproject

Release titles visible for any users if group milestones are associated with any project releases

Restrict membership by email domain bypass

Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint

CVE-2022-2185 CVE-2022-2235 CVE-2022-2230 CVE-2022-2229 CVE-2022-1983 CVE-2022-1963 CVE-2022-2228 CVE-2022-2243 CVE-2022-2244 CVE-2022-1954 CVE-2022-2270 CVE-2022-2250 CVE-2022-1999 CVE-2022-2281 CVE-2022-1981 CVE-2022-2227 https://about.gitlab.com/releases/2022/06/30/critical-security-release-gitlab-15-1-1-released/ 2022-06-30 2022-07-09
Node.js -- July 7th 2022 Security Releases node (>= 14.0.0, < 14.20.0; >= 16.0.0, < 16.16.0; >= 18.0.0, < 18.5.0) node16 (< 16.16.0) node14 (< 14.20.0)

Node.js reports:

HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (Medium)(CVE-2022-32213)

The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

HTTP Request Smuggling - Improper Delimiting of Header Fields (Medium)(CVE-2022-32214)

The llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)(CVE-2022-32215)

The llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

DNS rebinding in --inspect via invalid IP addresses (High)(CVE-2022-32212)

The IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided (for instance 10.0.2.555 is provided), browsers (such as Firefox) will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MITM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884.

Attempt to read openssl.cnf from /home/iojs/build/ upon startup (Medium)(CVE-2022-32222)

When Node.js starts on linux based systems, it attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf, which ordinarily doesn't exist. On some shared systems an attacker may be able to create this file and therefore affect the default OpenSSL configuration for other users.

OpenSSL - AES OCB fails to encrypt some bytes (Medium)(CVE-2022-2097)

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.

CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215 CVE-2022-32222 CVE-2022-2097 https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/ 2022-07-05 2022-07-08 2022-07-08
chromium -- multiple vulnerabilities chromium 103.0.5060.114

Chrome Releases reports:

This release contains 4 security fixes, including:

  • [1341043] High CVE-2022-2294: Heap buffer overflow in WebRTC. Reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01
  • [1336869] High CVE-2022-2295: Type Confusion in V8. Reported by avaue and Buff3tts at S.S.L. on 2022-06-16
  • [1327087] High CVE-2022-2296: Use after free in Chrome OS Shell. Reported by Khalil Zhani on 2022-05-19
CVE-2022-2294 CVE-2022-2295 CVE-2022-2296 https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html 2022-07-04 2022-07-07
OpenSSL -- AES OCB fails to encrypt some bytes openssl 1.1.1q,1 openssl-devel 3.0.5

The OpenSSL project reports:

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed.

CVE-2022-2097 https://www.openssl.org/news/secadv/20220705.txt 2022-07-05 2022-07-05
Django -- multiple vulnerabilities py37-django32 py38-django32 py39-django32 py310-django32 3.2.14 py38-django40 py39-django40 py310-django40 4.0.6

SO-AND-SO reports:

CVE-2022-34265: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments.

CVE-2022-34265 https://www.djangoproject.com/weblog/2022/jul/04/security-releases/ 2022-06-21 2022-07-04
OpenSSL -- Heap memory corruption with RSA private key operation openssl-devel (>= 3.0.4, < 3.0.5)

The OpenSSL project reports:

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation.

SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

CVE-2022-2274 https://www.openssl.org/news/secadv/20220705.txt 2022-07-01 2022-07-03 2022-07-05
mediawiki -- multiple vulnerabilities mediawiki135 1.35.7 mediawiki137 1.37.3 mediawiki138 1.38.2

Mediawiki reports:

(T308471) Username is not escaped in the "welcomeuser" message.

(T308473) Username not escaped in the contributions-title message.

(T309377, CVE-2022-29248) Update "guzzlehttp/guzzle" to version 6.5.6.

(T311384, CVE-2022-27776) Update "guzzlehttp/guzzle" to 6.5.8/7.4.5.

CVE-2022-29248 CVE-2022-27776 https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/PIPYDRSHXOYW5DB7X755QDNUV5EZWPWB/ 2022-05-16 2022-07-03
py-matrix-synapse -- unbounded recursion in urlpreview py37-matrix-synapse py38-matrix-synapse py39-matrix-synapse py310-matrix-synapse py311-matrix-synapse 1.61.1

Matrix developers report:

This release fixes a vulnerability with Synapse's URL preview feature. URL previews of some web pages can lead to unbounded recursion, causing the request to either fail, or in some cases crash the running Synapse process.

Note that:

  • Homeservers with the url_preview_enabled configuration option set to false (the default value) are unaffected.
  • Instances with the enable_media_repo configuration option set to false are also unaffected, as this also disables the URL preview functionality.
CVE-2022-31052 https://matrix.org/blog/2022/06/28/security-release-synapse-1-61-1 2022-06-28 2022-06-29
cURL -- Multiple vulnerabilities curl (>= 7.16.4, < 7.84.0)

The cURL project reports:

  • CVE-2022-32205: Set-Cookie denial of service
  • CVE-2022-32206: HTTP compression denial of service
  • CVE-2022-32207: Unpreserved file permissions
  • CVE-2022-32208: FTP-KRB bad message verification
CVE-2022-32205 CVE-2022-32206 CVE-2022-32207 CVE-2022-32208 https://curl.se/docs/security.html 2022-06-27 2022-06-27
jenkins -- multiple vulnerabilities jenkins 2.356 jenkins-lts 2.346.1

Jenkins Security Advisory:

Description

(High) SECURITY-2781 / CVE-2022-34170 (SECURITY-2779), CVE-2022-34171 (SECURITY-2761), CVE-2022-34172 (SECURITY-2776), CVE-2022-34173 (SECURITY-2780)

Multiple XSS vulnerabilities

(Medium) SECURITY-2566 / CVE-2022-34174

Observable timing discrepancy allows determining username validity

(Medium) Unauthorized view fragment access

SECURITY-2777 / CVE-2022-34175

CVE-2022-34170 CVE-2022-34171 CVE-2022-34172 CVE-2022-34173 CVE-2022-34174 CVE-2022-34175 https://www.jenkins.io/security/advisory/2022-06-22/ 2022-06-22 2022-06-22
OpenSSL -- Command injection vulnerability openssl 1.1.1p,1 openssl-devel 3.0.4 openssl-quictls 3.0.4

The OpenSSL project reports:

Circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review.

CVE-2022-2068 https://www.openssl.org/news/secadv/20220621.txt 2022-06-21 2022-06-22
chromium -- multiple vulnerabilities chromium 103.0.5060.53

Chrome Releases reports:

This release contains 14 security fixes, including:

  • [1335458] Critical CVE-2022-2156: Use after free in Base. Reported by Mark Brand of Google Project Zero on 2022-06-11
  • [1327312] High CVE-2022-2157: Use after free in Interest groups. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-19
  • [1321078] High CVE-2022-2158: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2022-04-29
  • [1116450] Medium CVE-2022-2160: Insufficient policy enforcement in DevTools. Reported by David Erceg on 2020-08-14
  • [1330289] Medium CVE-2022-2161: Use after free in WebApp Provider. Reported by Zhihua Yao of KunLun Lab on 2022-05-30
  • [1307930] Medium CVE-2022-2162: Insufficient policy enforcement in File System API. Reported by Abdelhamid Naceri (halov) on 2022-03-19
  • [1308341] Low CVE-2022-2163: Use after free in Cast UI and Toolbar. Reported by Chaoyuan Peng (@ret2happy) on 2022-03-21
  • [1268445] Low CVE-2022-2164: Inappropriate implementation in Extensions API. Reported by José Miguel Moreno Computer Security Lab (COSEC) at UC3M on 2021-11-10
  • [1250993] Low CVE-2022-2165: Insufficient data validation in URL formatting. Reported by Rayyan Bijoora on 2021-09-19
CVE-2022-2156 CVE-2022-2157 CVE-2022-2158 CVE-2022-2160 CVE-2022-2161 CVE-2022-2162 CVE-2022-2163 CVE-2022-2164 CVE-2022-2165 https://chromereleases.googleblog.com/2022/06/stable-channel-update-for-desktop_21.html 2022-06-21 2022-06-22
Security Vulnerability found in ExifTool leading to RCE p5-Image-ExifTool 12.38

Debian Security tracker reports:

ExifTool.pm in ExifTool before 12.38 mishandles a file special characters check, leading to command injection

CVE-2022-23935 https://www.cvedetails.com/cve/CVE-2022-23935 2022-01-25 2022-06-11
mitmproxy -- Insufficient Protection against HTTP Request Smuggling mitmproxy 8.0.0

Zeyu Zhang reports:

In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request's body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization.

Unless you use mitmproxy to protect an HTTP/1 service, no action is required.

CVE-2022-24766 https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b 2022-03-21 2022-06-20
Tor -- Unspecified high severity vulnerability tor 0.4.7.8

Tor organization reports:

TROVE-2022-001

https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE 2022-06-14 2022-06-17
XFCE -- Allows executing malicious .desktop files pointing to remote code libexo 4.16.4

XFCE Project reports:

Prevent executing possibly malicious .desktop files from online sources (ftp://, http:// etc.).

CVE-2022-32278 https://gitlab.xfce.org/xfce/exo/-/commit/cc047717c3b5efded2cc7bd419c41a3d1f1e48b6 2022-06-11 2022-06-11
py-numpy -- Missing return-value validation of the function PyArray_DescrNew py38-numpy py39-numpy py310-numpy 1.22.4

Numpy reports:

At most call-sites for PyArray_DescrNew, there are no validations of its return, but an invalid address may be returned.

CVE-2021-41495 https://github.com/numpy/numpy/pull/20960 2021-05-19 2022-06-11
chromium -- multiple vulnerabilities chromium 102.0.5005.115

Chrome Releases reports:

This release contains 7 security fixes, including:

  • [1326210] High CVE-2022-2007: Use after free in WebGPU. Reported by David Manouchehri on 2022-05-17
  • [1317673] High CVE-2022-2008: Out of bounds memory access in WebGL. Reported by khangkito - Tran Van Khang (VinCSS) on 2022-04-19
  • [1325298] High CVE-2022-2010: Out of bounds read in compositing. Reported by Mark Brand of Google Project Zero on 2022-05-13
  • [1330379] High CVE-2022-2011: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-05-31
CVE-2022-2007 CVE-2022-2008 CVE-2022-2010 CVE-2022-2011 https://chromereleases.googleblog.com/2022/06/stable-channel-update-for-desktop.html 2022-06-09 2022-06-09
Apache httpd -- Multiple vulnerabilities apache24 2.4.54

The Apache httpd project reports:

  • CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism. Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.
  • CVE-2022-30556: Information Disclosure in mod_lua with websockets. Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
  • CVE-2022-30522: mod_sed denial of service. If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
  • CVE-2022-29404: Denial of service in mod_lua r:parsebody. In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.
  • CVE-2022-28615: Read beyond bounds in ap_strcmp_match(). Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.
  • CVE-2022-28614: read beyond bounds via ap_rwrite(). The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts() function.
  • CVE-2022-28330: read beyond bounds in mod_isapi. Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module.
  • CVE-2022-26377: mod_proxy_ajp: Possible request smuggling. Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to.
CVE-2022-31813 CVE-2022-30556 CVE-2022-30522 CVE-2022-29404 CVE-2022-28615 CVE-2022-28614 CVE-2022-28330 CVE-2022-26377 http://downloads.apache.org/httpd/CHANGES_2.4.54 2022-06-08 2022-06-09 2022-06-10
go -- multiple vulnerabilities go118 1.18.3 go117 1.17.11

The Go project reports:

crypto/rand: rand.Read hangs with extremely large buffers

On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes.

crypto/tls: session tickets lack random ticket_age_add

Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

os/exec: empty Cmd.Path can result in running unintended binary on Windows

If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput are executed when Cmd.Path is unset and, in the working directory, there are binaries named either "..com" or "..exe", they will be executed.

path/filepath: Clean(`.\c:`) returns `c:` on Windows

On Windows, the filepath.Clean function could convert an invalid path to a valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

https://groups.google.com/g/golang-dev/c/DidEMYAH_n0 CVE-2022-30634 https://go.dev/issue/52561 CVE-2022-30629 https://go.dev/issue/52814 CVE-2022-30580 https://go.dev/issue/52574 CVE-2022-29804 https://go.dev/issue/52476 2022-06-01 2022-06-07
e2fsprogs -- out-of-bounds read/write vulnerability e2fsprogs 1.46.5_1 e2fsprogs-nobootfsck 1.46.5_1 e2fsprogs-roothardlinks 1.46.5_1

Nils Bars reports:

During the processing of [a specially fuzzed disk image], an out-of-bounds write is triggered and causes a segmentation fault (SIGSEGV).

CVE-2022-1304 https://bugzilla.redhat.com/show_bug.cgi?id=2068113 https://bugzilla.redhat.com/show_bug.cgi?id=2069726 https://lore.kernel.org/linux-ext4/20220421173148.20193-1-lczerner@redhat.com/T/#u 2022-03-24 2022-06-05
Gitlab -- multiple vulnerabilities gitlab-ce >=15.0.0 <15.0.1 >=14.10.0 <14.10.4 >=11.10.0 <14.9.5

Gitlab reports:

Account take over via SCIM email change

Stored XSS in Jira integration

Quick action commands susceptible to XSS

IP allowlist bypass when using Trigger tokens

IP allowlist bypass when using Project Deploy Tokens

Improper authorization in the Interactive Web Terminal

Subgroup member can list members of parent group

Group member lock bypass

CVE-2022-1680 CVE-2022-1940 CVE-2022-1948 CVE-2022-1935 CVE-2022-1936 CVE-2022-1944 CVE-2022-1821 CVE-2022-1783 https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/ 2022-06-01 2022-06-04
zeek -- potential DoS vulnerability zeek 4.0.7

Tim Wojtulewicz of Corelight reports:

Fix potential hang in the DNS analyzer when receiving a specially-crafted packet. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability.

https://github.com/zeek/zeek/releases/tag/v4.0.7 2022-06-01 2022-06-03
chromium -- multiple vulnerabilities chromium 102.0.5005.61

Chrome Releases reports:

This release contains 32 security fixes, including:

  • [1324864] Critical CVE-2022-1853: Use after free in Indexed DB. Reported by Anonymous on 2022-05-12
  • [1320024] High CVE-2022-1854: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-04-27
  • [1228661] High CVE-2022-1855: Use after free in Messaging. Reported by Anonymous on 2021-07-13
  • [1323239] High CVE-2022-1856: Use after free in User Education. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-06
  • [1227995] High CVE-2022-1857: Insufficient policy enforcement in File System API. Reported by Daniel Rhea on 2021-07-11
  • [1314310] High CVE-2022-1858: Out of bounds read in DevTools. Reported by EllisVlad on 2022-04-07
  • [1322744] High CVE-2022-1859: Use after free in Performance Manager. Reported by Guannan Wang (@Keenan7310) of Tencent Security Xuanwu Lab on 2022-05-05
  • [1297209] High CVE-2022-1860: Use after free in UI Foundations. Reported by @ginggilBesel on 2022-02-15
  • [1316846] High CVE-2022-1861: Use after free in Sharing. Reported by Khalil Zhani on 2022-04-16
  • [1236325] Medium CVE-2022-1862: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2021-08-04
  • [1292870] Medium CVE-2022-1863: Use after free in Tab Groups. Reported by David Erceg on 2022-02-01
  • [1320624] Medium CVE-2022-1864: Use after free in WebApp Installs. Reported by Yuntao You (@GraVity0) of Bytedance Wuheng Lab on 2022-04-28
  • [1289192] Medium CVE-2022-1865: Use after free in Bookmarks. Reported by Rong Jian of VRI on 2022-01-20
  • [1292264] Medium CVE-2022-1866: Use after free in Tablet Mode. Reported by @ginggilBesel on 2022-01-29
  • [1315563] Medium CVE-2022-1867: Insufficient validation of untrusted input in Data Transfer. Reported by Michal Bentkowski of Securitum on 2022-04-12
  • [1301203] Medium CVE-2022-1868: Inappropriate implementation in Extensions API. Reported by Alesandro Ortiz on 2022-02-28
  • [1309467] Medium CVE-2022-1869: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2022-03-23
  • [1323236] Medium CVE-2022-1870: Use after free in App Service. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-06
  • [1308199] Low CVE-2022-1871: Insufficient policy enforcement in File System API. Reported by Thomas Orlita on 2022-03-21
  • [1310461] Low CVE-2022-1872: Insufficient policy enforcement in Extensions API. Reported by ChaobinZhang on 2022-03-26
  • [1305394] Low CVE-2022-1873: Insufficient policy enforcement in COOP. Reported by NDevTK on 2022-03-11
  • [1251588] Low CVE-2022-1874: Insufficient policy enforcement in Safe Browsing. Reported by hjy79425575 on 2021-09-21
  • [1306443] Low CVE-2022-1875: Inappropriate implementation in PDF. Reported by NDevTK on 2022-03-15
  • [1313600] Low CVE-2022-1876: Heap buffer overflow in DevTools. Reported by @ginggilBesel on 2022-04-06
CVE-2022-1853 CVE-2022-1854 CVE-2022-1855 CVE-2022-1856 CVE-2022-1857 CVE-2022-1858 CVE-2022-1859 CVE-2022-1860 CVE-2022-1861 CVE-2022-1862 CVE-2022-1863 CVE-2022-1864 CVE-2022-1865 CVE-2022-1866 CVE-2022-1867 CVE-2022-1868 CVE-2022-1869 CVE-2022-1870 CVE-2022-1871 CVE-2022-1872 CVE-2022-1873 CVE-2022-1874 CVE-2022-1875 CVE-2022-1876 https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_24.html 2022-05-24 2022-05-24
MariaDB -- Multiple vulnerabilities mariadb103-client 10.3.35 mariadb103-server 10.3.35 mariadb104-client 10.4.25 mariadb104-server 10.4.25 mariadb105-client 10.5.16 mariadb105-server 10.5.16 mariadb106-client 10.6.8 mariadb106-server 10.6.8

The MariaDB project reports:

MariaDB fixed 23 vulnerabilities across all supported versions

CVE-2021-46669 CVE-2022-27376 CVE-2022-27377 CVE-2022-27378 CVE-2022-27379 CVE-2022-27380 CVE-2022-27381 CVE-2022-27382 CVE-2022-27383 CVE-2022-27384 CVE-2022-27386 CVE-2022-27387 CVE-2022-27444 CVE-2022-27445 CVE-2022-27446 CVE-2022-27447 CVE-2022-27448 CVE-2022-27449 CVE-2022-27451 CVE-2022-27452 CVE-2022-27455 CVE-2022-27456 CVE-2022-27457 CVE-2022-27458 https://mariadb.com/kb/en/security/#full-list-of-cves-fixed-in-mariadb 2022-05-20 2022-05-23
clamav -- Multiple vulnerabilities clamav 0.104.3,1 clamav-lts 0.103.6,1

The ClamAV project reports:

Fixed a possible double-free vulnerability in the OLE2 file parser. Issue affects versions 0.104.0 through 0.104.2. Issue identified by OSS-Fuzz.

Fixed a possible infinite loop vulnerability in the CHM file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

Fixed a possible NULL-pointer dereference crash in the scan verdict cache check. Issue affects versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2. Thank you to Alexander Patrakov and Antoine Gatineau for reporting this issue.

Fixed a possible infinite loop vulnerability in the TIFF file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. The issue only occurs if the "--alert-broken-media" ClamScan option is enabled. For ClamD, the affected option is "AlertBrokenMedia yes", and for libclamav it is the "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option. Thank you to Michał Dardas for reporting this issue.

Fixed a possible memory leak in the HTML file parser / Javascript normalizer. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

Fixed a possible multi-byte heap buffer overflow write vulnerability in the signature database load module. The fix was to update the vendored regex library to the latest version. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

CVE-2022-20803 CVE-2022-20770 CVE-2022-20796 CVE-2022-20771 CVE-2022-20785 CVE-2022-20792 https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html#more 2022-05-04 2022-05-19
go -- syscall.Faccessat checks wrong group on Linux go 1.18.2,1 go117 1.17.10

The Go project reports:

When called with a non-zero flags parameter, the syscall.Faccessat function could incorrectly report that a file is accessible. This bug only occurs on Linux systems.

CVE-2022-29526 https://github.com/golang/go/issues/52313 https://groups.google.com/g/golang-dev/c/CPU3TB6d4oY 2022-04-12 2022-05-15
curl -- Multiple vulnerabilities curl 7.83.1

The curl project reports:

CVE-2022-27778: curl removes wrong file on error

CVE-2022-27779: cookie for trailing dot TLD

CVE-2022-27780: percent-encoded path separator in URL host

CVE-2022-27781: CERTINFO never-ending busy-loop

CVE-2022-27782: TLS and SSH connection too eager reuse

CVE-2022-30115: HSTS bypass via trailing dot

CVE-2022-27778 CVE-2022-27779 CVE-2022-27780 CVE-2022-27781 CVE-2022-27782 CVE-2022-30115 https://curl.se/docs/security.html 2022-05-11 2022-05-13
PostgreSQL Server -- execute arbitrary SQL code as DBA user postgresql14-server 14.3 postgresql13-server 13.7 postgresql12-server 12.11 postgresql11-server 11.16 postgresql10-server 10.21

The PostgreSQL project reports:

Confine additional operations within "security restricted operation" sandboxes.

Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW, and pg_amcheck activated the "security restricted operation" protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.

CVE-2022-1552 2022-05-11 2022-05-11
chromium -- multiple vulnerabilities chromium 101.0.4951.64

Chrome Releases reports:

This release contains 13 security fixes, including:

  • [1316990] High CVE-2022-1633: Use after free in Sharesheet. Reported by Khalil Zhani on 2022-04-18
  • [1314908] High CVE-2022-1634: Use after free in Browser UI. Reported by Khalil Zhani on 2022-04-09
  • [1319797] High CVE-2022-1635: Use after free in Permission Prompts. Reported by Anonymous on 2022-04-26
  • [1297283] High CVE-2022-1636: Use after free in Performance APIs. Reported by Seth Brenith, Microsoft on 2022-02-15
  • [1311820] High CVE-2022-1637: Inappropriate implementation in Web Contents. Reported by Alesandro Ortiz on 2022-03-31
  • [1316946] High CVE-2022-1638: Heap buffer overflow in V8 Internationalization. Reported by DoHyun Lee (@l33d0hyun) of DNSLab, Korea University on 2022-04-17
  • [1317650] High CVE-2022-1639: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-04-19
  • [1320592] High CVE-2022-1640: Use after free in Sharing. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-28
  • [1305068] Medium CVE-2022-1641: Use after free in Web UI Diagnostics. Reported by Rong Jian of VRI on 2022-03-10
CVE-2022-1633 CVE-2022-1634 CVE-2022-1635 CVE-2022-1636 CVE-2022-1637 CVE-2022-1638 CVE-2022-1639 CVE-2022-1640 CVE-2022-1641 https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_10.html 2022-05-10 2022-05-10
rsyslog8 -- heap buffer overflow on receiving TCP syslog rsyslog 8.2204.1

Rainer Gerhards reports:

Modules for TCP syslog reception have a heap buffer overflow when octet-counted framing is used. The attacker can corrupt heap values, leading to data integrity issues and availability impact. Remote code execution is unlikely to happen but not impossible.

CVE-2022-24903 https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8 2022-05-05 2022-05-06
gogs -- XSS in issue attachments gogs 0.12.7

The gogs project reports:

Repository issues page allows HTML attachments with arbitrary JS code.

CVE-2022-1464 https://github.com/gogs/gogs/issues/6919 https://huntr.dev/bounties/34a12146-3a5d-4efc-a0f8-7a3ae04b198d/ 2022-04-12 2022-05-05
gitea -- Escape git fetch remote gitea 1.16.7

The Gitea team reports:

Escape git fetch remote in services/migrations/gitea_uploader.go

https://github.com/go-gitea/gitea/pull/19487 2022-04-25 2022-05-05
OpenSSL -- Multiple vulnerabilities openssl 1.1.1o,1 openssl-devel 3.0.3 openssl-quictls 3.0.3

The OpenSSL project reports:

  • The c_rehash script allows command injection (CVE-2022-1292) (Moderate)
    The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.
  • OCSP_basic_verify may incorrectly verify the response signing certificate (CVE-2022-1343) (Moderate)
    The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify.
  • Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434) (Low)
    The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable.
  • Resource leakage when decoding certificates and keys (CVE-2022-1473) (Low)
    The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries.
CVE-2022-1292 CVE-2022-1343 CVE-2022-1434 CVE-2022-1473 https://www.openssl.org/news/secadv/20220503.txt 2022-05-03 2022-05-04 2022-05-05
rainloop -- cross-site-scripting (XSS) vulnerability rainloop-php74 rainloop-php80 rainloop-php81 rainloop-community-php74 rainloop-community-php80 rainloop-community-php81 1.16.0_2

Simon Scannell reports:

The code vulnerability can be easily exploited by an attacker by sending a malicious email to a victim that uses RainLoop as a mail client. When the email is viewed by the victim, the attacker gains full control over the session of the victim and can steal any of their emails, including those that contain highly sensitive information such as passwords, documents, and password reset links.

CVE-2022-29360 https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw https://github.com/RainLoop/rainloop-webmail/issues/2142 2022-04-19 2022-05-03
go -- multiple vulnerabilities go 1.18.1,1 go117 1.17.9

The Go project reports:

encoding/pem: fix stack overflow in Decode.

A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash.

crypto/elliptic: tolerate all oversized scalars in generic P-256.

A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.

crypto/x509: non-compliant certificates can cause a panic in Verify on macOS in Go 1.18.

Verifying certificate chains containing certificates which are not compliant with RFC 5280 causes Certificate.Verify to panic on macOS. These chains can be delivered through TLS and can cause a crypto/tls or net/http client to crash.

CVE-2022-24675 https://github.com/golang/go/issues/51853 CVE-2022-28327 https://github.com/golang/go/issues/52075 CVE-2022-27536 https://github.com/golang/go/issues/51759 2022-04-12 2022-05-02
Rails -- XSS vulnerabilities rubygem-actionpack52 5.2.7.1 rubygem-actionpack60 6.0.4.8 rubygem-actionpack61 6.1.5.1 rubygem-actionpack70 7.0.2.4 rubygem-actionview52 5.2.7.1 rubygem-actionview60 6.0.4.8 rubygem-actionview61 6.1.5.1 rubygem-actionview70 7.0.2.4

Ruby on Rails blog:

This is an announcement to let you know that Rails 7.0.2.4, 6.1.5.1, 6.0.4.8, and 5.2.7.1 have been released!

These are security releases so please update as soon as you can. Once again we've made these releases based on the last release tag, so hopefully upgrading will go smoothly.

The releases address two vulnerabilities, CVE-2022-22577, and CVE-2022-27777. They are both XSS vulnerabilities, so please take a look at the forum posts to see how (or if) they might possibly impact your application.

CVE-2022-22577 CVE-2022-27777 https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released 2022-04-26 2022-04-30
hiredis -- integer/buffer overflow hiredis 1.0.1

hiredis maintainers report:

Hiredis is vulnerable to integer overflow if provided maliciously crafted or corrupted RESP multi-bulk protocol data. When parsing multi-bulk (array-like) replies, hiredis fails to check if count * sizeof(redisReply*) can be represented in SIZE_MAX. If it can not, and the calloc() call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow.

CVE-2021-32765 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32765 https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2 2021-10-04 2022-04-29
cURL -- Multiple vulnerabilities curl 7.83.0

The cURL project reports:

  • OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
  • Credential leak on redirect (CVE-2022-27774)
  • Bad local IPv6 connection reuse (CVE-2022-27775)
  • Auth/cookie leak on redirect (CVE-2022-27776)
CVE-2022-22576 CVE-2022-27774 CVE-2022-27775 CVE-2022-27776 https://curl.se/docs/vuln-7.82.0.html 2022-04-27 2022-04-28
chromium -- multiple vulnerabilities chromium 101.0.4951.41

Chrome Releases reports:

This release contains 30 security fixes, including:

  • [1313905] High CVE-2022-1477: Use after free in Vulkan. Reported by SeongHwan Park (SeHwa) on 2022-04-06
  • [1299261] High CVE-2022-1478: Use after free in SwiftShader. Reported by SeongHwan Park (SeHwa) on 2022-02-20
  • [1305190] High CVE-2022-1479: Use after free in ANGLE. Reported by Jeonghoon Shin of Theori on 2022-03-10
  • [1307223] High CVE-2022-1480: Use after free in Device API. Reported by @uwu7586 on 2022-03-17
  • [1302949] High CVE-2022-1481: Use after free in Sharing. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-03-04
  • [1304987] High CVE-2022-1482: Inappropriate implementation in WebGL. Reported by Christoph Diehl, Microsoft on 2022-03-10
  • [1314754] High CVE-2022-1483: Heap buffer overflow in WebGPU. Reported by Mark Brand of Google Project Zero on 2022-04-08
  • [1297429] Medium CVE-2022-1484: Heap buffer overflow in Web UI Settings. Reported by Chaoyuan Peng (@ret2happy) on 2022-02-15
  • [1299743] Medium CVE-2022-1485: Use after free in File System API. Reported by Anonymous on 2022-02-22
  • [1314616] Medium CVE-2022-1486: Type Confusion in V8. Reported by Brendon Tiszka on 2022-04-08
  • [1304368] Medium CVE-2022-1487: Use after free in Ozone. Reported by Sri on 2022-03-09
  • [1302959] Medium CVE-2022-1488: Inappropriate implementation in Extensions API. Reported by Thomas Beverley from Wavebox.io on 2022-03-04
  • [1300561] Medium CVE-2022-1489: Out of bounds memory access in UI Shelf. Reported by Khalil Zhani on 2022-02-25
  • [1301840] Medium CVE-2022-1490: Use after free in Browser Switcher. Reported by raven at KunLun lab on 2022-03-01
  • [1305706] Medium CVE-2022-1491: Use after free in Bookmarks. Reported by raven at KunLun lab on 2022-03-12
  • [1315040] Medium CVE-2022-1492: Insufficient data validation in Blink Editing. Reported by Michal Bentkowski of Securitum on 2022-04-11
  • [1275414] Medium CVE-2022-1493: Use after free in Dev Tools. Reported by Zhihua Yao of KunLun Lab on 2021-12-01
  • [1298122] Medium CVE-2022-1494: Insufficient data validation in Trusted Types. Reported by Masato Kinugawa on 2022-02-17
  • [1301180] Medium CVE-2022-1495: Incorrect security UI in Downloads. Reported by Umar Farooq on 2022-02-28
  • [1306391] Medium CVE-2022-1496: Use after free in File Manager. Reported by Zhiyi Zhang and Zhunki from Codesafe Team of Legendsec at Qi'anxin Group on 2022-03-15
  • [1264543] Medium CVE-2022-1497: Inappropriate implementation in Input. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-10-29
  • [1297138] Low CVE-2022-1498: Inappropriate implementation in HTML Parser. Reported by SeungJu Oh (@real_as3617) on 2022-02-14
  • [1000408] Low CVE-2022-1499: Inappropriate implementation in WebAuthentication. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-09-04
  • [1223475] Low CVE-2022-1500: Insufficient data validation in Dev Tools. Reported by Hoang Nguyen on 2021-06-25
  • [1293191] Low CVE-2022-1501: Inappropriate implementation in iframe. Reported by Oriol Brufau on 2022-02-02
CVE-2022-1477 CVE-2022-1478 CVE-2022-1479 CVE-2022-1480 CVE-2022-1481 CVE-2022-1482 CVE-2022-1483 CVE-2022-1484 CVE-2022-1485 CVE-2022-1486 CVE-2022-1487 CVE-2022-1488 CVE-2022-1489 CVE-2022-1490 CVE-2022-1491 CVE-2022-1492 CVE-2022-1493 CVE-2022-1494 CVE-2022-1495 CVE-2022-1496 CVE-2022-1497 CVE-2022-1498 CVE-2022-1499 CVE-2022-1500 CVE-2022-1501 https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html 2022-04-26 2022-04-28
redis -- Multiple vulnerabilities redis 6.2.7 redis-devel 7.0.0.20220428 redis62 6.2.7

Aviv Yahav reports:

CVE-2022-24735

By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user.

CVE-2022-24736

An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process.

CVE-2022-24735 CVE-2022-24736 https://groups.google.com/g/redis-db/c/7iWUlwtoDqU 2022-04-27 2022-04-27
eb -- Potential buffer overrun vulnerability ja-eb 4.4.3_5

Kazuhiro Ito reports:

Potential buffer overrun vulnerability is found in eb/multiplex.c.

mailto:edict@ring.gr.jp 2022-04-25 2022-04-26
zeek -- potential DoS vulnerability zeek 4.0.6

Tim Wojtulewicz of Corelight reports:

Fix potential unbounded state growth in the FTP analyzer when receiving a specially-crafted stream of commands. This may lead to a buffer overflow and cause Zeek to crash. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability.

https://github.com/zeek/zeek/releases/tag/v4.0.6 2022-04-21 2022-04-21
zgrep -- arbitrary file write gzip 1.12

RedHat reports:

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

CVE-2022-1271 https://bugzilla.redhat.com/show_bug.cgi?id=2073310 2022-04-07 2022-04-19
Nextcloud Calendar -- SMTP Command Injection nextcloud-calendar 3.2.2

reports:

SMTP Command Injection in Appointment Emails via Newlines: as newlines and special characters are not sanitized in the email value in the JSON request, a malicious attacker can inject newlines to break out of the `RCPT TO:<BOOKING USER'S EMAIL>` SMTP command and begin injecting arbitrary SMTP commands.

CVE-2022-24838 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8xv5-4855-24qf 2022-04-11 2022-04-17
MySQL -- Multiple vulnerabilities mysql57-server 5.7.38 mysql80-client 8.0.29 mysql80-server 8.0.29

Oracle reports:

The 2022 April Critical Patch Update contains 43 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

https://www.oracle.com/security-alerts/cpuapr2022.html CVE-2022-0778 CVE-2021-22570 CVE-2022-0778 CVE-2022-21454 CVE-2022-21482 CVE-2022-21483 CVE-2022-21489 CVE-2022-21490 CVE-2022-21457 CVE-2022-21425 CVE-2022-21440 CVE-2022-21459 CVE-2022-21478 CVE-2022-21479 CVE-2022-21418 CVE-2022-21417 CVE-2022-21413 CVE-2022-21427 CVE-2022-21412 CVE-2022-21414 CVE-2022-21435 CVE-2022-21436 CVE-2022-21437 CVE-2022-21438 CVE-2022-21452 CVE-2022-21462 CVE-2022-21415 CVE-2022-21451 CVE-2022-21444 CVE-2022-21460 CVE-2022-21484 CVE-2022-21485 CVE-2022-21486 CVE-2022-21423 2022-04-16 2022-04-16 2022-05-23
chromium -- multiple vulnerabilities chromium 100.0.4896.127

Chrome Releases reports:

This release contains 2 security fixes, including:

  • [1315901] High CVE-2022-1364: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2022-0-13
CVE-2022-1364 https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html 2022-04-14 2022-04-15
Asterisk -- func_odbc: Possible SQL Injection asterisk16 16.25.2 asterisk18 18.11.2

The Asterisk project reports:

Some databases can use backslashes to escape certain characters, such as backticks. If input is provided to func_odbc which includes backslashes it is possible for func_odbc to construct a broken SQL query and the SQL query to fail.

CVE-2022-26651 https://downloads.asterisk.org/pub/security/AST-2022-003.html 2022-04-14 2022-04-14
Asterisk -- multiple vulnerabilities asterisk16 16.15.016.25.2 asterisk18 18.11.2

The Asterisk project reports:

AST-2022-001 - When using STIR/SHAKEN, its possible to download files that are not certificates. These files could be much larger than what you would expect to download.

AST-2022-002 - When using STIR/SHAKEN, its possible to send arbitrary requests like GET to interfaces such as localhost using the Identity header.

CVE-2022-26498 https://downloads.asterisk.org/pub/security/AST-2022-001.html CVE-2022-26499 https://downloads.asterisk.org/pub/security/AST-2022-002.html 2022-04-14 2022-04-14
Composer -- Command injection vulnerability php74-composer php80-composer php81-composer 1.10.26 php74-composer2 php80-composer2 php81-composer2 2.0.02.2.12 2.3.02.3.5

Composer developers reports:

The Composer method VcsDriver::getFileContent() with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used.

CVE-2022-24828 https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6 2022-04-13 2022-04-13
Subversion -- Multiple vulnerabilities in server code subversion 1.10.01.10.8 1.11.01.14.2 mod_dav_svn 1.10.01.10.8 1.11.01.14.2 subversion-lts 1.10.01.10.8 mod_dav_svn-lts 1.10.01.10.8

Subversion project reports:

Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.

While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed.

CVE-2021-28544 CVE-2022-24070 https://subversion.apache.org/security/CVE-2021-28544-advisory.txt https://subversion.apache.org/security/CVE-2022-24070-advisory.txt 2022-04-12 2022-04-13
Ruby -- Buffer overrun in String-to-Float conversion ruby 2.7.0,12.7.6,1 3.0.0,13.0.4,1 3.1.0,13.1.2,1 3.2.0.p1,13.2.0.p1_1,1 ruby27 2.7.0,12.7.6,1 ruby30 3.0.0,13.0.4,1 ruby31 3.1.0,13.1.2,1 ruby32 3.2.0.p1,13.2.0.p1_1,1

piao reports:

Due to a bug in an internal function that converts a String to a Float, some convertion methods like Kernel#Float and String#to_f could cause buffer over-read. A typical consequence is a process termination due to segmentation fault, but in a limited circumstances, it may be exploitable for illegal memory read.

CVE-2022-28739 https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/ 2022-04-12 2022-04-13
Ruby -- Double free in Regexp compilation ruby 3.0.0,13.0.4,1 3.1.0,13.1.2,1 3.2.0.p1,13.2.0.p1_1,1 ruby30 3.0.0,13.0.4,1 ruby31 3.1.0,13.1.2,1 ruby32 3.2.0.p1,13.2.0.p1_1,1

piao reports:

Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a "double free" vulnerability. Note that, in general, it is considered unsafe to create and use a Regexp object generated from untrusted input. In this case, however, following a comprehensive assessment, we treat this issue as a vulnerability.

CVE-2022-28738 https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738/ 2022-04-12 2022-04-13
mutt -- mutt_decode_uuencoded() can read past the of the input line mutt 2.2.3

Tavis Ormandy reports:

mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in message parts, for example fragments of other messages, passphrases or keys in replys

CVE-2022-1328 https://gitlab.com/muttmua/mutt/-/issues/404 2022-04-04 2022-04-12
Chromium -- mulitple vulnerabilities chromium 100.0.4896.88

Chrome Releases reports:

This release contains 11 security fixes, including:

  • [1285234] High CVE-2022-1305: Use after free in storage. Reported by Anonymous on 2022-01-07
  • [1299287] High CVE-2022-1306: Inappropriate implementation in compositing. Reported by Sven Dysthe on 2022-02-21
  • [1301873] High CVE-2022-1307: Inappropriate implementation in full screen. Reported by Irvan Kurniawan (sourc7) on 2022-03-01
  • [1283050] High CVE-2022-1308: Use after free in BFCache. Reported by Samet Bekmezci (@sametbekmezci) on 2021-12-28
  • [1106456] High CVE-2022-1309: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-07-17
  • [1307610] High CVE-2022-1310: Use after free in regular expressions. Reported by Brendon Tiszka on 2022-03-18
  • [1310717] High CVE-2022-1311: Use after free in Chrome OS shell. Reported by Nan Wang (@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-03-28
  • [1311701] High CVE-2022-1312: Use after free in storage. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2022-03-30
  • [1270539] Medium CVE-2022-1313: Use after free in tab groups. Reported by Thomas Orlita on 2021-11-16
  • [1304658] Medium CVE-2022-1314: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2022-03-09
CVE-2022-1305 CVE-2022-1306 CVE-2022-1307 CVE-2022-1308 CVE-2022-1309 CVE-2022-1310 CVE-2022-1311 CVE-2022-1312 CVE-2022-1313 CVE-2022-1314 https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html 2022-04-11 2022-04-12
Django -- multiple vulnerabilities py37-django22 py38-django22 py39-django22 py310-django22 2.2.28 py37-django32 py38-django32 py39-django32 py310-django32 3.2.13 py38-django40 py39-django40 py310-django40 4.0.4

Django Release reports:

CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra().

CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL.

CVE-2022-28346 CVE-2022-28347 https://www.djangoproject.com/weblog/2022/apr/11/security-releases/ 2022-04-02 2022-04-12
FreeBSD -- zlib compression out-of-bounds write FreeBSD 13.013.0_11 12.312.3_5

Problem Description:

Certain inputs can cause zlib's compression routine to overwrite an internal buffer with compressed data. This issue may require the use of uncommon or non-default compression parameters.

Impact:

The out-of-bounds write may result in memory corruption and an application crash or kernel panic.

CVE-2018-25032 SA-22:08.zlib 2022-04-06 2022-04-07
FreeBSD -- 802.11 heap buffer overflow FreeBSD-kernel 13.013.0_11 12.312.3_5

Problem Description:

The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer.

Impact:

While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution.

CVE-2022-23088 SA-22:07.wifi_meshid 2022-04-06 2022-04-07
FreeBSD -- mpr/mps/mpt driver ioctl heap out-of-bounds write FreeBSD-kernel 13.013.0_11 12.312.3_5

Problem Description:

Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Other heap content would be overwritten if the specified size was too small.

Impact:

Users with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation. Note that the device node is only accessible to root and members of the operator group.

CVE-2022-23086 SA-22:06.ioctl 2022-04-06 2022-04-07
FreeBSD -- Bhyve e82545 device emulation out-of-bounds write FreeBSD-kernel 13.013.0_11 12.312.3_5

Problem Description:

The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets.

When checksum offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to specify the checksum offset in the on-stack buffer. The offset was not validated for certain packet types.

Impact:

A misbehaving bhyve guest could overwrite memory in the bhyve process on the host, possibly leading to code execution in the host context.

The bhyve process runs in a Capsicum sandbox, which (depending on the FreeBSD version and bhyve configuration) limits the impact of exploiting this issue.

CVE-2022-23087 SA-22:05.bhyve 2022-04-06 2022-04-07
FreeBSD -- Potential jail escape vulnerabilities in netmap FreeBSD-kernel 13.013.0_11 12.312.3_5

Problem Description:

The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. [CVE-2022-23084]

A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. [CVE-2022-23085]

Impact:

On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.

CVE-2022-23084 CVE-2022-23085 SA-22:04.netmap 2022-04-06 2022-04-07
chromium -- Type confusion in V8 chromium 100.0.4896.75

Chrome Releases reports:

This release includes one security fix:

  • [1311641] High CVE-2022-1232: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2022-03-30
CVE-2022-1232 https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop.html 2022-04-04 2022-04-05
Gitlab -- multiple vulnerabilities gitlab-ce 14.9.014.9.2 14.8.014.8.5 014.7.7

Gitlab reports:

Static passwords inadvertently set during OmniAuth-based registration

Stored XSS in notes

Stored XSS on Multi-word milestone reference

Denial of service caused by a specially crafted RDoc file

GitLab Pages access tokens can be reused on multiple domains

GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout

Incorrect include in pipeline definition exposes masked CI variables in UI

Regular expression denial of service in release asset link

Latest Commit details from private projects leaked to guest users via Merge Requests

CI/CD analytics are available even when public pipelines are disabled

Absence of limit for the number of tags that can be added to a runner can cause performance issues

Client DoS through rendering crafted comments

Blind SSRF Through Repository Mirroring

Bypass of branch restriction in Asana integration

Readable approval rules by Guest user

Redact InvalidURIError error messages

Project import maps members' created_by_id users based on source user ID

CVE-2022-1162 CVE-2022-1175 CVE-2022-1190 CVE-2022-1185 CVE-2022-1148 CVE-2022-1121 CVE-2022-1120 CVE-2022-1100 CVE-2022-1193 CVE-2022-1105 CVE-2022-1099 CVE-2022-1174 CVE-2022-1188 CVE-2022-0740 CVE-2022-1189 CVE-2022-1157 CVE-2022-1111 https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/ 2022-03-31 2022-04-04
mediawiki -- multiple vulnerabilities mediawiki135 1.35.6 mediawiki136 1.36.4 mediawiki137 1.37.2

Mediawiki reports:

(T297543, CVE-2022-28202) Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.

(T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki.

(T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file uploads with actor as a condition can result in a DoS.

(T297754, CVE-2022-28204) Special:WhatLinksHere can result in a DoS when a page is used on a extremely large number of other pages.

CVE-2022-28201 CVE-2022-28202 CVE-2022-28203 CVE-2022-28204 https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/YJNXKPV5Z56NSUQ4G3SXPDUIZG5EQ7UR/ 2021-12-12 2022-04-04
dnsmasq -- heap use-after-free in dhcp6_no_relay dnsmasq 2.86_4,1 dnsmasq-devel 2.86_4,1

Petr Menšík reports:

Possible vulnerability [...] found in latest dnsmasq. It [was] found with help of oss-fuzz Google project by me and short after that independently also by Richard Johnson of Trellix Threat Labs.

It is affected only by DHCPv6 requests, which could be crafted to modify already freed memory. [...] We think it might be triggered remotely, but we do not think it could be used to execute remote code.

CVE-2022-0934 https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016272.html 2022-03-31 2022-04-03
gitea -- Open Redirect on login gitea 1.16.5

Andrew Thornton reports:

When a location containing backslashes is presented, the existing protections against open redirect are bypassed, because browsers will convert adjacent forward and backslashes within the location to double forward slashes.

CVE-2022-1058 https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d/ 2022-03-23 2022-03-29
gitea -- Improper/incorrect authorization gitea 1.16.4

Youssef Rebahi-Gilbert reports:

When Gitea is built and configured for PAM authentication it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login.

CVE-2022-0905 https://huntr.dev/bounties/8d221f92-b2b1-4878-bc31-66ff272e5ceb 2022-03-06 2022-03-29
chromium -- multiple vulnerabilities chromium 100.0.4896.60

Chrome Releases reports:

This release contains 28 security fixes, including:

  • [1292261] High CVE-2022-1125: Use after free in Portals. Reported by Khalil Zhani on 2022-01-29
  • [1291891] High CVE-2022-1127: Use after free in QR Code Generator. Reported by anonymous on 2022-01-28
  • [1301920] High CVE-2022-1128: Inappropriate implementation in Web Share API. Reported by Abdel Adim (@smaury92) Oisfi of Shielder on 2022-03-01
  • [1300253] High CVE-2022-1129: Inappropriate implementation in Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on 2022-02-24
  • [1142269] High CVE-2022-1130: Insufficient validation of untrusted input in WebOTP. Reported by Sergey Toshin of Oversecurity Inc. on 2020-10-25
  • [1297404] High CVE-2022-1131: Use after free in Cast UI. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2022-02-15
  • [1303410] High CVE-2022-1132: Inappropriate implementation in Virtual Keyboard. Reported by Andr.Ess on 2022-03-07
  • [1305776] High CVE-2022-1133: Use after free in WebRTC. Reported by Anonymous on 2022-03-13
  • [1308360] High CVE-2022-1134: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2022-03-21
  • [1285601] Medium CVE-2022-1135: Use after free in Shopping Cart. Reported by Wei Yuan of MoyunSec VLab on 2022-01-09
  • [1280205] Medium CVE-2022-1136: Use after free in Tab Strip. Reported by Krace on 2021-12-15
  • [1289846] Medium CVE-2022-1137: Inappropriate implementation in Extensions. Reported by Thomas Orlita on 2022-01-22
  • [1246188] Medium CVE-2022-1138: Inappropriate implementation in Web Cursor. Reported by Alesandro Ortiz on 2021-09-03
  • [1268541] Medium CVE-2022-1139: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-11-10
  • [1303253] Medium CVE-2022-1141: Use after free in File Manager. Reported by raven at KunLun lab on 2022-03-05
  • [1303613] Medium CVE-2022-1142: Heap buffer overflow in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-03-07
  • [1303615] Medium CVE-2022-1143: Heap buffer overflow in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-03-07
  • [1304145] Medium CVE-2022-1144: Use after free in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-03-08
  • [1304545] Medium CVE-2022-1145: Use after free in Extensions. Reported by Yakun Zhang of Baidu Security on 2022-03-09
  • [1290150] Low CVE-2022-1146: Inappropriate implementation in Resource Timing. Reported by Sohom Datta on 2022-01-23
CVE-2022-1125 CVE-2022-1127 CVE-2022-1128 CVE-2022-1129 CVE-2022-1130 CVE-2022-1131 CVE-2022-1132 CVE-2022-1133 CVE-2022-1134 CVE-2022-1135 CVE-2022-1136 CVE-2022-1137 CVE-2022-1138 CVE-2022-1139 CVE-2022-1141 CVE-2022-1142 CVE-2022-1143 CVE-2022-1144 CVE-2022-1145 CVE-2022-1146 https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html 2022-03-29 2022-03-29
powerdns-recursor -- denial of service powerdns-recursor 4.6.0

PowerDNS Team reports:

PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor.

CVE-2022-27227 https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html 2022-03-25 2022-03-27
powerdns -- denial of service powerdns 4.6.0

PowerDNS Team reports:

PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor.

CVE-2022-27227 https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html 2022-03-25 2022-03-27
chromium -- V8 type confusion chromium 99.0.4844.84

Chrome Releases reports:

This release contains 1 security fix:

  • [1309225] High CVE-2022-1096: Type Confusion in V8. Reported by anonymous on 2022-03-23

Google is aware that an exploit for CVE-2022-1096 exists in the wild.

CVE-2022-1096 https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html 2022-03-25 2022-03-25
Security Vulnerability found in ExifTool p5-Image-ExifTool 7.4412.24

Debian Security Advisory reports:

A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed.

CVE-2021-22204 https://www.cvedetails.com/cve/CVE-2021-22204/ 2021-01-04 2022-03-25
tcpslice -- heap-based use-after-free in extract_slice() tcpslice 1.5,1

The Tcpdump Group reports:

heap-based use-after-free in extract_slice()

CVE-2021-41043 https://github.com/the-tcpdump-group/tcpslice/issues/11 2021-09-13 2022-03-22
go -- multiple vulnerabilities go 1.17.8,1

The Go project reports:

regexp: stack exhaustion compiling deeply nested expressions

On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB.

CVE-2022-24921 https://github.com/golang/go/issues/51112 2022-02-09 2022-03-19
openvpn -- Potential authentication by-pass with multiple deferred authentication plug-ins openvpn 2.5.6 openvpn-mbedtls 2.5.6

David Sommerseth reports:

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. This issue is resolved in OpenVPN 2.4.12 and v2.5.6.

CVE-2022-0547 https://community.openvpn.net/openvpn/wiki/CVE-2022-0547 https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-256 2022-03-10 2022-03-17
wordpress -- multiple issues wordpress fr-wordpress 5.9.2,1 de-wordpress zh_CN-wordpress th_TW-wordpress ja-wordpress ru-wordpress 5.9.2

wordpress developers reports:

This security and maintenance release features 1 bug fix in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated. The security team would like to thank the following people for responsively reporting vulnerabilities, allowing them to be fixed in this release: -Melar Dev, for finding a Prototype Pollution Vulnerability in a jQuery dependency -Ben Bidner of the WordPress security team, for finding a Stored Cross Site Scripting Vulnerability -Researchers from Johns Hopkins University, for finding a Prototype Pollution Vulnerability in the block editor

https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/ 2022-03-11 2022-03-16
Weechat -- Possible man-in-the-middle attack in TLS connection to servers weechat 3.4.1

The Weechat project reports:

After changing the options weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user, the TLS verification function is lost. Consequently, any connection to a server with TLS is made without verifying the certificate, which could lead to a man-in-the-middle attack. Connection to IRC servers with TLS is affected, as well as any connection a server made by a plugin or a script using the function hook_connect.

https://weechat.org/doc/security/WSA-2022-1/ 2022-03-13 2022-03-16
OpenSSL -- Infinite loop in BN_mod_sqrt parsing certificates openssl 1.1.1n,1 openssl-devel 3.0.2 openssl-quictls 3.0.2 libressl 3.4.3 libressl-devel 3.5.1 FreeBSD 13.013.0_8 12.312.3_3 12.212.2_14

The OpenSSL project reports:

Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.

Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.

It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.

Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.

Thus vulnerable situations include:

  • TLS clients consuming server certificates
  • TLS servers consuming client certificates
  • Hosting providers taking certificates or private keys from customers
  • Certificate authorities parsing certification requests from subscribers
  • Anything else which parses ASN.1 elliptic curve parameters

Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue.

CVE-2022-0778 https://www.openssl.org/news/secadv/20220315.txt SA-22:03.openssl 2022-03-15 2022-03-16 2022-03-16
FreeBSD-kernel -- Multiple WiFi issues FreeBSD-kernel 13.013.0_8 12.312.3_3 12.212.2_14

Problem Description:

The paper "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation" reported a number of security vulnerabilities in the 802.11 specification related to frame aggregation and fragmentation.

Additionally, FreeBSD 12.x missed length validation of SSIDs and Information Elements (IEs).

Impact:

As reported on the FragAttacks website, the "design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings." Under suitable conditions an attacker may be able to extract sensitive data or inject data.

CVE-2020-26147 CVE-2020-24588 CVE-2020-26144 SA-22:02.wifi 2022-03-15 2022-03-16
chromium -- multiple vulnerabilities chromium 98.0.4844.74

Chrome Releases reports:

This release contains 11 security fixes, including:

  • [1299422] Critical CVE-2022-0971: Use after free in Blink Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-02-21
  • [1301320] High CVE-2022-0972: Use after free in Extensions. Reported by Sergei Glazunov of Google Project Zero on 2022-02-28
  • [1297498] High CVE-2022-0973: Use after free in Safe Browsing. Reported by avaue and Buff3tts at S.S.L. on 2022-02-15
  • [1291986] High CVE-2022-0974: Use after free in Splitscreen. Reported by @ginggilBesel on 2022-01-28
  • [1295411] High CVE-2022-0975: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-02-09
  • [1296866] High CVE-2022-0976: Heap buffer overflow in GPU. Reported by Omair on 2022-02-13
  • [1299225] High CVE-2022-0977: Use after free in Browser UI. Reported by Khalil Zhani on 2022-02-20
  • [1299264] High CVE-2022-0978: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-02-20
  • [1302644] High CVE-2022-0979: Use after free in Safe Browsing. Reported by anonymous on 2022-03-03
  • [1302157] Medium CVE-2022-0980: Use after free in New Tab Page. Reported by Krace on 2022-03-02
CVE-2022-0971 CVE-2022-0972 CVE-2022-0973 CVE-2022-0974 CVE-2022-0975 CVE-2022-0976 CVE-2022-0977 CVE-2022-0978 CVE-2022-0979 CVE-2022-0980 https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_15.html 2022-03-15 2022-03-15
Apache httpd -- Multiple vulnerabilities apache24 2.4.53

The Apache httpd project reports:

  • mod_lua: Use of uninitialized value of in r:parsebody (moderate) (CVE-2022-22719)

    A carefully crafted request body can cause a read to a random memory area which could cause the process to crash.

  • HTTP request smuggling vulnerability (important) (CVE-2022-22720)

    httpd fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling

  • core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (low) (CVE-2022-22721)

    If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes.

  • mod_sed: Read/write beyond bounds (important) (CVE-2022-23924)

    Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data.

CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 CVE-2022-23943 https://httpd.apache.org/security/vulnerabilities_24.html 2022-03-14 2022-03-15
Teeworlds -- Buffer Overflow teeworlds 0.7.5_2

NVD reports:

Teeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. A map parser does not validate m_Channels value coming from a map file, leading to a buffer overflow. A malicious server may offer a specially crafted map that will overwrite client's stack causing denial of service or code execution.

CVE-2021-43518 https://nvd.nist.gov/vuln/detail/CVE-2021-43518 2021-10-23 2022-03-10
Gitlab -- multiple vulnerabilities gitlab-ce 14.8.014.8.2 14.7.014.7.4 014.6.5

Gitlab reports:

Runner registration token disclosure through Quick Actions

Unprivileged users can add other users to groups through an API endpoint

Inaccurate display of Snippet contents can be potentially misleading to users

Environment variables can be leaked via the sendmail delivery method

Unauthenticated user enumeration on GraphQL API

Adding a mirror with SSH credentials can leak password

Denial of Service via user comments

CVE-2022-0735 CVE-2022-0549 CVE-2022-0751 CVE-2022-0741 CVE-2021-4191 CVE-2022-0738 CVE-2022-0489 https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/ 2022-02-25 2022-03-09
asterisk -- multiple vulnerabilities asterisk16 16.24.1 asterisk18 18.10.1

The Asterisk project reports:

AST-2022-004 - The header length on incoming STUN messages that contain an ERROR-CODE attribute is not properly checked. This can result in an integer underflow. Note, this requires ICE or WebRTC support to be in use with a malicious remote party.

AST-2022-005 - When acting as a UAC, and when placing an outgoing call to a target that then forks Asterisk may experience undefined behavior (crashes, hangs, etc) after a dialog set is prematurely freed.

AST-2022-006 - If an incoming SIP message contains a malformed multi-part body an out of bounds read access may occur, which can result in undefined behavior. Note, its currently uncertain if there is any externally exploitable vector within Asterisk for this issue, but providing this as a security issue out of caution.

CVE-2021-37706 CVE-2022-23608 CVE-2022-21723 https://downloads.asterisk.org/pub/security/AST-2022-004.html https://downloads.asterisk.org/pub/security/AST-2022-005.html https://downloads.asterisk.org/pub/security/AST-2022-006.html 2022-03-03 2022-03-05
chromium -- multiple vulnerabilities chromium 99.0.4844.51

Chrome Releases reports:

This release contains 28 security fixes, including:

  • [1289383] High CVE-2022-0789: Heap buffer overflow in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-01-21
  • [1274077] High CVE-2022-0790: Use after free in Cast UI. Reported by Anonymous on 2021-11-26
  • [1278322] High CVE-2022-0791: Use after free in Omnibox. Reported by Zhihua Yao of KunLun Lab on 2021-12-09
  • [1285885] High CVE-2022-0792: Out of bounds read in ANGLE. Reported by Jaehun Jeong (@n3sk) of Theori on 2022-01-11
  • [1291728] High CVE-2022-0793: Use after free in Views. Reported by Thomas Orlita on 2022-01-28
  • [1294097] High CVE-2022-0794: Use after free in WebShare. Reported by Khalil Zhani on 2022-02-04
  • [1282782] High CVE-2022-0795: Type Confusion in Blink Layout. Reported by 0x74960 on 2021-12-27
  • [1295786] High CVE-2022-0796: Use after free in Media. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-02-10
  • [1281908] High CVE-2022-0797: Out of bounds memory access in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-12-21
  • [1283402] Medium CVE-2022-0798: Use after free in MediaStream. Reported by Samet Bekmezci @sametbekmezci on 2021-12-30
  • [1279188] Medium CVE-2022-0799: Insufficient policy enforcement in Installer. Reported by Abdelhamid Naceri (halov) on 2021-12-12
  • [1242962] Medium CVE-2022-0800: Heap buffer overflow in Cast UI. Reported by Khalil Zhani on 2021-08-24
  • [1231037] Medium CVE-2022-0801: Inappropriate implementation in HTML parser. Reported by Michal Bentkowski of Securitum on 2021-07-20
  • [1270052] Medium CVE-2022-0802: Inappropriate implementation in Full screen mode. Reported by Irvan Kurniawan (sourc7) on 2021-11-14
  • [1280233] Medium CVE-2022-0803: Inappropriate implementation in Permissions. Reported by Abdulla Aldoseri on 2021-12-15
  • [1264561] Medium CVE-2022-0804: Inappropriate implementation in Full screen mode. Reported by Irvan Kurniawan (sourc7) on 2021-10-29
  • [1290700] Medium CVE-2022-0805: Use after free in Browser Switcher. Reported by raven at KunLun Lab on 2022-01-25
  • [1283434] Medium CVE-2022-0806: Data leak in Canvas. Reported by Paril on 2021-12-31
  • [1287364] Medium CVE-2022-0807: Inappropriate implementation in Autofill. Reported by Alesandro Ortiz on 2022-01-14
  • [1292271] Medium CVE-2022-0808: Use after free in Chrome OS Shell. Reported by @ginggilBesel on 2022-01-29
  • [1293428] Medium CVE-2022-0809: Out of bounds memory access in WebXR. Reported by @uwu7586 on 2022-02-03
CVE-2022-0789 CVE-2022-0790 CVE-2022-0791 CVE-2022-0792 CVE-2022-0793 CVE-2022-0794 CVE-2022-0795 CVE-2022-0796 CVE-2022-0797 CVE-2022-0798 CVE-2022-0799 CVE-2022-0800 CVE-2022-0801 CVE-2022-0802 CVE-2022-0803 CVE-2022-0804 CVE-2022-0805 CVE-2022-0806 CVE-2022-0807 CVE-2022-0808 CVE-2022-0809 https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop.html 2022-03-01 2022-03-02
cyrus-sasl -- Fix off by one error cyrus-sasl 2.1.272.1.28

Cyrus SASL 2.1.x Release Notes New in 2.1.28 reports:

Fix off by one error

CVE-2019-19906 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906 2019-12-19 2022-02-28
typo3 -- XSS vulnerability in svg-sanitize typo3-10-php74 10.4.25 typo3-11-php74 typo3-11-php80 typo3-11-php81 11.5.7

The TYPO3 project reports:

The SVG sanitizer library enshrined/svg-sanitize before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML (fetched as text/html) was susceptible to cross-site scripting. Plain SVG files (fetched as image/svg+xml) were not affected.

CVE-2022-23638 https://github.com/typo3/typo3/commit/9940defb21 https://typo3.org/article/typo3-psa-2022-001 2022-02-22 2022-02-27
Grafana -- Teams API IDOR grafana6 6.0.0 grafana7 7.5.15 grafana8 8.3.5

Grafana Labs reports:

On Jan. 18, an external security researcher, Kürşad ALSAN from NSPECT.IO (@nspectio on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. This vulnerability only impacts the following API endpoints:

  • /teams/:teamId - an authenticated attacker can view unintended data by querying for the specific team ID.
  • /teams/:search - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.
  • /teams/:teamId/members - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.

We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVE-2022-21713 https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/ 2022-01-18 2022-02-12
Grafana -- CSRF grafana6 6.0.0 grafana7 7.5.15 grafana8 8.3.5

Grafana Labs reports:

On Jan. 18, security researchers @jub0bs and @abrahack contacted Grafana to disclose a CSRF vulnerability which allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).

CVE-2022-21703 https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/ 2022-01-18 2022-02-12
Grafana -- XSS grafana6 6.0.0 grafana7 7.5.15 grafana8 8.3.5

Grafana Labs reports:

On Jan. 16, an external security researcher, Jasu Viding contacted Grafana to disclose an XSS vulnerability in the way that Grafana handles data sources. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).

CVE-2022-21702 https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/ 2022-01-16 2022-02-12
cryptopp -- ElGamal implementation allows plaintext recovery cryptopp 8.6.0

Crypto++ 8.6 release notes reports:

The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

CVE-2021-40530 https://nvd.nist.gov/vuln/detail/CVE-2021-40530 2021-09-06 2022-02-24
flac -- fix encoder bug flac 1.3.4

The FLAC 1.3.4 release reports:

Fix 12 decoder bugs found by oss-fuzz.

Fix encoder bug CVE-2021-0561.

CVE-2021-0561 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0561 2022-02-20 2022-02-24
cyrus-sasl -- Escape password for SQL insert/update commands cyrus-sasl-sql (>= 2.1.27, < 2.1.27_1)

Cyrus SASL 2.1.x Release Notes New in 2.1.28 reports:

Escape password for SQL insert/update commands.

CVE-2022-24407 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24407 2022-02-04 2022-02-23
The Update Framework -- path traversal vulnerability py37-tuf py38-tuf py39-tuf py310-tuf py311-tuf 0.18.1

NVD reports:

python-tuf is a Python reference implementation of The Update Framework (TUF). In both clients (`tuf/client` and `tuf/ngclient`), there is a path traversal vulnerability that in the worst case can overwrite files ending in `.json` anywhere on the client system on a call to `get_one_valid_targetinfo()`. It occurs because the rolename is used to form the filename, and may contain path traversal characters (ie `../../name.json`). The impact is mitigated by a few facts: It only affects implementations that allow arbitrary rolename selection for delegated targets metadata, The attack requires the ability to A) insert new metadata for the path-traversing role and B) get the role delegated by an existing targets metadata, The written file content is heavily restricted since it needs to be a valid, signed targets file. The file extension is always .json. A fix is available in version 0.19 or newer. There are no workarounds that do not require code changes. Clients can restrict the allowed character set for rolenames, or they can store metadata in files named in a way that is not vulnerable: neither of these approaches is possible without modifying python-tuf.

CVE-2021-41131 https://nvd.nist.gov/vuln/detail/CVE-2021-41131 2021-10-22 2022-02-22
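The advisory above boils down to one pattern: a delegated rolename taken from metadata is pasted into a filename. The following is an added illustration, not python-tuf code, showing the unsafe construction next to one way to close it (percent-encoding the rolename and re-checking containment). METADATA_DIR and the rolenames are constructed for the demo.

```python
# Added illustration (not python-tuf code) of the rolename-to-filename
# problem and one way to close it. METADATA_DIR and the rolenames used
# below are constructed for the demo.
import posixpath
import urllib.parse

METADATA_DIR = "/var/lib/tuf/metadata"  # assumed client metadata directory


def escapes_metadata_dir(path: str) -> bool:
    """True if `path` normalises to somewhere outside METADATA_DIR."""
    root = posixpath.normpath(METADATA_DIR) + "/"
    return not posixpath.normpath(path).startswith(root)


def naive_metadata_path(rolename: str) -> str:
    """The vulnerable pattern: the delegated rolename is used verbatim as the
    filename, so '../../etc/app' ends up as /var/lib/etc/app.json."""
    return posixpath.join(METADATA_DIR, rolename + ".json")


def safe_metadata_path(rolename: str) -> str:
    """Percent-encode the rolename (safe="" also encodes '/'), so the result is
    always a single filename component ending in .json, then re-check
    containment so a later change to the encoding cannot silently regress."""
    if not rolename:
        raise ValueError("empty rolename")
    encoded = urllib.parse.quote(rolename, safe="")
    path = posixpath.join(METADATA_DIR, encoded + ".json")
    if escapes_metadata_dir(path):
        raise ValueError(f"rolename {rolename!r} escapes {METADATA_DIR}")
    return path
```

The containment check alone is not a substitute for the encoding: it would reject the traversing rolename outright, while the encoded form lets arbitrary rolenames be stored without ever producing a second path component.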
seatd-launch -- remove files with escalated privileges with SUID seatd (>= 0.6.0, < 0.6.4)

Kenny Levinsen reports:

seatd-launch could use a user-specified socket path instead of the internally generated socket path, and would unlink the socket path before use to guard against collision with leftover sockets. This meant that a caller could freely control what file path would be unlinked and replaced with a user-owned seatd socket for the duration of the session.

If seatd-launch had the SUID bit set, this could be used by a malicious user to remove files with the privileges of the owner of seatd-launch, which is likely root, and replace it with a user-owned domain socket.

This does not directly allow retrieving the contents of existing files, and the user-owned socket file is at the current time not believed to be directly useful for further exploitation.

https://lists.sr.ht/~kennylevinsen/seatd-announce/%3CETEO7R.QG8B1KGD531R1%40kl.wtf%3E CVE-2022-25643 2022-02-21 2022-02-21 2022-02-22
Qt5 -- QProcess unexpected search path qt5-core 5.15.2p263_1

The Qt Company reports:

Recently, the Qt Project's security team was made aware of an issue regarding QProcess and determined it to be a security issue on Unix-based platforms only. We do not believe this to be a considerable risk for applications as the likelihood of it being triggered is minimal.

Specifically, the problem is around using QProcess to start an application without having an absolute path, and as a result, it depends on it finding it in the PATH environment variable. As a result, it may be possible for an attacker to place their copy of the executable in question inside the working/current directory for the QProcess and have it invoked that instead.

CVE-2022-25255 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25255 2022-02-17 2022-02-21
libmysofa -- Heap-based buffer overflow vulnerability libmysofa 1.2.1.13

Zhengjie Du reports:

There are some heap-buffer-overflows in mysofa2json of libmysofa. They are in function loudness, mysofa_check and readOHDRHeaderMessageDataLayout.

CVE-2021-3756 https://www.huntr.dev/bounties/7ca8d9ea-e2a6-4294-af28-70260bb53bc1/ 2021-09-27 2022-02-20
MariaDB -- Multiple vulnerabilities mariadb103-client 10.3.34 mariadb103-server 10.3.34 mariadb104-client 10.4.24 mariadb104-server 10.4.24 mariadb105-client 10.5.15 mariadb105-server 10.5.15

MariaDB reports:

MariaDB reports 5 vulnerabilities in supported versions resulting from fuzzing tests.

CVE-2021-46661 CVE-2021-46663 CVE-2021-46664 CVE-2021-46665 CVE-2021-46668 https://mariadb.com/kb/en/cve/ https://mariadb.com/kb/en/mdb-10334-rn/ https://mariadb.com/kb/en/mdb-10424-rn/ https://mariadb.com/kb/en/mdb-10515-rn/ 2022-02-12 2022-02-18
go -- multiple vulnerabilities go 1.17.7,1

The Go project reports:

crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates

Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values.

math/big: prevent large memory consumption in Rat.SetString

An attacker can cause unbounded memory growth in a program using (*Rat).SetString due to an unhandled overflow.

cmd/go: prevent branches from materializing into versions

A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev") can be considered a valid version by the go command. Materializing versions from branches might be unexpected and bypass ACLs that limit the creation of tags but not branches.

CVE-2022-23806 https://github.com/golang/go/issues/50974 CVE-2022-23772 https://github.com/golang/go/issues/50699 CVE-2022-23773 https://github.com/golang/go/issues/35671 2022-02-10 2022-02-18
chromium -- multiple vulnerabilities chromium 98.0.4758.102

Chrome Releases reports:

This release contains 11 security fixes, including:

  • [1290008] High CVE-2022-0603: Use after free in File Manager. Reported by Chaoyuan Peng (@ret2happy) on 2022-01-22
  • [1273397] High CVE-2022-0604: Heap buffer overflow in Tab Groups. Reported by Krace on 2021-11-24
  • [1286940] High CVE-2022-0605: Use after free in Webstore API. Reported by Thomas Orlita on 2022-01-13
  • [1288020] High CVE-2022-0606: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-01-17
  • [1250655] High CVE-2022-0607: Use after free in GPU. Reported by 0x74960 on 2021-09-17
  • [1270333] High CVE-2022-0608: Integer overflow in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-11-16
  • [1296150] High CVE-2022-0609: Use after free in Animation. Reported by Adam Weidemann and Clément Lecigne of Google's Threat Analysis Group on 2022-02-10
  • [1285449] Medium CVE-2022-0610: Inappropriate implementation in Gamepad API. Reported by Anonymous on 2022-01-08
CVE-2022-0603 CVE-2022-0604 CVE-2022-0605 CVE-2022-0606 CVE-2022-0607 CVE-2022-0608 CVE-2022-0609 CVE-2022-0610 https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html 2022-02-14 2022-02-15
py-twisted -- cookie and authorization headers are leaked when following cross-origin redirects py37-twisted py38-twisted py39-twisted py310-twisted 22.1.0

Twisted developers report:

Cookie and Authorization headers are leaked when following cross-origin redirects in twisted.web.client.RedirectAgent and twisted.web.client.BrowserLikeRedirectAgent.

https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx 2022-02-07 2022-02-13
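The policy a redirect-following client needs is small: resolve Location against the original URL, compare origins (scheme, host and effective port), and drop credential-bearing headers when they differ. The code below is an added example written for this page, not Twisted's implementation; the URLs and headers it is exercised with are constructed.

```python
# Added example (not Twisted code): a header policy for following redirects
# that drops credentials whenever the target is a different origin. URLs and
# headers used with it are constructed for the demo.
from urllib.parse import urljoin, urlsplit

CREDENTIAL_HEADERS = frozenset({"cookie", "authorization", "proxy-authorization"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """(scheme, host, port) with the default port filled in, so that
    https://h/ and https://h:443/ compare equal while http vs https do not."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def headers_for_redirect(original_url: str, location: str, headers: dict) -> tuple:
    """Resolve the Location header against the original URL (it may be relative)
    and return (next_url, headers_to_send). Cross-origin targets, including a
    scheme downgrade on the same host, get the credential headers stripped."""
    next_url = urljoin(original_url, location)
    if origin_of(original_url) == origin_of(next_url):
        return next_url, dict(headers)
    stripped = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    return next_url, stripped
```

Treating an https to http hop on the same host as cross-origin is deliberate: a bearer token or session cookie sent over the downgraded connection is exposed even though the host did not change.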
zsh -- Arbitrary command execution vulnerability zsh 5.8.1

Marc Cornellà reports:

Some prompt expansion sequences, such as %F, support 'arguments' which are themselves expanded in case they contain colour values, etc. This additional expansion would trigger PROMPT_SUBST evaluation, if enabled. This could be abused to execute code the user didn't expect. e.g., given a certain prompt configuration, an attacker could trick a user into executing arbitrary code by having them check out a Git branch with a specially crafted name.

CVE-2021-45444 https://zsh.sourceforge.io/releases.html 2022-02-12 2022-02-12
Node.js -- January 2022 Security Releases node (>= 12.0.0, < 12.22.9) (>= 14.0.0, < 14.18.3) (>= 16.0.0, < 16.13.2) (>= 17.0.0, < 17.3.1) node16 16.13.2 node14 14.18.3

Node.js reports:

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)

Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.

Prototype pollution via console.table properties (Low)(CVE-2022-21824)

Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.

CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824 https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/ 2022-01-10 2022-02-12
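CVE-2021-44531 and CVE-2021-44532 above share a root cause worth seeing in miniature: name constraints are applied to structured SAN entries, but the hostname is matched against a flattened, delimited string of those entries, so a SAN value that contains the delimiter can forge an entry the constraint check never examined. The following is a constructed toy written for this page, not Node.js code; the certificate is modelled as a list of (type, value) pairs and every name in it is made up. It also shows the hardened shape: accept only the SAN types the PKI is defined to use and match on the structured entries.

```python
# Constructed illustration (not Node.js code) of the failure class: flattening
# typed SAN entries into one delimited string and matching hostnames against
# that string. Certificates are modelled as lists of (san_type, value); all
# names below are made up.

def dns_constraint_ok(sans, permitted_suffix):
    """Structured check of a DNS name constraint: every DNS SAN must be the
    permitted suffix or a subdomain of it. Non-DNS SAN types are not examined."""
    return all(
        v == permitted_suffix or v.endswith("." + permitted_suffix)
        for t, v in sans if t == "DNS"
    )


def sans_to_string(sans):
    """The risky step: flatten typed entries into 'TYPE:value, TYPE:value'."""
    return ", ".join(f"{t}:{v}" for t, v in sans)


def naive_hostname_match(san_string, hostname):
    """Re-parses the flattened string, so an injected ', DNS:...' inside a
    URI value becomes a DNS entry that the constraint check never saw."""
    return f"dns:{hostname.lower()}" in san_string.lower().split(", ")


def structured_hostname_match(sans, hostname):
    return any(t == "DNS" and v.lower() == hostname.lower() for t, v in sans)


def naive_verify(sans, permitted_suffix, hostname):
    return dns_constraint_ok(sans, permitted_suffix) and naive_hostname_match(
        sans_to_string(sans), hostname)


def hardened_verify(sans, permitted_suffix, hostname, allowed_types=frozenset({"DNS"})):
    """Accept only SAN types the PKI is defined to use, apply the constraint,
    and match the hostname on the structured entries, never on a string."""
    if any(t not in allowed_types for t, _ in sans):
        return False
    return dns_constraint_ok(sans, permitted_suffix) and structured_hostname_match(
        sans, hostname)
```

With a leaf issued under an intermediate constrained to corp.example, a single URI SAN of `https://attacker.example/, DNS:bank.example.net` passes naive_verify for bank.example.net and fails hardened_verify twice over: the URI type is not allowed, and no structured DNS entry matches.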
jenkins -- DoS vulnerability in bundled XStream library jenkins 2.334 jenkins-lts 2.319.3

Jenkins Security Advisory:

Description

(Medium) SECURITY-2602 / CVE-2021-43859 (upstream issue), CVE-2022-0538 (Jenkins-specific converters)

DoS vulnerability in bundled XStream library

CVE-2021-43859 CVE-2022-0538 https://www.jenkins.io/security/advisory/2022-02-09/ 2022-02-09 2022-02-10
MariaDB -- Multiple vulnerabilities mariadb103-client 10.3.33 mariadb103-server 10.3.33 mariadb104-client 10.4.23 mariadb104-server 10.4.23 mariadb105-client 10.5.14 mariadb105-server 10.5.14

MariaDB reports:

MariaDB reports 5 vulnerabilities in supported versions without further detailed information.

CVE-2022-24052 CVE-2022-24051 CVE-2022-24050 CVE-2022-24048 CVE-2021-46659 https://mariadb.com/kb/en/cve/ https://mariadb.com/kb/en/mdb-10333-rn/ https://mariadb.com/kb/en/mdb-10423-rn/ https://mariadb.com/kb/en/mdb-10514-rn/ 2022-02-10 2022-02-10 2022-02-17
xrdp -- privilege escalation xrdp (>= 0.9.17,1, < 0.9.18.1,1) xrdp-devel (>= 0.9.17,1, < 0.9.18.1,1)

xrdp project reports:

An integer underflow leading to a heap overflow in the sesman server allows any unauthenticated attacker with access to a sesman server (which listens by default on localhost when installing xrdp, but can be remote if configured otherwise) to execute code as root.

CVE-2022-23613 https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-8h98-h426-xf32 2022-01-23 2022-02-08 2022-02-15
Gitlab -- multiple vulnerabilities gitlab-ce (>= 14.7.0, < 14.7.1) (>= 14.6.0, < 14.6.4) (>= 0, < 14.5.4)

Gitlab reports:

Arbitrary POST requests via special HTML attributes in Jupyter Notebooks

DNS Rebinding vulnerability in Irker IRC Gateway integration

Missing certificate validation for external CI services

Blind SSRF Through Project Import

Open redirect vulnerability in Jira Integration

Issue link was disclosing the linked issue

Service desk email accessible by project non-members

Authenticated users can search other users by their private email

"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request

Deleting packages in bulk from package registries may cause table locks

Autocomplete enabled on specific pages

Possible SSRF due to not blocking shared address space

System notes reveals private project path when Issue is moved to a public project

Timeout for pages using Markdown

Certain branch names could not be protected

CVE-2022-0427 CVE-2022-0425 CVE-2022-0123 CVE-2022-0136 CVE-2022-0283 CVE-2022-0390 CVE-2022-0373 CVE-2022-0371 CVE-2021-39943 CVE-2022-0477 CVE-2022-0167 CVE-2022-0249 CVE-2022-0344 CVE-2022-0488 CVE-2021-39931 https://about.gitlab.com/releases/2022/02/03/security-release-gitlab-14-7-1-released/ 2022-02-03 2022-02-04
chromium -- multiple vulnerabilities chromium 98.0.4758.80

Chrome Releases reports:

This release contains 27 security fixes, including:

  • [1284584] High CVE-2022-0452: Use after free in Safe Browsing. Reported by avaue at S.S.L. on 2022-01-05
  • [1284916] High CVE-2022-0453: Use after free in Reader Mode. Reported by Rong Jian of VRI on 2022-01-06
  • [1287962] High CVE-2022-0454: Heap buffer overflow in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2022-01-17
  • [1270593] High CVE-2022-0455: Inappropriate implementation in Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on 2021-11-16
  • [1289523] High CVE-2022-0456: Use after free in Web Search. Reported by Zhihua Yao of KunLun Lab on 2022-01-21
  • [1274445] High CVE-2022-0457: Type Confusion in V8. Reported by rax of the Group0x58 on 2021-11-29
  • [1267060] High CVE-2022-0458: Use after free in Thumbnail Tab Strip. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-11-05
  • [1244205] High CVE-2022-0459: Use after free in Screen Capture. Reported by raven (@raid_akame) on 2021-08-28
  • [1250227] Medium CVE-2022-0460: Use after free in Window Dialog. Reported by 0x74960 on 2021-09-16
  • [1256823] Medium CVE-2022-0461: Policy bypass in COOP. Reported by NDevTK on 2021-10-05
  • [1270470] Medium CVE-2022-0462: Inappropriate implementation in Scroll. Reported by Youssef Sammouda on 2021-11-16
  • [1268240] Medium CVE-2022-0463: Use after free in Accessibility. Reported by Zhihua Yao of KunLun Lab on 2021-11-09
  • [1270095] Medium CVE-2022-0464: Use after free in Accessibility. Reported by Zhihua Yao of KunLun Lab on 2021-11-14
  • [1281941] Medium CVE-2022-0465: Use after free in Extensions. Reported by Samet Bekmezci @sametbekmezci on 2021-12-22
  • [1115460] Medium CVE-2022-0466: Inappropriate implementation in Extensions Platform. Reported by David Erceg on 2020-08-12
  • [1239496] Medium CVE-2022-0467: Inappropriate implementation in Pointer Lock. Reported by Alesandro Ortiz on 2021-08-13
  • [1252716] Medium CVE-2022-0468: Use after free in Payments. Reported by Krace on 2021-09-24
  • [1279531] Medium CVE-2022-0469: Use after free in Cast. Reported by Thomas Orlita on 2021-12-14
  • [1269225] Low CVE-2022-0470: Out of bounds memory access in V8. Reported by Looben Yang on 2021-11-11
CVE-2022-0452 CVE-2022-0453 CVE-2022-0454 CVE-2022-0455 CVE-2022-0456 CVE-2022-0457 CVE-2022-0458 CVE-2022-0459 CVE-2022-0460 CVE-2022-0461 CVE-2022-0462 CVE-2022-0463 CVE-2022-0464 CVE-2022-0465 CVE-2022-0466 CVE-2022-0467 CVE-2022-0468 CVE-2022-0469 CVE-2022-0470 https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html 2022-02-01 2022-02-02
h2o -- uninitialised memory access in HTTP3 h2o-devel 2.3.0.d.20220131

Emil Lerner reports:

When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerability to send internal state of h2o to backend servers controlled by the attacker or third party. Also, if there is an HTTP endpoint that reflects the traffic sent from the client, an attacker can use that reflector to obtain internal state of h2o.

This internal state includes traffic of other connections in unencrypted form and TLS session tickets.

This vulnerability exists in h2o server with HTTP/3 support, between commit 93af138 and d1f0f65. None of the released versions of h2o are affected by this vulnerability.

CVE-2021-43848 https://github.com/h2o/h2o/security/advisories/GHSA-f9xw-j925-m4m4 2021-01-31 2022-02-02
FreeBSD -- vt console buffer overflow FreeBSD (>= 13.0, < 13.0_6) (>= 12.2, < 12.2_12)

Problem Description:

Under certain conditions involving use of the highlight buffer while text is scrolling on the console, console data may overwrite data structures associated with the system console or other kernel memory.

Impact:

Users with access to the system console may be able to cause system misbehaviour.

CVE-2021-29632 SA-22:01.vt 2022-01-11 2022-02-02
samba -- Multiple Vulnerabilities samba413 4.13.17 samba414 4.14.12 samba415 4.15.5

The Samba Team reports:

  • CVE-2021-43566: Malicious client using an SMB1 or NFS race to allow a directory to be created in an area of the server file system not exported under the share definition.
  • CVE-2021-44141: Information leak via symlinks of existence of files or directories outside of the exported share.
  • CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution.
  • CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services.
CVE-2021-43566 CVE-2021-44141 CVE-2021-44142 CVE-2022-0336 https://www.samba.org/samba/security/CVE-2021-43566.html https://www.samba.org/samba/security/CVE-2021-44141.html https://www.samba.org/samba/security/CVE-2021-44142.html https://www.samba.org/samba/security/CVE-2022-0336.html 2022-01-31 2022-02-01
Rust -- Race condition enabling symlink following rust 1.58.1 rust-nightly 1.60.0.20220202

The Rust Security Response WG was notified that the std::fs::remove_dir_all standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete.

CVE-2022-21658 https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html 2022-01-20 2022-01-31 2022-02-03
varnish -- Request Smuggling Vulnerability varnish6 6.6.2 varnish4 4.1.11r6

Varnish Cache Project reports:

A request smuggling attack can be performed on HTTP/1 connections on Varnish Cache servers. The smuggled request would be treated as an additional request by the Varnish server, go through normal VCL processing, and its response would be injected as a spurious response on the client connection.

CVE-2022-23959 https://varnish-cache.org/security/VSV00008.html https://docs.varnish-software.com/security/VSV00008/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23959 2022-01-25 2022-01-29
OpenEXR -- Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute openexr 3.1.4

Cary Phillips reports:

[OpenEXR Version 3.1.4 is a] patch release that [...] addresses one public security vulnerability: CVE-2021-45942 Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute [and several] specific OSS-fuzz issues [...].

CVE-2021-45942 https://github.com/AcademySoftwareFoundation/openexr/blob/v3.1.4/CHANGES.md#version-314-january-26-2022 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41999 https://github.com/AcademySoftwareFoundation/openexr/pull/1209 2021-11-26 2022-01-28
OpenSSL -- BN_mod_exp incorrect results on MIPS openssl 1.1.1m,1 openssl-devel 3.0.1 openssl-quictls 3.0.1

The OpenSSL project reports:

BN_mod_exp may produce incorrect results on MIPS (Moderate)

There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.

CVE-2021-4160 https://www.openssl.org/news/secadv/20220128.txt 2022-01-28 2022-01-28
mustache - Possible Remote Code Execution phpmustache 2.14.1

huntr.dev reports:

In Mustache.php v2.0.0 through v2.14.0, the Sections tag can lead to arbitrary PHP code execution, even if strict_callables is true, when the section value is controllable.

CVE-2022-0323 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0323 2022-01-20 2022-01-27
polkit -- Local Privilege Escalation polkit 0.120_1

Qualys reports:

We discovered a Local Privilege Escalation (from any user to root) in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution.

CVE-2021-4034 https://seclists.org/oss-sec/2022/q1/80 ports/261482 2022-01-25 2022-01-26
strongswan - Incorrect Handling of Early EAP-Success Messages strongswan 5.9.5

Strongswan Release Notes reports:

Fixed a vulnerability in the EAP client implementation that was caused by incorrectly handling early EAP-Success messages. It may allow bypassing the client authentication and, in some scenarios, even the server authentication, or could lead to a denial-of-service attack. This vulnerability has been registered as CVE-2021-45079.

CVE-2021-45079 https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html 2021-12-16 2022-01-25
strongswan - denial-of-service vulnerability in the gmp plugin/denial-of-service vulnerability in the in-memory certificate cache strongswan 5.9.4

Strongswan Release Notes reports:

Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990.

Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991.

CVE-2021-41990 CVE-2021-41991 https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-(cve-2021-41990).html https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-(cve-2021-41991).html 2021-10-04 2022-01-25
aide -- heap-based buffer overflow aide 0.17.4

David Bouman reports:

AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow.

Aide uses a fixed size (16k bytes) for the return buffer in the encode_base64/decode_base64 functions. This results in a segfault if aide processes a file with a too large extended attribute value or ACL.

CVE-2021-45417 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45417 2022-01-15 2022-01-23
chromium -- multiple vulnerabilities chromium 97.0.4692.99

Chrome Releases reports:

This release contains 26 security fixes, including:

  • [1284367] Critical CVE-2022-0289: Use after free in Safe browsing. Reported by Sergei Glazunov of Google Project Zero on 2022-01-05
  • [1260134][1260007] High CVE-2022-0290: Use after free in Site isolation. Reported by Brendon Tiszka and Sergei Glazunov of Google Project Zero on 2021-10-15
  • [1281084] High CVE-2022-0291: Inappropriate implementation in Storage. Reported by Anonymous on 2021-12-19
  • [1270358] High CVE-2022-0292: Inappropriate implementation in Fenced Frames. Reported by Brendon Tiszka on 2021-11-16
  • [1283371] High CVE-2022-0293: Use after free in Web packaging. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-30
  • [1273017] High CVE-2022-0294: Inappropriate implementation in Push messaging. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-11-23
  • [1278180] High CVE-2022-0295: Use after free in Omnibox. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-09
  • [1283375] High CVE-2022-0296: Use after free in Printing. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-30
  • [1274316] High CVE-2022-0297: Use after free in Vulkan. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-11-28
  • [1212957] High CVE-2022-0298: Use after free in Scheduling. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-25
  • [1275438] High CVE-2022-0300: Use after free in Text Input Method Editor. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-01
  • [1276331] High CVE-2022-0301: Heap buffer overflow in DevTools. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-12-03
  • [1278613] High CVE-2022-0302: Use after free in Omnibox. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-10
  • [1281979] High CVE-2022-0303: Race in GPU Watchdog. Reported by Yigit Can YILMAZ (@yilmazcanyigit) on 2021-12-22
  • [1282118] High CVE-2022-0304: Use after free in Bookmarks. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-22
  • [1282354] High CVE-2022-0305: Inappropriate implementation in Service Worker API. Reported by @uwu7586 on 2021-12-23
  • [1283198] High CVE-2022-0306: Heap buffer overflow in PDFium. Reported by Sergei Glazunov of Google Project Zero on 2021-12-29
  • [1281881] Medium CVE-2022-0307: Use after free in Optimization Guide. Reported by Samet Bekmezci @sametbekmezci on 2021-12-21
  • [1282480] Medium CVE-2022-0308: Use after free in Data Transfer. Reported by @ginggilBesel on 2021-12-24
  • [1240472] Medium CVE-2022-0309: Inappropriate implementation in Autofill. Reported by Alesandro Ortiz on 2021-08-17
  • [1283805] Medium CVE-2022-0310: Heap buffer overflow in Task Manager. Reported by Samet Bekmezci @sametbekmezci on 2022-01-03
  • [1283807] Medium CVE-2022-0311: Heap buffer overflow in Task Manager. Reported by Samet Bekmezci @sametbekmezci on 2022-01-03
CVE-2022-0289 CVE-2022-0290 CVE-2022-0291 CVE-2022-0292 CVE-2022-0293 CVE-2022-0294 CVE-2022-0295 CVE-2022-0296 CVE-2022-0297 CVE-2022-0298 CVE-2022-0300 CVE-2022-0301 CVE-2022-0302 CVE-2022-0303 CVE-2022-0304 CVE-2022-0305 CVE-2022-0306 CVE-2022-0307 CVE-2022-0308 CVE-2022-0309 CVE-2022-0310 CVE-2022-0311 https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop_19.html 2022-01-19 2022-01-20
MySQL -- Multiple vulnerabilities mysql-connector-odbc 8.0.28 mysql-connector-c++ 8.0.28 mysql-connector-java 8.0.28 mysql-connector-java51 8.0.28 mysql-server55 5.5.63 mysql-server56 5.6.52 mysql-server57 5.7.37 mysql-server80 8.0.27

Oracle reports:

This Critical Patch Update contains 78 new security patches for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 7.4.

CVE-2021-22946 CVE-2021-3712 CVE-2022-21278 CVE-2022-21351 CVE-2022-21363 CVE-2022-21358 CVE-2022-21352 CVE-2022-21367 CVE-2022-21301 CVE-2022-21378 CVE-2022-21302 CVE-2022-21254 CVE-2022-21348 CVE-2022-21270 CVE-2022-21256 CVE-2022-21379 CVE-2022-21362 CVE-2022-21374 CVE-2022-21253 CVE-2022-21264 CVE-2022-21297 CVE-2022-21339 CVE-2022-21342 CVE-2022-21370 CVE-2022-21304 CVE-2022-21344 CVE-2022-21303 CVE-2022-21368 CVE-2022-21245 CVE-2022-21265 CVE-2022-21249 CVE-2022-21372 https://www.oracle.com/security-alerts/cpujan2022.html#AppendixMSQL 2022-01-18 2022-01-19
Prosody XMPP server advisory 2022-01-13 prosody 0.11.12

The Prosody team reports:

It was discovered that an internal Prosody library to load XML based on does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).

CVE-2022-0217 https://prosody.im/security/advisory_20220113/ 2022-01-10 2022-01-14
WordPress -- Multiple Vulnerabilities wordpress 5.8.3,1

The WordPress project reports:

  • Issue with stored XSS through post slugs
  • Issue with Object injection in some multisite installations
  • SQL injection vulnerability in WP_Query
  • SQL injection vulnerability in WP_Meta_Query
https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/ 2022-01-06 2022-01-13
clamav -- invalid pointer read that may cause a crash clamav 0.104.2,1 clamav-lts 0.103.5,1

Laurent Delosieres reports:

Fix for invalid pointer read that may cause a crash. This issue affects 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json option) is enabled.

CVE-2022-20698 https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html 2022-01-12 2022-01-12
jenkins -- multiple vulnerabilities jenkins 2.330 jenkins-lts 2.319.2

Jenkins Security Advisory:

Description

(Medium) SECURITY-2558 / CVE-2022-20612

CSRF vulnerability in build triggers

CVE-2022-20612 https://www.jenkins.io/security/advisory/2022-01-12/ 2022-01-12 2022-01-12
Gitlab -- Multiple Vulnerabilities gitlab-ce 14.6.0 <= version < 14.6.2; 14.5.0 <= version < 14.5.3; 7.7 <= version < 14.4.5

Gitlab reports:

Arbitrary file read via group import feature

Stored XSS in notes

Lack of state parameter on GitHub import project OAuth

Vulnerability related fields are available to unauthorized users on GraphQL API

Deleting packages may cause table locks

IP restriction bypass via GraphQL

Repository content spoofing using Git replacement references

Users can import members from projects that they are not a maintainer on through API

Possibility to direct user to malicious site through Slack integration

Bypassing file size limits to the NPM package repository

User with expired password can still access sensitive information

Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port

CVE-2021-39946 CVE-2022-0154 CVE-2022-0152 CVE-2022-0151 CVE-2022-0172 CVE-2022-0090 CVE-2022-0125 CVE-2022-0124 CVE-2021-39942 CVE-2022-0093 CVE-2021-39927 https://about.gitlab.com/releases/2022/01/11/security-release-gitlab-14-6-2-released/ 2022-01-11 2022-01-12
uriparser -- Multiple vulnerabilities uriparser 0.9.6

Upstream project reports:

Fix a bug affecting both uriNormalizeSyntax* and uriMakeOwner* functions where the text range in .hostText would not be duped using malloc but remain unchanged (and hence "not owned") for URIs with an IPv4 or IPv6 address hostname; depending on how an application uses uriparser, this could lead the application into a use-after-free situation. As the second half, fix uriFreeUriMembers* functions that would not free .hostText memory for URIs with an IPv4 or IPv6 address host; also, calling uriFreeUriMembers* multiple times on a URI of this very nature would result in trying to free pointers to stack (rather than heap) memory. Fix functions uriNormalizeSyntax* for out-of-memory situations (i.e. malloc returning NULL) for URIs containing empty segments (any of user info, host text, query, or fragment) where previously pointers to stack (rather than heap) memory were freed.

CVE-2021-46141 CVE-2021-46142 https://github.com/uriparser/uriparser/blob/uriparser-0.9.6/ChangeLog 2022-01-06 2022-01-09
Django -- multiple vulnerabilities py37-django22 py38-django22 py39-django22 2.2.26 py37-django32 py38-django32 py39-django32 3.2.11 py37-django40 py38-django40 py39-django40 4.0.1

Django Release reports:

CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator.

CVE-2021-45116: Potential information disclosure in dictsort template filter.

CVE-2021-45452: Potential directory-traversal via Storage.save().

CVE-2021-45115 CVE-2021-45116 CVE-2021-45452 https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ 2021-12-20 2022-01-06
routinator -- multiple vulnerabilities routinator 0.10.1

nlnetlabs reports:

Release 0.10.2 contains fixes for the following issues:

  • Medium CVE-2021-43172: Infinite length chain of RRDP repositories. Credit: Koen van Hove. Date: 2021-11-09
  • Medium CVE-2021-43173: Hanging RRDP request. Credit: Koen van Hove. Date: 2021-11-09
  • Medium CVE-2021-43174: gzip transfer encoding caused out-of-memory crash. Credit: Koen van Hove. Date: 2021-11-09
CVE-2021-43172 CVE-2021-43173 CVE-2021-43174 https://nlnetlabs.nl/projects/rpki/security-advisories/ 2021-11-09 2022-01-05
chromium -- multiple vulnerabilities chromium 97.0.4692.71

Chrome Releases reports:

This release contains 37 security fixes, including:

  • [$TBD][1275020] Critical CVE-2022-0096: Use after free in Storage. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-11-30
  • [1117173] High CVE-2022-0097: Inappropriate implementation in DevTools. Reported by David Erceg on 2020-08-17
  • [1273609] High CVE-2022-0098: Use after free in Screen Capture. Reported by @ginggilBesel on 2021-11-24
  • [1245629] High CVE-2022-0099: Use after free in Sign-in. Reported by Rox on 2021-09-01
  • [1238209] High CVE-2022-0100: Heap buffer overflow in Media streams API. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-08-10
  • [1249426] High CVE-2022-0101: Heap buffer overflow in Bookmarks. Reported by raven (@raid_akame) on 2021-09-14
  • [1260129] High CVE-2022-0102: Type Confusion in V8. Reported by Brendon Tiszka on 2021-10-14
  • [1272266] High CVE-2022-0103: Use after free in SwiftShader. Reported by Abraruddin Khan and Omair on 2021-11-21
  • [1273661] High CVE-2022-0104: Heap buffer overflow in ANGLE. Reported by Abraruddin Khan and Omair on 2021-11-25
  • [1274376] High CVE-2022-0105: Use after free in PDF. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-11-28
  • [1278960] High CVE-2022-0106: Use after free in Autofill. Reported by Khalil Zhani on 2021-12-10
  • [1248438] Medium CVE-2022-0107: Use after free in File Manager API. Reported by raven (@raid_akame) on 2021-09-10
  • [1248444] Medium CVE-2022-0108: Inappropriate implementation in Navigation. Reported by Luan Herrera (@lbherrera_) on 2021-09-10
  • [1261689] Medium CVE-2022-0109: Inappropriate implementation in Autofill. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2021-10-20
  • [1237310] Medium CVE-2022-0110: Incorrect security UI in Autofill. Reported by Alesandro Ortiz on 2021-08-06
  • [1241188] Medium CVE-2022-0111: Inappropriate implementation in Navigation. Reported by garygreen on 2021-08-18
  • [1255713] Medium CVE-2022-0112: Incorrect security UI in Browser UI. Reported by Thomas Orlita on 2021-10-04
  • [1039885] Medium CVE-2022-0113: Inappropriate implementation in Blink. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
  • [1267627] Medium CVE-2022-0114: Out of bounds memory access in Web Serial. Reported by Looben Yang on 2021-11-06
  • [1268903] Medium CVE-2022-0115: Uninitialized Use in File API. Reported by Mark Brand of Google Project Zero on 2021-11-10
  • [1272250] Medium CVE-2022-0116: Inappropriate implementation in Compositing. Reported by Irvan Kurniawan (sourc7) on 2021-11-20
  • [1115847] Low CVE-2022-0117: Policy bypass in Service Workers. Reported by Dongsung Kim (@kid1ng) on 2020-08-13
  • [1238631] Low CVE-2022-0118: Inappropriate implementation in WebShare. Reported by Alesandro Ortiz on 2021-08-11
  • [1262953] Low CVE-2022-0120: Inappropriate implementation in Passwords. Reported by CHAKRAVARTHI (Ruler96) on 2021-10-25
CVE-2022-0096 CVE-2022-0097 CVE-2022-0098 CVE-2022-0099 CVE-2022-0100 CVE-2022-0101 CVE-2022-0102 CVE-2022-0103 CVE-2022-0104 CVE-2022-0105 CVE-2022-0106 CVE-2022-0107 CVE-2022-0108 CVE-2022-0109 CVE-2022-0110 CVE-2022-0111 CVE-2022-0112 CVE-2022-0113 CVE-2022-0114 CVE-2022-0115 CVE-2022-0116 CVE-2022-0117 CVE-2022-0118 CVE-2022-0120 https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html 2022-01-04 2022-01-05