diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 2b17919a9eac..62b2600e5c4f 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,2909 +1,2943 @@ + + Apache OpenOffice -- master password vulnerabilities + + + apache-openoffice + 4.1.13 + + + apache-openoffice-devel + 4.2.1678061694i,4 + + + + +

The Apache Openoffice project reports:

+
+

Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice

+
+
+

Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice

+
+ +
+ + CVE-2022-37400 + CVE-2022-37401 + https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.13+Release+Notes + + + 2022-02-25 + 2023-03-08 + +
+ rack -- possible DoS vulnerability in multipart MIME parsing rubygem-rack 3.0.4.2,3 rubygem-rack22 2.2.6.6,3 rubygem-rack16 1.6.14

Aaron Patterson reports:

The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.

CVE-2023-27530 https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388 2023-03-03 2023-03-06
curl -- multiple vulnerabilities curl 7.88.0

Harry Sintonen and Patrick Monnerat report:

CVE-2023-23914
A cleartext transmission of sensitive information vulnerability exists in curl < v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly be ignored by subsequent transfers when done on the same command line because the state would not be properly carried on.
CVE-2023-23915
A cleartext transmission of sensitive information vulnerability exists in curl < v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recently completed transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.
CVE-2023-23916
An allocation of resources without limits or throttling vulnerability exists in curl < v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
CVE-2023-23914 CVE-2023-23915 CVE-2023-23916 https://curl.se/docs/security.html 2023-02-15 2023-03-05
strongSwan -- certificate verification vulnerability strongswan 5.9.85.9.9_2

strongSwan reports:

A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected.

CVE-2023-26463 https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-2023-26463).html 2023-03-02 2023-03-04
Gitlab -- Multiple Vulnerabilities gitlab-ce 15.9.015.9.2 15.8.015.8.4 9.0.015.7.8

Gitlab reports:

Stored XSS via Kroki diagram

Prometheus integration Google IAP details are not hidden, may leak account details from instance/group/project settings

Improper validation of SSO and SCIM tokens while managing groups

Maintainer can leak Datadog API key by changing Datadog site

Clipboard based XSS in the title field of work items

Improper user right checks for personal snippets

Release Description visible in public projects despite release set as project members only

Group integration settings sensitive information exposed to project maintainers

Improve pagination limits for commits

Gitlab Open Redirect Vulnerability

Maintainer may become an Owner of a project

CVE-2023-0050 CVE-2022-4289 CVE-2022-4331 CVE-2023-0483 CVE-2022-4007 CVE-2022-3758 CVE-2023-0223 CVE-2022-4462 CVE-2023-1072 CVE-2022-3381 CVE-2023-1084 https://about.gitlab.com/releases/2023/03/02/security-release-gitlab-15-9-2-released/ 2023-03-02 2023-03-03
Grafana -- Stored XSS in text panel plugin grafana 9.2.09.2.10 9.3.09.3.4 grafana9 9.2.09.2.10 9.3.09.3.4

Grafana Labs reports:

During an internal audit of Grafana on January 1, a member of the security team found a stored XSS vulnerability affecting the core text plugin.

The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React’s render cycle that will pass through the unsanitized HTML code, but in the next cycle, the HTML is cleaned up and saved in Grafana’s database.

The CVSS score for this vulnerability is 6.4 Medium (CVSS:6.4/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).

CVE-2023-22462 https://github.com/grafana/grafana/security/advisories/GHSA-7rqg-hjwc-6mjf 2023-01-01 2023-03-01
Grafana -- Stored XSS in TraceView panel grafana 8.5.21 9.0.09.2.13 9.3.09.3.8 grafana8 8.5.21 grafana9 9.0.09.2.13 9.3.09.3.8

Grafana Labs reports:

During an internal audit of Grafana on January 30, a member of the engineering team found a stored XSS vulnerability affecting the TraceView panel.

The stored XSS vulnerability was possible because the value of a span’s attributes/resources were not properly sanitized, and this will be rendered when the span’s attributes/resources are expanded.

The CVSS score for this vulnerability is 7.3 High (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

CVE-2023-0594 https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/ 2023-01-30 2023-03-01
Grafana -- Stored XSS in geomap panel plugin via attribution grafana 8.5.21 9.0.09.2.13 9.3.09.3.8 grafana8 8.5.21 grafana9 9.0.09.2.13 9.3.09.3.8

Grafana Labs reports:

During an internal audit of Grafana on January 25, a member of the security team found a stored XSS vulnerability affecting the core geomap plugin.

The stored XSS vulnerability was possible because map attributions weren’t properly sanitized, allowing arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.

The CVSS score for this vulnerability is 7.3 High (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

CVE-2023-0507 https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/ 2023-01-25 2023-03-01
redis -- multiple vulnerabilities redis 7.0.9 redis-devel 7.0.9.20230228 redis62 6.2.11 redis6 6.0.18

The Redis core team reports:

CVE-2023-25155
Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process.
CVE-2022-36021
String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time.
CVE-2023-25155 CVE-2022-36021 https://groups.google.com/g/redis-db/c/3hQ1oTO4hMI 2023-02-28 2023-03-01
emacs -- multiple vulnerabilities emacs emacs-canna emacs-nox 28.2_3,3 emacs-devel emacs-devel-nox 30.0.50.20230101,3

Xi Lu reports:

CVE-2022-48337
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.
CVE-2022-48338
An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.
CVE-2022-48339
An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.
CVE-2022-48337 CVE-2022-48338 CVE-2022-48339 https://www.debian.org/security/2023/dsa-5360 2022-12-06 2023-02-27
freerdp -- clients using the `/video` command line switch might read uninitialized data freerdp 2.8.1

MITRE reports:

All FreeRDP based clients when using the `/video` command line switch might read uninitialized data, decode it as audio/video and display the result. FreeRDP based server implementations are not affected.

CVE-2022-39283 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6cf9-3328-qrvh 2022-10-13 2023-02-24
freerdp -- clients using `/parallel` command line switch might read uninitialized data freerdp 2.8.1

MITRE reports:

FreeRDP based clients on unix systems using `/parallel` command line switch might read uninitialized data and send it to the server the client is currently connected to. FreeRDP based server implementations are not affected.

CVE-2022-39282 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c45q-wcpg-mxjq 2022-10-13 2023-02-24
chromium -- multiple vulnerabilities chromium 110.0.5481.177 ungoogled-chromium 110.0.5481.177

Chrome Releases reports:

This update includes 10 security fixes:

  • [1415366] Critical CVE-2023-0941: Use after free in Prompts. Reported by Anonymous on 2023-02-13
  • [1414738] High CVE-2023-0927: Use after free in Web Payments API. Reported by Rong Jian of VRI on 2023-02-10
  • [1309035] High CVE-2023-0928: Use after free in SwiftShader. Reported by Anonymous on 2022-03-22
  • [1399742] High CVE-2023-0929: Use after free in Vulkan. Reported by Cassidy Kim(@cassidy6564) on 2022-12-09
  • [1410766] High CVE-2023-0930: Heap buffer overflow in Video. Reported by Cassidy Kim(@cassidy6564) on 2023-01-27
  • [1407701] High CVE-2023-0931: Use after free in Video. Reported by Cassidy Kim(@cassidy6564) on 2023-01-17
  • [1413005] High CVE-2023-0932: Use after free in WebRTC. Reported by Omri Bushari (Talon Cyber Security) on 2023-02-05
  • [1404864] Medium CVE-2023-0933: Integer overflow in PDF. Reported by Zhiyi Zhang from Codesafe Team of Legendsec at QI-ANXIN
CVE-2023-0941 CVE-2023-0927 CVE-2023-0928 CVE-2023-0929 CVE-2023-0930 CVE-2023-0931 CVE-2023-0932 CVE-2023-0933 https://chromereleases.googleblog.com/2023/02/stable-channel-desktop-update_22.html 2023-02-22 2023-02-22
zeek -- potential DoS vulnerabilities zeek 5.0.7

Tim Wojtulewicz of Corelight reports:

Receiving DNS responses from async DNS requests (via the lookup_addr, etc BIF methods) with the TTL set to zero could cause the DNS manager to eventually stop being able to make new requests.

Specially-crafted FTP packets with excessively long usernames, passwords, or other fields could cause log writes to use large amounts of disk space.

The find_all and find_all_ordered BIF methods could take extremely large amounts of time to process incoming data depending on the size of the input.

https://github.com/zeek/zeek/releases/tag/v5.0.7 2023-02-21 2023-02-21
libde256 -- multiple vulnerabilities libde265 1.0.11

Libde265 developer reports:

This release fixes the known CVEs below. Many of them are actually caused by the same underlying issues that manifest in different ways.

CVE-2020-21594 CVE-2020-21595 CVE-2020-21596 CVE-2020-21597 CVE-2020-21598 CVE-2020-21599 CVE-2020-21600 CVE-2020-21601 CVE-2020-21602 CVE-2020-21603 CVE-2020-21604 CVE-2020-21605 CVE-2020-21606 CVE-2022-1253 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43243 CVE-2022-43244 CVE-2022-43245 CVE-2022-43248 CVE-2022-43249 CVE-2022-43250 CVE-2022-43252 CVE-2022-43253 CVE-2022-47655 https://github.com/strukturag/libde265/releases/tag/v1.0.10 2023-01-27 2023-02-21
git -- "git apply" overwriting paths outside the working tree git 2.39.2

git team reports:

By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply".

CVE-2023-23946 https://github.blog/2023-02-14-git-security-vulnerabilities-announced-3/#cve-2023-23946 2023-02-14 2023-02-21
git -- Local clone-based data exfiltration with non-local transports git 2.39.2

git team reports:

Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link.

These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.

CVE-2023-22490 https://github.blog/2023-02-14-git-security-vulnerabilities-announced-3/#cve-2023-22490 2023-02-14 2023-02-21
git -- gitattributes parsing integer overflow git 2.39.1

git team reports:

gitattributes are used to define unique attributes corresponding to paths in your repository. These attributes are defined by .gitattributes file(s) within your repository.

The parser used to read these files has multiple integer overflows, which can occur when parsing either a large number of patterns, a large number of attributes, or attributes with overly-long names.

These overflows may be triggered via a malicious .gitattributes file. However, Git automatically splits lines at 2KB when reading .gitattributes from a file, but not when parsing it from the index. Successfully exploiting this vulnerability depends on the location of the .gitattributes file in question.

This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution.

CVE-2022-23521 https://github.blog/2023-01-17-git-security-vulnerabilities-announced-2/#cve-2022-23521 2023-01-17 2023-02-21
git -- Heap overflow in `git archive`, `git log --format` leading to RCE git 2.39.1

The git team reports:

git log has the ability to display commits using an arbitrary format with its --format specifiers. This functionality is also exposed to git archive via the export-subst gitattribute.

When processing the padding operators (e.g., %<(, %<|(, %>(, %>>(, or %><( ), an integer overflow can occur in pretty.c::format_and_pad_commit() where a size_t is improperly stored as an int, and then added as an offset to a subsequent memcpy() call.

This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., git log --format=...). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive.

This integer overflow can result in arbitrary heap writes, which may result in remote code execution.

CVE-2022-41903 https://github.blog/2023-01-17-git-security-vulnerabilities-announced-2/#cve-2022-41903 2023-01-17 2023-02-21
gitea -- password hash quality gitea 1.18.4

The Gitea team reports:

This PR refactors and improves the password hashing code within gitea and makes it possible for server administrators to set the password hashing parameters.

In addition it takes the opportunity to adjust the settings for pbkdf2 in order to make the hashing a little stronger.

Add command to bulk set must-change-password

As part of administration sometimes it is appropriate to forcibly tell users to update their passwords.

This PR creates a new command gitea admin user must-change-password which will set the MustChangePassword flag on the provided users.

https://blog.gitea.io/2023/02/gitea-1.18.4-is-released/ https://github.com/go-gitea/gitea/releases/tag/v1.18.4 2022-02-14 2023-02-20
traefik -- Use of vulnerable Go module x/net/http2 traefik 2.9.8

The Go project reports:

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

CVE-2022-41721 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41721 2022-10-22 2023-02-19
Rundeck3 -- Log4J RCE vulnerability rundeck3 3.4.10

The Rundeck project reports:

This release updates both Community and Enterprise with the latest Log4J to address CVE-2021-44832 by updating it to 2.17.1.

CVE-2021-44832 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832 2021-12-11 2023-02-16
MinIO -- unprivileged users can create service accounts for admin users minio 2022.04.12.06.55.35

MinIO reports:

A security issue was found where an unprivileged user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials.

CVE-2022-24842 https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q 2022-04-11 2023-02-13
clamav -- Multiple vulnerabilities clamav 1.0.1,1 clamav-lts 0.103.8,1

Simon Scannell reports:

CVE-2023-20032
Fixed a possible remote code execution vulnerability in the HFS+ file parser.
CVE-2023-20052
Fixed a possible remote information leak vulnerability in the DMG file parser.
CVE-2023-20032 CVE-2023-20052 https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html 2023-02-15 2023-02-16
go -- multiple vulnerabilities go119 1.19.6 go120 1.20.1

The Go project reports:

path/filepath: path traversal in filepath.Clean on Windows

On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. The filepath.Clean function will now transform this path into the relative (but still invalid) path .\c:\b.

net/http, mime/multipart: denial of service from excessive resource consumption

Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.

crypto/tls: large handshake records may cause panics

Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses.

net/http: avoid quadratic complexity in HPACK decoding

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

CVE-2022-41722 CVE-2022-41725 CVE-2022-41724 CVE-2022-41723 https://groups.google.com/g/golang-dev/c/G2APtTxT1HQ/m/6O6aksDaBAAJ 2023-02-14 2023-02-15
Django -- multiple vulnerabilities py37-django32 py38-django32 py39-django32 py310-django32 3.2.18 py38-django40 py39-django40 py310-django40 4.0.10 py38-django41 py39-django41 py310-django41 4.1.7

Django reports:

CVE-2023-24580: Potential denial-of-service vulnerability in file uploads.

CVE-2023-24580 https://www.djangoproject.com/weblog/2023/feb/14/security-releases/ 2023-02-01 2023-02-14
GnuTLS -- timing sidechannel in RSA decryption gnutls 3.7.9

The GnuTLS project reports:

A vulnerability was found that the response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. Only TLS ciphertext processing is affected.

CVE-2023-0361 https://gnutls.org/security-new.html#GNUTLS-SA-2020-07-14 2023-02-10 2023-02-13
phpmyfaq -- multiple vulnerabilities phpmyfaq 3.1.11

phpmyfaq developers report:

a bypass to flood admin with FAQ proposals

stored XSS in questions

stored HTML injections

weak passwords

https://huntr.dev/bounties/14fc4841-0f5d-4e12-bf9e-1b60d2ac6a6c/ https://huntr.dev/bounties/8c74ccab-0d1d-4c6b-a0fa-803aa65de04f/ https://huntr.dev/bounties/87397c71-7b84-4617-a66e-fa6c73be9024/ https://huntr.dev/bounties/808d5452-607c-4af1-812f-26c49faf3e61/ https://huntr.dev/bounties/d9375178-2f23-4f5d-88bd-bba3d6ba7cc5/ https://huntr.dev/bounties/06af150b-b481-4248-9a48-56ded2814156/ https://huntr.dev/bounties/7152b340-c6f3-4ac8-9f62-f764a267488d/ https://huntr.dev/bounties/9e21156b-ab1d-4c60-88ef-8c9f3e2feb7f/ https://huntr.dev/bounties/b3881a1f-2f1e-45cb-86f3-735f66e660e9/ https://huntr.dev/bounties/949975f1-271d-46aa-85e5-1a013cdb5efb/ 2023-02-12 2023-02-12
chromium -- multiple vulnerabilities chromium 110.0.5481.77 ungoogled-chromium 110.0.5481.77

Chrome Releases reports:

This release contains 15 security fixes, including:

  • [1402270] High CVE-2023-0696: Type Confusion in V8. Reported by Haein Lee at KAIST Hacking Lab on 2022-12-18
  • [1341541] High CVE-2023-0697: Inappropriate implementation in Full screen mode. Reported by Ahmed ElMasry on 2022-07-03
  • [1403573] High CVE-2023-0698: Out of bounds read in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2022-12-25
  • [1371859] Medium CVE-2023-0699: Use after free in GPU. Reported by 7o8v and Cassidy Kim(@cassidy6564) on 2022-10-06
  • [1393732] Medium CVE-2023-0700: Inappropriate implementation in Download. Reported by Axel Chong on 2022-11-26
  • [1405123] Medium CVE-2023-0701: Heap buffer overflow in WebUI. Reported by Sumin Hwang of SSD Labs on 2023-01-05
  • [1316301] Medium CVE-2023-0702: Type Confusion in Data Transfer. Reported by Sri on 2022-04-14
  • [1405574] Medium CVE-2023-0703: Type Confusion in DevTools. Reported by raven at KunLun lab on 2023-01-07
  • [1385982] Low CVE-2023-0704: Insufficient policy enforcement in DevTools. Reported by Rhys Elsmore and Zac Sims of the Canva security team on 2022-11-18
  • [1238642] Low CVE-2023-0705: Integer overflow in Core. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-11
CVE-2023-0696 CVE-2023-0697 CVE-2023-0698 CVE-2023-0699 CVE-2023-0700 CVE-2023-0701 CVE-2023-0702 CVE-2023-0703 CVE-2023-0704 CVE-2023-0705 https://chromereleases.googleblog.com/2023/02/stable-channel-update-for-desktop.html 2023-02-07 2023-02-10
PostgreSQL server -- Client memory disclosure when connecting, with Kerberos, to modified server. postgresql15-client 15.2 postgresql14-client 14.7 postgresql13-client 13.10 postgresql12-client 12.14

PostgreSQL Project reports:

A modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. When a libpq client application has a Kerberos credential cache and doesn't explicitly disable option gssencmode, a server can cause libpq to over-read and report an error message containing uninitialized bytes from and following its receive buffer. If libpq's caller somehow makes that message accessible to the attacker, this achieves a disclosure of the over-read bytes. We have not confirmed or ruled out viability of attacks that arrange for a crash or for presence of notable, confidential information in disclosed bytes.

CVE-2022-41862 https://www.postgresql.org/support/security/CVE-2022-41862/ 2023-02-09 2023-02-09
Grafana -- Stored XSS in ResourcePicker component grafana 8.1.08.5.16 9.0.09.2.10 9.3.09.3.4 grafana8 8.1.08.5.16 grafana9 9.0.09.2.10 9.3.09.3.4

Grafana Labs reports:

On 2022-12-16 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin GeoMap.

The stored XSS vulnerability was possible due to SVG-files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.

CVE-2022-23552 https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv 2022-12-16 2023-02-09
Grafana -- Spoofing originalUrl of snapshots grafana 8.0.08.5.16 9.0.09.2.10 9.3.09.3.4 grafana8 8.0.08.5.16 grafana9 9.0.09.2.10 9.3.09.3.4

Grafana Labs reports:

A third-party penetration test of Grafana found a vulnerability in the snapshot functionality. The value of the originalUrl parameter is automatically generated. The purpose of the presented originalUrl parameter is to provide a user who views the snapshot with the possibility to click on the Local Snapshot button in the Grafana web UI and be presented with the dashboard that the snapshot captured. The value of the originalUrl parameter can be arbitrarily chosen by a malicious user that creates the snapshot. (Note: This can be done by editing the query thanks to a web proxy like Burp.)

We have assessed this vulnerability as having a CVSS score of 6.7 MEDIUM (CVSS:6.7/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L).

CVE-2022-39324 https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw 2023-01-25 2023-02-09
LibreSSL -- Arbitrary memory read libressl 3.5.4 libressl-devel 3.6.2

The OpenBSD project reports:

A malicious certificate revocation list or timestamp response token would allow an attacker to read arbitrary memory.

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.4-relnotes.txt 2023-02-08 2023-02-08
xorg-server -- Security issue in the X server xorg-server xephyr xorg-vfbserver 21.1.7,1 xorg-nestserver 21.1.7,2 xwayland 22.1.8,1 xwayland-devel 21.0.99.1.386

The X.org project reports:

  • CVE-2023-0494/ZDI-CAN-19596: X.Org Server DeepCopyPointerClasses use-after-free

    A dangling pointer in DeepCopyPointerClasses can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read/write into freed memory.

https://lists.x.org/archives/xorg-announce/2023-February/003320.html CVE-2023-0494 2023-02-07 2023-02-08
TightVNC -- Muliple Vulnerabilities tightvnc 1.3.10_6

MITRE reports:

TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP macro function, which can potentially result code execution. This attack appear to be exploitable via network connectivity.

TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP macro function, which can potentially result code execution. This attack appear to be exploitable via network connectivity.

TightVNC code version 1.3.10 contains heap buffer overflow in InitialiseRFBConnection function, which can potentially result code execution. This attack appear to be exploitable via network connectivity.

TightVNC code version 1.3.10 contains null pointer dereference in HandleZlibBPP function, which results Denial of System (DoS). This attack appear to be exploitable via network connectivity.

CVE-2019-8287 CVE-2019-15678 CVE-2019-15679 CVE-2019-15680 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8287 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15678 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15679 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15680 2019-02-12 2023-02-08
OpenSSL -- Multiple vulnerabilities openssl 1.1.1t,1 openssl-devel 3.0.8 openssl-quictls 3.0.8

The OpenSSL project reports:

X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) (High): There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

Timing Oracle in RSA Decryption (CVE-2022-4304) (Moderate): A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.

X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203) (Moderate): A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.

Use-after-free following BIO_new_NDEF (CVE-2023-0215) (Moderate): The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

Double free after calling PEM_read_bio_ex (CVE-2022-4450) (Moderate): The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.

Invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216) (Moderate): An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.

NULL dereference validating DSA public key (CVE-2023-0217) (Moderate): An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allow an attacker to cause a denial of service attack.

NULL dereference during PKCS7 data verification (CVE-2023-0401) (Moderate): A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash.

CVE-2023-0286 CVE-2022-4304 CVE-2022-4203 CVE-2023-0215 CVE-2022-4450 CVE-2023-0216 CVE-2023-0401 https://www.openssl.org/news/secadv/20230207.txt 2023-02-07 2023-02-07
Django -- multiple vulnerabilities py37-django32 py38-django32 py39-django32 py310-django32 3.2.17 py38-django40 py39-django40 py310-django40 4.0.9 py38-django41 py39-django41 py310-django41 4.1.6

Django reports:

CVE-2023-23969: Potential denial-of-service via Accept-Language headers.

CVE-2023-23969 https://www.djangoproject.com/weblog/2023/feb/01/security-releases/ 2023-02-01 2023-02-06
kafka -- Denial Of Service vulnerability kafka 3.3.2

NIST reports:

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

CVE-2020-36518 https://nvd.nist.gov/vuln/detail/CVE-2020-36518 2022-03-11 2023-02-04
node_exporter -- bypass security with cache poisoning node_exporter 1.5.0

Prometheus team reports:

Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. However, a flaw in the way this mechanism was implemented in the exporter toolkit makes it possible with people who know the hashed password to authenticate against Prometheus. A request can be forged by an attacker to poison the internal cache used to cache the computation of hashes and make subsequent requests successful. This cache is used in both happy and unhappy scenarios in order to limit side channel attacks that could tell an attacker if a user is present in the file or not.

CVE-2022-46146 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46146 2021-11-28 2023-02-04
Asterisk -- multiple vulnerabilities asterisk18 18.15.1

The Asterisk project reports:

AST-2022-007: Remote Crash Vulnerability in H323 channel add on

AST-2022-008: Use after free in res_pjsip_pubsub.c

AST-2022-009: GetConfig AMI Action can read files outside of Asterisk directory

CVE-2022-37325 CVE-2022-42705 CVE-2022-42706 https://downloads.asterisk.org/pub/security/AST-2022-007.html https://downloads.asterisk.org/pub/security/AST-2022-008.html https://downloads.asterisk.org/pub/security/AST-2022-009.html 2022-12-01 2023-02-02
Spotipy -- Path traversal vulnerability py37-spotipy py38-spotipy py39-spotipy py310-spotipy py311-spotipy 2.22.0

Stéphane Bruckert

If a malicious URI is passed to the library, the library can be tricked into performing an operation on a different API endpoint than intended.

CVE-2023-23608 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23608 https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-q764-g6fm-555v 2023-01-16 2023-02-02
zeek -- potential DoS vulnerabilities zeek 5.0.6

Tim Wojtulewicz of Corelight reports:

A missing field in the SMB FSControl script-land record could cause a heap buffer overflow when receiving packets containing those header types.

Receiving a series of packets that start with HTTP/1.0 and then switch to HTTP/0.9 could cause Zeek to spend a large amount of time processing the packets.

Receiving large numbers of FTP commands sequentially from the network with bad data in them could cause Zeek to spend a large amount of time processing the packets, and generate a large amount of events.

https://github.com/zeek/zeek/releases/tag/v5.0.6 2023-02-01 2023-02-01
Gitlab -- Multiple Vulnerabilities gitlab-ce 15.8.015.8.1 15.7.015.7.6 12.4.015.6.7

Gitlab reports:

Denial of Service via arbitrarily large Issue descriptions

CSRF via file upload allows an attacker to take over a repository

Sidekiq background job DoS by uploading malicious CI job artifact zips

Sidekiq background job DoS by uploading a malicious Helm package

CVE-2022-3411 CVE-2022-4138 CVE-2022-3759 CVE-2023-0518 https://about.gitlab.com/releases/2023/01/31/security-release-gitlab-15-8-1-released/ 2023-01-31 2023-02-01
Plex Media Server -- security vulnerability plexmediaserver plexmediaserver-plexpass 1.25.0

Plex Security Team reports:

We have recently been made aware of a security vulnerability in Plex Media Server versions prior to 1.25.0 that could allow a local Windows user to obtain administrator privileges without authorization. To be clear, this required the user to already have local, physical access to the computer (just with a different user account on Windows). There are no indications that this exploit could be used from a remote machine.

Plex Media Server versions 1.25.0.5282 and newer are not subject to this vulnerability, and feature additional hardening to prevent similar issues from occurring in the future. Users running older server versions are encouraged to update their Plex Media Server installations.

CVE-2021-42835 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42835 2021-10-22 2023-01-30
prometheus2 -- basic authentication bypass prometheus 0.8.1

Prometheus team reports:

Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. However, a flaw in the way this mechanism was implemented in the exporter toolkit makes it possible with people who know the hashed password to authenticate against Prometheus. A request can be forged by an attacker to poison the internal cache used to cache the computation of hashes and make subsequent requests successful. This cache is used in both happy and unhappy scenarios in order to limit side channel attacks that could tell an attacker if a user is present in the file or not.

CVE-2022-46146 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46146 2022-11-28 2023-01-30
chromium -- multiple vulnerabilities chromium 109.0.5414.119 ungoogled-chromium 109.0.5414.119

Chrome Releases reports:

This release contains 6 security fixes, including:

  • [1376354] High CVE-2023-0471: Use after free in WebTransport. Reported by chichoo Kim(chichoo) and Cassidy Kim(@cassidy6564) on 2022-10-19
  • [1405256] High CVE-2023-0472: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-01-06
  • [1404639] Medium CVE-2023-0473: Type Confusion in ServiceWorker API. Reported by raven at KunLun lab on 2023-01-03
  • [1400841] Medium CVE-2023-0474: Use after free in GuestView. Reported by avaue at S.S.L on 2022-12-14
CVE-2023-0471 CVE-2023-0472 CVE-2023-0473 CVE-2023-0474 https://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop_24.html 2023-01-24 2023-01-25
re2c -- uncontrolled recursion re2c 2.0

re2c reports:

re2c before 2.0 has uncontrolled recursion that causes stack consumption in find_fixed_tags.

CVE-2018-21232 https://nvd.nist.gov/vuln/detail/CVE-2018-21232 2022-05-24 2023-01-25
gitea -- information disclosure gitea 1.18.3

The Gitea team reports:

Prevent multiple To recipients: Change the mailer interface to prevent leaking of possible hidden email addresses when sending to multiple recipients.

https://blog.gitea.io/2023/01/gitea-1.18.3-is-released/ 2022-01-22 2023-01-24
net/krill -- DoS vulnerability krill 0.12.1

MITRE reports:

NLnet Labs Krill supports direct access to the RRDP repository content through its built-in web server at the "/rrdp" endpoint. Prior to 0.12.1 a direct query for any existing directory under "/rrdp/", rather than an RRDP file such as "/rrdp/notification.xml" as would be expected, causes Krill to crash. If the built-in "/rrdp" endpoint is exposed directly to the internet, then malicious remote parties can cause the publication server to crash. The repository content is not affected by this, but the availability of the server and repository can cause issues if this attack is persistent and is not mitigated. .

CVE-2023-0158 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0158 2023-01-10 2023-01-23
www/awstats -- Partial absolute pathname awstats 7.8

MITRE reports:

It seems #90 is not completely fixed in 7.8. (that is, even after CVE-2017-1000501 and CVE-2020-29600 are fixed). In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.

CVE-2020-35176 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35176 2022-12-11 2023-01-23
net/eternalterminal -- Multiple vulnerabilities eternalterminal 6.2.1

Mitre reports:

etserver and etclient have predictable logfile names in /tmp and they are world-readable logfiles

CVE-2022-48257 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48257 CVE-2022-48258 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48258 2023-01-13 2023-01-23
powerdns-recursor -- denial of service powerdns-recursor 4.8.04.8.1

PowerDNS Team reports:

PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination

CVE-2023-22617 https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-01.html 2023-01-20 2023-01-23
shells/fish -- arbitrary code execution via git fish 3.1.03.4.0

Peter Ammon reports:

fish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs git commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the fish_git_prompt function from the prompt.

CVE-2022-20001 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20001 2021-12-26 2023-01-21
MySQL -- Multiple vulnerabilities mysql-connector-c++ 8.0.33 mysql-connector-odbc 8.0.33 mysql-client57 5.7.42 mysql-server57 5.7.42 mysql-client80 8.0.33 mysql-server80 8.0.33

Oracle reports:

This Critical Patch Update contains 37 new security patches for Oracle MySQL. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network withouti requiring user credentials.

CVE-2022-32221 CVE-2022-24407 CVE-2022-24407 CVE-2022-3171 CVE-2022-1941 CVE-2023-21868 CVE-2023-21860 CVE-2023-21875 CVE-2023-21869 CVE-2023-21877 CVE-2023-21880 CVE-2023-21872 CVE-2023-21871 CVE-2023-21836 CVE-2023-21887 CVE-2023-21863 CVE-2023-21864 CVE-2023-21865 CVE-2023-21866 CVE-2023-21867 CVE-2023-21870 CVE-2023-21873 CVE-2023-21876 CVE-2023-21878 CVE-2023-21879 CVE-2023-21881 CVE-2023-21883 CVE-2023-21840 CVE-2023-21882 CVE-2023-21874 https://www.oracle.com/security-alerts/cpujan2023.html#AppendixMSQL 2023-01-20 2023-01-21
phpmyfaq -- multiple vulnerabilities phpmyfaq 3.1.10

phpmyfaq developers report:

phpMyFAQ does not implement sufficient checks to avoid a stored XSS in "Add new question"

phpMyFAQ does not implement sufficient checks to avoid a stored XSS in admin user page

phpMyFAQ does not implement sufficient checks to avoid a stored XSS in FAQ comments

phpMyFAQ does not implement sufficient checks to avoid a blind stored XSS in admin open question page

phpMyFAQ does not implement sufficient checks to avoid a reflected XSS in the admin backend login

phpMyFAQ does not implement sufficient checks to avoid stored XSS on user, category, FAQ, news and configuration admin backend

phpMyFAQ does not implement sufficient checks to avoid weak passwords

https://huntr.dev/bounties/cbba22f0-89ed-4d01-81ea-744979c8cbde/ https://huntr.dev/bounties/fac01e9f-e3e5-4985-94ad-59a76485f215/ https://huntr.dev/bounties/83cfed62-af8b-4aaa-94f2-5a33dc0c2d69/ https://huntr.dev/bounties/051d5e20-7fab-4769-bd7d-d986b804bb5a/ https://huntr.dev/bounties/c03c5925-43ff-450d-9827-2b65a3307ed6/ https://huntr.dev/bounties/f50ec8d1-cd60-4c2d-9ab8-3711870d83b9/ https://huntr.dev/bounties/82b0b629-c56b-4651-af3f-17f749751857/ https://huntr.dev/bounties/eac0a9d7-9721-4191-bef3-d43b0df59c67/ https://huntr.dev/bounties/bc27e84b-1f91-4e1b-a78c-944edeba8256/ 2023-01-15 2023-01-20
rack -- Multiple vulnerabilities rubygem-rack 3.0.4.1,3 rubygem-rack22 2.2.6.2,3 rubygem-rack16 1.6.14

Aaron Patterson reports:

CVE-2022-44570
Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.
CVE-2022-44571
Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
CVE-2022-44572
Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
CVE-2022-44570 CVE-2022-44571 CVE-2022-44572 https://github.com/rack/rack/blob/v3.0.4.1/CHANGELOG.md https://github.com/advisories/GHSA-65f5-mfpf-vfhj https://github.com/advisories/GHSA-93pm-5p5f-3ghx https://github.com/advisories/GHSA-rqv2-275x-2jq5 2023-01-17 2023-01-19
Apache httpd -- Multiple vulnerabilities apache24 2.4.55

The Apache httpd project reports:

mod_dav out of bounds read, or write of zero byte (CVE-2006-20001) (moderate)

mod_proxy_ajp Possible request smuggling (CVE-2022-36760) (moderate)

mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (CVE-2022-37436) (moderate)

CVE-2022-37436 CVE-2022-36760 CVE-2006-20001 https://downloads.apache.org/httpd/CHANGES_2.4.55 2023-01-17 2023-01-17
redis -- multiple vulnerabilities redis 7.0.8 redis-devel 7.0.8.20230116 redis62 6.2.9 redis6 6.0.17

The Redis core team reports:

CVE-2022-35977
Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic.
CVE-2023-22458
Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service.
CVE-2022-35977 CVE-2023-22458 https://github.com/redis/redis/releases/tag/7.0.8 2023-01-16 2023-01-16
security/keycloak -- Multiple possible DoS attacks keycloak 20.0.3

CIRCL reports:

  • CVE-2022-41966: XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream.
  • CVE-2022-40151: If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
CVE-2022-40151 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40151 CVE-2022-41966 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-41966 2022-09-07 2023-01-16
security/tor -- SOCKS4(a) inversion bug tor 0.4.7.13

The Tor Project reports:

TROVE-2022-002: The SafeSocks option for SOCKS4(a) is inverted leading to SOCKS4 going through

This is a report from hackerone:
We have classified this as medium considering that tor was not defending in-depth for dangerous SOCKS request and so any user relying on SafeSocks 1 to make sure they don't link DNS leak and their Tor traffic wasn't safe afterall for SOCKS4(a). Tor Browser doesn't use SafeSocks 1 and SOCKS4 so at least the likely vast majority of users are not affected.

https://hackerone.com/bugs?subject=torproject&report_id=1784589 https://gitlab.torproject.org/tpo/core/tor/-/issues/40730 2023-01-12 2023-01-14
emacs -- arbitary shell command execution vulnerability of ctags emacs emacs-canna emacs-nox 28.2_2,3 emacs-devel emacs-devel-nox 30.0.50.202211128,2

lu4nx reports:

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.

CVE-2022-45939 https://nvd.nist.gov/vuln/detail/CVE-2022-45939 2022-11-28 2023-01-12
cassandra3 -- multiple vulnerabilities cassandra3 3.11.14

Cassandra tema reports:

This release contains 6 security fixes including

  • CVE-2022-24823: When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory
  • CVE-2020-7238: Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.
  • CVE-2019-2684: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE
  • CVE-2022-25857: The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
  • CVE-2022-42003: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
  • CVE-2022-42004: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays.
CVE-2022-24823 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823 CVE-2020-7238 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7238 CVE-2019-2684 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2684 CVE-2022-25857 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857 CVE-2022-42003 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42003 CVE-2022-42004 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42004 2023-01-11 2023-01-11
cassandra3 -- arbitrary code execution cassandra3 3.11.13

Marcus Eriksson reports:

When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this.

CVE-2021-44521 https://www.cvedetails.com/cve/CVE-2021-44521 2022-02-11 2023-01-11
cassandra3 -- jBCrypt integer overflow cassandra3 3.11.12

mindrot project reports:

There is an integer overflow that occurs with very large log_rounds values, first reported by Marcus Rathsfeld.

CVE-2015-0886 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0886 2015-01-30 2023-01-11
xorg-server -- Multiple security issues in X server extensions xorg-server xephyr xorg-vfbserver 21.1.5,1 xorg-nestserver 21.1.5,2 xwayland 22.1.6,1 xwayland-devel 21.0.99.1.319

The X.org project reports:

  • CVE-2022-46340/ZDI-CAN-19265: X.Org Server XTestSwapFakeInput stack overflow

    The swap handler for the XTestFakeInput request of the XTest extension may corrupt the stack if GenericEvents with lengths larger than 32 bytes are sent through a the XTestFakeInput request.

    This issue does not affect systems where client and server use the same byte order.

  • CVE-2022-46341/ZDI-CAN-19381: X.Org Server XIPassiveUngrab out-of-bounds access

    The handler for the XIPassiveUngrab request accesses out-of-bounds memory when invoked with a high keycode or button code.

  • CVE-2022-46342/ZDI-CAN-19400: X.Org Server XvdiSelectVideoNotify use-after-free

    The handler for the XvdiSelectVideoNotify request may write to memory after it has been freed.

  • CVE-2022-46343/ZDI-CAN-19404: X.Org Server ScreenSaverSetAttributes use-after-free

    The handler for the ScreenSaverSetAttributes request may write to memory after it has been freed.

  • CVE-2022-46344/ZDI-CAN-19405: X.Org Server XIChangeProperty out-of-bounds access

    The handler for the XIChangeProperty request has a length-validation issues, resulting in out-of-bounds memory reads and potential information disclosure.

  • CVE-2022-4283/ZDI-CAN-19530: X.Org Server XkbGetKbdByName use-after-free

    The XkbCopyNames function left a dangling pointer to freed memory, resulting in out-of-bounds memory access on subsequent XkbGetKbdByName requests.

https://lists.x.org/archives/xorg-announce/2022-December/003302.html CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344 CVE-2022-4283 2022-12-14 2023-01-11
Gitlab -- Multiple Vulnerabilities gitlab-ce 15.7.015.7.2 15.6.015.6.4 6.6.015.5.7

Gitlab reports:

Race condition on gitlab.com enables verified email forgery and third-party account hijacking

DOS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint

Maintainer can leak sentry token by changing the configured URL

Maintainer can leak masked webhook secrets by changing target URL of the webhook

Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP

Group access tokens continue to work after owner loses ability to revoke them

Users' avatar disclosure by user ID in private GitLab instances

Arbitrary Protocol Redirection in GitLab Pages

Regex DoS due to device-detector parsing user agents

Regex DoS in the Submodule Url Parser

CVE-2022-4037 CVE-2022-3613 CVE-2022-4365 CVE-2022-4342 CVE-2022-3573 CVE-2022-4167 CVE-2022-3870 CVE-2023-0042 CVE-2022-4131 CVE-2022-3514 https://about.gitlab.com/releases/2023/01/09/security-release-gitlab-15-7-2-released/ 2023-01-09 2023-01-11
chromium -- multiple vulnerabilities chromium 109.0.5414.74 ungoogled-chromium 109.0.5414.74

Chrome Releases reports:

This release contains 17 security fixes, including:

  • [1353208] High CVE-2023-0128: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-08-16
  • [1382033] High CVE-2023-0129: Heap buffer overflow in Network Service. Reported by asnine on 2022-11-07
  • [1370028] Medium CVE-2023-0130: Inappropriate implementation in Fullscreen API. Reported by Hafiizh on 2022-09-30
  • [1357366] Medium CVE-2023-0131: Inappropriate implementation in iframe Sandbox. Reported by NDevTK on 2022-08-28
  • [1371215] Medium CVE-2023-0132: Inappropriate implementation in Permission prompts. Reported by Jasper Rebane (popstonia) on 2022-10-05
  • [1375132] Medium CVE-2023-0133: Inappropriate implementation in Permission prompts. Reported by Alesandro Ortiz on 2022-10-17
  • [1385709] Medium CVE-2023-0134: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-17
  • [1385831] Medium CVE-2023-0135: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-18
  • [1356987] Medium CVE-2023-0136: Inappropriate implementation in Fullscreen API. Reported by Axel Chong on 2022-08-26
  • [1399904] Medium CVE-2023-0137: Heap buffer overflow in Platform Apps. Reported by avaue and Buff3tts at S.S.L. on 2022-12-10
  • [1346675] Low CVE-2023-0138: Heap buffer overflow in libphonenumber. Reported by Michael Dau on 2022-07-23
  • [1367632] Low CVE-2023-0139: Insufficient validation of untrusted input in Downloads. Reported by Axel Chong on 2022-09-24
  • [1326788] Low CVE-2023-0140: Inappropriate implementation in File System API. Reported by harrison.mitchell, cybercx.com.au on 2022-05-18
  • [1362331] Low CVE-2023-0141: Insufficient policy enforcement in CORS. Reported by scarlet on 2022-09-12
CVE-2023-0128 CVE-2023-0129 CVE-2023-0130 CVE-2023-0131 CVE-2023-0132 CVE-2023-0133 CVE-2023-0134 CVE-2023-0135 CVE-2023-0136 CVE-2023-0137 CVE-2023-0138 CVE-2023-0139 CVE-2023-0140 CVE-2023-0141 https://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html 2023-01-10 2023-01-10
net-mgmt/cacti is vulnerable to remote command injection cacti 1.2.23

cacti team reports:

A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device.

CVE-2022-46169 https://nvd.nist.gov/vuln/detail/CVE-2022-46169 2022-12-05 2023-01-05 2023-01-09
devel/viewvc-devel is vulnerable to cross-site scripting py37-viewvc-devel py38-viewvc-devel py39-viewvc-devel 1.3.0.20230104

C. Michael Pilato reports:

security fix: escape revision view copy paths (#311) [CVE-2023-22464]

security fix: escape revision view changed paths (#311) [CVE-2023-22456]

CVE-2023-22464 CVE-2023-22456 https://nvd.nist.gov/vuln/detail/CVE-2023-22464 https://nvd.nist.gov/vuln/detail/CVE-2023-22456 2023-01-04 2023-01-05
rxvt-unicode is vulnerable to a remote code execution rxvt-unicode 9.31

Marc Lehmann reports:

The biggest issue is resolving CVE-2022-4170, which allows command execution inside urxvt from within the terminal (that means anything that can output text in the terminal can start commands in the context of the urxvt process, even remotely).

CVE-2022-4170 https://nvd.nist.gov/vuln/detail/CVE-2022-4170 2022-12-05 2023-01-03
gitea -- multiple issues gitea 1.18.0

The Gitea team reports:

Remove ReverseProxy authentication from the API

Support Go Vulnerability Management

Forbid HTML string tooltips

https://blog.gitea.io/2022/12/gitea-1.18.0-is-released/ https://github.com/go-gitea/gitea/releases/tag/v1.18.0 2022-08-23 2023-01-02