The Gitea Team reports for release 1.13.1:
- Hide private participation in Orgs
- Fix escaping issue in diff
The InspIRCd development team reports:
The websocket module before v3.8.1 contains a double free vulnerability. When combined with a HTTP reverse proxy this vulnerability can be used by any user who is [GKZ]-lined to remotely crash an InspIRCd server.
Intel reports:
Intel CPUs suffer Special Register Buffer Data Sampling vulnerability
The Asterisk project reports:
AST-2020-003: A crash can occur in Asterisk when a SIP message is received that has a History-Info header, which contains a tel-uri.
AST-2020-004: A crash can occur in Asterisk when a SIP 181 response is received that has a Diversion header, which contains a tel-uri.
postsrsd developer reports:
PostSRSd could be tricked into consuming a lot of CPU time with an SRS address that has an excessively long time stamp tag.
PowerDNS developers report:
A remote, unauthenticated attacker can trigger a race condition leading to a crash, or possibly arbitrary code execution, by sending crafted queries with a GSS-TSIG signature.
A remote, unauthenticated attacker can cause a denial of service by sending crafted queries with a GSS-TSIG signature.
A remote, unauthenticated attacker might be able to cause a double-free, leading to a crash or possibly arbitrary code execution by sending crafted queries with a GSS-TSIG signature.
Vault developers report:
Vault allowed enumeration of users via the LDAP auth method. This vulnerability, was fixed in Vault 1.6.1 and 1.5.6.
An external party reported that they were able to enumerate LDAP users via error messages returned by Vault’s LDAP auth method
JasPer NEWS:
Fix CVE-2020-27828, heap-overflow in cp_create() in jpc_enc.c.
Matrix developers reports:
A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a /send_join, /send_leave, /invite or /exchange_third_party_invite request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers.
The p11-glue project reports:
CVE-2020-29363: Out-of-bounds write in p11_rpc_buffer_get_byte_array_value function
A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value.CVE-2020-29362: Out-of-bounds read in p11_rpc_buffer_get_byte_array function
A heap-based buffer over-read has been discovered in the RPC protocol used by thep11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.CVE-2020-29361: Integer overflow when allocating memory for arrays of attributes and object identifiers
Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.
NLNetLabs reports:
Unbound and NSD when writing the PID file would not check if an existing file was a symlink. This could allow for a local symlink \ attack if an attacker has access to the user Unbound/NSD runs as.
The LibreSSL project reports:
Malformed ASN.1 in a certificate revocation list or a timestamp response token can lead to a NULL pointer dereference.
MITRE Corporation reports:
GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. Problem is we can not know which columns or rows in the database are using that; espcially from plugins. Changing the key without updating data would lend in bad password sent from glpi; but storing them again from the UI will work.
MITRE Corporation reports:
In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).
MITRE Corporation reports:
In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).
MITRE Corporation reports:
In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. This issue is fixed in version 9.5.3. As a workaround, one can remove the caldav.php file to block access to CalDAV server.
MITRE Corporation reports:
In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an API account to the system. The issue is patched in version 9.5.2. A proof-of-concept with technical details is available in the linked advisory.
MITRE Corporation reports:
In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.
MITRE Corporation reports:
In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection Since authentication is not required to perform these changes,anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2.
MITRE Corporation reports:
In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2
MITRE Corporation reports:
In GLPI before version 9.5.2, the pluginimage.send.php endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in /files/. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2.
MITRE Corporation reports:
In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1.
MITRE Corporation reports:
In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6.
MITRE Corporation reports:
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.
MITRE Corporation reports:
In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "alert(1)" reproduces the attack. This can be exploited by a user with administrator privileges in the User-Agent field. It can also be exploited by an outside party through the following steps: 1. Create a user with the surname `" onmouseover="alert(document.cookie)` and an empty first name. 2. With this user, create a ticket 3. As an administrator (or other privileged user) open the created ticket 4. On the "last update" field, put your mouse on the name of the user 5. The XSS fires This is fixed in version 9.4.6.
MITRE Corporation reports:
In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.
MITRE Corporation reports:
In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.
MITRE Corporation reports:
In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled, a technician account. It can be mitigated by adding an application token. This is fixed in version 9.4.6.
MITRE Corporation reports:
In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances. Exploiting this vulnerability requires a technician account. This is fixed in version 9.4.6.
MITRE Corporation reports:
In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library chosen is sodium.
MITRE Corporation reports:
GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of admin account. This vulnerability could be also abused to obtain other sensitive fields like API keys or password hashes.
The cURL project reports:
Trusting FTP PASV responses (CVE-2020-8284)
FTP wildcard stack overflow (CVE-2020-8285)
Inferior OCSP verification (CVE-2020-8286)
The OpenSSL project reports:
EDIPARTYNAME NULL pointer de-reference (High)
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.
Gitlab reports:
XSS in Zoom Meeting URL
Limited Information Disclosure in Private Profile
User email exposed via GraphQL endpoint
Group and project membership potentially exposed via GraphQL
Search terms logged in search parameter in rails logs
Un-authorised access to feature flag user list
A specific query on the explore page causes statement timeouts
Exposure of starred projects on private user profiles
Uncontrolled Resource Consumption in any Markdown field using Mermaid
Former group members able to view updates to confidential epics
Update GraphicsMagick dependency
Update GnuPG dependency
Update libxml dependency
Hashicorp reports:
Increase the permissions to read from the /connect/ca/configuration endpoint to operator:write. Previously Connect CA configuration, including the private key, set via this endpoint could be read back by an operator with operator:read privileges.
Chrome Releases reports:
This release contains 8 security fixes, including:
- [1142331] High CVE-2020-16037: Use after free in clipboard. Reported by Ryoya Tsukasaki on 2020-10-26
- [1138683] High CVE-2020-16038: Use after free in media. Reported by Khalil Zhani on 2020-10-14
- [1149177] High CVE-2020-16039: Use after free in extensions. Reported by Anonymous on 2020-11-15
- [1150649] High CVE-2020-16040: Insufficient data validation in V8. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-11-19
- [1151865] Medium CVE-2020-16041: Out of bounds read in networking. Reported by Sergei Glazunov and Mark Brand of Google Project Zero on 2020-11-23
- [1151890] Medium CVE-2020-16042: Uninitialized Use in V8. Reported by André Bargull on 2020-11-2
The Gitea Team reports for release 1.13.0:
- Add Allow-/Block-List for Migrate and Mirrors
- Prevent git operations for inactive users
- Disallow urlencoded new lines in git protocol paths if there is a port
- Mitigate Security vulnerability in the git hook feature
- Disable DSA ssh keys by default
- Set TLS minimum version to 1.2
- Use argon as default password hash algorithm
- Escape failed highlighted files
Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling. First, rtsold(8) failed to perform sufficient bounds checking on the extent of the option. In particular, it does not verify that the option does not extend past the end of the received packet before processing its contents. The kernel currently ignores such malformed packets but still passes them to userspace programs.
Second, when processing a DNSSL option, rtsold(8) decodes domain name labels per an encoding specified in RFC 1035 in which the first octet of each label contains the label's length. rtsold(8) did not validate label lengths correctly and could overflow the destination buffer.
It is believed that these bugs could be exploited to gain remote code execution within the rtsold(8) daemon, which runs as root. Note that rtsold(8) only processes messages received from hosts attached to the same physical link as the interface(s) on which rtsold(8) is listening.
In FreeBSD 12.2 rtsold(8) runs in a Capsicum sandbox, limiting the scope of a compromised rtsold(8) process.
When an ICMPv6 error message is received, the FreeBSD ICMPv6 stack may extract information from the message to hand to upper-layer protocols. As a part of this operation, it may parse IPv6 header options from a packet embedded in the ICMPv6 message.
The handler for a routing option caches a pointer into the packet buffer holding the ICMPv6 message. However, when processing subsequent options the packet buffer may be freed, rendering the cached pointer invalid. The network stack may later dereference the pointer, potentially triggering a use-after-free.
A remote host may be able to trigger a read of freed kernel memory. This may trigger a kernel panic if the address had been unmapped.
The X.org project reports:
These issues can lead to privileges elevations for authorized clients on systems where the X server is running privileged.
Insufficient checks on the lengths of the XkbSetMap request can lead to out of bounds memory accesses in the X server.
Insufficient checks on input of the XkbSetDeviceInfo request can lead to a buffer overflow on the head in the X server.
The HashiCorp team reports:
- artifact: Fixed a bug where interpolation can be used in the artifact destination field to write artifact payloads outside the allocation directory.
- template: Fixed a bug where interpolation can be used in the template source and destination fields to read or write files outside the allocation directory even when disable_file_sandbox was set to false (the default).
- template: Fixed a bug where the disable_file_sandbox configuration was only respected for the template file function and not the template source and destination fields.
The Gitea Team reports for release 1.12.6:
- Prevent git operations for inactive users
- Disallow urlencoded new lines in git protocol paths if there is a port
Node.js reports:
Updates are now available for v12.x, v14.x and v15.x Node.js release lines for the following issues.
Denial of Service through DNS request (CVE-2020-8277)
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of service by getting the application to resolve a DNS record with a larger number of responses.
Kevin J. McCarthy reports:
Mutt had incorrect error handling when initially connecting to an IMAP server, which could result in an attempt to authenticate without enabling TLS.
NIST reports:
- Heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.
libjpeg-turbo releases reports:
This release fixes the following security issue:
- Heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.
Mantis 2.24.3 release reports:
This release fixes 3 security issues:
- 0027039: CVE-2020-25781: Access to private bug note attachments
- 0027275: CVE-2020-25288: HTML Injection on bug_update_page.php
- 0027304: CVE-2020-25830: HTML Injection in bug_actiongroup_page.php
The Go project reports:
A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat methods are similarly affected.
The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by a malicious gcc flags specified via a #cgo directive.
The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious unquoted symbol names.
SaltStack reports multiple security vulnerabilities in Salt 3002:
- CVE-2020-16846: Prevent shell injections in netapi ssh client.
- CVE-2020-17490: Prevent creating world readable private keys with the tls execution module.
- CVE-2020-25592: Properly validate eauth credentials and tokens along with their ACLs. Prior to this change eauth was not properly validated when calling Salt ssh via the salt-api. Any value for 'eauth' or 'token' would allow a user to bypass authentication and make calls to Salt ssh.
The Apache Openofffice project reports:
CVE-2020-13958 Unrestricted actions leads to arbitrary code execution in crafted documents
Description
A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target users file system. These hyperlinks can be triggered unconditionally. In fixed versions no internal protocol may be called from the document event handler and other hyperlinks require a control-click.
Severity: Low
There are no known exploits of this vulnerability.
A proof-of-concept demonstration exists.Thanks to the reporter for discovering this issue.
Acknowledgments
The Apache OpenOffice Security Team would like to thank Imre Rad for discovering and reporting this attack vector.
CVE MITRE reports:
raptor_xml_writer_start_element_common in raptor_xml_writer.c in Raptor RDF Syntax Library 2.0.15 miscalculates the maximum nspace declarations for the XML writer, leading to heap-based buffer overflows (sometimes seen in raptor_qname_format_as_xml).
Jupyter reports:
6.1.5 is a security release, fixing one vulnerability: Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned)
The Asterisk project reports:
If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.
The Asterisk project reports:
Upon receiving a new SIP Invite, Asterisk did not return the created dialog locked or referenced. This caused a gap between the creation of the dialog object, and its next use by the thread that created it. Depending upon some off nominal circumstances, and timing it was possible for another thread to free said dialog in this gap. Asterisk could then crash when the dialog object, or any of its dependent objects were de-referenced, or accessed next by the initial creation thread.
Chrome Releases reports:
This release contains 10 security fixes, including:
- [1138911] High CVE-2020-16004: Use after free in user interface. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-10-15
- [1139398] High CVE-2020-16005: Insufficient policy enforcement in ANGLE. Reported by Jaehun Jeong (@n3sk) of Theori on 2020-10-16
- [1133527] High CVE-2020-16006: Inappropriate implementation in V8. Reported by Bill Parks on 2020-09-29
- [1125018] High CVE-2020-16007: Insufficient data validation in installer. Reported by Abdelhamid Naceri (halov) on 2020-09-04
- [1134107] High CVE-2020-16008: Stack buffer overflow in WebRTC. Reported by Tolya Korniltsev on 2020-10-01
- [1143772] High CVE-2020-16009: Inappropriate implementation in V8. Reported by Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of Google Project Zero on 2020-10-29
- [1144489] High CVE-2020-16011: Heap buffer overflow in UI on Windows. Reported by Sergei Glazunov of Google Project Zero on 2020-11-01
There are reports that an exploit for CVE-2020-16009 exists in the wild.
Gitlab reports:
Path Traversal in LFS Upload
Path traversal allows saving packages in arbitrary location
Kubernetes agent API leaks private repos
Terraform state deletion API exposes object storage URL
Stored-XSS in error message of build-dependencies
Git credentials persisted on disk
Potential Denial of service via container registry
Info leak when group is transferred from private to public group
Limited File Disclosure Via Multipart Bypass
Unauthorized user is able to access scheduled pipeline variables and values
CSRF in runner administration page allows an attacker to pause/resume runners
Regex backtracking attack in path parsing of Advanced Search result
Bypass of required CODEOWNERS approval
SAST CiConfiguration information visible without permissions
wordpress developers reports:
Ten security issues affect WordPress versions 5.5.1 and earlier. If you havent yet updated to 5.5, all WordPress versions since 3.7 have also been updated to fix the following security issues: -Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests. -Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network. -Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables. -Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC. -Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE. -Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs. -Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.
The Samba Team reports:
- CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify
- CVE-2020-14323: Unprivileged user can crash winbind
- CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records
Nicholas Marriott reports:
tmux has a stack overflow in CSI parsing.
cxsecurity.com reports:
A Denial of Service condition in Motion-Project Motion 3.2 through 4.3.1 allows remote unauthenticated users to cause a webu.c segmentation fault and kill the main process via a crafted HTTP request
The freetype project reports:
A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6.
Oracle reports:
This Critical Patch Update contains 48 new security patches for Oracle MySQL.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 8.
NOTE: MariaDB only contains CVE-2020-14812 CVE-2020-14765 CVE-2020-14776 and CVE-2020-14789
Chrome Releases reports:
This release includes 5 security fixes:
- [1125337] High CVE-2020-16000: Inappropriate implementation in Blink. Reported by amaebi_jp on 2020-09-06
- [1135018] High CVE-2020-16001: Use after free in media. Reported by Khalil Zhani on 2020-10-05
- [1137630] High CVE-2020-16002: Use after free in PDFium. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-10-13
- [1139963] High CVE-2020-15999: Heap buffer overflow in Freetype. Reported by Sergei Glazunov of Google Project Zero on 2020-10-19
- [1134960] Medium CVE-2020-16003: Use after free in printing. Reported by Khalil Zhani on 2020-10-04
PowerDNS Team reports:
CVE-2020-25829: An issue has been found in PowerDNS Recursor where a remote attacker can cause the cached records for a given name to be updated to the ‘Bogus’ DNSSEC validation state, instead of their actual DNSSEC ‘Secure’ state, via a DNS ANY query. This results in a denial of service for installations that always validate (dnssec=validate) and for clients requesting validation when on-demand validation is enabled (dnssec=process).
The MariaDB project reports:
Details of this vulnerability have not yet been disclosed
Matrix developers reports:
The fallback authentication endpoint served via Synapse were vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains.
Drupal Security Team reports:
The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.
Adobe reports:
- This update resolves a NULL pointer dereference vulnerability that could lead to arbitrary code execution (CVE-2020-9746).
Ruby on Rails blog:
Rails version 6.0.3.4 has been released! This version is a security release and addresses one possible XSS attack vector in Actionable Exceptions.
Payara Releases reports:
The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:
- CVE-2020-6950 Eclipse Mojarra vulnerable to path trasversal flaw via either loc/con parameters
Payara Releases reports:
The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:
- CVE-2019-12086 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9
Payara Releases reports:
The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:
- CVE-2018-14721 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks
- CVE-2018-14720 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct external XML entity (XXE) attacks
- CVE-2018-14719 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code
- CVE-2018-14718 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code
- CVE-2018-14371 Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter
Jon Siwek of Corelight reports:
This release fixes the following security issue:
- A memory leak in multipart MIME code has potential for remote exploitation and cause for Denial of Service via resource exhaustion.
Chrome releases reports:
This release contains 35 security fixes, including:
- [1127322] Critical CVE-2020-15967: Use after free in payments. Reported by Man Yue Mo of GitHub Security Lab on 2020-09-11
- [1126424] High CVE-2020-15968: Use after free in Blink. Reported by Anonymous on 2020-09-09
- [1124659] High CVE-2020-15969: Use after free in WebRTC. Reported by Anonymous on 2020-09-03
- [1108299] High CVE-2020-15970: Use after free in NFC. Reported by Man Yue Mo of GitHub Security Lab on 2020-07-22
- [1114062] High CVE-2020-15971: Use after free in printing. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-08-07
- [1115901] High CVE-2020-15972: Use after free in audio. Reported by Anonymous on 2020-08-13
- [1133671] High CVE-2020-15990: Use after free in autofill. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on 2020-09-30
- [1133688] High CVE-2020-15991: Use after free in password manager. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on 2020-09-30
- [1106890] Medium CVE-2020-15973: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-07-17
- [1104103] Medium CVE-2020-15974: Integer overflow in Blink. Reported by Juno Im (junorouse) of Theori on 2020-07-10
- [1110800] Medium CVE-2020-15975: Integer overflow in SwiftShader. Reported by Anonymous on 2020-07-29
- [1123522] Medium CVE-2020-15976: Use after free in WebXR. Reported by YoungJoo Lee (@ashuu_lee) of Raon Whitehat on 2020-08-31
- [1083278] Medium CVE-2020-6557: Inappropriate implementation in networking. Reported by Matthias Gierlings and Marcus Brinkmann (NDS Ruhr-University Bochum) on 2020-05-15
- [1097724] Medium CVE-2020-15977: Insufficient data validation in dialogs. Reported by Narendra Bhati (@imnarendrabhati) on 2020-06-22
- [1116280] Medium CVE-2020-15978: Insufficient data validation in navigation. Reported by Luan Herrera (@lbherrera_) on 2020-08-14
- [1127319] Medium CVE-2020-15979: Inappropriate implementation in V8. Reported by Avihay Cohen (@SeraphicAlgorithms) on 2020-09-11
- [1092453] Medium CVE-2020-15980: Insufficient policy enforcement in Intents. Reported by Yongke Wang (@Rudykewang) and Aryb1n (@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-08
- [1123023] Medium CVE-2020-15981: Out of bounds read in audio. Reported by Christoph Guttandin on 2020-08-28
- [1039882] Medium CVE-2020-15982: Side-channel information leakage in cache. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
- [1076786] Medium CVE-2020-15983: Insufficient data validation in webUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-04-30
- [1080395] Medium CVE-2020-15984: Insufficient policy enforcement in Omnibox. Reported by Rayyan Bijoora on 2020-05-07
- [1099276] Medium CVE-2020-15985: Inappropriate implementation in Blink. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2020-06-25
- [1100247] Medium CVE-2020-15986: Integer overflow in media. Reported by Mark Brand of Google Project Zero on 2020-06-29
- [1127774] Medium CVE-2020-15987: Use after free in WebRTC. Reported by Philipp Hancke on 2020-09-14
- [1110195] Medium CVE-2020-15992: Insufficient policy enforcement in networking. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-28
- [1092518] Low CVE-2020-15988: Insufficient policy enforcement in downloads. Reported by Samuel Attard on 2020-06-08
- [1108351] Low CVE-2020-15989: Uninitialized Use in PDFium. Reported by Gareth Evans (Microsoft) on 2020-07-22
Release notes:
Lots of fixes exposed by fuzzers like AFL, ClusterFuzz, OSSFuzz and others:
CVE-2016-6328: fixed integer overflow when parsing maker notes
CVE-2017-7544: fixed buffer overread
CVE-2018-20030: Fix for recursion DoS
CVE-2019-9278: replaced integer overflow checks the compiler could optimize away by safer constructs
CVE-2020-0093: read overflow
CVE-2020-12767: fixed division by zero
CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes
CVE-2020-13113: Potential use of uninitialized memory
CVE-2020-13114: Time consumption DoS when parsing canon array markers
Albert Astals Cid reports:
KDE Project Security Advisory
Title KDE Connect: packet manipulation can be exploited in a Denial of Service attack Risk Rating Important CVE CVE-2020-26164 Versions kdeconnect <= 20.08.1 Author Albert Vaca Cintora <albertvaka@gmail.com> Date 2 October 2020 Overview
An attacker on your local network could send maliciously crafted packets to other hosts running kdeconnect on the network, causing them to use large amounts of CPU, memory or network connections, which could be used in a Denial of Service attack within the network.
Impact
Computers that run kdeconnect are susceptible to DoS attacks from the local network.
Workaround
We advise you to stop KDE Connect when on untrusted networks like those on airports or conferences.
Since kdeconnect is dbus activated it is relatively hard to make sure it stays stopped so the brute force approach is to uninstall the kdeconnect package from your system and then run
kquitapp5 kdeconnectdJust install the package again once you're back in a trusted network.
Solution
KDE Connect 20.08.2 patches several code paths that could result in a DoS.
You can apply these patches on top of 20.08.1:
- https://invent.kde.org/network/kdeconnect-kde/-/commit/f183b5447bad47655c21af87214579f03bf3a163
- https://invent.kde.org/network/kdeconnect-kde/-/commit/b279c52101d3f7cc30a26086d58de0b5f1c547fa
- https://invent.kde.org/network/kdeconnect-kde/-/commit/d35b88c1b25fe13715f9170f18674d476ca9acdc
- https://invent.kde.org/network/kdeconnect-kde/-/commit/b496e66899e5bc9547b6537a7f44ab44dd0aaf38
- https://invent.kde.org/network/kdeconnect-kde/-/commit/5310eae85dbdf92fba30375238a2481f2e34943e
- https://invent.kde.org/network/kdeconnect-kde/-/commit/721ba9faafb79aac73973410ee1dd3624ded97a5
- https://invent.kde.org/network/kdeconnect-kde/-/commit/ae58b9dec49c809b85b5404cee17946116f8a706
- https://invent.kde.org/network/kdeconnect-kde/-/commit/66c768aa9e7fba30b119c8b801efd49ed1270b0a
- https://invent.kde.org/network/kdeconnect-kde/-/commit/85b691e40f525e22ca5cc4ebe79c361d71d7dc05
- https://invent.kde.org/network/kdeconnect-kde/-/commit/48180b46552d40729a36b7431e97bbe2b5379306
Credits
Thanks Matthias Gerstner and the openSUSE security team for reporting the issue.
Thanks to Aleix Pol, Nicolas Fella and Albert Vaca Cintora for the patches.
CVE mitre reports:
Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
Gitlab reports:
Potential Denial Of Service Via Update Release Links API
Insecure Storage of Session Key In Redis
Improper Access Expiration Date Validation
Cross-Site Scripting in Multiple Pages
Unauthorized Users Can View Custom Project Template
Cross-Site Scripting in SVG Image Preview
Incomplete Handling in Account Deletion
Insufficient Rate Limiting at Re-Sending Confirmation Email
Improper Type Check in GraphQL
To-dos Are Not Redacted When Membership Changes
Guest users can modify confidentiality attribute
Command injection on runner host
Insecure Runner Configuration in Kubernetes Environments
tt-rss project reports:
The cached_url feature mishandles JavaScript inside an SVG document.
imgproxy in plugins/af_proxy_http/init.php mishandles $_REQUEST["url"] in an error message.
It does not validate all URLs before requesting them.
Allows remote attackers to execute arbitrary PHP code via a crafted plural forms header.
Apache reports:
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
PowerDNS Team reports
CVE-2020-17482: An issue has been found in PowerDNS Authoritative Server before 4.3.1 where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. Such a user could be a customer inserting data via a control panel, or somebody with access to the REST API. Crafted records cannot be inserted via AXFR.
Chrome Releases reports:
This release fixes 10 security issues, including:
- [1100136] High CVE-2020-15960: Out of bounds read in storage. Reported by Anonymous on 2020-06-28
- [1114636] High CVE-2020-15961: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-10
- [1121836] High CVE-2020-15962: Insufficient policy enforcement in serial. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-08-26
- [1113558] High CVE-2020-15963: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-06
- [1126249] High CVE-2020-15965: Out of bounds write in V8. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2020-09-08
- [1113565] Medium CVE-2020-15966: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-08-06
- [1121414] Low CVE-2020-15964: Insufficient data validation in media. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2020-08-25
CVE mitre reports:
CVE-2019-20388
xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.
CVE-2020-7595
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
CVE-2020-24977
GNOME project libxml2 v2.9.10 and earlier have a global buffer over-read vulnerability in xmlEncodeEntitiesInternal
Affected Synapse versions assume that all events have an "origin" field set. If an event without the "origin" field is sent into a federated room, servers not already joined to the room will be unable to do so due to failing to fetch the malformed event.
An attacker could cause a denial of service by deliberately sending a malformed event into a room, thus preventing new servers (and thus their users) from joining the room.
Python reports:
bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(…).
bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523).
bpo-41004: CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
bpo-39073: Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
bpo-38576: Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised.
bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.
bpo-38945: Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process.
bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar. Patch by Ben Caller.
bpo-39017: Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
bpo-41183: Use 3072 RSA keys and SHA-256 signature for test certs and keys.
bpo-39503: AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge.
The Samba Team reports:
An unauthenticated attacker on the network can gain administrator access by exploiting a netlogon protocol flaw.
The Nextcloud project reports:
NC-SA-2020-026 (low): Password of share by mail is not hashed when given on the create share call
A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call.
The WebKitGTK project reports vulnerabilities:
- CVE-2020-9802: Processing maliciously crafted web content may lead to arbitrary code execution.
- CVE-2020-9803: Processing maliciously crafted web content may lead to arbitrary code execution.
- CVE-2020-9805: Processing maliciously crafted web content may lead to universal cross site scripting.
- CVE-2020-9806: Processing maliciously crafted web content may lead to arbitrary code execution.
- CVE-2020-9807: Processing maliciously crafted web content may lead to arbitrary code execution.
- CVE-2020-9843: Processing maliciously crafted web content may lead to a cross site scripting attack.
- CVE-2020-9850: A remote attacker may be able to cause arbitrary code execution.
- CVE-2020-13753: CLONE_NEWUSER could potentially be used to confuse xdg- desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal’s input buffer.
Node.js reports:
Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues.
HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201)
Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.
Impacts:
- All versions of the 14.x and 12.x releases line
Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical) (CVE-2020-8251)
Node.js is vulnerable to HTTP denial of service (DOS) attacks based on delayed requests submission which can make the server unable to accept new connections. The fix a new http.Server option called requestTimeout with a default value of 0 which means it is disabled by default. This should be set when Node.js is used as an edge server, for more details refer to the documentation.
Impacts:
- All versions of the 14.x release line
fs.realpath.native on may cause buffer overflow (Medium) (CVE-2020-8252)
libuv's realpath implementation incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
Impacts:
- All versions of the 10.x release line
- All versions of the 12.x release line
- All versions of the 14.x release line before 14.9.0
A ftpd(8) bug in the implementation of the file system sandbox, combined with capabilities available to an authenticated FTP user, can be used to escape the file system restriction configured in ftpchroot(5). Moreover, the bug allows a malicious client to gain root privileges.
A malicious FTP user can gain privileged access to an affected system.
A number of AMD virtualization instructions operate on host physical addresses, are not subject to nested page table translation, and guest use of these instructions was not trapped.
From kernel mode a malicious guest can write to arbitrary host memory (with some constraints), affording the guest full control of the host.
AMD and Intel CPUs support hardware virtualization using specialized data structures that control various aspects of guest operation. These are the Virtual Machine Control Structure (VMCS) on Intel CPUs, and the Virtual Machine Control Block (VMCB) on AMD CPUs. Insufficient access controls allow root users, including those running in a jail, to change these data structures.
An attacker with host root access (including to a jailed bhyve instance) can use this vulnerability to achieve kernel code execution.
A programming error in the ure(4) device driver caused some Realtek USB Ethernet interfaces to incorrectly report packets with more than 2048 bytes in a single USB transfer as having a length of only 2048 bytes.
An adversary can exploit this to cause the driver to misinterpret part of the payload of a large packet as a separate packet, and thereby inject packets across security boundaries such as VLANs.
An attacker that can send large frames (larger than 2048 bytes in size) to be received by the host (be it VLAN, or non-VLAN tagged packet), can inject arbitrary packets to be received and processed by the host. This includes spoofing packets from other hosts, or injecting packets to other VLANs than the host is on.
Ruby on Rails blog:
Rails 5.2.4.4 and 6.0.3.3 have been released! These releases contain an important security fix, so please upgrade when you can.
Both releases contain the following fix: [CVE-2020-15169] Potential XSS vulnerability in Action View
Jon Siwek of Corelight reports:
This release fixes the following security issue:
- The AYIYA and GTPv1 parsing/decapsulation logic may leak memory -- These leaks have potential for remote exploitation to cause Denial of Service via resource exhaustion.
Chrome Releases reports:
This release contains 5 security fixes:
- [1116304] High CVE-2020-6573: Use after free in video. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-08-14
- [1102196] High CVE-2020-6574: Insufficient policy enforcement in installer. Reported by CodeColorist of Ant-Financial LightYear Labs on 2020-07-05
- [1081874] High CVE-2020-6575: Race in Mojo. Reported by Microsoft on 2020-05-12
- [1111737] High CVE-2020-6576: Use after free in offscreen canvas. Reported by Looben Yang on 2020-07-31
- [1122684] High CVE-2020-15959: Insufficient policy enforcement in networking. Reported by Eric Lawrence of Microsoft on 2020-08-27
Version 5.9 contains security fix for L2TP clients and servers. Insufficient validation of incoming L2TP control packet specially crafted by unauthenticated user might lead to unexpected termination of the process. The problem affects mpd versions since 4.0 that brought in initial support for L2TP. Installations not using L2TP clients nor L2TP server configuration were not affected.
Manuel Pégourié-Gonnard reports:
An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can recover the private keys used in RSA or static (finite-field) Diffie-Hellman operations.
Manuel Pégourié-Gonnard reports:
When decrypting/authenticating (D)TLS record in a connection using a CBC ciphersuite without the Encrypt-then-Mac extension RFC 7366, Mbed TLS used dummy rounds of the compression function associated with the hash used for HMAC in order to hide the length of the padding to remote attackers, as recommended in the original Lucky Thirteen paper.
A local attacker who is able to observe the state of the cache could monitor the presence of mbedtls_md_process() in the cache in order to determine when the actual computation ends and when the dummy rounds start. This is a reliable target as it's always called at least once, in response to a previous attack. The attacker can then continue with one of many well-documented Lucky 13 variants.
The GnuTLS project reports:
It was found by oss-fuzz that the server sending a "no_renegotiation" alert in an unexpected timing, followed by an invalid second handshake can cause a TLS 1.3 client to crash via a null-pointer dereference. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.
Django Release notes:
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the collectstatic management command.
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
On Python 3.7+, the intermediate-level directories of the file system cache had the system's standard umask rather than 0o077 (no group or others permissions).
Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour.
Importing an arbitrary key can often easily be triggered by an attacker and thus triggering this bug. Exploiting the bug aside from crashes is not trivial but likely possible for a dedicated attacker. The major hurdle for an attacker is that only every second byte is under their control with every first byte having a fixed value of 0x04.
When parsing option 119 data, dhclient(8) computes the uncompressed domain list length so that it can allocate an appropriately sized buffer to store the uncompressed list. The code to compute the length failed to handle certain malformed input, resulting in a heap overflow when the uncompressed list is copied into in inadequately sized buffer.
The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit. However, it is possible the bug could be combined with other vulnerabilities to escape the sandbox.
Due to improper handling in the kernel, a use-after-free bug can be triggered by sending large user messages from multiple threads on the same socket.
Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic.
Due to improper mbuf handling in the kernel, a use-after-free bug might be triggered by sending IPv6 Hop-by-Hop options over the loopback interface.
Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic.
Gitlab reports:
Vendor Cross-Account Assume-Role Attack
Stored XSS on the Vulnerability Page
Outdated Job Token Can Be Reused to Access Unauthorized Resources
File Disclosure Via Workhorse File Upload Bypass
Unauthorized Maintainer Can Edit Group Badge
Denial of Service Within Wiki Functionality
Sign-in Vulnerable to Brute-force Attacks
Invalidated Session Allows Account Access With an Old Password
GitLab Omniauth Endpoint Renders User Controlled Messages
Blind SSRF Through Repository Mirroring
Information Disclosure Through Incorrect Group Permission Verifications
No Rate Limit on GitLab Webhook Feature
GitLab Session Revocation Feature Does Not Invalidate All Sessions
OAuth Authorization Scope for an External Application Can Be Changed Without User Consent
Unauthorized Maintainer Can Delete Repository
Improper Verification of Deploy-Key Leads to Access Restricted Repository
Disabled Repository Still Accessible With a Deploy-Token
Duplicated Secret Code Generated by 2 Factor Authentication Mechanism
Lack of Validation Within Project Invitation Flow
Current Sessions Not Invalidated Upon Enabling 2 Factor Authentication
Users Without 2 Factor Authentication Can Be Blocked Accessing GitLab
Lack of Upper Bound Check Leading to Possible Denial of Service
2 Factor Authentication for Groups Was Not Enforced Within API Endpoint
GitLab Runner Denial of Service via CI Jobs
Update jQuery Dependency
The Go project reports:
When a Handler does not explicitly set the Content-Type header, both CGI implementations default to “text/html”. If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file) this might be mistakenly returned by the server as “text/html”. If a victim visits such a page they could get the attacker's code executed in the context of the server origin. If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file) this might be mistakenly returned by the server as “text/html”. If a victim visits such a page they could get the attacker's code executed in the context of the server origin.
Albert Astals Cid reports:
Overview
A maliciously crafted TAR archive containing symlink entries would install files anywhere in the user's home directory upon extraction.
Proof of concept
For testing, an example of malicious archive can be found at dirsymlink.tar
Impact
Users can unwillingly install files like a modified .bashrc, or a malicious script placed in ~/.config/autostart.
Workaround
Before extracting a downloaded archive using the Ark GUI, users should inspect it to make sure it doesn't contain symlink entries pointing outside the extraction folder.
The 'Extract' context menu from the Dolphin file manager shouldn't be used.
Solution
Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.
Alternatively, 8bf8c5ef07b0ac5e914d752681e470dea403a5bd can be applied to previous releases.
Credits
Thanks to Fabian Vogt for reporting this issue and for fixing it.
grigoritchy at gmail dot com reports:
The phar_parse_zipfile function had use-after-free vulnerability because of mishandling of the actual_alias variable.
Chrome Releases reports:
This update includes 20 security fixes, including:
- [1109120] High CVE-2020-6558: Insufficient policy enforcement in iOS. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-24
- [1116706] High CVE-2020-6559: Use after free in presentation API. Reported by Liu Wei and Wu Zekai of Tencent Security Xuanwu Lab on 2020-08-15
- [1108181] Medium CVE-2020-6560: Insufficient policy enforcement in autofill. Reported by Nadja Ungethuem from www.unnex.de on 2020-07-22
- [932892] Medium CVE-2020-6561: Inappropriate implementation in Content Security Policy. Reported by Rob Wu on 2019-02-16
- [1086845] Medium CVE-2020-6562: Insufficient policy enforcement in Blink. Reported by Masato Kinugawa on 2020-05-27
- [1104628] Medium CVE-2020-6563: Insufficient policy enforcement in intent handling. Reported by Pedro Oliveira on 2020-07-12
- [841622] Medium CVE-2020-6564: Incorrect security UI in permissions. Reported by Khalil Zhani on 2018-05-10
- [1029907] Medium CVE-2020-6565: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-12-02
- [1065264] Medium CVE-2020-6566: Insufficient policy enforcement in media. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-03-27
- [937179] Low CVE-2020-6567: Insufficient validation of untrusted input in command line handling. Reported by Joshua Graham of TSS on 2019-03-01
- [1092451] Low CVE-2020-6568: Insufficient policy enforcement in intent handling. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-08
- [995732] Low CVE-2020-6569: Integer overflow in WebUSB. Reported by guaixiaomei on 2019-08-20
- [1084699] Low CVE-2020-6570: Side-channel information leakage in WebRTC. Reported by Signal/Tenable on 2020-05-19
- [1085315] Low CVE-2020-6571: Incorrect security UI in Omnibox. Reported by Rayyan Bijoora on 2020-05-21
JasPer NEWS:
- Fix CVE-2018-9154
- Fix CVE-2018-19541
- Fix CVE-2016-9399, CVE-2017-13751
- Fix CVE-2018-19540
- Fix CVE-2018-9055
- Fix CVE-2017-13748
- Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
- Fix CVE-2018-9252
- Fix CVE-2018-19139
- Fix CVE-2018-19543, CVE-2017-9782
- Fix CVE-2018-20570
- Fix CVE-2018-20622
- Fix CVE-2016-9398
- Fix CVE-2017-14132
- Fix CVE-2017-5499
- Fix CVE-2018-18873
- Fix CVE-2017-13750
The X.org project reports:
All theses issuses can lead to local privileges elevation on systems where the X server is running privileged.
The handler for the XkbSetNames request does not validate the request length before accessing its contents.
An integer underflow exists in the handler for the XIChangeHierarchy request.
An integer underflow exist in the handler for the XkbSelectEvents request.
An integer underflow exist in the handler for the CreateRegister request of the X record extension.
The X.org project reports:
There is an integer overflow and a double free vulnerability in the way LibX11 handles locales. The integer overflow is a necessary precursor to the double free.
Miroslav Lichvar reports:
chrony-3.5.1 [...] fixes a security issue in writing of the pidfile.
When chronyd is configured to save the pidfile in a directory where the chrony user has write permissions (e.g. /var/run/chrony - the default since chrony-3.4), an attacker that compromised the chrony user account could create a symbolic link at the location of the pidfile to make chronyd starting with root privileges follow the symlink and write its process ID to a file for which the chrony user doesn't have write permissions, causing a denial of service, or data loss.
This issue was reported by Matthias Gerstner of SUSE.
Andrew Walker reports:
Issue 1:
Users are always granted permissions to cd into a directory. The check for whether execute is present on directories is a de-facto no-op. This cannot be mitigated without upgrading. Even setting an explicit "deny - execute" NFSv4 ACE will be bypassed.
Issue 2:
All ACEs for the owner_group (group@) and regular groups (group:<foo>) are granted the current user. This means that POSIX mode 770 is de-facto 777, and the below ACL is also de-facto 777 because the groupmember check for builtin_administrators returns True.
root@TESTBOX[~]# getfacl testfile # file: testfile # owner: root # group: wheel group:builtin_administrators:rwxpDdaARWcCos:-------:allow
Elastic reports:
A field disclosure flaw was found in Elasticsearch when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
Ian Jackson and the adns project reports:
Vulnerable applications: all adns callers. Exploitable by: the local recursive resolver. Likely worst case: Remote code execution.
Vulnerable applications: those that make SOA queries. Exploitable by: upstream DNS data sources. Likely worst case: DoS (crash of the adns-using application)
Vulnerable applications: those that use adns_qf_quoteok_query. Exploitable by: sources of query domain names. Likely worst case: DoS (crash of the adns-using application)
Vulnerable applications: adnshost. Exploitable by: code responsible for framing the input. Likely worst case: DoS (adnshost crashes at EOF).
Icinga development team reports:
CVE-2020-24368
Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2.
curl security problems:
CVE-2020-8231: wrong connect-only connection
An application that performs multiple requests with libcurl's multi API and sets the CURLOPT_CONNECT_ONLY option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection - and instead pick another one the application has created since then.
CURLOPT_CONNECT_ONLY is the option to tell libcurl to not perform an actual transfer, only connect. When that operation is completed, libcurl remembers which connection it used for that transfer and "easy handle". It remembers the connection using a pointer to the internal connectdata struct in memory.
If more transfers are then done with the same multi handle before the connect-only connection is used, leading to the initial connect-only connection to get closed (for example due to idle time-out) while also new transfers (and connections) are setup, such a new connection might end up getting the exact same memory address as the now closed connect-only connection.
If after those operations, the application then wants to use the original transfer's connect-only setup to for example use curl_easy_send() to send raw data over that connection, libcurl could erroneously find an existing connection still being alive at the address it remembered since before even though this is now a new and different connection.
The application could then accidentally send data over that connection which wasn't at all intended for that recipient, entirely unknowingly.
Python reports:
bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523).
bpo-41004: CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(...).
the TrouSerS project reports reports:
If the tcsd daemon is started with root privileges, it fails to drop the root gid after it is no longer needed.
If the tcsd daemon is started with root privileges, the tss user has read and write access to the /etc/tcsd.conf file.
If the tcsd daemon is started with root privileges, the creation of the system.data file is prone to symlink attacks.
Chrome Releases reports:
This release contains one security fix:
- [1115345] High CVE-2020-6556: Heap buffer overflow in SwiftShader. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-08-12
Red Hat bugzilla reports:
A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made.
Jenkins Security Advisory:
Description
(Critical) SECURITY-1983 / CVE-2019-17638
Buffer corruption in bundled Jetty
rsync developers reports:
Various zlib fixes, including security fixes for CVE-2016-9843, CVE-2016-9842, CVE-2016-9841, and CVE-2016-9840
py-ecdsa developers report:
Fix CVE-2019-14853 - possible DoS caused by malformed signature decoding.
Fix CVE-2019-14859 - signature malleability caused by insufficient checks of DER encoding
Snmptt reports:
Fixed a security issue with EXEC / PREXEC / unknown_trap_exec that could allow malicious shell code to be executed.
Fixed a bug with EXEC / PREXEC / unknown_trap_exec that caused commands to be run as root instead of the user defined in daemon_uid.
Aki Tuomi reports:
Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory..
Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash
lmtp/submission: Issuing the RCPT command with an address that has the empty quoted string as local-part causes the lmtp service to crash.
Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on.
Cary Phillips reports:
v2.5.3 - Patch release with various bug/security fixes [...]:
- Various sanitizer/fuzz-identified issues related to handling of invalid input
Jenkins Security Advisory:
Description
(High) SECURITY-1955 / CVE-2020-2229
Stored XSS vulnerability in help icons
(High) SECURITY-1957 / CVE-2020-2230
Stored XSS vulnerability in project naming strategy
(High) SECURITY-1960 / CVE-2020-2231
Stored XSS vulnerability in 'Trigger builds remotely'
Chrome Releases reports:
This release contains 15 security fixes, including:
- [1107433] High CVE-2020-6542: Use after free in ANGLE. Reported by Piotr Bania of Cisco Talos on 2020-07-20
- [1104046] High CVE-2020-6543: Use after free in task scheduling. Reported by Looben Yang on 2020-07-10
- [1108497] High CVE-2020-6544: Use after free in media. Reported by Tim Becker of Theori on 2020-07-22
- [1095584] High CVE-2020-6545: Use after free in audio. Reported by Anonymous on 2020-06-16
- [1100280] High CVE-2020-6546: Inappropriate implementation in installer. Reported by Andrew Hess (any1) on 2020-06-29
- [1102153] High CVE-2020-6547: Incorrect security UI in media. Reported by David Albert on 2020-07-05
- [1103827] High CVE-2020-6548: Heap buffer overflow in Skia. Reported by Choongwoo Han, Microsoft Browser Vulnerability Research on 2020-07-09
- [1105426] High CVE-2020-6549: Use after free in media. Reported by Sergei Glazunov of Google Project Zero on 2020-07-14
- [1106682] High CVE-2020-6550: Use after free in IndexedDB. Reported by Sergei Glazunov of Google Project Zero on 2020-07-17
- [1107815] High CVE-2020-6551: Use after free in WebXR. Reported by Sergei Glazunov of Google Project Zero on 2020-07-21
- [1108518] High CVE-2020-6552: Use after free in Blink. Reported by Tim Becker of Theori on 2020-07-22
- [1111307] High CVE-2020-6553: Use after free in offline mode. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-30
- [1094235] Medium CVE-2020-6554: Use after free in extensions. Reported by Anonymous on 2020-06-12
- [1105202] Medium CVE-2020-6555: Out of bounds read in WebGL. Reported by Marcin Towalski of Cisco Talos on 2020-07-13
Puppetlabs reports:
In June 2020, jackson-databind published security updates addressing several CVEs. Previous releases of PuppetDB contain a vulnerable version of jackson.core:jackson-databind. PuppetDB 5.2.18 contains an updated version of jackson-databind that has patched the vulnerabilities.
Bftpd project reports:
Bftpd is vulnerable to out of bounds memory access, file descriptor leak and a potential buffer overflow.
Bryan Call reports:
ATS is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread.
The Apache httpd projec reports:
- mod_http2: Important: Push Diary Crash on Specifically Crafted HTTP/2 Header (CVE-2020-9490)
A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards.- mod_proxy_uwsgi: Moderate: mod_proxy_uwsgi buffer overflow (CVE-2020-11984)
info disclosure and possible RCE- mod_http2: Moderate: Push Diary Crash on Specifically Crafted HTTP/2 Header (CVE-2020-11993)
When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools.
The Go project reports:
Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This could lead to processing more input than expected when the caller is reading directly from the network and depends on ReadUvarint and ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.
Gitlab reports:
Arbitrary File Read when Moving an Issue
Memory Exhaustion via Excessive Logging of Invite Email Error
Denial of Service Through Project Import Feature
User Controlled Git Configuration Settings Resulting in SSRF
Stored XSS in Issue Reference Number Tooltip
Stored XSS in Issues List via Milestone Title
Improper Access Control After Group Transfer
Bypass Email Verification Required for OAuth Flow
Confusion When Using Hexadecimal Branch Names
Insufficient OAuth Revocation
Improper Access Control for Project Sharing
Stored XSS in Jobs Page
Improper Access Control of Applications Page
SSRF into Shared Runner
Update Kramdown Gem
When handling a 32-bit sendmsg(2) call, the compat32 subsystem copies the control message to be transmitted (if any) into kernel memory, and adjusts alignment of control message headers. The code which performs this work contained a time-of-check to time-of-use (TOCTOU) vulnerability which allows a malicious userspace program to modify control message headers after they were validated by the kernel.
The TOCTOU bug can be exploited by an unprivileged malicious userspace program to trigger privilege escalation.
A missing length validation code common to these three drivers means that a malicious USB device could write beyond the end of an allocated network packet buffer.
An attacker with physical access to a USB port and the ability to bring a network interface up may be able to use a specially crafted USB device to gain kernel or user-space code execution.
Typo3 Team reports:
In case an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php which again contains the encryptionKey as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, this allows to completely retrieve, manipulate or delete database contents. This includes creating an administration user account - which can be used to trigger remote code execution by injecting custom extensions.
It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains as described below.
The X.org project reports:
Allocation for pixmap data in AllocatePixmap() does not initialize the memory in xserver, it leads to leak uninitialize heap memory to clients. When the X server runs with elevated privileges.
This flaw can lead to ASLR bypass, which when combined with other flaws (known/unknown) could lead to lead to privilege elevation in the client.
The X.org project reports:
The X Input Method (XIM) client implementation in libX11 has some integer overflows and signed/unsigned comparison issues that can lead to heap corruption when handling malformed messages from an input method.
Python reports:
bpo-41304: Fixes python3x._pth being ignored on Windows, caused by the fix for bpo-29778 (CVE-2020-15801).
bpo-39603: Prevent http header injection by rejecting control characters in http.client.putreques().
KDE Project Security Advisory reports:
KDE Project Security Advisory
Title: Ark: maliciously crafted archive can install files outside the extraction directory. Risk Rating: Important CVE: CVE-2020-16116 Versions: ark <= 20.04.3 Author: Elvis Angelaccio <elvis.angelaccio@kde.org> Date: 30 July 2020 Overview
A maliciously crafted archive with "../" in the file paths would install files anywhere in the user's home directory upon extraction.
Proof of concept
For testing, an example of malicious archive can be found at https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip
Impact
Users can unwillingly install files like a modified .bashrc, or a malicious script placed in ~/.config/autostart
Workaround
Users should not use the 'Extract' context menu from the Dolphin file manager. Before extracting a downloaded archive using the Ark GUI, users should inspect it to make sure it doesn't contain entries with "../" in the file path.
Solution
Ark 20.08.0 prevents loading of malicious archives and shows a warning message to the users.
Alternatively, https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f can be applied to previous releases.
Credits
Thanks to Dominik Penner for finding and reporting this issue and thanks to Elvis Angelaccio and Albert Astals Cid for fixing it.
Chrome Releases reports:
This update contains 8 security fixes, including:
- [1105318] High CVE-2020-6537: Type Confusion in V8. Reported by Alphalaab on 2020-07-14
- [1096677] High CVE-2020-6538: Inappropriate implementation in WebView. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-18
- [1104061] High CVE-2020-6532: Use after free in SCTP. Reported by Anonymous on 2020-07-09
- [1105635] High CVE-2020-6539: Use after free in CSS. Reported by Oriol Brufau on 2020-07-14
- [1105720] High CVE-2020-6540: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-07-15
- [1106773] High CVE-2020-6541: Use after free in WebUSB. Reported by Sergei Glazunov of Google Project Zero on 2020-07-17
RedHat reports:
It was discovered the fix for CVE-2018-19758 was not complete and still allows a read beyond the limits of a buffer in wav_write_header() function in wav.c. A local attacker may use this flaw to make the application crash.
Bernhard Miklautz reports:
- Integer overflow due to missing input sanitation in rdpegfx channel
- All FreeRDP clients are affected
- The input rectangles from the server are not checked against local surface coordinates and blindly accepted. A malicious server can send data that will crash the client later on (invalid length arguments to a memcpy)
Jon Siwek of Corelight reports:
This release fixes the following security issues:
- Fix potential DNS analyzer stack overflow
- Fix potential NetbiosSSN analyzer stack overflow
Cacti developers reports:
Multiple fixes for bundled jQuery to prevent code exec (CVE-2020-11022, CVE-2020-11023).
PHPMail contains a escaping bug (CVE-2020-13625).
SQL Injection via color.php in Cacti (CVE-2020-14295).
GitHub Advisory Database:
When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template is built using Django's standard form rendering helpers such as form.as_p (as directed in the documentation), any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users.
The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize.
The Apache Software Foundation reports:
An h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
Python reports:
bpo-41162:Audit hooks are now cleared later during finalization to avoid missing events.
bpo-29778:Ensure python3.dll is loaded from correct locations when Python is embedded.
Oracle reports:
Vulnerabilities in VirtualBox core can allow users with logon access to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of these vulnerabilities can result in unauthorized access to critical data, access to all Oracle VM VirtualBox accessible data, unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) or takeover of Oracle VM VirtualBox.
Micah Snyder reports:
- CVE-2020-3350
- Fixed a vulnerability a malicious user could exploit to replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (such as a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan and clamonacc.
- CVE-2020-3327
- Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.3 that could cause a denial-of-service (DoS) condition. Improper bounds checking resulted in an out-of-bounds read that could cause a crash. The previous fix for this CVE in version 0.102.3 was incomplete. This fix correctly resolves the issue.
- CVE-2020-3481
- Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 that could cause a denial-of-service (DoS) condition. Improper error handling could cause a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in affected versions.
Cary Phillips reports:
openexr 2.5.2 [is a p]atch release with various bug/security and build/install fixes:
- Invalid input could cause a heap-use-after-free error in DeepScanLineInputFile::DeepScanLineInputFile()
- Invalid chunkCount attributes could cause heap buffer overflow in getChunkOffsetTableSize()
- Invalid tiled input file could cause invalid memory access TiledInputFile::TiledInputFile()
Chrome Releases reports:
This update contains 38 security fixes, including:
- [1103195] Critical CVE-2020-6510: Heap buffer overflow in background fetch. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-07-08
- [1074317] High CVE-2020-6511: Side-channel information leakage in content security policy. Reported by Mikhail Oblozhikhin on 2020-04-24
- [1084820] High CVE-2020-6512: Type Confusion in V8. Reported by nocma, leogan, cheneyxu of WeChat Open Platform Security Team on 2020-05-20
- [1091404] High CVE-2020-6513: Heap buffer overflow in PDFium. Reported by Aleksandar Nikolic of Cisco Talos on 2020-06-04
- [1076703] High CVE-2020-6514: Inappropriate implementation in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2020-04-30
- [1082755] High CVE-2020-6515: Use after free in tab strip. Reported by DDV_UA on 2020-05-14
- [1092449] High CVE-2020-6516: Policy bypass in CORS. Reported by Yongke Wang(@Rudykewang) and Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-08
- [1095560] High CVE-2020-6517: Heap buffer overflow in history. Reported by ZeKai Wu (@hellowuzekai) of Tencent Security Xuanwu Lab on 2020-06-16
- [986051] Medium CVE-2020-6518: Use after free in developer tools. Reported by David Erceg on 2019-07-20
- [1064676] Medium CVE-2020-6519: Policy bypass in CSP. Reported by Gal Weizman (@WeizmanGal) of PerimeterX on 2020-03-25
- [1092274] Medium CVE-2020-6520: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-08
- [1075734] Medium CVE-2020-6521: Side-channel information leakage in autofill. Reported by Xu Lin (University of Illinois at Chicago), Panagiotis Ilia (University of Illinois at Chicago), Jason Polakis (University of Illinois at Chicago) on 2020-04-27
- [1052093] Medium CVE-2020-6522: Inappropriate implementation in external protocol handlers. Reported by Eric Lawrence of Microsoft on 2020-02-13
- [1080481] Medium CVE-2020-6523: Out of bounds write in Skia. Reported by Liu Wei and Wu Zekai of Tencent Security Xuanwu Lab on 2020-05-08
- [1081722] Medium CVE-2020-6524: Heap buffer overflow in WebAudio. Reported by Sung Ta (@Mipu94) of SEFCOM Lab, Arizona State University on 2020-05-12
- [1091670] Medium CVE-2020-6525: Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-05
- [1074340] Low CVE-2020-6526: Inappropriate implementation in iframe sandbox. Reported by Jonathan Kingston on 2020-04-24
- [992698] Low CVE-2020-6527: Insufficient policy enforcement in CSP. Reported by Zhong Zhaochen of andsecurity.cn on 2019-08-10
- [1063690] Low CVE-2020-6528: Incorrect security UI in basic auth. Reported by Rayyan Bijoora on 2020-03-22
- [978779] Low CVE-2020-6529: Inappropriate implementation in WebRTC. Reported by kaustubhvats7 on 2019-06-26
- [1016278] Low CVE-2020-6530: Out of bounds memory access in developer tools. Reported by myvyang on 2019-10-21
- [1042986] Low CVE-2020-6531: Side-channel information leakage in scroll to text. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-01-17
- [1069964] Low CVE-2020-6533: Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2020-04-11
- [1072412] Low CVE-2020-6534: Heap buffer overflow in WebRTC. Reported by Anonymous on 2020-04-20
- [1073409] Low CVE-2020-6535: Insufficient data validation in WebUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-04-22
- [1080934] Low CVE-2020-6536: Incorrect security UI in PWAs. Reported by Zhiyang Zeng of Tencent security platform department on 2020-05-09
Jenkins Security Advisory:
Description
(High) SECURITY-1868 / CVE-2020-2220
Stored XSS vulnerability in job build time trend
(High) SECURITY-1901 / CVE-2020-2221
Stored XSS vulnerability in upstream cause
(High) SECURITY-1902 / CVE-2020-2222
Stored XSS vulnerability in 'keep forever' badge icons
(High) SECURITY-1945 / CVE-2020-2223
Stored XSS vulnerability in console links
Oracle reports:
This Critical Patch Update contains 40 new security patches for Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.8.
This Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for July 2020, which will be released on Tuesday, July 14, 2020.
The IPV6_2292PKTOPTIONS set handler was missing synchronization, so racing accesses could modify freed memory.
A malicious user application could trigger memory corruption, leading to privilege escalation.
posix_spawnp spawns a new thread with a limited stack allocated on the heap before delegating to execvp for the final execution within that thread.
execvp would previously make unbounded allocations on the stack, directly proportional to the length of the user-controlled PATH environment variable.
Long values in the user-controlled PATH environment variable cause posix_spawnp to write beyond the end of stack that was allocated, ultimately overflowing the heap-allocated stack with a direct copy of the value stored in PATH.
mybb Team reports:
High risk: Installer RCE on settings file write
Medium risk: Arbitrary upload paths and Local File Inclusion RCE
Medium risk: XSS via insufficient HTML sanitization of Blog feed and Extend data
Low risk: Open redirect on login
Low risk: SCEditor reflected XSS
kramdown news:
CVE-2020-14001 is addressed to avoid problems when using the {::options /} extension together with the 'template' option.
Manuel Pégourié-Gonnard reports:
The scalar multiplication function in Mbed TLS accepts a random number generator (RNG) as an optional argument and, if provided, uses it to protect against some attacks.
It is the caller's responsibility to provide a RNG if protection against side-channel attacks is desired; however two groups of functions in Mbed TLS itself fail to pass a RNG:
- mbedtls_pk_parse_key() and mbedtls_pk_parse_keyfile()
- mbedtls_ecp_check_pub_priv() and mbedtls_pk_check_pair()
When those functions are called, scalar multiplication is computed without randomisation, a number of old and new attacks apply, allowing a powerful local attacker to fully recover the private key.
Gitlab reports:
Workhorse bypass allows files in /tmp to be read via Maven Repository APIs
Python reports:
The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.
Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised.
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
The Samba Team reports:
Four vulnerabilities were fixed in samba:
- CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC LDAP Server with ASQ, VLV and paged_results
- CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume excessive CPU in the AD DC (only)
- CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with paged_results and VLV
- CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd
Anydesk reports:
AnyDesk before 5.5.3 on Linux and FreeBSD has a format string vulnerability that can be exploited for remote code execution.
Matrix developers report:
Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.
- A malicious homeserver could force Synapse to reset the state in a room to a small subset of the correct state. This affects all Synapse deployments which federate with untrusted servers.
- HTML pages served via Synapse were vulnerable to clickjacking attacks. This predominantly affects homeservers with single-sign-on enabled, but all server administrators are encouraged to upgrade.
GitHub Security Lab reports:
D-Bus has a file descriptor leak, which can lead to denial of service when the dbus-daemon runs out of file descriptors. An unprivileged local attacker can use this to attack the system dbus-daemon, leading to denial of service for all users of the machine.
Gitlab reports:
Missing Permission Check on Time Tracking
Cross-Site Scripting in PyPi Files API
Insecure Authorization Check on Private Project Security Dashboard
Cross-Site Scripting in References
Cross-Site Scripting in Group Names
Cross-Site Scripting in Blob Viewer
Cross-Site Scripting in Error Tracking
Insecure Authorisation Check on Creation and Deletion of Deploy Tokens
User Name Format Restiction Bypass
Denial of Service in Issue Comments
Cross-Site Scripting in Wiki Pages
Private Merge Request Updates Leaked via Todos
Private User Activity Leaked via API
Cross-Site Scripting in Bitbucket Import Feature
Github Project Restriction Bypass
Update PCRE Dependency
Update Kaminari Gem
Cross-Site Scripting in User Profile
Update Xterm.js
Felix Dörre reports:
The issue is that STUN/TURN response buffer is not initialized properly. (CWE 665) This is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client.
PowerDNS Team reports:
CVE-2020-14196: An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via webserver-allow-from is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction. In the default configuration the API webserver is not enabled. Only installations using a non-default value for webserver and webserver-address are affected.
Drupal Security Team reports:
The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
Ashley Newson reports:
The xrdp-sesman service can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350.
reports:
Improper serialization of MongoDB Server's internal authorization state permits a user with valid credentials to bypass IP source address protection mechanisms following administrative action.
Credit
Discovered by Tony Yesudas.
Two vulnerabilities were fixed in the upstream repository:
Simon Tatham reports:
[Release 0.74] fixes the following security issues:
- New configuration option to disable PuTTY's default policy of changing its host key algorithm preferences to prefer keys it already knows. (There is a theoretical information leak in this policy.) [CVE-2020-14002]
- In some situations an SSH server could cause PuTTY to access freed mdmory by pretending to accept an SSH key and then refusing the actual signature. It can only happen if you're using an SSH agent.
Chrome Releases reports:
This update includes 2 security fixes, including:
- [1092308] High CVE-2020-6509: Use after free in extensions. Reported by Anonymous on 2020-06-08
mutt 1.14.4 updates:
CVE-2020-14954 - Machine-in-the-middle response injection attack when using STARTTLS with IMAP, POP3, and SMTP
mutt 1.14.3 updates:
CVE-2020-14093 - IMAP fcc/postpone man-in-the-middle attack via a PREAUTH response.
curl security problems:
CVE-2020-8169: Partial password leak over DNS on HTTP redirect
libcurl can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s).
libcurl can be given a username and password for HTTP authentication when requesting an HTTP resource - used for HTTP Authentication such as Basic, Digest, NTLM and similar. The credentials are set, either together with CURLOPT_USERPWD or separately with CURLOPT_USERNAME and CURLOPT_PASSWORD. Important detail: these strings are given to libcurl as plain C strings and they are not supposed to be URL encoded.
In addition, libcurl also allows the credentials to be set in the URL, using the standard RFC 3986 format: http://user:password@host/path. In this case, the name and password are URL encoded as that's how they appear in URLs.
If the options are set, they override the credentials set in the URL.
Internally, this is handled by storing the credentials in the "URL object" so that there is only a single set of credentials stored associated with this single URL.
When libcurl handles a relative redirect (as opposed to an absolute URL redirect) for an HTTP transfer, the server is only sending a new path to the client and that path is applied on to the existing URL. That "applying" of the relative path on top of an absolute URL is done by libcurl first generating a full absolute URL out of all the components it has, then it applies the redirect and finally it deconstructs the URL again into its separate components.
This security vulnerability originates in the fact that curl did not correctly URL encode the credential data when set using one of the curl_easy_setopt options described above. This made curl generate a badly formatted full URL when it would do a redirect and the final re-parsing of the URL would then go bad and wrongly consider a part of the password field to belong to the host name.
The wrong host name would then be used in a name resolve lookup, potentially leaking the host name + partial password in clear text over the network (if plain DNS was used) and in particular to the used DNS server(s).
CVE-2020-8177: curl overwrite local file with -J
curl can be tricked by a malicious server to overwrite a local file when using -J (--remote-header-name) and -i (--include) in the same command line.
The command line tool offers the -J option that saves a remote file using the file name present in the Content-Disposition: response header. curl then refuses to overwrite an existing local file using the same name, if one already exists in the current directory.
The -J flag is designed to save a response body, and so it doesn't work together with -i and there's logic that forbids it. However, the check is flawed and doesn't properly check for when the options are used in the reversed order: first using -J and then -i were mistakenly accepted.
The result of this mistake was that incoming HTTP headers could overwrite a local file if one existed, as the check to avoid the local file was done first when body data was received, and due to the mistake mentioned above, it could already have received and saved headers by that time.
The saved file would only get response headers added to it, as it would abort the saving when the first body byte arrives. A malicious server could however still be made to send back virtually anything as headers and curl would save them like this, until the first CRLF-CRLF sequence appears.
(Also note that -J needs to be used in combination with -O to have any effect.)
Apple reports:
- CVE-2019-8842: The ippReadIO function may under-read an extension.
- CVE-2020-3898: The ppdOpen function did not handle invalid UI constraint. ppdcSource::get_resolution function did not handle invalid resolution strings. An application may be able to gain elevated privileges.
Ruby on Rails blog:
Rails 6.0.3.2 has been released! This version of Rails contains an important security patch, and you should upgrade! The release contains only one patch that addresses CVE-2020-8185.
Thomas Guillem reports:
A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file.
lynis update:
This release resolves two security issues
ISC reports:
The asterisk character ("*") is allowed in DNS zone files, where it is most commonly present as a wildcard at a terminal node of the Domain Name System graph. However, the RFCs do not require and BIND does not enforce that an asterisk character be present only at a terminal node.
A problem can occur when an asterisk is present in an empty non-terminal location within the DNS graph. If such a node exists, after a series of queries, named can reach an inconsistent state that results in the failure of an assertion check in rbtdb.c, followed by the program exiting due to the assertion failure.
ISC reports:
An assertion check in BIND (that is meant to prevent going beyond the end of a buffer when processing incoming data) can be incorrectly triggered by a large response during zone transfer.
LibreOffice reports:
Two flaws were found in LibreOffice:
- CVE-2020-12802: remote graphics contained in docx format retrieved in 'stealth mode'
- CVE-2020-12803: XForms submissions could overwrite local files
sqlite3 update:
Various security issues could be used by an attacker to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code.
Node.js reports:
Updates are now available for all supported Node.js release lines for the following issues.
TLS session reuse can lead to host certificate verification bypass (High) (CVE-2020-8172)
The 'session' event could be emitted before the 'secureConnect' event. It should not be, because the connection may fail to be authorized. If it was saved an authorized connection could be established later with the session ticket. Note that the https agent caches sessions, so is vulnerable to this.
The 'session' event will now only be emitted after the 'secureConnect' event, and only for authorized connections.
HTTP/2 Large Settings Frame DoS (Low) (CVE-2020-11080)
Receiving unreasonably large HTTP/2 SETTINGS frames can consume 100% CPU to process all the settings, blocking all other activities until complete.
The HTTP/2 session frame is limited to 32 settings by default. This can be configured if necessary using the maxSettings option.
napi_get_value_string_*() allows various kinds of memory corruption (High) (CVE-2020-8174)
Calling napi_get_value_string_latin1(), napi_get_value_string_utf8(), or napi_get_value_string_utf16() with a non-NULL buf, and a bufsize of 0 will cause the entire string value to be written to buf, probably overrunning the length of the buffer.
A exploit has not been reported and it may be difficult but the following is suggested:
- All users of LTS Node.js versions should update to the versions announced in this security post. This will address the issue for any non pre-built add-on.
- Maintainers who support EOL Node.js versions and/or build against a version of Node.js that did not support N-API internally should update to use the new versions of node-addon-api 1.x and 2.x that will be released soon after this announcement.
ICU-20958 Prevent SEGV_MAPERR in append (High) (CVE-2020-10531)
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
Fix was applied to 10.x in an abundance of caution, even though there is no known way to trigger the overflow in 10.x.
fklassen on Github reports:
This release fixes the following security issues:
- memory access in do_checksum()
- NULL pointer dereference get_layer4_v6()
- NULL pointer dereference get_ipv6_l4proto()
Mitre reports:
ZNC 1.8.0 up to 1.8.1-rc1 allows attackers to trigger an application crash (with a NULL pointer dereference) if echo-message is not enabled and there is no network.
NPM reports:
Global node_modules Binary Overwrite
Symlink reference outside of node_modules
Arbitrary File Write
Malvineous on Github reports:
This release fixes the following security issues:
- buffer overflow in .bmf
- buffer overflow in .dtm
- buffer overflow in .mkj
- buffer overflow in .a2m
- buffer overflow in .rad
- buffer overflow in .mtk
- double free and OOB reads in .u6m
Jon Siwek of Corelight reports:
This release fixes the following security issues:
- Fix potential stack overflow in NVT analyzer
- Fix NVT analyzer memory leak from multiple telnet authn name options
- Fix multiple content-transfer-encoding headers causing a memory leak
- Fix potential leak of Analyzers added to tree during Analyzer::Done
- Prevent IP fragment reassembly on packets without minimal IP header
Adobe reports:
- This update resolves a use-after-free vulnerability that could lead to arbitrary code execution (CVE-2020-9633).
If the push/pop level of the USB HID state is not restored within the processing of the same HID item, an invalid memory location may be used for subsequent HID item processing.
An attacker with physical access to a USB port may be able to use a specially crafted USB device to gain kernel or user-space code execution.
The FreeRDP changelog reports 14 CVEs addressed after 2.0.0-rc4
Chrome Releases reports:
This update includes 5 security fixes. Below, we highlight fixes that were contributed by external researchers.
- [1082105] High CVE-2020-6493: Use after free in WebAuthentication. Reported by Anonymous on 2020-05-13
- [1083972] High CVE-2020-6494: Incorrect security UI in payments. Reported by Juho Nurminen on 2020-05-18
- [1072116] High CVE-2020-6495: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-04-18
- [1085990] High CVE-2020-6496: Use after free in payments. Reported by Khalil Zhani on 2020-05-24
Gitlab reports:
CI Token Access Control
Django security release reports:
CVE-2020-13254: Potential data leakage via malformed memcached keys
In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.
CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget
Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.
git security advisory reports:
Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server for an HTTP request being made to another server, resulting in credentials for the former being sent to the latter.
git security advisory reports:
Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching any URL, and will return some unspecified stored password, leaking the password to an attacker's server.
The GnuTLS project reports:
It was found that GnuTLS 3.6.4 introduced a regression in the TLS protocol implementation. This caused the TLS server to not securely construct a session ticket encryption key considering the application supplied secret, allowing a MitM attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2.
Changelog:
Remove a ReDoS vulnerability in the header parser (CVE-2020-7663)
nghttp2 security advisories:
The overly large HTTP/2 SETTINGS frame payload causes denial of service.
The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.
The Gitea Team reports for release 1.11.6:
- Fix missing authorization check on pull for public repos of private/limited org (#11656) (#11683)
- Use session for retrieving org teams (#11438) (#11439)
Kaminari Security Advisories:
There was a vulnerability in versions of Kaminari that would allow an attacker to inject arbitrary code into pages with pagination links.
The 1.2.1 gem including the patch has already been released.
All past released versions are affected by this vulnerability.
The Sane Project reports:
epson2: fixes CVE-2020-12867 (GHSL-2020-075) and several memory management issues found while addressing that CVE
epsonds: addresses out-of-bound memory access issues to fix CVE-2020-12862 (GHSL-2020-082) and CVE-2020-12863 (GHSL-2020-083), addresses a buffer overflow fixing CVE-2020-12865 (GHSL-2020-084) and disables network autodiscovery to mitigate CVE-2020-12866 (GHSL-2020-079), CVE-2020-12861 (GHSL-2020-080) and CVE-2020-12864 (GHSL-2020-081). Note that this backend does not support network scanners to begin with.
magicolor: fixes a floating point exception and uninitialized data read
fixes an overflow in sanei_tcp_read()
Gitlab reports:
User Email Verification Bypass
OAuth Flow Missing Email Verification Checks
Notification Email Verification Bypass
Undisclosed Vulnerability on a Third-Party Rendering Engine
Group Sign-Up Restriction Bypass
Mirror Project Owner Impersonation
Missing Permission Check on Fork Relation Creation
Cross-Site Scripting in Repository Files API
Kubernetes Cluster Token Disclosure
Object Storage File Enumeration
Insecure Authorization Check on Project Deploy Keys
Cross-Site Scripting on Metrics Dashboard
Denial of Service on Custom Dashboards
Client-Side Code Injection through Mermaid Markup
Cross-Site Scripting on Static Site Editor
Disclosure of Amazon EKS Credentials
Denial of Service on Workhorse
Javier Moreno discovered a vulnerability in Sympa web interface that can cause denial of service (DoS) attack.
By submitting requests with malformed parameters, this flaw allows to create junk files in Sympa's directory for temporary files. And particularly by tampering token to prevent CSRF, it allows to originate exessive notification messages to listmasters.
A vulnerability has been discovered in Sympa web interface by which attacker can execute arbitrary code with root privileges. Sympa uses two sorts of setuid wrappers:
The FastCGI wrappers wwsympa-wrapper.fcgi and sympa_soap_server-wrapper.fcgi were used to make the web interface running under privileges of a dedicated user.
The newaliases wrapper (sympa_newaliases-wrapper) allows Sympa to update the alias database with root privileges.
Since these setuid wrappers did not clear environment variables, if environment variables like PERL5LIB were injected, forged code might be loaded and executed under privileges of setuid-ed users.
PowerDNS Team reports:
CVE-2020-10995: An issue in the DNS protocol has been found that allow malicious parties to use recursive DNS services to attack third party authoritative name servers. The attack uses a crafted reply by an authoritative name server to amplify the resulting traffic between the recursive and other authoritative name servers. Both types of service can suffer degraded performance as an effect.
CVE-2020-12244: An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer. This would allow an attacker in position of man-in-the-middle to send a NXDOMAIN answer for a name that does exist, bypassing DNSSEC validation.
CVE-2020-10030: An issue has been found in PowerDNS Authoritative Server allowing an attacker with enough privileges to change the system's hostname to cause disclosure of uninitialized memory content via a stack-based out-of-bounds read. It only occurs on systems where gethostname() does not null-terminate the returned string if the hostname is larger than the supplied buffer. Linux systems are not affected because the buffer is always large enough. OpenBSD systems are not affected because the returned hostname is always null-terminated. Under some conditions this issue can lead to the writing of one null-byte out-of-bounds on the stack, causing a denial of service or possibly arbitrary code execution.
Google Chrome Releases reports:
This release includes 38 security fixes, including CVEs CVE-2020-6465 through CVE-2020-6491.
Piwigo reports:
Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.
The Apache Software Foundation reports:
Under certain circumstances an attacker will be able to trigger remote code execution via deserialization of the file under their control
NLNetLabs reports:
This release fixes CVE-2020-12662 and CVE-2020-12663.
Bug Fixes:
- CVE-2020-12662 Unbound can be tricked into amplifying an incoming query into a large number of queries directed to a target.
- CVE-2020-12663 Malformed answers from upstream name servers can be used to make Unbound unresponsive.
Drupal Security Team reports:
The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are: ... Security issues in jQuerys DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub.
Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function.
Zabbix reports:
Fixed security vulnerability cve-2020-11800 (remote code execution). (ZBX-17600)
Ruby on Rails blog:
Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.
Both releases contain the following fixes:
CVE-2020-8162: Circumvention of file size limits in ActiveStorage
CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack
CVE-2020-8165: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
CVE-2020-8166: Ability to forge per-form CSRF tokens given a global CSRF token
CVE-2020-8167: CSRF Vulnerability in rails-ujs
Aki Tuomi reports:
Vulnerability Details: Sending malformed NOOP command causes crash in submission, submission-login or lmtp service. Risk: Remote attacker can keep submission-login service down, causing denial of service attack. For lmtp the risk is neglible, as lmtp is usually behind a trusted MTA. Steps to reproduce: Send ``NOOP EE"FY`` to submission port, or similarly malformed command.
Vulnerability Details: Sending command followed by sufficient number of newlines triggers a use-after-free bug that might crash submission-login, submission or lmtp service. Risk: Remote attacker can keep submission-login service down, causing denial of service attack. For lmtp the risk is neglible, as lmtp is usually behind a trusted MTA. Steps to reproduce: This can be currently reproduced with ASAN or Valgrind. Reliable way to crash has not yet been discovered.
Vulnerability Details: Sending mail with empty quoted localpart causes submission or lmtp component to crash. Risk: Malicious actor can cause denial of service to mail delivery by repeatedly sending mails with bad sender or recipient address. Steps to reproduce: Send mail with envelope sender or recipient as <""@example.org>. Workaround: For submission there is no workaround, but triggering the bug requires valid credentials. For lmtp, one can implement sufficient filtering on MTA level to prevent mails with such addresses from ending up in LMTP delivery.
Micah Snyder reports:
CVE-2020-3327: Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.2 that could cause a denial-of-service condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash. Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ parsing vulnerability.
CVE-2020-3341: Fixed a vulnerability in the PDF-parsing module in ClamAV 0.101 - 0.102.2 that could cause a denial-of-service condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read, which may cause a crash. OSS-Fuzz discovered this vulnerability.
Ruby on Rails blog:
Due to an unfortunate oversight, Rails 4.2.11.2 has a missing constant error. To address this Rails 4.2.11.3 has been released.
The original announcement for CVE-2020-8163 has a follow-up message with an updated patch if you’re unable to use the gems.
F-Secure reports:
CVE-2020-11651 - Authentication bypass vulnerabilities
The ClearFuncs class processes unauthenticated requests and unintentionally exposes the _send_pub() method, which can be used to queue messages directly on the master publish server. Such messages can be used to trigger minions to run arbitrary commands as root.
The ClearFuncs class also exposes the method _prep_auth_info(), which returns the "root key" used to authenticate commands from the local root user on the master server. This "root key" can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master.
CVE-2020-11652 - Directory traversal vulnerabilities
The wheel module contains commands used to read and write files under specific directory paths. The inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction.
The get_token() method of the salt.tokens.localfs class (which is exposed to unauthenticated requests by the ClearFuncs class) fails to sanitize the token input parameter which is then used as a filename, allowing insertion of ".." path elements and thus reading of files outside of the intended directory. The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().
Tobias Stöckmann reports:
I have discovered a way to trigger an out of boundary write while parsing a huge json file through a malicious input source. It can be triggered if an attacker has control over the input stream or if a huge load during filesystem operations can be triggered.
Typo3 News:
CVE-2020-11063: TYPO3-CORE-SA-2020-001: Information Disclosure in Password Reset
It has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to verify whether a backend user account with a given email address exists or not.
CVE-2020-11064: TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine
It has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability.
CVE-2020-11065: TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling
It has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting - properties being assigned as HTML attributes have not been parsed correctly.
CVE-2020-11066: TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized
Calling unserialize() on malicious user-submitted content can result in the following scenarios:
- trigger deletion of arbitrary directory in file system (if writable for web server)
- trigger message submission via email using identity of web site (mail relay)
Another insecure deserialization vulnerability is required to actually exploit mentioned aspects.
CVE-2020-11067: TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend User Settings
It has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of 3rd party components this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability.
CVE-2020-11069: TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface
It has been discovered that the backend user interface and install tool are vulnerable to same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server - scripts are then executed with the privileges of the victims’ user session.
In a worst case scenario new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on the same target host - thus, it’ actually a same-site request forgery (SSRF).
Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a 3rd party extension - e.g. file upload in a contact form with knowing the target location.
The attacked victim requires an active and valid backend or install tool user session at the time of the attack to be successful.
Requests to create cryptography sessions using a MAC did not validate the user-supplied MAC key length. The cryptodev module allocates a buffer whose size is this user-suppled length.
An unprivileged process can trigger a kernel panic.
A race condition permitted a data structure in the kernel to be used after it was freed by the cryptodev module.
An unprivileged process can overwrite arbitrary kernel memory.
The SCTP layer does improper checking when an application tries to update a shared key. Therefore an unprivileged local user can trigger a use-after- free situation, for example by specific sequences of updating shared keys and closing the SCTP association.
Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic.
The FTP packet handler in libalias incorrectly calculates some packet lengths. This may result in disclosing small amounts of memory from the kernel (for the in-kernel NAT implementation) or from the process space for natd (for the userspace implementation).
A malicious attacker could send specially constructed packets that exploit the erroneous calculation allowing the attacker to disclose small amount of memory either from the kernel (for the in-kernel NAT implementation) or from the process space for natd (for the userspace implementation).
libalias(3) packet handlers do not properly validate the packet length before accessing the protocol headers. As a result, if a libalias(3) module does not properly validate the packet length before accessing the protocol header, it is possible for an out of bound read or write condition to occur.
A malicious attacker could send specially constructed packets that exploit the lack of validation allowing the attacker to read or write memory either from the kernel (for the in-kernel NAT implementation) or from the process space for natd (for the userspace implementation).
Qutebrowser developers report:
After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false which is not recommended), this could still provide a false sense of security.
Python reports:
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header.
MITRE Corporation reports:
inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture.
Jon Siwek of Corelight reports:
This release fixes the following security issues:
- Fix buffer over-read in Ident analyzer
- Fix SSL scripting error leading to uninitialized field access and memory leak
- Fix POP3 analyzer global buffer over-read
- Fix potential stack overflows due to use of Variable-Length-Arrays
Wagtail release notes:
CVE-2020-11037: Potential timing attack on password-protected private pages
This release addresses a potential timing attack on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. (This is understood to be feasible on a local network, but not on the public internet.)
Mark Sapiro reports:
A content injection vulnerability via the options login page has been discovered and reported by Vishal Singh.
An issue similar to CVE-2018-13796 exists at different endpoint & param. It can lead to a phishing attack.
(added 2020-05-07) This is essentially the same as https://bugs.launchpad.net/mailman/+bug/1873722 except the vector is the private archive login page and the attack only succeeds if the list's roster visibility (private_roster) setting is 'Anyone'.
Cacti developer reports:
Lack of escaping of color items can lead to XSS exposure.
The Squid developers reports:
Improper Input Validation issues in HTTP Request processing (CVE-2020-8449, CVE-2020-8450).
Information Disclosure issue in FTP Gateway (CVE-2019-12528).
Buffer Overflow issue in ext_lm_group_acl helper (CVE-2020-8517).
Webin security lab - dbapp security Ltd reports:
The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file.
Gitlab reports:
Path Traversal in NuGet Package Registry
Workhorse Bypass Leads to File Disclosure
OAuth Application Client Secrets Revealed
Code Owners Approval Rules Are Not Updated for Existing Merge Requests When Source Branch Changes
Code Owners Protection Not Enforced from Web UI
Repository Mirror Passwords Exposed To Maintainers
Admin Audit Log Page Denial of Service
Private Project ID Revealed Through Group API
Elasticsearch Credentials Logged to ELK
GitHub Personal Access Token Exposed on Integrations Page
Update Nokogiri dependency
Update OpenSSL Dependency
Update git
VideoLAN reports:
Details
A remote user could:
- Create a specifically crafted image file that could trigger an out of bounds read
- Send a specifically crafter request to the microdns service discovery, potentially triggering various memory management issues
Impact
If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user.
While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user informations or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed.
We have not seen exploits performing code execution through these vulnerabilities
CVE-2019-19721 affects VLC 3.0.8 and earlier, and only reads 1 byte out of bound
The Samba Team reports:
CVE-2020-10700
A client combining the 'ASQ' and 'Paged Results' LDAP controls can cause a use-after-free in Samba's AD DC LDAP server.
CVE-2020-10704
A deeply nested filter in an un-authenticated LDAP search can exhaust the LDAP server's stack memory causing a SIGSEGV.
RedHat reports:
ceph: secure mode of msgr2 breaks both confidentiality and integrity aspects for long-lived sessions.
ceph: header-splitting in RGW GetObject has a possible XSS.
Howard Chu reports:
nested filters leads to stack overflow
Riccardo Schirone (https://github.com/ret2libc) reports:
In FullLoader python/object/new constructor, implemented by construct_python_object_apply, has support for setting the state of a deserialized instance through the set_python_instance_state method. After setting the state, some operations are performed on the instance to complete its initialization, however it is possible for an attacker to set the instance' state in such a way that arbitrary code is executed by the FullLoader.
This patch tries to block such attacks in FullLoader by preventing set_python_instance_state from setting arbitrar properties. It implements a blacklist that includes extend method (called by construct_python_object_apply) and all special methods (e.g. __set__, __setitem__, etc.).
Users who need special attributes being set in the state of a deserialized object can still do it through the UnsafeLoader, which however should not be used on untrusted input. Additionally, they can subclass FullLoader and redefine state_blacklist_regexp to include the additional attributes they need, passing the subclassed loader to yaml.load.
Bleach developers reports:
bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS).
Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
Oracle reports:
This Critical Patch Update contains 45 new security patches for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
MariaDB reports 4 of these vulnerabilities exist in their software
Oracle reports:
This Critical Patch Update contains 45 new security patches for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
Nextcloud reports:
XSS in Files PDF viewer (NC-SA-2020-019)
Missing ownership check on remote wipe endpoint (NC-SA-2020-018)
Ben Caller and Matt Schwager reports:
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
Wagtail release notes:
CVE-2020-11001: Possible XSS attack via page revision comparison view
This release addresses a cross-site scripting (XSS) vulnerability on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
NVD reports:
Libntlm through 1.5 relies on a fixed buffer size for tSmbNtlmAuthRequest, tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse read and write operations, as demonstrated by a stack-based buffer over-read in buildSmbNtlmAuthRequest in smbutil.c for a crafted NTLM request.
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognized signature algorithm is received from the peer.
A malicious peer could exploit the NULL pointer dereference crash, causing a denial of service attack.
Incomplete packet data validation may result in accessing out-of-bounds memory (CVE-2019-5614) or may access memory after it has been freed (CVE-2019-15874).
Access to out of bounds or freed mbuf data can lead to a kernel panic or other unpredictable results.
Twisted developers reports:
All HTTP clients in twisted.web.client now raise a ValueError when called with a method and/or URL that contain invalid characters. This mitigates CVE-2019-12387. Thanks to Alex Brasetvik for reporting this vulnerability.
The HTTP/2 server implementation now enforces TCP flow control on control frame messages and times out clients that send invalid data without reading responses. This closes CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood). Thanks to Jonathan Looney and Piotr Sikora.
twisted.web.http was subject to several request smuggling attacks. Requests with multiple Content-Length headers were allowed (CVE-2020-10108, thanks to Jake Miller from Bishop Fox and ZeddYu Lu for reporting this) and now fail with a 400; requests with a Content-Length header and a Transfer-Encoding header honored the first header (CVE-2020-10109, thanks to Jake Miller from Bishop Fox for reporting this) and now fail with a 400; requests whose Transfer-Encoding header had a value other than "chunked" and "identity" (thanks to ZeddYu Lu) were allowed and now fail with a 400.
The libssh team reports (originally reported by Yasheng Yang from Google):
A malicious client or server could crash the counterpart implemented with libssh AES-CTR ciphers are used and don't get fully initialized. It will crash when it tries to cleanup the AES-CTR ciphers when closing the connection.
The WebKitGTK project reports the following vulnerability.
Processing maliciously crafted web content may lead to arbitrary code execution or application crash (denial of service). Description: A memory corruption issue (use-after-free) was addressed with improved memory handling.
Drupal Security Team reports:
The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations.
Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can createor edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access.
The latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities.
Borja Tarraso reports:
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
Borja Tarraso reports:
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.
Borja Tarraso reports:
A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal. This issue is fixed in 2.10.
Google Chrome Releases reports:
[1067851] Critical CVE-2020-6457: Use after free in speech recognizer. Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on 2020-04-04
Lev Stipakov and Gert Doering report:
There is a time frame between allocating peer-id and initializing data channel key (which is performed on receiving push request or on async push-reply) in which the existing peer-id float checks do not work right.
If a "rogue" data channel packet arrives during that time frame from another address and with same peer-id, this would cause client to float to that new address.
The net effect of this behaviour is that the VPN session for the "victim client" is broken. Since the "attacker client" does not have suitable keys, it can not inject or steal VPN traffic from the other session. The time window is small and it can not be used to attack a specific client's session, unless some other way is found to make it disconnect and reconnect first.
Manuel Pégourié-Gonnard reports:
An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can fully recover an ECDSA private key after observing a number of signature operations.
Gitlab reports:
NuGet Package and File Disclosure through GitLab Workhorse
Job Artifact Uploads and File Disclosure through GitLab Workhorse
Incorrect membership following group removal
Logging of Praefect tokens
Update Rack dependency
Update OpenSSL dependency
Jon Siwek of Corelight reports:
This release fixes the following security issue:
- An attacker can crash Zeek remotely via crafted packet sequence.
Google Chrome Releases reports:
This updates includes 32 security fixes, including:
- [1019161] High CVE-2020-6454: Use after free in extensions. Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on 2019-10-29
- [1043446] High CVE-2020-6423: Use after free in audio. Reported by Anonymous on 2020-01-18
- [1059669] High CVE-2020-6455: Out of bounds read in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of Alpha Lab, Qihoo 360 on 2020-03-09
- [1031479] Medium CVE-2020-6430: Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2019-12-06
- [1040755] Medium CVE-2020-6456: Insufficient validation of untrusted input in clipboard. Reported by Michał Bentkowski of Securitum on 2020-01-10
- [852645] Medium CVE-2020-6431: Insufficient policy enforcement in full screen. Reported by Luan Herrera (@lbherrera_) on 2018-06-14
- [965611] Medium CVE-2020-6432: Insufficient policy enforcement in navigations. Reported by David Erceg on 2019-05-21
- [1043965] Medium CVE-2020-6433: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-01-21
- [1048555] Medium CVE-2020-6434: Use after free in devtools. Reported by HyungSeok Han (DaramG) of Theori on 2020-02-04
- [1032158] Medium CVE-2020-6435: Insufficient policy enforcement in extensions. Reported by Sergei Glazunov of Google Project Zero on 2019-12-09
- [1034519] Medium CVE-2020-6436: Use after free in window management. Reported by Igor Bukanov from Vivaldi on 2019-12-16
- [639173] Low CVE-2020-6437: Inappropriate implementation in WebView. Reported by Jann Horn on 2016-08-19
- [714617] Low CVE-2020-6438: Insufficient policy enforcement in extensions. Reported by Ng Yik Phang on 2017-04-24
- [868145] Low CVE-2020-6439: Insufficient policy enforcement in navigations. Reported by remkoboonstra on 2018-07-26
- [894477] Low CVE-2020-6440: Inappropriate implementation in extensions. Reported by David Erceg on 2018-10-11
- [959571] Low CVE-2020-6441: Insufficient policy enforcement in omnibox. Reported by David Erceg on 2019-05-04
- [1013906] Low CVE-2020-6442: Inappropriate implementation in cache. Reported by B@rMey on 2019-10-12
- [1040080] Low CVE-2020-6443: Insufficient data validation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-01-08
- [922882] Low CVE-2020-6444: Uninitialized Use in WebRTC. Reported by mlfbrown on 2019-01-17
- [933171] Low CVE-2020-6445: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
- [933172] Low CVE-2020-6446: Insufficient policy enforcement in trusted types. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-18
- [991217] Low CVE-2020-6447: Inappropriate implementation in developer tools. Reported by David Erceg on 2019-08-06
- [1037872] Low CVE-2020-6448: Use after free in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2019-12-26
Google Chrome Releases reports:
This update contains 8 security fixes.
- [1062247] High CVE-2020-6450: Use after free in WebAudio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-17
- [1061018] High CVE-2020-6451: Use after free in WebAudio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-12
- [1059764] High CVE-2020-6452: Heap buffer overflow in media Reported by asnine on 2020-03-09
- [1066247] Various fixes from internal audits, fuzzing and other initiatives.
The HAproxy Project reports:
The main driver for this release is that it contains a fix for a serious vulnerability that was responsibly reported last week by Felix Wilhelm from Google Project Zero, affecting the HPACK decoder used for HTTP/2. CVE-2020-11100 was assigned to this issue.
Apache Team reports:
SECURITY: CVE-2020-1934
mod_proxy_ftp: Use of uninitialized value with malicious backend FTP server.
SECURITY: CVE-2020-1927
rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break characters. The fix for CVE-2019-10098 was not effective.
The Cacti developers reports:
When guest users have access to realtime graphs, remote code could be executed (CVE-2020-8813).
Lack of escaping on some pages can lead to XSS exposure (CVE-2020-7106).
Remote Code Execution due to input validation failure in Performance Boost Debug Log (CVE-2020-7237).
The GnuTLS project reports:
It was found that GnuTLS 3.6.3 introduced a regression in the DTLS protocol implementation. This caused the DTLS client to not contribute any randomness to the DTLS negotiation breaking the security guarantees of the DTLS protocol.
The PostgreSQL project reports:
Versions Affected: 9.6 - 12
The ALTER ... DEPENDS ON EXTENSION sub-commands do not perform authorization checks, which can allow an unprivileged user to drop any function, procedure, materialized view, index, or trigger under certain conditions. This attack is possible if an administrator has installed an extension and an unprivileged user can CREATE, or an extension owner either executes DROP EXTENSION predictably or can be convinced to execute DROP EXTENSION.
Mediawiki reports:
Security fixes: T246602:jquery.makeCollapsible allows applying event handler to any CSS selector.
Gitlab reports:
Arbitrary File Read when Moving an Issue
Path Traversal in NPM Package Registry
SSRF on Project Import
External Users Can Create Personal Snippet
Triggers Decription Can be Updated by Other Maintainers in Project
Information Disclosure on Confidential Issues Moved to Private Programs
Potential DoS in Repository Archive Download
Blocked Users Can Still Pull/Push Docker Images
Repository Mirroring not Disabled when Feature not Activated
Vulnerability Feedback Page Was Leaking Information on Vulnerabilities
Stored XSS Vulnerability in Admin Feature
Upload Feature Allowed a User to Read Unauthorized Exported Files
Unauthorized Users Are Able to See CI Metrics
Last Pipeline Status of a Merge Request Leaked
Blind SSRF on FogBugz
Update Nokogiri dependency
When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.
This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parse(user_input), but didn’t address some other styles of JSON parsing including JSON(user_input) and JSON.parse(user_input, nil).
See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary bjects may cause severe security consequences depending upon the application code.
Please update the json gem to version 2.3.0 or later. You can use gem update json to update it. If you are using bundler, please add gem "json", ">= 2.3.0" to your Gemfile.
Jenkins Security Advisory:
Description
(High) SECURITY-1774 / CVE-2020-2160
CSRF protection for any URL could be bypassed
(Medium) SECURITY-1781 / CVE-2020-2161
Stored XSS vulnerability in label expression validation
(Medium) SECURITY-1793 / CVE-2020-2162
Stored XSS vulnerability in file parameters
(Medium) SECURITY-1796 / CVE-2020-2163
Stored XSS vulnerability in list view column headers
phpMyAdmin Team reports:
PMASA-2020-2 SQL injection vulnerability in the user accounts page, particularly when changing a password
PMASA-2020-3 SQL injection vulnerability relating to the search feature
PMASA-2020-4 SQL injection and XSS having to do with displaying results
Removing of the "options" field for the external transformation
Puppetlabs reports:
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network.
PE 2018.1.13 & 2019.4.0, Puppet Server 6.9.1 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default.
Puppetlabs reports:
Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master.
Puppet 6.13.0 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior.
A missing NUL-termination check for the jail_set(2) configration option "osrelease" may return more bytes when reading the jail configuration back with jail_get(2) than were originally set.
For jails with a non-default setting of children.max > 0 ("nested jails") a superuser inside a jail can create a jail and may be able to read and take advantage of exposed kernel memory.
Incorrect use of a potentially user-controlled pointer in the kernel allowed vnet jailed users to panic the system and potentially execute aribitrary code in the kernel.
Users with root level access (or the PRIV_NET_IFCREATE privilege) can panic the system, or potentially escape the jail or execute arbitrary code with kernel priviliges.
The driver-specific ioctl(2) command handlers in ixl(4) failed to check whether the caller has sufficient privileges to perform the corresponding operation.
The ixl(4) handler permits unprivileged users to trigger updates to the device's non-volatile memory (NVM).
The driver-specific ioctl(2) command handlers in oce(4) failed to check whether the caller has sufficient privileges to perform the corresponding operation.
The oce(4) handler permits unprivileged users to send passthrough commands to device firmware.
When a TCP server transmits or retransmits a TCP SYN-ACK segment over IPv6, the Traffic Class field is not initialized. This also applies to challenge ACK segments, which are sent in response to received RST segments during the TCP connection setup phase.
For each TCP SYN-ACK (or challenge TCP-ACK) segment sent over IPv6, one byte of kernel memory is transmitted over the network.
* ``bleach.clean`` behavior parsing embedded MathML and SVG content with RCDATA tags did not match browser behavior and could result in a mutation XSS.
Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or ``svg`` tags and one or more of the RCDATA tags ``script``, ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or ``xmp`` in the allowed tags whitelist were vulnerable to a mutation XSS.
* ``bleach.clean`` behavior parsing ``noscript`` tags did not match browser behavior.
Calls to ``bleach.clean`` allowing ``noscript`` and one or more of the raw text tags (``title``, ``textarea``, ``script``, ``style``, ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable to a mutation XSS.
Jon Siwek of Corelight reports:
This release addresses the following security issues:
- Potential Denial of Service due to memory leak in DNS TSIG message parsing.
- Potential Denial of Service due to memory leak (or assertion when compiling with assertions enabled) when receiving a second SSH KEX message after a first.
- Potential Denial of Service due to buffer read overflow and/or memory leaks in Kerberos analyzer. The buffer read overflow could occur when the Kerberos message indicates it contains an IPv6 address, but does not send enough data to parse out a full IPv6 address. A memory leak could occur when processing KRB_KDC_REQ KRB_KDC_REP messages for message types that do not match a known/expected type.
- Potential Denial of Service when sending many zero-length SSL/TLS certificate data. Such messages underwent the full Zeek file analysis treatment which is expensive (and meaninguless here) compared to how cheaply one can "create" or otherwise indicate many zero-length contained in an SSL message.
- Potential Denial of Service due to buffer read overflow in SMB transaction data string handling. The length of strings being parsed from SMB messages was trusted to be whatever the message claimed instead of the actual length of data found in the message.
- Potential Denial of Service due to null pointer dereference in FTP ADAT Base64 decoding.
- Potential Denial of Service due buffer read overflow in FTP analyzer word/whitespace handling. This typically won't be a problem in most default deployments of Zeek since the FTP analyzer receives data from a ContentLine (NVT) support analyzer which first null-terminates the buffer used for further FTP parsing.
Albert Astals Cid:
Okular can be tricked into executing local binaries via specially crafted PDF files.
This binary execution can require almost no user interaction.
No parameters can be passed to those local binaries.
We have not been able to identify any binary that will cause actual damage, be it in the hardware or software level, when run without parameters.
We remain relatively confident that for this issue to do any actual damage, it has to run a binary specially crafted. That binary must have been deployed to the user system via another method, be it the user downloading it directly as an email attachment, webpage download, etc. or by the system being already compromised.
Gitlab reports:
Email Confirmation not Required on Sign-up
MITRE CVE reports:
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
Matrix developers report:
[The 1.11.1] release includes a security fix impacting installations using Single Sign-On (i.e. SAML2 or CAS) for authentication. Administrators of such installations are encouraged to upgrade as soon as possible.
Node.js reports:
Updates are now available for all active Node.js release lines for the following issues.
HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)
Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system.
HTTP header values do not have trailing OWS trimmed (High) (CVE-2019-15606)
Optional whitespace should be trimmed from HTTP header values. Its presence may allow attackers to bypass security checks based on HTTP header values.
Remotely trigger an assertion on a TLS server with a malformed certificate string (High) (CVE-2019-15604)
Connecting to a NodeJS TLS server with a client certificate that has a type 19 string in its subjectAltName will crash the TLS server if it tries to read the peer certificate.
Strict HTTP header parsing (None)
Increase the strictness of HTTP header parsing. There are no known vulnerabilities addressed, but lax HTTP parsing has historically been a source of problems. Some commonly used sites are known to generate invalid HTTP headers, a --insecure-http-parser CLI option or insecureHTTPParser http option can be used if necessary for interoperability, but is not recommended.
The Gitea Team reports for release 1.11.0:
- Never allow an empty password to validate (#9682) (#9683)
- Prevent redirect to Host (#9678) (#9679)
- Swagger hide search field (#9554)
- Add "search" to reserved usernames (#9063)
- Switch to fomantic-ui (#9374)
- Only serve attachments when linked to issue/release and if accessible by user (#9340)
The Gitea Team reports for release 1.11.2:
- Ensure only own addresses are updated (#10397) (#10399)
- Logout POST action (#10582) (#10585)
- Org action fixes and form cleanup (#10512) (#10514)
- Change action GETs to POST (#10462) (#10464)
- Fix admin notices (#10480) (#10483)
- Change admin dashboard to POST (#10465) (#10466)
- Update markbates/goth (#10444) (#10445)
- Update crypto vendors (#10385) (#10398)
SaltStack reports:
With the Salt NetAPI enabled in addition to having a SSH roster defined, unauthenticated access is possible when specifying the client as SSH.
Additionally, when the raw_shell option is specified any arbitrary command may be run on the Salt master when specifying SSH options.
Gitlab reports:
Directory Traversal to Arbitrary File Read
Account Takeover Through Expired Link
Server Side Request Forgery Through Deprecated Service
Group Two-Factor Authentication Requirement Bypass
Stored XSS in Merge Request Pages
Stored XSS in Merge Request Submission Form
Stored XSS in File View
Stored XSS in Grafana Integration
Contribution Analytics Exposed to Non-members
Incorrect Access Control in Docker Registry via Deploy Tokens
Denial of Service via Permission Checks
Denial of Service in Design For Public Issue
Incorrect Access Control via LFS Import
Unescaped HTML in Header
Private Merge Request Titles Leaked via Widget
Project Namespace Exposed via Vulnerability Feedback Endpoint
Denial of Service Through Recursive Requests
Project Authorization Not Being Updated
Incorrect Permission Level For Group Invites
Disclosure of Private Group Epic Information
User IP Address Exposed via Badge images
nwtime.org reports:
Three ntp vulnerabilities, Depending on configuration, may have little impact up to termination of the ntpd process.
NTP Bug 3610: Process_control() should exit earlier on short packets. On systems that override the default and enable ntpdc (mode 7) fuzz testing detected that a short packet will cause ntpd to read uninitialized data.
NTP Bug 3596: An unauthenticated unmonitored ntpd is vulnerable to attack on IPv4 with highly predictable transmit timestamps. An off-path attacker who can query time from the victim's ntp which receives time from an unauthenticated time source must be able to send from a spoofed IPv4 address of upstream ntp server and and the victim must be able to process a large number of packets with the spoofed IPv4 address of the upstream server. After eight or more successful attacks in a row the attacker can either modify the victim's clock by a small amount or cause ntpd to terminate. The attack is especially effective when unusually short poll intervals have been configured.
NTP Bug 3592: The fix for https://bugs.ntp.org/3445 introduced a bug such that a ntp can be prevented from initiating a time volley to its peer resulting in a DoS.
All three NTP bugs may result in DoS or terimation of the ntp daemon.
Librsvg2 developers reports:
Backport the following fixes from 2.46.x:
Librsvg now has limits on the number of loaded XML elements, and the number of referenced elements within an SVG document. This is to mitigate malicious SVGs which try to consume all memory, and those which try to consume an exponential amount of CPU time.
Fix stack exhaustion with circular references in <use> elements.
Fix a denial-of-service condition from exponential explosion of rendered elements, through nested use of SVG <use> elements in malicious SVGs. This is similar to the XML "billion laughs attack" but for SVG instancing.
qflb.wu of DBAPPSecurity reports:
Ihe insert_note_steps function in readmidi.c in TiMidity++ 2.14.0 can cause a denial of service(divide-by-zero error and application crash) via a crafted mid file.
The resample_gauss function in resample.c in TiMidity++ 2.14.0 can cause a denial of service(heap-buffer-overflow) via a crafted mid file.
The play_midi function in playmidi.c in TiMidity++ 2.14.0 can cause a denial of service(large loop and CPU consumption) via a crafted mid file.
Community reports:
8.1.1 and 8.2.0 users check ENABLE_REMOTE_JMX_OPTS setting
Apache Solr RCE vulnerability due to bad config default
Apache Solr RCE through VelocityResponseWriter
OpenSMTPD developers reports:
An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
An unprivileged local attacker can read the first line of an arbitrary file (for example, root's password hash in /etc/master.passwd) or the entire contents of another user's file (if this file and /var/spool/smtpd/ are on the same filesystem).
Janos Follath reports:
If Mbed TLS is running in an SGX enclave and the adversary has control of the main operating system, they can launch a side channel attack to recover the RSA private key when it is being imported.
The attack only requires access to fine grained measurements to cache usage. Therefore the attack might be applicable to a scenario where Mbed TLS is running in TrustZone secure world and the attacker controls the normal world or possibly when Mbed TLS is part of a hypervisor and the adversary has full control of a guest OS.
Janos Follath reports:
Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it (as it is smaller than RSA keys and not guaranteed to have only large prime factors), and then, by brute force, recover the key.
The WeeChat project reports:
Buffer overflow when receiving a malformed IRC message 324 (channel mode). (CVE-2020-8955)
Buffer overflow when a new IRC message 005 is received with longer nick prefixes.
Crash when receiving a malformed IRC message 352 (WHO).
The WebKitGTK project reports multiple vulnerabilities.
Due to incorrect initialization of a stack data structure, up to 20 bytes of kernel data stored previously stored on the stack will be exposed to a crashing user process.
Sensitive kernel data may be disclosed.
A missing check means that an attacker can reinject an old packet and it will be accepted and processed by the IPsec endpoint.
The impact depends on the higher-level protocols in use over IPsec. For example, an attacker who can capture and inject packets could cause an action that was intentionally performed once to be repeated.
A programming error allows an attacker who can specify a URL with a username and/or password components to overflow libfetch(3) buffers.
An attacker in control of the URL to be fetched (possibly via HTTP redirect) may cause a heap buffer overflow, resulting in program misbehavior or malicious code execution.
Gitlab reports:
Incorrect membership handling of group sharing feature
Aki Tuomi reports:
lib-smtp doesn't handle truncated command parameters properly, resulting in infinite loop taking 100% CPU for the process. This happens for LMTP (where it doesn't matter so much) and also for submission-login where unauthenticated users can trigger it.
Aki also reports:
Snippet generation crashes if: message is large enough that message-parser returns multiple body blocks The first block(s) don't contain the full snippet (e.g. full of whitespace) input ends with '>'
Reno Robert reports:
FreeBSD uses a two-process model for running a VM. For booting non-FreeBSD guests, a modified grub-emu is used (grub-bhyve). Grub-bhyve executes command from guest grub.cfg file. This is a security problem because grub was never written to handle inputs from OS as untrusted. In the current design, grub and guest OS works across trust boundaries. This exposes a grub to untrusted inputs from guest.
grub-bhyve (emu) is built without SDL graphics support which reduces lot of gfx attack surface, however font loading code is still accessible. Guest can provide arbitrary font file, which is parsed by grub-bhyve running as root.
In grub-core/font/font.c,
read_section_as_string()allocatessection->length + 1bytes of memory. However, untrustedsection->lengthis an unsigned 32-bit number, and the result can overflow tomalloc(0). This can result in a controlled buffer overflow via the 'loadfont' command in a guest VM grub2.cfg, eventually leading to privilege escalation from guest to host.
Reno Robert also reports:
GRUB supports commands to read and write addresses of choice. In grub-bhyve, these commands provide a way to write to arbitrary virtual addresses within the grub-bhyve process. This is another way for a guest grub2.cfg, run by the host, to eventually escalate privileges.
These vulnerabilities are mitigated by disabling the 'loadfont', 'write_dword', 'read_dword', 'inl', 'outl', and other width variants of the same functionality in grub2-bhyve.
There is also work in progress to sandbox the grub-bhyve utility such that an escaped guest ends up with nobody:nobody in a Capsium sandbox. It is not included in 0.40_8.
Mitre reports:
In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation.
Adobe reports:
- This update resolves a type confusion vulnerability that could lead to arbitrary code execution (CVE-2020-3757).
NGINX Team reports:
NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
Upstream ksh93 maintainer Siteshwar Vashisht reports:
A flaw was found in the way ksh evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.
Micah Snyder reports:
A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature. Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.
MITRE CVE reports:
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
MariaDB reports:
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.
The libssh team reports:
In an environment where a user is only allowed to copy files and not to execute applications, it would be possible to pass a location which contains commands to be executed in additon.
When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of ssh_scp_new(), it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.
The Apache SpamAssassin project reports:
A nefarious rule configuration (.cf) files can be configured to run system commands. This issue is less stealthy and attempts to exploit the issue will throw warnings.
Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places.
Todd C. Miller reports:
Sudo's pwfeedback option can be used to provide visual feedback when the user is inputting their password. For each key press, an asterisk is printed. This option was added in response to user confusion over how the standard Password: prompt disables the echoing of key presses. While pwfeedback is not enabled by default in the upstream version of sudo, some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.
Due to a bug, when the pwfeedback option is enabled in the sudoers file, a user may be able to trigger a stack-based buffer overflow. This bug can be triggered even by users not listed in the sudoers file. There is no impact unless pwfeedback has been enabled.
Gitlab reports:
Path Traversal to Arbitrary File Read
User Permissions Not Validated in ProjectExportWorker
XSS Vulnerability in File API
Package and File Disclosure through GitLab Workhorse
XSS Vulnerability in Create Groups
Issue and Merge Request Activity Counts Exposed
Email Confirmation Bypass Using AP
Disclosure of Forked Private Project Source Code
Private Project Names Exposed in GraphQL queries
Disclosure of Issues and Merge Requests via Todos
Denial of Service via AsciiDoc
Last Pipeline Status Exposed
Arbitrary Change of Pipeline Status
Grafana Token Displayed in Plaintext
Update excon gem
Update rdoc gem
Update rack-cors gem
Update rubyzip gem
OpenSMTPD developers report:
An incorrect check allows an attacker to trick mbox delivery into executing arbitrary commands as root and lmtp delivery into executing arbitrary commands as an unprivileged user
Jenkins Security Advisory:
Description
(High) SECURITY-1682 / CVE-2020-2099
Inbound TCP Agent Protocol/3 authentication bypass
(Medium) SECURITY-1641 / CVE-2020-2100
Jenkins vulnerable to UDP amplification reflection attack
(Medium) SECURITY-1659 / CVE-2020-2101
Non-constant time comparison of inbound TCP agent connection secret
(Medium) SECURITY-1660 / CVE-2020-2102
Non-constant time HMAC comparison
(Medium) SECURITY-1695 / CVE-2020-2103
Diagnostic page exposed session cookies
(Medium) SECURITY-1650 / CVE-2020-2104
Memory usage graphs accessible to anyone with Overall/Read
(Low) SECURITY-1704 / CVE-2020-2105
Jenkins REST APIs vulnerable to clickjacking
(Medium) SECURITY-1680 / CVE-2020-2106
Stored XSS vulnerability in Code Coverage API Plugin
(Medium) SECURITY-1565 / CVE-2020-2107
Fortify Plugin stored credentials in plain text
(High) SECURITY-1719 / CVE-2020-2108
XXE vulnerability in WebSphere Deployer Plugin
A programming error allows an attacker who can specify a URL with a username and/or password components to overflow libfetch(3) buffers.
The Samba Team reports:
CVE-2019-14902
The implementation of ACL inheritance in the Samba AD DC was not complete, and so absent a 'full-sync' replication, ACLs could get out of sync between domain controllers.
CVE-2019-14907
When processing untrusted string input Samba can read past the end of the allocated buffer when printing a "Conversion error" message to the logs.
CVE-2019-19344
During DNS zone scavenging (of expired dynamic entries) there is a read of memory after it has been freed.
The WebKitGTK project reports multiple vulnerabilities.
Pillow developers report:
This release addresses several security problems, as well as addressing CVE-2019-19911.
CVE-2019-19911 is regarding FPX images. If an image reports that it has a large number of bands, a large amount of resources will be used when trying to process the image. This is fixed by limiting the number of bands to those usable by Pillow.
Buffer overruns were found when processing an SGI, PCX or FLI image. Checks have been added to prevent this.
Overflow checks have been added when calculating the size of a memory block to be reallocated in the processing of a TIFF image.
The Gitea Team reports:
- Hide credentials when submitting migration
- Never allow an empty password to validate
- Prevent redirect to Host
- Hide public repos owned by private orgs
Oracle reports:
This Critical Patch Update contains 17 new security fixes for Oracle MySQL. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
Intel reports:
.A potential security vulnerability in Intel(R) Processor Graphics may allow information disclosure. Intel is releasing software updates to mitigate this potential vulnerability.
Description: Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.
This patch provides mitigation for Gen9 hardware only. Patches for Gen7 and Gen7.5 will be provided later. Note that Gen8 is not impacted due to a previously implemented workaround. The mitigation involves using an existing hardware feature to forcibly clear down all EU state at each context switch.
Art Manion and Will Dormann report:
By using an older and less-secure form of open(), it is possible for untrusted template files to cause reads/writes outside of the template directories. This vulnerability is a component of the recent Citrix exploit.
Gitlab reports:
Private objects exposed through project importi
Lilith of Cisco Talos reports:
A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
Theodore Y. Ts'o reports:
E2fsprogs 1.45.5 [...:] Fix a potential out of bounds write when checking a maliciously corrupted file system. This is probably not exploitable on 64-bit platforms, but may be exploitable on 32-bit binaries depending on how the compiler lays out the stack variables. (Addresses CVE-2019-5188)
The phpMyAdmin development team reports:
A SQL injection flaw has been discovered in the user accounts page
The cacti developers reports:
When viewing graphs, some input variables are not properly checked (SQL injection possible).
Multiple instances of lib/functions.php are affected by unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module.
SO-AND-SO reports:
Group Maintainers Can Update/Delete Group Runners Using API
GraphQL Queries Can Hang the Application
Unauthorized Users Have Access to Milestones of Releases
Private Group Name Revealed Through Protected Tags API
Users Can Publish Reviews on Locked Merge Requests
DoS in the Issue and Commit Comments Pages
Project Name Disclosed Through Unsubscribe Link
Private Project Name Disclosed Through Notification Settings
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6508.
- Security: backported fix for CVE-2023-7024.
The Gitea team reports:
Update golang.org/x/crypto
The Gitea team reports:
Fix missing check
Do some missing checks
By crafting an API request, attackers can access the contents of issues even though the logged-in user does not have access rights to these issues.
Upstream reports:
Security fix:
- Update golang.org/x/crypto, which includes a fix for CVE-2023-48795.
Chrome Releases reports:
This update includes 1 security fix:
- [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC. Reported by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group on 2023-12-19
Simon Tatham reports:
PuTTY version 0.80 [contains] one security fix [...] for a newly discovered security issue known as the 'Terrapin' attack, also numbered CVE-2023-48795. The issue affects widely-used OpenSSH extensions to the SSH protocol: the ChaCha20+Poly1305 cipher system, and 'encrypt-then-MAC' mode.
In order to benefit from the fix, you must be using a fixed version of PuTTY _and_ a server with the fix, so that they can agree to adopt a modified version of the protocol. [...]
Slurm releases notes:
Description
CVE-2023-49933 through CVE-2023-49938
Slurm versions 23.11.1, 23.02.7, 22.05.11 are now available and address a number of recently-discovered security issues. They've been assigned CVE-2023-49933 through CVE-2023-49938.
Nick Vatamane reports:
Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using various design document functions.
Gitlab reports:
Smartcard authentication allows impersonation of arbitrary user using user's public certificate
When subgroup is allowed to merge or push to protected branches, subgroup members with the Developer role may gain the ability to push or merge
The GitLab web interface does not ensure the integrity of information when downloading the source code from installation packages or tags
Project maintainer can escalate to Project owner using project access token rotate API
Omission of Double Encoding in File Names Facilitates the Creation of Repositories with Malicious Content
Unvalidated timeSpent value leads to unable to load issues on Issue board
Developer can bypass predefined variables via REST API
Auditor users can create merge requests on projects they don't have access to
Chrome Releases reports:
This update includes 9 security fixes:
- [1501326] High CVE-2023-6702: Type Confusion in V8. Reported by Zhiyi Zhang and Zhunki from Codesafe Team of Legendsec at Qi'anxin Group on 2023-11-10
- [1502102] High CVE-2023-6703: Use after free in Blink. Reported by Cassidy Kim(@cassidy6564) on 2023-11-14
- [1504792] High CVE-2023-6704: Use after free in libavif. Reported by Fudan University on 2023-11-23
- [1505708] High CVE-2023-6705: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-11-28
- [1500921] High CVE-2023-6706: Use after free in FedCM. Reported by anonymous on 2023-11-09
- [1504036] Medium CVE-2023-6707: Use after free in CSS. Reported by @ginggilBesel on 2023-11-21
In FreeBSD 13.2 and 14.0, the NFS client was optimized to improve the performance of IO_APPEND writes, that is, writes which add data to the end of a file and so extend its size. This uncovered an old bug in some routines which copy userspace data into the kernel. The bug also affects the NFS client's implementation of direct I/O; however, this implementation is disabled by default by the vfs.nfs.nfs_directio_enable sysctl and is only used to handle synchronous writes.
When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy operation had succeeded. This means that the data to be written is instead replaced with whatever data had been in the packet buffer previously. Thus, an unprivileged user with access to an affected system may abuse the bug to trigger disclosure of sensitive information. In particular, the leak is limited to data previously stored in mbufs, which are used for network transmission and reception, and for certain types of inter-process communication.
The bug can also be triggered unintentionally by system applications, in which case the data written by the application to an NFS mount may be corrupted. Corrupted data is written over the network to the NFS server, and thus also susceptible to being snooped by other hosts on the network.
Note that the bug exists only in the NFS client; the version and implementation of the server has no effect on whether a given system is affected by the problem.
The X.Org project reports:
- CVE-2023-6377/ZDI-CAN-22412/ZDI-CAN-22413: X.Org server: Out-of-bounds memory write in XKB button actions
A device has XKB button actions for each button on the device. When a logical device switch happens (e.g. moving from a touchpad to a mouse), the server re-calculates the information available on the respective master device (typically the Virtual Core Pointer). This re-calculation only allocated enough memory for a single XKB action rather instead of enough for the newly active physical device's number of button. As a result, querying or changing the XKB button actions results in out-of-bounds memory reads and writes.
This may lead to local privilege escalation if the server is run as root or remote code execution (e.g. x11 over ssh).
- CVE-2023-6478/ZDI-CAN-22561: X.Org server: Out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With the correct stuff->nUnits value the expected request size was truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->nUnits bytes (depending on stuff->format) from the request and stuffing whatever it finds into the property. In the process it would also allocate at least stuff->nUnits bytes, i.e. 4GB.
Chrome Releases reports:
This update includes 10 security fixes:
- [1497984] High CVE-2023-6508: Use after free in Media Stream. Reported by Cassidy Kim(@cassidy6564) on 2023-10-31
- [1494565] High CVE-2023-6509: Use after free in Side Panel Search. Reported by Khalil Zhani on 2023-10-21
- [1480152] Medium CVE-2023-6510: Use after free in Media Capture. Reported by [pwn2car] on 2023-09-08
- [1478613] Low CVE-2023-6511: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-09-04
- [1457702] Low CVE-2023-6512: Inappropriate implementation in Web Browser UI. Reported by Om Apip on 2023-06-24
security@apache.org reports:
Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped.As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree.Quorum Peer authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue. Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue. See the documentation for more details on correct cluster administration.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6350.
- Security: backported fix for CVE-2023-6351.
As part of its stateful TCP connection tracking implementation, pf performs sequence number validation on inbound packets. This makes it difficult for a would-be attacker to spoof the sender and inject packets into a TCP stream, since crafted packets must contain sequence numbers which match the current connection state to avoid being rejected by the firewall.
A bug in the implementation of sequence number validation means that the sequence number is not in fact validated, allowing an attacker who is able to impersonate the remote host and guess the connection's port numbers to inject packets into the TCP stream.
An attacker can, with relatively little effort, inject packets into a TCP stream destined to a host behind a pf firewall. This could be used to implement a denial-of-service attack for hosts behind the firewall, for example by sending TCP RST packets to the host.
Varnish Cache Project reports:
A denial of service attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker can create a large volume of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for the session, causing the Varnish server to consume unnecessary resources processing requests for which the response will not be delivered.
Gitlab reports:
XSS and ReDoS in Markdown via Banzai pipeline of Jira
Members with admin_group_member custom permission can add members with higher role
Release Description visible in public projects despite release set as project members only through atom response
Manipulate the repository content in the UI (CVE-2023-3401 bypass)
External user can abuse policy bot to gain access to internal projects
Client-side DOS via Mermaid Flowchart
Developers can update pipeline schedules to use protected branches even if they don't have permission to merge
Users can install Composer packages from public projects even when Package registry is turned off
Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches
Guest users can react (emojis) on confidential work items which they cant see in a project
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6345.
- Security: backported fix for CVE-2023-6346.
- Security: backported fix for CVE-2023-6347.
- Security: backported fix for CVE-2023-6350.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6345.
- Security: backported fix for CVE-2023-6346.
- Security: backported fix for CVE-2023-6347.
Chrome Releases reports:
This update includes 7 security fixes:
- [1491459] High CVE-2023-6348: Type Confusion in Spellcheck. Reported by Mark Brand of Google Project Zero on 2023-10-10
- [1494461] High CVE-2023-6347: Use after free in Mojo. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2023-10-21
- [1500856] High CVE-2023-6346: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-09
- [1501766] High CVE-2023-6350: Out of bounds memory access in libavif. Reported by Fudan University on 2023-11-13
- [1501770] High CVE-2023-6351: Use after free in libavif. Reported by Fudan University on 2023-11-13
- [1505053] High CVE-2023-6345: Integer overflow in Skia. Reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group on 2023-11-24
The MariaDB project reports:
Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
strongSwan reports:
A vulnerability in charon-tkm related to processing DH public values was discovered in strongSwan that can result in a buffer overflow and potentially remote code execution. All versions since 5.3.0 are affected.
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-5997.
Chrome Releases reports:
This update includes 4 security fixes:
- [1497997] High CVE-2023-5997: Use after free in Garbage Collection. Reported by Anonymous on 2023-10-31
- [1499298] High CVE-2023-6112: Use after free in Navigation. Reported by Sergei Glazunov of Google Project Zero on 2023-11-04
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-5996.
The OpenVPN community project team reports:
CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore "--fragment" configuration in some circumstances, leading to a division by zero when "--fragment" is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash.
Reported by Niccolo Belli and WIPocket (Github #400, #417).CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417)
security-advisories@github.com reports:
Weak Authentication in Session Handling in typo3/cms-core: In typo3 installations there are always at least two different sites. Eg. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can be reused on the second site without requiring additional authentication. This vulnerability has been addressed in versions 8.7.55, 9.5.44, 10.4.41, 11.5.33, and 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Information Disclosure in Install Tool in typo3/cms-install: In affected versions the login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-based scenarios only - classic non-composer installations are not affected. This issue has been addressed in version 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
By-passing Cross-Site Scripting Protection in HTML Sanitizer: In affected versions DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. This vulnerability has been addressed in versions 1.5.3 and 2.1.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
PostgreSQL Project reports:
Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type designation. We have not confirmed or ruled out viability of attacks that arrange for presence of notable, confidential information in disclosed bytes.
PostgreSQL Project reports:
While modifying certain SQL array values, missing overflow checks let authenticated database users write arbitrary bytes to a memory area that facilitates arbitrary code execution. Missing overflow checks also let authenticated database users read a wide area of server memory. The CVE-2021-32027 fix covered some attacks of this description, but it missed others.
PostgreSQL Project reports:
Documentation says the pg_cancel_backend role cannot signal "a backend owned by a superuser". On the contrary, it can signal background workers, including the logical replication launcher. It can signal autovacuum workers and the autovacuum launcher. Signaling autovacuum workers and those two launchers provides no meaningful exploit, so exploiting this vulnerability requires a non-core extension with a less-resilient background worker. For example, a non-core background worker that does not auto-restart would experience a denial of service with respect to that particular background worker.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-5849.
- Security: backported fix for CVE-2023-5482.
cve@mitre.org reports:
Multiple signed integers overflow in function au_read_header in src/au.c and in functions mat4_open and mat4_read_header in src/mat4.c in Libsndfile, allows an attacker to cause Denial of Service or other unspecified impacts.
Chrome Releases reports:
This update includes 1 security fix:
- [1497859] High CVE-2023-5996: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab via Tianfu Cup 2023 on 2023-10-30
The OpenSSL project reports:
Excessive time spent in DH check / generation with large Q parameter value (low). Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow.
Casper services allow limiting operations that a process can perform. Each service maintains a specific list of permitted operations. Certain operations can be further restricted, such as specifying which domain names can be resolved. During the verification of limits, the service must ensure that the new set of constraints is a subset of the previous one. In the case of the cap_net service, the currently limited set of domain names was fetched incorrectly.
In certain scenarios, if only a list of resolvable domain names was specified without setting any other limitations, the application could submit a new list of domains including include entries not previously in the list.
For line-buffered streams the __sflush() function did not correctly update the FILE object's write space member when the write(2) system call returns an error.
Depending on the nature of an application that calls libc's stdio functions and the presence of errors returned from the write(2) system call (or an overridden stdio write routine) a heap buffer overfly may occur. Such overflows may lead to data corruption or the execution of arbitrary code at the privilege level of the calling program.
Frank-Z7 reports:
Heap buffer overflow when vorbis-tools/oggenc converts WAV files to Ogg files.
Frank-Z7 reports:
Running optipng with the "-zm 3 -zc 1 -zw 256 -snip -out" configuration options enabled raises a global-buffer-overflow bug, which could allow a remote attacker to conduct a denial-of-service attack or other unspecified effect on a crafted file.
Chrome Releases reports:
This update includes 15 security fixes:
- [1492698] High CVE-2023-5480: Inappropriate implementation in Payments. Reported by Vsevolod Kokorin (Slonser) of Solidlab on 2023-10-14
- [1492381] High CVE-2023-5482: Insufficient data validation in USB. Reported by DarkNavy on 2023-10-13
- [1492384] High CVE-2023-5849: Integer overflow in USB. Reported by DarkNavy on 2023-10-13
- [1281972] Medium CVE-2023-5850: Incorrect security UI in Downloads. Reported by Mohit Raj (shadow2639) on 2021-12-22
- [1473957] Medium CVE-2023-5851: Inappropriate implementation in Downloads. Reported by Shaheen Fazim on 2023-08-18
- [1480852] Medium CVE-2023-5852: Use after free in Printing. Reported by [pwn2car] on 2023-09-10
- [1456876] Medium CVE-2023-5853: Incorrect security UI in Downloads. Reported by Hafiizh on 2023-06-22
- [1488267] Medium CVE-2023-5854: Use after free in Profiles. Reported by Dohyun Lee (@l33d0hyun) of SSD-Disclosure Labs & DNSLab, Korea Univ on 2023-10-01
- [1492396] Medium CVE-2023-5855: Use after free in Reading Mode. Reported by ChaobinZhang on 2023-10-13
- [1493380] Medium CVE-2023-5856: Use after free in Side Panel. Reported by Weipeng Jiang (@Krace) of VRI on 2023-10-17
- [1493435] Medium CVE-2023-5857: Inappropriate implementation in Downloads. Reported by Will Dormann on 2023-10-18
- [1457704] Low CVE-2023-5858: Inappropriate implementation in WebApp Provider. Reported by Axel Chong on 2023-06-24
- [1482045] Low CVE-2023-5859: Incorrect security UI in Picture In Picture. Reported by Junsung Lee on 2023-09-13
phpmyfaq developers report:
XSS
Insufficient session expiration
VMware reports:
This update includes 2 security fixes:
- High CVE-2023-34058: SAML token signature bypass vulnerability
- High CVE-2023-34059: File descriptor hijack vulnerability in the vmware-user-suid-wrapper
Gitlab reports:
Disclosure of CI/CD variables using Custom project templates
GitLab omnibus DoS crash via OOM with CI Catalogs
Parsing gitlab-ci.yml with large string via timeout input leads to Denial of Service
DoS - Blocking FIFO files in Tar archives
Titles exposed by service-desk template
Approval on protected environments can be bypassed
Version information disclosure when super_sidebar_logged_out feature flag is enabled
Add abuse detection for search syntax filter pipes
Tim Wojtulewicz of Corelight reports:
A specially-crafted SSL packet could cause Zeek to leak memory and potentially crash.
A specially-crafted series of FTP packets could cause Zeek to log entries for requests that have already been completed, using resources unnecessarily and potentially causing Zeek to lose other traffic.
A specially-crafted series of SSL packets could cause Zeek to output a very large number of unnecessary alerts for the same record.
A specially-crafted series of SSL packets could cause Zeek to generate very long ssl_history fields in the ssl.log, potentially using a large amount of memory due to unbounded state growth
A specially-crafted IEEE802.11 packet could cause Zeek to overflow memory and potentially crash
Chrome Releases reports:
This update includes 2 security fixes:
- [1491296] High CVE-2023-5472: Use after free in Profiles. Reported by @18楼梦想改造家 on 2023-10-10
The X.Org project reports:
- ZDI-CAN-22153/CVE-2023-5367: X.Org server: OOB write in XIChangeDeviceProperty/RRChangeOutputProperty
When prepending values to an existing property an invalid offset calculation causes the existing values to be appended at the wrong offset. The resulting memcpy() would write into memory outside the heap-allocated array.
- ZDI-CAN-21608/CVE-2023-5380: Use-after-free bug in DestroyWindow
This vulnerability requires a legacy multi-screen setup with multiple protocol screens ("Zaphod"). If the pointer is warped from one screen to the root window of the other screen, the enter/leave code may retain a reference to the previous pointer window. Destroying this window leaves that reference in place, other windows may then trigger a use-after-free bug when they are destroyed.
The squid-cache project reports:
- Denial of Service in FTP
- Request/Response smuggling in HTTP/1.1 and ICAP
- Denial of Service in HTTP Digest Authentication
SO-AND-SO reports:
Moderate severity: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.
Oracle reports:
This Critical Patch Update contains 37 new security patches, plus additional third party patches noted below, for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
Request Tracker reports:
CVE-2023-41259 SECURITY: RT is vulnerable to unvalidated email headers in incoming email and the mail-gateway REST interface.
CVE-2023-41260 SECURITY: RT is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST interface.
CVE-2023-45024 SECURITY: RT 5.0 is vulnerable to information leakage via transaction searches made by authenticated users in the transaction query builder.
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-5218.
The Apache httpd project reports:
- CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST
- CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0
- CVE-2023-31122: mod_macro buffer over-read
The moonlight-embedded project reports:
Moonlight Embedded v2.6.1 fixed CVE-2023-42799, CVE-2023-42800, and CVE-2023-42801.
Jenkins Security Advisory:
Description
(High) SECURITY-3291 / CVE-2023-36478, CVE-2023-44487
HTTP/2 denial of service vulnerability in bundled Jetty
The Roundcube project reports:
cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages
Redis core team reports:
The wrong order of listen(2) and chmod(2) calls creates a race condition that can be used by another process to bypass desired Unix socket permissions on startup.
The libcue team reports:
There is a vulnerability to out-of-bounds array access.
The traefik authors report:
There is a vulnerability in GO managing HTTP/2 requests, which impacts Traefik. This vulnerability could be exploited to cause a denial of service.
The X.Org project reports:
- CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer
- An out-of-bounds read is located in ParseComment() when reading from a memory buffer instead of a file, as it continued to look for the closing comment marker past the end of the buffer.
- CVE-2023-43789: Out of bounds read on XPM with corrupted colormap
- A corrupted colormap section may cause libXpm to read out of bounds.
The X.Org project reports:
- CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
- When libX11 is processing the reply from the X server to the XkbGetMap request, if it detected the number of symbols in the new map was less than the size of the buffer it had allocated, it always added room for 128 more symbols, instead of the actual size needed. While the _XkbReadBufferCopyKeySyms() helper function returned an error if asked to copy more keysyms into the buffer than there was space allocated for, the caller never checked for an error and assumed the full set of keysyms was copied into the buffer and could then try to read out of bounds when accessing the buffer. libX11 1.8.7 has been patched to both fix the size allocated and check for error returns from _XkbReadBufferCopyKeySyms().
- CVE-2023-43786: stack exhaustion in XPutImage
- When splitting a single line of pixels into chunks that fit in a single request (not using the BIG-REQUESTS extension) to send to the X server, the code did not take into account the number of bits per pixel, so would just loop forever finding it needed to send more pixels than fit in the given request size and not breaking them down into a small enough chunk to fit. An XPM file was provided that triggered this bug when loaded via libXpm's XpmReadFileToPixmap() function, which in turn calls XPutImage() and hit this bug.
- CVE-2023-43787: integer overflow in XCreateImage() leading to a heap overflow
- When creating an image, there was no validation that the multiplication of the caller-provided width by the visual's bits_per_pixel did not overflow and thus result in the allocation of a buffer too small to hold the data that would be copied into it. An XPM file was provided that triggered this bug when loaded via libXpm's XpmReadFileToPixmap() function, which in turn calls XCreateImage() and hit this bug.i
Chrome Releases reports:
This update includes 20 security fixes:
- [1487110] Critical CVE-2023-5218: Use after free in Site Isolation. Reported by @18楼梦想改造家 on 2023-09-27
- [1062251] Medium CVE-2023-5487: Inappropriate implementation in Fullscreen. Reported by Anonymous on 2020-03-17
- [1414936] Medium CVE-2023-5484: Inappropriate implementation in Navigation. Reported by Thomas Orlita on 2023-02-11
- [1476952] Medium CVE-2023-5475: Inappropriate implementation in DevTools. Reported by Axel Chong on 2023-08-30
- [1425355] Medium CVE-2023-5483: Inappropriate implementation in Intents. Reported by Axel Chong on 2023-03-17
- [1458934] Medium CVE-2023-5481: Inappropriate implementation in Downloads. Reported by Om Apip on 2023-06-28
- [1474253] Medium CVE-2023-5476: Use after free in Blink History. Reported by Yunqin Sun on 2023-08-20
- [1483194] Medium CVE-2023-5474: Heap buffer overflow in PDF. Reported by [pwn2car] on 2023-09-15
- [1471253] Medium CVE-2023-5479: Inappropriate implementation in Extensions API. Reported by Axel Chong on 2023-08-09
- [1395164] Low CVE-2023-5485: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2022-12-02
- [1472404] Low CVE-2023-5478: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-08-12
- [1472558] Low CVE-2023-5477: Inappropriate implementation in Installer. Reported by Bahaa Naamneh of Crosspoint Labs on 2023-08-13
- [1357442] Low CVE-2023-5486: Inappropriate implementation in Input. Reported by Hafiizh on 2022-08-29
- [1484000] Low CVE-2023-5473: Use after free in Cast. Reported by DarkNavy on 2023-09-18
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-5187.
The curl team reports:
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes. If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there.
Kazuo Okuhu reports:
H2O is vulnerable to the HTTP/2 Rapid Reset attack. An attacker might be able to consume more than adequate amount of processing power of h2o and the backend servers by mounting the attack.
Django reports:
CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator.
Trendmicro ZDI reports:
Integer Underflow Remote Code Execution Vulnerability
The specific flaw exists within the parsing of SPF macros. When parsing SPF macros, the process does not properly validate user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the service account.
Chrome Releases reports:
This update includes 1 security fix:
- [1485829] High CVE-2023-5346: Type Confusion in V8. Reported by Amit Kumar on 2023-09-22
On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized.
No speculative execution workarounds are installed on CPU 0.
The syscall checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the syscall must additionally require the CAP_SEEK capability.
A sandboxed process with only read or write but no seek capability on a file descriptor may be able to read data from or write data to an arbitrary location within the file corresponding to that file descriptor.
In certain cases using the truncate or ftruncate system call to extend a file size populates the additional space in the file with unallocated data from the underlying disk device, rather than zero bytes.
A user with write access to files on a msdosfs file system may be able to read unintended data (for example, from a previously deleted file).
Mediawikwi reports:
(T264765, CVE-2023-PENDING) SECURITY: Users without correct permission are incorrectly shown MediaWiki:Missing-revision-permission.
(T333050, CVE-2023-PENDING) SECURITY: Fix infinite loop for self-redirects with variants conversion.
(T340217, CVE-2023-PENDING) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.
(T340220, CVE-2023-PENDING) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.
(T340221, CVE-2023-PENDING) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
(T341529, CVE-2023-PENDING) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.
(T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non-standard configuration).
Composer project reports:
Description: Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has register_argc_argv enabled in php.ini.
Workaround: Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.
Chrome Releases reports:
This update includes 10 security fixes:
- [1486441] High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-09-25
- [1478889] High CVE-2023-5186: Use after free in Passwords. Reported by [pwn2car] on 2023-09-05
- [1475798] High CVE-2023-5187: Use after free in Extensions. Reported by Thomas Orlita on 2023-08-25
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-5217.
Attacker can add other projects policy bot as member to their own project and use that bot to trigger pipelines in victims project
Group import allows impersonation of users in CI pipelines
Developers can bypass code owners approval by changing a MR's base branch
Leaking source code of restricted project through a fork
Third party library Consul requires enable-script-checks to be False to enable patch
Service account not deleted when namespace is deleted allowing access to internal projects
Enforce SSO settings bypassed for public projects for Members without identity
Removed project member can write to protected branches
Unauthorised association of CI jobs for Machine Learning experiments
Force pipelines to not have access to protected variables and will likely fail using tags
Maintainer can create a fork relationship between existing projects
Disclosure of masked CI variables via processing CI/CD configuration of forks
Asset Proxy Bypass using non-ASCII character in asset URI
Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches
Removed Developer can continue editing the source code of a public project
A project reporter can leak owner's Sentry instance projects
Math rendering in markdown can escape container and hijack clicks
xrdp team reports:
Access to the font glyphs in xrdp_painter.c is not bounds-checked. Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On non-Debian platforms, xrdp tends to run as root. Potentially an out-of-bounds write can follow the out-of-bounds read. There is no denial-of-service impact, providing xrdp is running in forking mode. This issue has been addressed in release 0.9.23.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
xrdp team reports:
In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return non-zero (1) value on, e.g., PAM error which may result in session restrictions such as max concurrent sessions per user by PAM (ex ./etc/security/limits.conf) to be bypassed. Users (administrators) don't use restrictions by PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.
sep@nlnetlabs.nl reports:
NLnet Labs Routinator 0.9.0 up to and including 0.12.1 contains a possible path traversal vulnerability in the optional, off-by-default keep-rrdp-responses feature that allows users to store the content of responses received for RRDP requests. The location of these stored responses is constructed from the URL of the request. Due to insufficient sanitation of the URL, it is possible for an attacker to craft a URL that results in the response being stored outside of the directory specified for it.
Jenkins Security Advisory:
Description
(Medium) SECURITY-3261 / CVE-2023-43494
Builds can be filtered by values of sensitive build variables
(High) SECURITY-3245 / CVE-2023-43495
Stored XSS vulnerability
(High) SECURITY-3072 / CVE-2023-43496
Temporary plugin file created with insecure permissions
(Low) SECURITY-3073 / CVE-2023-43497 (Stapler), CVE-2023-43498 (MultipartFormDataParser)
Temporary uploaded file created with insecure permissions
Mailpit author reports:
Update Go modules to address CVE-2023-42821 (go markdown module DoS).
Google Chrome reports:
Heap buffer overflow in WebP ... allowed a remote attacker to perform an out of bounds memory write ...
chrome-cve-admin@google.com reports:
Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical) The Tor browser is based on Firefox and GeckoView and uses also libwep so it is affected by this bug.
Gitlab reports:
Attacker can abuse scan execution policies to run pipelines as another user
NLnet Labs report:
This release fixes two issues in Routinator that can be exploited remotely by rogue RPKI CAs and repositories. We therefore advise all users of Routinator to upgrade to this release at their earliest convenience.
The first issue, CVE-2022-39915, can lead to Routinator crashing when trying to decode certain illegal RPKI objects.
The second issue, CVE-2022-39916, only affects users that have the rrdp-keep-responses option enabled which allows storing all received RRDP responses on disk. Because the file name for these responses is derived from the URI and the path wasn't checked properly, a RRDP URI could be constructed that results in the response stored outside the directory, possibly overwriting existing files.
selmelc on hackerone reports:
When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.
However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.
The Roundcube webmail project reports:
cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4763.
- Security: backported fix for CVE-2023-4762.
- Security: backported fix for CVE-2023-4761.
- Security: backported fix for CVE-2023-4863.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4572.
- Security: backported fix for CVE-2023-4762.
- Security: backported fix for CVE-2023-4863.
Chrome Releases reports:
This update includes 16 security fixes:
- [1479274] Critical CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Torontoʼs Munk School on 2023-09-06
- [1430867] Medium CVE-2023-4900: Inappropriate implementation in Custom Tabs. Reported by Levit Nudi from Kenya on 2023-04-06
- [1459281] Medium CVE-2023-4901: Inappropriate implementation in Prompts. Reported by Kang Ali on 2023-06-29
- [1454515] Medium CVE-2023-4902: Inappropriate implementation in Input. Reported by Axel Chong on 2023-06-14
- [1446709] Medium CVE-2023-4903: Inappropriate implementation in Custom Mobile Tabs. Reported by Ahmed ElMasry on 2023-05-18
- [1453501] Medium CVE-2023-4904: Insufficient policy enforcement in Downloads. Reported by Tudor Enache @tudorhacks on 2023-06-09
- [1441228] Medium CVE-2023-4905: Inappropriate implementation in Prompts. Reported by Hafiizh on 2023-04-29
- [1449874] Low CVE-2023-4906: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2023-05-30
- [1462104] Low CVE-2023-4907: Inappropriate implementation in Intents. Reported by Mohit Raj (shadow2639) on 2023-07-04
- [1451543] Low CVE-2023-4908: Inappropriate implementation in Picture in Picture. Reported by Axel Chong on 2023-06-06
- [1463293] Low CVE-2023-4909: Inappropriate implementation in Interstitials. Reported by Axel Chong on 2023-07-09
VSCode developers report:
Visual Studio Code Remote Code Execution Vulnerability
A remote code execution vulnerability exists in VS Code 1.82.0 and earlier versions that working in a maliciously crafted package.json can result in executing commands locally. This scenario would require the attacker to get the VS Code user to open the malicious project and have get the user to open and work with malformed entries in the dependencies sections of the package.json file.
VS Code uses the locally installed npm command to fetch information on package dependencies. A package dependency can be named in such a way that the npm tool runs a script instead.
Tim Wojtulewicz of Corelight reports:
File extraction limits were not correctly enforced for files containing large amounts of missing bytes.
Sessions are sometimes not cleaned up completely within Zeek during shutdown, potentially causing a crash when using the -B dpd flag for debug logging.
A specially-crafted HTTP packet can cause Zeek's filename extraction code to take a long time to process the data.
A specially-crafted series of FTP packets made up of a CWD request followed by a large amount of ERPT requests may cause Zeek to spend a long time logging the commands.
A specially-crafted VLAN packet can cause Zeek to overflow memory and potentially crash.
The Gitea team reports:
check blocklist for emails when adding them to account
Python reports:
gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data.
The Go project reports:
cmd/go: go.mod toolchain directive allows arbitrary execution
The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
html/template: improper handling of HTML-like comments within script contexts
The html/template package did not properly handle HMTL-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
html/template: improper handling of special tags within script contexts
The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script< contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
crypto/tls: panic when processing post-handshake message on QUIC connections
Processing an incomplete post-handshake message for a QUIC connection caused a panic.
The net80211 subsystem would fallback to the multicast key for unicast traffic in the event the unicast key was removed. This would result in buffered unicast traffic being exposed to any stations with access to the multicast key.
As described in the "Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues" paper, an attacker can induce an access point to buffer frames for a client, deauthenticate the client (causing the unicast key to be removed from the access point), and subsequent flushing of the buffered frames now encrypted with the multicast key. This would give the attacker access to the data.
With a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is.
IPv6 fragments may bypass firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host.
yangbodong22011 reports:
Redis does not correctly identify keys accessed by SORT_RO and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration.
Chrome Releases reports:
This update includes 4 security fixes:
- [1476403] High CVE-2023-4761: Out of bounds memory access in FedCM. Reported by DarkNavy on 2023-08-28
- [1473247] High CVE-2023-4762: Type Confusion in V8. Reported by Rong Jian of VRI on 2023-08-16
- [1469928] High CVE-2023-4763: Use after free in Networks. Reported by anonymous on 2023-08-03
- [1447237] High CVE-2023-4764: Incorrect security UI in BFCache. Reported by Irvan Kurniawan (sourc7) on 2023-05-20
Django reports:
CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri().
Gitlab reports:
Privilege escalation of "external user" to internal access through group service account
Maintainer can leak sentry token by changing the configured URL (fix bypass)
Google Cloud Logging private key showed in plain text in GitLab UI leaking to other group owners
Information disclosure via project import endpoint
Developer can leak DAST scanners "Site Profile" request headers and auth password
Project forking outside current group
User is capable of creating Model experiment and updating existing run's status in public project
ReDoS in bulk import API
Pagination for Branches and Tags can be skipped leading to DoS
Internal Open Redirection Due to Improper handling of "../" characters
Subgroup Member With Reporter Role Can Edit Group Labels
Banned user can delete package registries
Thomas Waldmann reports:
A flaw in the cryptographic authentication scheme in Borg allowed an attacker to fake archives and potentially indirectly cause backup data loss in the repository.
The attack requires an attacker to be able to
- insert files (with no additional headers) into backups
- gain write access to the repository
This vulnerability does not disclose plaintext to the attacker, nor does it affect the authenticity of existing archives. Creating plausible fake archives may be feasible for empty or small archives, but is unlikely for large archives.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4427.
- Security: backported fix for CVE-2023-4428.
- Security: backported fix for CVE-2023-4429.
- Security: backported fix for CVE-2023-4430.
- Security: backported fix for CVE-2023-4572.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4427.
- Security: backported fix for CVE-2023-4428.
- Security: backported fix for CVE-2023-4430.
- Security: backported fix for CVE-2023-4572.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4427.
- Security: backported fix for CVE-2023-4428.
Implementations using this library with directory browsing enabled may be susceptible to Cross Site Scripting (XSS) attacks.
A stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface.
A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials.
The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled.
For page, the vulnerability is in the "Choose a parent page" ModelAdmin view, available when managing pages via ModelAdmin.
For documents, the vulnerability is in the ModelAdmin Inspect view when displaying document fields.
A memory exhaustion bug exists in Wagtail's handling of uploaded images and documents.
For both images and documents, files are loaded into memory during upload for additional processing.
A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service.
The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
It can only be exploited by admin users with permission to upload images or documents.
Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code.
Treq's request methods (`treq.get`, `treq.post`, `HTTPClient.request`, `HTTPClient.get`, etc.) accept cookies as a dictionary.
Such cookies are not bound to a single domain, and are therefore sent to *every* domain ("supercookies").
This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`.
kmike and nramirezuy report:
Scrapy 1.4 allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.
ranjit-git reports:
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.
Responses from domain names whose public domain name suffix contains 1 or more periods (e.g. responses from `example.co.uk`, given its public domain name suffix is `co.uk`) are able to set cookies that are included in requests to any other domain sharing the same domain name suffix.
When the built-in HTTP proxy downloader middleware processes a request with `proxy` metadata, and that `proxy` metadata includes proxy credentials, the built-in HTTP proxy downloader middleware sets the `Proxy-Authentication` header, but only if that header is not already set.
There are third-party proxy-rotation downloader middlewares that set different `proxy` metadata every time they process a request.
Because of request retries and redirects, the same request can be processed by downloader middlewares more than once, including both the built-in HTTP proxy downloader middleware and any third-party proxy-rotation downloader middleware.
These third-party proxy-rotation downloader middlewares could change the `proxy` metadata of a request to a new value, but fail to remove the `Proxy-Authentication` header from the previous value of the `proxy` metadata, causing the credentials of one proxy to be leaked to a different proxy.
If you rotate proxies from different proxy providers, and any of those proxies requires credentials, you are affected, unless you are handling proxy rotation as described under **Workarounds** below.
If you use a third-party downloader middleware for proxy rotation, the same applies to that downloader middleware, and installing a patched version of Scrapy may not be enough;
patching that downloader middlware may be necessary as well.
lebr0nli reports:
Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`.
Glyph reports:
HTTPie is a command-line HTTP client.
HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage.
Before 3.1.0, HTTPie didn't distinguish between cookies and hosts they belonged.
This behavior resulted in the exposure of some cookies when there are redirects originating from the actual host to a third party website.
Users are advised to upgrade.
There are no known workarounds.
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository httpie/httpie prior to 3.1.0.
Snyk reports:
This affects all versions of package Flask-Security.
When using the `get_post_logout_redirect` and `get_post_login_redirect` functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as `\\\evil.com/path`.
This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using `'autocorrect_location_header=False`.
**Note:** Flask-Security is not maintained anymore.
praetorian-colby-morgan reports:
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9.
It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
subnix reports:
The Flask-Caching extension through 2.0.2 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation.
If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code.
domiee13 reports:
A vulnerability was found in django-photologue up to 3.15.1 and classified as problematic.
Affected by this issue is some unknown functionality of the file photologue/templates/photologue/photo_detail.html of the component Default Template Handler.
The manipulation of the argument object.caption leads to cross site scripting.
The attack may be launched remotely.
Upgrading to version 3.16 is able to address this issue.
The name of the patch is 960cb060ce5e2964e6d716ff787c72fc18a371e7.
It is recommended to apply a patch to fix this issue.
VDB-215906 is the identifier assigned to this vulnerability.
Red Hat reports:
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
Ben Caller reports:
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions.
Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS.
By crafting malicious input, an attacker can cause a denial of service.
Ben Caller reports:
markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability.
If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.
TheGrandPew reports:
python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds.
For example, an attack might use elementname@ or elementname- with an onclick attribute.
yeisonvargasf reports:
dparse is a parser for Python dependency files.
dparse in versions before 0.5.2 contain a regular expression that is vulnerable to a Regular Expression Denial of Service.
All the users parsing index server URLs with dparse are impacted by this vulnerability.
Users unable to upgrade should avoid passing index server URLs in the source file to be parsed.
The problem detailed in FreeBSD-SA-23:04.pam_krb5 persisted following the patch for that advisory.
The impact described in FreeBSD-SA-23:04.pam_krb5 persists.
The server may cause ssh-agent to load shared libraries other than those required for PKCS#11 support. These shared libraries may have side effects that occur on load and unload (dlopen and dlclose).
An attacker with access to a server that accepts a forwarded ssh-agent connection may be able to execute code on the machine running ssh-agent. Note that the attack relies on properties of operating system-provided libraries. This has been demonstrated on other operating systems; it is unknown whether this attack is possible using the libraries provided by a FreeBSD installation.
The fwctl driver implements a state machine which is executed when the guest accesses certain x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process' memory. A bug in the state machine implementation can result in a buffer overflowing when copying this string.
A malicious, privileged software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.
Each fragment of an IPv6 packet contains a fragment header which specifies the offset of the fragment relative to the original packet, and each fragment specifies its length in the IPv6 header. When reassembling the packet, the kernel calculates the complete IPv6 payload length. The payload length must fit into a 16-bit field in the IPv6 header.
Due to a bug in the kernel, a set of carefully crafted packets can trigger an integer overflow in the calculation of the reassembled packet's payload length field.
Once an IPv6 packet has been reassembled, the kernel continues processing its contents. It does so assuming that the fragmentation layer has validated all fields of the constructed IPv6 header. This bug violates such assumptions and can be exploited to trigger a remote kernel panic, resulting in a denial of service.
When using ssh-add(1) to add smartcard keys to ssh-agent(1) with per-hop destination constraints, a logic error prevented the constraints from being sent to the agent resulting in keys being added to the agent without constraints.
A malicious server could leverage the keys provided by a forwarded agent that would normally not be allowed due to the logic error.
pam_krb5 authenticates the user by essentially running kinit(1) with the password, getting a `ticket-granting ticket' (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to verify the password.
Normally, the system running the pam_krb5 module will also have a keytab, a key provisioned by the KDC. The pam_krb5 module will use the tgt to get a service ticket and validate it against the keytab, ensuring the tgt is valid and therefore, the password is valid.
However, if a keytab is not provisioned on the system, pam_krb5 has no way to validate the response from the KDC, and essentially trusts the tgt provided over the network as being valid.
In a non-default FreeBSD installation that leverages pam_krb5 for authentication and does not have a keytab provisioned, an attacker that is able to control both the password and the KDC responses can return a valid tgt, allowing authentication to occur for any user on the system.
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.
A timing based side channel exists in the OpenSSL RSA Decryption implementation.
The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed.
When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
A use-after-free will occur under certain conditions. This will most likely result in a crash.
A double free may occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.
A flaw in the backwards-compatibility key exchange route allows a pointer to be freed twice.
A remote, unauthenticated attacker may be able to cause a denial of service, or possibly remote code execution.
Note that FreeBSD 12.3 and FreeBSD 13.1 include older versions of OpenSSH, and are not affected. FreeBSD 13.2-BETA1 and later include the fix.
When GELI reads a key file from a standard input, it doesn't store it anywhere. If the user tries to initialize multiple providers at once, for the second and subsequent devices the standard input stream will be already empty. In this case, GELI silently uses a NULL key as the user key file. If the user used only a key file without a user passphrase, the master key was encrypted with an empty key file. This might not be noticed if the devices were also decrypted in a batch operation.
Some GELI providers might be silently encrypted with a NULL key file.
ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a "quoted packet," which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header.
The pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.
The memory safety bugs described above can be triggered by a remote host, causing the ping program to crash.
The ping process runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrained in how it can interact with the rest of the system at the point where the bug can occur.
Multiple security vulnerabilities have been discovered in the Heimdal implementation of the Kerberos 5 network authentication protocols and KDC.
A malicious actor with control of the network between a client and a service using Kerberos for authentication can impersonate either the client or the service, enabling a man-in-the-middle (MITM) attack circumventing mutual authentication.
Note that, while CVE-2022-44640 is a severe vulnerability, possibly enabling remote code execution on other platforms, the version of Heimdal included with the FreeBSD base system cannot be exploited in this way on FreeBSD.
Chrome Releases reports:
This update includes 1 security fix:
- [1472492] High CVE-2023-4572: Use after free in MediaStream. Reported by fwnfwn(@_fwnfwn) on 2023-08-12
The Gitea team reports:
Fix API leaking Usermail if not logged in
The API should only return the real Mail of a User, if the caller is logged in. The check do to this don't work. This PR fixes this. This not really a security issue, but can lead to Spam.
Chrome Releases reports:
This update includes 5 security fixes:
- [1469542] High CVE-2023-4430: Use after free in Vulkan. Reported by Cassidy Kim(@cassidy6564) on 2023-08-02
- [1469754] High CVE-2023-4429: Use after free in Loader. Reported by Anonymous on 2023-08-03
- [1470477] High CVE-2023-4428: Out of bounds memory access in CSS. Reported by Francisco Alonso (@revskills) on 2023-08-06
- [1470668] High CVE-2023-4427: Out of bounds memory access in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-08-07
- [1469348] Medium CVE-2023-4431: Out of bounds memory access in Fonts. Reported by Microsoft Security Researcher on 2023-08-01
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4071.
- Security: backported fix for CVE-2023-4070.
- Security: backported fix for CVE-2023-4075.
- Security: backported fix for CVE-2023-4076.
- Security: backported fix for CVE-2023-4074.
- Security: backported fix for CVE-2023-4072.
- Security: backported fix for CVE-2023-4068.
- Security: backported fix for CVE-2023-4073.
- Security: backported fix for CVE-2023-4355.
- Security: backported fix for CVE-2023-4354.
- Security: backported fix for CVE-2023-4353.
- Security: backported fix for CVE-2023-4351.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-4355.
- Security: backported fix for CVE-2023-4354.
- Security: backported fix for CVE-2023-4353.
- Security: backported fix for CVE-2023-4352.
- Security: backported fix for CVE-2023-4351.
phpmyfaq developers report:
Cross Site Scripting vulnerability
CSV injection vulnerability
Chrome Releases reports:
This update includes 26 security fixes:
- [1448548] High CVE-2023-2312: Use after free in Offline. Reported by avaue at S.S.L. on 2023-05-24
- [1458303] High CVE-2023-4349: Use after free in Device Trust Connectors. Reported by Weipeng Jiang (@Krace) of VRI on 2023-06-27
- [1454817] High CVE-2023-4350: Inappropriate implementation in Fullscreen. Reported by Khiem Tran (@duckhiem) on 2023-06-14
- [1465833] High CVE-2023-4351: Use after free in Network. Reported by Guang and Weipeng Jiang of VRI on 2023-07-18
- [1452076] High CVE-2023-4352: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-06-07
- [1458046] High CVE-2023-4353: Heap buffer overflow in ANGLE. Reported by Christoph Diehl / Microsoft Vulnerability Research on 2023-06-27
- [1464215] High CVE-2023-4354: Heap buffer overflow in Skia. Reported by Mark Brand of Google Project Zero on 2023-07-12
- [1468943] High CVE-2023-4355: Out of bounds memory access in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-07-31
- [1449929] Medium CVE-2023-4356: Use after free in Audio. Reported by Zhenghang Xiao (@Kipreyyy) on 2023-05-30
- [1458911] Medium CVE-2023-4357: Insufficient validation of untrusted input in XML. Reported by Igor Sak-Sakovskii on 2023-06-28
- [1466415] Medium CVE-2023-4358: Use after free in DNS. Reported by Weipeng Jiang (@Krace) of VRI on 2023-07-20
- [1443722] Medium CVE-2023-4359: Inappropriate implementation in App Launcher. Reported by @retsew0x01 on 2023-05-09
- [1462723] Medium CVE-2023-4360: Inappropriate implementation in Color. Reported by Axel Chong on 2023-07-07
- [1465230] Medium CVE-2023-4361: Inappropriate implementation in Autofill. Reported by Thomas Orlita on 2023-07-17
- [1316379] Medium CVE-2023-4362: Heap buffer overflow in Mojom IDL. Reported by Zhao Hai of NanJing Cyberpeace TianYu Lab on 2022-04-14
- [1367085] Medium CVE-2023-4363: Inappropriate implementation in WebShare. Reported by Alesandro Ortiz on 2022-09-23
- [1406922] Medium CVE-2023-4364: Inappropriate implementation in Permission Prompts. Reported by Jasper Rebane on 2023-01-13
- [1431043] Medium CVE-2023-4365: Inappropriate implementation in Fullscreen. Reported by Hafiizh on 2023-04-06
- [1450784] Medium CVE-2023-4366: Use after free in Extensions. Reported by asnine on 2023-06-02
- [1467743] Medium CVE-2023-4367: Insufficient policy enforcement in Extensions API. Reported by Axel Chong on 2023-07-26
- [1467751] Medium CVE-2023-4368: Insufficient policy enforcement in Extensions API. Reported by Axel Chong on 2023-07-26
Oracle reports:
This Critical Patch Update contains 24 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The ClamAV project reports:
There is a possible denial of service vulnerability in the AutoIt file parser.
Steve Smith reports:
There is a possible denial of service vulnerability in the HFS+ file parser.
SO-AND-SO reports:
When issuing a ticket for a TGS renew or validate request, copy only the server field from the outer part of the header ticket to the new ticket. Copying the whole structure causes the enc_part pointer to be aliased to the header ticket until krb5_encrypt_tkt_part() is called, resulting in a double-free if handle_authdata() fails..
TYPO3 reports:
TYPO3-CORE-SA-2023-002: By-passing Cross-Site Scripting Protection in HTML Sanitizer
TYPO3-CORE-SA-2023-003: Information Disclosure due to Out-of-scope Site Resolution
TYPO3-CORE-SA-2023-004: Cross-Site Scripting in CKEditor4 WordCount Plugin
PostgreSQL Project reports
PostgreSQL 15 introduced the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some row that INSERT policies do not forbid, a user could store such rows. Subsequent consequences are application-dependent. This affects only databases that have used CREATE POLICY to define a row security policy.
PostgreSQL Project reports
An extension script is vulnerable if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). No bundled extension is vulnerable. Vulnerable uses do appear in a documentation example and in non-bundled extensions. Hence, the attack prerequisite is an administrator having installed files of a vulnerable, trusted, non-bundled extension. Subject to that prerequisite, this enables an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. PostgreSQL will block this attack in the core server, so there's no need to modify individual extensions.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3732.
- Security: backported fix for CVE-2023-3728.
- Security: backported fix for CVE-2023-3730.
The Samba Team reports:
- CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion DoS Vulnerability
- When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where keys are character strings and values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the function dalloc_value_for_key(), which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed in pointer is not a valid talloc pointer. As RPC worker processes are shared among multiple client connections, a malicious client can crash the worker process affecting all other clients that are also served by this worker.
- CVE-2022-2127: Out-Of-Bounds read in winbind AUTH_CRAP
- When doing NTLM authentication, the client sends replies to cryptographic challenges back to the server. These replies have variable length. Winbind did not properly bounds-check the lan manager response length, which despite the lan manager version no longer being used is still part of the protocol. If the system is running Samba's ntlm_auth as authentication backend for services like Squid (or a very unusual configuration with FreeRADIUS), the vulnarebility is remotely exploitable. If not so configured, or to exploit this vulnerability locally, the user must have access to the privileged winbindd UNIX domain socket (a subdirectory with name 'winbindd_privileged' under "state directory", as set in the smb.conf). This access is normally only given so special system services like Squid or FreeRADIUS, use this feature.
- CVE-2023-34968: Spotlight server-side Share Path Disclosure
- As part of the Spotlight protocol, the initial request returns a path associated with the sharename targeted by the RPC request. Samba returns the real server-side share path at this point, as well as returning the absolute server-side path of results in search queries by clients. Known server side paths could be used to mount subsequent more serious security attacks or could disclose confidential information that is part of the path. To mitigate the issue, Samba will replace the real server-side path with a fake path constructed from the sharename.
- CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop DoS Vulnerability
- When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This bug only affects servers where Spotlight is explicitly enabled globally or on individual shares with "spotlight = yes".
- CVE-2023-3347: SMB2 packet signing not enforced
- SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. SMB2 packet signing is a mechanism that ensures the integrity and authenticity of data exchanged between a client and a server using the SMB2 protocol. It provides protection against certain types of attacks, such as man-in-the-middle attacks, where an attacker intercepts network traffic and modifies the SMB2 messages. Both client and server of an SMB2 connection can require that signing is being used. The server-side setting in Samba to configure signing to be required is "server signing = required". Note that on an Samba AD DCs this is also the default for all SMB2 connections. Unless the client requires signing which would result in signing being used on the SMB2 connection, sensitive data might have been modified by an attacker. Clients connecting to IPC$ on an AD DC will require signed connections being used, so the integrity of these connections was not affected.
Chrome Releases reports:
This update includes 17 security fixes:
- [1466183] High CVE-2023-4068: Type Confusion in V8. Reported by Jerry on 2023-07-20
- [1465326] High CVE-2023-4069: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2023-07-17
- [1462951] High CVE-2023-4070: Type Confusion in V8. Reported by Jerry on 2023-07-07
- [1458819] High CVE-2023-4071: Heap buffer overflow in Visuals. Reported by Guang and Weipeng Jiang of VRI on 2023-06-28
- [1464038] High CVE-2023-4072: Out of bounds read and write in WebGL. Reported by Apple Security Engineering and Architecture (SEAR) on 2023-07-12
- [1456243] High CVE-2023-4073: Out of bounds memory access in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2023-06-20
- [1464113] High CVE-2023-4074: Use after free in Blink Task Scheduling. Reported by Anonymous on 2023-07-12
- [1457757] High CVE-2023-4075: Use after free in Cast. Reported by Cassidy Kim(@cassidy6564) on 2023-06-25
- [1459124] High CVE-2023-4076: Use after free in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2023-06-29
- [1451146] Medium CVE-2023-4077: Insufficient data validation in Extensions. Reported by Anonymous on 2023-06-04
- [1461895] Medium CVE-2023-4078: Inappropriate implementation in Extensions. Reported by Anonymous on 2023-07-04
The Go project reports:
crypto/tls: restrict RSA keys in certificates to <= 8192 bits
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. Limit this by restricting the size of RSA keys transmitted during handshakes to <= 8192 bits.
net/http: insufficient sanitization of Host header
The HTTP/1 client did not fully validate the contents of the Host header. A maliciously crafted Host header could inject additional headers or entire requests. The HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
cmd/go: cgo code injection
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo.
runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary had the setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was executed with standard I/O file descriptors closed, opening any files could result in unexpected content being read/written with elevated prilieges. Similarly if a setuid/setgid program was terminated, either via panic or signal, it could leak the contents of its registers.
cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive.
html/template: improper sanitization of CSS values
Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HMTL, if executed with untrusted input.
html/template: improper handling of JavaScript whitespace
Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
html/template: improper handling of empty HTML attributes
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
Gitlab reports:
ReDoS via ProjectReferenceFilter in any Markdown fields
ReDoS via AutolinkFilter in any Markdown fields
Regex DoS in Harbor Registry search
Arbitrary read of files owned by the "git" user via malicious tar.gz file upload using GitLab export functionality
Stored XSS in Web IDE Beta via crafted URL
securityPolicyProjectAssign mutation does not authorize security policy project ID
An attacker can run pipeline jobs as arbitrary user
Possible Pages Unique Domain Overwrite
Access tokens may have been logged when a query was made to an endpoint
Reflected XSS via PlantUML diagram
The main branch of a repository with a specially designed name may allow an attacker to create repositories with malicious code
Invalid 'start_sha' value on merge requests page may lead to Denial of Service
Developers can create pipeline schedules on protected branches even if they don't have access to merge
Potential DOS due to lack of pagination while loading license data
Leaking emails of newly created users
The OpenSSL project reports:
Checking excessively long DH keys or parameters may be very slow (severity: Low).
Jenkins Security Advisory:
Description
(High) SECURITY-3188 / CVE-2023-39151
Stored XSS vulnerability
The Gitea team reports:
Disallow javascript, vbscript and data (data uri images still work) url schemes even if all other schemes are allowed
OpenSSH project reports:
Fix CVE-2023-38408 - a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team.
Chrome Releases reports:
This update includes 20 security fixes:
- [1454086] High CVE-2023-3727: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-06-12
- [1457421] High CVE-2023-3728: Use after free in WebRTC. Reported by Zhenghang Xiao (@Kipreyyy) on 2023-06-23
- [1453465] High CVE-2023-3730: Use after free in Tab Groups. Reported by @ginggilBesel on 2023-06-09
- [1450899] High CVE-2023-3732: Out of bounds memory access in Mojo. Reported by Mark Brand of Google Project Zero on 2023-06-02
- [1450203] Medium CVE-2023-3733: Inappropriate implementation in WebApp Installs. Reported by Ahmed ElMasry on 2023-05-31
- [1450376] Medium CVE-2023-3734: Inappropriate implementation in Picture In Picture. Reported by Thomas Orlita on 2023-06-01
- [1394410] Medium CVE-2023-3735: Inappropriate implementation in Web API Permission Prompts. Reported by Ahmed ElMasry on 2022-11-29
- [1434438] Medium CVE-2023-3736: Inappropriate implementation in Custom Tabs. Reported by Philipp Beer (TU Wien) on 2023-04-19
- [1446754] Medium CVE-2023-3737: Inappropriate implementation in Notifications. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2023-05-19
- [1434330] Medium CVE-2023-3738: Inappropriate implementation in Autofill. Reported by Hafiizh on 2023-04-18
- [1405223] Low CVE-2023-3740: Insufficient validation of untrusted input in Themes. Reported by Fardeen Siddiqui on 2023-01-06
secalert_us@oracle.com reports:
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.46 and Prior to 7.0.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.2 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H).
secalert_us@oracle.com reports:
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.46 and Prior to 7.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
secalert_us@oracle.com reports:
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.46 and Prior to 7.0.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via RDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Matrix Developers reports:
The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored XSS.
The Gitea team reports:
Test if container blob is accessible before mounting.
Set type="password" on all auth_token fields
Seen when migrating from other hosting platforms.
Prevents exposing the token to screen capture/cameras/eyeballs.
Prevents the browser from saving the value in its autocomplete dictionary, which often is not secure.
The OpenSSL project reports:
The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3422.
- Security: backported fix for CVE-2023-3421.
- Security: backported fix for CVE-2023-3420.
Albin Eldstål-Ahrens reports:
An out-of-bounds read on a heap buffer in the importshp plugin may allow an attacker to read sensitive data via a crafted DBF file.
Redis core team reports:
Extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Specifically: using COMMAND GETKEYS* and validation of key names in ACL rules.
Redis core team reports:
A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution.
The Gitea team reports:
If redirect_to parameter has set value starting with \\example.com redirect will be created with header Location: /\\example.com that will redirect to example.com domain.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3422.
- Security: backported fix for CVE-2023-3421.
- Security: backported fix for CVE-2023-3420.
Gitlab reports:
A user can change the name and path of some public GitLab groups
cve@mitre.org reports:
An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php.
Django reports:
CVE-2023-36053: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator.
Mediawiki reports:
(T335203, CVE-2023-29197) Upgrade guzzlehttp/psr7 to >= 1.9.1/2.4.5.
(T335612, CVE-2023-36674) Manualthumb bypasses badFile lookup.
(T332889, CVE-2023-36675) XSS in BlockLogFormatter due to unsafe message use.
Gitlab reports:
ReDoS via EpicReferenceFilter in any Markdown fields
New commits to private projects visible in forks created while project was public
New commits to private projects visible in forks created while project was public
Maintainer can leak masked webhook secrets by manipulating URL masking
Information disclosure of project import errors
Sensitive information disclosure via value stream analytics controller
Bypassing Code Owners branch protection rule in GitLab
HTML injection in email address
Webhook token leaked in Sidekiq logs if log format is 'default'
Private email address of service desk issue creator disclosed via issues API
Daiyuu Nobori reports:
The SoftEther VPN project received a high level code review and technical assistance from Cisco Systems, Inc. of the United States from April to June 2023 to fix several vulnerabilities in the SoftEther VPN code.
The risk of exploitation of any of the fixed vulnerabilities is low under normal usage and environment, and actual attacks are very difficult. However, SoftEther VPN is now an open source VPN software used by 7.4 million unique users worldwide, and is used daily by many users to defend against the risk of blocking attacks by national censorship firewalls and attempts to eavesdrop on communications. Therefore, as long as the slightest attack possibility exists, there is great value in preventing vulnerabilities as much as possible in anticipation of the most sophisticated cyber attackers in the world, such as malicious ISPs and man-in-the-middle attackers on national Internet communication channels. These fixes are important and useful patches for users who use SoftEther VPN and the Internet for secure communications to prevent advanced attacks that can theoretically be triggered by malicious ISPs and man-in-the-middle attackers on national Internet communication pathways.
The fixed vulnerabilities are CVE-2023-27395, CVE-2023-22325, CVE-2023-32275, CVE-2023-27516, CVE-2023-32634, and CVE-2023-31192. All of these were discovered in an outstanding code review of SoftEther VPN by Cisco Systems, Inc.
- CVE-2023-27395: Heap overflow in SoftEther VPN DDNS client functionality at risk of crashing and theoretically arbitrary code execution caused by a malicious man-in-the-middle attacker such like ISP-level or on national Internet communication channels
- CVE-2023-22325: Integer overflow in the SoftEther VPN DDNS client functionality could result in crashing caused by a malicious man-in-the-middle attacker such like ISP-level or on national Internet communication channels
- CVE-2023-32275: Vulnerability that allows the administrator himself of a 32-bit version of VPN Client or VPN Server to see the 32-bit value heap address of each of trusted CA's certificates in the VPN process
- CVE-2023-27516: If the user forget to set the administrator password of SoftEther VPN Client and enable remote administration with blank password, the administrator password of VPN Client can be changed remotely or VPN client can be used remotely by anonymouse third person
- CVE-2023-32634: If an attacker succeeds in launching a TCP relay program on the same port as the VPN Client on a local computer running the SoftEther VPN Client before the VPN Client process is launched, the TCP relay program can conduct a man-in-the-middle attack on communication between the administrator and the VPN Client process
- CVE-2023-31192: When SoftEther VPN Client connects to an untrusted VPN Server, an invalid redirection response for the clustering (load balancing) feature causes 20 bytes of uninitialized stack space to be read
oss-fuzz reports:
heap buffer overflow in internal_huf_decompress.
Cary Phillips reports:
v3.1.9 - Patch release that addresses [...] also OSS-fuzz 59382 Heap-buffer-overflow in internal_huf_decompress
Kimball Thurston reports:
Fix scenario where malformed dwa file could read past end of buffer - fixes OSS-Fuzz 59382
Chrome Releases reports:
This update includes 4 security fixes:
- [1452137] High CVE-2023-3420: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2023-06-07
- [1447568] High CVE-2023-3421: Use after free in Media. Reported by Piotr Bania of Cisco Talos on 2023-05-22
- [1450397] High CVE-2023-3422: Use after free in Guest View. Reported by asnine on 2023-06-01
Grafana Labs reports:
Grafana validates Azure Active Directory accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants. This can enable a Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application.
The CVSS score for this vulnerability is 9.4 Critical.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3215.
- Security: backported fix for CVE-2023-3216.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3215.
- Security: backported fix for CVE-2023-3216.
- Security: backported fix for CVE-2023-0698.
- Security: backported fix for CVE-2023-0932.
The X.Org project reports:
- Buffer overflows in InitExt.c in libX11 prior to 1.8.6 [CVE-2023-3138]
The functions in src/InitExt.c in libX11 prior to 1.8.6 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. Instead they trusted that they were called with values provided by an Xserver that was adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do.
As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself. Testing has found it is possible to at least cause the client to crash with this memory corruption.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-3079.
- Security: backported fix for CVE-2023-2933.
- Security: backported fix for CVE-2023-2932.
- Security: backported fix for CVE-2023-2931.
- Security: backported fix for CVE-2023-2936.
- Security: backported fix for CVE-2023-2935.
- Security: backported fix for CVE-2023-2934.
- Security: backported fix for CVE-2023-2930.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-2724.
- Security: backported fix for CVE-2023-2725.
- Security: backported fix for CVE-2023-2721.
- Security: backported fix for CVE-2023-3079.
- Security: backported fix for CVE-2023-2933.
- Security: backported fix for CVE-2023-2932.
- Security: backported fix for CVE-2023-2931.
- Security: backported fix for CVE-2023-2936.
- Security: backported fix for CVE-2023-2935.
- Security: backported fix for CVE-2023-2934.
- Security: backported fix for CVE-2023-2930.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-2724.
- Security: backported fix for CVE-2023-2723.
- Security: backported fix for CVE-2023-2725.
- Security: backported fix for CVE-2023-2721.
- Security: backported fix for CVE-2023-3079.
- Security: backported fix for CVE-2023-2933.
- Security: backported fix for CVE-2023-2932.
- Security: backported fix for CVE-2023-2931.
- Security: backported fix for CVE-2023-2936.
- Security: backported fix for CVE-2023-2935.
- Security: backported fix for CVE-2023-2930.
Jenkins Security Advisory:
Description
(High) SECURITY-3135 / CVE-2023-35141
CSRF protection bypass vulnerability
VSCode developers reports:
VS Code Information Disclosure Vulnerability
A information disclosure vulnerability exists in VS Code 1.79.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. An authorised attacker must send the user a malicious file and convince the user to open it for the vulnerability to occur. Exploiting this vulnerability could allow the disclosure of NTLM hashes.
Chrome Releases reports:
This update includes 5 security fixes:
- [1450568] Critical CVE-2023-3214: Use after free in Autofill payments. Reported by Rong Jian of VRI on 2023-06-01
- [1446274] High CVE-2023-3215: Use after free in WebRTC. Reported by asnine on 2023-05-17
- [1450114] High CVE-2023-3216: Type Confusion in V8. Reported by 5n1p3r0010 from Topsec ChiXiao Lab on 2023-05-31
- [1450601] High CVE-2023-3217: Use after free in WebXR. Reported by Sergei Glazunov of Google Project Zero on 2023-06-01
Shibboleth consortium reports:
An updated version of the XMLTooling library that is part of the OpenSAML and Shibboleth Service Provider software is now available which corrects a server-side request forgery (SSRF) vulnerability.
Including certain legal but "malicious in intent" content in the KeyInfo element defined by the XML Signature standard will result in attempts by the SP's shibd process to dereference untrusted URLs.
While the content of the URL must be supplied within the message and does not include any SP internal state or dynamic content, there is at minimum a risk of denial of service, and the attack could be combined with others to create more serious vulnerabilities in the future.
Neil Pang reports:
HiCA was injecting arbitrary code/commands into the certificate obtaining process and acme.sh is running them on the client machine.
Python reports:
gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).
gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329.
gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified.
gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler.
gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with shell=True.
gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().
gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features than may be surprising or dangerous, such as creating files outside the destination directory.
gh-102126: Fixed a deadlock at shutdown when clearing thread states if any finalizer tries to acquire the runtime head lock.
gh-100892: Fixed a crash due to a race while iterating over thread states in clearing threading.local.
Grafana Labs reports:
Grafana can allow an attacker in the Viewer role to send alerts by API Alert - Test. This option, however, is not available in the user panel UI for the Viewer role.
The CVSS score for this vulnerability is 4.1 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N).
Grafana Labs reports:
We have discovered a vulnerability with Grafana’s data source query endpoints that could end up crashing a Grafana instance.
If you have public dashboards (PD) enabled, we are scoring this as a CVSS 7.5 High.
If you have disabled PD, this vulnerability is still a risk, but triggering the issue requires data source read privileges and access to the Grafana API through a developer script.
Chrome Releases reports:
This update includes 2 security fixes:
- [1450481] High CVE-2023-3079: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-06-01
Gitlab reports:
Stored-XSS with CSP-bypass in Merge requests
ReDoS via FrontMatterFilter in any Markdown fields
ReDoS via InlineDiffFilter in any Markdown fields
ReDoS via DollarMathPostFilter in Markdown fields
DoS via malicious test report artifacts
Restricted IP addresses can clone repositories of public projects
Reflected XSS in Report Abuse Functionality
Privilege escalation from maintainer to owner by importing members from a project
Bypassing tags protection in GitLab
Denial of Service using multiple labels with arbitrarily large descriptions
Ability to use an unverified email for public and commit emails
Open Redirection Through HTTP Response Splitting
Disclosure of issue notes to an unauthorized user when exporting a project
Ambiguous branch name exploitation
cve@mitre.org reports:
qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file.
Kanboard is project management software that focuses on the Kanban methodology. The last update includes 4 vulnerabilities:
security-advisories@github.com reports:
- Missing access control in internal task links feature
- Stored Cross site scripting in the Task External Link Functionality in Kanboard
- Missing Access Control allows User to move and duplicate tasks in Kanboard
- Parameter based Indirect Object Referencing leading to private file exposure in Kanboard
The OpenSSL project reports:
Severity: Moderate. Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow.
security-advisories@github.com reports:
Kanboard is project management software that focuses on the Kanban methodology. Due to improper handling of elements under the `contentEditable` element, maliciously crafted clipboard content can inject arbitrary HTML tags into the DOM. A low-privileged attacker with permission to attach a document on a vulnerable Kanboard instance can trick the victim into pasting malicious screenshot data and achieve cross-site scripting if CSP is improperly configured. This issue has been patched in version 1.2.29.
Chrome Releases reports:
This update includes 16 security fixes:
- [1410191] High CVE-2023-2929: Out of bounds write in Swiftshader. Reported by Jaehun Jeong(@n3sk) of Theori on 2023-01-25
- [1443401] High CVE-2023-2930: Use after free in Extensions. Reported by asnine on 2023-05-08
- [1444238] High CVE-2023-2931: Use after free in PDF. Reported by Huyna at Viettel Cyber Security on 2023-05-10
- [1444581] High CVE-2023-2932: Use after free in PDF. Reported by Huyna at Viettel Cyber Security on 2023-05-11
- [1445426] High CVE-2023-2933: Use after free in PDF. Reported by Quang Nguyễn (@quangnh89) of Viettel Cyber Security and Nguyen Phuong on 2023-05-15
- [1429720] High CVE-2023-2934: Out of bounds memory access in Mojo. Reported by Mark Brand of Google Project Zero on 2023-04-01
- [1440695] High CVE-2023-2935: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-04-27
- [1443452] High CVE-2023-2936: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-05-08
- [1413813] Medium CVE-2023-2937: Inappropriate implementation in Picture In Picture. Reported by NDevTK on 2023-02-08
- [1416350] Medium CVE-2023-2938: Inappropriate implementation in Picture In Picture. Reported by Alesandro Ortiz on 2023-02-15
- [1427431] Medium CVE-2023-2939: Insufficient data validation in Installer. Reported by ycdxsb from VARAS@IIE on 2023-03-24
- [1426807] Medium CVE-2023-2940: Inappropriate implementation in Downloads. Reported by Axel Chong on 2023-03-22
- [1430269] Low CVE-2023-2941: Inappropriate implementation in Extensions API. Reported by Jasper Rebane on 2023-04-04
The MariaDB project reports:
MariaDB Server is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.
phpmyfaq developers report:
Multiple XSS vulnerabilities
Wei Chong Tan, Harry Sintonen, and Hiroki Kurosawa reports:
This update fixes 4 security vulnerabilities:
- Medium CVE-2023-28319: UAF in SSH sha256 fingerprint check. Reported by Wei Chong Tan on 2023-03-21
- Low CVE-2023-28320: siglongjmp race condition. Reported by Harry Sintonen on 2023-04-02
- Low CVE-2023-28321: IDN wildcard match. Reported by Hiroki Kurosawa on 2023-04-17
- Low CVE-2023-28322: more POST-after-PUT confusion. Reported by Hiroki Kurosawa on 2023-04-19
Tim Wojtulewicz of Corelight reports:
A specially-crafted series of FTP packets with a CMD command with a large path followed by a very large number of replies could cause Zeek to spend a long time processing the data.
A specially-crafted with a truncated header can cause Zeek to overflow memory and potentially crash.
A specially-crafted series of SMTP packets can cause Zeek to generate a very large number of events and take a long time to process them.
A specially-crafted series of POP3 packets containing MIME data can cause Zeek to spend a long time dealing with each individual file ID.
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2023-29469
Chrome Releases reports:
This update includes 12 security fixes:
- [1444360] Critical CVE-2023-2721: Use after free in Navigation. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2023-05-10
- [1400905] High CVE-2023-2722: Use after free in Autofill UI. Reported by Rong Jian of VRI on 2022-12-14
- [1435166] High CVE-2023-2723: Use after free in DevTools. Reported by asnine on 2023-04-21
- [1433211] High CVE-2023-2724: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2023-04-14
- [1442516] High CVE-2023-2725: Use after free in Guest View. Reported by asnine on 2023-05-04
- [1442018] Medium CVE-2023-2726: Inappropriate implementation in WebApp Installs. Reported by Ahmed ElMasry on 2023-05-03
Gitlab reports:
Smuggling code changes via merge requests with refs/replace
Piwigo reports:
Piwigo is affected by multiple SQL injection issues.
PostgreSQL Project reports
While CVE-2016-2193 fixed most interaction between row security and user ID changes, it missed a scenario involving function inlining. This leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
PostgreSQL Project reports
This enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. Database owners have that right by default, and explicit grants may extend it to other users.
secure@microsoft.com reports:
Visual Studio Code Information Disclosure Vulnerability
A information disclosure vulnerability exists in VS Code 1.78.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. An authorised attacker must send the user a malicious file and convince the user to open it for the vulnerability to occur. Exploiting this vulnerability could allow the disclosure of NTLM hashes.
glpi Project reports:
Multiple vulnerabilities found and fixed in this version:
- High CVE-2023-28849: SQL injection and Stored XSS via inventory agent request.
- High CVE-2023-28632: Account takeover by authenticated user.
- High CVE-2023-28838: SQL injection through dynamic reports.
- Moderate CVE-2023-28852: Stored XSS through dashboard administration.
- Moderate CVE-2023-28636: Stored XSS on external links.
- Moderate CVE-2023-28639: Reflected XSS in search pages.
- Moderate CVE-2023-28634: Privilege Escalation from technician to super-admin.
- Low CVE-2023-28633: Blind Server-Side Request Forgery (SSRF) in RSS feeds.
Redis core team reports:
Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that may later crash Redis on access.
Gitlab reports:
Malicious Runner Attachment via GraphQL
Django reports:
CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field.
Chrome Releases reports:
This update includes 15 security fixes:
- [1423304] Medium CVE-2023-2459: Inappropriate implementation in Prompts. Reported by Rong Jian of VRI on 2023-03-10
- [1419732] Medium CVE-2023-2460: Insufficient validation of untrusted input in Extensions. Reported by Martin Bajanik, Fingerprint[.]com on 2023-02-27
- [1350561] Medium CVE-2023-2461: Use after free in OS Inputs. Reported by @ginggilBesel on 2022-08-06
- [1375133] Medium CVE-2023-2462: Inappropriate implementation in Prompts. Reported by Alesandro Ortiz on 2022-10-17
- [1406120] Medium CVE-2023-2463: Inappropriate implementation in Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on 2023-01-10
- [1418549] Medium CVE-2023-2464: Inappropriate implementation in PictureInPicture. Reported by Thomas Orlita on 2023-02-23
- [1399862] Medium CVE-2023-2465: Inappropriate implementation in CORS. Reported by @kunte_ctf on 2022-12-10
- [1385714] Low CVE-2023-2466: Inappropriate implementation in Prompts. Reported by Jasper Rebane (popstonia) on 2022-11-17
- [1413586] Low CVE-2023-2467: Inappropriate implementation in Prompts. Reported by Thomas Orlita on 2023-02-07
- [1416380] Low CVE-2023-2468: Inappropriate implementation in PictureInPicture. Reported by Alesandro Ortiz on 2023-02-15
Gitlab reports:
Privilege escalation for external users when OIDC is enabled under certain conditions
Account takeover through open redirect for Group SAML accounts
Users on banned IP addresses can still commit to projects
User with developer role (group) can modify Protected branches setting on imported project and leak group CI/CD variables
The Gitlab web interface does not guarantee file integrity when downloading source code or installation packages from a tag or from a release.
Banned group member continues to have access to the public projects of a public group with the access level as same as before the ban.
The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code.
XSS and content injection and iframe injection when viewing raw files on iOS devices
Authenticated users can find other users by their private email
security@ubuntu.com reports:
Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
Elijah Glover reports:
Malformed HTTP/1.1 requests can crash worker processes. occasionally locking up child workers and causing denial of service, and an outage dropping any open connections.
git developers reports:
This update includes 2 security fixes:
- CVE-2023-25652: By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch)
- CVE-2023-29007: A specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug that can be used to inject arbitrary configuration into user's git config. This can result in arbitrary execution of code, by inserting values for core.pager, core.editor and so on
Grafana Labs reports:
An issue in how go handles backticks (`) with Javascript can lead to an injection of arbitrary code into go templates. While Grafana Labs software contains potentially vulnerable versions of go, we have not identified any exploitable use cases at this time.
The CVSS score for this vulnerability is 0.0 (adjusted), 9.8 (base).
Grafana Labs reports:
When setting up Grafana, there is an option to enable JWT authentication. Enabling this will allow users to authenticate towards the Grafana instance with a special header (default
X-JWT-Assertion).In Grafana, there is an additional way to authenticate using JWT called URL login where the token is passed as a query parameter.
When using this option, a JWT token is passed to the data source as a header, which leads to exposure of sensitive information to an unauthorized party.
The CVSS score for this vulnerability is 4.2 Medium
Matrix developers report:
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible due to the hardcoded content security policy. Version 3.71.0 of the SDK patches over the issue. As a workaround, restarting the client will clear the HTML injection.
security-advisories@github.com reports:
Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.
phpmyfaq developers report:
XSS
email address manipulation
Oracle reports:
This Critical Patch Update contains 34 new security patches, plus additional third party patches noted below, for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
Chrome Releases reports:
This update includes 8 security fixes:
- [1429197] High CVE-2023-2133: Out of bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30
- [1429201] High CVE-2023-2134: Out of bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30
- [1424337] High CVE-2023-2135: Use after free in DevTools. Reported by Cassidy Kim(@cassidy6564) on 2023-03-14
- [1432603] High CVE-2023-2136: Integer overflow in Skia. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-04-12
- [1430644] Medium CVE-2023-2137: Heap buffer overflow in sqlite. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2023-04-05
The libxml2 project reports:
Hashing of empty dict strings isn't deterministic
Fix null deref in xmlSchemaFixupComplexType
The mod_gnutls project reports:
Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Versions from 0.9.0 to 0.12.0 (including) did not properly fail blocking read operations on TLS connections when the transport hit timeouts. Instead it entered an endless loop retrying the read operation, consuming CPU resources. This could be exploited for denial of service attacks. If trace level logging was enabled, it would also produce an excessive amount of log output during the loop, consuming disk space.
Chrome Releases reports:
This update includes 2 security fixes:
- [1432210] High CVE-2023-2033: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-04-11
cve@mitre.org reports:
In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.
Tim Wojtulewicz of Corelight reports:
Receiving DNS responses from async DNS requests (via A specially-crafted stream of FTP packets containing a command reply with many intermediate lines can cause Zeek to spend a large amount of time processing data.
A specially-crafted set of packets containing extremely large file offsets cause cause the reassembler code to allocate large amounts of memory.
The DNS manager does not correctly expire responses that don't contain any data, such those containing NXDOMAIN or NODATA status codes. This can lead to Zeek allocating large amounts of memory for these responses and never deallocating them.
A specially-crafted stream of RDP packets can cause Zeek to spend large protocol validation.
A specially-crafted stream of SMTP packets can cause Zeek to spend large amounts of time processing data.
matheusbrat reports:
The Beaker library through 1.12.1 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.
ret2libc reports:
psutil (aka python-psutil) through 5.6.5 can have a double free.
This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
abeluck reports:
A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed.
Files would remain in the bucket exposing the data.
This issue affects directly data confidentiality.
A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers.
Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes.
This issue affects mainly the service availability.
Tapas jena reports:
A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory.
Any secret information in an async status file will be readable by a malicious user on that system.
This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
macosforgebot reports:
The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.
pyca/cryptography's wheels include a statically linked copy of OpenSSL.
The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue.
More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and https://www.openssl.org/news/secadv/20230207.txt.
If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL.
Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
alex reports:
Previously, `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers.
This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python.
This is a soundness bug -- it allows programmers to misuse an API, it cannot be exploited by attacker controlled data alone.
This now correctly raises an exception.
This issue has been present since `update_into` was originally introduced in cryptography 1.8.
Kang Hong Jin, Neophytos Christou, 刘力源 and Pattarakrit Rattankul report:
Another instance of CVE-2022-35935, where `SobolSample` is vulnerable to a denial of service via assumed scalar inputs, was found and fixed.
Pattarakrit Rattankul reports:
Another instance of CVE-2022-35991, where `TensorListScatter` and `TensorListScatterV2` crash via non scalar inputs in`element_shape`, was found in eager mode and fixed.
Jingyi Shi reports:
The 'AvgPoolOp' function takes an argument `ksize` that must be positive but is not checked.
A negative `ksize` can trigger a `CHECK` failure and crash the program.
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method.
ztauras reports:
Denial of service (DoS) vulnerability in Nicotine+ starting with version 3.0.3 and prior to version 3.2.1 allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character.
Slixmpp before 1.8.3 lacks SSL Certificate hostname validation in XMLStream, allowing an attacker to pose as any server in the eyes of Slixmpp.
SUSE reports:
cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/.
asolino reports:
Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
Thibaut Goetghebuer-Planchon reports:
The reference kernel of the CONV_3D_TRANSPOSE TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result.
Instead of `data_ptr += num_channels;` it should be `data_ptr += output_num_channels;` as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels.
An attacker can craft a model with a specific number of input channels in a way similar to the attached example script.
It is then possible to write specific values through the bias of the layer outside the bounds of the buffer.
This attack only works if the reference kernel resolver is used in the interpreter (i.e. `experimental_op_resolver_type=tf.lite.experimental.OpResolverType.BUILTIN_REF` is used).
Yakun Zhang of Baidu Security reports:
An attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service
Utkarsh Gupta reports:
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0.
By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.
Duncan Thomas reports:
The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header.
The Go project reports:
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.
OpenStack project reports:
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0.
When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the ``connection_info`` element in all Block Storage v3 Attachments API calls containing that element.
This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume.
Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API, should an attacker discover the Management API endpoint.
Jorge Rosillo reports:
OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution for `lxml`, and could lead to arbitrary file reads from an attacker-controlled XML payload.
This affects all XML parsing in the codebase.
jwang-a reports:
An issue was discovered in split_region in uc.c in Unicorn Engine before 2.0.0-rc5.
It allows local attackers to escape the sandbox.
An attacker must first obtain the ability to execute crafted code in the target sandbox in order to exploit this vulnerability.
The specific flaw exists within the virtual memory manager.
The issue results from the faulty comparison of GVA and GPA while calling uc_mem_map_ptr to free part of a claimed memory block.
An attacker can leverage this vulnerability to escape the sandbox and execute arbitrary code on the host machine.
Philipp Jeitner and Haya Shulman report:
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking.
The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
SCH227 reports:
Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.
Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.
This has been patched in version 65.5.1. The patch backported to the revision 63.1.0_1.
SCH227 reports:
Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.
Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.
This has been patched in version 65.5.1. The patch backported to the revision 44.1.1_1.
SCH227 reports:
Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.
Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.
This has been patched in version 65.5.1. The patch backported to the revision 58.5.3_3.
Tom Wolters reports:
When using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry.
These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application.
SCH227 reports:
The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
jimlinntu reports:
The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
DarkTinia reports:
All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\).
**Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.
Snyk reports:
This affects the package celery before 5.2.2.
It by default trusts the messages and metadata stored in backends (result stores).
When reading task metadata from the backend, the data is deserialized.
Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
drago-balto reports:
redis-py through 4.5.3 and 4.4.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request.
NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.
drago-balto reports:
redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner.
The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3, but [are believed to be incomplete](https://github.com/redis/redis-py/issues/2665).
CVE-2023-28859 has been assigned the issues caused by the incomplete fixes.
21k reports:
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
nosecurity reports:
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
21k reports:
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
nosecurity reports:
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
21k reports:
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
nosecurity reports:
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
TeamSeri0us reports:
An issue was discovered in py-lmdb 0.97. For certain values of md_flags, mdb_node_add does not properly set up a memcpy destination, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. For certain values of mp_flags, mdb_page_touch does not properly set up mc->mc_pg[mc->top], leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. mdb_node_del does not validate a memmove in the case of an unexpected node->mn_hi, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. For certain values of mn_flags, mdb_cursor_set triggers a memcpy with an invalid write operation within mdb_xcursor_init1. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
An issue was discovered in py-lmdb 0.97. There is a divide-by-zero error in the function mdb_env_open2 if mdb_env_read_header obtains a zero value for a certain size field. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
Red Hat Security Response Team reports:
Elixir 0.8.0 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database.
NIST reports:
The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.
Chrome Releases reports:
This update includes 16 security fixes:
- [1414018] High CVE-2023-1810: Heap buffer overflow in Visuals. Reported by Weipeng Jiang (@Krace) of VRI on 2023-02-08
- [1420510] High CVE-2023-1811: Use after free in Frames. Reported by Thomas Orlita on 2023-03-01
- [1418224] Medium CVE-2023-1812: Out of bounds memory access in DOM Bindings. Reported by Shijiang Yu on 2023-02-22
- [1423258] Medium CVE-2023-1813: Inappropriate implementation in Extensions. Reported by Axel Chong on 2023-03-10
- [1417325] Medium CVE-2023-1814: Insufficient validation of untrusted input in Safe Browsing. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2023-02-18
- [1278708] Medium CVE-2023-1815: Use after free in Networking APIs. Reported by DDV_UA on 2021-12-10
- [1413919] Medium CVE-2023-1816: Incorrect security UI in Picture In Picture. Reported by NDevTK on 2023-02-08
- [1418061] Medium CVE-2023-1817: Insufficient policy enforcement in Intents. Reported by Axel Chong on 2023-02-22
- [1223346] Medium CVE-2023-1818: Use after free in Vulkan. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research, Eric Lawrence, Microsoft, Patrick Walker (@HomeSen), and Kirtikumar Anandrao Ramchandani on 2021-06-24
- [1406588] Medium CVE-2023-1819: Out of bounds read in Accessibility. Reported by Microsoft Edge Team on 2023-01-12
- [1408120] Medium CVE-2023-1820: Heap buffer overflow in Browser History. Reported by raven at KunLun lab on 2023-01-17
- [1413618] Low CVE-2023-1821: Inappropriate implementation in WebShare. Reported by Axel Chong on 2023-02-07
- [1066555] Low CVE-2023-1822: Incorrect security UI in Navigation. Reported by 강우진 on 2020-04-01
- [1406900] Low CVE-2023-1823: Inappropriate implementation in FedCM. Reported by Jasper Rebane (popstonia) on 2023-01-13
The Go project reports:
go/parser: infinite loop in parsing
Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.
html/template: backticks not treated as string delimiters
Templates did not properly consider backticks (`) as Javascript string delimiters, and as such did not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contained a Go template action within a Javascript template literal, the contents of the action could be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, we've decided to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. Template.Parse will now return an Error when it encounters templates like this, with a currently unexported ErrorCode with a value of 12. This ErrorCode will be exported in the next major release.
net/http, net/textproto: denial of service from excessive memory allocation
HTTP and MIME header parsing could allocate large amounts of memory, even when parsing small inputs. Certain unusual patterns of input data could cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. Header parsing now correctly allocates only the memory required to hold parsed headers.
net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm could undercount the amount of memory consumed, leading it to accept larger inputs than intended. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. ReadForm could allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, mime/multipart.Reader now imposes the following limits on the size of parsed forms: Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.
The Samba Team reports:
An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory.
The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.
The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC.
Installations with such secrets in their Samba AD should assume they have been obtained and need replacing.
NVD reports:
An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause a null pointer dereference, impacting availability.
A null pointer dereference issue was discovered in 'FFmpeg' in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash.
A vulnerability classified as problematic has been found in ffmpeg. This affects an unknown part of the file libavcodec/rpzaenc.c of the component QuickTime RPZA Video Encoder. The manipulation of the argument y_size leads to out-of-bounds read. It is possible to initiate the attack remotely. The name of the patch is 92f9b28ed84a77138105475beba16c146bdaf984. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-213543.
Mediawikwi reports:
(T285159, CVE-2023-PENDING) SECURITY: X-Forwarded-For header allows brute-forcing autoblocked IP addresses.
(T326946, CVE-2020-36649) SECURITY: Bundled PapaParse copy in VisualEditor has known ReDos.
(T330086, CVE-2023-PENDING) SECURITY: OATHAuth allows replay attacks when MediaWiki is configured without ObjectCache; Insecure Default Configuration.
Gitlab reports:
Cross-site scripting in "Maximum page reached" page
Private project guests can read new changes using a fork
Mirror repository error reveals password in Settings UI
DOS and high resource consumption of Prometheus server through abuse of Prometheus integration proxy endpoint
Unauthenticated users can view Environment names from public projects limited to project members only
Copying information to the clipboard could lead to the execution of unexpected commands
Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL
Arbitrary HTML injection possible when :soft_email_confirmation feature flag is enabled in the latest release
Framing of arbitrary content (leading to open redirects) on any page allowing user controlled markdown
MR for security reports are available to everyone
API timeout when searching for group issues
Unauthorised user can add child epics linked to victim's epic in an unrelated group
GitLab search allows to leak internal notes
Ambiguous branch name exploitation in GitLab
Improper permissions checks for moving an issue
Private project branches names can be leaked through a fork
ooooooo_q reports:
The Time parser mishandles invalid strings that have specific characters. It causes an increase in execution time for parsing strings to Time objects.
Dominic Couture reports:
A ReDoS issue was discovered in the URI component. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects.
PowerDNS Team reports:
PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable
The X.Org project reports:
- ZDI-CAN-19866/CVE-2023-1393: X.Org Server Overlay Window Use-After-Free Local Privilege Escalation Vulnerability
If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later.
The OpenSSL project reports:
Severity: low
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks.
The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification.
Grafana Labs reports:
When a user adds a Graphite data source, they can then use the data source in a dashboard. This capability contains a feature to use Functions. Once a function is selected, a small tooltip appears when hovering over the name of the function. This tooltip allows you to delete the selected Function from your query or show the Function Description. However, no sanitization is done when adding this description to the DOM.
Since it is not uncommon to connect to public data sources, an attacker could host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.
The severity of this vulnerability is of CVSSv3.1 5.7 Medium (CVSS: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N (5.7)).
Matrix developers report:
Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk to patch a pair of High severity vulnerabilities (CVE-2023-28427 / GHSA-mwq8-fjpf-c2gr for matrix-js-sdk and CVE-2023-28103 / GHSA-6g43-88cp-w5gv for matrix-react-sdk).
The issues involve prototype pollution via events containing special strings in key locations, which can temporarily disrupt normal functioning of matrix-js-sdk and matrix-react-sdk, potentially impacting the consumer's ability to process data safely.
phpmyfaq developers report:
XSS
weak passwords
privilege escalation
Captcha bypass
The OpenSSL project reports:
Severity: Low
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.
ooooooo_q reports:
Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.
Dino team reports:
Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers to modify the personal bookmark store via a crafted message. The attacker can change the display of group chats or force a victim to join a group chat; the victim may then be tricked into disclosing sensitive information.
The X.Org project reports:
- CVE-2022-46285: Infinite loop on unclosed comments
When reading XPM images from a file with libXpm 3.5.14 or older, if a comment in the file is not closed (i.e. a C-style comment starts with "/*" and is missing the closing "*/"), the ParseComment() function will loop forever calling getc() to try to read the rest of the comment, failing to notice that it has returned EOF, which may cause a denial of service to the calling program.
This issue was found by Marco Ivaldi of the Humanativa Group's HN Security team.
The fix is provided in https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148
- CVE-2022-44617: Runaway loop on width of 0 and enormous height
When reading XPM images from a file with libXpm 3.5.14 or older, if a image has a width of 0 and a very large height, the ParsePixels() function will loop over the entire height calling getc() and ungetc() repeatedly, or in some circumstances, may loop seemingly forever, which may cause a denial of service to the calling program when given a small crafted XPM file to parse.
This issue was found by Martin Ettl.
The fix is provided in https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/f80fa6ae47ad4a5beacb28 and https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/c5ab17bcc34914c0b0707d
- CVE-2022-4883: compression commands depend on $PATH
By default, on all platforms except MinGW, libXpm will detect if a filename ends in .Z or .gz, and will when reading such a file fork off an uncompress or gunzip command to read from via a pipe, and when writing such a file will fork off a compress or gzip command to write to via a pipe.
In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH to find the commands. If libXpm is called from a program running with raised privileges, such as via setuid, then a malicious user could set $PATH to include programs of their choosing to be run with those privileges.
This issue was found by Alan Coopersmith of the Oracle Solaris team.
Tailscale team reports:
A vulnerability identified in the implementation of Tailscale SSH in FreeBSD allowed commands to be run with a higher privilege group ID than that specified by Tailscale SSH access rules.
Chrome Releases reports:
This update includes 8 security fixes:
- [1421773] High CVE-2023-1528: Use after free in Passwords. Reported by Wan Choi of Seoul National University on 2023-03-07
- [1419718] High CVE-2023-1529: Out of bounds memory access in WebHID. Reported by anonymous on 2023-02-27
- [1419831] High CVE-2023-1530: Use after free in PDF. Reported by The UK's National Cyber Security Centre (NCSC) on 2023-02-27
- [1415330] High CVE-2023-1531: Use after free in ANGLE. Reported by Piotr Bania of Cisco Talos on 2023-02-13
- [1421268] High CVE-2023-1532: Out of bounds read in GPU Video. Reported by Mark Brand of Google Project Zero on 2023-03-03
- [1422183] High CVE-2023-1533: Use after free in WebProtect. Reported by Weipeng Jiang (@Krace) of VRI on 2023-03-07
- [1422594] High CVE-2023-1534: Out of bounds read in ANGLE. Reported by Jann Horn and Mark Brand of Google Project Zero on 2023-03-08
Yupeng Yang reports:
Authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process.
Harry Sintonen reports:
- CVE-2023-27533
- curl supports communicating using the TELNET protocol and as a part of this it offers users to pass on user name and "telnet options" for the server negotiation. Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on user name and telnet options to the server as provided. This could allow users to pass in carefully crafted content that pass on content or do option negotiation without the application intending to do so. In particular if an application for example allows users to provide the data or parts of the data.
- CVE-2023-27534
- curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character as the first path element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs work. Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element. Using a path like /~2/foo when accessing a server using the user dan (with home directory /home/dan) would then quite surprisingly access the file /home/dan2/foo. This can be taken advantage of to circumvent filtering or worse.
- CVE-2023-27535
- libcurl would reuse a previously created FTP connection even when one or more options had been changed that could have made the effective user a very different one, thus leading to the doing the second transfer with wrong credentials. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The settings in questions are CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and CURLOPT_USE_SSL level.
- CVE-2023-27536
- ibcurl would reuse a previously created connection even when the GSS delegation (CURLOPT_GSSAPI_DELEGATION) option had been changed that could have changed the user's permissions in a second transfer. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, this GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.
- CVE-2023-27537
- libcurl supports sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.
- CVE-2023-27538
- libcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily.
phpMyAdmin Team reports:
PMASA-2023-1 XSS vulnerability in drag-and-drop upload
The Apache httpd project reports:
- CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting (cve.mitre.org). HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.
- CVE-2023-25690: HTTP request splitting with mod_rewrite and mod_proxy (cve.mitre.org). Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.
Chrome Releases reports:
This update includes 40 security fixes:
- [1411210] High CVE-2023-1213: Use after free in Swiftshader. Reported by Jaehun Jeong(@n3sk) of Theori on 2023-01-30
- [1412487] High CVE-2023-1214: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2023-02-03
- [1417176] High CVE-2023-1215: Type Confusion in CSS. Reported by Anonymous on 2023-02-17
- [1417649] High CVE-2023-1216: Use after free in DevTools. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2023-02-21
- [1412658] High CVE-2023-1217: Stack buffer overflow in Crash reporting. Reported by sunburst of Ant Group Tianqiong Security Lab on 2023-02-03
- [1413628] High CVE-2023-1218: Use after free in WebRTC. Reported by Anonymous on 2023-02-07
- [1415328] High CVE-2023-1219: Heap buffer overflow in Metrics. Reported by Sergei Glazunov of Google Project Zero on 2023-02-13
- [1417185] High CVE-2023-1220: Heap buffer overflow in UMA. Reported by Sergei Glazunov of Google Project Zero on 2023-02-17
- [1385343] Medium CVE-2023-1221: Insufficient policy enforcement in Extensions API. Reported by Ahmed ElMasry on 2022-11-16
- [1403515] Medium CVE-2023-1222: Heap buffer overflow in Web Audio API. Reported by Cassidy Kim(@cassidy6564) on 2022-12-24
- [1398579] Medium CVE-2023-1223: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2022-12-07
- [1403539] Medium CVE-2023-1224: Insufficient policy enforcement in Web Payments API. Reported by Thomas Orlita on 2022-12-25
- [1408799] Medium CVE-2023-1225: Insufficient policy enforcement in Navigation. Reported by Roberto Ffrench-Davis @Lihaft on 2023-01-20
- [1013080] Medium CVE-2023-1226: Insufficient policy enforcement in Web Payments API. Reported by Anonymous on 2019-10-10
- [1348791] Medium CVE-2023-1227: Use after free in Core. Reported by @ginggilBesel on 2022-07-31
- [1365100] Medium CVE-2023-1228: Insufficient policy enforcement in Intents. Reported by Axel Chong on 2022-09-18
- [1160485] Medium CVE-2023-1229: Inappropriate implementation in Permission prompts. Reported by Thomas Orlita on 2020-12-20
- [1404230] Medium CVE-2023-1230: Inappropriate implementation in WebApp Installs. Reported by Axel Chong on 2022-12-30
- [1274887] Medium CVE-2023-1231: Inappropriate implementation in Autofill. Reported by Yan Zhu, Brave on 2021-11-30
- [1346924] Low CVE-2023-1232: Insufficient policy enforcement in Resource Timing. Reported by Sohom Datta on 2022-07-24
- [1045681] Low CVE-2023-1233: Insufficient policy enforcement in Resource Timing. Reported by Soroush Karami on 2020-01-25
- [1404621] Low CVE-2023-1234: Inappropriate implementation in Intents. Reported by Axel Chong on 2023-01-03
- [1404704] Low CVE-2023-1235: Type Confusion in DevTools. Reported by raven at KunLun lab on 2023-01-03
- [1374518] Low CVE-2023-1236: Inappropriate implementation in Internals. Reported by Alesandro Ortiz on 2022-10-14
Jenkins Security Advisory:
Description
(High) SECURITY-3037 / CVE-2023-27898
XSS vulnerability in plugin manager
(Medium) SECURITY-3030 / CVE-2023-24998 (upstream issue), CVE-2023-27900 (MultipartFormDataParser), CVE-2023-27901 (StaplerRequest)
DoS vulnerability in bundled Apache Commons FileUpload library
(Medium) SECURITY-1807 / CVE-2023-27902
Workspace temporary directories accessible through directory browser
(Low) SECURITY-3058 / CVE-2023-27903
Temporary file parameter created with insecure permissions
(Low) SECURITY-2120 / CVE-2023-27904
Information disclosure through error stack traces related to agents
The Go project reports:
crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results
The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve).
Mantis 2.25.6 release reports:
Security and maintenance release
- 0031086: Private issue summary disclosure (CVE-2023-22476)
- 0030772: Update (bundled) moment.js to 2.29.4 (CVE-2022-31129)
- 0030791: Allow adding relation type noopener/noreferrer to outgoing links
The Apache Openoffice project reports:
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice
Aaron Patterson reports:
The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.
Harry Sintonen and Patrick Monnerat report:
- CVE-2023-23914
- A cleartext transmission of sensitive information vulnerability exists in curl < v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly be ignored by subsequent transfers when done on the same command line because the state would not be properly carried on.
- CVE-2023-23915
- A cleartext transmission of sensitive information vulnerability exists in curl < v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recently completed transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.
- CVE-2023-23916
- An allocation of resources without limits or throttling vulnerability exists in curl < v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
strongSwan reports:
A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected.
Gitlab reports:
Stored XSS via Kroki diagram
Prometheus integration Google IAP details are not hidden, may leak account details from instance/group/project settings
Improper validation of SSO and SCIM tokens while managing groups
Maintainer can leak Datadog API key by changing Datadog site
Clipboard based XSS in the title field of work items
Improper user right checks for personal snippets
Release Description visible in public projects despite release set as project members only
Group integration settings sensitive information exposed to project maintainers
Improve pagination limits for commits
Gitlab Open Redirect Vulnerability
Maintainer may become an Owner of a project
Grafana Labs reports:
During an internal audit of Grafana on January 1, a member of the security team found a stored XSS vulnerability affecting the core text plugin.
The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React’s render cycle that will pass through the unsanitized HTML code, but in the next cycle, the HTML is cleaned up and saved in Grafana’s database.
The CVSS score for this vulnerability is 6.4 Medium (CVSS:6.4/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).
Grafana Labs reports:
During an internal audit of Grafana on January 30, a member of the engineering team found a stored XSS vulnerability affecting the
TraceViewpanel.The stored XSS vulnerability was possible because the value of a span’s attributes/resources were not properly sanitized, and this will be rendered when the span’s attributes/resources are expanded.
The CVSS score for this vulnerability is 7.3 High (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
Grafana Labs reports:
During an internal audit of Grafana on January 25, a member of the security team found a stored XSS vulnerability affecting the core geomap plugin.
The stored XSS vulnerability was possible because map attributions weren’t properly sanitized, allowing arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.
The CVSS score for this vulnerability is 7.3 High (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
The Redis core team reports:
- CVE-2023-25155
- Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process.
- CVE-2022-36021
- String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time.
Xi Lu reports:
- CVE-2022-48337
- GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.
- CVE-2022-48338
- An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.
- CVE-2022-48339
- An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.
MITRE reports:
All FreeRDP based clients when using the `/video` command line switch might read uninitialized data, decode it as audio/video and display the result. FreeRDP based server implementations are not affected.
MITRE reports:
FreeRDP based clients on unix systems using `/parallel` command line switch might read uninitialized data and send it to the server the client is currently connected to. FreeRDP based server implementations are not affected.
Chrome Releases reports:
This update includes 10 security fixes:
- [1415366] Critical CVE-2023-0941: Use after free in Prompts. Reported by Anonymous on 2023-02-13
- [1414738] High CVE-2023-0927: Use after free in Web Payments API. Reported by Rong Jian of VRI on 2023-02-10
- [1309035] High CVE-2023-0928: Use after free in SwiftShader. Reported by Anonymous on 2022-03-22
- [1399742] High CVE-2023-0929: Use after free in Vulkan. Reported by Cassidy Kim(@cassidy6564) on 2022-12-09
- [1410766] High CVE-2023-0930: Heap buffer overflow in Video. Reported by Cassidy Kim(@cassidy6564) on 2023-01-27
- [1407701] High CVE-2023-0931: Use after free in Video. Reported by Cassidy Kim(@cassidy6564) on 2023-01-17
- [1413005] High CVE-2023-0932: Use after free in WebRTC. Reported by Omri Bushari (Talon Cyber Security) on 2023-02-05
- [1404864] Medium CVE-2023-0933: Integer overflow in PDF. Reported by Zhiyi Zhang from Codesafe Team of Legendsec at QI-ANXIN
Tim Wojtulewicz of Corelight reports:
Receiving DNS responses from async DNS requests (via the lookup_addr, etc BIF methods) with the TTL set to zero could cause the DNS manager to eventually stop being able to make new requests.
Specially-crafted FTP packets with excessively long usernames, passwords, or other fields could cause log writes to use large amounts of disk space.
The find_all and find_all_ordered BIF methods could take extremely large amounts of time to process incoming data depending on the size of the input.
Libde265 developer reports:
This release fixes the known CVEs below. Many of them are actually caused by the same underlying issues that manifest in different ways.
git team reports:
By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply".
git team reports:
Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link.
These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.
git team reports:
gitattributes are used to define unique attributes corresponding to paths in your repository. These attributes are defined by .gitattributes file(s) within your repository.
The parser used to read these files has multiple integer overflows, which can occur when parsing either a large number of patterns, a large number of attributes, or attributes with overly-long names.
These overflows may be triggered via a malicious .gitattributes file. However, Git automatically splits lines at 2KB when reading .gitattributes from a file, but not when parsing it from the index. Successfully exploiting this vulnerability depends on the location of the .gitattributes file in question.
This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution.
The git team reports:
git log has the ability to display commits using an arbitrary format with its --format specifiers. This functionality is also exposed to git archive via the export-subst gitattribute.
When processing the padding operators (e.g., %<(, %<|(, %>(, %>>(, or %><( ), an integer overflow can occur in pretty.c::format_and_pad_commit() where a size_t is improperly stored as an int, and then added as an offset to a subsequent memcpy() call.
This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., git log --format=...). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive.
This integer overflow can result in arbitrary heap writes, which may result in remote code execution.
The Gitea team reports:
This PR refactors and improves the password hashing code within gitea and makes it possible for server administrators to set the password hashing parameters.
In addition it takes the opportunity to adjust the settings for pbkdf2 in order to make the hashing a little stronger.
Add command to bulk set must-change-password
As part of administration sometimes it is appropriate to forcibly tell users to update their passwords.
This PR creates a new command gitea admin user must-change-password which will set the MustChangePassword flag on the provided users.
The Go project reports:
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
The Rundeck project reports:
This release updates both Community and Enterprise with the latest Log4J to address CVE-2021-44832 by updating it to 2.17.1.
MinIO reports:
A security issue was found where an unprivileged user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials.
Simon Scannell reports:
- CVE-2023-20032
- Fixed a possible remote code execution vulnerability in the HFS+ file parser.
- CVE-2023-20052
- Fixed a possible remote information leak vulnerability in the DMG file parser.
The Go project reports:
path/filepath: path traversal in filepath.Clean on Windows
On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. The filepath.Clean function will now transform this path into the relative (but still invalid) path .\c:\b.
net/http, mime/multipart: denial of service from excessive resource consumption
Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.
crypto/tls: large handshake records may cause panics
Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses.
net/http: avoid quadratic complexity in HPACK decoding
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
Django reports:
CVE-2023-24580: Potential denial-of-service vulnerability in file uploads.
The GnuTLS project reports:
A vulnerability was found that the response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. Only TLS ciphertext processing is affected.
phpmyfaq developers report:
a bypass to flood admin with FAQ proposals
stored XSS in questions
stored HTML injections
weak passwords
Chrome Releases reports:
This release contains 15 security fixes, including:
- [1402270] High CVE-2023-0696: Type Confusion in V8. Reported by Haein Lee at KAIST Hacking Lab on 2022-12-18
- [1341541] High CVE-2023-0697: Inappropriate implementation in Full screen mode. Reported by Ahmed ElMasry on 2022-07-03
- [1403573] High CVE-2023-0698: Out of bounds read in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2022-12-25
- [1371859] Medium CVE-2023-0699: Use after free in GPU. Reported by 7o8v and Cassidy Kim(@cassidy6564) on 2022-10-06
- [1393732] Medium CVE-2023-0700: Inappropriate implementation in Download. Reported by Axel Chong on 2022-11-26
- [1405123] Medium CVE-2023-0701: Heap buffer overflow in WebUI. Reported by Sumin Hwang of SSD Labs on 2023-01-05
- [1316301] Medium CVE-2023-0702: Type Confusion in Data Transfer. Reported by Sri on 2022-04-14
- [1405574] Medium CVE-2023-0703: Type Confusion in DevTools. Reported by raven at KunLun lab on 2023-01-07
- [1385982] Low CVE-2023-0704: Insufficient policy enforcement in DevTools. Reported by Rhys Elsmore and Zac Sims of the Canva security team on 2022-11-18
- [1238642] Low CVE-2023-0705: Integer overflow in Core. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-11
PostgreSQL Project reports:
A modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. When a libpq client application has a Kerberos credential cache and doesn't explicitly disable option gssencmode, a server can cause libpq to over-read and report an error message containing uninitialized bytes from and following its receive buffer. If libpq's caller somehow makes that message accessible to the attacker, this achieves a disclosure of the over-read bytes. We have not confirmed or ruled out viability of attacks that arrange for a crash or for presence of notable, confidential information in disclosed bytes.
Grafana Labs reports:
On 2022-12-16 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin GeoMap.
The stored XSS vulnerability was possible due to SVG-files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.
Grafana Labs reports:
A third-party penetration test of Grafana found a vulnerability in the snapshot functionality. The value of the originalUrl parameter is automatically generated. The purpose of the presented originalUrl parameter is to provide a user who views the snapshot with the possibility to click on the Local Snapshot button in the Grafana web UI and be presented with the dashboard that the snapshot captured. The value of the originalUrl parameter can be arbitrarily chosen by a malicious user that creates the snapshot. (Note: This can be done by editing the query thanks to a web proxy like Burp.)
We have assessed this vulnerability as having a CVSS score of 6.7 MEDIUM (CVSS:6.7/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L).
The OpenBSD project reports:
A malicious certificate revocation list or timestamp response token would allow an attacker to read arbitrary memory.
The X.org project reports:
- CVE-2023-0494/ZDI-CAN-19596: X.Org Server DeepCopyPointerClasses use-after-free
A dangling pointer in DeepCopyPointerClasses can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read/write into freed memory.
MITRE reports:
TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP macro function, which can potentially result code execution. This attack appear to be exploitable via network connectivity.
TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP macro function, which can potentially result code execution. This attack appear to be exploitable via network connectivity.
TightVNC code version 1.3.10 contains heap buffer overflow in InitialiseRFBConnection function, which can potentially result code execution. This attack appear to be exploitable via network connectivity.
TightVNC code version 1.3.10 contains null pointer dereference in HandleZlibBPP function, which results Denial of System (DoS). This attack appear to be exploitable via network connectivity.
The OpenSSL project reports:
X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) (High): There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.
Timing Oracle in RSA Decryption (CVE-2022-4304) (Moderate): A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203) (Moderate): A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.
Use-after-free following BIO_new_NDEF (CVE-2023-0215) (Moderate): The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.
Double free after calling PEM_read_bio_ex (CVE-2022-4450) (Moderate): The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.
Invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216) (Moderate): An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.
NULL dereference validating DSA public key (CVE-2023-0217) (Moderate): An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allow an attacker to cause a denial of service attack.
NULL dereference during PKCS7 data verification (CVE-2023-0401) (Moderate): A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash.
Django reports:
CVE-2023-23969: Potential denial-of-service via Accept-Language headers.
NIST reports:
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Prometheus team reports:
Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. However, a flaw in the way this mechanism was implemented in the exporter toolkit makes it possible with people who know the hashed password to authenticate against Prometheus. A request can be forged by an attacker to poison the internal cache used to cache the computation of hashes and make subsequent requests successful. This cache is used in both happy and unhappy scenarios in order to limit side channel attacks that could tell an attacker if a user is present in the file or not.
The Asterisk project reports:
AST-2022-007: Remote Crash Vulnerability in H323 channel add on
AST-2022-008: Use after free in res_pjsip_pubsub.c
AST-2022-009: GetConfig AMI Action can read files outside of Asterisk directory
Stéphane Bruckert
If a malicious URI is passed to the library, the library can be tricked into performing an operation on a different API endpoint than intended.
Tim Wojtulewicz of Corelight reports:
A missing field in the SMB FSControl script-land record could cause a heap buffer overflow when receiving packets containing those header types.
Receiving a series of packets that start with HTTP/1.0 and then switch to HTTP/0.9 could cause Zeek to spend a large amount of time processing the packets.
Receiving large numbers of FTP commands sequentially from the network with bad data in them could cause Zeek to spend a large amount of time processing the packets, and generate a large amount of events.
Gitlab reports:
Denial of Service via arbitrarily large Issue descriptions
CSRF via file upload allows an attacker to take over a repository
Sidekiq background job DoS by uploading malicious CI job artifact zips
Sidekiq background job DoS by uploading a malicious Helm package
Plex Security Team reports:
We have recently been made aware of a security vulnerability in Plex Media Server versions prior to 1.25.0 that could allow a local Windows user to obtain administrator privileges without authorization. To be clear, this required the user to already have local, physical access to the computer (just with a different user account on Windows). There are no indications that this exploit could be used from a remote machine.
Plex Media Server versions 1.25.0.5282 and newer are not subject to this vulnerability, and feature additional hardening to prevent similar issues from occurring in the future. Users running older server versions are encouraged to update their Plex Media Server installations.
Prometheus team reports:
Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. However, a flaw in the way this mechanism was implemented in the exporter toolkit makes it possible with people who know the hashed password to authenticate against Prometheus. A request can be forged by an attacker to poison the internal cache used to cache the computation of hashes and make subsequent requests successful. This cache is used in both happy and unhappy scenarios in order to limit side channel attacks that could tell an attacker if a user is present in the file or not.
Chrome Releases reports:
This release contains 6 security fixes, including:
- [1376354] High CVE-2023-0471: Use after free in WebTransport. Reported by chichoo Kim(chichoo) and Cassidy Kim(@cassidy6564) on 2022-10-19
- [1405256] High CVE-2023-0472: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-01-06
- [1404639] Medium CVE-2023-0473: Type Confusion in ServiceWorker API. Reported by raven at KunLun lab on 2023-01-03
- [1400841] Medium CVE-2023-0474: Use after free in GuestView. Reported by avaue at S.S.L on 2022-12-14
re2c reports:
re2c before 2.0 has uncontrolled recursion that causes stack consumption in find_fixed_tags.
The Gitea team reports:
Prevent multiple To recipients: Change the mailer interface to prevent leaking of possible hidden email addresses when sending to multiple recipients.
MITRE reports:
NLnet Labs Krill supports direct access to the RRDP repository content through its built-in web server at the "/rrdp" endpoint. Prior to 0.12.1 a direct query for any existing directory under "/rrdp/", rather than an RRDP file such as "/rrdp/notification.xml" as would be expected, causes Krill to crash. If the built-in "/rrdp" endpoint is exposed directly to the internet, then malicious remote parties can cause the publication server to crash. The repository content is not affected by this, but the availability of the server and repository can cause issues if this attack is persistent and is not mitigated. .
MITRE reports:
It seems #90 is not completely fixed in 7.8. (that is, even after CVE-2017-1000501 and CVE-2020-29600 are fixed). In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
Mitre reports:
etserver and etclient have predictable logfile names in /tmp and they are world-readable logfiles
PowerDNS Team reports:
PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination
Peter Ammon reports:
fish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs git commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the fish_git_prompt function from the prompt.
Oracle reports:
This Critical Patch Update contains 37 new security patches for Oracle MySQL. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network withouti requiring user credentials.
phpmyfaq developers report:
phpMyFAQ does not implement sufficient checks to avoid a stored XSS in "Add new question"
phpMyFAQ does not implement sufficient checks to avoid a stored XSS in admin user page
phpMyFAQ does not implement sufficient checks to avoid a stored XSS in FAQ comments
phpMyFAQ does not implement sufficient checks to avoid a blind stored XSS in admin open question page
phpMyFAQ does not implement sufficient checks to avoid a reflected XSS in the admin backend login
phpMyFAQ does not implement sufficient checks to avoid stored XSS on user, category, FAQ, news and configuration admin backend
phpMyFAQ does not implement sufficient checks to avoid weak passwords
Aaron Patterson reports:
- CVE-2022-44570
- Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.
- CVE-2022-44571
- Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
- CVE-2022-44572
- Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
The Apache httpd project reports:
mod_dav out of bounds read, or write of zero byte (CVE-2006-20001) (moderate)
mod_proxy_ajp Possible request smuggling (CVE-2022-36760) (moderate)
mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (CVE-2022-37436) (moderate)
The Redis core team reports:
- CVE-2022-35977
- Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic.
- CVE-2023-22458
- Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service.
CIRCL reports:
- CVE-2022-41966: XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream.
- CVE-2022-40151: If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
The Tor Project reports:
TROVE-2022-002: The SafeSocks option for SOCKS4(a) is inverted leading to SOCKS4 going through
This is a report from hackerone:
We have classified this as medium considering that tor was not defending in-depth for dangerous SOCKS request and so any user relying on SafeSocks 1 to make sure they don't link DNS leak and their Tor traffic wasn't safe afterall for SOCKS4(a). Tor Browser doesn't use SafeSocks 1 and SOCKS4 so at least the likely vast majority of users are not affected.
lu4nx reports:
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.
Cassandra tema reports:
This release contains 6 security fixes including
- CVE-2022-24823: When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory
- CVE-2020-7238: Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.
- CVE-2019-2684: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE
- CVE-2022-25857: The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
- CVE-2022-42003: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
- CVE-2022-42004: In FasterXML jackson-databind, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays.
Marcus Eriksson reports:
When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this.
mindrot project reports:
There is an integer overflow that occurs with very large log_rounds values, first reported by Marcus Rathsfeld.
The X.org project reports:
- CVE-2022-46340/ZDI-CAN-19265: X.Org Server XTestSwapFakeInput stack overflow
The swap handler for the XTestFakeInput request of the XTest extension may corrupt the stack if GenericEvents with lengths larger than 32 bytes are sent through a the XTestFakeInput request.
This issue does not affect systems where client and server use the same byte order.
- CVE-2022-46341/ZDI-CAN-19381: X.Org Server XIPassiveUngrab out-of-bounds access
The handler for the XIPassiveUngrab request accesses out-of-bounds memory when invoked with a high keycode or button code.
- CVE-2022-46342/ZDI-CAN-19400: X.Org Server XvdiSelectVideoNotify use-after-free
The handler for the XvdiSelectVideoNotify request may write to memory after it has been freed.
- CVE-2022-46343/ZDI-CAN-19404: X.Org Server ScreenSaverSetAttributes use-after-free
The handler for the ScreenSaverSetAttributes request may write to memory after it has been freed.
- CVE-2022-46344/ZDI-CAN-19405: X.Org Server XIChangeProperty out-of-bounds access
The handler for the XIChangeProperty request has a length-validation issues, resulting in out-of-bounds memory reads and potential information disclosure.
- CVE-2022-4283/ZDI-CAN-19530: X.Org Server XkbGetKbdByName use-after-free
The XkbCopyNames function left a dangling pointer to freed memory, resulting in out-of-bounds memory access on subsequent XkbGetKbdByName requests.
Gitlab reports:
Race condition on gitlab.com enables verified email forgery and third-party account hijacking
DOS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint
Maintainer can leak sentry token by changing the configured URL
Maintainer can leak masked webhook secrets by changing target URL of the webhook
Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP
Group access tokens continue to work after owner loses ability to revoke them
Users' avatar disclosure by user ID in private GitLab instances
Arbitrary Protocol Redirection in GitLab Pages
Regex DoS due to device-detector parsing user agents
Regex DoS in the Submodule Url Parser
Chrome Releases reports:
This release contains 17 security fixes, including:
- [1353208] High CVE-2023-0128: Use after free in Overview Mode. Reported by Khalil Zhani on 2022-08-16
- [1382033] High CVE-2023-0129: Heap buffer overflow in Network Service. Reported by asnine on 2022-11-07
- [1370028] Medium CVE-2023-0130: Inappropriate implementation in Fullscreen API. Reported by Hafiizh on 2022-09-30
- [1357366] Medium CVE-2023-0131: Inappropriate implementation in iframe Sandbox. Reported by NDevTK on 2022-08-28
- [1371215] Medium CVE-2023-0132: Inappropriate implementation in Permission prompts. Reported by Jasper Rebane (popstonia) on 2022-10-05
- [1375132] Medium CVE-2023-0133: Inappropriate implementation in Permission prompts. Reported by Alesandro Ortiz on 2022-10-17
- [1385709] Medium CVE-2023-0134: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-17
- [1385831] Medium CVE-2023-0135: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-18
- [1356987] Medium CVE-2023-0136: Inappropriate implementation in Fullscreen API. Reported by Axel Chong on 2022-08-26
- [1399904] Medium CVE-2023-0137: Heap buffer overflow in Platform Apps. Reported by avaue and Buff3tts at S.S.L. on 2022-12-10
- [1346675] Low CVE-2023-0138: Heap buffer overflow in libphonenumber. Reported by Michael Dau on 2022-07-23
- [1367632] Low CVE-2023-0139: Insufficient validation of untrusted input in Downloads. Reported by Axel Chong on 2022-09-24
- [1326788] Low CVE-2023-0140: Inappropriate implementation in File System API. Reported by harrison.mitchell, cybercx.com.au on 2022-05-18
- [1362331] Low CVE-2023-0141: Insufficient policy enforcement in CORS. Reported by scarlet on 2022-09-12
cacti team reports:
A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device.
C. Michael Pilato reports:
security fix: escape revision view copy paths (#311) [CVE-2023-22464]
security fix: escape revision view changed paths (#311) [CVE-2023-22456]
Marc Lehmann reports:
The biggest issue is resolving CVE-2022-4170, which allows command execution inside urxvt from within the terminal (that means anything that can output text in the terminal can start commands in the context of the urxvt process, even remotely).
The Gitea team reports:
Remove ReverseProxy authentication from the API
Support Go Vulnerability Management
Forbid HTML string tooltips
From the GLPI 10.0.10 Changelog:
+++You will find below security issues fixed in this bugfixes version: + [SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).
+
The mentioned CVE is invalid
+ +security-advisories@github.com reports:
+++ +GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. The ITIL + actors input field from the Ticket form can be used to perform a + SQL injection. Users are advised to upgrade to version 10.0.10. + There are no known workarounds for this vulnerability.
+
security-advisories@github.com reports:
+++ +GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. The lack + of path filtering on the GLPI URL may allow an attacker to transmit + a malicious URL of login page that can be used to attempt a phishing + attack on user credentials. Users are advised to upgrade to version + 10.0.10. There are no known workarounds for this vulnerability.
+
security-advisories@github.com reports:
+++ +GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. An + unauthenticated user can enumerate users logins. Users are advised + to upgrade to version 10.0.10. There are no known workarounds for + this vulnerability.
+
security-advisories@github.com reports:
+++ +GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. A user + with write access to another user can make requests to change the + latter's password and then take control of their account. + Users are advised to upgrade to version 10.0.10. There are no known + work around for this vulnerability.
+
security-advisories@github.com reports:
+++ +GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. An API + user can enumerate sensitive fields values on resources on which + he has read access. Users are advised to upgrade to version 10.0.10. + There are no known workarounds for this vulnerability.
+
security-advisories@github.com reports:
+++ +GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. The document + upload process can be diverted to delete some files. Users are + advised to upgrade to version 10.0.10. There are no known workarounds + for this vulnerability.
+
security-advisories@github.com reports:
+++ +GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. An API + user that have read access on users resource can steal accounts of + other users. Users are advised to upgrade to version 10.0.10. + There are no known workarounds for this vulnerability.
+
security-advisories@github.com reports:
+++ +GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. A logged + user from any profile can hijack the Kanban feature to alter any + user field, and end-up with stealing its account. Users are advised + to upgrade to version 10.0.10. There are no known workarounds for + this vulnerability.
+
security-advisories@github.com reports:
+++ +GLPI stands for Gestionnaire Libre de Parc Informatique is a Free + Asset and IT Management Software package, that provides ITIL Service + Desk features, licenses tracking and software auditing. UI layout + preferences management can be hijacked to lead to SQL injection. + This injection can be use to takeover an administrator account. + Users are advised to upgrade to version 10.0.10. There are no known + workarounds for this vulnerability.
+
security-advisories@github.com reports:
+++ +GLPI is a Free Asset and IT Management Software package, Data center + management, ITIL Service Desk, licenses tracking and software + auditing. An administrator can trigger SQL injection via dashboards + administration. This vulnerability has been patched in version + 10.0.9. +
+
security-advisories@github.com reports:
+++ +GLPI is a free asset and IT management software package. Versions + of the software starting with 0.68 and prior to 10.0.8 have an + incorrect rights check on a on a file accessible by an authenticated + user. This allows access to the list of all users and their personal + information. Users should upgrade to version 10.0.8 to receive a + patch.
+
security-advisories@github.com reports:
+++ +GLPI is a free asset and IT management software package. Versions + of the software starting with 9.2.0 and prior to 10.0.8 have an + incorrect rights check on a on a file accessible by an authenticated + user, allows access to the view all KnowbaseItems. Version 10.0.8 + has a patch for this issue.
+
security-advisories@github.com reports:
+++ +GLPI is a free asset and IT management software package. Starting + in version 9.4.0 and prior to version 10.0.8, a malicious link can + be crafted by an unauthenticated user that can exploit a reflected + XSS in case any authenticated user opens the crafted link. Users + should upgrade to version 10.0.8 to receive a patch.
+
security-advisories@github.com reports:
+++ +GLPI is a free asset and IT management software package. Starting + in version 9.5.0 and prior to version 10.0.8, an incorrect rights + check on a file allows an unauthenticated user to be able to access + dashboards data. Version 10.0.8 contains a patch for this issue.
+
security-advisories@github.com reports:
+++ +GLPI is a free asset and IT management software package. Starting + in version 9.5.0 and prior to version 10.0.8, an incorrect rights + check on a on a file accessible by an authenticated user (or not + for certain actions), allows a threat actor to interact, modify, + or see Dashboard data. Version 10.0.8 contains a patch for this + issue.
+
security-advisories@github.com reports:
+++ +GLPI is a free asset and IT management software package. Starting + in version 0.80 and prior to version 10.0.8, Computer Virtual Machine + form and GLPI inventory request can be used to perform a SQL injection + attack. Version 10.0.8 has a patch for this issue. As a workaround, + one may disable native inventory.
+
security-advisories@github.com reports:
+++ +GLPI is a free asset and IT management software package. Starting + in version 10.0.0 and prior to version 10.0.8, GLPI inventory + endpoint can be used to drive a SQL injection attack. By default, + GLPI inventory endpoint requires no authentication. Version 10.0.8 + has a patch for this issue. As a workaround, one may disable native + inventory.
+
Matrix developers report:
Weakness in auth chain indexing allows DoS from remote room members through disk fill and high CPU usage. (High severity)
Gitlab reports:
GitLab account takeover, under certain conditions, when using Bitbucket as an OAuth provider
Path Traversal leads to DoS and Restricted File Read
Unauthenticated ReDoS in FileFinder when using wildcard filters in project file search
Personal Access Token scopes not honoured by GraphQL subscriptions
Domain based restrictions bypass using a crafted email address
GLPI team reports:
GLPI 10.0.13 Changelog
- [SECURITY - high] SQL Injection in through the search engine (CVE-2024-27096)
- [SECURITY - moderate] Blind SSRF using Arbitrary Object Instantiation (CVE-2024-27098)
- [SECURITY - moderate] Stored XSS in dashboards (CVE-2024-27104)
- [SECURITY - moderate] Reflected XSS in debug mode (CVE-2024-27914)
- [SECURITY - moderate] Sensitive fields access through dropdowns (CVE-2024-27930)
- [SECURITY - moderate] Users emails enumeration (CVE-2024-27937)
GLPI team reports:
GLPI 10.0.12 Changelog
- [SECURITY - moderate] Reflected XSS in reports pages (CVE-2024-23645)
- [SECURITY - moderate] LDAP Injection during authentication (CVE-2023-51446)
GLPI team reports:
GLPI 10.0.11 Changelog
- [SECURITY - moderate] Authenticated SQL Injection (CVE-2023-43813)
- [SECURITY - high] SQL injection through inventory agent request (CVE-2023-46727)
- [SECURITY - high] Remote code execution from LDAP server configuration form on PHP 7.4 (CVE-2023-46726)
sp2ip reports:
If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.
GitHub Security Lab reports:
stb_image.h and stb_vorbis libraries contain several memory access violations of different severity
- Wild address read in stbi__gif_load_next (GHSL-2023-145).
- Multi-byte read heap buffer overflow in stbi__vertical_flip (GHSL-2023-146).
- Disclosure of uninitialized memory in stbi__tga_load (GHSL-2023-147).
- Double-free in stbi__load_gif_main_outofmem (GHSL-2023-148).
- Null pointer dereference in stbi__convert_format (GHSL-2023-149).
- Possible double-free or memory leak in stbi__load_gif_main (GHSL-2023-150).
- Null pointer dereference because of an uninitialized variable (GHSL-2023-151).
- 0 byte write heap buffer overflow in start_decoder (GHSL-2023-165)
- Multi-byte write heap buffer overflow in start_decoder (GHSL-2023-166)
- Heap buffer out of bounds write in start_decoder (GHSL-2023-167)
- Off-by-one heap buffer write in start_decoder (GHSL-2023-168)
- Attempt to free an uninitialized memory pointer in vorbis_deinit (GHSL-2023-169)
- Null pointer dereference in vorbis_deinit (GHSL-2023-170)
- Out of bounds heap buffer write (GHSL-2023-171)
- Wild address read in vorbis_decode_packet_rest (GHSL-2023-172)
Chrome Releases reports:
This update includes 23 security fixes:
- [331358160] High CVE-2024-3832: Object corruption in V8. Reported by Man Yue Mo of GitHub Security Lab on 2024-03-27
- [331383939] High CVE-2024-3833: Object corruption in WebAssembly. Reported by Man Yue Mo of GitHub Security Lab on 2024-03-27
- [330759272] High CVE-2024-3914: Use after free in V8. Reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024 on 2024-03-21
- [326607008] High CVE-2024-3834: Use after free in Downloads. Reported by ChaobinZhang on 2024-02-24
- [41491379] Medium CVE-2024-3837: Use after free in QUIC. Reported by {rotiple, dch3ck} of CW Research Inc. on 2024-01-15
- [328278717] Medium CVE-2024-3838: Inappropriate implementation in Autofill. Reported by Ardyan Vicky Ramadhan on 2024-03-06
- [41491859] Medium CVE-2024-3839: Out of bounds read in Fonts. Reported by Ronald Crane (Zippenhop LLC) on 2024-01-16
- [41493458] Medium CVE-2024-3840: Insufficient policy enforcement in Site Isolation. Reported by Ahmed ElMasry on 2024-01-22
- [330376742] Medium CVE-2024-3841: Insufficient data validation in Browser Switcher. Reported by Oleg on 2024-03-19
- [41486690] Medium CVE-2024-3843: Insufficient data validation in Downloads. Reported by Azur on 2023-12-24
- [40058873] Low CVE-2024-3844: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2022-02-23
- [323583084] Low CVE-2024-3845: Inappropriate implementation in Network. Reported by Daniel Baulig on 2024-02-03
- [40064754] Low CVE-2024-3846: Inappropriate implementation in Prompts. Reported by Ahmed ElMasry on 2023-05-23
- [328690293] Low CVE-2024-3847: Insufficient policy enforcement in WebUI. Reported by Yan Zhu on 2024-03-08
Błażej Pawłowski reports:
A vulnerability in the HTML parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an issue in the C to Rust foreign function interface. An attacker could exploit this vulnerability by submitting a crafted file containing HTML content to be scanned by ClamAV on an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.
Jenkins Security Advisory:
Description
(Medium) SECURITY-3386 / CVE-2023-48795
Terrapin SSH vulnerability in Jenkins CLI client
Electron develpers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-3515.
- Security: backported fix for CVE-2024-3516.
- Security: backported fix for CVE-2024-3157.
- Security: backported fix for CVE-2024-1580.
This update includes 3 security fixes:
- High CVE-2024-1874: Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows
- High CVE-2024-1874: Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows
- Medium CVE-2024-2756: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
- High CVE-2024-2757: mb_encode_mimeheader runs endlessly for some inputs
The Go project reports:
http2: close connections when receiving too many headers
Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.
Chrome Releases reports:
This update includes 3 security fixes:
- [331237485] High CVE-2024-3157: Out of bounds write in Compositing. Reported by DarkNavy on 2024-03-26
- [328859176] High CVE-2024-3516: Heap buffer overflow in ANGLE. Reported by Bao (zx) Pham and Toan (suto) Pham of Qrious Secure on 2024-03-09
- [331123811] High CVE-2024-3515: Use after free in Dawn. Reported by wgslfuzz on 2024-03-25
Simon Tatham reports:
ECDSA signatures using 521-bit keys (the NIST P521 curve, otherwise known as ecdsa-sha2-nistp521) were generated with biased random numbers. This permits an attacker in possession of a few dozen signatures to RECOVER THE PRIVATE KEY.
Any 521-bit ECDSA private key that PuTTY or Pageant has used to sign anything should be considered compromised.
Additionally, if you have any 521-bit ECDSA private keys that you've used with PuTTY, you should consider them to be compromised: generate new keys, and remove the old public keys from any authorized_keys files.
A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), [...] and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-3159.
The OpenSSL project reports:
Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions
security@golang.org reports:
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
cve@mitre.org reports:
latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
Gitlab reports:
Stored XSS injected in diff viewer
Stored XSS via autocomplete results
Redos on Integrations Chat Messages
Redos During Parse Junit Test Report
The Wordpress team reports:
A cross-site scripting (XSS) vulnerability affecting the Avatar block type
The Apache httpd project reports:
HTTP/2 DoS by memory exhaustion on endless continuation frames
HTTP Response Splitting in multiple modules
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-2885.
- Security: backported fix for CVE-2024-2883.
- Security: backported fix for CVE-2024-2887.
- Security: backported fix for CVE-2024-2886.
Chrome Releases reports:
This update includes 3 security fixes:
- [329130358] High CVE-2024-3156: Inappropriate implementation in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-03-12
- [329965696] High CVE-2024-3158: Use after free in Bookmarks. Reported by undoingfish on 2024-03-17
- [330760873] High CVE-2024-3159: Out of bounds memory access in V8. Reported by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks, via Pwn2Own 2024 on 2024-03-22
The X.Org project reports:
- CVE-2024-31080: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
The ProcXIGetSelectedEvents() function uses the byte-swapped length of the return data for the amount of data to return to the client, if the client has a different endianness than the X server.
- CVE-2024-31081: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
The ProcXIPassiveGrabDevice() function uses the byte-swapped length of the return data for the amount of data to return to the client, if the client has a different endianness than the X server.
- CVE-2024-31083: User-after-free in ProcRenderAddGlyphs
The ProcRenderAddGlyphs() function calls the AllocateGlyph() function to store new glyphs sent by the client to the X server. AllocateGlyph() would return a new glyph with refcount=0 and a re-used glyph would end up not changing the refcount at all. The resulting glyph_new array would thus have multiple entries pointing to the same non-refcounted glyphs. ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when the same glyph pointer is then later used.
Jenkins Security Advisory:
Description
(High) SECURITY-3379 / CVE-2024-22201
HTTP/2 denial of service vulnerability in bundled Jetty
Mediawiki reports:
(T355538, CVE-2024-PENDING) SECURITY: XSS in edit summary parser.
(T357760, CVE-2024-PENDING) SECURITY: Denial of service vector via GET request to Special:MovePage on pages with thousands of subpages.
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-2625.
Gitlab reports:
Stored-XSS injected in Wiki page via Banzai pipeline
DOS using crafted emojis
Chrome Releases reports:
This update includes 7 security fixes:
- [327807820] Critical CVE-2024-2883: Use after free in ANGLE. Reported by Cassidy Kim(@cassidy6564) on 2024-03-03
- [328958020] High CVE-2024-2885: Use after free in Dawn. Reported by wgslfuzz on 2024-03-11
- [330575496] High CVE-2024-2886: Use after free in WebCodecs. Reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024 on 2024-03-21
- [330588502] High CVE-2024-2887: Type Confusion in WebAssembly. Reported by Manfred Paul, via Pwn2Own 2024 on 2024-03-21
phpMyFAQ team reports:
The phpMyFAQ Team has learned of multiple security issues that'd been discovered in phpMyFAQ 3.2.5 and earlier. phpMyFAQ contains cross-site scripting (XSS), SQL injection and bypass vulnerabilities.
GNU Emacs developers report:
Emacs 29.3 is an emergency bugfix release intended to fix several security vulnerabilities.
- Arbitrary Lisp code is no longer evaluated as part of turning on Org mode. This is for security reasons, to avoid evaluating malicious Lisp code.
- New buffer-local variable 'untrusted-content'. When this is non-nil, Lisp programs should treat buffer contents with extra caution.
- Gnus now treats inline MIME contents as untrusted. To get back previous insecure behavior, 'untrusted-content' should be reset to nil in the buffer.
- LaTeX preview is now by default disabled for email attachments. To get back previous insecure behavior, set the variable 'org--latex-preview-when-risky' to a non-nil value.
- Org mode now considers contents of remote files to be untrusted. Remote files are recognized by calling 'file-remote-p'.
Quiche Releases reports:
This release includes 2 security fixes:
- CVE-2024-1410: Unbounded storage of information related to connection ID retirement, in quiche. Reported by Marten Seeman (@marten-seeman)
- CVE-2024-1765: Unlimited resource allocation by QUIC CRYPTO frames flooding in quiche. Reported by Marten Seeman (@marten-seeman)
Chrome Releases reports:
This update includes 12 security fixes:
- [327740539] High CVE-2024-2625: Object lifecycle issue in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-03-01
- [40945098] Medium CVE-2024-2626: Out of bounds read in Swiftshader. Reported by Cassidy Kim(@cassidy6564) on 2023-11-22
- [41493290] Medium CVE-2024-2627: Use after free in Canvas. Reported by Anonymous on 2024-01-21
- [41487774] Medium CVE-2024-2628: Inappropriate implementation in Downloads. Reported by Ath3r1s on 2024-01-03
- [41487721] Medium CVE-2024-2629: Incorrect security UI in iOS. Reported by Muneaki Nishimura (nishimunea) on 2024-01-02
- [41481877] Medium CVE-2024-2630: Inappropriate implementation in iOS. Reported by James Lee (@Windowsrcer) on 2023-12-07
- [41495878] Low CVE-2024-2631: Inappropriate implementation in iOS. Reported by Ramit Gangwar on 2024-01-29
Shibboleth Developers report:
The Identity Provider's CAS support relies on a function in the Spring Framework to parse CAS service URLs and append the ticket parameter.
MongoDB, Inc. reports:
A security vulnerability was found where a server process running MongoDB 3.2.6 or later will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured (CVE-2024-1351).
The Varnish Development Team reports:
A denial of service attack can be performed on Varnish Cacher servers that have the HTTP/2 protocol turned on. An attacker can let the servers HTTP/2 connection control flow window run out of credits indefinitely and prevent progress in the processing of streams, retaining the associated resources.
The Amavis project reports:
Emails which consist of multiple parts (`Content-Type: multipart/*`) incorporate boundary information stating at which point one part ends and the next part begins.
A boundary is announced by an Content-Type header's `boundary` parameter. To our current knowledge, RFC2046 and RFC2045 do not explicitly specify how a parser should handle multiple boundary parameters that contain conflicting values. As a result, there is no canonical choice which of the values should or should not be used for mime part decomposition.
Typo3 developers reports:
All versions are security releases and contain important security fixes - read the corresponding security advisories here:
- Path Traversal in TYPO3 File Abstraction Layer Storages CVE-2023-30451
- Code Execution in TYPO3 Install Tool CVE-2024-22188
- Information Disclosure of Hashed Passwords in TYPO3 Backend Forms CVE-2024-25118
- Information Disclosure of Encryption Key in TYPO3 Install Tool CVE-2024-25119
- Improper Access Control of Resources Referenced by t3:// URI Scheme CVE-2024-25120
- Improper Access Control Persisting File Abstraction Layer Entities via Data Handler CVE-2024-25121
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-2173.
Intel reports:
2024.1 IPU - Intel Processor Bus Lock Advisory
A potential security vulnerability in the bus lock regulator mechanism for some Intel Processors may allow denial of service. Intel is releasing firmware updates to mitigate this potential vulnerability.
2024.1 IPU - Intel Processor Return Predictions Advisory
A potential security vulnerability in some Intel Processors may allow information disclosure.
2024.1 IPU - Intel Atom Processor Advisory
A potential security vulnerability in some Intel Atom Processors may allow information disclosure.
2024.1 IPU - Intel Xeon Processor Advisory
A potential security vulnerability in some 3rd and 4th Generation Intel Xeon Processors when using Intel Software Guard Extensions (SGX) or Intel Trust Domain Extensions (TDX) may allow escalation of privilege.
2024.1 IPU OOB - Intel Xeon D Processor Advisory
A potential security vulnerability in some Intel Xeon D Processors with Intel Software Guard Extensions (SGX) may allow information disclosure.
Grafana Labs reports:
The vulnerability impacts Grafana Cloud and Grafana Enterprise instances, and it is exploitable if a user who should not be able to access all data sources is granted permissions to create a data source.
By default, only organization Administrators are allowed to create a data source and have full access to all data sources. All other users need to be explicitly granted permission to create a data source, which then means they could exploit this vulnerability.
When a user creates a data source via the API, they can specify data source UID. If the UID is set to an asterisk (*), the user gains permissions to query, update, and delete all data sources in the organization. The exploit, however, does not stretch across organizations — to exploit the vulnerability in several organizations, a user would need permissions to create data sources in each organization.
The vulnerability comes from a lack of UID validation. When evaluating permissions, we interpret an asterisk (*) as a wild card for all resources. Therefore, we should treat it as a reserved value, and not allow the creation of a resource with the UID set to an asterisk.
The CVSS score for this vulnerability is 6 Medium.
NLNet Labs reports:
Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration.
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-25062.
Gitlab reports:
Bypassing CODEOWNERS approval allowing to steal protected variables
Guest with manage group access tokens can rotate and see group access token with owner permissions
The Go project reports reports:
crypto/x509: Verify panics on certificates with an unknown public key algorithm
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.
net/http: memory exhaustion in Request.ParseMultipartForm
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.
net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.
html/template: errors returned from MarshalJSON methods may break template escaping
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
net/mail: comments in display names are incorrectly handled
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
Chrome Releases reports:
This update includes 3 security fixes:
- [325893559] High CVE-2024-2173: Out of bounds memory access in V8. Reported by 5fceb6172bbf7e2c5a948183b53565b9 on 2024-02-19
- [325866363] High CVE-2024-2174: Inappropriate implementation in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be8 on 2024-02-19
- [325936438] High CVE-2024-2176: Use after free in FedCM. Reported by Anonymous on 2024-02-20
Django reports:
CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words().
Node.js reports:
Code injection and privilege escalation through Linux capabilities- (High)
http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
Path traversal by monkey-patching Buffer internals- (High)
setuid() does not drop all privileges due to io_uring - (High)
Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-1670.
Chrome Releases reports:
This update includes 4 security fixes:
- [324596281] High CVE-2024-1938: Type Confusion in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be8 on 2024-02-11
- [323694592] High CVE-2024-1939: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2024-02-05
sep@nlnetlabs.nl reports:
Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too quickly after opening.
Hiroki Kurosawa reports:
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
Chrome Releases reports:
This update includes 12 security fixes:
- [41495060] High CVE-2024-1669: Out of bounds memory access in Blink. Reported by Anonymous on 2024-01-26
- [41481374] High CVE-2024-1670: Use after free in Mojo. Reported by Cassidy Kim(@cassidy6564) on 2023-12-06
- [41487933] Medium CVE-2024-1671: Inappropriate implementation in Site Isolation. Reported by Harry Chen on 2024-01-03
- [41485789] Medium CVE-2024-1672: Inappropriate implementation in Content Security Policy. Reported by Georg Felber (TU Wien) & Marco Squarcina (TU Wien) on 2023-12-19
- [41490491] Medium CVE-2024-1673: Use after free in Accessibility. Reported by Weipeng Jiang (@Krace) of VRI on 2024-01-11
- [40095183] Medium CVE-2024-1674: Inappropriate implementation in Navigation. Reported by David Erceg on 2019-05-27
- [41486208] Medium CVE-2024-1675: Insufficient policy enforcement in Download. Reported by Bartłomiej Wacko on 2023-12-21
- [40944847] Low CVE-2024-1676: Inappropriate implementation in Navigation. Reported by Khalil Zhani on 2023-11-21
Grafana Labs reports:
The vulnerability impacts instances where Grafana basic authentication is enabled.
Grafana has a verify_email_enabled configuration option. When this option is enabled, users are required to confirm their email addresses before the sign-up process is complete. However, the email is only checked at the time of the sign-up. No further verification is carried out if a user’s email address is updated after the initial sign-up. Moreover, Grafana allows using an email address as the user’s login name, and no verification is ever carried out for this email address.
This means that even if the verify_email_enabled configuration option is enabled, users can use unverified email addresses to log into Grafana if the email address has been changed after the sign up, or if an email address is set as the login name.
The CVSS score for this vulnerability is [5.4 Medium] (CVSS).
c-ares project reports:
Reading malformatted /etc/resolv.conf, /etc/nsswitch.conf or the HOSTALIASES file could result in a crash.
Suricata team reports:
Multiple vulnerabilities fixed in the last release of suricata.
No details have been disclosed yet
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-1283.
- Security: backported fix for CVE-2024-1284.
Gitlab reports:
Stored-XSS in user's profile page
User with "admin_group_members" permission can invite other groups to gain owner access
ReDoS issue in the Codeowners reference extractor
LDAP user can reset password using secondary email and login using direct authentication
Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard
Users with the Guest role can change Custom dashboard projects settings for projects in the victim group
Group member with sub-maintainer role can change title of shared private deploy keys
Bypassing approvals of CODEOWNERS
cve@mitre.org reports:
CVE-2023-50868: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
The nginx development team reports:
When using HTTP/3 a segmentation fault might occur in a worker process while processing a specially crafted QUIC session.
The jail(2) system call has not limited a visiblity of allocated TTYs (the kern.ttys sysctl). This gives rise to an information leak about processes outside the current jail.
Attacker can get information about TTYs allocated on the host or in other jails. Effectively, the information printed by "pstat -t" may be leaked.
`bhyveload -h <host-path>` may be used to grant loader access to the <host-path> directory tree on the host. Affected versions of bhyveload(8) do not make any attempt to restrict loader's access to <host-path>, allowing the loader to read any file the host user has access to.
In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the loader scripts generally come from the guest image. A maliciously crafted script could be used to exfiltrate sensitive data from the host accessible to the user running bhyhveload(8), which is often the system root.
Chrome Releases reports:
This update includes 1 security fix.
Simon Kelley reports:
If DNSSEC validation is enabled, then an attacker who can force a DNS server to validate a specially crafted signed domain can use a lot of CPU in the validator. This only affects dnsmasq installations with DNSSEC enabled.
Stichting NLnet Labs reports:
The KeyTrap [CVE-2023-50387] vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path.
The NSEC3 [CVE-2023-50868] vulnerability uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path.
phpMyFAQ team reports:
phpMyFAQ doesn't implement sufficient checks to avoid XSS when storing on attachments filenames. The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large range of targets. phpMyFAQ's user removal page allows an attacker to spoof another user's detail, and in turn make a compelling phishing case for removing another user's account.
Austin Hackers Anonymous report:
Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEXR image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability.
[...] it is in a routine that is predominantly used for development and testing. It is not likely to appear in production code.
Google reports:
A heap buffer overflow exists in readstat_convert.
Spreadsheet-ParseExcel reports:
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type eval "eval". Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
PostgreSQL Project reports:
One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH. The fix for the vulnerability makes is so that all user-determined code is run as the view's owner, as expected.
Gitlab reports:
Restrict group access token creation for custom roles
Project maintainers can bypass group's scan result policy block_branch_modification setting
ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax
Resource exhaustion using GraphQL vulnerabilitiesCountByDay
Copmposer reports:
Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php.
Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.
As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.
All Composer CLI commands are affected, including composer.phar's self-update.
Git community reports:
A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application
A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application
A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities
Chrome Releases reports:
This update includes 3 security fixes:
- [41494539] High CVE-2024-1284: Use after free in Mojo. Reported by Anonymous on 2024-01-25
- [41494860] High CVE-2024-1283: Heap buffer overflow in Skia. Reported by Jorge Buzeti (@r3tr074) on 2024-01-25
The ClamAV project reports:
- CVE-2024-20290
- A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for end-of-string values during scanning, which may result in a heap buffer over-read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software and consuming available system resources.
- CVE-2024-20328
- Fixed a possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. To fix this issue, we disabled the '%f' format string parameter. ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment variable, instead of '%f'. But you should do so only from within an executable, such as a Python script, and not directly in the clamd.conf "VirusEvent" command.
Django reports:
CVE-2024-24680:Potential denial-of-service in intcomma template filter.
Chrome Releases reports:
This update includes 4 security fixes:
- [1511567] High CVE-2024-1060: Use after free in Canvas. Reported by Anonymous on 2023-12-14
- [1514777] High CVE-2024-1059: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-12-29
- [1511085] High CVE-2024-1077: Use after free in Network. Reported by Microsoft Security Research Center on 2023-12-13
Chrome Releases reports:
This update includes 17 security fixes:
- [1484394] High CVE-2024-0812: Inappropriate implementation in Accessibility. Reported by Anonymous on 2023-09-19
- [1504936] High CVE-2024-0808: Integer underflow in WebUI. Reported by Lyra Rebane (rebane2001) on 2023-11-24
- [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools. Reported by Shaheen Fazim on 2023-10-26
- [1463935] Medium CVE-2024-0814: Incorrect security UI in Payments. Reported by Muneaki Nishimura (nishimunea) on 2023-07-11
- [1477151] Medium CVE-2024-0813: Use after free in Reading Mode. Reported by @retsew0x01 on 2023-08-30
- [1505176] Medium CVE-2024-0806: Use after free in Passwords. Reported by 18楼梦想改造家 on 2023-11-25
- [1514925] Medium CVE-2024-0805: Inappropriate implementation in Downloads. Reported by Om Apip on 2024-01-01
- [1515137] Medium CVE-2024-0804: Insufficient policy enforcement in iOS Security UI. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2024-01-03
- [1494490] Low CVE-2024-0811: Inappropriate implementation in Extensions API. Reported by Jann Horn of Google Project Zero on 2023-10-21
- [1497985] Low CVE-2024-0809: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-10-31
Electron developers reports:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-0807.
Qt qtwebengine-chromium repo reports:
Backports for 3 security bugs in Chromium:
- [1505080] High CVE-2024-0807: Use after free in WebAudio
- [1504936] Critical CVE-2024-0808: Integer underflow in WebUI
- [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools
The OpenSSL project reports:
Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
PKCS12 Decoding crashes (CVE-2024-0727)
cve@mitre.org reports:
In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product was renamed), there is an unchecked buffer size during a memcpy in the Lizard_decompress_LIZv1 function (lib/lizard_decompress_liz.h). Remote attackers can leverage this vulnerability to cause a denial of service via a crafted input file, as well as achieve remote code execution.
Qt qtwebengine-chromium repo reports:
Backports for 15 security bugs in Chromium:
- [1505053] High CVE-2023-6345: Integer overflow in Skia
- [1500856] High CVE-2023-6346: Use after free in WebAudio
- [1494461] High CVE-2023-6347: Use after free in Mojo
- [1501326] High CVE-2023-6702: Type Confusion in V8
- [1502102] High CVE-2023-6703: Use after free in Blink
- [1505708] High CVE-2023-6705: Use after free in WebRTC
- [1500921] High CVE-2023-6706: Use after free in FedCM
- [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
- [1501798] High CVE-2024-0222: Use after free in ANGLE
- [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE
- [1505086] High CVE-2024-0224: Use after free in WebAudio
- [1506923] High CVE-2024-0225: Use after free in WebGPU
- [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
- [1507412] High CVE-2024-0518: Type Confusion in V8
- [1517354] High CVE-2024-0519: Out of bounds memory access in V8
Qt qtwebengine-chromium repo reports:
Backports for 8 security bugs in Chromium:
- [1505053] High CVE-2023-6345: Integer overflow in Skia
- [1501326] High CVE-2023-6702: Type Confusion in V8
- [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
- [1501798] High CVE-2024-0222: Use after free in ANGLE
- [1505086] High CVE-2024-0224: Use after free in WebAudio
- [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
- [1507412] High CVE-2024-0518: Type Confusion in V8
- [1517354] High CVE-2024-0519: Out of bounds memory access in V8
Multiple vulnerabilities in ssh and golang
- CVE-2023-45286: HTTP request body disclosure in go-resty disclosure across requests.
- CVE-2023-48795: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks.
Gitlab reports:
Arbitrary file write while creating workspace
ReDoS in Cargo.toml blob viewer
Arbitrary API PUT requests via HTML injection in user's name
Disclosure of the public email in Tags RSS Feed
Non-Member can update MR Assignees of owned MRs
Jenkins Security Advisory:
Description
(Critical) SECURITY-3314 / CVE-2024-23897
Arbitrary file read vulnerability through the CLI can lead to RCE
Description
(High) SECURITY-3315 / CVE-2024-23898
Cross-site WebSocket hijacking vulnerability in the CLI
TinyMCE reports:
Special characters in unescaped text nodes can trigger mXSS when using TinyMCE undo/redo, getContentAPI, resetContentAPI, and Autosave plugin
Tim Wojtulewicz of Corelight reports:
A specially-crafted series of packets containing nested MIME entities can cause Zeek to spend large amounts of time parsing the entities.
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-0519.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-0518.
- Security: backported fix for CVE-2024-0517.
Chrome Releases reports:
This update includes 4 security fixes:
- [1515930] High CVE-2024-0517: Out of bounds write in V8. Reported by Toan (suto) Pham of Qrious Secure on 2024-01-06
- [1507412] High CVE-2024-0518: Type Confusion in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2023-12-03
- [1517354] High CVE-2024-0519: Out of bounds memory access in V8. Reported by Anonymous on 2024-01-11
The X.Org project reports:
- CVE-2023-6816: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255 but the X.Org Server was only allocating space for the device's number of buttons, leading to a heap overflow if a bigger value was used.
- CVE-2024-0229: Reattaching to different master device may lead to out-of-bounds memory access
If a device has both a button class and a key class and numButtons is zero, we can get an out-of-bounds write due to event under-allocation in the DeliverStateNotifyEvent function.
- CVE-2024-21885: Heap buffer overflow in XISendDeviceHierarchyEvent
The XISendDeviceHierarchyEvent() function allocates space to store up to MAXDEVICES (256) xXIHierarchyInfo structures in info. If a device with a given ID was removed and a new device with the same ID added both in the same operation, the single device ID will lead to two info structures being written to info. Since this case can occur for every device ID at once, a total of two times MAXDEVICES info structures might be written to the allocation, leading to a heap buffer overflow.
- CVE-2024-21886: Heap buffer overflow in DisableDevice
The DisableDevice() function is called whenever an enabled device is disabled and it moves the device from the inputInfo.devices linked list to the inputInfo.off_devices linked list. However, its link/unlink operation has an issue during the recursive call to DisableDevice() due to the prev pointer pointing to a removed device. This issue leads to a length mismatch between the total number of devices and the number of device in the list, leading to a heap overflow and, possibly, to local privilege escalation.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-0224.
- Security: backported fix for CVE-2024-0225.
- Security: backported fix for CVE-2024-0223.
- Security: backported fix for CVE-2024-0222.
Gitlab reports:
Account Takeover via Password Reset without user interactions
Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user
Bypass CODEOWNERS approval removal
Workspaces able to be created under different root namespace
Commit signature validation ignores headers after signature
SO-AND-SO reports:
The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions.
Chrome Releases reports:
This update includes 1 security fix:
- [1513379] High CVE-2024-0333: Insufficient data validation in Extensions. Reported by Malcolm Stagg (@malcolmst) of SODIUM-24, LLC on 2023-12-20
Andy Shaw reports:
A potential integer overflow has been discovered in Qt's HTTP2 implementation. If the HTTP2 implementation receives more than 4GiB in total headers, or more than 2GiB for any given header pair, then the internal buffers may overflow.
Mantis 2.25.8 release reports:
Security and maintenance release
- 0032432: Update guzzlehttp/psr7 to 1.9.1 (CVE-2023-29197)
- 0032981: Information Leakage on DokuWiki Integration (CVE-2023-44394)
Chrome Releases reports:
This update includes 6 security fixes:
- [1501798] High CVE-2024-0222: Use after free in ANGLE. Reported by Toan (suto) Pham of Qrious Secure on 2023-11-13
- [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE. Reported by Toan (suto) Pham and Tri Dang of Qrious Secure on 2023-11-24
- [1505086] High CVE-2024-0224: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-25
- [1506923] High CVE-2024-0225: Use after free in WebGPU. Reported by Anonymous on 2023-12-01
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6706.
- Security: backported fix for CVE-2023-6705.
- Security: backported fix for CVE-2023-6703.
- Security: backported fix for CVE-2023-6702.
- Security: backported fix for CVE-2023-6704.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6704.
- Security: backported fix for CVE-2023-6705.
- Security: backported fix for CVE-2023-6703.
- Security: backported fix for CVE-2023-6702.
The SSH protocol executes an initial handshake between the server and the client. This protocol handshake includes the possibility of several extensions allowing different options to be selected. Validation of the packets in the handshake is done through sequence numbers.
A man in the middle attacker can silently manipulate handshake messages to truncate extension negotiation messages potentially leading to less secure client authentication algorithms or deactivating keystroke timing attack countermeasures.
Even with RequireSignInView enabled, anonymous users can use docker pull to fetch public images.