cve@mitre.org reports:
CVE-2023-50868: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
The nginx development team reports:
When using HTTP/3 a segmentation fault might occur in a worker process while processing a specially crafted QUIC session.
The jail(2) system call has not limited a visiblity of allocated TTYs (the kern.ttys sysctl). This gives rise to an information leak about processes outside the current jail.
Attacker can get information about TTYs allocated on the host or in other jails. Effectively, the information printed by "pstat -t" may be leaked.
`bhyveload -h <host-path>` may be used to grant loader access to the <host-path> directory tree on the host. Affected versions of bhyveload(8) do not make any attempt to restrict loader's access to <host-path>, allowing the loader to read any file the host user has access to.
In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the loader scripts generally come from the guest image. A maliciously crafted script could be used to exfiltrate sensitive data from the host accessible to the user running bhyhveload(8), which is often the system root.
Chrome Releases reports:
This update includes 1 security fix.
Simon Kelley reports:
If DNSSEC validation is enabled, then an attacker who can force a DNS server to validate a specially crafted signed domain can use a lot of CPU in the validator. This only affects dnsmasq installations with DNSSEC enabled.
Stichting NLnet Labs reports:
The KeyTrap [CVE-2023-50387] vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path.
The NSEC3 [CVE-2023-50868] vulnerability uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path.
phpMyFAQ team reports:
phpMyFAQ doesn't implement sufficient checks to avoid XSS when storing on attachments filenames. The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large range of targets. phpMyFAQ's user removal page allows an attacker to spoof another user's detail, and in turn make a compelling phishing case for removing another user's account.
Austin Hackers Anonymous report:
Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEXR image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability.
[...] it is in a routine that is predominantly used for development and testing. It is not likely to appear in production code.
Google reports:
A heap buffer overflow exists in readstat_convert.
Spreadsheet-ParseExcel reports:
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type eval "eval". Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
PostgreSQL Project reports:
One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH. The fix for the vulnerability makes is so that all user-determined code is run as the view's owner, as expected.
Gitlab reports:
Restrict group access token creation for custom roles
Project maintainers can bypass group's scan result policy block_branch_modification setting
ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax
Resource exhaustion using GraphQL vulnerabilitiesCountByDay
Copmposer reports:
Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php.
Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.
As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.
All Composer CLI commands are affected, including composer.phar's self-update.
Git community reports:
A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application
A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application
A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities
Chrome Releases reports:
This update includes 3 security fixes:
- [41494539] High CVE-2024-1284: Use after free in Mojo. Reported by Anonymous on 2024-01-25
- [41494860] High CVE-2024-1283: Heap buffer overflow in Skia. Reported by Jorge Buzeti (@r3tr074) on 2024-01-25
The ClamAV project reports:
- CVE-2024-20290
- A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for end-of-string values during scanning, which may result in a heap buffer over-read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software and consuming available system resources.
- CVE-2024-20328
- Fixed a possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. To fix this issue, we disabled the '%f' format string parameter. ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment variable, instead of '%f'. But you should do so only from within an executable, such as a Python script, and not directly in the clamd.conf "VirusEvent" command.
Django reports:
CVE-2024-24680:Potential denial-of-service in intcomma template filter.
Chrome Releases reports:
This update includes 4 security fixes:
- [1511567] High CVE-2024-1060: Use after free in Canvas. Reported by Anonymous on 2023-12-14
- [1514777] High CVE-2024-1059: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-12-29
- [1511085] High CVE-2024-1077: Use after free in Network. Reported by Microsoft Security Research Center on 2023-12-13
Chrome Releases reports:
This update includes 17 security fixes:
- [1484394] High CVE-2024-0812: Inappropriate implementation in Accessibility. Reported by Anonymous on 2023-09-19
- [1504936] High CVE-2024-0808: Integer underflow in WebUI. Reported by Lyra Rebane (rebane2001) on 2023-11-24
- [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools. Reported by Shaheen Fazim on 2023-10-26
- [1463935] Medium CVE-2024-0814: Incorrect security UI in Payments. Reported by Muneaki Nishimura (nishimunea) on 2023-07-11
- [1477151] Medium CVE-2024-0813: Use after free in Reading Mode. Reported by @retsew0x01 on 2023-08-30
- [1505176] Medium CVE-2024-0806: Use after free in Passwords. Reported by 18楼梦想改造家 on 2023-11-25
- [1514925] Medium CVE-2024-0805: Inappropriate implementation in Downloads. Reported by Om Apip on 2024-01-01
- [1515137] Medium CVE-2024-0804: Insufficient policy enforcement in iOS Security UI. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2024-01-03
- [1494490] Low CVE-2024-0811: Inappropriate implementation in Extensions API. Reported by Jann Horn of Google Project Zero on 2023-10-21
- [1497985] Low CVE-2024-0809: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-10-31
Electron developers reports:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-0807.
Qt qtwebengine-chromium repo reports:
Backports for 3 security bugs in Chromium:
- [1505080] High CVE-2024-0807: Use after free in WebAudio
- [1504936] Critical CVE-2024-0808: Integer underflow in WebUI
- [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools
The OpenSSL project reports:
Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
PKCS12 Decoding crashes (CVE-2024-0727)
cve@mitre.org reports:
In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product was renamed), there is an unchecked buffer size during a memcpy in the Lizard_decompress_LIZv1 function (lib/lizard_decompress_liz.h). Remote attackers can leverage this vulnerability to cause a denial of service via a crafted input file, as well as achieve remote code execution.
Qt qtwebengine-chromium repo reports:
Backports for 15 security bugs in Chromium:
- [1505053] High CVE-2023-6345: Integer overflow in Skia
- [1500856] High CVE-2023-6346: Use after free in WebAudio
- [1494461] High CVE-2023-6347: Use after free in Mojo
- [1501326] High CVE-2023-6702: Type Confusion in V8
- [1502102] High CVE-2023-6703: Use after free in Blink
- [1505708] High CVE-2023-6705: Use after free in WebRTC
- [1500921] High CVE-2023-6706: Use after free in FedCM
- [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
- [1501798] High CVE-2024-0222: Use after free in ANGLE
- [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE
- [1505086] High CVE-2024-0224: Use after free in WebAudio
- [1506923] High CVE-2024-0225: Use after free in WebGPU
- [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
- [1507412] High CVE-2024-0518: Type Confusion in V8
- [1517354] High CVE-2024-0519: Out of bounds memory access in V8
Qt qtwebengine-chromium repo reports:
Backports for 8 security bugs in Chromium:
- [1505053] High CVE-2023-6345: Integer overflow in Skia
- [1501326] High CVE-2023-6702: Type Confusion in V8
- [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
- [1501798] High CVE-2024-0222: Use after free in ANGLE
- [1505086] High CVE-2024-0224: Use after free in WebAudio
- [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
- [1507412] High CVE-2024-0518: Type Confusion in V8
- [1517354] High CVE-2024-0519: Out of bounds memory access in V8
Multiple vulnerabilities in ssh and golang
- CVE-2023-45286: HTTP request body disclosure in go-resty disclosure across requests.
- CVE-2023-48795: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks.
Gitlab reports:
Arbitrary file write while creating workspace
ReDoS in Cargo.toml blob viewer
Arbitrary API PUT requests via HTML injection in user's name
Disclosure of the public email in Tags RSS Feed
Non-Member can update MR Assignees of owned MRs
Jenkins Security Advisory:
Description
(Critical) SECURITY-3314 / CVE-2024-23897
Arbitrary file read vulnerability through the CLI can lead to RCE
Description
(High) SECURITY-3315 / CVE-2024-23898
Cross-site WebSocket hijacking vulnerability in the CLI
TinyMCE reports:
Special characters in unescaped text nodes can trigger mXSS when using TinyMCE undo/redo, getContentAPI, resetContentAPI, and Autosave plugin
Tim Wojtulewicz of Corelight reports:
A specially-crafted series of packets containing nested MIME entities can cause Zeek to spend large amounts of time parsing the entities.
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-0519.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-0518.
- Security: backported fix for CVE-2024-0517.
Chrome Releases reports:
This update includes 4 security fixes:
- [1515930] High CVE-2024-0517: Out of bounds write in V8. Reported by Toan (suto) Pham of Qrious Secure on 2024-01-06
- [1507412] High CVE-2024-0518: Type Confusion in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2023-12-03
- [1517354] High CVE-2024-0519: Out of bounds memory access in V8. Reported by Anonymous on 2024-01-11
The X.Org project reports:
- CVE-2023-6816: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255 but the X.Org Server was only allocating space for the device's number of buttons, leading to a heap overflow if a bigger value was used.
- CVE-2024-0229: Reattaching to different master device may lead to out-of-bounds memory access
If a device has both a button class and a key class and numButtons is zero, we can get an out-of-bounds write due to event under-allocation in the DeliverStateNotifyEvent function.
- CVE-2024-21885: Heap buffer overflow in XISendDeviceHierarchyEvent
The XISendDeviceHierarchyEvent() function allocates space to store up to MAXDEVICES (256) xXIHierarchyInfo structures in info. If a device with a given ID was removed and a new device with the same ID added both in the same operation, the single device ID will lead to two info structures being written to info. Since this case can occur for every device ID at once, a total of two times MAXDEVICES info structures might be written to the allocation, leading to a heap buffer overflow.
- CVE-2024-21886: Heap buffer overflow in DisableDevice
The DisableDevice() function is called whenever an enabled device is disabled and it moves the device from the inputInfo.devices linked list to the inputInfo.off_devices linked list. However, its link/unlink operation has an issue during the recursive call to DisableDevice() due to the prev pointer pointing to a removed device. This issue leads to a length mismatch between the total number of devices and the number of device in the list, leading to a heap overflow and, possibly, to local privilege escalation.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-0224.
- Security: backported fix for CVE-2024-0225.
- Security: backported fix for CVE-2024-0223.
- Security: backported fix for CVE-2024-0222.
Gitlab reports:
Account Takeover via Password Reset without user interactions
Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user
Bypass CODEOWNERS approval removal
Workspaces able to be created under different root namespace
Commit signature validation ignores headers after signature
SO-AND-SO reports:
The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions.
Chrome Releases reports:
This update includes 1 security fix:
- [1513379] High CVE-2024-0333: Insufficient data validation in Extensions. Reported by Malcolm Stagg (@malcolmst) of SODIUM-24, LLC on 2023-12-20
Andy Shaw reports:
A potential integer overflow has been discovered in Qt's HTTP2 implementation. If the HTTP2 implementation receives more than 4GiB in total headers, or more than 2GiB for any given header pair, then the internal buffers may overflow.
Mantis 2.25.8 release reports:
Security and maintenance release
- 0032432: Update guzzlehttp/psr7 to 1.9.1 (CVE-2023-29197)
- 0032981: Information Leakage on DokuWiki Integration (CVE-2023-44394)
Chrome Releases reports:
This update includes 6 security fixes:
- [1501798] High CVE-2024-0222: Use after free in ANGLE. Reported by Toan (suto) Pham of Qrious Secure on 2023-11-13
- [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE. Reported by Toan (suto) Pham and Tri Dang of Qrious Secure on 2023-11-24
- [1505086] High CVE-2024-0224: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-25
- [1506923] High CVE-2024-0225: Use after free in WebGPU. Reported by Anonymous on 2023-12-01
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6706.
- Security: backported fix for CVE-2023-6705.
- Security: backported fix for CVE-2023-6703.
- Security: backported fix for CVE-2023-6702.
- Security: backported fix for CVE-2023-6704.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6704.
- Security: backported fix for CVE-2023-6705.
- Security: backported fix for CVE-2023-6703.
- Security: backported fix for CVE-2023-6702.
The SSH protocol executes an initial handshake between the server and the client. This protocol handshake includes the possibility of several extensions allowing different options to be selected. Validation of the packets in the handshake is done through sequence numbers.
A man in the middle attacker can silently manipulate handshake messages to truncate extension negotiation messages potentially leading to less secure client authentication algorithms or deactivating keystroke timing attack countermeasures.
Even with RequireSignInView enabled, anonymous users can use docker pull to fetch public images.