diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 52ab5c647d4c..6eb7ab4f297f 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,6239 +1,6243 @@ forgejo -- multiple issues forgejo 7.0.4

The forgejo team reports:

CVE-2024-24789: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file.

The OAuth2 implementation does not always require authentication for public clients, a requirement of RFC 6749 Section 10.2. A malicious client can impersonate another client and obtain access to protected resources if the impersonated client fails to, or is unable to, keep its client credentials confidential.

CVE-2024-24789 https://nvd.nist.gov/vuln/detail/CVE-2024-24789 2024-04-04 2024-04-11
traefik -- Unexpected behavior with IPv4-mapped IPv6 addresses traefik 2.11.4

The traefik authors report:

There is a vulnerability in Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses. They didn't work as expected returning false for addresses which would return true in their traditional IPv4 forms.

CVE-2024-24790 https://github.com/traefik/traefik/security/advisories/GHSA-7jmw-8259-q9jx 2024-06-05 2024-06-15
go -- multiple vulnerabilities go122 1.22.4 go121 1.21.11

The Go project reports:

archive/zip: mishandling of corrupt central directory record

The archive/zip package's handling of certain types of invalid zip files differed from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

CVE-2024-24789 CVE-2024-24790 https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ 2024-06-04 2024-06-15
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.0.017.0.2 16.11.016.11.4 5.116.10.7

Gitlab reports:

ReDoS in gomod dependency linker

ReDoS in CI interpolation (fix bypass)

ReDoS in Asana integration issue mapping when webhook is called

XSS and content injection when viewing raw XHTML files on iOS devices

Missing agentk request validation could cause KAS to panic

CVE-2024-1495 CVE-2024-1736 CVE-2024-1963 CVE-2024-4201 CVE-2024-5469 https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/ 2024-06-12 2024-06-13
plasma[56]-plasma-workspace -- Unauthorized users can access session manager plasma5-plasma-workspace 5.27.11.1 plasma6-plasma-workspace 6.0.4_2

David Edmundson reports:

KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE based purely on the host, allowing all local connections. This allows another user on the same machine to gain access to the session manager.

A well crafted client could use the session restore feature to execute arbitrary code as the user on the next boot.

CVE-2024-36041 https://kde.org/info/security/advisory-20240531-1.txt 2024-05-31 2024-06-11
Composer -- Multiple command injections via malicious git/hg branch names php81-composer 2.7.7 php82-composer 2.7.7 php83-composer 2.7.7

Composer project reports:

The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.

CVE-2024-35241 https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c CVE-2024-35242 https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf 2024-06-10 2024-06-10
kanboard -- Project Takeover via IDOR in ProjectPermissionController kanboard 1.2.37

security-advisories@github.com reports:

Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is authorized to add users to this project the request gets processed. The users permission for the POST BODY parameter project_id does not get checked again while processing. An attacker with the 'Project Manager' on a single project may take over any other project. The vulnerability is fixed in 1.2.37.

CVE-2024-36399 https://nvd.nist.gov/vuln/detail/CVE-2024-36399 2024-06-06 2024-06-07
cyrus-imapd -- unbounded memory allocation cyrus-imapd38 3.8.2_1 cyrus-imapd36 3.6.4_1 cyrus-imapd34 3.4.7_1 cyrus-imapd32 cyrus-imapd30 cyrus-imapd25 0

Cyrus IMAP 3.8.3 Release Notes states:

Fixed CVE-2024-34055: Cyrus-IMAP through 3.8.2 and 3.10.0-beta2 allow authenticated attackers to cause unbounded memory allocation by sending many LITERALs in a single command.

The IMAP protocol allows for command arguments to be LITERALs of negotiated length, and for these the server allocates memory to receive the content before instructing the client to proceed. The allocated memory is released when the whole command has been received and processed.

The IMAP protocol has a number commands that specify an unlimited number of arguments, for example SEARCH. Each of these arguments can be a LITERAL, for which memory will be allocated and not released until the entire command has been received and processed. This can run a server out of memory, with varying consequences depending on the server's OOM policy.

CVE-2024-34055 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34055 2024-04-30 2024-06-05
chromium -- multiple security fixes chromium 125.0.6422.141 ungoogled-chromium 125.0.6422.141

Chrome Releases reports:

This update includes 11 security fixes:

  • [339877165] High CVE-2024-5493: Heap buffer overflow in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2024-05-11
  • [338071106] High CVE-2024-5494: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
  • [338103465] High CVE-2024-5495: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
  • [338929744] High CVE-2024-5496: Use after free in Media Session. Reported by Cassidy Kim(@cassidy6564) on 2024-05-06
  • [339061099] High CVE-2024-5497: Out of bounds memory access in Keyboard Inputs. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2024-05-07
  • [339588211] High CVE-2024-5498: Use after free in Presentation API. Reported by anymous on 2024-05-09
  • [339877167] High CVE-2024-5499: Out of bounds write in Streams API. Reported by anonymous on 2024-05-11
CVE-2024-5493 CVE-2024-5494 CVE-2024-5495 CVE-2024-5496 CVE-2024-5497 CVE-2024-5498 CVE-2024-5499 https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_30.html 2024-05-30 2024-06-03
- nginx-devel -- Multiple Vulnerabilities in HTTP/3 + nginx -- Multiple Vulnerabilities in HTTP/3 nginx-devel 1.25.01.27.0 + + nginx + 1.26.01.26.1 +

The nginx development team reports:

This update fixes the following vulnerabilities:

  • Stack overflow and use-after-free in HTTP/3
  • Buffer overwrite in HTTP/3
  • Memory disclosure in HTTP/3
  • NULL pointer dereference in HTTP/3
CVE-2024-31079 CVE-2024-32760 CVE-2024-34161 CVE-2024-35200 2024-05-29 2024-05-29
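Review bot: the retitled nginx entry (the `-`/`+` lines that rename "nginx-devel -- Multiple Vulnerabilities in HTTP/3" to "nginx -- Multiple Vulnerabilities in HTTP/3" and add the nginx package with the 1.26.0 to 1.26.1 range) still carries no advisory URL in its references block; only the four CVE ids (CVE-2024-31079, CVE-2024-32760, CVE-2024-34161, CVE-2024-35200) and the two dates appear, whereas every other entry in this file pairs its CVE ids with a vendor or NVD link. Since the change already touches this entry, add the nginx project's advisory reference for these HTTP/3 fixes next to the CVE ids so readers of both the nginx and nginx-devel ranges can reach the upstream description.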
chromium -- security fix chromium 125.0.6422.112 ungoogled-chromium 125.0.6422.112

Chrome Releases reports:

This update includes 1 security fix:

  • [341663589] High CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20
CVE-2024-5274 https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html 2024-05-23 2024-05-29
OpenSSL -- Use after free vulnerability openssl 3.0.13_5,1 openssl31 3.1.5_5 openssl32 3.2.1_5 openssl33 3.3.0_2 openssl-quictls 3.0.13_5 openssl31-quictls 3.1.5_5

The OpenSSL project reports:

Use After Free with SSL_free_buffers (low).

Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations

CVE-2024-4741 https://www.openssl.org/news/secadv/20240528.txt 2024-05-28 2024-05-28
electron29 -- use after free in Dawn electron29 29.4.1

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-4948.
CVE-2024-4948 https://github.com/advisories/GHSA-xvp9-87cv-m4fv 2024-05-22 2024-05-25
electron28 -- multiple vulnerabilities electron28 28.3.2

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-4948.
  • Security: backported fix for CVE-2024-3914.
  • Security: backported fix for CVE-2024-4060.
  • Security: backported fix for CVE-2024-4058.
  • Security: backported fix for CVE-2024-4558.
CVE-2024-4948 https://github.com/advisories/GHSA-xvp9-87cv-m4fv CVE-2024-3914 https://github.com/advisories/GHSA-jv87-hfr8-8j2r CVE-2024-4060 https://github.com/advisories/GHSA-4qw6-vwc8-mh38 CVE-2024-4058 https://github.com/advisories/GHSA-23rw-79p3-xgcm CVE-2024-4558 https://github.com/advisories/GHSA-r4j8-j63p-24j8 2024-05-22 2024-05-25
QtNetworkAuth -- predictable seeding of PRNG in QAbstractOAuth qt5-networkauth 5.15.13_1 qt6-networkauth 6.7.1

Andy Shaw reports:

The OAuth1 implementation in QtNetworkAuth created nonces using a PRNG that was seeded with a predictable seed.

This means that an attacker that can somehow control the time of the first OAuth1 flow of the process has a high chance of predicting the nonce used in said OAuth flow.

CVE-2024-36048 https://www.qt.io/blog/security-advisory-qstringconverter-0 https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317 2024-05-08 2024-05-24
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.0.017.0.1 16.11.016.11.3 11.1116.10.6

Gitlab reports:

1-click account takeover via XSS in the code editor in gitlab.com

A DOS vulnerability in the 'description' field of the runner

CSRF via K8s cluster-integration

Using Set Pipeline Status of a Commit API incorrectly create a new pipeline when SHA and pipeline_id did not match

Redos on wiki render API/Page

Resource exhaustion and denial of service with test_report API calls

Guest user can view dependency lists of private projects through job artifacts

Stored XSS via PDFjs

CVE-2024-4835 CVE-2024-2874 CVE-2023-7045 CVE-2023-6502 CVE-2024-1947 CVE-2024-4367 https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/ 2024-05-22 2024-05-22
chromium -- multiple security fixes chromium 125.0.6422.76 ungoogled-chromium 125.0.6422.76

Chrome Releases reports:

This update includes 15 security fixes:

  • [336012573] High CVE-2024-5157: Use after free in Scheduling. Reported by Looben Yang on 2024-04-21
  • [338908243] High CVE-2024-5158: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-05-06
  • [335613092] High CVE-2024-5159: Heap buffer overflow in ANGLE. Reported by David Sievers (@loknop) on 2024-04-18
  • [338161969] High CVE-2024-5160: Heap buffer overflow in Dawn. Reported by wgslfuzz on 2024-05-01
  • [340221135] High CVE-2024-4947: Type Confusion in V8. Reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky on 2024-05-13
  • [333414294] High CVE-2024-4948: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
  • [326607001] Medium CVE-2024-4949: Use after free in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-02-24
  • [40065403] Low CVE-2024-4950: Inappropriate implementation in Downloads. Reported by Shaheen Fazim on 2023-06-06
CVE-2024-5157 CVE-2024-5158 CVE-2024-5159 CVE-2024-5160 CVE-2024-4947 CVE-2024-4948 CVE-2024-4949 CVE-2024-4950 https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_21.html 2024-05-21 2024-05-22
Openfire administration console authentication bypass openfire 4.6.8

security-advisories@github.com reports:

Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isnt available for a specific release, or isnt quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.

CVE-2023-32315 https://nvd.nist.gov/vuln/detail/CVE-2023-32315 2023-05-26 2024-05-21
Roundcube -- Cross-site scripting vulnerabilities roundcube 1.6.7,1

The Roundcube project reports:

cross-site scripting (XSS) vulnerability in handling SVG animate attributes.

cross-site scripting (XSS) vulnerability in handling list columns from user preferences.

https://roundcube.net/news/2024/05/19/security-updates-1.6.7-and-1.5.7 2024-05-19 2024-05-21
qt5-webengine -- Multiple vulnerabilities qt5-webengine 5.15.16.p9_2

Backports for 2 security bugs in Chromium:

  • CVE-2024-3157: Out of bounds write in Compositing
  • CVE-2024-3516: Heap buffer overflow in ANGLE
CVE-2024-3157 CVE-2024-3516 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=87-based 2024-04-16 2024-05-19
Arti -- Security issues related to circuit construction arti 1.2.3

Tor Project reports:

When building anonymizing circuits to or from an onion service with 'lite' vanguards (the default) enabled, the circuit manager code would build the circuits with one hop too few.

When 'full' vanguards are enabled, some circuits are supposed to be built with an extra hop to minimize the linkability of the guard nodes. In some circumstances, the circuit manager would build circuits with one hop too few, making it easier for an adversary to discover the L2 and L3 guards of the affected clients and services.

CVE-2024-35313 https://gitlab.torproject.org/tpo/core/arti/-/issues/1400 CVE-2024-35312 https://gitlab.torproject.org/tpo/core/arti/-/issues/1409 2024-05-14 2024-05-18
OpenSSL -- Denial of Service vulnerability openssl 3.0.13_4,1 openssl31 3.1.5_4 openssl32 3.2.1_4 openssl33 3.3.0_1 openssl-quictls 3.0.13_4 openssl31-quictls 3.1.5_4

The OpenSSL project reports:

Excessive time spent checking DSA keys and parameters (Low)

Checking excessively long DSA keys or parameters may be very slow.

CVE-2024-4603 https://www.openssl.org/news/secadv/20240516.txt 2024-05-16 2024-05-17
electron29 -- setuid() does not affect libuv's internal io_uring electron29 29.4.0

Electron developers report:

This update fixes the following vulnerability:

  • Backported fix for CVE-2024-22017.
CVE-2024-22017 https://github.com/advisories/GHSA-vr4q-vx84-9g5x 2024-05-15 2024-05-17
qt6-webengine -- Multiple vulnerabilities qt6-webengine 6.7.0

Qt qtwebengine-chromium repo reports:

Backports for 16 security bugs in Chromium:

  • CVE-2024-2625: Object lifecycle issue in V8
  • CVE-2024-2626: Out of bounds read in Swiftshader
  • CVE-2024-2885: Use after free in Dawn
  • CVE-2024-2887: Type Confusion in WebAssembly
  • CVE-2024-3157: Out of bounds write in Compositing
  • CVE-2024-3159: Out of bounds memory access in V8
  • CVE-2024-3516: Heap buffer overflow in ANGLE
  • CVE-2024-3837: Use after free in QUIC
  • CVE-2024-3839: Out of bounds read in Fonts
  • CVE-2024-3914: Use after free in V8
  • CVE-2024-3840: Insufficient policy enforcement in Site Isolation
  • CVE-2024-4058: Type Confusion in ANGLE
  • CVE-2024-4060: Use after free in Dawn
  • CVE-2024-4331: Use after free in Picture In Picture
  • CVE-2024-4368: Use after free in Dawn
  • CVE-2024-4671: Use after free in Visuals
CVE-2024-2625 CVE-2024-2626 CVE-2024-2885 CVE-2024-2887 CVE-2024-3157 CVE-2024-3159 CVE-2024-3516 CVE-2024-3837 CVE-2024-3839 CVE-2024-3914 CVE-2024-3840 CVE-2024-4058 CVE-2024-4060 CVE-2024-4331 CVE-2024-4368 CVE-2024-4671 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=118-based 2024-04-03 2024-05-15
qt6-base (core module) -- Invalid pointer in QStringConverter qt6-base 6.5.06.5.5 6.6.06.7.0

Andy Shaw reports:

QStringConverter has an invalid pointer being passed as a callback which can allow modification of the stack. Qt itself is not vulnerable to remote attack however an application using QStringDecoder either directly or indirectly can be vulnerable.

This requires:

  1. the attacker be able to tell the application a specific codec to use
  2. the attacker be able to feed the application data in a specific way to cause the desired modification
  3. the attacker what in the stack will get modified, which requires knowing the build of the application (and not all builds will be vulnerable)
  4. the modification do anything in particular that is useful to the attacker, besides maybe crashing the application

Qt does not automatically use any of those codecs, so this needs the application to implement something using QStringDecoder to be vulnerable.

CVE-2024-33861 https://www.qt.io/blog/security-advisory-qstringconverter 2024-05-02 2024-05-15
dnsdist -- Transfer requests received over DoH can lead to a denial of service dnsdist 1.9.4

PowerDNS Security Advisory reports:

When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service. DNS over HTTPS is not enabled by default, and backends are using plain DNS (Do53) by default.

CVE-2024-25581 https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html 2024-05-13 2024-05-13
Intel CPUs -- multiple vulnerabilities cpu-microcode-intel 20240514

Intel reports:

Potential security vulnerabilities in some Intel Trust Domain Extensions (TDX) module software may allow escalation of privilege. Improper input validation in some Intel TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

A potential security vulnerability in some Intel Processors may allow information disclosure. Hardware logic contains race conditions in some Intel Processors that may allow an authenticated user to potentially enable partial information disclosure via local access. Intel is releasing microcode updates to mitigate this potential vulnerability.

A potential security vulnerability in Intel Core Ultra Processors may allow denial of service. Sequence of processor instructions leads to unexpected behavior in Intel Core Ultra Processors may allow an authenticated user to potentially enable denial of service via local access. Intel is releasing microcode updates to mitigate this potential vulnerability.

CVE-2023-45745 CVE-2023-45733 CVE-2023-46103 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514 2024-05-14 2024-05-14
chromium -- multiple security fixes chromium 124.0.6367.207 ungoogled-chromium 124.0.6367.207

Chrome Releases reports:

This update includes 1 security fix:

  • [339458194] High CVE-2024-4761: Out of bounds write in V8. Reported by Anonymous on 2024-05-09
CVE-2024-4761 https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html 2024-05-13 2024-05-14
go -- net: malformed DNS message can cause infinite loop go122 1.22.3 go121 1.21.10

The Go project reports:

net: malformed DNS message can cause infinite loop

A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

CVE-2024-24788 https://go.dev/issue/66754 2024-04-25 2024-05-13
chromium -- multiple security fixes chromium 124.0.6367.201 ungoogled-chromium 124.0.6367.201

Chrome Releases reports:

This update includes 1 security fix:

  • [339266700] High CVE-2024-4671: Use after free in Visuals. Reported by Anonymous on 2024-05-07
CVE-2024-4671 https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html 2024-05-09 2024-05-12
PostgreSQL server -- Potentially allowing authenicated database users to see data that they shouldn't. postgresql-server 16.3 15.7 14.12

PostgreSQL project reports:

A security vulnerability was found in the system views pg_stats_ext and pg_stats_ext_exprs, potentially allowing authenticated database users to see data they shouldn't. If this is of concern in your installation, run the SQL script /usr/local/share/postgresql/fix-CVE-2024-4317.sql for each of your databases. See the link for details.

CVE-2024-4317 https://www.postgresql.org/support/security/CVE-2024-4317/ 2024-05-09 2024-05-09
tailscale -- Insufficient inbound packet filtering in subnet routers and exit nodes tailscale 1.66.0

Tailscale team reports:

In Tailscale versions earlier than 1.66.0, exit nodes, subnet routers, and app connectors, could allow inbound connections to other tailnet nodes from their local area network (LAN). This vulnerability only affects Linux exit nodes, subnet routers, and app connectors in tailnets where ACLs allow "src": "*", such as with default ACLs.

https://tailscale.com/security-bulletins#ts-2024-005 2024-05-08 2024-05-09
electron29 -- multiple vulnerabilities electron29 29.3.3

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-3914.
  • Security: backported fix for CVE-2024-4558.
CVE-2024-3914 https://github.com/advisories/GHSA-jv87-hfr8-8j2r CVE-2024-4558 https://github.com/advisories/GHSA-r4j8-j63p-24j8 2024-05-09 2024-05-09
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 16.11.016.11.2 16.10.016.10.5 10.6.016.9.7

Gitlab reports:

ReDoS in branch search when using wildcards

ReDoS in markdown render pipeline

Redos on Discord integrations

Redos on Google Chat Integration

Denial of Service Attack via Pin Menu

DoS by filtering tags and branches via the API

MR approval via CSRF in SAML SSO

Banned user from groups can read issues updates via the api

Require confirmation before linking JWT identity

View confidential issues title and description of any public project via export

SSRF via Github importer

CVE-2024-2878 CVE-2024-2651 CVE-2023-6682 CVE-2023-6688 CVE-2024-2454 CVE-2024-4539 CVE-2024-4597 CVE-2024-1539 CVE-2024-1211 CVE-2024-3976 CVE-2023-6195 https://about.gitlab.com/releases/2024/05/08/patch-release-gitlab-16-11-2-released/ 2024-05-08 2024-05-09
electron29 -- multiple vulnerabilities electron29 29.3.2

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-4060.
  • Security: backported fix for CVE-2024-4058.
CVE-2024-4060 https://github.com/advisories/GHSA-4qw6-vwc8-mh38 CVE-2024-4058 https://github.com/advisories/GHSA-23rw-79p3-xgcm 2024-05-03 2024-05-08
chromium -- multiple security fixes chromium 124.0.6367.118 ungoogled-chromium 124.0.6367.118

Chrome Releases reports:

This update includes 2 security fixes:

  • [335003891] High CVE-2024-4331: Use after free in Picture In Picture. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-04-16
  • [333508731] High CVE-2024-4368: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
CVE-2024-4058 CVE-2024-4059 CVE-2024-4060 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_30.html 2024-04-30 2024-05-02
R -- arbitrary code execution vulnerability R 4.4.0

HiddenLayer Research reports:

Deserialization of untrusted data can occur in the R statistical programming language, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user's system.

CVE-2024-27322 https://nvd.nist.gov/vuln/detail/CVE-2024-27322 2024-04-29 2024-05-02
hcode -- buffer overflow in mail.c ko-hcode 2.1.3_2

The openSUSE project reports:

The problematic function in question is putSDN() in mail.c. The static variable `cp` is used as an index for a fixed-sized buffer `ibuf`. There is a range check: `if ( cp >= HDR_BUF_LEN ) ...` but under certain circumstances, cp can be incremented beyond the buffer size, leading to a buffer overwrite

CVE-2024-34020 https://bugzilla.suse.com/show_bug.cgi?id=1223534 2024-04-29 2024-05-01
GLPI -- multiple vulnerabilities glpi 10.0.15,1

GLPI team reports:

GLPI 10.0.15 Changelog

  • [SECURITY - high] Authenticated SQL injection from map search (CVE-2024-31456)
  • [SECURITY - high] Account takeover via SQL Injection in saved searches feature (CVE-2024-29889)
CVE-2024-31456 CVE-2024-29889 https://github.com/glpi-project/glpi/releases/tag/10.0.15 2024-04-03 2024-04-28
py-social-auth-app-django -- Improper Handling of Case Sensitivity py38-social-auth-app-django py39-social-auth-app-django py310-social-auth-app-django py311-social-auth-app-django 5.4.1

GitHub Advisory Database:

Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change collation of the affected field.

CVE-2024-32879 https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3 2024-04-24 2024-04-28
chromium -- multiple security fixes chromium 124.0.6367.78 ungoogled-chromium 124.0.6367.78

Chrome Releases reports:

This update includes 4 security fixes:

  • [332546345] Critical CVE-2024-4058: Type Confusion in ANGLE. Reported by Toan (suto) Pham and Bao (zx) Pham of Qrious Secure on 2024-04-02
  • [333182464] High CVE-2024-4059: Out of bounds read in V8 API. Reported by Eirik on 2024-04-08
  • [333420620] High CVE-2024-4060: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
CVE-2024-4058 CVE-2024-4059 CVE-2024-4060 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html 2024-04-24 2024-04-25
Unallowed PHP script execution in GLPI glpi 10.0.10,1

From the GLPI 10.0.10 Changelog:

You will find below security issues fixed in this bugfixes version: [SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).

The mentioned CVE is invalid

CVE-2023-42802 https://github.com/glpi-project/glpi/releases/tag/10.0.10 2023-09-27 2023-10-11
glpi-project -- SQL injection in ITIL actors in GLPI glpi 10.0.8,110.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-42461 https://nvd.nist.gov/vuln/detail/CVE-2023-42461 2023-09-27 2023-10-11
Phishing through a login page malicious URL in GLPI glpi 10.0.8,110.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The lack of path filtering on the GLPI URL may allow an attacker to transmit a malicious URL of login page that can be used to attempt a phishing attack on user credentials. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-41888 https://nvd.nist.gov/vuln/detail/CVE-2023-41888 2023-09-27 2023-10-11
Users login enumeration by unauthenticated user in GLPI glpi 10.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can enumerate users logins. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-41323 https://nvd.nist.gov/vuln/detail/CVE-2023-41323 2023-09-27 2023-10-11
Privilege Escalation from technician to super-admin in GLPI glpi 9.1.0,110.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A user with write access to another user can make requests to change the latter's password and then take control of their account. Users are advised to upgrade to version 10.0.10. There are no known work around for this vulnerability.

CVE-2023-41322 https://nvd.nist.gov/vuln/detail/CVE-2023-41322 2023-09-27 2023-10-11
Sensitive fields enumeration through API in GLPI glpi 9.1.1,110.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user can enumerate sensitive fields values on resources on which he has read access. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-41321 https://nvd.nist.gov/vuln/detail/CVE-2023-41321 2023-09-27 2023-10-11
File deletion through document upload process in GLPI glpi 10.0.0,110.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-42462 https://nvd.nist.gov/vuln/detail/CVE-2023-42462 2023-09-27 2023-10-11
Account takeover through API in GLPI glpi 9.3.0,110.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user that have read access on users resource can steal accounts of other users. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-41324 https://nvd.nist.gov/vuln/detail/CVE-2023-41324 2023-09-27 2023-10-11
Account takeover via Kanban feature in GLPI glpi 9.5.0,110.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A logged user from any profile can hijack the Kanban feature to alter any user field, and end-up with stealing its account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-41326 https://nvd.nist.gov/vuln/detail/CVE-2023-41326 2023-09-27 2023-10-11
Account takeover via SQL Injection in UI layout preferences in GLPI glpi >= 10.0.0,1 and < 10.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be used to take over an administrator account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-41320 https://nvd.nist.gov/vuln/detail/CVE-2023-41320 2023-09-27 2023-10-11
GLPI vulnerable to SQL injection via dashboard administration glpi >= 9.5.0,1 and < 10.0.9,1

security-advisories@github.com reports:

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An administrator can trigger SQL injection via dashboards administration. This vulnerability has been patched in version 10.0.9.

CVE-2023-37278 https://nvd.nist.gov/vuln/detail/CVE-2023-37278 2023-07-13 2023-10-11
GLPI vulnerable to unauthorized access to User data glpi 10.0.8,1

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should upgrade to version 10.0.8 to receive a patch.

CVE-2023-34106 https://nvd.nist.gov/vuln/detail/CVE-2023-34106 2023-07-05 2023-10-11
GLPI vulnerable to unauthorized access to KnowbaseItem data glpi >= 9.2.0,1 and < 10.0.8,1

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Versions of the software starting with 9.2.0 and prior to 10.0.8 have an incorrect rights check on a file accessible by an authenticated user, which allows viewing all KnowbaseItems. Version 10.0.8 has a patch for this issue.

CVE-2023-34107 https://nvd.nist.gov/vuln/detail/CVE-2023-34107 2023-07-05 2023-10-11
GLPI vulnerable to reflected XSS in search pages glpi >= 9.4.0,1 and < 10.0.8,1

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Starting in version 9.4.0 and prior to version 10.0.8, a malicious link can be crafted by an unauthenticated user that can exploit a reflected XSS in case any authenticated user opens the crafted link. Users should upgrade to version 10.0.8 to receive a patch.

CVE-2023-34244 https://nvd.nist.gov/vuln/detail/CVE-2023-34244 2023-07-05 2023-10-11
GLPI vulnerable to unauthenticated access to Dashboard data glpi >= 9.5.0,1 and < 10.0.8,1

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to be able to access dashboards data. Version 10.0.8 contains a patch for this issue.

CVE-2023-35940 https://nvd.nist.gov/vuln/detail/CVE-2023-35940 2023-07-05 2023-10-11
GLPI vulnerable to unauthorized access to Dashboard data glpi >= 9.5.0,1 and < 10.0.8,1

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file accessible by an authenticated user (or not, for certain actions) allows a threat actor to interact with, modify, or see Dashboard data. Version 10.0.8 contains a patch for this issue.

CVE-2023-35939 https://nvd.nist.gov/vuln/detail/CVE-2023-35939 2023-07-05 2023-10-11
GLPI vulnerable to SQL injection through Computer Virtual Machine information glpi 10.0.8,1

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.

CVE-2023-36808 https://nvd.nist.gov/vuln/detail/CVE-2023-36808 2023-07-05 2023-10-11
GLPI vulnerable to SQL injection via inventory agent request glpi >= 10.0.0,1 and < 10.0.8,1

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.

CVE-2023-35924 https://nvd.nist.gov/vuln/detail/CVE-2023-35924 2023-07-05 2023-10-11
py-matrix-synapse -- weakness in auth chain indexing allows DoS py38-matrix-synapse py39-matrix-synapse py310-matrix-synapse py311-matrix-synapse 1.105.1

Matrix developers report:

Weakness in auth chain indexing allows DoS from remote room members through disk fill and high CPU usage. (High severity)

CVE-2024-31208 https://element.io/blog/security-release-synapse-1-105-1/ https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v 2024-04-23 2024-04-24
Gitlab -- vulnerabilities gitlab-ce gitlab-ee >= 16.11.0 and < 16.11.1; >= 16.10.0 and < 16.10.4; >= 7.8.0 and < 16.9.6

Gitlab reports:

GitLab account takeover, under certain conditions, when using Bitbucket as an OAuth provider

Path Traversal leads to DoS and Restricted File Read

Unauthenticated ReDoS in FileFinder when using wildcard filters in project file search

Personal Access Token scopes not honoured by GraphQL subscriptions

Domain based restrictions bypass using a crafted email address

CVE-2024-4024 CVE-2024-2434 CVE-2024-2829 CVE-2024-4006 CVE-2024-1347 https://about.gitlab.com/releases/2024/04/24/patch-release-gitlab-16-11-1-released/ 2024-04-24 2024-04-24
powerdns-recursor -- denial of service powerdns-recursor 5.0.4

PowerDNS Team reports:

PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor

CVE-2024-25583 https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html 2024-04-24 2024-04-24
GLPI -- multiple vulnerabilities glpi 10.0.13,1

GLPI team reports:

GLPI 10.0.13 Changelog

  • [SECURITY - high] SQL Injection through the search engine (CVE-2024-27096)
  • [SECURITY - moderate] Blind SSRF using Arbitrary Object Instantiation (CVE-2024-27098)
  • [SECURITY - moderate] Stored XSS in dashboards (CVE-2024-27104)
  • [SECURITY - moderate] Reflected XSS in debug mode (CVE-2024-27914)
  • [SECURITY - moderate] Sensitive fields access through dropdowns (CVE-2024-27930)
  • [SECURITY - moderate] Users emails enumeration (CVE-2024-27937)
CVE-2024-27096 CVE-2024-27098 CVE-2024-27104 CVE-2024-27914 CVE-2024-27930 CVE-2024-27937 https://github.com/glpi-project/glpi/releases/tag/10.0.13 2024-03-13 2024-04-22
GLPI -- multiple vulnerabilities glpi 10.0.12,1

GLPI team reports:

GLPI 10.0.12 Changelog

  • [SECURITY - moderate] Reflected XSS in reports pages (CVE-2024-23645)
  • [SECURITY - moderate] LDAP Injection during authentication (CVE-2023-51446)
CVE-2024-23645 CVE-2023-51446 https://github.com/glpi-project/glpi/releases/tag/10.0.12 2024-02-01 2024-04-22
GLPI -- multiple vulnerabilities glpi 10.0.11,1

GLPI team reports:

GLPI 10.0.11 Changelog

  • [SECURITY - moderate] Authenticated SQL Injection (CVE-2023-43813)
  • [SECURITY - high] SQL injection through inventory agent request (CVE-2023-46727)
  • [SECURITY - high] Remote code execution from LDAP server configuration form on PHP 7.4 (CVE-2023-46726)
CVE-2023-43813 CVE-2023-46727 CVE-2023-46726 https://github.com/glpi-project/glpi/releases/tag/10.0.11 2023-12-13 2024-04-22
ruby -- Arbitrary memory address read vulnerability with Regex search ruby >= 3.1.0,1 and < 3.1.5,1; >= 3.2.0,1 and < 3.2.4,1; >= 3.3.0,1 and < 3.3.1,1 ruby31 >= 3.1.0,1 and < 3.1.5,1 ruby32 >= 3.2.0,1 and < 3.2.4,1 ruby33 >= 3.3.0,1 and < 3.3.1,1

sp2ip reports:

If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.

CVE-2024-27282 https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/ 2024-04-23 2024-04-23
sdl2_sound -- multiple vulnerabilities sdl2_sound 2.0.2_1

GitHub Security Lab reports:

stb_image.h and stb_vorbis libraries contain several memory access violations of different severity

  1. Wild address read in stbi__gif_load_next (GHSL-2023-145).
  2. Multi-byte read heap buffer overflow in stbi__vertical_flip (GHSL-2023-146).
  3. Disclosure of uninitialized memory in stbi__tga_load (GHSL-2023-147).
  4. Double-free in stbi__load_gif_main_outofmem (GHSL-2023-148).
  5. Null pointer dereference in stbi__convert_format (GHSL-2023-149).
  6. Possible double-free or memory leak in stbi__load_gif_main (GHSL-2023-150).
  7. Null pointer dereference because of an uninitialized variable (GHSL-2023-151).
  8. 0 byte write heap buffer overflow in start_decoder (GHSL-2023-165)
  9. Multi-byte write heap buffer overflow in start_decoder (GHSL-2023-166)
  10. Heap buffer out of bounds write in start_decoder (GHSL-2023-167)
  11. Off-by-one heap buffer write in start_decoder (GHSL-2023-168)
  12. Attempt to free an uninitialized memory pointer in vorbis_deinit (GHSL-2023-169)
  13. Null pointer dereference in vorbis_deinit (GHSL-2023-170)
  14. Out of bounds heap buffer write (GHSL-2023-171)
  15. Wild address read in vorbis_decode_packet_rest (GHSL-2023-172)
CVE-2023-45676 CVE-2023-45677 CVE-2023-45680 CVE-2023-45681 CVE-2023-45682 https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ 2023-10-20 2024-04-22
chromium -- multiple security fixes chromium 124.0.6367.60 ungoogled-chromium 124.0.6367.60

Chrome Releases reports:

This update includes 23 security fixes:

  • [331358160] High CVE-2024-3832: Object corruption in V8. Reported by Man Yue Mo of GitHub Security Lab on 2024-03-27
  • [331383939] High CVE-2024-3833: Object corruption in WebAssembly. Reported by Man Yue Mo of GitHub Security Lab on 2024-03-27
  • [330759272] High CVE-2024-3914: Use after free in V8. Reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024 on 2024-03-21
  • [326607008] High CVE-2024-3834: Use after free in Downloads. Reported by ChaobinZhang on 2024-02-24
  • [41491379] Medium CVE-2024-3837: Use after free in QUIC. Reported by {rotiple, dch3ck} of CW Research Inc. on 2024-01-15
  • [328278717] Medium CVE-2024-3838: Inappropriate implementation in Autofill. Reported by Ardyan Vicky Ramadhan on 2024-03-06
  • [41491859] Medium CVE-2024-3839: Out of bounds read in Fonts. Reported by Ronald Crane (Zippenhop LLC) on 2024-01-16
  • [41493458] Medium CVE-2024-3840: Insufficient policy enforcement in Site Isolation. Reported by Ahmed ElMasry on 2024-01-22
  • [330376742] Medium CVE-2024-3841: Insufficient data validation in Browser Switcher. Reported by Oleg on 2024-03-19
  • [41486690] Medium CVE-2024-3843: Insufficient data validation in Downloads. Reported by Azur on 2023-12-24
  • [40058873] Low CVE-2024-3844: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2022-02-23
  • [323583084] Low CVE-2024-3845: Inappropriate implementation in Network. Reported by Daniel Baulig on 2024-02-03
  • [40064754] Low CVE-2024-3846: Inappropriate implementation in Prompts. Reported by Ahmed ElMasry on 2023-05-23
  • [328690293] Low CVE-2024-3847: Insufficient policy enforcement in WebUI. Reported by Yan Zhu on 2024-03-08
CVE-2024-3832 CVE-2024-3833 CVE-2024-3914 CVE-2024-3834 CVE-2024-3837 CVE-2024-3838 CVE-2024-3839 CVE-2024-3840 CVE-2024-3841 CVE-2024-3843 CVE-2024-3844 CVE-2024-3845 CVE-2024-3846 CVE-2024-3847 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html 2024-04-16 2024-04-21
clamav -- Possible crash in the HTML file parser that could cause a denial-of-service (DoS) condition clamav >= 1.3.0,1 and < 1.3.1,1

Błażej Pawłowski reports:

A vulnerability in the HTML parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an issue in the C to Rust foreign function interface. An attacker could exploit this vulnerability by submitting a crafted file containing HTML content to be scanned by ClamAV on an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

CVE-2024-20380 https://blog.clamav.net/2024/04/clamav-131-123-106-patch-versions.html 2024-04-17 2024-04-19
jenkins -- Terrapin SSH vulnerability in Jenkins CLI client jenkins 2.452 jenkins-lts 2.440.3

Jenkins Security Advisory:

Description

(Medium) SECURITY-3386 / CVE-2023-48795

Terrapin SSH vulnerability in Jenkins CLI client

CVE-2023-48795 https://www.jenkins.io/security/advisory/2024-04-17/ 2024-04-17 2024-04-19
electron{27,28,29} -- multiple vulnerabilities electron27 27.3.11 electron28 28.3.1 electron29 29.3.1

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-3515.
  • Security: backported fix for CVE-2024-3516.
  • Security: backported fix for CVE-2024-3157.
  • Security: backported fix for CVE-2024-1580.
CVE-2024-3515 https://github.com/advisories/GHSA-x6cj-gx36-vcxv CVE-2024-3516 https://github.com/advisories/GHSA-jf9g-42gm-v87w CVE-2024-3157 https://github.com/advisories/GHSA-4m4g-p795-cmq7 CVE-2024-1580 https://github.com/advisories/GHSA-3p7f-4r2q-wxmm 2024-04-16 2024-04-18
php -- Multiple vulnerabilities php81 8.1.28 php82 8.2.18 php83 8.3.6

This update includes 3 security fixes:

  • High CVE-2024-1874: Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows
  • Medium CVE-2024-2756: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
  • High CVE-2024-2757: mb_encode_mimeheader runs endlessly for some inputs
CVE-2024-1874 https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7 CVE-2024-2756 https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4 CVE-2024-3096 https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr CVE-2024-2757 https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq 2024-04-11 2024-04-16
go -- http2: close connections when receiving too many headers go122 1.22.2 go121 1.21.9

The Go project reports:

http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.

CVE-2023-45288 https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M/m/khALNYGdAAAJ 2024-04-03 2024-04-15
chromium -- multiple security fixes chromium 123.0.6312.122 ungoogled-chromium 123.0.6312.122

Chrome Releases reports:

This update includes 3 security fixes:

  • [331237485] High CVE-2024-3157: Out of bounds write in Compositing. Reported by DarkNavy on 2024-03-26
  • [328859176] High CVE-2024-3516: Heap buffer overflow in ANGLE. Reported by Bao (zx) Pham and Toan (suto) Pham of Qrious Secure on 2024-03-09
  • [331123811] High CVE-2024-3515: Use after free in Dawn. Reported by wgslfuzz on 2024-03-25
CVE-2024-3157 CVE-2024-3516 CVE-2024-3515 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_10.html 2024-04-10 2024-04-12
PuTTY and embedders (e.g., FileZilla) -- biased RNG with NIST P521/ecdsa-sha2-nistp521 signatures permits recovering private key putty >= 0.68 and < 0.81 putty-nogtk >= 0.68 and < 0.81 filezilla < 3.67.0

Simon Tatham reports:

ECDSA signatures using 521-bit keys (the NIST P521 curve, otherwise known as ecdsa-sha2-nistp521) were generated with biased random numbers. This permits an attacker in possession of a few dozen signatures to RECOVER THE PRIVATE KEY.

Any 521-bit ECDSA private key that PuTTY or Pageant has used to sign anything should be considered compromised.

Additionally, if you have any 521-bit ECDSA private keys that you've used with PuTTY, you should consider them to be compromised: generate new keys, and remove the old public keys from any authorized_keys files.

A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), [...] and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.

CVE-2024-31497 https://lists.tartarus.org/pipermail/putty-announce/2024/000038.html https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html https://git.tartarus.org/?h=c193fe9848f50a88a4089aac647fecc31ae96d27&p=simon/putty.git https://filezilla-project.org/versions.php https://nvd.nist.gov/vuln/detail/CVE-2024-31497 2024-04-01 2024-04-16
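The advisory's remediation step is operational: find every P-521 ECDSA key that PuTTY or Pageant may have signed with and remove it from authorized_keys files. The script below is an added example written for this entry, not PuTTY project code. It reads the key type from inside the base64 blob (RFC 4253 string encoding, RFC 5656 section 3.1 layout) rather than trusting the text column, because the blob is what sshd actually uses. The sample file, the dummy EC points and the helper names are constructed here.

```python
"""Flag ecdsa-sha2-nistp521 entries in an authorized_keys file.

Added example, not PuTTY project code. The authorized_keys lines below are
constructed (the EC points are dummy bytes, not real keys) so the script
runs offline; the key type is parsed from inside the blob (RFC 4253 strings,
RFC 5656 3.1 layout) because that, not the text column, is what sshd trusts.
"""
import base64
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data):
    """Encode an RFC 4253 string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf, offset):
    """Decode one RFC 4253 string at offset; returns (bytes, new_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated string body")
    return buf[offset:offset + length], offset + length


def build_ecdsa_blob(curve, point):
    """Base64 blob of an ecdsa-sha2-<curve> public key (RFC 5656 3.1)."""
    key_type = "ecdsa-sha2-" + curve
    blob = ssh_string(key_type.encode()) + ssh_string(curve.encode()) + ssh_string(point)
    return base64.b64encode(blob).decode()


def blob_key_type(blob_b64):
    """Return (key_type, curve) parsed from the blob; curve is None for non-ECDSA."""
    blob = base64.b64decode(blob_b64, validate=True)   # binascii.Error is a ValueError
    key_type, off = read_ssh_string(blob, 0)
    key_type = key_type.decode("ascii")
    curve = None
    if key_type.startswith("ecdsa-sha2-"):
        curve, off = read_ssh_string(blob, off)
        curve = curve.decode("ascii")
    return key_type, curve


def find_p521_keys(authorized_keys_text):
    """Return (line_no, blob_key_type, comment, note) for lines needing attention:
    P-521 ECDSA keys, blobs disagreeing with the text column, unparseable blobs."""
    findings = []
    for line_no, raw in enumerate(authorized_keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Options such as from="10.0.0.0/8",no-pty may precede the key type.
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        text_type, blob = tokens[idx], tokens[idx + 1]
        comment = " ".join(tokens[idx + 2:])
        try:
            blob_type, curve = blob_key_type(blob)
        except (ValueError, UnicodeDecodeError) as exc:
            findings.append((line_no, "unparseable", comment, str(exc)))
            continue
        if blob_type == "ecdsa-sha2-nistp521" or curve == "nistp521":
            findings.append((line_no, blob_type, comment,
                             "P-521 ECDSA key: rotate if it was ever used with PuTTY or Pageant"))
        elif text_type != blob_type:
            findings.append((line_no, blob_type, comment,
                             "text column says %s but the blob says %s" % (text_type, blob_type)))
    return findings


# Constructed sample file; the blobs carry dummy points, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    "ecdsa-sha2-nistp256 " + build_ecdsa_blob("nistp256", b"\x04" + b"\x11" * 64) + " alice@laptop",
    'from="10.0.0.0/8",no-pty ecdsa-sha2-nistp521 '
    + build_ecdsa_blob("nistp521", b"\x04" + b"\x22" * 132) + " bob@putty",
    "ssh-ed25519 " + base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(b"\x33" * 32)).decode()
    + " carol@ws",
    # The text column claims P-256 but the blob is a P-521 key.
    "ecdsa-sha2-nistp256 " + build_ecdsa_blob("nistp521", b"\x04" + b"\x44" * 132) + " mallory",
])

if __name__ == "__main__":
    for line_no, key_type, comment, note in find_p521_keys(SAMPLE_AUTHORIZED_KEYS):
        print("line %d: %s %r: %s" % (line_no, key_type, comment, note))
```

Point the script at a real file with `find_p521_keys(open(path).read())`. It only identifies candidates; whether a given P-521 key was ever used with PuTTY or Pageant is something the key owner has to answer, which is why the advisory's guidance is to rotate rather than audit.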
electron{27,28} -- Out of bounds memory access in V8 electron27 27.3.10 electron28 28.3.0

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-3159.
CVE-2024-3159 https://github.com/advisories/GHSA-mh2p-2x66-3hr4 2024-04-10 2024-04-11
OpenSSL -- Unbounded memory growth with session handling in TLSv1.3 openssl 3.0.13_3,1 openssl31 3.1.5_3 openssl32 3.2.1_2 openssl-quictls 3.0.13_3 openssl31-quictls 3.1.5_1

The OpenSSL project reports:

Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions

CVE-2024-2511 https://www.openssl.org/news/secadv/20240408.txt 2024-04-08 2024-04-11
forgejo -- HTTP/2 CONTINUATION flood in net/http forgejo 1.21.8

security@golang.org reports:

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

CVE-2023-45288 https://nvd.nist.gov/vuln/detail/CVE-2023-45288 2024-04-04 2024-04-11
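The Go and Forgejo entries above describe the same flaw: the receiver must parse every HEADERS and CONTINUATION payload to keep HPACK state in sync, so an attacker who never sends END_HEADERS can make it read without bound, and the fix is to count the excess past MaxHeaderBytes and close the connection once a budget is exhausted. The model below is an added example, not Go's net/http or golang.org/x/net/http2 code. It serializes HTTP/2 frames (RFC 7540 section 4.1), feeds a constructed CONTINUATION flood through a receiver with and without the excess budget, and reports how many bytes each variant parsed. The budget value, the `receive_header_block` API and the filler payloads (not real HPACK) are assumptions made here.

```python
"""Bound the header bytes an HTTP/2 receiver parses for one request.

Added example for the Go net/http and Forgejo entries; not Go's code. Once a
request's header block exceeds max_header_bytes the receiver stops storing,
counts the excess, and closes the connection when the excess passes a budget.
Budget value and frame payloads (filler, not HPACK) are constructed here.
"""
import struct

FRAME_HEADERS = 0x1        # RFC 7540 section 6.2
FRAME_CONTINUATION = 0x9   # RFC 7540 section 6.10
FLAG_END_HEADERS = 0x4


def frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, type, flags, R bit + 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length


def receive_header_block(data, max_header_bytes, excess_budget=None):
    """Consume one HEADERS frame plus its CONTINUATION frames from data.

    Returns a dict: status is 'ok' (completed within the limit), 'rejected'
    (completed but larger than max_header_bytes), 'closed' (excess budget
    exhausted before END_HEADERS) or 'incomplete' (data ran out, still
    waiting); parsed counts payload bytes examined, stored the bytes kept for
    HPACK decoding, frames the frames consumed. excess_budget=None is the
    unbounded pre-fix behaviour.
    """
    stored = bytearray()
    parsed = excess = frames = 0
    stream_id = None
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype not in (FRAME_HEADERS, FRAME_CONTINUATION) or stream_id not in (None, sid):
            raise ValueError("PROTOCOL_ERROR: header block interleaved with another frame")
        stream_id = sid
        frames += 1
        parsed += len(payload)                      # parsed whether or not we keep it
        room = max(max_header_bytes - len(stored), 0)
        stored += payload[:room]                    # keep only up to the limit
        excess += max(len(payload) - room, 0)       # the rest is decoded and discarded
        if excess_budget is not None and excess > excess_budget:
            return {"status": "closed", "parsed": parsed, "stored": len(stored), "frames": frames}
        if flags & FLAG_END_HEADERS:
            status = "rejected" if excess else "ok"
            return {"status": status, "parsed": parsed, "stored": len(stored), "frames": frames}
    return {"status": "incomplete", "parsed": parsed, "stored": len(stored), "frames": frames}


def continuation_flood(n_frames, frame_size, stream_id=1):
    """HEADERS followed by CONTINUATION frames that never set END_HEADERS."""
    filler = b"\x00" * frame_size                   # constructed filler, not real HPACK
    out = frame(FRAME_HEADERS, 0, stream_id, filler)
    for _ in range(n_frames - 1):
        out += frame(FRAME_CONTINUATION, 0, stream_id, filler)
    return out


if __name__ == "__main__":
    flood = continuation_flood(n_frames=100, frame_size=4096)
    print("pre-fix :", receive_header_block(flood, max_header_bytes=65536))
    print("post-fix:", receive_header_block(flood, max_header_bytes=65536, excess_budget=65536))
```

With a 64 KiB header limit and a 64 KiB excess budget the patched receiver gives up after 33 frames, while the unbounded one parses all 400 KiB and is still waiting for END_HEADERS, which is exactly the state an attacker keeps it in. Real receivers additionally decode the discarded bytes through HPACK, so the Huffman cost the advisory mentions applies to every byte counted in `parsed`.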
jose -- DoS vulnerability jose 13

cve@mitre.org reports:

latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

CVE-2023-50967 https://nvd.nist.gov/vuln/detail/CVE-2023-50967 2024-03-20 2024-04-11
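The JWE sender chooses `p2c`, so a receiver that runs PBKDF2 before bounding it does attacker-controlled work. The block below is an added example for this entry, not latchset jose code: it decodes a compact JWE's protected header, validates `alg`, `p2c` and `p2s`, and only then derives the key-wrapping key per RFC 7518 section 4.8.1.1 (salt = UTF8(alg) || 0x00 || p2s, PRF and key length from the alg name). The `MAX_P2C` cap, the sample headers and the password are assumptions constructed here.

```python
"""Reject oversized PBES2 iteration counts before deriving a JWE key.

Added example for the jose entry; not latchset jose code. The headers, the
password and the MAX_P2C cap are constructed assumptions. The derivation
follows RFC 7518 section 4.8.1.1.
"""
import base64
import hashlib
import json

# (PRF, derived key length in bytes) per alg, RFC 7518 section 4.8.1.
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}
MIN_P2C = 1000          # RFC 7518 recommends p2c of at least 1000
MAX_P2C = 10_000_000    # assumed receiver policy; set it to what your CPU budget allows


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_protected_header(jwe_compact):
    """Decode the protected header, the first dot-separated JWE segment."""
    return json.loads(b64url_decode(jwe_compact.split(".", 1)[0]))


def check_pbes2_header(header, max_p2c=MAX_P2C):
    """Validate alg, p2c and p2s before any PBKDF2 work. Raises ValueError."""
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        raise ValueError("unsupported alg %r" % (alg,))
    p2c = header.get("p2c")
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < MIN_P2C:
        raise ValueError("p2c must be an integer >= %d" % MIN_P2C)
    if p2c > max_p2c:
        # The missing check behind CVE-2023-50967: the sender picks p2c, and
        # without a cap the receiver performs that many PBKDF2 rounds.
        raise ValueError("p2c %d exceeds cap %d" % (p2c, max_p2c))
    p2s = header.get("p2s")
    if not isinstance(p2s, str):
        raise ValueError("p2s missing")
    salt_input = b64url_decode(p2s)
    if len(salt_input) < 8:
        raise ValueError("p2s must be at least 8 octets")
    return alg, p2c, salt_input


def derive_pbes2_key(password, header, max_p2c=MAX_P2C):
    """Derive the AES key-wrapping key for a header that passed the checks."""
    alg, p2c, salt_input = check_pbes2_header(header, max_p2c)
    prf, key_len = PBES2_ALGS[alg]
    salt = alg.encode("utf-8") + b"\x00" + salt_input      # RFC 7518 4.8.1.1
    return hashlib.pbkdf2_hmac(prf, password, salt, p2c, dklen=key_len)


def jwe_accepted(jwe_compact, max_p2c=MAX_P2C):
    """True if the compact JWE's protected header passes the PBES2 checks."""
    try:
        check_pbes2_header(parse_protected_header(jwe_compact), max_p2c)
        return True
    except (ValueError, AttributeError):
        return False


def make_jwe_prefix(alg, p2c, salt_input):
    """Protected header segment plus placeholder segments (constructed input)."""
    hdr = {"alg": alg, "enc": "A128CBC-HS256", "p2c": p2c, "p2s": b64url_encode(salt_input)}
    return b64url_encode(json.dumps(hdr, separators=(",", ":")).encode()) + ".cek.iv.ct.tag"


BENIGN_JWE = make_jwe_prefix("PBES2-HS256+A128KW", 4096, b"\x01" * 16)
HOSTILE_JWE = make_jwe_prefix("PBES2-HS256+A128KW", 2**31 - 1, b"\x01" * 16)

if __name__ == "__main__":
    for label, jwe in (("benign", BENIGN_JWE), ("hostile", HOSTILE_JWE)):
        print(label, parse_protected_header(jwe)["p2c"], "accepted" if jwe_accepted(jwe) else "rejected")
```

The property that matters is ordering: `hashlib.pbkdf2_hmac` is never reached unless `check_pbes2_header` has accepted `p2c`, so a hostile header costs one JSON parse rather than two billion HMAC rounds. Pick `MAX_P2C` from the iteration counts your own senders actually use, not from what PBKDF2 can tolerate.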
Gitlab -- Patch Release: 16.10.2, 16.9.4, 16.8.6 gitlab-ce >= 16.10.0 and < 16.10.2; >= 16.9.0 and < 16.9.4; < 16.8.6

Gitlab reports:

Stored XSS injected in diff viewer

Stored XSS via autocomplete results

Redos on Integrations Chat Messages

Redos During Parse Junit Test Report

CVE-2024-3092 CVE-2024-2279 CVE-2023-6489 CVE-2023-6678 https://about.gitlab.com/releases/2024/04/10/patch-release-gitlab-16-10-2-released/ 2024-04-10 2024-04-11
wordpress -- XSS wordpress fr-wordpress-fr_FR >= 6.5.0,1 and < 6.5.1,1; < 6.4.4,1 ru-wordpress-ru_RU ja-wordpress-ja zh-wordpress-zh_CN zh-wordpress-zh_TW de-wordpress-de_DE >= 6.5.0 and < 6.5.1; < 6.4.4

The Wordpress team reports:

A cross-site scripting (XSS) vulnerability affecting the Avatar block type

https://wordpress.org/documentation/wordpress-version/version-6-4-4/ 2024-04-09 2024-04-10
Apache httpd -- multiple vulnerabilities apache24 2.4.59 mod_http2 2.0.27

The Apache httpd project reports:

HTTP/2 DoS by memory exhaustion on endless continuation frames

HTTP Response Splitting in multiple modules

CVE-2024-27316 CVE-2024-24795 CVE-2024-38709 https://downloads.apache.org/httpd/CHANGES_2.4.59 2024-04-04 2024-04-05
electron{27,28} -- multiple vulnerabilities electron27 27.3.9 electron28 28.2.10

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-2885.
  • Security: backported fix for CVE-2024-2883.
  • Security: backported fix for CVE-2024-2887.
  • Security: backported fix for CVE-2024-2886.
CVE-2024-2885 https://github.com/advisories/GHSA-qccw-wmvp-8pv9 CVE-2024-2883 https://github.com/advisories/GHSA-gg9c-7j6m-3qq2 CVE-2024-2887 https://github.com/advisories/GHSA-q75f-2pp5-9phj CVE-2024-2886 https://github.com/advisories/GHSA-5pj4-f8gh-j3mr 2024-04-03 2024-04-05
chromium -- multiple security fixes chromium 123.0.6312.105 ungoogled-chromium 123.0.6312.105

Chrome Releases reports:

This update includes 3 security fixes:

  • [329130358] High CVE-2024-3156: Inappropriate implementation in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-03-12
  • [329965696] High CVE-2024-3158: Use after free in Bookmarks. Reported by undoingfish on 2024-03-17
  • [330760873] High CVE-2024-3159: Out of bounds memory access in V8. Reported by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks, via Pwn2Own 2024 on 2024-03-22
CVE-2024-3156 CVE-2024-3158 CVE-2024-3159 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop.html 2024-04-02 2024-04-04
xorg server -- Multiple vulnerabilities xorg-server xephyr xorg-vfbserver < 21.1.12,1 xorg-nextserver < 21.1.12,2 xwayland < 23.2.5 xwayland-devel >= 21.0.99.1.672 and < 21.0.99.1.841_1; < 21.0.99.1.671_1

The X.Org project reports:

  • CVE-2024-31080: Heap buffer overread/data leakage in ProcXIGetSelectedEvents

    The ProcXIGetSelectedEvents() function uses the byte-swapped length of the return data for the amount of data to return to the client, if the client has a different endianness than the X server.

  • CVE-2024-31081: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice

    The ProcXIPassiveGrabDevice() function uses the byte-swapped length of the return data for the amount of data to return to the client, if the client has a different endianness than the X server.

  • CVE-2024-31083: Use-after-free in ProcRenderAddGlyphs

    The ProcRenderAddGlyphs() function calls the AllocateGlyph() function to store new glyphs sent by the client to the X server. AllocateGlyph() would return a new glyph with refcount=0 and a re-used glyph would end up not changing the refcount at all. The resulting glyph_new array would thus have multiple entries pointing to the same non-refcounted glyphs. ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when the same glyph pointer is then later used.

CVE-2024-31080 CVE-2024-31081 CVE-2024-31083 https://lists.x.org/archives/xorg-announce/2024-April/003497.html 2024-04-03 2024-04-04
jenkins -- HTTP/2 denial of service vulnerability in bundled Jetty jenkins 2.444 jenkins-lts 2.440.2

Jenkins Security Advisory:

Description

(High) SECURITY-3379 / CVE-2024-22201

HTTP/2 denial of service vulnerability in bundled Jetty

CVE-2024-22201 https://www.jenkins.io/security/advisory/2024-03-20/ 2024-03-20 2024-04-02
mediawiki -- multiple vulnerabilities mediawiki139 1.39.7 mediawiki140 1.40.3 mediawiki141 1.41.1

Mediawiki reports:

(T355538, CVE-2024-PENDING) SECURITY: XSS in edit summary parser.

(T357760, CVE-2024-PENDING) SECURITY: Denial of service vector via GET request to Special:MovePage on pages with thousands of subpages.

https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/V3WXEPXV2DU6WTVEKK4XHW4QXD5OFKD7/ 2024-03-15 2024-03-31
electron{27,28} -- Object lifecycle issue in V8 electron27 27.3.8 electron28 28.2.9

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-2625.
CVE-2024-2625 https://github.com/advisories/GHSA-j7h3-fcrw-g6j8 2024-03-28 2024-03-29
Gitlab -- vulnerabilities gitlab-ce >= 16.10.0 and < 16.10.1; >= 16.9.0 and < 16.9.3; < 16.8.5

Gitlab reports:

Stored-XSS injected in Wiki page via Banzai pipeline

DOS using crafted emojis

CVE-2023-6371 CVE-2024-2818 https://about.gitlab.com/releases/2024/03/27/security-release-gitlab-16-10-1-released/ 2024-03-27 2024-03-28
chromium -- multiple security fixes chromium 123.0.6312.86 ungoogled-chromium 123.0.6312.86

Chrome Releases reports:

This update includes 7 security fixes:

  • [327807820] Critical CVE-2024-2883: Use after free in ANGLE. Reported by Cassidy Kim(@cassidy6564) on 2024-03-03
  • [328958020] High CVE-2024-2885: Use after free in Dawn. Reported by wgslfuzz on 2024-03-11
  • [330575496] High CVE-2024-2886: Use after free in WebCodecs. Reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024 on 2024-03-21
  • [330588502] High CVE-2024-2887: Type Confusion in WebAssembly. Reported by Manfred Paul, via Pwn2Own 2024 on 2024-03-21
CVE-2024-2883 CVE-2024-2885 CVE-2024-2886 CVE-2024-2887 https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_26.html 2024-03-26 2024-03-27
phpmyfaq -- multiple vulnerabilities phpmyfaq-php81 phpmyfaq-php82 phpmyfaq-php83 3.2.6

phpMyFAQ team reports:

The phpMyFAQ Team has learned of multiple security issues that'd been discovered in phpMyFAQ 3.2.5 and earlier. phpMyFAQ contains cross-site scripting (XSS), SQL injection and bypass vulnerabilities.

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-mmh6-5cpf-2c72 https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-hm8r-95g3-5hj9 https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-48vw-jpf8-hwqh https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-2grw-mc9r-822r https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-6p68-36m6-392r https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pwh2-fpfr-x5gf https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-q7g6-xfh2-vhpx https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-qgxx-4xv5-6hcw 2024-03-25 2024-03-26
emacs -- multiple vulnerabilities emacs emacs-canna emacs-nox 29.3,3

GNU Emacs developers report:

Emacs 29.3 is an emergency bugfix release intended to fix several security vulnerabilities.

  • Arbitrary Lisp code is no longer evaluated as part of turning on Org mode. This is for security reasons, to avoid evaluating malicious Lisp code.
  • New buffer-local variable 'untrusted-content'. When this is non-nil, Lisp programs should treat buffer contents with extra caution.
  • Gnus now treats inline MIME contents as untrusted. To get back previous insecure behavior, 'untrusted-content' should be reset to nil in the buffer.
  • LaTeX preview is now by default disabled for email attachments. To get back previous insecure behavior, set the variable 'org--latex-preview-when-risky' to a non-nil value.
  • Org mode now considers contents of remote files to be untrusted. Remote files are recognized by calling 'file-remote-p'.
CVE-2024-30202 CVE-2024-30203 CVE-2024-30204 CVE-2024-30205 https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29.3 2024-03-24 2024-03-26
quiche -- Multiple Vulnerabilities quiche 0.20.1

Quiche Releases reports:

This release includes 2 security fixes:

  • CVE-2024-1410: Unbounded storage of information related to connection ID retirement, in quiche. Reported by Marten Seeman (@marten-seeman)
  • CVE-2024-1765: Unlimited resource allocation by QUIC CRYPTO frames flooding in quiche. Reported by Marten Seeman (@marten-seeman)
CVE-2024-1410 CVE-2024-1765 https://github.com/cloudflare/quiche/releases/tag/0.20.1 2024-03-12 2024-03-26
chromium -- multiple security fixes chromium 123.0.6312.58 ungoogled-chromium 123.0.6312.58

Chrome Releases reports:

This update includes 12 security fixes:

  • [327740539] High CVE-2024-2625: Object lifecycle issue in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-03-01
  • [40945098] Medium CVE-2024-2626: Out of bounds read in Swiftshader. Reported by Cassidy Kim(@cassidy6564) on 2023-11-22
  • [41493290] Medium CVE-2024-2627: Use after free in Canvas. Reported by Anonymous on 2024-01-21
  • [41487774] Medium CVE-2024-2628: Inappropriate implementation in Downloads. Reported by Ath3r1s on 2024-01-03
  • [41487721] Medium CVE-2024-2629: Incorrect security UI in iOS. Reported by Muneaki Nishimura (nishimunea) on 2024-01-02
  • [41481877] Medium CVE-2024-2630: Inappropriate implementation in iOS. Reported by James Lee (@Windowsrcer) on 2023-12-07
  • [41495878] Low CVE-2024-2631: Inappropriate implementation in iOS. Reported by Ramit Gangwar on 2024-01-29
CVE-2024-2625 CVE-2024-2626 CVE-2024-2627 CVE-2024-2628 CVE-2024-2629 CVE-2024-2630 CVE-2024-2631 https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_19.html 2024-03-19 2024-03-22
security/shibboleth-idp -- CAS service SSRF shibboleth-idp >= 4.3.0 and < 4.3.2; >= 5.0.0 and < 5.1.1

Shibboleth Developers report:

The Identity Provider's CAS support relies on a function in the Spring Framework to parse CAS service URLs and append the ticket parameter.

https://shibboleth.net/community/advisories/secadv_20240320.txt 2024-03-20 2024-03-21
databases/mongodb* -- Improper Certificate Validation mongodb44 4.4.29 mongodb50 5.0.25 mongodb60 6.0.14 mongodb70 7.0.6

MongoDB, Inc. reports:

A security vulnerability was found where a server process running MongoDB 3.2.6 or later will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured (CVE-2024-1351).

CVE-2024-1351 https://nvd.nist.gov/vuln/detail/CVE-2024-1351 2024-03-07 2024-03-20
www/varnish7 -- Denial of Service varnish7 7.4.3

The Varnish Development Team reports:

A denial of service attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker can let the server's HTTP/2 connection flow control window run out of credits indefinitely and prevent progress in the processing of streams, retaining the associated resources.

CVE-2023-43622 https://varnish-cache.org/security/VSV00014.html#vsv00014 2019-04-19 2024-03-18
amavisd-new -- multipart boundary confusion amavisd-new 2.12.3

The Amavis project reports:

Emails which consist of multiple parts (`Content-Type: multipart/*`) incorporate boundary information stating at which point one part ends and the next part begins.

A boundary is announced by a Content-Type header's `boundary` parameter. To our current knowledge, RFC2046 and RFC2045 do not explicitly specify how a parser should handle multiple boundary parameters that contain conflicting values. As a result, there is no canonical choice of which of the values should or should not be used for MIME part decomposition.

CVE-2024-28054 https://gitlab.com/amavis/amavis/-/raw/v2.12.3/README_FILES/README.CVE-2024-28054 2024-03-14 2024-03-17
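The practical consequence of the advisory is that a scanner and a mail client may pick different `boundary` values from the same header and therefore see different parts. The block below is an added example for this entry, not Amavis code: it lists every boundary parameter on the top-level Content-Type (RFC 2045 section 5.1 token and quoted-string forms), splits the body under each candidate (RFC 2046 section 5.1.1 delimiters), shows that the two decompositions disagree, and gives the check a gateway can apply before scanning. The sample message and the helper names are constructed here; `stdlib_choice` reports what Python's own email package does with the conflict.

```python
"""Detect and compare conflicting multipart boundary parameters.

Added example for the Amavis entry; not Amavis code. The message is
constructed here. Parameter grammar: RFC 2045 5.1; delimiters: RFC 2046 5.1.1.
"""
import email
import re
from email import policy

# One ';'-separated parameter: name=token or name="quoted string".
_PARAM_RE = re.compile(
    r''';\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]+)''')


def content_type_params(value):
    """All (name, value) pairs in order, repeats included, quoting removed."""
    params = []
    for name, raw in _PARAM_RE.findall(value):
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        params.append((name.lower(), raw))
    return params


def boundaries(content_type_value):
    return [v for n, v in content_type_params(content_type_value) if n == "boundary"]


def split_multipart(body, boundary):
    """Part bodies a parser using `boundary` would see; preamble/epilogue dropped."""
    delim = b"--" + boundary.encode("ascii")
    parts, current = [], None
    for line in body.split(b"\r\n"):
        if line == delim or line == delim + b"--":
            if current is not None:
                parts.append(b"\r\n".join(current))
            if line == delim:
                current = []
                continue
            break                                   # closing delimiter reached
        if current is not None:
            current.append(line)
    return parts


def declared_boundaries(raw_message):
    """Boundary values named by the top-level Content-Type header."""
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    return boundaries(msg.get("Content-Type", ""))


def conflicting_boundary(raw_message):
    """True when the top-level Content-Type names two or more distinct boundaries,
    i.e. when scanner and client may decompose the message differently."""
    return len(set(declared_boundaries(raw_message))) > 1


def decompositions(raw_message):
    """Map each declared boundary to the parts a parser choosing it would produce."""
    _, _, body = raw_message.partition(b"\r\n\r\n")
    return {b: split_multipart(body, b) for b in declared_boundaries(raw_message)}


def stdlib_choice(raw_message):
    """Which boundary Python's email package (compat32 policy) uses: the first one."""
    return email.message_from_bytes(raw_message, policy=policy.compat32).get_boundary()


# Constructed sample: two boundary parameters on one Content-Type header.
SAMPLE = (
    b"From: sender@example.test\r\n"
    b"To: victim@example.test\r\n"
    b"Subject: constructed boundary-confusion sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="outer"; boundary="inner"\r\n'
    b"\r\n"
    b"--outer\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--inner\r\n"
    b"Content-Type: application/octet-stream; name=sample.bin\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"Y29uc3RydWN0ZWQgc2FtcGxlIHBheWxvYWQ=\r\n"
    b"--inner--\r\n"
    b"--outer--\r\n"
)

if __name__ == "__main__":
    print("conflict:", conflicting_boundary(SAMPLE), "stdlib picks:", stdlib_choice(SAMPLE))
    for b, parts in decompositions(SAMPLE).items():
        print(b, "->", [p.split(b"\r\n", 1)[0] for p in parts])
```

A parser using `outer` sees one text/plain part with the attachment buried inside it; a parser using `inner` sees one application/octet-stream part and treats everything before `--inner` as preamble. A gateway that rejects or quarantines on `conflicting_boundary` sidesteps the question of which choice is correct, which is the point of the advisory: the RFCs give no canonical answer.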
typo3-{11,12} -- multiple vulnerabilities typo3-11 11.5.35 typo3-12 12.4.11

Typo3 developers report:

All versions are security releases and contain important security fixes - read the corresponding security advisories here:

  • Path Traversal in TYPO3 File Abstraction Layer Storages CVE-2023-30451
  • Code Execution in TYPO3 Install Tool CVE-2024-22188
  • Information Disclosure of Hashed Passwords in TYPO3 Backend Forms CVE-2024-25118
  • Information Disclosure of Encryption Key in TYPO3 Install Tool CVE-2024-25119
  • Improper Access Control of Resources Referenced by t3:// URI Scheme CVE-2024-25120
  • Improper Access Control Persisting File Abstraction Layer Entities via Data Handler CVE-2024-25121
CVE-2023-30451 CVE-2024-22188 CVE-2024-25118 CVE-2024-25119 CVE-2024-25120 CVE-2024-25121 https://typo3.org/article/typo3-1301-12411-and-11535-security-releases-published 2024-02-13 2024-03-16
electron{27,28} -- Out of bounds memory access in V8 electron27 27.3.6 electron28 28.2.7

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-2173.
CVE-2024-2173 https://github.com/advisories/GHSA-6hhg-hj7x-7qv8 2024-03-13 2024-03-14
Intel CPUs -- multiple vulnerabilities cpu-microcode-intel 20240312

Intel reports:

2024.1 IPU - Intel Processor Bus Lock Advisory

A potential security vulnerability in the bus lock regulator mechanism for some Intel Processors may allow denial of service. Intel is releasing firmware updates to mitigate this potential vulnerability.

2024.1 IPU - Intel Processor Return Predictions Advisory

A potential security vulnerability in some Intel Processors may allow information disclosure.

2024.1 IPU - Intel Atom Processor Advisory

A potential security vulnerability in some Intel Atom Processors may allow information disclosure.

2024.1 IPU - Intel Xeon Processor Advisory

A potential security vulnerability in some 3rd and 4th Generation Intel Xeon Processors when using Intel Software Guard Extensions (SGX) or Intel Trust Domain Extensions (TDX) may allow escalation of privilege.

2024.1 IPU OOB - Intel Xeon D Processor Advisory

A potential security vulnerability in some Intel Xeon D Processors with Intel Software Guard Extensions (SGX) may allow information disclosure.

CVE-2023-39368 CVE-2023-38575 CVE-2023-28746 CVE-2023-22655 CVE-2023-43490 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312 2023-03-12 2024-03-12
Grafana -- Data source permission escalation grafana 8.5.09.5.17 10.0.010.0.12 10.1.010.1.8 10.2.010.2.5 10.3.010.3.4 grafana9 9.5.17

Grafana Labs reports:

The vulnerability impacts Grafana Cloud and Grafana Enterprise instances, and it is exploitable if a user who should not be able to access all data sources is granted permissions to create a data source.

By default, only organization Administrators are allowed to create a data source and have full access to all data sources. All other users need to be explicitly granted permission to create a data source, which then means they could exploit this vulnerability.

When a user creates a data source via the API, they can specify data source UID. If the UID is set to an asterisk (*), the user gains permissions to query, update, and delete all data sources in the organization. The exploit, however, does not stretch across organizations — to exploit the vulnerability in several organizations, a user would need permissions to create data sources in each organization.

The vulnerability comes from a lack of UID validation. When evaluating permissions, we interpret an asterisk (*) as a wild card for all resources. Therefore, we should treat it as a reserved value, and not allow the creation of a resource with the UID set to an asterisk.

The CVSS score for this vulnerability is 6 Medium.

CVE-2024-1442 https://grafana.com/security/security-advisories/cve-2024-1442/ 2024-02-12 2024-03-11 2024-03-26
Unbound -- Denial-of-Service vulnerability unbound 1.18.01.19.2

NLNet Labs reports:

Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; a non-default configuration.

CVE-2024-1931 https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-1931.txt 2024-03-07 2024-03-09
electron{27,28} -- vulnerability in libxml2 electron27 27.3.5 electron28 28.2.6

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-25062.
CVE-2024-25062 https://github.com/advisories/GHSA-x77r-6xxm-wjmx 2024-03-06 2024-03-07
Gitlab -- Vulnerabilities gitlab-ce 16.9.016.9.2 16.8.016.8.4 11.3.016.7.7

Gitlab reports:

Bypassing CODEOWNERS approval allowing to steal protected variables

Guest with manage group access tokens can rotate and see group access token with owner permissions

CVE-2024-0199 CVE-2024-1299 https://about.gitlab.com/releases/2024/03/06/security-release-gitlab-16-9-2-released/ 2024-03-06 2024-03-07
go -- multiple vulnerabilities go122 1.22.1 go121 1.21.8

The Go project reports:

crypto/x509: Verify panics on certificates with an unknown public key algorithm

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.

net/http: memory exhaustion in Request.ParseMultipartForm

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.

net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.

html/template: errors returned from MarshalJSON methods may break template escaping

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

net/mail: comments in display names are incorrectly handled

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24785 https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg/m/46oA5yPABQAJ 2024-03-05 2024-03-06
chromium -- multiple security fixes chromium 122.0.6261.111 ungoogled-chromium 122.0.6261.111

Chrome Releases reports:

This update includes 3 security fixes:

  • [325893559] High CVE-2024-2173: Out of bounds memory access in V8. Reported by 5fceb6172bbf7e2c5a948183b53565b9 on 2024-02-19
  • [325866363] High CVE-2024-2174: Inappropriate implementation in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be8 on 2024-02-19
  • [325936438] High CVE-2024-2176: Use after free in FedCM. Reported by Anonymous on 2024-02-20
CVE-2024-2173 CVE-2024-2174 CVE-2024-2176 https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop.html 2024-03-05 2024-03-06
Django -- multiple vulnerabilities py39-django32 py310-django32 py311-django32 3.2.25 py39-django42 py310-django42 py311-django42 4.2.11 py310-django50 py311-django50 5.0.3

Django reports:

CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words().

CVE-2024-27351 https://www.djangoproject.com/weblog/2024/mar/04/security-releases/ 2024-02-25 2024-03-04
NodeJS -- Vulnerabilities node 21.0.021.6.2 20.0.020.11.1 18.0.018.19.1 16.0.016.20.3 node16 16.0.016.20.3 node18 18.0.018.19.1 node20 20.0.020.11.1 node21 21.0.021.6.2

Node.js reports:

Code injection and privilege escalation through Linux capabilities - (High)

http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks - (High)

Path traversal by monkey-patching Buffer internals - (High)

setuid() does not drop all privileges due to io_uring - (High)

Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)

Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)

Improper handling of wildcards in --allow-fs-read and --allow-fs-write - (Medium)

Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)

CVE-2024-21892 CVE-2024-22019 CVE-2024-21896 CVE-2024-22017 CVE-2023-46809 CVE-2024-21891 CVE-2024-21890 CVE-2024-22025 https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#2024-02-14-version-20111-iron-lts-rafaelgss-prepared-by-marco-ippolito 2024-02-14 2024-03-01
electron{27,28} -- Use after free in Mojo electron27 27.3.4 electron28 28.2.5

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-1670.
CVE-2024-1670 https://github.com/advisories/GHSA-wjv4-j3hc-gxvv 2024-02-28 2024-02-29
chromium -- multiple security fixes chromium 122.0.6261.94 ungoogled-chromium 122.0.6261.94

Chrome Releases reports:

This update includes 4 security fixes:

  • [324596281] High CVE-2024-1938: Type Confusion in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be8 on 2024-02-11
  • [323694592] High CVE-2024-1939: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2024-02-05
CVE-2024-1938 CVE-2024-1939 https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop_27.html 2024-02-27 2024-02-29
null -- Routinator terminates when RTR connection is reset too quickly after opening null null

sep@nlnetlabs.nl reports:

Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too quickly after opening.

CVE-2024-1622 https://nvd.nist.gov/vuln/detail/CVE-2024-1622 2024-02-26 2024-02-28
curl -- OCSP verification bypass with TLS session reuse curl 8.6.0

Hiroki Kurosawa reports:

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.

CVE-2024-0853 https://curl.se/docs/CVE-2024-0853.html 2024-01-31 2024-02-28
gitea -- Fix XSS vulnerabilities gitea 1.21.6

Problem Description:

https://blog.gitea.com/release-of-1.21.6/ 2024-02-23 2024-02-24
chromium -- multiple security fixes chromium 122.0.6261.57 ungoogled-chromium 122.0.6261.57

Chrome Releases reports:

This update includes 12 security fixes:

  • [41495060] High CVE-2024-1669: Out of bounds memory access in Blink. Reported by Anonymous on 2024-01-26
  • [41481374] High CVE-2024-1670: Use after free in Mojo. Reported by Cassidy Kim(@cassidy6564) on 2023-12-06
  • [41487933] Medium CVE-2024-1671: Inappropriate implementation in Site Isolation. Reported by Harry Chen on 2024-01-03
  • [41485789] Medium CVE-2024-1672: Inappropriate implementation in Content Security Policy. Reported by Georg Felber (TU Wien) & Marco Squarcina (TU Wien) on 2023-12-19
  • [41490491] Medium CVE-2024-1673: Use after free in Accessibility. Reported by Weipeng Jiang (@Krace) of VRI on 2024-01-11
  • [40095183] Medium CVE-2024-1674: Inappropriate implementation in Navigation. Reported by David Erceg on 2019-05-27
  • [41486208] Medium CVE-2024-1675: Insufficient policy enforcement in Download. Reported by Bartłomiej Wacko on 2023-12-21
  • [40944847] Low CVE-2024-1676: Inappropriate implementation in Navigation. Reported by Khalil Zhani on 2023-11-21
https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop_20.html 2024-02-20 2024-02-24
Grafana -- Email verification is not required after email change grafana 9.5.16 10.0.010.0.11 10.1.010.1.7 10.2.010.2.4 10.3.010.3.3 grafana9 9.5.16 grafana10 10.0.11 10.1.010.1.7 10.2.010.2.4 10.3.010.3.3

Grafana Labs reports:

The vulnerability impacts instances where Grafana basic authentication is enabled.

Grafana has a verify_email_enabled configuration option. When this option is enabled, users are required to confirm their email addresses before the sign-up process is complete. However, the email is only checked at the time of the sign-up. No further verification is carried out if a user’s email address is updated after the initial sign-up. Moreover, Grafana allows using an email address as the user’s login name, and no verification is ever carried out for this email address.

This means that even if the verify_email_enabled configuration option is enabled, users can use unverified email addresses to log into Grafana if the email address has been changed after the sign up, or if an email address is set as the login name.

The CVSS score for this vulnerability is 5.4 Medium (CVSS).

CVE-2023-6152 https://grafana.com/security/security-advisories/cve-2023-6152/ 2023-11-10 2024-02-20
dns/c-ares -- malformatted file causes application crash c-ares 1.27.0

c-ares project reports:

Reading malformatted /etc/resolv.conf, /etc/nsswitch.conf or the HOSTALIASES file could result in a crash.

CVE-2024-25629 https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q 2024-02-23 2024-02-23
suricata -- multiple vulnerabilities suricata 7.0.3

Suricata team reports:

Multiple vulnerabilities fixed in the last release of suricata.

No details have been disclosed yet.

CVE-2024-23839 CVE-2024-23836 CVE-2024-23835 CVE-2024-24568 CVE-2024-23837 2024-01-22 2024-02-23
electron27 -- multiple vulnerabilities electron27 27.3.3

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-1283.
  • Security: backported fix for CVE-2024-1284.
CVE-2024-1283 https://github.com/advisories/GHSA-7mgj-p9v3-3vxr CVE-2024-1284 https://github.com/advisories/GHSA-pf89-rhhw-xmhp 2024-02-21 2024-02-23
Gitlab -- Vulnerabilities gitlab-ce 16.9.016.9.1 16.8.016.8.3 11.3.016.7.6

Gitlab reports:

Stored-XSS in user's profile page

User with "admin_group_members" permission can invite other groups to gain owner access

ReDoS issue in the Codeowners reference extractor

LDAP user can reset password using secondary email and login using direct authentication

Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard

Users with the Guest role can change Custom dashboard projects settings for projects in the victim group

Group member with sub-maintainer role can change title of shared private deploy keys

Bypassing approvals of CODEOWNERS

CVE-2024-1451 CVE-2023-6477 CVE-2023-6736 CVE-2024-1525 CVE-2023-4895 CVE-2024-0861 CVE-2023-3509 CVE-2024-0410 https://about.gitlab.com/releases/2024/02/21/security-release-gitlab-16-9-1-released/ 2024-02-21 2024-02-22
powerdns-recursor -- Multiple Vulnerabilities powerdns-recursor 5.0.2

cve@mitre.org reports:

CVE-2023-50868: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

CVE-2023-50868 https://nvd.nist.gov/vuln/detail/CVE-2023-50868 CVE-2023-50387 https://nvd.nist.gov/vuln/detail/CVE-2023-50387 2024-02-14 2024-02-16
nginx-devel -- Multiple Vulnerabilities in HTTP/3 nginx-devel 1.25.01.25.4

The nginx development team reports:

When using HTTP/3 a segmentation fault might occur in a worker process while processing a specially crafted QUIC session.

CVE-2024-24989 CVE-2024-24990 2024-02-14 2024-02-15
FreeBSD -- jail(2) information leak FreeBSD-kernel 14.014.0_5 13.213.2_10

Problem Description:

The jail(2) system call has not limited the visibility of allocated TTYs (the kern.ttys sysctl). This gives rise to an information leak about processes outside the current jail.

Impact:

An attacker can get information about TTYs allocated on the host or in other jails. Effectively, the information printed by "pstat -t" may be leaked.

CVE-2024-25941 SA-24:02.tty 2024-02-14 2024-02-14
FreeBSD -- bhyveload(8) host file access FreeBSD 14.014.0_5 13.213.2_10

Problem Description:

`bhyveload -h <host-path>` may be used to grant loader access to the <host-path> directory tree on the host. Affected versions of bhyveload(8) do not make any attempt to restrict loader's access to <host-path>, allowing the loader to read any file the host user has access to.

Impact:

In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the loader scripts generally come from the guest image. A maliciously crafted script could be used to exfiltrate sensitive data from the host accessible to the user running bhyveload(8), which is often the system root.

CVE-2024-25940 SA-24:01.bhyveload 2024-02-14 2024-02-14
chromium -- security fix chromium 121.0.6167.184 ungoogled-chromium 121.0.6167.184

Chrome Releases reports:

This update includes 1 security fix.

https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop_13.html 2024-02-13 2024-02-14
DNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities bind916 9.16.48 bind918 9.18.24 bind9-devel 9.19.21 dnsmasq 2.90 dnsmasq-devel 2.90 powerdns-recursor 5.0.2 unbound 1.19.1 FreeBSD 14.014.0_6 13.213.2_11

Simon Kelley reports:

If DNSSEC validation is enabled, then an attacker who can force a DNS server to validate a specially crafted signed domain can use a lot of CPU in the validator. This only affects dnsmasq installations with DNSSEC enabled.

Stichting NLnet Labs reports:

The KeyTrap [CVE-2023-50387] vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path.

The NSEC3 [CVE-2023-50868] vulnerability uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path.

CVE-2023-50387 CVE-2023-50868 https://kb.isc.org/docs/cve-2023-50387 https://kb.isc.org/docs/cve-2023-50868 https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ SA-24:03.unbound 2024-02-06 2024-02-13 2024-04-01
phpmyfaq -- multiple vulnerabilities phpmyfaq-php81 phpmyfaq-php82 phpmyfaq-php83 3.2.5

phpMyFAQ team reports:

phpMyFAQ doesn't implement sufficient checks to avoid XSS when storing attachment filenames. The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large range of targets. phpMyFAQ's user removal page allows an attacker to spoof another user's details, and in turn make a compelling phishing case for removing another user's account.

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7m8g-fprr-47fx https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9hhf-xmcw-r3xg https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-6648-6g96-mg35 2024-02-05 2024-02-11
openexr -- Heap Overflow in Scanline Deep Data Parsing openexr 3.1.12 3.2.03.2.2

Austin Hackers Anonymous report:

Due to a failure in validating the number of scanline samples of an OpenEXR file containing deep scanline data, Academy Software Foundation OpenEXR image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability.

[...] it is in a routine that is predominantly used for development and testing. It is not likely to appear in production code.

CVE-2023-5841 https://takeonme.org/cves/CVE-2023-5841.html https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.2 2023-10-26 2024-02-12
readstat -- Heap buffer overflow in readstat_convert readstat 1.1.9

Google reports:

A heap buffer overflow exists in readstat_convert.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33991 https://osv.dev/vulnerability/OSV-2021-732 https://github.com/WizardMac/ReadStat/issues/285 2021-05-05 2024-02-12
p5-Spreadsheet-ParseExcel -- Remote Code Execution Vulnerability p5-Spreadsheet-ParseExcel 0.66

Spreadsheet-ParseExcel reports:

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type eval "eval". Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

CVE-2023-7101 https://nvd.nist.gov/vuln/detail/CVE-2023-7101 2023-12-29 2024-02-11
postgresql-server -- non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL postgresql-server 15.6 14.11 13.14 12.18

PostgreSQL Project reports:

One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH. The fix for the vulnerability makes it so that all user-determined code is run as the view's owner, as expected.

CVE-2024-0985 https://www.postgresql.org/support/security/CVE-2024-0985/ 2024-02-08 2024-02-08
Gitlab -- vulnerabilities gitlab-ce 16.8.016.8.2 16.7.016.7.5 13.3.016.6.7

Gitlab reports:

Restrict group access token creation for custom roles

Project maintainers can bypass group's scan result policy block_branch_modification setting

ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax

Resource exhaustion using GraphQL vulnerabilitiesCountByDay

CVE-2024-1250 CVE-2023-6840 CVE-2023-6386 CVE-2024-1066 https://about.gitlab.com/releases/2024/02/07/security-release-gitlab-16-8-2-released/ 2024-02-07 2024-02-08
Composer -- Code execution and possible privilege escalation php81-composer 2.7.0 php82-composer 2.7.0 php83-composer 2.7.0

Composer reports:

Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php.

Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.

As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.

All Composer CLI commands are affected, including composer.phar's self-update.

CVE-2024-24821 https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h 2024-02-08 2024-02-08
Libgit2 -- multiple vulnerabilities eza 0.18.2 libgit2 1.7.01.7.2 1.6.5

Git community reports:

A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application

A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities

CVE-2024-24577 https://github.com/libgit2/libgit2/releases/tag/v1.7.2 2024-02-06 2024-02-08 2024-02-14
chromium -- multiple security fixes chromium 121.0.6167.160 ungoogled-chromium 121.0.6167.160 qt5-webengine 5.15.16.p5_5 qt6-webengine 6.6.1_5

Chrome Releases reports:

This update includes 3 security fixes:

  • [41494539] High CVE-2024-1284: Use after free in Mojo. Reported by Anonymous on 2024-01-25
  • [41494860] High CVE-2024-1283: Heap buffer overflow in Skia. Reported by Jorge Buzeti (@r3tr074) on 2024-01-25
CVE-2024-1284 CVE-2024-1283 https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop.html 2024-02-06 2024-02-08
clamav -- Multiple vulnerabilities clamav 1.2.2,1 clamav-lts 1.0.5,1

The ClamAV project reports:

CVE-2024-20290

A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for end-of-string values during scanning, which may result in a heap buffer over-read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software and consuming available system resources.

CVE-2024-20328

Fixed a possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. To fix this issue, we disabled the '%f' format string parameter. ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment variable, instead of '%f'. But you should do so only from within an executable, such as a Python script, and not directly in the clamd.conf "VirusEvent" command.
CVE-2024-20290 CVE-2024-20328 https://blog.clamav.net/2023/11/clamav-130-122-105-released.html 2024-02-07 2024-02-07
Django -- multiple vulnerabilities py39-django32 py310-django32 py311-django32 3.2.24 py39-django42 py310-django42 py311-django42 4.2.8 py311-django50 5.0.2

Django reports:

CVE-2024-24680: Potential denial-of-service in intcomma template filter.

CVE-2024-24680 https://www.djangoproject.com/weblog/2024/feb/06/security-releases/ 2024-01-09 2024-02-07
chromium -- multiple security fixes chromium 121.0.6167.139 ungoogled-chromium 121.0.6167.139 qt5-webengine 5.15.16.p5_5 qt6-webengine 6.6.1_5

Chrome Releases reports:

This update includes 4 security fixes:

  • [1511567] High CVE-2024-1060: Use after free in Canvas. Reported by Anonymous on 2023-12-14
  • [1514777] High CVE-2024-1059: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-12-29
  • [1511085] High CVE-2024-1077: Use after free in Network. Reported by Microsoft Security Research Center on 2023-12-13
CVE-2024-1060 CVE-2024-1059 CVE-2024-1077 https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_30.html 2024-01-30 2024-02-02
chromium -- multiple security fixes chromium 121.0.6167.85 ungoogled-chromium 121.0.6167.85

Chrome Releases reports:

This update includes 17 security fixes:

  • [1484394] High CVE-2024-0812: Inappropriate implementation in Accessibility. Reported by Anonymous on 2023-09-19
  • [1504936] High CVE-2024-0808: Integer underflow in WebUI. Reported by Lyra Rebane (rebane2001) on 2023-11-24
  • [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools. Reported by Shaheen Fazim on 2023-10-26
  • [1463935] Medium CVE-2024-0814: Incorrect security UI in Payments. Reported by Muneaki Nishimura (nishimunea) on 2023-07-11
  • [1477151] Medium CVE-2024-0813: Use after free in Reading Mode. Reported by @retsew0x01 on 2023-08-30
  • [1505176] Medium CVE-2024-0806: Use after free in Passwords. Reported by 18楼梦想改造家 on 2023-11-25
  • [1514925] Medium CVE-2024-0805: Inappropriate implementation in Downloads. Reported by Om Apip on 2024-01-01
  • [1515137] Medium CVE-2024-0804: Insufficient policy enforcement in iOS Security UI. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2024-01-03
  • [1494490] Low CVE-2024-0811: Inappropriate implementation in Extensions API. Reported by Jann Horn of Google Project Zero on 2023-10-21
  • [1497985] Low CVE-2024-0809: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-10-31
CVE-2024-0812 CVE-2024-0808 CVE-2024-0810 CVE-2024-0814 CVE-2024-0813 CVE-2024-0806 CVE-2024-0805 CVE-2024-0804 CVE-2024-0811 CVE-2024-0809 https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_23.html 2024-01-23 2024-02-02
electron{26,27,28} -- Use after free in Web Audio electron26 26.6.8 electron27 27.3.1 electron28 28.2.1

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-0807.
CVE-2024-0807 https://github.com/advisories/GHSA-hjm7-v5pw-x89r 2024-01-31 2024-02-01
qt6-webengine -- Multiple vulnerabilities qt5-webengine 5.15.16.p5_5 qt6-webengine 6.6.1_4

Qt qtwebengine-chromium repo reports:

Backports for 3 security bugs in Chromium:

  • [1505080] High CVE-2024-0807: Use after free in WebAudio
  • [1504936] Critical CVE-2024-0808: Integer underflow in WebUI
  • [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools
CVE-2024-0807 CVE-2024-0808 CVE-2024-0810 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=112-based 2024-01-30 2024-01-31
OpenSSL -- Multiple vulnerabilities openssl 3.0.13,1 openssl-quictls 3.0.13 openssl31 3.1.5 openssl31-quictls 3.1.5 openssl32 3.2.1

The OpenSSL project reports:

Excessive time spent checking invalid RSA public keys (CVE-2023-6237)

PKCS12 Decoding crashes (CVE-2024-0727)

CVE-2024-0727 CVE-2023-6237 https://www.openssl.org/news/secadv/20240125.txt https://www.openssl.org/news/secadv/20240115.txt https://www.openssl.org/news/openssl-3.0-notes.html https://www.openssl.org/news/openssl-3.1-notes.html https://www.openssl.org/news/openssl-3.2-notes.html 2024-01-30 2024-01-31
lizard -- Negative size passed to memcpy resulting in memory corruption lizard 1.0_1

cve@mitre.org reports:

In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product was renamed), there is an unchecked buffer size during a memcpy in the Lizard_decompress_LIZv1 function (lib/lizard_decompress_liz.h). Remote attackers can leverage this vulnerability to cause a denial of service via a crafted input file, as well as achieve remote code execution.

CVE-2018-11498 https://nvd.nist.gov/vuln/detail/CVE-2018-11498 2018-05-26 2024-01-31
qt6-webengine -- Multiple vulnerabilities qt6-webengine 6.6.1_3

Qt qtwebengine-chromium repo reports:

Backports for 15 security bugs in Chromium:

  • [1505053] High CVE-2023-6345: Integer overflow in Skia
  • [1500856] High CVE-2023-6346: Use after free in WebAudio
  • [1494461] High CVE-2023-6347: Use after free in Mojo
  • [1501326] High CVE-2023-6702: Type Confusion in V8
  • [1502102] High CVE-2023-6703: Use after free in Blink
  • [1505708] High CVE-2023-6705: Use after free in WebRTC
  • [1500921] High CVE-2023-6706: Use after free in FedCM
  • [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
  • [1501798] High CVE-2024-0222: Use after free in ANGLE
  • [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE
  • [1505086] High CVE-2024-0224: Use after free in WebAudio
  • [1506923] High CVE-2024-0225: Use after free in WebGPU
  • [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
  • [1507412] High CVE-2024-0518: Type Confusion in V8
  • [1517354] High CVE-2024-0519: Out of bounds memory access in V8
CVE-2023-6345 CVE-2023-6346 CVE-2023-6347 CVE-2023-6702 CVE-2023-6703 CVE-2023-6705 CVE-2023-6706 CVE-2023-7024 CVE-2024-0222 CVE-2024-0223 CVE-2024-0224 CVE-2024-0225 CVE-2024-0333 CVE-2024-0518 CVE-2024-0519 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=112-based 2024-01-08 2024-01-29
qt5-webengine -- Multiple vulnerabilities qt5-webengine 5.15.16.p5_4

Qt qtwebengine-chromium repo reports:

Backports for 8 security bugs in Chromium:

  • [1505053] High CVE-2023-6345: Integer overflow in Skia
  • [1501326] High CVE-2023-6702: Type Confusion in V8
  • [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
  • [1501798] High CVE-2024-0222: Use after free in ANGLE
  • [1505086] High CVE-2024-0224: Use after free in WebAudio
  • [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
  • [1507412] High CVE-2024-0518: Type Confusion in V8
  • [1517354] High CVE-2024-0519: Out of bounds memory access in V8
CVE-2023-6345 CVE-2023-6702 CVE-2023-7024 CVE-2024-0222 CVE-2024-0224 CVE-2024-0333 CVE-2024-0518 CVE-2024-0519 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=87-based 2024-01-08 2024-01-29
rclone -- Multiple vulnerabilities rclone 1.65.1

Multiple vulnerabilities in ssh and golang

  • CVE-2023-45286: HTTP request body disclosure across requests in go-resty.
  • CVE-2023-48795: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks.
CVE-2023-45286 CVE-2023-48795 https://nvd.nist.gov/vuln/detail/CVE-2023-45286 https://nvd.nist.gov/vuln/detail/CVE-2023-48795 2023-11-28 2024-01-26
Gitlab -- vulnerabilities gitlab-ce >= 16.8.0 < 16.8.1, >= 16.7.0 < 16.7.4, >= 16.6.0 < 16.6.6, >= 12.7.0 < 16.5.8

Gitlab reports:

Arbitrary file write while creating workspace

ReDoS in Cargo.toml blob viewer

Arbitrary API PUT requests via HTML injection in user's name

Disclosure of the public email in Tags RSS Feed

Non-Member can update MR Assignees of owned MRs

CVE-2024-0402 CVE-2023-6159 CVE-2023-5933 CVE-2023-5612 CVE-2024-0456 https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/ 2024-01-25 2024-01-26
jenkins -- multiple vulnerabilities jenkins 2.422 jenkins-lts 2.426.3

Jenkins Security Advisory:

  • (Critical) SECURITY-3314 / CVE-2024-23897: Arbitrary file read vulnerability through the CLI can lead to RCE
  • (High) SECURITY-3315 / CVE-2024-23898: Cross-site WebSocket hijacking vulnerability in the CLI

CVE-2024-23897 CVE-2024-23898 https://www.jenkins.io/security/advisory/2024-01-24/ 2024-01-24 2024-01-24
TinyMCE -- mXSS in multiple plugins tinymce 6.7.3 roundcube 1.6.6,1

TinyMCE reports:

Special characters in unescaped text nodes can trigger mXSS when using TinyMCE undo/redo, getContent API, resetContent API, and Autosave plugin

CVE-2023-48219 https://github.com/tinymce/tinymce/security/advisories/GHSA-v626-r774-j7f8 https://github.com/roundcube/roundcubemail/releases/tag/1.6.6 2023-11-15 2024-01-23
zeek -- potential DoS vulnerability zeek 6.0.3

Tim Wojtulewicz of Corelight reports:

A specially-crafted series of packets containing nested MIME entities can cause Zeek to spend large amounts of time parsing the entities.
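The failure mode above is unbounded work on nested MIME entities. The following is an added illustration, not Zeek's MIME analyzer: a small recursive multipart walker that refuses to descend past a fixed nesting limit, run against constructed inputs that are deep (nested) and wide (many sibling parts). The limit value MAX_MIME_DEPTH, the helper names and the sample messages are all assumptions made for this example.

```python
import re

# Limit on how deeply multipart entities may nest before parsing is abandoned.
# Assumed value for this illustration; a real analyzer would make it configurable.
MAX_MIME_DEPTH = 8

BOUNDARY_RE = re.compile(rb'boundary="?([^";\r\n]+)"?', re.IGNORECASE)


class MimeTooDeep(Exception):
    pass


def mime_depth(entity: bytes, depth: int = 0, max_depth: int = MAX_MIME_DEPTH) -> int:
    """Recursively walk a MIME entity and return the deepest nesting level found.

    Abort as soon as the nesting exceeds max_depth so a crafted input cannot
    make the parser do unbounded work.
    """
    if depth > max_depth:
        raise MimeTooDeep(f"nesting deeper than {max_depth}")
    head, _, body = entity.partition(b"\r\n\r\n")
    match = BOUNDARY_RE.search(head)
    if b"multipart/" not in head.lower() or match is None:
        return depth                        # leaf entity: nothing to descend into
    delimiter = b"--" + match.group(1)
    deepest = depth
    for part in body.split(delimiter)[1:]:  # element 0 is the preamble
        if part.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        deepest = max(deepest, mime_depth(part.strip(b"\r\n"), depth + 1, max_depth))
    return deepest


def build_nested(levels: int) -> bytes:
    """Constructed input: a text/plain leaf wrapped in `levels` multipart entities."""
    entity = b"Content-Type: text/plain\r\n\r\nleaf"
    for i in range(levels):
        b = b"lvl%03d" % i
        entity = (b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n'
                  b"--" + b + b"\r\n" + entity + b"\r\n--" + b + b"--\r\n")
    return entity


def build_flat(parts: int) -> bytes:
    """Constructed input: one multipart with many sibling text parts (wide, not deep)."""
    b = b"flat"
    body = b"".join(b"--" + b + b"\r\nContent-Type: text/plain\r\n\r\npart\r\n"
                    for _ in range(parts))
    return (b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n'
            + body + b"--" + b + b"--\r\n")


if __name__ == "__main__":
    print("nested x3  ->", mime_depth(build_nested(3)))
    print("flat x50   ->", mime_depth(build_flat(50)))
    try:
        mime_depth(build_nested(20))
    except MimeTooDeep as exc:
        print("nested x20 -> rejected:", exc)
```

The depth cap is the defence of interest here: width alone (many sibling parts) is handled in linear time, while depth is what a crafted packet series would push, so that is the dimension to bound.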

https://github.com/zeek/zeek/releases/tag/v6.0.3 2024-01-22 2024-01-22
electron26 -- Out of bounds memory access in V8 electron26 26.6.7

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-0519.
CVE-2024-0519 https://github.com/advisories/GHSA-vg6w-jr5m-86c8 2024-01-18 2024-01-19
electron{26,27} -- multiple vulnerabilities electron26 26.6.6 electron27 27.2.4

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-0518.
  • Security: backported fix for CVE-2024-0517.
CVE-2024-0518 https://github.com/advisories/GHSA-4pvg-f3m8-ff3j CVE-2024-0517 https://github.com/advisories/GHSA-v39r-662x-j524 2024-01-17 2024-01-17 2024-01-18
chromium -- multiple security fixes chromium 120.0.6099.224 ungoogled-chromium 120.0.6099.224

Chrome Releases reports:

This update includes 4 security fixes:

  • [1515930] High CVE-2024-0517: Out of bounds write in V8. Reported by Toan (suto) Pham of Qrious Secure on 2024-01-06
  • [1507412] High CVE-2024-0518: Type Confusion in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2023-12-03
  • [1517354] High CVE-2024-0519: Out of bounds memory access in V8. Reported by Anonymous on 2024-01-11
CVE-2024-0517 CVE-2024-0518 CVE-2024-0519 https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.html 2024-01-16 2024-01-17
xorg server -- Multiple vulnerabilities xorg-server xephyr xorg-vfbserver 21.1.11,1 xorg-nextserver 21.1.11,2 xwayland 23.2.4 xwayland-devel 21.0.99.1.653

The X.Org project reports:

  • CVE-2023-6816: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer

    Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255 but the X.Org Server was only allocating space for the device's number of buttons, leading to a heap overflow if a bigger value was used.

  • CVE-2024-0229: Reattaching to different master device may lead to out-of-bounds memory access

    If a device has both a button class and a key class and numButtons is zero, we can get an out-of-bounds write due to event under-allocation in the DeliverStateNotifyEvent function.

  • CVE-2024-21885: Heap buffer overflow in XISendDeviceHierarchyEvent

    The XISendDeviceHierarchyEvent() function allocates space to store up to MAXDEVICES (256) xXIHierarchyInfo structures in info. If a device with a given ID was removed and a new device with the same ID added both in the same operation, the single device ID will lead to two info structures being written to info. Since this case can occur for every device ID at once, a total of two times MAXDEVICES info structures might be written to the allocation, leading to a heap buffer overflow.

  • CVE-2024-21886: Heap buffer overflow in DisableDevice

    The DisableDevice() function is called whenever an enabled device is disabled and it moves the device from the inputInfo.devices linked list to the inputInfo.off_devices linked list. However, its link/unlink operation has an issue during the recursive call to DisableDevice() due to the prev pointer pointing to a removed device. This issue leads to a length mismatch between the total number of devices and the number of devices in the list, leading to a heap overflow and, possibly, to local privilege escalation.

CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 https://lists.x.org/archives/xorg/2024-January/061525.html 2024-01-16 2024-01-16
electron{26,27} -- multiple vulnerabilities electron26 26.6.5 electron27 27.2.2

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-0224.
  • Security: backported fix for CVE-2024-0225.
  • Security: backported fix for CVE-2024-0223.
  • Security: backported fix for CVE-2024-0222.
CVE-2024-0224 https://github.com/advisories/GHSA-83wx-v283-85g9 CVE-2024-0225 https://github.com/advisories/GHSA-gqr9-4fcc-c9jq CVE-2024-0223 https://github.com/advisories/GHSA-w8x8-g534-x4rp CVE-2024-0222 https://github.com/advisories/GHSA-c87c-56pw-mwgh 2024-01-10 2024-01-12
Gitlab -- vulnerabilities gitlab-ce >= 16.7.0 < 16.7.2, >= 16.6.0 < 16.6.4, >= 8.13.0 < 16.5.6

Gitlab reports:

Account Takeover via Password Reset without user interactions

Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user

Bypass CODEOWNERS approval removal

Workspaces able to be created under different root namespace

Commit signature validation ignores headers after signature

CVE-2023-7028 CVE-2023-5356 CVE-2023-4812 CVE-2023-6955 CVE-2023-2030 https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/ 2024-01-11 2024-01-12
OpenSSL -- Vector register corruption on PowerPC openssl 3.0.12_2,1 openssl-quictls 3.0.12_2 openssl31 3.1.4_2 openssl31-quictls 3.1.4_2 openssl32 3.2.0_1

The OpenSSL project reports:

The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions.

CVE-2023-6129 https://www.openssl.org/news/secadv/20240109.txt 2024-01-09 2024-01-11
chromium -- security fix chromium 120.0.6099.216 ungoogled-chromium 120.0.6099.216

Chrome Releases reports:

This update includes 1 security fix:

  • [1513379] High CVE-2024-0333: Insufficient data validation in Extensions. Reported by Malcolm Stagg (@malcolmst) of SODIUM-24, LLC on 2023-12-20
CVE-2024-0333 https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_9.html 2024-01-09 2024-01-10
QtNetwork -- potential buffer overflow qt5-network 5.15.12p148_1 qt6-base 6.6.1_2

Andy Shaw reports:

A potential integer overflow has been discovered in Qt's HTTP2 implementation. If the HTTP2 implementation receives more than 4GiB in total headers, or more than 2GiB for any given header pair, then the internal buffers may overflow.

CVE-2023-51714 https://www.qt.io/blog/security-advisory-potential-integer-overflow-in-qts-http2-implementation 2023-12-14 2024-01-07
mantis -- multiple vulnerabilities mantis-php74 mantis-php80 mantis-php81 mantis-php82 mantis-php83 2.25.8,1

Mantis 2.25.8 release reports:

Security and maintenance release

  • 0032432: Update guzzlehttp/psr7 to 1.9.1 (CVE-2023-29197)
  • 0032981: Information Leakage on DokuWiki Integration (CVE-2023-44394)
CVE-2023-29197 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29197 CVE-2023-44394 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44394 2023-10-14 2024-01-06
chromium -- multiple security fixes chromium 120.0.6099.199 ungoogled-chromium 120.0.6099.199

Chrome Releases reports:

This update includes 6 security fixes:

  • [1501798] High CVE-2024-0222: Use after free in ANGLE. Reported by Toan (suto) Pham of Qrious Secure on 2023-11-13
  • [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE. Reported by Toan (suto) Pham and Tri Dang of Qrious Secure on 2023-11-24
  • [1505086] High CVE-2024-0224: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-25
  • [1506923] High CVE-2024-0225: Use after free in WebGPU. Reported by Anonymous on 2023-12-01
CVE-2024-0222 CVE-2024-0223 CVE-2024-0224 CVE-2024-0225 https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop.html 2024-01-03 2024-01-04
electron27 -- multiple vulnerabilities electron27 27.2.1

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-6706.
  • Security: backported fix for CVE-2023-6705.
  • Security: backported fix for CVE-2023-6703.
  • Security: backported fix for CVE-2023-6702.
  • Security: backported fix for CVE-2023-6704.
CVE-2023-6706 https://github.com/advisories/GHSA-jqrg-rvpw-5fw5 CVE-2023-6705 https://github.com/advisories/GHSA-h27f-fw5q-c2gh CVE-2023-6703 https://github.com/advisories/GHSA-9v72-359m-2vx4 CVE-2023-6702 https://github.com/advisories/GHSA-7hjc-c62g-4w73 CVE-2023-6704 https://github.com/advisories/GHSA-587x-fmc5-99p9 2024-01-04 2024-01-04
electron26 -- multiple vulnerabilities electron26 26.6.4

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-6704.
  • Security: backported fix for CVE-2023-6705.
  • Security: backported fix for CVE-2023-6703.
  • Security: backported fix for CVE-2023-6702.
CVE-2023-6704 https://github.com/advisories/GHSA-587x-fmc5-99p9 CVE-2023-6705 https://github.com/advisories/GHSA-h27f-fw5q-c2gh CVE-2023-6703 https://github.com/advisories/GHSA-9v72-359m-2vx4 CVE-2023-6702 https://github.com/advisories/GHSA-7hjc-c62g-4w73 2024-01-04 2024-01-04
FreeBSD -- Prefix Truncation Attack in the SSH protocol FreeBSD >= 14.0 < 14.0_4, >= 13.2 < 13.2_9

Problem Description:

The SSH protocol executes an initial handshake between the server and the client. This protocol handshake includes the possibility of several extensions allowing different options to be selected. Validation of the packets in the handshake is done through sequence numbers.

Impact:

A man in the middle attacker can silently manipulate handshake messages to truncate extension negotiation messages potentially leading to less secure client authentication algorithms or deactivating keystroke timing attack countermeasures.
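The truncation works because the integrity check on each packet covers only its sequence number, and the attacker can move that number before encryption starts. The following is an added simulation of the server-to-client direction, not code from the FreeBSD or OpenSSH projects: it uses a deliberately simplified tag (HMAC over sequence number and payload) in place of the real SSH MAC constructions, a constructed key, and a fixed message script. The man in the middle inserts one cleartext SSH_MSG_IGNORE before NEWKEYS and drops the first protected packet (EXT_INFO), so the peers' counters line up again and the client never notices. The strict_kex flag models the countermeasure shipped with the fix: sequence numbers restart at NEWKEYS and any unexpected message during the exchange ends the connection.

```python
import hashlib
import hmac

# Constructed stand-in for the MAC key the peers derive from the key exchange.
# The attacker never learns it and so cannot forge an authenticated packet.
MAC_KEY = b"constructed-session-mac-key"

# Messages a peer is allowed to see while the key exchange is in progress.
KEX_MESSAGES = {b"KEXINIT", b"KEXDH_REPLY", b"NEWKEYS"}


class ProtocolError(Exception):
    pass


def packet_mac(seq: int, payload: bytes) -> bytes:
    """Simplified SSH integrity tag: binds a packet to its sequence number."""
    return hmac.new(MAC_KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


class Server:
    """Sending side of the server->client direction only."""

    def __init__(self, strict_kex: bool):
        self.strict_kex = strict_kex
        self.seq = 0              # send sequence number
        self.keys_active = False

    def send(self, msg: bytes):
        tag = packet_mac(self.seq, msg) if self.keys_active else None
        self.seq += 1
        if msg == b"NEWKEYS":
            self.keys_active = True
            if self.strict_kex:
                self.seq = 0      # strict kex: counters restart after NEWKEYS
        return msg, tag


class Client:
    def __init__(self, strict_kex: bool):
        self.strict_kex = strict_kex
        self.seq = 0              # receive sequence number
        self.keys_active = False
        self.received = []

    def recv(self, msg: bytes, tag):
        if self.keys_active:
            if tag is None or not hmac.compare_digest(packet_mac(self.seq, msg), tag):
                raise ProtocolError(f"MAC failure at receive seq {self.seq}")
        elif self.strict_kex and msg not in KEX_MESSAGES:
            # strict kex: anything unexpected during the handshake ends the connection
            raise ProtocolError(f"unexpected {msg!r} during key exchange")
        self.seq += 1
        self.received.append(msg)
        if msg == b"NEWKEYS":
            self.keys_active = True
            if self.strict_kex:
                self.seq = 0


def prefix_truncation(packets):
    """Man in the middle: insert one unauthenticated IGNORE before NEWKEYS and
    drop the first protected packet (EXT_INFO), keeping the counters aligned."""
    out = []
    for msg, tag in packets:
        if msg == b"NEWKEYS":
            out.append((b"IGNORE", None))
        if msg.startswith(b"EXT_INFO"):
            continue
        out.append((msg, tag))
    return out


# Constructed server script; EXT_INFO carries the extension negotiation.
SERVER_SCRIPT = [
    b"KEXINIT",
    b"KEXDH_REPLY",
    b"NEWKEYS",
    b"EXT_INFO server-sig-algs=rsa-sha2-512",
    b"SERVICE_ACCEPT",
]


def run(strict_kex: bool, attack: bool) -> dict:
    """Report whether EXT_INFO reached the client and whether it detected tampering."""
    server, client = Server(strict_kex), Client(strict_kex)
    packets = [server.send(m) for m in SERVER_SCRIPT]
    if attack:
        packets = prefix_truncation(packets)
    error = None
    try:
        for msg, tag in packets:
            client.recv(msg, tag)
    except ProtocolError as exc:
        error = str(exc)
    ext_info = any(m.startswith(b"EXT_INFO") for m in client.received)
    return {"ext_info_received": ext_info, "error": error}


if __name__ == "__main__":
    for strict in (False, True):
        for attack in (False, True):
            print(f"strict_kex={strict} attack={attack}: {run(strict, attack)}")
```

Without strict kex the attacked run ends with no error and no EXT_INFO, which is exactly the silent downgrade described above; with strict kex the injected IGNORE is rejected during the exchange, and even an attacker who avoided that would fail the tag check, because the counter reset at NEWKEYS removes the slack the inserted message created.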

CVE-2023-48795 SA-23:19.openssh 2023-12-19 2024-01-02
gitea -- Prevent anonymous container access gitea 1.21.5

Problem Description:

Even with RequireSignInView enabled, anonymous users can use docker pull to fetch public images.

https://blog.gitea.com/release-of-1.21.5/ 2024-01-24 2024-02-15