diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile
index 56af61aba418..9a3ef8b7a291 100644
--- a/security/vuxml/Makefile
+++ b/security/vuxml/Makefile
@@ -1,108 +1,120 @@ PORTNAME= vuxml PORTVERSION= 1.1 PORTREVISION= 6 CATEGORIES= security textproc MASTER_SITES= http://www.vuxml.org/dtd/vuxml-1/ DISTFILES= vuxml-10.dtd vuxml-model-10.mod \ vuxml-11.dtd vuxml-model-11.mod \ xml1.dcl catalog catalog.xml DIST_SUBDIR= vuxml MAINTAINER= ports-secteam@FreeBSD.org COMMENT= Vulnerability and eXposure Markup Language DTD WWW= https://vuxml.freebsd.org/ LICENSE= BSD2CLAUSE RUN_DEPENDS= xmlcatmgr:textproc/xmlcatmgr \ xsltproc:textproc/libxslt \ ${LOCALBASE}/share/xml/dtd/xhtml-modularization/VERSION:textproc/xhtml-modularization \ ${LOCALBASE}/share/xml/dtd/xhtml-basic/xhtml-basic10.dtd:textproc/xhtml-basic USES= python:run NO_MTREE= yes NO_ARCH= yes NO_BUILD= yes WRKSRC= ${WRKDIR} dir_DTD= share/xml/dtd/vuxml .include VUXML_FILE?= ${PKGDIR}/vuln.xml VUXML_FLAT_NAME= vuln-flat.xml VUXML_FLAT_FILE?= ${PKGDIR}/${VUXML_FLAT_NAME} _YEAR!= date +%Y VUXML_CURRENT_FILE?= ${PKGDIR}/vuln/${_YEAR}.xml post-clean: @${RM} "${VUXML_FILE}.tidy" @${RM} "${VUXML_FLAT_FILE}" do-extract: @${RM} -r ${WRKDIR} @${MKDIR} ${WRKDIR} .for f in ${DISTFILES} ${CP} ${_DISTDIR}/${f} ${WRKDIR}/${f} .endfor do-install: @${MKDIR} ${STAGEDIR}${PREFIX}/${dir_DTD} .for f in ${DISTFILES} ${INSTALL_DATA} ${WRKSRC}/${f} ${STAGEDIR}${PREFIX}/${dir_DTD}/${f} .endfor do-test: @${MKDIR} ${WRKDIR}/test @${CP} -R ${.CURDIR}/vuln.xml ${.CURDIR}/vuln ${WRKDIR}/test @cd ${.CURDIR} && make validate PKGDIR=${WRKDIR}/test ${VUXML_FLAT_NAME}: ${VUXML_FILE} vuln/*.xml xmllint -noent ${.ALLSRC:[1]} > ${.TARGET} validate: tidy @${SH} ${FILESDIR}/validate.sh "${VUXML_FLAT_FILE}" @${ECHO_MSG} Checking if tidy differs... @if ${DIFF} -u "${VUXML_FLAT_FILE}" "${VUXML_FILE}.tidy"; \ then \ ${ECHO_MSG} ... seems okay; \ ${RM} "${VUXML_FILE}.tidy"; \ else \ return 1; \ fi @${ECHO_MSG} Checking for space/tab... 
@unexpand "${VUXML_FLAT_FILE}" | ${SED} -E 's,[[:space:]]*$$,,g' > "${VUXML_FILE}.unexpanded" @if ${DIFF} -u "${VUXML_FLAT_FILE}" "${VUXML_FILE}.unexpanded"; \ then \ ${ECHO_MSG} ... seems okay; \ ${RM} "${VUXML_FILE}.unexpanded"; \ else \ ${ECHO_MSG} ... see above; \ ${ECHO_CMD} Consider using ${VUXML_FILE}.unexpanded for final commit; \ return 1; \ fi ${PYTHON_CMD} ${FILESDIR}/extra-validation.py ${VUXML_FLAT_FILE} + @${ECHO_CMD} + @${ECHO_CMD} 'Be sure to get versioning right for PORTEPOCH and remember possible linux-* ports!' + @${ECHO_CMD} 'Also, tags are usually wrong in ranges. Use where adequate.' + @${ECHO_CMD} tidy: ${VUXML_FLAT_NAME} @if [ ! -e ${LOCALBASE}/share/xml/dtd/vuxml/catalog.xml ]; \ then \ echo "Please install the VuXML port prior to running make validate/tidy."; \ exit 1; \ fi ${SH} ${FILESDIR}/tidy.sh "${FILESDIR}/tidy.xsl" "${VUXML_FLAT_FILE}" > "${VUXML_FILE}.tidy" newentry: + @${ECHO_CMD} + @${ECHO_CMD} 'Be sure to get versioning right for PORTEPOCH and remember possible linux-* ports!' + @${ECHO_CMD} 'Also, tags are usually wrong in ranges. Use where adequate.' + @${ECHO_CMD} @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" "CVE_ID=${CVE_ID}" "SA_ID=${SA_ID}" + @${ECHO_CMD} + @${ECHO_CMD} 'Be sure to get versioning right for PORTEPOCH and remember possible linux-* ports!' + @${ECHO_CMD} 'Also, tags are usually wrong in ranges. Use where adequate.' + @${ECHO_CMD} .if defined(VID) && !empty(VID) html: work/${VID}.html work/${VID}.html: ${FILESDIR}/html.xsl ${FILESDIR}/common.css ${VUXML_FILE} ${MKDIR} work xsltproc --stringparam vid "${VID}" \ --output ${.TARGET} \ ${FILESDIR}/html.xsl ${VUXML_FILE} ${INSTALL_DATA} ${FILESDIR}/common.css work .endif .include
diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index c824f0b19868..64f19bfb38aa 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
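Review bot: The same two-line PORTEPOCH/range reminder is pasted verbatim three times in this hunk (once at the end of `validate` after the extra-validation.py step, and in `newentry` both before and after the `newentry.sh` call), so any future wording fix has to be made in three places and will drift. Define the text once, either as a variable or as a small helper target such as `vuxml-hints:` holding the four `@${ECHO_CMD}` lines, and have `validate` and `newentry` run it (for `validate` a trailing `@cd ${.CURDIR} && ${MAKE} vuxml-hints` keeps it after the checks, since the hint should only appear once extra-validation.py has passed). In `newentry` printing the identical block both before and after the entry is created is redundant; the copy after `newentry.sh`, when the committer is about to edit the range, is the useful one. Note the reminder is advisory only: if extra-validation.py does not already reject an entry whose lower bound or range tags are wrong, the `validate` target will still succeed, so the range sanity check belongs in that script rather than only in an echo.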
@@ -1,13784 +1,13785 @@ Perl -- heap buffer overflow when transliterating non-ASCII bytes perl5.36 5.36.3 perl5.38 5.38.4 perl5.40 5.40.2 perl5-devel 5.41.10

9b29abf9-4ab0-4765-b253-1875cd9b441e reports:

A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`. $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;' Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2024-56406 https://nvd.nist.gov/vuln/detail/CVE-2024-56406 2025-04-13 2025-04-15
gogs -- Multiple vulnerabilities gogs 0.13.0

cve@mitre.org reports:

CVE-2024-44625: Directory Traversal via the editFilePost function of internal/route/repo/editor.go.

CVE-2024-39933: Gogs allows argument injection during the tagging of a new release.

CVE-2024-39932: Gogs allows argument injection during the previewing of changes.

CVE-2024-39931: Gogs allows deletion of internal files.

CVE-2024-39930: The built-in SSH server of Gogs allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated.

CVE-2024-44625 https://nvd.nist.gov/vuln/detail/CVE-2024-44625 CVE-2024-39933 https://nvd.nist.gov/vuln/detail/CVE-2024-39933 CVE-2024-39932 https://nvd.nist.gov/vuln/detail/CVE-2024-39932 CVE-2024-39931 https://nvd.nist.gov/vuln/detail/CVE-2024-39931 CVE-2024-39930 https://nvd.nist.gov/vuln/detail/CVE-2024-39930 2024-11-15 2025-04-14
Mozilla -- null pointer dereference firefox 133.0,2 thunderbird 133.0

security@mozilla.org reports:

A null pointer dereference may have inadvertently occurred in `pk12util`, and specifically in the `SEC_ASN1DecodeItem_Util` function, when handling malformed or improperly formatted input files.

CVE-2024-11706 https://nvd.nist.gov/vuln/detail/CVE-2024-11706 2024-11-26 2025-04-13
mozilla -- double free error firefox 133.0,2 firefox-esr 128.7.0 thunderbird 133.0

security@mozilla.org reports:

A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption.

CVE-2024-11704 https://nvd.nist.gov/vuln/detail/CVE-2024-11704 2024-11-26 2025-04-13
Apache Tomcat -- RCE due to TOCTOU issue in JSP compilation tomcat110 11.0.0 11.0.1 tomcat101 10.1.0 10.1.33 tomcat9 9.0.0 9.0.97

security@apache.org reports:

Time-of-check Time-of-use (TOCTOU) Race Condition The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system propertysun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: thesystem property sun.io.useCanonCaches, if set, must be set to false(it defaults to false) - running on Java 21 onwards: no further configuration is required(the system property and the problematic cache have been removed) Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks thatsun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also setsun.io.useCanonCaches to false by default where it can.

CVE-2024-56337 https://nvd.nist.gov/vuln/detail/CVE-2024-56337 2024-12-20 2024-12-29
kanboard -- Insufficient session invalidation kanboard 1.2.43

security-advisories@github.com reports:

Kanboard is project management software that focuses on the Kanban methodology. In affected versions sessions are still usable even though their lifetime has exceeded. Kanboard implements a cutom session handler (`app/Core/Session/SessionHandler.php`), to store the session data in a database. Therefore, when a `session_id` is given, kanboard queries the data from the `sessions` sql table. At this point, it does not correctly verify, if a given `session_id` has already exceeded its lifetime (`expires_at`). Thus, a session which's lifetime is already `> time()`, is still queried from the database and hence a valid login. The implemented **SessionHandlerInterface::gc** function, that does remove invalid sessions, is called only **with a certain probability** (_Cleans up expired sessions. Called by `session_start()`, based on `session.gc_divisor`, `session.gc_probability` and `session.gc_maxlifetime` settings_) accordingly to the php documentation. In the official Kanboard docker image these values default to: session.gc_probability=1, session.gc_divisor=1000. Thus, an expired session is only terminated with probability 1/1000. There are no known workarounds for this vulnerability.

CVE-2024-55603 https://nvd.nist.gov/vuln/detail/CVE-2024-55603 2024-12-19 2024-12-24
Vaultwarden -- Admin organization permissions vaultwarden 1.32.7

The Vaultwarden project reports:

Admins from any organization were able to modify or delete groups in any other organization if they know the group's uuid.

https://github.com/dani-garcia/vaultwarden/pull/5291 2024-12-20 2024-12-20
chromium -- multiple security fixes chromium 131.0.6778.204 ungoogled-chromium 131.0.6778.204

Chrome Releases reports:

This update includes 3 security fixes:

  • [382291459] High CVE-2024-12692: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-12-05
  • [382190919] High CVE-2024-12693: Out of bounds memory access in V8. Reported by 303f06e3 on 2024-12-04
  • [368222741] High CVE-2024-12694: Use after free in Compositing. Reported by Anonymous on 2024-09-19
  • [383647255] High CVE-2024-12695: Out of bounds write in V8. Reported by 303f06e3 on 2024-12-12
CVE-2024-12692 CVE-2024-12693 CVE-2024-12694 CVE-2024-12695 https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_18.html 2024-12-18 2024-12-19
liboqs -- Correctness error in HQC decapsulation liboqs 0.12.0

The Open Quantum Safe project reports:

A correctness error has been identified in the reference implementation of the HQC key encapsulation mechanism. Due to an indexing error, part of the secret key is incorrectly treated as non-secret data. This results in an incorrect shared secret value being returned when the decapsulation function is called with a malformed ciphertext.

No concrete attack exploiting the error has been identified at this point. However, the error involves mishandling of the secret key, and in principle this presents a security vulnerability.

CVE-2024-54137 https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-gpf4-vrrw-r8v7 2024-11-29 2024-12-18
gitea -- Fix misuse of PublicKeyCallback gitea 1.22.6

Problem Description:

  • Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto
https://github.com/go-gitea/gitea/pull/32810 https://github.com/advisories/GHSA-v778-237x-gjrc 2024-12-12 2024-12-17
gitea -- multiple vulnerabilities gitea 1.22.5

Problem Description:

  • Fix delete branch perm checking
  • Upgrade crypto library
https://github.com/go-gitea/gitea/pull/32791 https://github.com/go-gitea/gitea/pull/32654 2024-11-27 2024-12-17
gitea -- multiple vulnerabilities gitea 1.22.4

Problem Description:

  • Fix basic auth with webauthn
  • Refactor internal routers (partial backport, auth token const time comparing)
https://github.com/go-gitea/gitea/pull/32531 https://github.com/go-gitea/gitea/pull/32473 2024-11-16 2024-12-17
forgejo -- multiple vulnerabilities forgejo 9.0.2 forgejo7 7.0.11

Problem Description:

  • It was possible to use a token sent via email for secondary email validation to reset the password instead. In other words, a token sent for a given action (registration, password reset or secondary email validation) could be used to perform a different action. It is no longer possible to use a token for an action that is different from its original purpose.
  • A fork of a public repository would show in the list of forks, even if its owner was not a public user or organization. Such a fork is now hidden from the list of forks of the public repository.
  • The members of an organization team with read access to a repository (e.g. to read issues) but no read access to the code could read the RSS or atom feeds which include the commit activity. Reading the RSS or atom feeds is now denied unless the team has read permissions on the code.
  • The tokens used when replying by email to issues or pull requests were weaker than the rfc2104 recommendations. The tokens are now truncated to 128 bits instead of 80 bits. It is no longer possible to reply to emails sent before the upgrade because the weaker tokens are invalid.
  • A registered user could modify the update frequency of any push mirror (e.g. every 4h instead of every 8h). They are now only able to do that if they have administrative permissions on the repository.
  • It was possible to use basic authorization (i.e. user:password) for requests to the API even when security keys were enrolled for a user. It is no longer possible, an application token must be used instead.
  • Some markup sanitation rules were not as strong as they could be (e.g. allowing emoji somethingelse as well as emoji). The rules are now stricter and do not allow for such cases.
  • When Forgejo is configured to enable instance wide search (e.g. with bleve), results found in the repositories of private or limited users were displayed to anonymous visitors. The results found in private or limited organizations were not displayed. The search results found in the repositories of private or limited user are no longer displayed to anonymous visitors.
https://codeberg.org/forgejo/forgejo/pulls/5974 https://codeberg.org/forgejo/forgejo/pulls/5974 https://codeberg.org/forgejo/forgejo/pulls/5974 https://codeberg.org/forgejo/forgejo/pulls/5974 https://codeberg.org/forgejo/forgejo/pulls/5974 https://codeberg.org/forgejo/forgejo/pulls/5974 https://codeberg.org/forgejo/forgejo/pulls/5974 https://codeberg.org/forgejo/forgejo/pulls/5974 2024-12-12 2024-12-17 2024-12-18
forgejo -- unauthorized user impersonation forgejo 7.0.12

Problem Description:

  • When Forgejo is configured to run the internal ssh server with [server].START_SSH_SERVER=true, it was possible for a registered user to impersonate another user. The rootless container image uses the internal ssh server by default and was vulnerable. A Forgejo instance running from a binary or from a root container image does not use the internal ssh server by default and was not vulnerable. The incorrect use of the crypto package is the root cause of the vulnerability and was fixed for the internal ssh server.
  • Revert "allow synchronizing user status from OAuth2 login providers"
https://codeberg.org/forgejo/forgejo/pulls/6248 2024-12-12 2024-12-17
forgejo -- multiple vulnerabilities forgejo 9.0.3

Problem Description:

  • When Forgejo is configured to run the internal ssh server with [server].START_SSH_SERVER=true, it was possible for a registered user to impersonate another user. The rootless container image uses the internal ssh server by default and was vulnerable. A Forgejo instance running from a binary or from a root container image does not use the internal ssh server by default and was not vulnerable. The incorrect use of the crypto package is the root cause of the vulnerability and was fixed for the internal ssh server.
  • Revert "allow synchronizing user status from OAuth2 login providers"
https://codeberg.org/forgejo/forgejo/pulls/6248 https://codeberg.org/forgejo/forgejo/pulls/6249 2024-12-12 2024-12-17
py-matrix-synapse -- multiple vulnerabilities in versions prior to 1.120.1 py38-matrix-synapse py39-matrix-synapse py310-matrix-synapse py311-matrix-synapse 1.120.1

element-hq/synapse developers report:

[The 1.120.1] release fixes multiple security vulnerabilities, some affecting all prior versions of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild.

Administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below.

CVE-2024-52805 https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2 CVE-2024-52815 https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h CVE-2024-53863 https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g CVE-2024-53867 https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h CVE-2024-37302 https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x CVE-2024-37303 https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr 2024-12-03 2024-12-15
zeek -- potential DoS vulnerability zeek 7.0.5

Tim Wojtulewicz of Corelight reports:

Large QUIC packets can cause Zeek to overflow memory and potentially crash. Due to the possibility of receiving these packets from remote hosts, this is a DoS risk.

https://github.com/zeek/zeek/releases/tag/v7.0.5 2024-12-16 2024-12-16
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.6.017.6.2 17.5.017.5.4 9.4.017.4.6

Gitlab reports:

Injection of Network Error Logging (NEL) headers in kubernetes proxy response could lead to ATO abusing OAuth flows

Denial of Service by repeatedly sending unauthenticated requests for diff-files

CI_JOB_TOKEN could be used to obtain GitLab session

Open redirect in releases API

Client-Side Path Traversal in Harbor artifact links

HTML injection in vulnerability details could lead to Cross Site Scripting

Leak branch names of projects with confidential repository

Non member can view unresolved threads marked as internal notes

Uncontrolled Resource Consumption through a maliciously crafted file

Certain sensitive information passed as literals inside GraphQL mutations retained in GraphQL logs

Information disclosure of confidential incidents details to a group member in Gitlab Wiki

Domain Confusion in GitLab Pages Unique Domain Implementation

CVE-2024-11274 CVE-2024-8233 CVE-2024-9387 CVE-2024-8647 CVE-2024-8179 CVE-2024-8116 CVE-2024-8650 CVE-2024-9367 CVE-2024-12292 CVE-2024-12292 CVE-2024-10043 https://about.gitlab.com/releases/2024/12/11/patch-release-gitlab-17-6-2-released/ 2024-12-11 2024-12-12
chromium -- multiple security fixes chromium 131.0.6778.139 ungoogled-chromium 131.0.6778.139

Chrome Releases reports:

This update includes 3 security fixes:

  • [381696874] High CVE-2024-12381: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-12-02
  • [379516109] High CVE-2024-12382: Use after free in Translate. Reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-11-18
CVE-2024-12381 CVE-2024-12382 https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_10.html 2024-12-10 2024-12-11
chromium -- multiple security fixes chromium 131.0.6778.108 ungoogled-chromium 131.0.6778.108

Chrome Releases reports:

This update includes 4 security fixes:

  • [379009132] High CVE-2024-12053: Type Confusion in V8. Reported by gal1ium and chluo on 2024-11-14
CVE-2024-12053 https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop.html 2024-12-03 2024-12-11
firefox -- multiple vulnerabilities firefox 133.0.0,2 firefox-esr 128.5,1 thunderbird 128.5 129133

security@mozilla.org reports:

  • CVE-2024-11692: An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks.
  • CVE-2024-11696: The application failed to account for exceptions thrown by the `loadManifestFromFile` method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the signature validation process. As a result, the enforcement of signature validation for unrelated add-ons may have been bypassed. Signature validation in this context is used to ensure that third-party applications on the user's computer have not tampered with the user's extensions, limiting the impact of this issue.
  • CVE-2024-11697: When handling keypress events, an attacker may have been able to trick a user into bypassing the " Open Executable File?" confirmation dialog. This could have led to malicious code execution.
  • CVE-2024-11699: Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
CVE-2024-11692 https://nvd.nist.gov/vuln/detail/CVE-2024-11692 CVE-2024-11696 https://nvd.nist.gov/vuln/detail/CVE-2024-11696 CVE-2024-11697 https://nvd.nist.gov/vuln/detail/CVE-2024-11697 CVE-2024-11699 https://nvd.nist.gov/vuln/detail/CVE-2024-11699 2024-11-26 2024-12-10
qt6-webengine -- Multiple vulnerabilities qt6-webengine 6.7.3_3

Qt qtwebengine-chromium repo reports:

Backports for 5 security bugs in Chromium:

  • CVE-2024-11110: Inappropriate implementation in Blink
  • CVE-2024-11112: Use after free in Media
  • CVE-2024-11114: Inappropriate implementation in Views
  • CVE-2024-11116: Inappropriate implementation in Paint
  • CVE-2024-11117: Inappropriate implementation in FileSystem
CVE-2024-11110 CVE-2024-11112 CVE-2024-11114 CVE-2024-11116 CVE-2024-11117 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=118-based 2024-11-29 2024-12-07
gstreamer1-plugins-vorbis -- Stack buffer-overflow in Vorbis decoder gstreamer1-plugins-vorbis 1.24.10

The GStreamer Security Center reports:

Stack buffer-overflow in Vorbis decoder that can cause crashes for certain input files.

CVE-2024-47538 https://gstreamer.freedesktop.org/security/sa-2024-0022.html 2024-12-03 2024-12-06
gstreamer1-plugins-opus -- Stack buffer-overflow in Opus decoder gstreamer1-plugins-opus 1.24.10

The GStreamer Security Center reports:

Stack buffer-overflow in Opus decoder that can cause crashes for certain input files.

CVE-2024-47607 https://gstreamer.freedesktop.org/security/sa-2024-0024.html 2024-12-03 2024-12-06
gstreamer1-plugins-ogg -- Out-of-bounds write in Ogg demuxer gstreamer1-plugins-ogg 1.24.10

The GStreamer Security Center reports:

An out-of-bounds write in the Ogg demuxer that can cause crashes for certain input files.

CVE-2024-47615 https://gstreamer.freedesktop.org/security/sa-2024-0026.html 2024-12-03 2024-12-06
gstreamer1-plugins-jpeg -- NULL-pointer dereferences in JPEG decoder gstreamer1-plugins-jpeg 1.24.10

The GStreamer Security Center reports:

Insufficient error handling in the JPEG decoder that can lead to NULL-pointer dereferences, and that can cause crashes for certain input files.

CVE-2024-47599 https://gstreamer.freedesktop.org/security/sa-2024-0016.html 2024-12-03 2024-12-06
gstreamer1-plugins-gdkpixbuf -- NULL-pointer dereference gstreamer1-plugins-gdkpixbuf 1.24.10

The GStreamer Security Center reports:

A NULL-pointer dereference in the gdk-pixbuf decoder that can cause crashes for certain input files.

CVE-2024-47613 https://gstreamer.freedesktop.org/security/sa-2024-0025.html 2024-12-03 2024-12-06
gstreamer1-plugins-good -- multiple vulnerabilities gstreamer1-plugins-good 1.24.10

The GStreamer Security Center reports:

20 security bugs.

  • CVE-2024-47537: Integer overflow in MP4/MOV sample table parser leading to out-of-bounds writes
  • CVE-2024-47598: MP4/MOV sample table parser out-of-bounds read
  • CVE-2024-47539: MP4/MOV Closed Caption handling out-of-bounds write
  • CVE-2024-47543: MP4/MOV demuxer out-of-bounds read
  • CVE-2024-47545: Integer overflow in MP4/MOV demuxer that can result in out-of-bounds read
  • CVE-2024-47544: NULL-pointer dereferences in MP4/MOV demuxer CENC handling
  • CVE-2024-47597: Out-of-bounds reads in MP4/MOV demuxer sample table parser
  • CVE-2024-47546: Integer underflow in MP4/MOV demuxer that can lead to out-of-bounds reads
  • CVE-2024-47606: Integer overflows in MP4/MOV demuxer and memory allocator that can lead to out-of-bounds writes
  • CVE-2024-47596: Integer underflow in MP4/MOV demuxer that can lead to out-of-bounds reads
  • CVE-2024-47540: Usage of uninitialized stack memory in Matroska/WebM demuxer
  • CVE-2024-47602: NULL-pointer dereferences and out-of-bounds reads in Matroska/WebM demuxer
  • CVE-2024-47601: NULL-pointer dereference in Matroska/WebM demuxer
  • CVE-2024-47603: NULL-pointer dereference in Matroska/WebM demuxer
  • CVE-2024-47775: Out-of-bounds read in WAV parser
  • CVE-2024-47776: Out-of-bounds read in WAV parser
  • CVE-2024-47777: Out-of-bounds read in WAV parser
  • CVE-2024-47778: Out-of-bounds read in WAV parser
  • CVE-2024-47774: Integer overflow in AVI subtitle parser that leads to out-of-bounds reads
  • CVE-2024-47834: Use-after-free in Matroska demuxer
CVE-2024-47537 https://gstreamer.freedesktop.org/security/sa-2024-0005.html CVE-2024-47598 https://gstreamer.freedesktop.org/security/sa-2024-0006.html CVE-2024-47539 https://gstreamer.freedesktop.org/security/sa-2024-0007.html CVE-2024-47543 https://gstreamer.freedesktop.org/security/sa-2024-0009.html CVE-2024-47545 https://gstreamer.freedesktop.org/security/sa-2024-0010.html CVE-2024-47544 https://gstreamer.freedesktop.org/security/sa-2024-0011.html CVE-2024-47597 https://gstreamer.freedesktop.org/security/sa-2024-0012.html CVE-2024-47546 https://gstreamer.freedesktop.org/security/sa-2024-0013.html CVE-2024-47606 https://gstreamer.freedesktop.org/security/sa-2024-0014.html CVE-2024-47596 https://gstreamer.freedesktop.org/security/sa-2024-0015.html CVE-2024-47540 https://gstreamer.freedesktop.org/security/sa-2024-0017.html CVE-2024-47602 https://gstreamer.freedesktop.org/security/sa-2024-0019.html CVE-2024-47601 https://gstreamer.freedesktop.org/security/sa-2024-0020.html CVE-2024-47603 https://gstreamer.freedesktop.org/security/sa-2024-0021.html CVE-2024-47775 https://gstreamer.freedesktop.org/security/sa-2024-0027.html CVE-2024-47776 https://gstreamer.freedesktop.org/security/sa-2024-0027.html CVE-2024-47777 https://gstreamer.freedesktop.org/security/sa-2024-0027.html CVE-2024-47778 https://gstreamer.freedesktop.org/security/sa-2024-0027.html CVE-2024-47835 https://gstreamer.freedesktop.org/security/sa-2024-0028.html CVE-2024-47834 https://gstreamer.freedesktop.org/security/sa-2024-0030.html 2024-12-03 2024-12-06
gstreamer1-plugins -- multiple vulnerabilities gstreamer1-plugins 1.24.10

The GStreamer Security Center reports:

3 security bugs.

  • CVE-2024-47542: ID3v2 parser out-of-bounds read and NULL-pointer dereference
  • CVE-2024-47600: Out-of-bounds read in gst-discoverer-1.0 commandline tool
  • CVE-2024-47541: Out-of-bounds write in SSA subtitle parser
CVE-2024-47542 https://gstreamer.freedesktop.org/security/sa-2024-0008.html CVE-2024-47600 https://gstreamer.freedesktop.org/security/sa-2024-0018.html CVE-2024-47541 https://gstreamer.freedesktop.org/security/sa-2024-0023.html 2024-12-03 2024-12-06
zabbix -- SQL injection in user.get API zabbix6-frontend 6.0.31 zabbix64-frontend 6.4.16 zabbix7-frontend 7.0.0

security@zabbix.com reports:

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

CVE-2024-42327 https://nvd.nist.gov/vuln/detail/CVE-2024-42327 2024-11-27 2024-12-02
electron33 -- Inappropriate implementation in Extensions electron33 33.2.1

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-11110.
CVE-2024-11110 https://github.com/advisories/GHSA-4mww-gp9h-h59m 2024-11-27 2024-12-02
jenkins -- Denial of service vulnerability in bundled json-lib jenkins 2.487 jenkins-lts 2.479.2

Jenkins Security Advisory:

Description

(High) SECURITY-3463 / CVE-2024-47855

Denial of service vulnerability in bundled json-lib

CVE-2024-47855 https://www.jenkins.io/security/advisory/2024-11-27/ 2024-11-27 2024-11-29
keycloak -- Multiple security fixes keycloak 26.0.6

Keycloak reports:

This update includes 5 security fixes:

  • CVE-2024-10451: Sensitive Data Exposure in Keycloak Build Process
  • CVE-2024-10270: Potential Denial of Service
  • CVE-2024-10492: Keycloak path trasversal
  • CVE-2024-9666: Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
  • CVE-2024-10039: Bypassing mTLS validation
CVE-2021-9666 CVE-2021-10039 CVE-2021-10270 CVE-2021-10451 CVE-2021-10492 2024-11-22 2024-11-25
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 17.6.017.6.1 17.5.017.5.3 8.12.017.4.5

Gitlab reports:

Privilege Escalation via LFS Tokens

DoS through uncontrolled resource consumption when viewing a maliciously crafted cargo.toml file

Unintended Access to Usage Data via Scoped Tokens

Gitlab DOS via Harbor registry integration

Resource exhaustion and denial of service with test_report API calls

Streaming endpoint did not invalidate tokens after revocation

CVE-2024-8114 CVE-2024-8237 CVE-2024-11669 CVE-2024-8177 CVE-2024-11828 CVE-2024-11668 https://about.gitlab.com/releases/2024/11/26/patch-release-gitlab-17-6-1-released/ 2024-11-26 2024-11-27
chromium -- multiple security fixes chromium 131.0.6778.85 ungoogled-chromium 131.0.6778.85

Chrome Releases reports:

This update includes 3 security fixes:

  • [377384894] High CVE-2024-11395: Type Confusion in V8. Reported by Anonymous on 2024-11-05
CVE-2024-11395 https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_19.html 2024-11-19 2024-11-25
qt6-webengine -- Multiple vulnerabilities qt6-webengine 6.7.3_2

Qt qtwebengine-chromium repo reports:

Backports for 16 security bugs in Chromium:

  • CVE-2024-9120: Use after free in Dawn
  • CVE-2024-9122: Type Confusion in V8
  • CVE-2024-9123: Integer overflow in Skia
  • CVE-2024-9369: Insufficient data validation in Mojo
  • CVE-2024-9602: Type confusion in V8
  • CVE-2024-9603: Type confusion in V8
  • CVE-2024-9965: Insufficient data validation in DevTools
  • CVE-2024-9966: Inappropriate implementation in Navigations
  • CVE-2024-10229: Inappropriate implementation in Extensions
  • CVE-2024-10230: Type confusion in V8
  • CVE-2024-10231: Type confusion in V8
  • CVE-2024-10487: Out of bounds write in Dawn
  • CVE-2024-10827: Use after free in Serial
  • CVE-2024-45490: Negative length in libexpat
  • CVE-2024-45491: Integer overflow in libexpat
  • CVE-2024-45492: Integer overflow in libexpat
CVE-2024-9120 CVE-2024-9122 CVE-2024-9123 CVE-2024-9369 CVE-2024-9602 CVE-2024-9603 CVE-2024-9965 CVE-2024-9966 CVE-2024-10229 CVE-2024-10230 CVE-2024-10231 CVE-2024-10487 CVE-2024-10827 CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=118-based 2024-09-26 2024-11-23
qt5-webengine -- Use after free in Serial qt5-webengine 5.15.18p5

Qt qtwebengine-chromium repo reports:

Backports for 1 security bug in Chromium:

  • CVE-2024-10827: Use after free in Serial
CVE-2024-10827 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=87-based 2024-10-24 2024-11-22
xorg server -- _XkbSetCompatMap vulnerability xorg-server 21.1.14,1 xwayland 24.1.4,1

The X.Org project reports:

  • CVE-2024-9632: Heap buffer Heap-based buffer overflow privilege escalation in _XkbSetCompatMap

    The _XkbSetCompatMap() function attempts to resize the `sym_interpret` buffer. However, It didn't update its size properly. It updated `num_si` only, without updating `size_si`. This may lead to local privilege escalation if the server is run as root or remote code execution (e.g. x11 over ssh).

CVE-2024-9632 https://lists.x.org/archives/xorg-announce/2024-October/003545.html 2024-10-29 2024-11-19
mongodb -- Buffer over-reads in MongoDB Server mongodb50 5.0.30 mongodb60 6.0.19 mongodb70 7.0.15 mongodb80 8.0.2

cna@mongodb.com reports:

An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server.

CVE-2024-10921 https://nvd.nist.gov/vuln/detail/CVE-2024-10921 2024-11-14 2024-11-17
Vaultwarden -- Multiple vulnerabilities vaultwarden 1.32.5

The Vaultwarden project reports:

This release further fixed some CVE Reports reported by a third party security auditor and we recommend everybody to update to the latest version as soon as possible.

https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.5 2024-11-11 2024-11-18
Vaultwarden -- Multiple vulnerabilities vaultwarden 1.32.4

The Vaultwarden project reports:

This release has fixed some CVE Reports reported by a third party security auditor and we recommend everybody to update to the latest version as soon as possible.

https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.4 2024-11-10 2024-11-16
chromium -- multiple security fixes chromium 131.0.6778.69 ungoogled-chromium 131.0.6778.69

Chrome Releases reports:

This update includes 12 security fixes:

  • [373263969] High CVE-2024-11110: Inappropriate implementation in Blink. Reported by Vsevolod Kokorin (Slonser) of Solidlab on 2024-10-14
  • [360520331] Medium CVE-2024-11111: Inappropriate implementation in Autofill. Reported by Narendra Bhati, Suma Soft Pvt. Ltd - Pune (India) on 2024-08-18
  • [354824998] Medium CVE-2024-11112: Use after free in Media. Reported by Nan Wang(@eternalsakura13) and Zhenghang Xiao(@Kipreyyy) of 360 Vulnerability Research Institute on 2024-07-23
  • [360274917] Medium CVE-2024-11113: Use after free in Accessibility. Reported by Weipeng Jiang (@Krace) of VRI on 2024-08-16
  • [370856871] Medium CVE-2024-11114: Inappropriate implementation in Views. Reported by Micky on 2024-10-02
  • [371929521] Medium CVE-2024-11115: Insufficient policy enforcement in Navigation. Reported by mastersplinter on 2024-10-07
  • [40942531] Medium CVE-2024-11116: Inappropriate implementation in Paint. Reported by Thomas Orlita on 2023-11-14
  • [40062534] Low CVE-2024-11117: Inappropriate implementation in FileSystem. Reported by Ameen Basha M K on 2023-01-06
CVE-2024-11110 CVE-2024-11111 CVE-2024-11112 CVE-2024-11113 CVE-2024-11114 CVE-2024-11115 CVE-2024-11116 CVE-2024-11117 https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_12.html 2024-11-12 2024-11-16
electron31 -- multiple vulnerabilities electron31 31.7.5 electron32 32.2.5

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-10827.
  • Security: backported fix for CVE-2024-11110.
CVE-2024-10827 https://github.com/advisories/GHSA-58wv-w3hc-2c76 CVE-2024-11110 https://github.com/advisories/GHSA-4mww-gp9h-h59m 2024-11-15 2024-11-15 2024-11-16
PostgreSQL -- PL/Perl environment variable changes execute arbitrary code postgresql17-plperl 17.1 postgresql16-plperl 16.5 postgresql15-plperl 15.9 postgresql14-plperl 14.14 postgresql13-plperl 13.17 postgresql12-plperl 12.21

PostgreSQL project reports:

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user.

CVE-2024-10979 https://www.postgresql.org/support/security/CVE-2024-10979/ 2024-11-14 2024-11-14
PostgreSQL -- SET ROLE, SET SESSION AUTHORIZATION reset to wrong user ID postgresql17-server 17.1 postgresql16-server 16.5 postgresql15-server 15.9 postgresql14-server 14.14 postgresql13-server 13.17 postgresql12-server 12.21

PostgreSQL project reports:

Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries

CVE-2024-10978 https://www.postgresql.org/support/security/CVE-2024-10978/ 2024-11-14 2024-11-14
PostgreSQL -- libpq retains an error message from man-in-the-middle postgresql17-client 17.1 postgresql16-client 16.5 postgresql15-client 15.9 postgresql14-client 14.14 postgresql13-client 13.17 postgresql12-client 12.21

PostgreSQL project reports:

Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text.

CVE-2024-10977 https://www.postgresql.org/support/security/CVE-2024-10977/ 2024-11-14 2024-11-14
PostgreSQL -- PostgreSQL row security below e.g. subqueries disregards user ID changes postgresql17-server 17.1 postgresql16-server 16.5 postgresql15-server 15.9 postgresql14-server 14.14 postgresql13-server 13.17 postgresql12-server 12.21

PostgreSQL project reports:

Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies.

CVE-2024-10976 https://www.postgresql.org/support/security/CVE-2024-10976/ 2024-11-14 2024-11-14
electron31 -- multiple vulnerabilities electron31 31.7.4

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-10231.
  • Security: backported fix for CVE-2024-10229.
  • Security: backported fix for CVE-2024-10487.
CVE-2024-10231 https://github.com/advisories/GHSA-3wfx-mj93-vf8v CVE-2024-10229 https://github.com/advisories/GHSA-3hjp-j522-245f CVE-2024-10487 https://github.com/advisories/GHSA-h72p-7xmw-gpp8 2024-11-12 2024-11-14
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 17.5.017.5.2 17.4.017.4.4 16.0.017.3.7

Gitlab reports:

Unauthorized access to Kubernetes cluster agent

Device OAuth flow allows for cross window forgery

Denial of Service by importing malicious crafted FogBugz import payload

Stored XSS through javascript URL in Analytics dashboards

HTML injection in vulnerability Code flow could lead to XSS on self hosted instances

Information disclosure through an API endpoint

CVE-2024-9693 CVE-2024-7404 CVE-2024-8648 CVE-2024-8180 CVE-2024-10240 https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/ 2024-11-13 2024-11-14
FreeBSD -- Certificate revocation list fetch(1) option fails FreeBSD 14.114.1_6 13.413.4_2 13.313.3_8

Problem Description:

The fetch(3) library uses environment variables for passing certain information, including the revocation file pathname. The environment variable name used by fetch(1) to pass the filename to the library was incorrect, in effect ignoring the option.

Impact:

Fetch would still connect to a host presenting a certificate included in the revocation file passed to the --crl option.

CVE-2024-45289 SA-24:19.fetch 2024-10-29 2024-11-13
FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer FreeBSD-kernel 14.114.1_6 13.413.4_2 13.313.3_8

Problem Description:

The command ctl_persistent_reserve_out allows the caller to specify an arbitrary size which will be passed to the kernel's memory allocator.

Impact:

A malicious guest could cause a Denial of Service (DoS) on the host.

CVE-2024-39281 SA-24:18.ctl 2024-10-29 2024-11-13
FreeBSD -- Multiple issues in the bhyve hypervisor FreeBSD 14.114.1_6 13.413.4_2 13.313.3_8

Problem Description:

Several vulnerabilities were found in the bhyve hypervisor's device models.

The NVMe driver function nvme_opc_get_log_page is vulnerable to a buffer over- read from a guest-controlled value. (CVE-2024-51562)

The virtio_vq_recordon function is subject to a time-of-check to time-of-use (TOCTOU) race condition. (CVE-2024-51563)

A guest can trigger an infinite loop in the hda audio driver. (CVE-2024-51564)

The hda driver is vulnerable to a buffer over-read from a guest-controlled value. (CVE-2024-51565)

The NVMe driver queue processing is vulernable to guest-induced infinite loops. (CVE-2024-51566)

Impact:

Malicious guest virtual machines may be able to perform a denial of service (DoS) of the bhyve host, and may read memory within the bhyve process that they should not be able to access.

CVE-2024-51562 CVE-2024-51563 CVE-2024-51564 CVE-2024-51565 CVE-2024-51566 SA-24:17.bhyve 2024-10-29 2024-11-13
element-web -- several vulnerabilities element-web 1.11.85

Element team reports:

Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events trigger a file download once clicked.

A malicious homeserver can send invalid messages over federation which can prevent Element Web and Desktop from rendering single messages or the entire room containing them.

CVE-2024-51749 CVE-2024-51750 https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2 https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc 2024-11-12 2024-11-12
Matrix clients -- mxc uri validation in js sdk cinny 4.2.3 element-web 1.11.85

matrix-js-sdk upstream reports:

matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver.

CVE-2024-50336 https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-xvg8-m4x3-w6xr 2024-11-12 2024-11-12
icinga2 -- TLS Certificate Validation Bypass icinga2 2.14.3

The Icinga project reports:

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.

CVE-2024-49369 https://icinga.com/blog/2024/11/12/critical-icinga-2-security-releases-2-14-3/ https://nvd.nist.gov/vuln/detail/CVE-2024-49369 2024-11-12 2024-11-12
Intel CPUs -- multiple vulnerabilities cpu-microcode-intel 20241112

Intel reports:

A potential security vulnerability in some 4th and 5th Generation Intel Xeon Processors may allow denial of service. Intel released microcode updates to mitigate this potential vulnerability.

Potential security vulnerabilities in some Intel Xeon processors using Intel Software Guard Extensions (Intel SGX) may allow escalation of privilege. Intel released firmware updates to mitigate these potential vulnerabilities.

CVE-2024-21853 CVE-2024-23918 CVE-2024-21820 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241112 2024-09-10 2024-09-10
x11vnc -- access to shared memory segments x11vnc 0.9.16_8

cve@mitre.org reports:

scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls, which allows access by actors other than the current user.

CVE-2020-29074 https://nvd.nist.gov/vuln/detail/CVE-2020-29074 2020-11-18 2024-11-08
lrzsz -- Integer overflow in zmodem, crash and information leak lrzsz 0.12.20_7

cve@mitre.org reports:

Lrzsz has an integer overflow vulernability in the src/zm.c:zsdata() function. An attacker could exploit this with the sz command to cause a crash or potentially leak information to the receiving server.

CVE-2018-10195 https://nvd.nist.gov/vuln/detail/CVE-2018-10195 2018-04-26 2024-11-08
tnef -- An attacker may be able to write to the victim's .ssh/authorized_keys file via an e-mail message tnef 1.4.18

cve@mitre.org reports:

In tnef before 1.4.18, an attacker may be able to write to the victim's .ssh/authorized_keys file via an e-mail message with a crafted winmail.dat application/ms-tnef attachment, because of a heap-based buffer over-read involving strdup.

CVE-2019-18849 https://nvd.nist.gov/vuln/detail/CVE-2019-18849 2019-11-11 2024-10-26
tnef -- Invalid read and write operations, controlled by an attacker tnef 1.4.12

cve@mitre.org reports:

CVE-2017-6307: An issue was discovered in tnef before 1.4.13. Two OOB Writes have been identified in src/mapi_attr.c:mapi_attr_read(). These might lead to invalid read and write operations, controlled by an attacker.

CVE-2017-6308: An issue was discovered in tnef before 1.4.13. Several Integer Overflows, which can lead to Heap Overflows, have been identified in the functions that wrap memory allocation.

CVE-2017-6309: An issue was discovered in tnef before 1.4.13. Two type confusions have been identified in the parse_file() function. These might lead to invalid read and write operations, controlled by an attacker.

CVE-2017-6310: An issue was discovered in tnef before 1.4.13. Four type confusions have been identified in the file_add_mapi_attrs() function. These might lead to invalid read and write operations, controlled by an attacker.

CVE-2017-6307 https://nvd.nist.gov/vuln/detail/CVE-2017-6307 CVE-2017-6308 https://nvd.nist.gov/vuln/detail/CVE-2017-6308 CVE-2017-6309 https://nvd.nist.gov/vuln/detail/CVE-2017-6309 CVE-2017-6310 https://nvd.nist.gov/vuln/detail/CVE-2017-6310 2017-02-24 2024-10-26
electron32 -- multiple vulnerabilities electron32 32.2.3

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-10230.
  • Security: backported fix for CVE-2024-10231.
  • Security: backported fix for CVE-2024-10229.
  • Security: backported fix for CVE-2024-10487.
CVE-2024-10230 https://github.com/advisories/GHSA-g4gj-m346-585c CVE-2024-10231 https://github.com/advisories/GHSA-3wfx-mj93-vf8v CVE-2024-10229 https://github.com/advisories/GHSA-3hjp-j522-245f CVE-2024-10487 https://github.com/advisories/GHSA-h72p-7xmw-gpp8 2024-11-08 2024-11-08
gstreamer1-rtsp-server -- Potential Denial-of-Service (DoS) with specially crafted client requests gstreamer1-rtsp-server 1.18.01.24.9

Qingpeng Du reports:

A series of specially crafted client requests during streaming setup (post client authentication, if any) can cause the RTSP server library to abort, if it has been compiled with assertions enabled.

CVE-2024-44331 https://gstreamer.freedesktop.org/security/sa-2024-0004.html 2024-10-29 2024-11-07
chromium -- multiple security fixes chromium 130.0.6723.116 ungoogled-chromium 130.0.6723.116

Chrome Releases reports:

This update includes 2 security fixes:

  • [370217726] High CVE-2024-10826: Use after free in Family Experiences. Reported by Anonymous on 2024-09-29
  • [375065084] High CVE-2024-10827: Use after free in Serial. Reported by Anonymous on 2024-10-23
CVE-2024-10826 CVE-2024-10827 https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop.html 2024-11-05 2024-11-06
libqb -- Buffer overflow libqb 2.0.8

cve@mitre.org reports:

log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long log messages because the header size is not considered.

CVE-2023-39976 https://nvd.nist.gov/vuln/detail/CVE-2023-39976 2023-08-08 2024-11-04
chromium -- multiple security fixes chromium 130.0.6723.91 ungoogled-chromium 130.0.6723.91

Chrome Releases reports:

This update includes 2 security fixes:

  • [375123371] Critical CVE-2024-10487: Out of bounds write in Dawn. Reported by Apple Security Engineering and Architecture (SEAR) on 2024-10-23
  • [374310077] High CVE-2024-10488: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2024-10-18
CVE-2024-10487 CVE-2024-10488 https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_29.html 2024-10-29 2024-11-02
qt5-webengine -- Multiple vulnerabilities qt5-webengine 5.15.18p2

Backports for 15 security bugs in Chromium:

  • CVE-2024-4761: Out of bounds write in V8
  • CVE-2024-5158: Type confusion in V8
  • CVE-2024-7532: Out of bounds memory access in ANGLE
  • CVE-2024-7965: Inappropriate implementation in V8
  • CVE-2024-7967: Heap buffer overflow in Fonts
  • CVE-2024-7971: Type confusion in V8
  • CVE-2024-8198: Heap buffer overflow in Skia
  • CVE-2024-8636: Heap buffer overflow in Skia
  • CVE-2024-9123: Integer overflow in Skia
  • CVE-2024-9602: Type confusion in V8
  • CVE-2024-9603: Type confusion in V8
  • CVE-2024-10229: Inappropriate implementation in Extensions
  • CVE-2024-45490: Negative length in libexpat
  • CVE-2024-45491: Integer overflow in libexpat
  • CVE-2024-45492: Integer overflow in libexpat
CVE-2024-4761 CVE-2024-5158 CVE-2024-7532 CVE-2024-7965 CVE-2024-7967 CVE-2024-7971 CVE-2024-8198 CVE-2024-8636 CVE-2024-9123 CVE-2024-9602 CVE-2024-9603 CVE-2024-10229 CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=87-based 2024-09-18 2024-10-31
keycloak -- Missing server identity checks when sending mails via SMTPS keycloak 26.0.4

Red Hat reports:

A vulnerability was found in Apache Sling Commons Messaging Mail(angus-mail), which provides a simple interface for sending emails via SMTPS in OSGi, does not offer an option to enable server identity checks, leaving connections vulnerable to "man-in-the-middle" attacks and can allow insecure email communication.

CVE-2021-44549 https://www.cve.org/CVERecord?id=CVE-2021-44549 2024-10-01 2024-10-31
librewolf -- Undefined behavior in selection node cache librewolf 131.0.3

security@mozilla.org reports:

When manipulating the selection node cache, an attacker may have been able to cause unexpected behavior, potentially leading to an exploitable crash. This vulnerability affects Firefox < 131.0.3.

CVE-2024-9936 https://nvd.nist.gov/vuln/detail/CVE-2024-9936 2024-10-14 2024-10-30
hwloc2 -- Denial of service or other unspecified impacts hwloc2 2.1.02.9.2

cve@mitre.org reports:

An issue was discovered in open-mpi hwloc 2.1.0 allows attackers to cause a denial of service or other unspecified impacts via glibc-cpuset in topology-linux.c.

CVE-2022-47022 https://nvd.nist.gov/vuln/detail/CVE-2022-47022 2023-08-22 2024-10-29
forgejo -- multiple vulnerabilities forgejo 9.0.1 forgejo7 7.0.10

Problem Description:

  • Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to timing attacks. A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays.
  • Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made.
https://codeberg.org/forgejo/forgejo/milestone/8544 https://codeberg.org/forgejo/forgejo/pulls/5719 https://codeberg.org/forgejo/forgejo/pulls/5718 2024-10-28 2024-10-29
chromium -- multiple security fixes chromium 130.0.6723.69 ungoogled-chromium 130.0.6723.69

Chrome Releases reports:

This update includes 3 security fixes:

  • [371011220] High CVE-2024-10229: Inappropriate implementation in Extensions. Reported by Vsevolod Kokorin (Slonser) of Solidlab on 2024-10-02
  • [371565065] High CVE-2024-10230: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-10-05
  • [372269618] High CVE-2024-10231: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-10-09
CVE-2024-10229 CVE-2024-10230 CVE-2024-10231 https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_22.html 2024-10-22 2024-10-26
chromium -- multiple security fixes chromium 130.0.6723.58 ungoogled-chromium 130.0.6723.58

Chrome Releases reports:

This update includes 17 security fixes:

  • [367755363] High CVE-2024-9954: Use after free in AI. Reported by DarkNavy on 2024-09-18
  • [370133761] Medium CVE-2024-9955: Use after free in Web Authentication. Reported by anonymous on 2024-09-29
  • [370482421] Medium CVE-2024-9956: Inappropriate implementation in Web Authentication. Reported by mastersplinter on 2024-09-30
  • [358151317] Medium CVE-2024-9957: Use after free in UI. Reported by lime(@limeSec_) and fmyy(@binary_fmyy) From TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-08-08
  • [40076120] Medium CVE-2024-9958: Inappropriate implementation in PictureInPicture. Reported by Lyra Rebane (rebane2001) on 2023-11-02
  • [368672129] Medium CVE-2024-9959: Use after free in DevTools. Reported by Sakana.S on 2024-09-21
  • [354748063] Medium CVE-2024-9960: Use after free in Dawn. Reported by Anonymous on 2024-07-23
  • [357776197] Medium CVE-2024-9961: Use after free in Parcel Tracking. Reported by lime(@limeSec_) and fmyy(@binary_fmyy) From TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-08-06
  • [364508693] Medium CVE-2024-9962: Inappropriate implementation in Permissions. Reported by Shaheen Fazim on 2024-09-04
  • [328278718] Medium CVE-2024-9963: Insufficient data validation in Downloads. Reported by Anonymous on 2024-03-06
  • [361711121] Low CVE-2024-9964: Inappropriate implementation in Payments. Reported by Hafiizh on 2024-08-23
  • [352651673] Low CVE-2024-9965: Insufficient data validation in DevTools. Reported by Shaheen Fazim on 2024-07-12
  • [364773822] Low CVE-2024-9966: Inappropriate implementation in Navigations. Reported by Harry Chen on 2024-09-05
CVE-2024-9954 CVE-2024-9955 CVE-2024-9956 CVE-2024-9957 CVE-2024-9958 CVE-2024-9959 CVE-2024-9960 CVE-2024-9961 CVE-2024-9962 CVE-2024-9963 CVE-2024-9964 CVE-2024-9965 CVE-2024-9966 https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html 2024-10-15 2024-10-26
halibut -- Segmentation fault, denial of service or possibly other unspecified impact via a crafted text document halibut 1.2

cve@mitre.org reports:

CVE-2021-42612: A use after free in cleanup_index in index.c in Halibut 1.2 allows an attacker to cause a segmentation fault or possibly have other unspecified impact via a crafted text document.

CVE-2021-42613: A double free in cleanup_index in index.c in Halibut 1.2 allows an attacker to cause a denial of service or possibly have other unspecified impact via a crafted text document.

CVE-2021-42614: A use after free in info_width_internal in bk_info.c in Halibut 1.2 allows an attacker to cause a segmentation fault or possibly have unspecified other impact via a crafted text document.

CVE-2021-42612 https://nvd.nist.gov/vuln/detail/CVE-2021-42612 CVE-2021-42613 https://nvd.nist.gov/vuln/detail/CVE-2021-42613 CVE-2021-42614 https://nvd.nist.gov/vuln/detail/CVE-2021-42614 2022-05-24 2024-10-26
electron31 -- multiple vulnerabilities electron31 31.7.2

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-9121.
  • Security: backported fix for CVE-2024-9122.
  • Security: backported fix for CVE-2024-7025.
  • Security: backported fix for CVE-2024-9369.
  • Security: backported fix for CVE-2024-7965.
  • Security: backported fix for CVE-2024-7966.
  • Security: backported fix for CVE-2024-7967.
  • Security: backported fix for CVE-2024-8198.
  • Security: backported fix for CVE-2024-8193.
  • Security: backported fix for CVE-2024-7969.
  • Security: backported fix for CVE-2024-7970.
  • Security: backported fix for CVE-2024-8362.
  • Security: backported fix for CVE-2024-8636.
  • Security: backported fix for CVE-2024-9123.
  • Security: backported fix for CVE-2024-9120.
CVE-2024-9121 https://github.com/advisories/GHSA-qcr8-x9j3-5j62 CVE-2024-9122 https://github.com/advisories/GHSA-4fw3-822r-pqw6 CVE-2024-7025 CVE-2024-9369 CVE-2024-7965 https://github.com/advisories/GHSA-x38q-hvmx-rwhg CVE-2024-7966 https://github.com/advisories/GHSA-4pj3-wmgx-2h8r CVE-2024-7967 https://github.com/advisories/GHSA-57cq-jgq2-x7vg CVE-2024-8198 https://github.com/advisories/GHSA-76vg-grjj-w595 CVE-2024-8193 https://github.com/advisories/GHSA-5q6v-fp9h-6rjg CVE-2024-7969 https://github.com/advisories/GHSA-p8h7-64p8-w5pq CVE-2024-7970 https://github.com/advisories/GHSA-4c4w-77f9-v9mq CVE-2024-8362 https://github.com/advisories/GHSA-rw7g-4966-p363 CVE-2024-8636 https://github.com/advisories/GHSA-r6cg-gw4p-5gmj CVE-2024-9123 https://github.com/advisories/GHSA-xwv3-34j2-7jgx CVE-2024-9120 https://github.com/advisories/GHSA-xh87-v57g-jhpw 2024-10-24 2024-10-24
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 17.5.017.5.1 17.4.017.4.3 11.2.017.3.6

Gitlab reports:

HTML injection in Global Search may lead to XSS

DoS via XML manifest file import

CVE-2024-8312 CVE-2024-6826 https://about.gitlab.com/releases/2024/10/23/patch-release-gitlab-17-5-1-released/ 2024-10-23 2024-10-24
electron32 -- multiple vulnerabilities electron32 32.2.2

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-7966.
  • Security: backported fix for CVE-2024-9370.
CVE-2024-7966 https://github.com/advisories/GHSA-4pj3-wmgx-2h8r CVE-2024-9370 2024-10-23 2024-10-23
oauth2-proxy -- multiple vulnerabilities oauth2-proxy 7.7.0

The oauth2-proxy project reports:

Vulnerabilities have been addressed:

  • CVE-2024-24786
  • CVE-2024-24791
  • CVE-2024-24790
  • CVE-2024-24784
  • CVE-2024-28180
  • CVE-2023-45288
CVE-2024-24786 CVE-2024-24791 CVE-2024-24790 CVE-2024-24784 CVE-2024-28180 CVE-2024-45288 https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.7.0 2024-10-02 2024-10-18
OpenSSL -- OOB memory access vulnerability openssl 3.0.15_1,1 openssl31 3.1.7_1 openssl32 3.2.3_1 openssl33 3.3.2_1 openssl-quictls 3.0.15_1,1 openssl31-quictls 3.1.7_1

The OpenSSL project reports:

Low-level invalid GF(2^m) parameters lead to OOB memory access (CVE-2024-9143) (Low)

Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes.

CVE-2024-9143 https://openssl-library.org/news/secadv/20241016.txt 2024-10-16 2024-10-19
electron{31,32} -- multiple vulnerabilities electron31 31.7.1 electron32 32.2.1

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-9602.
  • Security: backported fix for CVE-2024-9603.
CVE-2024-9602 https://github.com/advisories/GHSA-4v8q-vp3v-vvxh CVE-2024-9603 https://github.com/advisories/GHSA-92m3-m5pw-p2x9 2024-10-16 2024-10-18
element-web -- Potential exposure of access token via authenticated media element-web 1.11.701.11.81

Element team reports:

Element Web versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue.

CVE-2024-47779 https://github.com/element-hq/element-web/security/advisories/GHSA-3jm3-x98c-r34x 2024-10-15 2024-10-15
vscode -- Visual Studio Code for Linux Remote Code Execution Vulnerability vscode 1.94.1

VSCode developers report:

Visual Studio Code for Linux Remote Code Execution Vulnerability

A remote code execution vulnerability exists in VS Code 1.94.0 and earlier versions in the elevated save flow.

CVE-2024-43601 https://nvd.nist.gov/vuln/detail/CVE-2024-43601 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43601 2024-10-08 2024-10-11
firefox -- use-after-free code execution firefox 131.0.2,2 firefox-esr 128.3.1,1

security@mozilla.org reports:

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild.

CVE-2024-9680 https://nvd.nist.gov/vuln/detail/CVE-2024-9680 2024-10-09 2024-10-10
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 17.4.017.4.2 17.3.017.3.5 8.1617.2.9

Gitlab reports:

Run pipelines on arbitrary branches

An attacker can impersonate arbitrary user

SSRF in Analytics Dashboard

Viewing diffs of MR with conflicts can be slow

HTMLi in OAuth page

Deploy Keys can push changes to an archived repository

Guests can disclose project templates

GitLab instance version disclosed to unauthorized users

CVE-2024-9164 CVE-2024-8970 CVE-2024-8977 CVE-2024-9631 CVE-2024-6530 CVE-2024-9623 CVE-2024-5005 CVE-2024-9596 https://about.gitlab.com/releases/2024/10/09/patch-release-gitlab-17-4-2-released/ 2024-10-09 2024-10-10
gitea -- token missing access control for packages gitea 1.22.3

Problem Description:

  • Fix bug when a token is given public only
https://github.com/go-gitea/gitea/pull/32204 2024-10-06 2024-10-09
powerdns-recursor -- denial of service powerdns-recursor 5.1.2

PowerDNS Team reports:

PowerDNS Security Advisory 2024-04: Crafted responses can lead to a denial of service due to cache inefficiencies in the Recursor

CVE-2024-25590 https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html 2024-10-03 2024-10-09
chromium -- multiple security fixes chromium 129.0.6668.100 ungoogled-chromium 129.0.6668.100

Chrome Releases reports:

This update includes 3 security fixes:

  • [368241697] High CVE-2024-9602: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-09-20
  • [367818758] High CVE-2024-9603: Type Confusion in V8. Reported by @WeShotTheMoon and @Nguyen Hoang Thach of starlabs on 2024-09-18
CVE-2024-9602 CVE-2024-9603 https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_8.html 2024-10-08 2024-10-09
chromium -- multiple security fixes chromium 129.0.6668.89 ungoogled-chromium 129.0.6668.89

Chrome Releases reports:

This update includes 4 security fixes:

  • [367764861] High CVE-2024-7025: Integer overflow in Layout. Reported by Tashita Software Security on 2024-09-18
  • [368208152] High CVE-2024-9369: Insufficient data validation in Mojo. Reported by Xiantong Hou and Pisanbao of Wuheng Lab on 2024-09-19
  • [368311899] High CVE-2024-9370: Inappropriate implementation in V8. Reported by Nguyį»…n HoĆ ng Thįŗ”ch, Đỗ Minh Tuįŗ„n, and Wu JinLin of STAR Labs SG Pte. Ltd. on 2024-09-19
CVE-2024-7025 CVE-2024-9369 CVE-2024-9370 https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop.html 2024-10-01 2024-10-09
Unbound -- Denial of service attack unbound 1.21.1

NLnet labs report:

A vulnerability has been discovered in Unbound when handling replies with very large RRsets that Unbound needs to perform name compression for.

Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks.

Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long.

This change should not affect normal DNS traffic.

CVE-2024-8508 https://nlnetlabs.nl/news/2024/Oct/03/unbound-1.21.1-released/ 2024-10-03 2024-10-06
zeek -- potential DoS vulnerability zeek 7.0.3

Tim Wojtulewicz of Corelight reports:

Adding to the POP3 hardening in 7.0.2, the parser now simply discards too many pending commands, rather than any attempting to process them. Further, invalid server responses do not result in command completion anymore. Processing out-of-order commands or finishing commands based on invalid server responses could result in inconsistent analyzer state, potentially triggering null pointer references for crafted traffic.

https://github.com/zeek/zeek/releases/tag/v7.0.3 2024-10-05 2024-10-05
firefox -- multiple vulnerabilities firefox 131.0,2 firefox-esr 128.3.0,1 thunderbird 128.3.0

security@mozilla.org reports:

  • CVE-2024-9392: A compromised content process could have allowed for the arbitrary loading of cross-origin pages.
  • CVE-2024-9396: It is currently unknown if this issue is exploitable but a condition may arise where the structured clone of certain objects could lead to memory corruption.
  • CVE-2024-9400: A potential memory corruption vulnerability could be triggered if an attacker had the ability to trigger an OOM at a specific moment during JIT compilation.
  • CVE-2024-9401: Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
  • CVE-2024-9402: Memory safety bugs present in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
  • CVE-2024-9403: Memory safety bugs present in Firefox 130. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
CVE-2024-9392 https://nvd.nist.gov/vuln/detail/CVE-2024-9392 CVE-2024-9396 https://nvd.nist.gov/vuln/detail/CVE-2024-9396 CVE-2024-9400 https://nvd.nist.gov/vuln/detail/CVE-2024-9400 CVE-2024-9401 https://nvd.nist.gov/vuln/detail/CVE-2024-9401 CVE-2024-9402 https://nvd.nist.gov/vuln/detail/CVE-2024-9402 CVE-2024-9403 https://nvd.nist.gov/vuln/detail/CVE-2024-9403 2024-10-01 2024-10-03
jenkins -- multiple vulnerabilities jenkins 2.479 jenkins-lts 2.462.3

Jenkins Security Advisory:

Description

(Medium) SECURITY-3451 / CVE-2024-47803

Exposure of multi-line secrets through error messages in Jenkins

Description

(Medium) SECURITY-3448 / CVE-2024-47804

Item creation restriction bypass vulnerability in Jenkins

CVE-2024-47803 CVE-2024-47804 https://www.jenkins.io/security/advisory/2024-10-02/ 2024-10-02 2024-10-03
redis,valkey -- Multiple vulnerabilities redis 7.4.07.4.1 7.2.07.2.6 redis72 7.2.07.2.6 redis62 6.2.06.2.16 valkey 8,0,08.0.1 7.2.07.2.7

Redis core team reports:

CVE-2024-31449
Lua library commands may lead to stack overflow and potential RCE.
CVE-2024-31227
Potential Denial-of-service due to malformed ACL selectors.
CVE-2024-31228
Potential Denial-of-service due to unbounded pattern matching.
CVE-2024-31449 CVE-2024-31227 CVE-2024-31228 https://github.com/redis/redis/releases/tag/7.4.1 2024-10-02 2024-10-02
php -- Multiple vulnerabilities php81 8.1.30 php82 8.2.24 php83 8.3.12

php.net reports:

  • CVE-2024-8926: CGI: Fixed bug GHSA-9pqp-7h25-4f32 (Bypass of CVE-2024-4577, Parameter Injection Vulnerability).
  • CVE-2024-8927: CGI: Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is bypassable due to the environment variable collision).
  • CVE-2024-9026: FPM: Fixed bug GHSA-865w-9rf3-2wh5 (Logs from childrens may be altered).
  • CVE-2024-8925: SAPI: Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data).
CVE-2024-8926 CVE-2024-8927 CVE-2024-9026 CVE-2024-8925 https://www.php.net/ChangeLog-8.php 2024-09-26 2024-09-30
Slixmpp -- Lack of SSL Certificate hostname validation in XMLStream py38-slixmpp py39-slixmpp py310-slixmpp py311-slixmpp 1.8.3

NIST reports:

Slixmpp before 1.8.3 lacks SSL Certificate hostname validation in XMLStream, allowing an attacker to pose as any server in the eyes of Slixmpp.

CVE-2022-45197 https://nvd.nist.gov/vuln/detail/CVE-2022-45197 2022-12-25 2024-09-30
chromium -- multiple security fixes chromium 129.0.6668.70 ungoogled-chromium 129.0.6668.70

Chrome Releases reports:

This update includes 5 security fixes:

  • [365254285] High CVE-2024-9120: Use after free in Dawn. Reported by Anonymous on 2024-09-08
  • [363538434] High CVE-2024-9121: Inappropriate implementation in V8. Reported by Tashita Software Security on 2024-09-01
  • [365802567] High CVE-2024-9122: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-09-10
  • [365884464] High CVE-2024-9123: Integer overflow in Skia. Reported by raven at KunLun lab on 2024-09-11
CVE-2024-9120 CVE-2024-9121 CVE-2024-9122 CVE-2024-9123 https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_24.html 2024-09-24 2024-09-30
sqlite -- use-after-free bug in jsonparseaddnodearray sqlite3 - 3.43.03.43.2,1 + 3.43.0,13.43.2,1 linux-rl9-sqlite - 3.43.03.43.2 + 3.43.0,13.43.2,1 linux-c7-sqlite - 3.43.03.43.2 + 3.43.0,13.43.2,1

secalert@redhat.com reports:

A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service.

CVE-2024-0232 https://nvd.nist.gov/vuln/detail/CVE-2024-0232 2024-01-16 2024-09-29 + 2025-08-01
cups-filters -- remote code execution cups-filters 1.28.17_6 cups 2.4.11

OpenPrinting reports:

Due to the service binding to *:631 ( INADDR_ANY ), multiple bugs in cups-browsed can be exploited in sequence to introduce a malicious printer to the system. This chain of exploits ultimately enables an attacker to execute arbitrary commands remotely on the target machine without authentication when a print job is started. Posing a significant security risk over the network. Notably, this vulnerability is particularly concerning as it can be exploited from the public internet, potentially exposing a vast number of systems to remote attacks if their CUPS services are enabled.

The vulnerability allows an attacker on the internet to create a new printer device with arbitrary commands in the PPD file of the printer. Attacks using mDNS on the local network can also replace an existing printer. The commands are executed when a user attempts to print on the malicious device. They run with the privileges of the user "cups".

It is recommended to disable the cups_browsed service until patches become available. On FreeBSD this is the default. You can check the status and disable the service with the following commands:

# service cups_browsed status
# service cups_browsed stop
# service cups_browsed disable

If you choose to leave the service enabled, attacks from the internet can be blocked by removing the "cups" protocol from the BrowseRemoteProtocols and BrowseProtocols directives in /usr/local/etc/cups/cups-browsed.conf. Attacks using mDNS can be blocked by removing the "dnssd" protocol as well. Access can be limited to specific IP addresses using BrowseAllow, BrowseDeny, and BrowseOrder directives as documented in cups-browsed.conf(5). Then restart the service with the following command:

# service cups_browsed restart

CVE-2024-47076 CVE-2024-47175 CVE-2024-47176 https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8 2024-09-26 2024-09-27 2024-10-02
expat -- multiple vulnerabilities expat 2.6.3

libexpat reports:

  • CVE-2024-45490: Calling function XML_ParseBuffer with len < 0 without noticing and then calling XML_GetBuffer will have XML_ParseBuffer fail to recognize the problem and XML_GetBuffer corrupt memory. With the fix, XML_ParseBuffer now complains with error XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse has been doing since Expat 2.2.1, and now documented. Impact is denial of service to potentially artitrary code execution.
  • CVE-2024-45491: Internal function dtdCopy can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially artitrary code execution.
  • CVE-2024-45492: Internal function nextScaffoldPart can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially artitrary code execution.
CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 https://github.com/libexpat/libexpat/blob/master/expat/Changes 2024-09-24 2024-09-24
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 17.4.017.4.1 17.3.017.3.4 15.6.017.2.8

Gitlab reports:

Maintainer can leak Dependency Proxy password by changing Dependency Proxy URL via crafted POST request

AI feature reads unsanitized content, allowing for attacker to hide prompt injection

Project reference can be exposed in system notes

CVE-2024-4278 CVE-2024-4099 CVE-2024-8974 https://about.gitlab.com/releases/2024/09/25/patch-release-gitlab-17-4-1-released/ 2024-09-25 2024-09-26
frr - BGP frr9 9.1.2 frr8 8.5.6

cve@mitre.org reports:

An issue was discovered in FRRouting (FRR). bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value.

CVE-2024-44070 https://nvd.nist.gov/vuln/detail/CVE-2024-44070 2024-08-19 2024-09-24
zeek -- potential DoS vulnerability zeek 7.0.2

Tim Wojtulewicz of Corelight reports:

The POP3 parser has been hardened to avoid unbounded state growth in the face of one-sided traffic capture or when enabled for non-POP3 traffic.

https://github.com/zeek/zeek/releases/tag/v7.0.2 2024-09-24 2024-09-24
FreeBSD -- NFS client accepts file names containing path separators FreeBSD-kernel 14.114.1_3 14.014.0_9 13.313.3_5

Problem Description:

When mounting a remote filesystem using NFS, the kernel did not sanitize remotely provided filenames for the path separator character, "/". This allows readdir(3) and related functions to return filesystem entries with names containing additional path components.

Impact:

The lack of validation described above gives rise to a confused deputy problem. For example, a program copying files from an NFS mount could be tricked into copying from outside the intended source directory, and/or to a location outside the intended destination directory.

CVE-2024-6759 SA-24:07.nfsclient 2024-08-07 2024-09-20
FreeBSD -- ktrace(2) fails to detach when executing a setuid binary FreeBSD-kernel 14.114.1_3 14.014.0_9 13.313.3_5

Problem Description:

A logic bug in the code which disables kernel tracing for setuid programs meant that tracing was not disabled when it should have, allowing unprivileged users to trace and inspect the behavior of setuid programs.

Impact:

The bug may be used by an unprivileged user to read the contents of files to which they would not otherwise have access, such as the local password database.

CVE-2024-6760 SA-24:06.ktrace 2024-08-07 2024-09-20
FreeBSD -- pf incorrectly matches different ICMPv6 states in the state table FreeBSD-kernel 14.114.1_3 14.014.0_9 13.313.3_5

Problem Description:

In ICMPv6 Neighbor Discovery (ND), the ID is always 0. When pf is configured to allow ND and block incoming Echo Requests, a crafted Echo Request packet after a Neighbor Solicitation (NS) can trigger an Echo Reply. The packet has to come from the same host as the NS and have a zero as identifier to match the state created by the Neighbor Discovery and allow replies to be generated.

Impact:

ICMPv6 packets with identifier value of zero bypass firewall rules written on the assumption that the incoming packets are going to create a state in the state table.

Note:

This advisory introduced additional issues that were addressed by FreeBSD-EN-24:16.pf. Please refer to that erratum for additional fixes.

CVE-2024-6640 SA-24:05.pf https://www.freebsd.org/security/advisories/FreeBSD-EN-24:16.pf.asc 2024-08-07 2024-09-20
FreeBSD -- Integer overflow in libnv FreeBSD-kernel 14.114.1_5 14.014.0_11 13.413.4_1 13.313.3_7 FreeBSD 14.114.1_5 14.014.0_11 13.413.4_1 13.313.3_7

Problem Description:

A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data. The introduced check was incorrect, as it took into account the size of the pointer, not the structure. This vulnerability affects both kernel and userland.

This issue was originally intended to be addressed as part of FreeBSD-SA-24:09.libnv, but due to a logic issue, this issue was not properly addressed.

Impact:

It is possible for an attacker to overwrite portions of memory (in userland or the kernel) as the allocated buffer might be smaller than the data received from a malicious process. This vulnerability could result in privilege escalation or cause a system panic.

CVE-2024-45287 SA-24:16.libnv 2024-09-19 2024-09-20
FreeBSD -- bhyve(8) out-of-bounds read access via XHCI emulation FreeBSD 14.114.1_5 14.014.0_11 13.413.4_1 13.313.3_7

Problem Description:

bhyve can be configured to emulate devices on a virtual USB controller (XHCI), such as USB tablet devices. An insufficient boundary validation in the USB code could lead to an out-of-bounds read on the heap, which could potentially lead to an arbitrary write and remote code execution.

Impact:

A malicious, privileged software running in a guest VM can exploit the vulnerability to crash the hypervisor process or potentially achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.

CVE-2024-41721 SA-24:15.bhyve 2024-09-19 2024-09-20
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 17.3.017.3.3 17.2.017.2.7 017.1.8

Gitlab reports:

SAML authentication bypass

CVE-2024-45409 https://about.gitlab.com/releases/2024/09/17/patch-release-gitlab-17-3-3-released/ 2024-09-17 2024-09-18
OpenSSH -- Pre-authentication async signal safety issue openssh-portable 9.8.p1_1,1 FreeBSD 14.114.1_3 14.014.0_9 13.313.3_5

The FreeBSD Project reports:

A signal handler in sshd(8) may call a logging function that is not async- signal-safe. The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of the sshd(8)'s privileged code, which is not sandboxed and runs with full root privileges.

This issue is another instance of the problem in CVE-2024-6387 addressed by FreeBSD-SA-24:04.openssh. The faulty code in this case is from the integration of blacklistd in OpenSSH in FreeBSD.

CVE-2024-7589 https://nvd.nist.gov/vuln/detail/CVE-2024-7589 SA-24:08.openssh 2024-08-06 2024-09-15 2024-09-20
SnappyMail -- multiple mXSS in HTML sanitizer snappymail-php81 snappymail-php82 snappymail-php83 snappymail-php84 2.38.0

Oskar reports:

SnappyMail uses the `cleanHtml()` function to cleanup HTML and CSS in emails. Research discovered that the function has a few bugs which cause an mXSS exploit. Because the function allowed too many (invalid) HTML elements, it was possible (with incorrect markup) to trick the browser to "fix" the broken markup into valid markup. As a result a motivated attacker may be able to inject javascript.

CVE-2024-45800 https://github.com/the-djmaze/snappymail/security/advisories/GHSA-2rq7-79vp-ffxm 2024-09-16 2024-09-16
chromium -- multiple security fixes chromium 128.0.6613.137 ungoogled-chromium 128.0.6613.137

Chrome Releases reports:

This update includes 4 security fixes:

  • [361461526] High CVE-2024-8636: Heap buffer overflow in Skia. Reported by Renan Rios (@hyhy_100) on 2024-08-22
  • [361784548] High CVE-2024-8637: Use after free in Media Router. Reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-08-23
  • [362539773] High CVE-2024-8638: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-08-28
  • [362658609] High CVE-2024-8639: Use after free in Autofill. Reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-08-28
CVE-2024-8636 CVE-2024-8637 CVE-2024-8638 CVE-2024-8639 https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_10.html 2024-09-10 2024-09-13
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 17.3.017.3.2 17.2.017.2.5 8.14.017.1.7

Gitlab reports:

Execute environment stop actions as the owner of the stop action job

Prevent code injection in Product Analytics funnels YAML

SSRF via Dependency Proxy

Denial of Service via sending a large glm_source parameter

CI_JOB_TOKEN can be used to obtain GitLab session token

Variables from settings are not overwritten by PEP if a template is included

Guests can disclose the full source code of projects using custom group-level templates

IdentitiesController allows linking of arbitrary unclaimed provider identities

Open redirect in repo/tree/:id endpoint can lead to account takeover through broken OAuth flow

Open redirect in release permanent links can lead to account takeover through broken OAuth flow

Guest user with Admin group member permission can edit custom role to gain other permissions

Exposure of protected and masked CI/CD variables by abusing on-demand DAST

Credentials disclosed when repository mirroring fails

Commit information visible through release atom endpoint for guest users

Dependency Proxy Credentials are Logged in Plaintext in graphql Logs

User Application can spoof the redirect url

Group Developers can view group runners information

CVE-2024-6678 CVE-2024-8640 CVE-2024-8635 CVE-2024-8124 CVE-2024-8641 CVE-2024-8311 CVE-2024-4660 CVE-2024-4283 CVE-2024-4612 CVE-2024-8631 CVE-2024-2743 CVE-2024-5435 CVE-2024-6389 CVE-2024-4472 CVE-2024-6446 CVE-2024-6685 https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/ 2024-09-11 2024-09-12
Intel CPUs -- multiple vulnerabilities cpu-microcode-intel 20241112

Intel reports:

A potential security vulnerability in the Running Average Power Limit (RAPL) interface for some Intel Processors may allow information disclosure. Intel has released firmware updates to mitigate this potential vulnerability.

A potential security vulnerability in some Intel Processors may allow denial of service. Intel has released firmware updates to mitigate this potential vulnerability.

CVE-2024-23984 CVE-2024-24968 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910 2024-09-10 2024-09-10 2024-11-12
clamav -- Multiple vulnerabilities clamav 1.3.0,11.3.2,1 1.4.0,11.4.1,1 clamav-lts 1.0.0,11.0.6,1

The ClamAV project reports:

CVE-2024-20505
A vulnerability in the PDF parsing module of Clam AntiVirus (ClamAV) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an out of bounds read. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. An exploit could allow the attacker to terminate the scanning process.
CVE-2024-20506
A vulnerability in the ClamD service module of Clam AntiVirus (ClamAV) could allow an authenticated, local attacker to corrupt critical system files. The vulnerability is due to allowing the ClamD process to write to its log file while privileged without checking if the logfile has been replaced with a symbolic link. An attacker could exploit this vulnerability if they replace the ClamD log file with a symlink to a critical system file and then find a way to restart the ClamD process. An exploit could allow the attacker to corrupt a critical system file by appending ClamD log messages after restart.
CVE-2024-20505 CVE-2024-20506 https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html 2024-09-04 2024-09-09
netatalk3 -- multiple WolfSSL vulnerabilities netatalk3 3.2.8,1

Netatalk release reports:

WolfSSL 5.7.0 (included in netatalk) includes multiple security vulnerabilities.

CVE-2024-1544 CVE-2024-5288 CVE-2024-5991 CVE-2024-5814 2024-09-08 2024-09-09
minio -- unintentional information disclosure minio 2024.05.27.19.17.46

Minio security advisory GHSA-95fr-cm4m-q5p9 reports:

when used with anonymous requests by sending a random object name requests you can figure out if the object exists or not on the server on a specific bucket and also gain access to some amount of information.

CVE-2024-36107 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36107 2024-05-28 2024-06-05
minio -- privilege escalation via permissions inheritance minio 2024.01.31.20.20.33

Minio security advisory GHSA-xx8w-mq23-29g4 ports:

When someone creates an access key, it inherits the permissions of the parent key. Not only for s3:* actions, but also admin:* actions. Which means unless somewhere above in the access-key hierarchy, the admin rights are denied, access keys will be able to simply override their own s3 permissions to something more permissive.

CVE-2024-24747 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24747 2024-01-31 2024-06-05
firefox -- Potential memory corruption and exploitable crash firefox 128.0,2

security@mozilla.org reports:

An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash.

CVE-2024-7652 https://nvd.nist.gov/vuln/detail/CVE-2024-7652 2024-09-06 2024-09-07
exiv2 -- Out-of-bounds read in AsfVideo::streamProperties exiv2 0.28.0,10.28.3,1

Kevin Backhouse reports:

An out-of-bounds read was found in Exiv2 version v0.28.2. The vulnerability is in the parser for the ASF video format, which was a new feature in v0.28.0, so Exiv2 versions before v0.28 are not affected. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted video file.

CVE-2024-39695 https://github.com/Exiv2/exiv2/security/advisories/GHSA-38rv-8x93-pvrh 2024-04-21 2024-09-07
forgejo -- multiple vulnerabilities forgejo 8.0.3 forgejo7 7.0.9

Problem Description:

  • Replace v-html with v-text in search inputbox
  • Upgrade webpack to v5.94.0 as a precaution to mitigate CVE-2024-43788, although we were not yet able to confirm that this can be exploited in Forgejo.
CVE-2024-43788 https://codeberg.org/forgejo/forgejo/milestone/8231 2024-09-03 2024-09-06
binutils -- Multiple vulnerabilities binutils 2.43,1

alster@vinterdalen.se reports PR/281070:

A new version of devel/binutils has been released fixing CVE-2023-1972, CVE-2023-25585, CVE-2023-25586, and CVE-2023-25588.

CVE-2023-1972 CVE-2023-25585 CVE-2023-25586 CVE-2023-25588 2024-08-25 2024-09-06
gitea -- multiple issues gitea 1.22.2

Problem Description:

  • Replace v-html with v-text in search inputbox
  • Fix nuget/conan/container packages upload bugs
https://github.com/go-gitea/gitea/releases/tag/v1.22.2 2024-09-03 2024-09-05
qt5-webengine -- Multiple vulnerabilities qt5-webengine 5.15.17.p3

Backports for 6 security bugs in Chromium:

  • CVE-2024-5496: Use after free in Media Session
  • CVE-2024-5846: Use after free in PDFium
  • CVE-2024-6291: Use after free in Swiftshader
  • CVE-2024-6989: Use after free in Loader
  • CVE-2024-6996: Race in Frames
  • CVE-2024-7536: Use after free in WebAudio
CVE-2024-5496 CVE-2024-5846 CVE-2024-6291 CVE-2024-6989 CVE-2024-6996 CVE-2024-7536 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=87-based 2024-08-05 2024-09-05
firefox -- multiple vulnerabilities firefox 130.0_1,2

security@mozilla.org reports:

This entry contains 8 vulnerabilities:

  • CVE-2024-8381: A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the `with` environment.
  • CVE-2024-8382: Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried to use those interfaces would not be able to use them with elevated privileges, but their presence would indicate certain browser features had been used, such as when a user opened the Dev Tools console.
  • CVE-2024-8383: Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will.
  • CVE-2024-8384: The JavaScript garbage collector could mis-color cross-compartment objects if OOM conditions were detected at the right point between two passes. This could have led to memory corruption.
  • CVE-2024-8385: A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability.
  • CVE-2024-8386: If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform a spoofing attack.
  • CVE-2024-8387: Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
  • CVE-2024-8389: Memory safety bugs present in Firefox 129. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
CVE-2024-8381 https://nvd.nist.gov/vuln/detail/CVE-2024-8381 CVE-2024-8382 https://nvd.nist.gov/vuln/detail/CVE-2024-8382 CVE-2024-8383 https://nvd.nist.gov/vuln/detail/CVE-2024-8383 CVE-2024-8384 https://nvd.nist.gov/vuln/detail/CVE-2024-8384 CVE-2024-8385 https://nvd.nist.gov/vuln/detail/CVE-2024-8385 CVE-2024-8386 https://nvd.nist.gov/vuln/detail/CVE-2024-8386 CVE-2024-8387 https://nvd.nist.gov/vuln/detail/CVE-2024-8387 CVE-2024-8389 https://nvd.nist.gov/vuln/detail/CVE-2024-8389 2024-09-03 2024-09-05
FreeBSD -- umtx Kernel panic or Use-After-Free FreeBSD 14.114.1_4 14.014.0_10 13.313.3_6

Problem Description:

Concurrent removals of such a mapping by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early.

Impact:

A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape.

CVE-2024-43102 SA-24:14.umtx 2024-09-04 2024-09-05
FreeBSD -- bhyve(8) privileged guest escape via USB controller FreeBSD 14.114.1_4 14.014.0_10 13.313.3_6

Problem Description:

bhyve can be configured to emulate devices on a virtual USB controller (XHCI), such as USB tablet devices. An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller.

Impact:

A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.

CVE-2024-32668 SA-24:12.bhyve 2024-09-04 2024-09-05
FreeBSD -- Multiple issues in ctl(4) CAM Target Layer FreeBSD-kernel 14.114.1_4 14.014.0_10 13.313.3_6

Problem Description:

Several vulnerabilities were found in the ctl subsystem.

The function ctl_write_buffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing (CVE-2024-45063). The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it (CVE-2024-8178). The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel help memory (CVE-2024-42416). The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace (CVE-2024-43110).

Guest virtual machines in the bhyve hypervisor can send SCSI commands to the corresponding kernel driver via the virtio_scsi interface. This provides guests with direct access to the vulnerabilities covered by this advisory.

The CAM Target Layer iSCSI target daemon ctld(8) accepts incoming iSCSI connections, performs authentication and passes connections to the kernel ctl(4) target layer.

Impact:

Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.

A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.

CVE-2024-8178 CVE-2024-42416 CVE-2024-43110 SA-24:11.ctl 2024-09-04 2024-09-05
FreeBSD -- bhyve(8) privileged guest escape via TPM device passthrough FreeBSD 14.114.1_4 14.014.0_10

Problem Description:

bhyve can be configured to provide access to the host's TPM device, where it passes the communication through an emulated device provided to the guest. This may be performed on the command-line by starting bhyve with the `-l tpm,passthru,/dev/tpmX` parameters.

The MMIO handler for the emulated device did not validate the offset and size of the memory access correctly, allowing guests to read and write memory contents outside of the memory area effectively allocated.

Impact:

Malicious software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.

CVE-2024-41928 SA-24:10.bhyve 2024-09-04 2024-09-05
FreeBSD -- Multiple vulnerabilities in libnv FreeBSD-kernel 14.114.1_4 14.014.0_10 13.313.3_6 FreeBSD 14.114.1_4 14.014.0_10 13.313.3_6

Problem Description:

CVE-2024-45287 is a vulnerability that affects both the kernel and userland. A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data.

CVE-2024-45288 is a vulnerability that affects both the kernel and userland. A missing null-termination character in the last element of an nvlist array string can lead to writing outside the allocated buffer.

Impact:

It is possible for an attacker to overwrite portions of memory (in userland or the kernel) as the allocated buffer might be smaller than the data received from a malicious process. This vulnerability could result in privilege escalation or cause a system panic.

CVE-2024-45287 CVE-2024-45288 SA-24:09.libnv 2024-09-04 2024-09-05
OpenSSL -- Multiple vulnerabilities openssl 3.0.15,1 openssl31 3.1.7 openssl32 3.2.3 openssl33 3.3.2 openssl-quictls 3.0.15 openssl31-quictls 3.1.7 FreeBSD 14.114.1_4 14.014.0_10

The OpenSSL project reports:

Possible denial of service in X.509 name checks [Moderate severity] Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.

SSL_select_next_proto buffer overread [Low severity] Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer.

CVE-2024-5535 CVE-2024-6119 https://openssl-library.org/news/secadv/20240627.txt https://openssl-library.org/news/secadv/20240903.txt SA-24:13.openssl 2024-09-03 2024-09-03 2024-09-05
chromium -- multiple security fixes chromium 128.0.6613.119 ungoogled-chromium 128.0.6613.119

Chrome Releases reports:

This update includes 4 security fixes:

  • [357391257] High CVE-2024-8362: Use after free in WebAudio. Reported by Cassidy Kim(@cassidy6564) on 2024-08-05
  • [358485426] High CVE-2024-7970: Out of bounds write in V8. Reported by Cassidy Kim(@cassidy6564) on 2024-08-09
CVE-2024-8362 CVE-2024-7970 https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop.html 2024-09-02 2024-09-03
forgejo -- The scope of application tokens was not verified when writing containers or Conan packages. forgejo 8.0.2

The forgejo team reports:

The scope of application tokens was not verified when writing containers or Conan packages. This is of no consequence when the user associated with the application token does not have write access to packages. If the user has write access to packages, such a token can be used to write containers and Conan packages. An application token that was used to write containers or Conan packages without the package:write scope will now fail with an unauthorized error. It must be re-created to include the package:write scope.

https://codeberg.org/forgejo/forgejo/pulls/5149 2024-08-26 2024-08-30
RabbitMQ-C -- auth credentials visible in commandline tool options rabbitmq-c 0.14.0

hadmut reports:

This C library includes 2 command-line tools that can take credentials as command-line options. The credentials are exposed as plain-text in the process list. This could allow an attacker with access to the process list to see the credentials.

CVE-2023-35789 https://nvd.nist.gov/vuln/detail/CVE-2023-35789 2019-09-19 2024-08-30
firefox -- multiple vulnerabilities firefox 129.0,2

security@mozilla.org reports:

  • Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection.
  • Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode.
  • When almost out-of-memory an elliptic curve key which was never allocated could have been freed again.
  • It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window.
CVE-2024-7524 https://nvd.nist.gov/vuln/detail/CVE-2024-7524 CVE-2024-6610 https://nvd.nist.gov/vuln/detail/CVE-2024-6610 CVE-2024-6609 https://nvd.nist.gov/vuln/detail/CVE-2024-6609 CVE-2024-6608 https://nvd.nist.gov/vuln/detail/CVE-2024-6608 2024-08-06 2024-08-30
chromium -- multiple security fixes chromium 128.0.6613.113 ungoogled-chromium 128.0.6613.113

Chrome Releases reports:

This update includes 4 security fixes:

  • [351865302] High CVE-2024-7969: Type Confusion in V8. Reported by CFF of Topsec Alpha Team on 2024-07-09
  • [360265320] High CVE-2024-8193: Heap buffer overflow in Skia. Reported by Renan Rios (@hyhy_100) on 2024-08-16
  • [360533914] High CVE-2024-8194: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) on 2024-08-18
  • [360758697] High CVE-2024-8198: Heap buffer overflow in Skia. Reported by Renan Rios (@hyhy_100) on 2024-08-19
CVE-2024-7969 CVE-2024-8193 CVE-2024-8194 CVE-2024-8198 https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_28.html 2024-08-28 2024-08-29
Configobj -- Regular Expression Denial of Service attack py38-configobj py39-configobj py310-configobj py311-configobj 5.0.8

report@snyk.io reports:

All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\).**Note:** This is only exploitable in the case of a developer putting the offending value in a server side configuration file.

CVE-2023-26112 https://nvd.nist.gov/vuln/detail/CVE-2023-26112 2023-04-03 2024-08-29
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 17.3.017.3.1 17.2.017.2.4 8.2.017.1.6

Gitlab reports:

The GitLab Web Interface Does Not Guarantee Information Integrity When Downloading Source Code from Releases

Denial of Service by importing maliciously crafted GitHub repository

Prompt injection in "Resolve Vulnerabilty" results in arbitrary command execution in victim's pipeline

An unauthorized user can perform certain actions through GraphQL after a group owner enables IP restrictions

CVE-2024-6502 CVE-2024-8041 CVE-2024-7110 CVE-2024-3127 https://about.gitlab.com/releases/2024/08/21/patch-release-gitlab-17-3-1-released/ 2024-08-21 2024-08-25
firefox -- Multiple vulnerabilities firefox 127,2

security@mozilla.org reports:

  • CVE-2024-5697: A website was able to detect when a user took a screenshot of a page using the built-in Screenshot functionality in Firefox.
  • CVE-2024-5698: By manipulating the fullscreen feature while opening a data-list, an attacker could have overlaid a text box over the address bar. This could have led to user confusion and possible spoofing attacks.
CVE-2024-5697 https://nvd.nist.gov/vuln/detail/CVE-2024-5697 CVE-2024-5698 https://nvd.nist.gov/vuln/detail/CVE-2024-5698 2024-06-11 2024-08-23
mcpp -- Heap-based buffer overflow mcpp 2.7.2

cve@mitre.org reports:

MCPP 2.7.2 has a heap-based buffer overflow in the do_msg() function in support.c.

CVE-2019-14274 https://nvd.nist.gov/vuln/detail/CVE-2019-14274 2019-07-26 2024-08-23
md4c -- DoS attack md4c 0.4.7

cve@mitre.org reports:

md_analyze_line in md4c.c in md4c 0.4.7 allows attackers to trigger use of uninitialized memory, and cause a denial of service via a malformed Markdown document.

CVE-2021-30027 https://nvd.nist.gov/vuln/detail/CVE-2021-30027 2021-04-29 2024-08-23
chromium -- multiple security fixes chromium 128.0.6613.84 ungoogled-chromium 128.0.6613.84

Chrome Releases reports:

This update includes 38 security fixes:

  • [358296941] High CVE-2024-7964: Use after free in Passwords. Reported by Anonymous on 2024-08-08
  • [356196918] High CVE-2024-7965: Inappropriate implementation in V8. Reported by TheDog on 2024-07-30
  • [355465305] High CVE-2024-7966: Out of bounds memory access in Skia. Reported by Renan Rios (@HyHy100) on 2024-07-25
  • [355731798] High CVE-2024-7967: Heap buffer overflow in Fonts. Reported by Tashita Software Security on 2024-07-27
  • [349253666] High CVE-2024-7968: Use after free in Autofill. Reported by Han Zheng (HexHive) on 2024-06-25
  • [351865302] High CVE-2024-7969: Type Confusion in V8. Reported by CFF of Topsec Alpha Team on 2024-07-09
  • [360700873] High CVE-2024-7971: Type confusion in V8. Reported by Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC) on 2024-08-19
  • [345960102] Medium CVE-2024-7972: Inappropriate implementation in V8. Reported by Simon Gerst (intrigus-lgtm) on 2024-06-10
  • [345518608] Medium CVE-2024-7973: Heap buffer overflow in PDFium. Reported by soiax on 2024-06-06
  • [339141099] Medium CVE-2024-7974: Insufficient data validation in V8 API. Reported by bowu(@gocrashed) on 2024-05-07
  • [347588491] Medium CVE-2024-7975: Inappropriate implementation in Permissions. Reported by Thomas Orlita on 2024-06-16
  • [339654392] Medium CVE-2024-7976: Inappropriate implementation in FedCM. Reported by Alesandro Ortiz on 2024-05-10
  • [324770940] Medium CVE-2024-7977: Insufficient data validation in Installer. Reported by Kim Dong-uk (@justlikebono) on 2024-02-11
  • [40060358] Medium CVE-2024-7978: Insufficient policy enforcement in Data Transfer. Reported by NDevTK on 2022-07-21
  • [356064205] Medium CVE-2024-7979: Insufficient data validation in Installer. Reported by VulnNoob on 2024-07-29
  • [356328460] Medium CVE-2024-7980: Insufficient data validation in Installer. Reported by VulnNoob on 2024-07-30
  • [40067456] Low CVE-2024-7981: Inappropriate implementation in Views. Reported by Thomas Orlita on 2023-07-14
  • [350256139] Low CVE-2024-8033: Inappropriate implementation in WebApp Installs. Reported by Lijo A.T on 2024-06-30
  • [353858776] Low CVE-2024-8034: Inappropriate implementation in Custom Tabs. Reported by Bharat (mrnoob) on 2024-07-18
  • [40059470] Low CVE-2024-8035: Inappropriate implementation in Extensions. Reported by Microsoft on 2022-04-26
CVE-2024-7964 CVE-2024-7965 CVE-2024-7966 CVE-2024-7967 CVE-2024-7968 CVE-2024-7969 CVE-2024-7971 CVE-2024-7972 CVE-2024-7973 CVE-2024-7974 CVE-2024-7975 CVE-2024-7976 CVE-2024-7977 CVE-2024-7978 CVE-2024-7979 CVE-2024-7980 CVE-2024-7981 CVE-2024-8033 CVE-2024-8034 CVE-2024-8035 https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html 2024-08-21 2024-08-22
nginx -- Vulnerability in the ngx_http_mp4_module nginx-devel 1.5.13,31.27.1,3 nginx 1.6.0,31.26.2,3

The nginx development team reports:

This update fixes the buffer overread vulnerability in the ngx_http_mp4_module.

CVE-2024-7347 2024-08-14 2024-08-22
Jinja2 -- Vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter py38-Jinja2 py39-Jinja2 py310-Jinja2 py311-Jinja2 3.1.4

security-advisories@github.com reports:

Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4.

CVE-2024-34064 https://nvd.nist.gov/vuln/detail/CVE-2024-34064 2024-05-06 2024-08-20
mozilla products -- spoofing attack firefox 129,2

security@mozilla.org reports:

Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1.

CVE-2024-7518 https://nvd.nist.gov/vuln/detail/CVE-2024-7518 2024-08-06 2024-08-19
electron31 -- multiple vulnerabilities electron31 31.4.0

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-6989.
  • Security: backported fix for CVE-2024-6991.
CVE-2024-6989 https://github.com/advisories/GHSA-32j6-235r-7fmm CVE-2024-6991 https://github.com/advisories/GHSA-3v8g-fm64-g4mc 2024-08-15 2024-08-18
electron{29,30} -- multiple vulnerabilities electron29 29.4.6 electron30 30.4.0

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-6776.
  • Security: backported fix for CVE-2024-6778.
  • Security: backported fix for CVE-2024-6777.
  • Security: backported fix for CVE-2024-6773.
  • Security: backported fix for CVE-2024-6774.
  • Security: backported fix for CVE-2024-6772.
  • Security: backported fix for CVE-2024-6775.
  • Security: backported fix for CVE-2024-6779.
  • Security: backported fix for CVE-2024-6989.
  • Security: backported fix for CVE-2024-6991.
CVE-2024-6776 https://github.com/advisories/GHSA-7hjm-9cg2-rcg6 CVE-2024-6778 https://github.com/advisories/GHSA-9m98-937v-r97x CVE-2024-6777 https://github.com/advisories/GHSA-w2v8-c457-cjvf CVE-2024-6773 https://github.com/advisories/GHSA-7gj8-545r-5295 CVE-2024-6774 https://github.com/advisories/GHSA-cgm7-mqr6-f7vg CVE-2024-6772 https://github.com/advisories/GHSA-cc8c-62x7-qwjr CVE-2024-6775 https://github.com/advisories/GHSA-mxwm-jm3p-mh5m CVE-2024-6779 https://github.com/advisories/GHSA-v4v9-v4wf-9c86 CVE-2024-6989 https://github.com/advisories/GHSA-32j6-235r-7fmm CVE-2024-6991 https://github.com/advisories/GHSA-3v8g-fm64-g4mc 2024-08-16 2024-08-18
Dovecot -- DoS dovecot 2.3.21.1

Dovecot reports:

A DoS is possible with a large number of address headers or abnormally large email headers.

CVE-2024-23184 CVE-2024-23185 https://dovecot.org/mailman3/hyperkitty/list/dovecot-news@dovecot.org/thread/2CSVL56LFPAXVLWMGXEIWZL736PSYHP5/ 2024-08-14 2024-08-16
Intel CPUs -- multiple vulnerabilities cpu-microcode-intel 20240813

Intel reports:

A potential security vulnerability in SMI Transfer monitor (STM) may allow escalation of privilege. Intel has released microcode updates to mitigate this potential vulnerability.

A potential security vulnerability in some 3rd Generation Intel Xeon Scalable Processors may allow denial of service. Intel has released microcode updates to mitigate this potential vulnerability.

A potential security vulnerability in some 3rd, 4th, and 5th Generation Intel Xeon Processors may allow escalation of privilege. Intel has released firmware updates to mitigate this potential vulnerability.

A potential security vulnerability in the Intel Core Ultra Processor stream cache mechanism may allow escalation of privilege. Intel has released microcode updates to mitigate this potential vulnerability.

A potential security vulnerability in some Intel Processor stream cache mechanisms may allow escalation of privilege. Intel has released microcode updates to mitigate this potential vulnerability.

CVE-2024-24853 CVE-2024-25939 CVE-2024-24980 CVE-2023-42667 CVE-2023-49141 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813 2024-08-13 2024-08-14
firefox -- multiple vulnerabilities firefox 129.0,2

security@mozilla.org reports:

  • CVE-2024-7531: Calling `PK11_Encrypt()` in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
  • CVE-2024-7529: The date picker could partially obscure security prompts. This could be used by a malicious site to trick a user into granting permissions. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.
  • CVE-2024-7525: It was possible for a web extension with minimal permissions to create a `StreamFilter` which could be used to read and modify the response body of requests on any site. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.
  • CVE-2024-7522: Editor code failed to check an attribute value. This could have led to an out-of-bounds read. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.
  • CVE-2024-7520: A type confusion bug in WebAssembly could be leveraged by an attacker to potentially achieve code execution. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1.
  • CVE-2024-7521: Incomplete WebAssembly exception handing could have led to a use-after-free. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.
  • CVE-2024-7530: Incorrect garbage collection interaction could have led to a use-after-free. This vulnerability affects Firefox < 129.
  • CVE-2024-7528: Incorrect garbage collection interaction in IndexedDB could have led to a use-after-free. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1.
  • CVE-2024-7527: Unexpected marking work at the start of sweeping could have led to a use-after-free. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.
CVE-2024-7531 https://nvd.nist.gov/vuln/detail/CVE-2024-7531 CVE-2024-7529 https://nvd.nist.gov/vuln/detail/CVE-2024-7529 CVE-2024-7525 https://nvd.nist.gov/vuln/detail/CVE-2024-7525 CVE-2024-7522 https://nvd.nist.gov/vuln/detail/CVE-2024-7522 CVE-2024-7520 https://nvd.nist.gov/vuln/detail/CVE-2024-7520 CVE-2024-7521 https://nvd.nist.gov/vuln/detail/CVE-2024-7521 CVE-2024-7530 https://nvd.nist.gov/vuln/detail/CVE-2024-7530 CVE-2024-7528 https://nvd.nist.gov/vuln/detail/CVE-2024-7528 CVE-2024-7527 https://nvd.nist.gov/vuln/detail/CVE-2024-7527 2024-08-06 2024-08-13
OpenHAB CometVisu addon -- Multiple vulnerabilities openhab-addons 4.2.1

OpenHAB reports:

This patch release addresses the following security advisories:

All of these are related to the CometVisu add-on for openHAB - if you are a user of CometVisu, we strongly recommend to upgrade your system to openHAB 4.2.1 in order to fix those vulnerabilities.

https://github.com/openhab/openhab-distro/releases/tag/4.2.1 https://github.com/openhab/openhab-webui/security/advisories/GHSA-v7gr-mqpj-wwh3 https://github.com/openhab/openhab-webui/security/advisories/GHSA-3g4c-hjhr-73rj https://github.com/openhab/openhab-webui/security/advisories/GHSA-f729-58x4-gqgf https://github.com/openhab/openhab-webui/security/advisories/GHSA-pcwp-26pw-j98w 2024-08-09 2024-08-09
Vaultwarden -- Multiple vulnerabilities vaultwarden 1.32.0

SO-AND-SO reports:

This release has several CVE Reports fixed and we recommend everybody to update to the latest version as soon as possible.

CVE-2024-39924 CVE-2024-39925 CVE-2024-39926 https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0 2024-08-11 2024-08-12
AMD CPUs -- Guest Memory Vulnerabilities cpu-microcode-amd 20240810

AMD reports:

Researchers from IOActive have reported that it may be possible for an attacker with ring 0 access to modify the configuration of System Management Mode (SMM) even when SMM Lock is enabled. Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution.

CVE-2023-31315 https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html 2024-08-09 2024-08-10
Roundcube -- Multiple vulnerabilities roundcube 1.6.8,1

The Roundcube project reports:

XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]

XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]

information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

CVE-2024-42009 CVE-2024-42008 CVE-2024-42010 https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8 2024-08-04 2024-08-10
mozilla firefox -- protocol information guessing firefox 127.0,2

security@mozilla.org reports:

By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

CVE-2024-5690 https://nvd.nist.gov/vuln/detail/CVE-2024-5690 2024-06-11 2024-08-10
soft-serve -- Remote code execution vulnerability soft-serve 0.7.5

soft-serve team reports:

Arbitrary code execution by crafting git ssh requests

It is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git.

CVE-2024-41956 https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-m445-w3xr-vp2f 2024-08-01 2024-08-09
PostgreSQL -- Prevent unauthorized code execution during pg_dump postgresql12-client 12.20 postgresql13-client 13.16 postgresql14-client 14.13 postgresql15-client 15.8 postgresql16-client 16.4 postgresql12-server 12.20 postgresql13-server 13.16 postgresql14-server 14.13 postgresql15-server 15.8 postgresql16-server 16.4

PostgreSQL project reports:

An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.

CVE-2024-7348 https://www.postgresql.org/support/security/CVE-2024-7348/ 2024-08-08 2024-08-08
jenkins -- multiple vulnerabilities jenkins 2.471 jenkins-lts 2.462.1

Jenkins Security Advisory:

Description

(Critical) SECURITY-3430 / CVE-2024-43044

Arbitrary file read vulnerability through agent connections can lead to RCE

Description

(Medium) SECURITY-3349 / CVE-2024-43045

Missing permission check allows accessing other users' "My Views"

CVE-2024-43044 CVE-2024-43045 https://www.jenkins.io/security/advisory/2024-08-07/ 2024-08-07 2024-08-07
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.2.017.2.2 17.1.017.1.4 12.0.017.0.6

Gitlab reports:

Privilege Escalation via LFS Tokens Granting Unrestricted Repository Access

Cross project access of Security policy bot

Advanced search ReDOS in highlight for code results

Denial of Service via banzai pipeline

Denial of service using adoc files

ReDoS in RefMatcher when matching branch names using wildcards

Path encoding can cause the Web interface to not render diffs correctly

XSS while viewing raw XHTML files through API

Ambiguous tag name exploitation

Logs disclosings potentially sensitive data in query params

Password bypass on approvals using policy projects

ReDoS when parsing git push

Webhook deletion audit log can preserve auth credentials

CVE-2024-3035 CVE-2024-6356 CVE-2024-5423 CVE-2024-4210 CVE-2024-2800 CVE-2024-6329 CVE-2024-4207 CVE-2024-3958 CVE-2024-4784 CVE-2024-3114 CVE-2024-7586 https://about.gitlab.com/releases/2024/08/07/patch-release-gitlab-17-2-2-released/ 2024-08-07 2024-08-07
Django -- multiple vulnerabilities py39-django42 py310-django42 py311-django42 4.2.15 py310-django50 py311-django50 5.0.8

Django reports:

CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat().

CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize().

CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget.

CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list().

CVE-2024-41989 CVE-2024-41990 CVE-2024-41991 CVE-2024-42005 https://www.djangoproject.com/weblog/2024/aug/06/security-releases/ 2024-08-01 2024-08-07
chromium -- multiple security fixes chromium 127.0.6533.99 ungoogled-chromium 127.0.6533.99

Chrome Releases reports:

This update includes 5 security fixes:

  • [350528343] Critical CVE-2024-7532: Out of bounds memory access in ANGLE. Reported by wgslfuzz on 2024-07-02
  • [353552540] High CVE-2024-7533: Use after free in Sharing. Reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-07-17
  • [355256380] High CVE-2024-7550: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-07-25
  • [352467338] High CVE-2024-7534: Heap buffer overflow in Layout. Reported by Tashita Software Security on 2024-07-11
  • [352690885] High CVE-2024-7535: Inappropriate implementation in V8. Reported by Tashita Software Security on 2024-07-12
  • [354847246] High CVE-2024-7536: Use after free in WebAudio. Reported by Cassidy Kim(@cassidy6564) on 2024-07-23
CVE-2024-7532 CVE-2024-7550 CVE-2024-7534 CVE-2024-7535 CVE-2024-7536 https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop.html 2024-08-06 2024-08-06
chromium -- multiple security fixes chromium 127.0.6533.88 ungoogled-chromium 127.0.6533.88

Chrome Releases reports:

This update includes 3 security fixes:

  • [353034820] Critical CVE-2024-6990: Uninitialized Use in Dawn. Reported by gelatin dessert on 2024-07-15
  • [352872238] High CVE-2024-7255: Out of bounds read in WebTransport. Reported by Marten Richter on 2024-07-13
  • [354748060] High CVE-2024-7256: Insufficient data validation in Dawn. Reported by gelatin dessert on 2024-07-23
CVE-2024-6990 CVE-2024-7255 CVE-2024-7256 https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_30.html 2024-07-30 2024-07-31
chromium -- multiple security fixes chromium 127.0.6533.72 ungoogled-chromium 127.0.6533.72

Chrome Releases reports:

This update includes 22 security fixes:

  • [349198731] High CVE-2024-6988: Use after free in Downloads. Reported by lime(@limeSec_) from TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-06-25
  • [349342289] High CVE-2024-6989: Use after free in Loader. Reported by Anonymous on 2024-06-25
  • [346618785] High CVE-2024-6991: Use after free in Dawn. Reported by wgslfuzz on 2024-06-12
  • [339686368] Medium CVE-2024-6994: Heap buffer overflow in Layout. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2024-05-10
  • [343938078] Medium CVE-2024-6995: Inappropriate implementation in Fullscreen. Reported by Alesandro Ortiz on 2024-06-01
  • [333708039] Medium CVE-2024-6996: Race in Frames. Reported by Louis Jannett (Ruhr University Bochum) on 2024-04-10
  • [325293263] Medium CVE-2024-6997: Use after free in Tabs. Reported by Sven Dysthe (@svn-dys) on 2024-02-15
  • [340098902] Medium CVE-2024-6998: Use after free in User Education. Reported by Sven Dysthe (@svn-dys) on 2024-05-13
  • [340893685] Medium CVE-2024-6999: Inappropriate implementation in FedCM. Reported by Alesandro Ortiz on 2024-05-15
  • [339877158] Medium CVE-2024-7000: Use after free in CSS. Reported by Anonymous on 2024-05-11
  • [347509736] Medium CVE-2024-7001: Inappropriate implementation in HTML. Reported by Jake Archibald on 2024-06-17
  • [338233148] Low CVE-2024-7003: Inappropriate implementation in FedCM. Reported by Alesandro Ortiz on 2024-05-01
  • [40063014] Low CVE-2024-7004: Insufficient validation of untrusted input in Safe Browsing. Reported by Anonymous on 2023-02-10
  • [40068800] Low CVE-2024-7005: Insufficient validation of untrusted input in Safe Browsing. Reported by Umar Farooq on 2023-08-04
CVE-2024-6988 CVE-2024-6989 CVE-2024-6991 CVE-2024-6994 CVE-2024-6995 CVE-2024-6996 CVE-2024-6997 CVE-2024-6998 CVE-2024-6999 CVE-2024-7000 CVE-2024-7001 CVE-2024-7003 CVE-2024-7004 CVE-2024-7005 https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_23.html 2024-07-23 2024-07-30
znc -- remote code execution vulnerability znc 1.9.1

Mitre reports:

In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK.

CVE-2024-39844 https://wiki.znc.in/ChangeLog/1.9.1 https://www.openwall.com/lists/oss-security/2024/07/03/9 2024-07-03 2024-07-28
Mailpit -- Content Security Policy XSS mailpit 1.19.3

Mailpit developer reports:

A vulnerability was discovered which allowed a bad actor with SMTP access to Mailpit to bypass the Content Security Policy headers using a series of crafted HTML messages which could result in a stored XSS attack via the web UI.

https://github.com/axllent/mailpit/releases/tag/v1.19.3 2024-07-26 2024-07-26
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.2.017.2.1 17.1.017.1.3 12.0.017.0.5

Gitlab reports:

XSS via the Maven Dependency Proxy

Project level analytics settings leaked in DOM

Reports can access and download job artifacts despite use of settings to prevent it

Direct Transfer - Authorised project/group exports are accessible to other users

Bypassing tag check and branch check through imports

Project Import/Export - Make project/group export files hidden to everyone except user who initiated it

CVE-2024-5067 CVE-2024-7057 CVE-2024-0231 https://about.gitlab.com/releases/2024/07/24/patch-release-gitlab-17-2-1-released/ 2024-07-24 2024-07-25
electron29 -- multiple vulnerabilities electron29 29.4.5

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-6291.
  • Security: backported fix for CVE-2024-6293.
  • Security: backported fix for CVE-2024-6290.
  • Security: backported fix for CVE-2024-6292.
CVE-2024-6291 https://github.com/advisories/GHSA-rpvg-h6p6-42qj CVE-2024-6293 https://github.com/advisories/GHSA-9f8f-453p-rg87 CVE-2024-6290 https://github.com/advisories/GHSA-r5mh-qgc2-26p2 CVE-2024-6292 https://github.com/advisories/GHSA-m848-8f5r-6j4g 2024-07-17 2024-07-19
Apache httpd -- Source code disclosure with handlers configured via AddType apache24 2.4.602.4.62

The Apache httpd project reports:

source code disclosure with handlers configured via AddType (CVE-2024-40725) (Important): A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.

CVE-2024-40725 https://httpd.apache.org/security/vulnerabilities_24.html 2024-07-17 2024-07-17
MySQL -- Multiple vulnerabilities mysql80-client 8.0.38 mysql80-server 8.0.38 mysql81-client 8.1.1 mysql81-server 8.1.1 mysql84-client 8.4.1 mysql84-server 8.4.1

Oracle reports:

36 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.8.

https://www.oracle.com/security-alerts/cpujul2024.html#MySQL 2024-07-16 2024-07-16
GLPI -- multiple vulnerabilities glpi 10.0.16,1

GLPI team reports:

GLPI 10.0.16 Changelog

  • [SECURITY - high] Account takeover via SQL Injection in AJAX scripts (CVE-2024-37148)
  • [SECURITY - high] Remote code execution through the plugin loader (CVE-2024-37149)
  • [SECURITY - moderate] Authenticated file upload to restricted tickets (CVE-2024-37147)
CVE-2024-37148 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37148 CVE-2024-37149 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37149 CVE-2024-37147 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37147 https://github.com/glpi-project/glpi/releases/tag/10.0.16 2024-06-03 2024-07-16
electron30 -- multiple vulnerabilities electron30 30.2.0

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-5493.
  • Security: backported fix for CVE-2024-5831.
  • Security: backported fix for CVE-2024-5832.
  • Security: backported fix for CVE-2024-6100.
  • Security: backported fix for CVE-2024-6101.
  • Security: backported fix for CVE-2024-6103.
  • Security: backported fix for CVE-2024-6291.
  • Security: backported fix for CVE-2024-6293.
  • Security: backported fix for CVE-2024-6290.
  • Security: backported fix for CVE-2024-6292.
CVE-2024-5493 https://github.com/advisories/GHSA-f6rr-qfxh-hcf9 CVE-2024-5831 https://github.com/advisories/GHSA-9pmm-wf44-xjqc CVE-2024-5832 https://github.com/advisories/GHSA-rw9q-cwc5-qqp5 CVE-2024-6100 https://github.com/advisories/GHSA-g779-vpj7-v6c4 CVE-2024-6101 https://github.com/advisories/GHSA-rg42-f9ww-x3w7 CVE-2024-6103 https://github.com/advisories/GHSA-ph5m-227m-fc5g CVE-2024-6291 https://github.com/advisories/GHSA-rpvg-h6p6-42qj CVE-2024-6293 https://github.com/advisories/GHSA-9f8f-453p-rg87 CVE-2024-6290 https://github.com/advisories/GHSA-r5mh-qgc2-26p2 CVE-2024-6292 https://github.com/advisories/GHSA-m848-8f5r-6j4g 2024-07-10 2024-07-13
electron29 -- multiple vulnerabilities electron29 29.4.4

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-6291.
  • Security: backported fix for CVE-2024-6293.
  • Security: backported fix for CVE-2024-6290.
  • Security: backported fix for CVE-2024-6292.
CVE-2024-6291 https://github.com/advisories/GHSA-rpvg-h6p6-42qj CVE-2024-6293 https://github.com/advisories/GHSA-9f8f-453p-rg87 CVE-2024-6290 https://github.com/advisories/GHSA-r5mh-qgc2-26p2 CVE-2024-6292 https://github.com/advisories/GHSA-m848-8f5r-6j4g 2024-07-11 2024-07-13
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 17.1.017.1.2 17.0.017.0.4 11.8.016.11.6

Gitlab reports:

An attacker can run pipeline jobs as an arbitrary user

Developer user with admin_compliance_framework permission can change group URL

Admin push rules custom role allows creation of project level deploy token

Package registry vulnerable to manifest confusion

User with admin_group_member permission can ban group members

Subdomain takeover in GitLab Pages

CVE-2024-6385 CVE-2024-5257 CVE-2024-5470 CVE-2024-6595 CVE-2024-2880 CVE-2024-5528 https://about.gitlab.com/releases/2024/07/10/patch-release-gitlab-17-1-2-released/ 2024-07-10 2024-07-11
Django -- multiple vulnerabilities py39-django42 py310-django42 py311-django42 4.2.14 py310-django50 py311-django50 5.0.7

Django reports:

CVE-2024-38875: Potential denial-of-service in django.utils.html.urlize().

CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords.

CVE-2024-39330: Potential directory-traversal in django.core.files.storage.Storage.save().

CVE-2024-39614: Potential denial-of-service in django.utils.translation.get_supported_language_variant().

CVE-2024-38875 CVE-2024-39329 CVE-2024-39330 CVE-2024-39614 https://www.djangoproject.com/weblog/2024/jul/09/security-releases/ 2024-07-01 2024-07-10
traefik -- Bypassing IP allow-lists via HTTP/3 early data requests traefik 2.11.6

The traefik authors report:

There is a vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses.

CVE-2024-39321 https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9 2024-07-02 2024-07-07
Apache httpd -- source code disclosure apache24 2.4.602.4.61

The Apache httpd project reports:

isource code disclosure with handlers configured via AddType (CVE-2024-39884) (Important). A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.

CVE-2024-39884 https://httpd.apache.org/security/vulnerabilities_24.html 2024-07-04 2024-07-04
Request Tracker -- information exposure vulnerability rt50 5.0.6

Request Tracker reports:

CVE-2024-3262 describes previously viewed pages being stored in the browser cache, which is the typical default behavior of most browsers to enable the "back" button. Someone who gains access to a host computer could potentially view ticket data using the back button, even after logging out of RT. The CVE specifically references RT version 4.4.1, but this behavior is present in most browsers viewing all versions of RT before 5.0.6.

CVE-2024-3262 https://github.com/advisories/GHSA-6426-p644-ffcf 2024-04-04 2024-07-04
go -- net/http: denial of service due to improper 100-continue handling go122 1.22.5 go121 1.21.12

The Go project reports:

net/http: denial of service due to improper 100-continue handling

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

CVE-2024-24791 https://go.dev/issue/67555 2024-07-02 2024-07-03
Apache httpd -- Multiple vulnerabilities apache24 2.4.60

The Apache httpd project reports:

DoS by Null pointer in websocket over HTTP/2 (CVE-2024-36387) (Low). Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.

Proxy encoding problem (CVE-2024-38473) (Moderate). Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.

Weakness with encoded question marks in backreferences (CVE-2024-38474) (Important). Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.

Weakness in mod_rewrite when first segment of substitution matches filesystem path (CVE-2024-38475) (Important). Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

may use exploitable/malicious backend application output to run local handlers via internal redirect (CVE-2024-38476) (Important). Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.

Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477) (Important). Null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.

mod_rewrite proxy handler substitution (CVE-2024-39573) (Moderate). Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy.

CVE-2024-36387 CVE-2024-38473 CVE-2024-38474 CVE-2024-38475 CVE-2024-38476 CVE-2024-38477 CVE-2024-39573 https://httpd.apache.org/security/vulnerabilities_24.html 2024-07-01 2024-07-01
OpenSSH -- Race condition resulting in potential remote code execution openssh-portable 9.7.p1_2,1 FreeBSD 14.114.1_2 14.014.0_8 13.313.3_4 13.213.2_12

The OpenSSH project reports:

A race condition in sshd(8) could allow remote code execution as root on non-OpenBSD systems.

CVE-2024-6387 https://www.openssh.com/security.html SA-24:04.openssh 2024-07-01 2024-07-01 2024-09-20
netatalk3 -- Multiple vulnerabilities netatalk3 3.2.1

cve@mitre.org reports:

This entry documents the following three vulnerabilities:

  • Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapname in etc/afpd/directory.c. 2.4.1 and 3.1.19 are also fixed versions.
  • Netatalk before 3.2.1 has an off-by-one error, and resultant heap-based buffer overflow and segmentation violation, because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c. The original issue 1097 report stated: 'The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in reading metadata of the next heap block, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled. ...
  • Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to '\0' in FPLoginExt in login in etc/uams/uams_pam.c. 2.4.1 and 3.1.19 are also fixed versions.
CVE-2024-38440 https://nvd.nist.gov/vuln/detail/CVE-2024-38440 CVE-2024-38441 https://nvd.nist.gov/vuln/detail/CVE-2024-38441 CVE-2024-38439 https://nvd.nist.gov/vuln/detail/CVE-2024-38439 2024-06-16 2024-06-30
electron29 -- multiple vulnerabilities electron29 29.4.3

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-5499.
  • Security: backported fix for CVE-2024-5493.
  • Security: backported fix for CVE-2024-5494.
  • Security: backported fix for CVE-2024-5495.
  • Security: backported fix for CVE-2024-5496.
  • Security: backported fix for CVE-2024-5158.
  • Security: backported fix for CVE-2024-5160.
  • Security: backported fix for CVE-2024-5157.
  • Security: backported fix for CVE-2024-5159.
  • Security: backported fix for CVE-2024-5831.
  • Security: backported fix for CVE-2024-5832.
  • Security: backported fix for CVE-2024-6100.
  • Security: backported fix for CVE-2024-6101.
  • Security: backported fix for CVE-2024-6103.
CVE-2024-5499 https://github.com/advisories/GHSA-hqfv-mf6j-g3j6 CVE-2024-5493 https://github.com/advisories/GHSA-f6rr-qfxh-hcf9 CVE-2024-5494 https://github.com/advisories/GHSA-fv2x-w8xf-gxpq CVE-2024-5495 https://github.com/advisories/GHSA-wrxh-8wc3-33rm CVE-2024-5496 https://github.com/advisories/GHSA-8xgv-q88p-ghq4 CVE-2024-5158 https://github.com/advisories/GHSA-4433-jwm9-48r5 CVE-2024-5160 https://github.com/advisories/GHSA-c24q-2hx9-mjpc CVE-2024-5157 https://github.com/advisories/GHSA-w7g4-69hj-jcrq CVE-2024-5159 https://github.com/advisories/GHSA-qmp7-vwf7-6g2g CVE-2024-5831 https://github.com/advisories/GHSA-9pmm-wf44-xjqc CVE-2024-5832 https://github.com/advisories/GHSA-rw9q-cwc5-qqp5 CVE-2024-6100 https://github.com/advisories/GHSA-g779-vpj7-v6c4 CVE-2024-6101 https://github.com/advisories/GHSA-rg42-f9ww-x3w7 CVE-2024-6103 https://github.com/advisories/GHSA-ph5m-227m-fc5g 2024-06-27 2024-06-28
frr - Multiple vulnerabilities frr9 9.1.1 frr8 8.5.5

cve@mitre.org reports:

In FRRouting (FRR) through 9.1, there are multiples vulnerabilities.

  • CVE-2024-31950: buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets
  • CVE-2024-31951: buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets
CVE-2024-31950 CVE-2024-31951 https://frrouting.org/release/9.1.1/ 2024-04-07 2024-06-28
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.1.017.1.1 17.0.017.0.3 1.0.016.11.5

Gitlab reports:

Run pipelines as any user

Stored XSS injected in imported project's commit notes

CSRF on GraphQL API IntrospectionQuery

Remove search results from public projects with unauthorized repos

Cross window forgery in user application OAuth flow

Project maintainers can bypass group's merge request approval policy

ReDoS via custom built markdown page

Private job artifacts can be accessed by any user

Security fixes for banzai pipeline

ReDoS in dependency linker

Denial of service using a crafted OpenAPI file

Merge request title disclosure

Access issues and epics without having an SSO session

Non project member can promote key results to objectives

CVE-2024-5655 CVE-2024-4901 CVE-2024-4994 CVE-2024-6323 CVE-2024-2177 CVE-2024-5430 CVE-2024-4025 CVE-2024-3959 CVE-2024-4557 CVE-2024-1493 CVE-2024-1816 CVE-2024-2191 CVE-2024-3115 CVE-2024-4011 https://about.gitlab.com/releases/2024/06/26/patch-release-gitlab-17-1-1-released/ 2024-06-26 2024-06-27
chromium -- multiple security fixes chromium 126.0.6478.126 ungoogled-chromium 126.0.6478.126

Chrome Releases reports:

This update includes 5 security fixes:

  • [342428008] High CVE-2024-6290: Use after free in Dawn. Reported by wgslfuzz on 2024-05-23
  • [40942995] High CVE-2024-6291: Use after free in Swiftshader. Reported by Cassidy Kim(@cassidy6564) on 2023-11-15
  • [342545100] High CVE-2024-6292: Use after free in Dawn. Reported by wgslfuzz on 2024-05-24
  • [345993680] High CVE-2024-6293: Use after free in Dawn. Reported by wgslfuzz on 2024-06-09
CVE-2024-6290 CVE-2024-6291 CVE-2024-6292 CVE-2024-6293 https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_24.html 2024-06-24 2024-06-25
emacs -- Arbitrary shell code evaluation vulnerability emacs emacs-canna emacs-nox emacs-wayland 29.3_3,3 emacs-devel emacs-devel-nox 30.0.50.20240615_1,3

GNU Emacs developers report:

Emacs 29.4 is an emergency bugfix release intended to fix a security vulnerability. Arbitrary shell commands are no longer run when turning on Org mode in order to avoid running malicious code.

https://seclists.org/oss-sec/2024/q2/296 2024-06-22 2024-06-23
traefik -- Azure Identity Libraries Elevation of Privilege Vulnerability traefik 2.11.5

The traefik authors report:

There is a vulnerability in Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

CVE-2024-35255 https://github.com/traefik/traefik/security/advisories/GHSA-rvj4-q8q5-8grf 2024-06-11 2024-06-22
qt5-webengine -- Multiple vulnerabilities qt5-webengine 5.15.17.p2_1

Backports for 5 security bugs in Chromium:

  • CVE-2024-3837: Use after free in QUIC
  • CVE-2024-3839: Out of bounds read in Fonts
  • CVE-2024-3914: Use after free in V8
  • CVE-2024-4058: Type confusion in ANGLE
  • CVE-2024-4558: Use after free in ANGLE
CVE-2024-3837 CVE-2024-3839 CVE-2024-3914 CVE-2024-4058 CVE-2024-4558 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=87-based 2024-05-31 2024-06-20
qt6-webengine -- Multiple vulnerabilities qt6-webengine 6.7.2

Qt qtwebengine-chromium repo reports:

Backports for 7 security bugs in Chromium:

  • CVE-2024-4948: Use after free in Dawn
  • CVE-2024-5274: Type Confusion in V8
  • CVE-2024-5493: Heap buffer overflow in WebRTC
  • CVE-2024-5494: Use after free in Dawn
  • CVE-2024-5495: Use after free in Dawn
  • CVE-2024-5496: Use after free in Media Session
  • CVE-2024-5499: Out of bounds write in Streams API
CVE-2024-4948 CVE-2024-5274 CVE-2024-5493 CVE-2024-5494 CVE-2024-5495 CVE-2024-5496 CVE-2024-5499 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=118-based 2024-05-31 2024-06-20
openvpn -- two security fixes openvpn 2.6.11

Gert Doering reports that OpenVPN 2.6.11 fixes two security bugs (three on Windows):

CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. (Reynir Bjƶrnsson)

CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client. (Reynir Bjƶrnsson)

CVE-2024-5594 CVE-2024-28882 https://github.com/OpenVPN/openvpn/blob/v2.6.11/Changes.rst#security-fixes 2024-05-16 2024-06-20
chromium -- multiple security fixes chromium 126.0.6478.114 ungoogled-chromium 126.0.6478.114

Chrome Releases reports:

This update includes 6 security fixes:

  • [344608204] High CVE-2024-6100: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) participating in SSD Secure Disclosure's TyphoonPWN 2024 on 2024-06-04
  • [343748812] High CVE-2024-6101: Inappropriate implementation in WebAssembly. Reported by @ginggilBesel on 2024-05-31
  • [339169163] High CVE-2024-6102: Out of bounds memory access in Dawn. Reported by wgslfuzz on 2024-05-07
  • [344639860] High CVE-2024-6103: Use after free in Dawn. Reported by wgslfuzz on 2024-06-04
CVE-2024-6100 CVE-2024-6101 CVE-2024-6102 CVE-2024-6103 https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_18.html 2024-06-18 2024-06-20
chromium -- multiple security fixes chromium 126.0.6478.54 ungoogled-chromium 126.0.6478.54

Chrome Releases reports:

This update includes 21 security fixes:

  • [342456991] High CVE-2024-5830: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2024-05-24
  • [339171223] High CVE-2024-5831: Use after free in Dawn. Reported by wgslfuzz on 2024-05-07
  • [340196361] High CVE-2024-5832: Use after free in Dawn. Reported by wgslfuzz on 2024-05-13
  • [342602616] High CVE-2024-5833: Type Confusion in V8. Reported by @ginggilBesel on 2024-05-24
  • [342840932] High CVE-2024-5834: Inappropriate implementation in Dawn. Reported by gelatin dessert on 2024-05-26
  • [341991535] High CVE-2024-5835: Heap buffer overflow in Tab Groups. Reported by Weipeng Jiang (@Krace) of VRI on 2024-05-22
  • [341875171] High CVE-2024-5836: Inappropriate Implementation in DevTools. Reported by Allen Ding on 2024-05-21
  • [342415789] High CVE-2024-5837: Type Confusion in V8. Reported by Anonymous on 2024-05-23
  • [342522151] High CVE-2024-5838: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-05-24
  • [340122160] Medium CVE-2024-5839: Inappropriate Implementation in Memory Allocator. Reported by Micky on 2024-05-13
  • [41492103] Medium CVE-2024-5840: Policy Bypass in CORS. Reported by Matt Howard on 2024-01-17
  • [326765855] Medium CVE-2024-5841: Use after free in V8. Reported by Cassidy Kim(@cassidy6564) on 2024-02-26
  • [40062622] Medium CVE-2024-5842: Use after free in Browser UI. Reported by Sven Dysthe (@svn_dy) on 2023-01-12
  • [333940412] Medium CVE-2024-5843: Inappropriate implementation in Downloads. Reported by hjy79425575 on 2024-04-12
  • [331960660] Medium CVE-2024-5844: Heap buffer overflow in Tab Strip. Reported by Sri on 2024-04-01
  • [340178596] Medium CVE-2024-5845: Use after free in Audio. Reported by anonymous on 2024-05-13
  • [341095523] Medium CVE-2024-5846: Use after free in PDFium. Reported by Han Zheng (HexHive) on 2024-05-16
  • [341313077] Medium CVE-2024-5847: Use after free in PDFium. Reported by Han Zheng (HexHive) on 2024-05-18
CVE-2024-5830 CVE-2024-5831 CVE-2024-5832 CVE-2024-5833 CVE-2024-5834 CVE-2024-5835 CVE-2024-5836 CVE-2024-5837 CVE-2024-5838 CVE-2024-5839 CVE-2024-5840 CVE-2024-5841 CVE-2024-5842 CVE-2024-5843 CVE-2024-5844 CVE-2024-5845 CVE-2024-5846 CVE-2024-5847 https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop.html 2024-06-11 2024-06-18
forgejo -- multiple issues forgejo 7.0.4

The forgejo team reports:

CVE-2024-24789: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file.

The OAuth2 implementation does not always require authentication for public clients, a requirement of RFC 6749 Section 10.2. A malicious client can impersonate another client and obtain access to protected resources if the impersonated client fails to, or is unable to, keep its client credentials confidential.

CVE-2024-24789 https://nvd.nist.gov/vuln/detail/CVE-2024-24789 2024-04-04 2024-04-11
traefik -- Unexpected behavior with IPv4-mapped IPv6 addresses traefik 2.11.4

The traefik authors report:

There is a vulnerability in Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses. They didn't work as expected returning false for addresses which would return true in their traditional IPv4 forms.

CVE-2024-24790 https://github.com/traefik/traefik/security/advisories/GHSA-7jmw-8259-q9jx 2024-06-05 2024-06-15
go -- multiple vulnerabilities go122 1.22.4 go121 1.21.11

The Go project reports:

archive/zip: mishandling of corrupt central directory record

The archive/zip package's handling of certain types of invalid zip files differed from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

CVE-2024-24789 CVE-2024-24790 https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ 2024-06-04 2024-06-15
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.0.017.0.2 16.11.016.11.4 5.116.10.7

Gitlab reports:

ReDoS in gomod dependency linker

ReDoS in CI interpolation (fix bypass)

ReDoS in Asana integration issue mapping when webhook is called

XSS and content injection when viewing raw XHTML files on iOS devices

Missing agentk request validation could cause KAS to panic

CVE-2024-1495 CVE-2024-1736 CVE-2024-1963 CVE-2024-4201 CVE-2024-5469 https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/ 2024-06-12 2024-06-13
plasma[56]-plasma-workspace -- Unauthorized users can access session manager plasma5-plasma-workspace 5.27.11.1 plasma6-plasma-workspace 6.0.4_2

David Edmundson reports:

KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE based purely on the host, allowing all local connections. This allows another user on the same machine to gain access to the session manager.

A well crafted client could use the session restore feature to execute arbitrary code as the user on the next boot.

CVE-2024-36041 https://kde.org/info/security/advisory-20240531-1.txt 2024-05-31 2024-06-11
Composer -- Multiple command injections via malicious git/hg branch names php81-composer 2.7.7 php82-composer 2.7.7 php83-composer 2.7.7

Composer project reports:

The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.

CVE-2024-35241 https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c CVE-2024-35242 https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf 2024-06-10 2024-06-10
kanboard -- Project Takeover via IDOR in ProjectPermissionController kanboard 1.2.37

security-advisories@github.com reports:

Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is authorized to add users to this project the request gets processed. The users permission for the POST BODY parameter project_id does not get checked again while processing. An attacker with the 'Project Manager' on a single project may take over any other project. The vulnerability is fixed in 1.2.37.

CVE-2024-36399 https://nvd.nist.gov/vuln/detail/CVE-2024-36399 2024-06-06 2024-06-07
cyrus-imapd -- unbounded memory allocation cyrus-imapd38 3.8.2_1 cyrus-imapd36 3.6.4_1 cyrus-imapd34 3.4.7_1 cyrus-imapd32 cyrus-imapd30 cyrus-imapd25 0

Cyrus IMAP 3.8.3 Release Notes states:

Fixed CVE-2024-34055: Cyrus-IMAP through 3.8.2 and 3.10.0-beta2 allow authenticated attackers to cause unbounded memory allocation by sending many LITERALs in a single command.

The IMAP protocol allows for command arguments to be LITERALs of negotiated length, and for these the server allocates memory to receive the content before instructing the client to proceed. The allocated memory is released when the whole command has been received and processed.

The IMAP protocol has a number commands that specify an unlimited number of arguments, for example SEARCH. Each of these arguments can be a LITERAL, for which memory will be allocated and not released until the entire command has been received and processed. This can run a server out of memory, with varying consequences depending on the server's OOM policy.

CVE-2024-34055 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34055 2024-04-30 2024-06-05
chromium -- multiple security fixes chromium 125.0.6422.141 ungoogled-chromium 125.0.6422.141

Chrome Releases reports:

This update includes 11 security fixes:

  • [339877165] High CVE-2024-5493: Heap buffer overflow in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2024-05-11
  • [338071106] High CVE-2024-5494: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
  • [338103465] High CVE-2024-5495: Use after free in Dawn. Reported by wgslfuzz on 2024-05-01
  • [338929744] High CVE-2024-5496: Use after free in Media Session. Reported by Cassidy Kim(@cassidy6564) on 2024-05-06
  • [339061099] High CVE-2024-5497: Out of bounds memory access in Keyboard Inputs. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2024-05-07
  • [339588211] High CVE-2024-5498: Use after free in Presentation API. Reported by anymous on 2024-05-09
  • [339877167] High CVE-2024-5499: Out of bounds write in Streams API. Reported by anonymous on 2024-05-11
CVE-2024-5493 CVE-2024-5494 CVE-2024-5495 CVE-2024-5496 CVE-2024-5497 CVE-2024-5498 CVE-2024-5499 https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_30.html 2024-05-30 2024-06-03
nginx -- Multiple Vulnerabilities in HTTP/3 nginx-devel 1.25.01.27.0 nginx 1.26.01.26.1

The nginx development team reports:

This update fixes the following vulnerabilities:

  • Stack overflow and use-after-free in HTTP/3
  • Buffer overwrite in HTTP/3
  • Memory disclosure in HTTP/3
  • NULL pointer dereference in HTTP/3
CVE-2024-31079 CVE-2024-32760 CVE-2024-34161 CVE-2024-35200 2024-05-29 2024-05-29
chromium -- security fix chromium 125.0.6422.112 ungoogled-chromium 125.0.6422.112

Chrome Releases reports:

This update includes 1 security fix:

  • [341663589] High CVE-2024-5274: Type Confusion in V8. Reported by ClĆ©ment Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20
CVE-2024-5274 https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html 2024-05-23 2024-05-29
OpenSSL -- Use after free vulnerability openssl 3.0.13_5,1 openssl31 3.1.5_5 openssl32 3.2.1_5 openssl33 3.3.0_2 openssl-quictls 3.0.13_5 openssl31-quictls 3.1.5_5

The OpenSSL project reports:

Use After Free with SSL_free_buffers (low).

Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations

CVE-2024-4741 https://www.openssl.org/news/secadv/20240528.txt 2024-05-28 2024-05-28
electron29 -- use after free in Dawn electron29 29.4.1

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-4948.
CVE-2024-4948 https://github.com/advisories/GHSA-xvp9-87cv-m4fv 2024-05-22 2024-05-25
electron28 -- multiple vulnerabilities electron28 28.3.2

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-4948.
  • Security: backported fix for CVE-2024-3914.
  • Security: backported fix for CVE-2024-4060.
  • Security: backported fix for CVE-2024-4058.
  • Security: backported fix for CVE-2024-4558.
CVE-2024-4948 https://github.com/advisories/GHSA-xvp9-87cv-m4fv CVE-2024-3914 https://github.com/advisories/GHSA-jv87-hfr8-8j2r CVE-2024-4060 https://github.com/advisories/GHSA-4qw6-vwc8-mh38 CVE-2024-4058 https://github.com/advisories/GHSA-23rw-79p3-xgcm CVE-2024-4558 https://github.com/advisories/GHSA-r4j8-j63p-24j8 2024-05-22 2024-05-25
QtNetworkAuth -- predictable seeding of PRNG in QAbstractOAuth qt5-networkauth 5.15.13_1 qt6-networkauth 6.7.1

Andy Shaw reports:

The OAuth1 implementation in QtNetworkAuth created nonces using a PRNG that was seeded with a predictable seed.

This means that an attacker that can somehow control the time of the first OAuth1 flow of the process has a high chance of predicting the nonce used in said OAuth flow.

CVE-2024-36048 https://www.qt.io/blog/security-advisory-qstringconverter-0 https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317 2024-05-08 2024-05-24
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.0.017.0.1 16.11.016.11.3 11.1116.10.6

Gitlab reports:

1-click account takeover via XSS in the code editor in gitlab.com

A DOS vulnerability in the 'description' field of the runner

CSRF via K8s cluster-integration

Using Set Pipeline Status of a Commit API incorrectly create a new pipeline when SHA and pipeline_id did not match

Redos on wiki render API/Page

Resource exhaustion and denial of service with test_report API calls

Guest user can view dependency lists of private projects through job artifacts

Stored XSS via PDFjs

CVE-2024-4835 CVE-2024-2874 CVE-2023-7045 CVE-2023-6502 CVE-2024-1947 CVE-2024-4367 https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/ 2024-05-22 2024-05-22
chromium -- multiple security fixes chromium 125.0.6422.76 ungoogled-chromium 125.0.6422.76

Chrome Releases reports:

This update includes 15 security fixes:

  • [336012573] High CVE-2024-5157: Use after free in Scheduling. Reported by Looben Yang on 2024-04-21
  • [338908243] High CVE-2024-5158: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-05-06
  • [335613092] High CVE-2024-5159: Heap buffer overflow in ANGLE. Reported by David Sievers (@loknop) on 2024-04-18
  • [338161969] High CVE-2024-5160: Heap buffer overflow in Dawn. Reported by wgslfuzz on 2024-05-01
  • [340221135] High CVE-2024-4947: Type Confusion in V8. Reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky on 2024-05-13
  • [333414294] High CVE-2024-4948: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
  • [326607001] Medium CVE-2024-4949: Use after free in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-02-24
  • [40065403] Low CVE-2024-4950: Inappropriate implementation in Downloads. Reported by Shaheen Fazim on 2023-06-06
CVE-2024-5157 CVE-2024-5158 CVE-2024-5159 CVE-2024-5160 CVE-2024-4947 CVE-2024-4948 CVE-2024-4949 CVE-2024-4950 https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_21.html 2024-05-21 2024-05-22
Openfire administration console authentication bypass openfire 4.6.8

security-advisories@github.com reports:

Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isnt available for a specific release, or isnt quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.

CVE-2023-32315 https://nvd.nist.gov/vuln/detail/CVE-2023-32315 2023-05-26 2024-05-21
Roundcube -- Cross-site scripting vulnerabilities roundcube 1.6.7,1

The Roundcube project reports:

cross-site scripting (XSS) vulnerability in handling SVG animate attributes.

cross-site scripting (XSS) vulnerability in handling list columns from user preferences.

https://roundcube.net/news/2024/05/19/security-updates-1.6.7-and-1.5.7 2024-05-19 2024-05-21
qt5-webengine -- Multiple vulnerabilities qt5-webengine 5.15.16.p9_2

Backports for 2 security bugs in Chromium:

  • CVE-2024-3157: Out of bounds write in Compositing
  • CVE-2024-3516: Heap buffer overflow in ANGLE
CVE-2024-3157 CVE-2024-3516 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=87-based 2024-04-16 2024-05-19
Arti -- Security issues related to circuit construction arti 1.2.3

Tor Project reports:

When building anonymizing circuits to or from an onion service with 'lite' vanguards (the default) enabled, the circuit manager code would build the circuits with one hop too few.

When 'full' vanguards are enabled, some circuits are supposed to be built with an extra hop to minimize the linkability of the guard nodes. In some circumstances, the circuit manager would build circuits with one hop too few, making it easier for an adversary to discover the L2 and L3 guards of the affected clients and services.

CVE-2024-35313 https://gitlab.torproject.org/tpo/core/arti/-/issues/1400 CVE-2024-35312 https://gitlab.torproject.org/tpo/core/arti/-/issues/1409 2024-05-14 2024-05-18
OpenSSL -- Denial of Service vulnerability openssl 3.0.13_4,1 openssl31 3.1.5_4 openssl32 3.2.1_4 openssl33 3.3.0_1 openssl-quictls 3.0.13_4 openssl31-quictls 3.1.5_4

The OpenSSL project reports:

Excessive time spent checking DSA keys and parameters (Low)

Checking excessively long DSA keys or parameters may be very slow.

CVE-2024-4603 https://www.openssl.org/news/secadv/20240516.txt 2024-05-16 2024-05-17
electron29 -- setuid() does not affect libuv's internal io_uring electron29 29.4.0

Electron developers report:

This update fixes the following vulnerability:

  • Backported fix for CVE-2024-22017.
CVE-2024-22017 https://github.com/advisories/GHSA-vr4q-vx84-9g5x 2024-05-15 2024-05-17
qt6-webengine -- Multiple vulnerabilities qt6-webengine 6.7.0

Qt qtwebengine-chromium repo reports:

Backports for 16 security bugs in Chromium:

  • CVE-2024-2625: Object lifecycle issue in V8
  • CVE-2024-2626: Out of bounds read in Swiftshader
  • CVE-2024-2885: Use after free in Dawn
  • CVE-2024-2887: Type Confusion in WebAssembly
  • CVE-2024-3157: Out of bounds write in Compositing
  • CVE-2024-3159: Out of bounds memory access in V8
  • CVE-2024-3516: Heap buffer overflow in ANGLE
  • CVE-2024-3837: Use after free in QUIC
  • CVE-2024-3839: Out of bounds read in Fonts
  • CVE-2024-3914: Use after free in V8
  • CVE-2024-3840: Insufficient policy enforcement in Site Isolation
  • CVE-2024-4058: Type Confusion in ANGLE
  • CVE-2024-4060: Use after free in Dawn
  • CVE-2024-4331: Use after free in Picture In Picture
  • CVE-2024-4368: Use after free in Dawn
  • CVE-2024-4671: Use after free in Visuals
CVE-2024-2625 CVE-2024-2626 CVE-2024-2885 CVE-2024-2887 CVE-2024-3157 CVE-2024-3159 CVE-2024-3516 CVE-2024-3837 CVE-2024-3839 CVE-2024-3914 CVE-2024-3840 CVE-2024-4058 CVE-2024-4060 CVE-2024-4331 CVE-2024-4368 CVE-2024-4671 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=118-based 2024-04-03 2024-05-15
qt6-base (core module) -- Invalid pointer in QStringConverter qt6-base 6.5.06.5.5 6.6.06.7.0

Andy Shaw reports:

QStringConverter has an invalid pointer being passed as a callback which can allow modification of the stack. Qt itself is not vulnerable to remote attack however an application using QStringDecoder either directly or indirectly can be vulnerable.

This requires:

  1. the attacker be able to tell the application a specific codec to use
  2. the attacker be able to feed the application data in a specific way to cause the desired modification
  3. the attacker what in the stack will get modified, which requires knowing the build of the application (and not all builds will be vulnerable)
  4. the modification do anything in particular that is useful to the attacker, besides maybe crashing the application

Qt does not automatically use any of those codecs, so this needs the application to implement something using QStringDecoder to be vulnerable.

CVE-2024-33861 https://www.qt.io/blog/security-advisory-qstringconverter 2024-05-02 2024-05-15
dnsdist -- Transfer requests received over DoH can lead to a denial of service dnsdist 1.9.4

PowerDNS Security Advisory reports:

When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service. DNS over HTTPS is not enabled by default, and backends are using plain DNS (Do53) by default.

CVE-2024-25581 https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html 2024-05-13 2024-05-13
Intel CPUs -- multiple vulnerabilities cpu-microcode-intel 20240514

Intel reports:

Potential security vulnerabilities in some Intel Trust Domain Extensions (TDX) module software may allow escalation of privilege. Improper input validation in some Intel TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

A potential security vulnerability in some Intel Processors may allow information disclosure. Hardware logic contains race conditions in some Intel Processors that may allow an authenticated user to potentially enable partial information disclosure via local access. Intel is releasing microcode updates to mitigate this potential vulnerability.

A potential security vulnerability in Intel Core Ultra Processors may allow denial of service. Sequence of processor instructions leads to unexpected behavior in Intel Core Ultra Processors may allow an authenticated user to potentially enable denial of service via local access. Intel is releasing microcode updates to mitigate this potential vulnerability.

CVE-2023-45745 CVE-2023-45733 CVE-2023-46103 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514 2024-05-14 2024-05-14
chromium -- multiple security fixes chromium 124.0.6367.207 ungoogled-chromium 124.0.6367.207

Chrome Releases reports:

This update includes 1 security fix:

  • [339458194] High CVE-2024-4761: Out of bounds write in V8. Reported by Anonymous on 2024-05-09
CVE-2024-4761 https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html 2024-05-13 2024-05-14
go -- net: malformed DNS message can cause infinite loop go122 1.22.3 go121 1.21.10

The Go project reports:

net: malformed DNS message can cause infinite loop

A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

CVE-2024-24788 https://go.dev/issue/66754 2024-04-25 2024-05-13
chromium -- multiple security fixes chromium 124.0.6367.201 ungoogled-chromium 124.0.6367.201

Chrome Releases reports:

This update includes 1 security fix:

  • [339266700] High CVE-2024-4671: Use after free in Visuals. Reported by Anonymous on 2024-05-07
CVE-2024-4671 https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html 2024-05-09 2024-05-12
PostgreSQL server -- Potentially allowing authenicated database users to see data that they shouldn't. postgresql-server 16.3 15.7 14.12

PostgreSQL project reports:

A security vulnerability was found in the system views pg_stats_ext and pg_stats_ext_exprs, potentially allowing authenticated database users to see data they shouldn't. If this is of concern in your installation, run the SQL script /usr/local/share/postgresql/fix-CVE-2024-4317.sql for each of your databases. See the link for details.

CVE-2024-4317 https://www.postgresql.org/support/security/CVE-2024-4317/ 2024-05-09 2024-05-09
tailscale -- Insufficient inbound packet filtering in subnet routers and exit nodes tailscale 1.66.0

Tailscale team reports:

In Tailscale versions earlier than 1.66.0, exit nodes, subnet routers, and app connectors, could allow inbound connections to other tailnet nodes from their local area network (LAN). This vulnerability only affects Linux exit nodes, subnet routers, and app connectors in tailnets where ACLs allow "src": "*", such as with default ACLs.

https://tailscale.com/security-bulletins#ts-2024-005 2024-05-08 2024-05-09
electron29 -- multiple vulnerabilities electron29 29.3.3

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-3914.
  • Security: backported fix for CVE-2024-4558.
CVE-2024-3914 https://github.com/advisories/GHSA-jv87-hfr8-8j2r CVE-2024-4558 https://github.com/advisories/GHSA-r4j8-j63p-24j8 2024-05-09 2024-05-09
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 16.11.016.11.2 16.10.016.10.5 10.6.016.9.7

Gitlab reports:

ReDoS in branch search when using wildcards

ReDoS in markdown render pipeline

Redos on Discord integrations

Redos on Google Chat Integration

Denial of Service Attack via Pin Menu

DoS by filtering tags and branches via the API

MR approval via CSRF in SAML SSO

Banned user from groups can read issues updates via the api

Require confirmation before linking JWT identity

View confidential issues title and description of any public project via export

SSRF via Github importer

CVE-2024-2878 CVE-2024-2651 CVE-2023-6682 CVE-2023-6688 CVE-2024-2454 CVE-2024-4539 CVE-2024-4597 CVE-2024-1539 CVE-2024-1211 CVE-2024-3976 CVE-2023-6195 https://about.gitlab.com/releases/2024/05/08/patch-release-gitlab-16-11-2-released/ 2024-05-08 2024-05-09
electron29 -- multiple vulnerabilities electron29 29.3.2

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-4060.
  • Security: backported fix for CVE-2024-4058.
CVE-2024-4060 https://github.com/advisories/GHSA-4qw6-vwc8-mh38 CVE-2024-4058 https://github.com/advisories/GHSA-23rw-79p3-xgcm 2024-05-03 2024-05-08
chromium -- multiple security fixes chromium 124.0.6367.118 ungoogled-chromium 124.0.6367.118

Chrome Releases reports:

This update includes 2 security fixes:

  • [335003891] High CVE-2024-4331: Use after free in Picture In Picture. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-04-16
  • [333508731] High CVE-2024-4368: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
CVE-2024-4058 CVE-2024-4059 CVE-2024-4060 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_30.html 2024-04-30 2024-05-02
R -- arbitrary code execution vulnerability R 4.4.0

HiddenLayer Research reports:

Deserialization of untrusted data can occur in the R statistical programming language, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user's system.

CVE-2024-27322 https://nvd.nist.gov/vuln/detail/CVE-2024-27322 2024-04-29 2024-05-02
hcode -- buffer overflow in mail.c ko-hcode 2.1.3_2

The openSUSE project reports:

The problematic function in question is putSDN() in mail.c. The static variable `cp` is used as an index for a fixed-sized buffer `ibuf`. There is a range check: `if ( cp >= HDR_BUF_LEN ) ...` but under certain circumstances, cp can be incremented beyond the buffer size, leading to a buffer overwrite

CVE-2024-34020 https://bugzilla.suse.com/show_bug.cgi?id=1223534 2024-04-29 2024-05-01
GLPI -- multiple vulnerabilities glpi 10.0.15,1

GLPI team reports:

GLPI 10.0.15 Changelog

  • [SECURITY - high] Authenticated SQL injection from map search (CVE-2024-31456)
  • [SECURITY - high] Account takeover via SQL Injection in saved searches feature (CVE-2024-29889)
CVE-2024-31456 CVE-2024-29889 https://github.com/glpi-project/glpi/releases/tag/10.0.15 2024-04-03 2024-04-28
py-social-auth-app-django -- Improper Handling of Case Sensitivity py38-social-auth-app-django py39-social-auth-app-django py310-social-auth-app-django py311-social-auth-app-django 5.4.1

GitHub Advisory Database:

Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change collation of the affected field.

CVE-2024-32879 https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3 2024-04-24 2024-04-28
chromium -- multiple security fixes chromium 124.0.6367.78 ungoogled-chromium 124.0.6367.78

Chrome Releases reports:

This update includes 4 security fixes:

  • [332546345] Critical CVE-2024-4058: Type Confusion in ANGLE. Reported by Toan (suto) Pham and Bao (zx) Pham of Qrious Secure on 2024-04-02
  • [333182464] High CVE-2024-4059: Out of bounds read in V8 API. Reported by Eirik on 2024-04-08
  • [333420620] High CVE-2024-4060: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
CVE-2024-4058 CVE-2024-4059 CVE-2024-4060 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html 2024-04-24 2024-04-25
Unallowed PHP script execution in GLPI glpi 10.0.10,1

From the GLPI 10.0.10 Changelog:

You will find below security issues fixed in this bugfixes version: [SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).

The mentioned CVE is invalid

CVE-2023-42802 https://github.com/glpi-project/glpi/releases/tag/10.0.10 2023-09-27 2023-10-11
glpi-project -- SQL injection in ITIL actors in GLPI glpi 10.0.8,110.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-42461 https://nvd.nist.gov/vuln/detail/CVE-2023-42461 2023-09-27 2023-10-11
Phishing through a login page malicious URL in GLPI glpi 10.0.8,110.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The lack of path filtering on the GLPI URL may allow an attacker to transmit a malicious URL of login page that can be used to attempt a phishing attack on user credentials. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-41888 https://nvd.nist.gov/vuln/detail/CVE-2023-41888 2023-09-27 2023-10-11
Users login enumeration by unauthenticated user in GLPI glpi 10.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can enumerate users logins. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-41323 https://nvd.nist.gov/vuln/detail/CVE-2023-41323 2023-09-27 2023-10-11
Privilege Escalation from technician to super-admin in GLPI glpi 9.1.0,110.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A user with write access to another user can make requests to change the latter's password and then take control of their account. Users are advised to upgrade to version 10.0.10. There are no known work around for this vulnerability.

CVE-2023-41322 https://nvd.nist.gov/vuln/detail/CVE-2023-41322 2023-09-27 2023-10-11
Sensitive fields enumeration through API in GLPI glpi 9.1.1,110.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user can enumerate sensitive fields values on resources on which he has read access. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-41321 https://nvd.nist.gov/vuln/detail/CVE-2023-41321 2023-09-27 2023-10-11
File deletion through document upload process in GLPI glpi 10.0.0,110.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-42462 https://nvd.nist.gov/vuln/detail/CVE-2023-42462 2023-09-27 2023-10-11
Account takeover through API in GLPI glpi 9.3.0,110.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user that have read access on users resource can steal accounts of other users. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-41324 https://nvd.nist.gov/vuln/detail/CVE-2023-41324 2023-09-27 2023-10-11
Account takeover via Kanban feature in GLPI glpi 9.5.0,110.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A logged user from any profile can hijack the Kanban feature to alter any user field, and end-up with stealing its account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-41326 https://nvd.nist.gov/vuln/detail/CVE-2023-41326 2023-09-27 2023-10-11
Account takeover via SQL Injection in UI layout preferences in GLPI glpi 10.0.0,110.0.10,1

security-advisories@github.com reports:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be use to takeover an administrator account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-41320 https://nvd.nist.gov/vuln/detail/CVE-2023-41320 2023-09-27 2023-10-11
GLPI vulnerable to SQL injection via dashboard administration glpi 9.5.0,110.0.9,1

security-advisories@github.com reports:

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An administrator can trigger SQL injection via dashboards administration. This vulnerability has been patched in version 10.0.9.

CVE-2023-37278 https://nvd.nist.gov/vuln/detail/CVE-2023-37278 2023-07-13 2023-10-11
GLPI vulnerable to unauthorized access to User data glpi 10.0.8,1

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should upgrade to version 10.0.8 to receive a patch.

CVE-2023-34106 https://nvd.nist.gov/vuln/detail/CVE-2023-34106 2023-07-05 2023-10-11
GLPI vulnerable to unauthorized access to KnowbaseItem data glpi 9.2.0,110.0.8,1

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Versions of the software starting with 9.2.0 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user, allows access to the view all KnowbaseItems. Version 10.0.8 has a patch for this issue.

CVE-2023-34107 https://nvd.nist.gov/vuln/detail/CVE-2023-34107 2023-07-05 2023-10-11
GLPI vulnerable to reflected XSS in search pages glpi 9.4.0,110.0.8,1

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Starting in version 9.4.0 and prior to version 10.0.8, a malicious link can be crafted by an unauthenticated user that can exploit a reflected XSS in case any authenticated user opens the crafted link. Users should upgrade to version 10.0.8 to receive a patch.

CVE-2023-34244 https://nvd.nist.gov/vuln/detail/CVE-2023-34244 2023-07-05 2023-10-11
GLPI vulnerable to unauthenticated access to Dashboard data glpi 9.5.0,110.0.8,1

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to be able to access dashboards data. Version 10.0.8 contains a patch for this issue.

CVE-2023-35940 https://nvd.nist.gov/vuln/detail/CVE-2023-35940 2023-07-05 2023-10-11
GLPI vulnerable to unauthorized access to Dashboard data glpi 9.5.0,110.0.8,1

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a on a file accessible by an authenticated user (or not for certain actions), allows a threat actor to interact, modify, or see Dashboard data. Version 10.0.8 contains a patch for this issue.

CVE-2023-35939 https://nvd.nist.gov/vuln/detail/CVE-2023-35939 2023-07-05 2023-10-11
GLPI vulnerable to SQL injection through Computer Virtual Machine information glpi 10.0.8,1

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.

CVE-2023-36808 https://nvd.nist.gov/vuln/detail/CVE-2023-36808 2023-07-05 2023-10-11
GLPI vulnerable to SQL injection via inventory agent request glpi 10.0.0,110.0.8,1

security-advisories@github.com reports:

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.

CVE-2023-35924 https://nvd.nist.gov/vuln/detail/CVE-2023-35924 2023-07-05 2023-10-11
py-matrix-synapse -- weakness in auth chain indexing allows DoS py38-matrix-synapse py39-matrix-synapse py310-matrix-synapse py311-matrix-synapse 1.105.1

Matrix developers report:

Weakness in auth chain indexing allows DoS from remote room members through disk fill and high CPU usage. (High severity)

CVE-2024-31208 https://element.io/blog/security-release-synapse-1-105-1/ https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v 2024-04-23 2024-04-24
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 16.11.016.11.1 16.10.016.10.4 7.8.016.9.6

Gitlab reports:

GitLab account takeover, under certain conditions, when using Bitbucket as an OAuth provider

Path Traversal leads to DoS and Restricted File Read

Unauthenticated ReDoS in FileFinder when using wildcard filters in project file search

Personal Access Token scopes not honoured by GraphQL subscriptions

Domain based restrictions bypass using a crafted email address

CVE-2024-4024 CVE-2024-2434 CVE-2024-2829 CVE-2024-4006 CVE-2024-1347 https://about.gitlab.com/releases/2024/04/24/patch-release-gitlab-16-11-1-released/ 2024-04-24 2024-04-24
powerdns-recursor -- denial of service powerdns-recursor 5.0.4

PowerDNS Team reports:

PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor

CVE-2024-25583 https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html 2024-04-24 2024-04-24
GLPI -- multiple vulnerabilities glpi 10.0.13,1

GLPI team reports:

GLPI 10.0.13 Changelog

  • [SECURITY - high] SQL Injection in through the search engine (CVE-2024-27096)
  • [SECURITY - moderate] Blind SSRF using Arbitrary Object Instantiation (CVE-2024-27098)
  • [SECURITY - moderate] Stored XSS in dashboards (CVE-2024-27104)
  • [SECURITY - moderate] Reflected XSS in debug mode (CVE-2024-27914)
  • [SECURITY - moderate] Sensitive fields access through dropdowns (CVE-2024-27930)
  • [SECURITY - moderate] Users emails enumeration (CVE-2024-27937)
CVE-2024-27096 CVE-2024-27098 CVE-2024-27104 CVE-2024-27914 CVE-2024-27930 CVE-2024-27937 https://github.com/glpi-project/glpi/releases/tag/10.0.13 2024-03-13 2024-04-22
GLPI -- multiple vulnerabilities glpi 10.0.12,1

GLPI team reports:

GLPI 10.0.12 Changelog

  • [SECURITY - moderate] Reflected XSS in reports pages (CVE-2024-23645)
  • [SECURITY - moderate] LDAP Injection during authentication (CVE-2023-51446)
CVE-2024-23645 CVE-2023-51446 https://github.com/glpi-project/glpi/releases/tag/10.0.12 2024-02-01 2024-04-22
GLPI -- multiple vulnerabilities glpi 10.0.11,1

GLPI team reports:

GLPI 10.0.11 Changelog

  • [SECURITY - moderate] Authenticated SQL Injection (CVE-2023-43813)
  • [SECURITY - high] SQL injection through inventory agent request (CVE-2023-46727)
  • [SECURITY - high] Remote code execution from LDAP server configuration form on PHP 7.4 (CVE-2023-46726)
CVE-2023-43813 CVE-2023-46727 CVE-2023-46726 https://github.com/glpi-project/glpi/releases/tag/10.0.11 2023-12-13 2024-04-22
ruby -- Arbitrary memory address read vulnerability with Regex search ruby 3.1.0,13.1.5,1 3.2.0,13.2.4,1 3.3.0,13.3.1,1 ruby31 3.1.0,13.1.5,1 ruby32 3.2.0,13.2.4,1 ruby33 3.3.0,13.3.1,1

sp2ip reports:

If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.

CVE-2024-27282 https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/ 2024-04-23 2024-04-23
sdl2_sound -- multiple vulnerabilities sdl2_sound 2.0.2_1

GitHub Security Lab reports:

stb_image.h and stb_vorbis libraries contain several memory access violations of different severity

  1. Wild address read in stbi__gif_load_next (GHSL-2023-145).
  2. Multi-byte read heap buffer overflow in stbi__vertical_flip (GHSL-2023-146).
  3. Disclosure of uninitialized memory in stbi__tga_load (GHSL-2023-147).
  4. Double-free in stbi__load_gif_main_outofmem (GHSL-2023-148).
  5. Null pointer dereference in stbi__convert_format (GHSL-2023-149).
  6. Possible double-free or memory leak in stbi__load_gif_main (GHSL-2023-150).
  7. Null pointer dereference because of an uninitialized variable (GHSL-2023-151).
  8. 0 byte write heap buffer overflow in start_decoder (GHSL-2023-165)
  9. Multi-byte write heap buffer overflow in start_decoder (GHSL-2023-166)
  10. Heap buffer out of bounds write in start_decoder (GHSL-2023-167)
  11. Off-by-one heap buffer write in start_decoder (GHSL-2023-168)
  12. Attempt to free an uninitialized memory pointer in vorbis_deinit (GHSL-2023-169)
  13. Null pointer dereference in vorbis_deinit (GHSL-2023-170)
  14. Out of bounds heap buffer write (GHSL-2023-171)
  15. Wild address read in vorbis_decode_packet_rest (GHSL-2023-172)
CVE-2023-45676 CVE-2023-45677 CVE-2023-45680 CVE-2023-45681 CVE-2023-45682 https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ 2023-10-20 2024-04-22
chromium -- multiple security fixes chromium 124.0.6367.60 ungoogled-chromium 124.0.6367.60

Chrome Releases reports:

This update includes 23 security fixes:

  • [331358160] High CVE-2024-3832: Object corruption in V8. Reported by Man Yue Mo of GitHub Security Lab on 2024-03-27
  • [331383939] High CVE-2024-3833: Object corruption in WebAssembly. Reported by Man Yue Mo of GitHub Security Lab on 2024-03-27
  • [330759272] High CVE-2024-3914: Use after free in V8. Reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024 on 2024-03-21
  • [326607008] High CVE-2024-3834: Use after free in Downloads. Reported by ChaobinZhang on 2024-02-24
  • [41491379] Medium CVE-2024-3837: Use after free in QUIC. Reported by {rotiple, dch3ck} of CW Research Inc. on 2024-01-15
  • [328278717] Medium CVE-2024-3838: Inappropriate implementation in Autofill. Reported by Ardyan Vicky Ramadhan on 2024-03-06
  • [41491859] Medium CVE-2024-3839: Out of bounds read in Fonts. Reported by Ronald Crane (Zippenhop LLC) on 2024-01-16
  • [41493458] Medium CVE-2024-3840: Insufficient policy enforcement in Site Isolation. Reported by Ahmed ElMasry on 2024-01-22
  • [330376742] Medium CVE-2024-3841: Insufficient data validation in Browser Switcher. Reported by Oleg on 2024-03-19
  • [41486690] Medium CVE-2024-3843: Insufficient data validation in Downloads. Reported by Azur on 2023-12-24
  • [40058873] Low CVE-2024-3844: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2022-02-23
  • [323583084] Low CVE-2024-3845: Inappropriate implementation in Network. Reported by Daniel Baulig on 2024-02-03
  • [40064754] Low CVE-2024-3846: Inappropriate implementation in Prompts. Reported by Ahmed ElMasry on 2023-05-23
  • [328690293] Low CVE-2024-3847: Insufficient policy enforcement in WebUI. Reported by Yan Zhu on 2024-03-08
CVE-2024-3832 CVE-2024-3833 CVE-2024-3914 CVE-2024-3834 CVE-2024-3837 CVE-2024-3838 CVE-2024-3839 CVE-2024-3840 CVE-2024-3841 CVE-2024-3843 CVE-2024-3844 CVE-2024-3845 CVE-2024-3846 CVE-2024-3847 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html 2024-04-16 2024-04-21
clamav -- Possible crash in the HTML file parser that could cause a denial-of-service (DoS) condition clamav 1.3.0,11.3.1,1

Błażej Pawłowski reports:

A vulnerability in the HTML parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an issue in the C to Rust foreign function interface. An attacker could exploit this vulnerability by submitting a crafted file containing HTML content to be scanned by ClamAV on an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

CVE-2024-20380 https://blog.clamav.net/2024/04/clamav-131-123-106-patch-versions.html 2024-04-17 2024-04-19
jenkins -- Terrapin SSH vulnerability in Jenkins CLI client jenkins 2.452 jenkins-lts 2.440.3

Jenkins Security Advisory:

Description

(Medium) SECURITY-3386 / CVE-2023-48795

Terrapin SSH vulnerability in Jenkins CLI client

CVE-2023-48795 https://www.jenkins.io/security/advisory/2024-04-17/ 2024-04-17 2024-04-19
electron{27,28,29} -- multiple vulnerabilities electron27 27.3.11 electron28 28.3.1 electron29 29.3.1

Electron develpers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-3515.
  • Security: backported fix for CVE-2024-3516.
  • Security: backported fix for CVE-2024-3157.
  • Security: backported fix for CVE-2024-1580.
CVE-2024-3515 https://github.com/advisories/GHSA-x6cj-gx36-vcxv CVE-2024-3516 https://github.com/advisories/GHSA-jf9g-42gm-v87w CVE-2024-3157 https://github.com/advisories/GHSA-4m4g-p795-cmq7 CVE-2024-1580 https://github.com/advisories/GHSA-3p7f-4r2q-wxmm 2024-04-16 2024-04-18
php -- Multiple vulnerabilities php81 8.1.28 php82 8.2.18 php83 8.3.6

This update includes 3 security fixes:

  • High CVE-2024-1874: Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows
  • High CVE-2024-1874: Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows
  • Medium CVE-2024-2756: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
  • High CVE-2024-2757: mb_encode_mimeheader runs endlessly for some inputs
CVE-2024-1874 https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7 CVE-2024-2756 https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4 CVE-2024-3096 https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr CVE-2024-2757 https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq 2024-04-11 2024-04-16
go -- http2: close connections when receiving too many headers go122 1.22.2 go121 1.21.9

The Go project reports:

http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.

CVE-2023-45288 https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M/m/khALNYGdAAAJ 2024-04-03 2024-04-15
chromium -- multiple security fixes chromium 123.0.6312.122 ungoogled-chromium 123.0.6312.122

Chrome Releases reports:

This update includes 3 security fixes:

  • [331237485] High CVE-2024-3157: Out of bounds write in Compositing. Reported by DarkNavy on 2024-03-26
  • [328859176] High CVE-2024-3516: Heap buffer overflow in ANGLE. Reported by Bao (zx) Pham and Toan (suto) Pham of Qrious Secure on 2024-03-09
  • [331123811] High CVE-2024-3515: Use after free in Dawn. Reported by wgslfuzz on 2024-03-25
CVE-2024-3157 CVE-2024-3516 CVE-2024-3515 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_10.html 2024-04-10 2024-04-12
PuTTY and embedders (f.i., filezilla) -- biased RNG with NIST P521/ecdsa-sha2-nistp521 signatures permits recovering private key putty 0.680.81 putty-nogtk 0.680.81 filezilla 3.67.0

Simon Tatham reports:

ECDSA signatures using 521-bit keys (the NIST P521 curve, otherwise known as ecdsa-sha2-nistp521) were generated with biased random numbers. This permits an attacker in possession of a few dozen signatures to RECOVER THE PRIVATE KEY.

Any 521-bit ECDSA private key that PuTTY or Pageant has used to sign anything should be considered compromised.

Additionally, if you have any 521-bit ECDSA private keys that you've used with PuTTY, you should consider them to be compromised: generate new keys, and remove the old public keys from any authorized_keys files.

A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), [...] and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.

CVE-2024-31497 https://lists.tartarus.org/pipermail/putty-announce/2024/000038.html https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html https://git.tartarus.org/?h=c193fe9848f50a88a4089aac647fecc31ae96d27&p=simon/putty.git https://filezilla-project.org/versions.php https://nvd.nist.gov/vuln/detail/CVE-2024-31497 2024-04-01 2024-04-16
electron{27,28} -- Out of bounds memory access in V8 electron27 27.3.10 electron28 28.3.0

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-3159.
CVE-2024-3159 https://github.com/advisories/GHSA-mh2p-2x66-3hr4 2024-04-10 2024-04-11
OpenSSL -- Unbounded memory growth with session handling in TLSv1.3 openssl 3.0.13_3,1 openssl31 3.1.5_3 openssl32 3.2.1_2 openssl-quictls 3.0.13_3 openssl31-quictls 3.1.5_1

The OpenSSL project reports:

Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions

CVE-2024-2511 https://www.openssl.org/news/secadv/20240408.txt 2024-04-08 2024-04-11
forgejo -- HTTP/2 CONTINUATION flood in net/http forgejo 1.21.8

security@golang.org reports:

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

CVE-2023-45288 https://nvd.nist.gov/vuln/detail/CVE-2023-45288 2024-04-04 2024-04-11
jose -- DoS vulnerability jose 13

cve@mitre.org reports:

latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

CVE-2023-50967 https://nvd.nist.gov/vuln/detail/CVE-2023-50967 2024-03-20 2024-04-11
Gitlab -- Patch Release: 16.10.2, 16.9.4, 16.8.6 gitlab-ce 16.10.016.10.2 16.9.016.9.4 16.8.6

Gitlab reports:

Stored XSS injected in diff viewer

Stored XSS via autocomplete results

Redos on Integrations Chat Messages

Redos During Parse Junit Test Report

CVE-2024-3092 CVE-2024-2279 CVE-2023-6489 CVE-2023-6678 https://about.gitlab.com/releases/2024/04/10/patch-release-gitlab-16-10-2-released/ 2024-04-10 2024-04-11
wordpress -- XSS wordpress fr-wordpress-fr_FR 6.5.0,16.5.1,1 6.4.4,1 ru-wordpress-ru_RU ja-wordpress-ja zh-wordpress-zh_CN zh-wordpress-zh_TW de-wordpress-de_DE 6.5.06.5.1 6.4.4

The Wordpress team reports:

A cross-site scripting (XSS) vulnerability affecting the Avatar block type

https://wordpress.org/documentation/wordpress-version/version-6-4-4/ 2024-04-09 2024-04-10
Apache httpd -- multiple vulnerabilities apache24 2.4.59 mod_http2 2.0.27

The Apache httpd project reports:

HTTP/2 DoS by memory exhaustion on endless continuation frames

HTTP Response Splitting in multiple modules

CVE-2024-27316 CVE-2024-24795 CVE-2024-38709 https://downloads.apache.org/httpd/CHANGES_2.4.59 2024-04-04 2024-04-05
electron{27,28} -- multiple vulnerabilities electron27 27.3.9 electron28 28.2.10

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-2885.
  • Security: backported fix for CVE-2024-2883.
  • Security: backported fix for CVE-2024-2887.
  • Security: backported fix for CVE-2024-2886.
CVE-2024-2885 https://github.com/advisories/GHSA-qccw-wmvp-8pv9 CVE-2024-2883 https://github.com/advisories/GHSA-gg9c-7j6m-3qq2 CVE-2024-2887 https://github.com/advisories/GHSA-q75f-2pp5-9phj CVE-2024-2886 https://github.com/advisories/GHSA-5pj4-f8gh-j3mr 2024-04-03 2024-04-05
chromium -- multiple security fixes chromium 123.0.6312.105 ungoogled-chromium 123.0.6312.105

Chrome Releases reports:

This update includes 3 security fixes:

  • [329130358] High CVE-2024-3156: Inappropriate implementation in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-03-12
  • [329965696] High CVE-2024-3158: Use after free in Bookmarks. Reported by undoingfish on 2024-03-17
  • [330760873] High CVE-2024-3159: Out of bounds memory access in V8. Reported by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks, via Pwn2Own 2024 on 2024-03-22
CVE-2024-3156 CVE-2024-3158 CVE-2024-3159 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop.html 2024-04-02 2024-04-04
xorg server -- Multiple vulnerabilities xorg-server xephyr xorg-vfbserver 21.1.12,1 xorg-nextserver 21.1.12,2 xwayland 23.2.5 xwayland-devel 21.0.99.1.67221.0.99.1.841_1 21.0.99.1.671_1

The X.Org project reports:

  • CVE-2024-31080: Heap buffer overread/data leakage in ProcXIGetSelectedEvents

    The ProcXIGetSelectedEvents() function uses the byte-swapped length of the return data for the amount of data to return to the client, if the client has a different endianness than the X server.

  • CVE-2024-31081: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice

    The ProcXIPassiveGrabDevice() function uses the byte-swapped length of the return data for the amount of data to return to the client, if the client has a different endianness than the X server.

  • CVE-2024-31083: User-after-free in ProcRenderAddGlyphs

    The ProcRenderAddGlyphs() function calls the AllocateGlyph() function to store new glyphs sent by the client to the X server. AllocateGlyph() would return a new glyph with refcount=0 and a re-used glyph would end up not changing the refcount at all. The resulting glyph_new array would thus have multiple entries pointing to the same non-refcounted glyphs. ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when the same glyph pointer is then later used.

CVE-2024-31080 CVE-2024-31081 CVE-2024-31083 https://lists.x.org/archives/xorg-announce/2024-April/003497.html 2024-04-03 2024-04-04
jenkins -- HTTP/2 denial of service vulnerability in bundled Jetty jenkins 2.444 jenkins-lts 2.440.2

Jenkins Security Advisory:

Description

(High) SECURITY-3379 / CVE-2024-22201

HTTP/2 denial of service vulnerability in bundled Jetty

CVE-2024-22201 https://www.jenkins.io/security/advisory/2024-03-20/ 2024-03-20 2024-04-02
mediawiki -- multiple vulnerabilities mediawiki139 1.39.7 mediawiki140 1.40.3 mediawiki141 1.41.1

Mediawiki reports:

(T355538, CVE-2024-PENDING) SECURITY: XSS in edit summary parser.

(T357760, CVE-2024-PENDING) SECURITY: Denial of service vector via GET request to Special:MovePage on pages with thousands of subpages.

https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/V3WXEPXV2DU6WTVEKK4XHW4QXD5OFKD7/ 2024-03-15 2024-03-31
electron{27,28} -- Object lifecycle issue in V8 electron27 27.3.8 electron28 28.2.9

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-2625.
CVE-2024-2625 https://github.com/advisories/GHSA-j7h3-fcrw-g6j8 2024-03-28 2024-03-29
Gitlab -- vulnerabilities gitlab-ce 16.10.016.10.1 16.9.016.9.3 16.8.5

Gitlab reports:

Stored-XSS injected in Wiki page via Banzai pipeline

DOS using crafted emojis

CVE-2023-6371 CVE-2024-2818 https://about.gitlab.com/releases/2024/03/27/security-release-gitlab-16-10-1-released/ 2024-03-27 2024-03-28
chromium -- multiple security fixes chromium 123.0.6312.86 ungoogled-chromium 123.0.6312.86

Chrome Releases reports:

This update includes 7 security fixes:

  • [327807820] Critical CVE-2024-2883: Use after free in ANGLE. Reported by Cassidy Kim(@cassidy6564) on 2024-03-03
  • [328958020] High CVE-2024-2885: Use after free in Dawn. Reported by wgslfuzz on 2024-03-11
  • [330575496] High CVE-2024-2886: Use after free in WebCodecs. Reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024 on 2024-03-21
  • [330588502] High CVE-2024-2887: Type Confusion in WebAssembly. Reported by Manfred Paul, via Pwn2Own 2024 on 2024-03-21
CVE-2024-2883 CVE-2024-2885 CVE-2024-2886 CVE-2024-2887 https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_26.html 2024-03-26 2024-03-27
phpmyfaq -- multiple vulnerabilities phpmyfaq-php81 phpmyfaq-php82 phpmyfaq-php83 3.2.6

phpMyFAQ team reports:

The phpMyFAQ Team has learned of multiple security issues that'd been discovered in phpMyFAQ 3.2.5 and earlier. phpMyFAQ contains cross-site scripting (XSS), SQL injection and bypass vulnerabilities.

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-mmh6-5cpf-2c72 https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-hm8r-95g3-5hj9 https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-48vw-jpf8-hwqh https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-2grw-mc9r-822r https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-6p68-36m6-392r https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pwh2-fpfr-x5gf https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-q7g6-xfh2-vhpx https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-qgxx-4xv5-6hcw 2024-03-25 2024-03-26
emacs -- multiple vulnerabilities emacs emacs-canna emacs-nox 29.3,3

GNU Emacs developers report:

Emacs 29.3 is an emergency bugfix release intended to fix several security vulnerabilities.

  • Arbitrary Lisp code is no longer evaluated as part of turning on Org mode. This is for security reasons, to avoid evaluating malicious Lisp code.
  • New buffer-local variable 'untrusted-content'. When this is non-nil, Lisp programs should treat buffer contents with extra caution.
  • Gnus now treats inline MIME contents as untrusted. To get back previous insecure behavior, 'untrusted-content' should be reset to nil in the buffer.
  • LaTeX preview is now by default disabled for email attachments. To get back previous insecure behavior, set the variable 'org--latex-preview-when-risky' to a non-nil value.
  • Org mode now considers contents of remote files to be untrusted. Remote files are recognized by calling 'file-remote-p'.
CVE-2024-30202 CVE-2024-30203 CVE-2024-30204 CVE-2024-30205 https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29.3 2024-03-24 2024-03-26
quiche -- Multiple Vulnerabilities quiche 0.20.1

Quiche Releases reports:

This release includes 2 security fixes:

  • CVE-2024-1410: Unbounded storage of information related to connection ID retirement, in quiche. Reported by Marten Seeman (@marten-seeman)
  • CVE-2024-1765: Unlimited resource allocation by QUIC CRYPTO frames flooding in quiche. Reported by Marten Seeman (@marten-seeman)
CVE-2024-1410 CVE-2024-1765 https://github.com/cloudflare/quiche/releases/tag/0.20.1 2024-03-12 2024-03-26
chromium -- multiple security fixes chromium 123.0.6312.58 ungoogled-chromium 123.0.6312.58

Chrome Releases reports:

This update includes 12 security fixes:

  • [327740539] High CVE-2024-2625: Object lifecycle issue in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-03-01
  • [40945098] Medium CVE-2024-2626: Out of bounds read in Swiftshader. Reported by Cassidy Kim(@cassidy6564) on 2023-11-22
  • [41493290] Medium CVE-2024-2627: Use after free in Canvas. Reported by Anonymous on 2024-01-21
  • [41487774] Medium CVE-2024-2628: Inappropriate implementation in Downloads. Reported by Ath3r1s on 2024-01-03
  • [41487721] Medium CVE-2024-2629: Incorrect security UI in iOS. Reported by Muneaki Nishimura (nishimunea) on 2024-01-02
  • [41481877] Medium CVE-2024-2630: Inappropriate implementation in iOS. Reported by James Lee (@Windowsrcer) on 2023-12-07
  • [41495878] Low CVE-2024-2631: Inappropriate implementation in iOS. Reported by Ramit Gangwar on 2024-01-29
CVE-2024-2625 CVE-2024-2626 CVE-2024-2627 CVE-2024-2628 CVE-2024-2629 CVE-2024-2630 CVE-2024-2631 https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_19.html 2024-03-19 2024-03-22
security/shibboleth-idp -- CAS service SSRF shibboleth-idp 4.3.04.3.2 5.0.05.1.1

Shibboleth Developers report:

The Identity Provider's CAS support relies on a function in the Spring Framework to parse CAS service URLs and append the ticket parameter.

https://shibboleth.net/community/advisories/secadv_20240320.txt 2024-03-20 2024-03-21
databases/mongodb* -- Improper Certificate Validation mongodb44 4.4.29 mongodb50 5.0.25 mongodb60 6.0.14 mongodb70 7.0.6

MongoDB, Inc. reports:

A security vulnerability was found where a server process running MongoDB 3.2.6 or later will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured (CVE-2024-1351).

CVE-2024-1351 https://nvd.nist.gov/vuln/detail/CVE-2024-1351 2024-03-07 2024-03-20
www/varnish7 -- Denial of Service varnish7 7.4.3

The Varnish Development Team reports:

A denial of service attack can be performed on Varnish Cacher servers that have the HTTP/2 protocol turned on. An attacker can let the servers HTTP/2 connection control flow window run out of credits indefinitely and prevent progress in the processing of streams, retaining the associated resources.

CVE-2023-43622 https://varnish-cache.org/security/VSV00014.html#vsv00014 2019-04-19 2024-03-18
amavisd-new -- multipart boundary confusion amavisd-new 2.12.3

The Amavis project reports:

Emails which consist of multiple parts (`Content-Type: multipart/*`) incorporate boundary information stating at which point one part ends and the next part begins.

A boundary is announced by an Content-Type header's `boundary` parameter. To our current knowledge, RFC2046 and RFC2045 do not explicitly specify how a parser should handle multiple boundary parameters that contain conflicting values. As a result, there is no canonical choice which of the values should or should not be used for mime part decomposition.

CVE-2024-28054 https://gitlab.com/amavis/amavis/-/raw/v2.12.3/README_FILES/README.CVE-2024-28054 2024-03-14 2024-03-17
typo3-{11,12} -- multiple vulnerabilities typo3-11 11.5.35 typo3-12 12.4.11

Typo3 developers reports:

All versions are security releases and contain important security fixes - read the corresponding security advisories here:

  • Path Traversal in TYPO3 File Abstraction Layer Storages CVE-2023-30451
  • Code Execution in TYPO3 Install Tool CVE-2024-22188
  • Information Disclosure of Hashed Passwords in TYPO3 Backend Forms CVE-2024-25118
  • Information Disclosure of Encryption Key in TYPO3 Install Tool CVE-2024-25119
  • Improper Access Control of Resources Referenced by t3:// URI Scheme CVE-2024-25120
  • Improper Access Control Persisting File Abstraction Layer Entities via Data Handler CVE-2024-25121
CVE-2023-30451 CVE-2024-22188 CVE-2024-25118 CVE-2024-25119 CVE-2024-25120 CVE-2024-25121 https://typo3.org/article/typo3-1301-12411-and-11535-security-releases-published 2024-02-13 2024-03-16
electron{27,28} -- Out of bounds memory access in V8 electron27 27.3.6 electron28 28.2.7

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-2173.
CVE-2024-2173 https://github.com/advisories/GHSA-6hhg-hj7x-7qv8 2024-03-13 2024-03-14
Intel CPUs -- multiple vulnerabilities cpu-microcode-intel 20240312

Intel reports:

2024.1 IPU - Intel Processor Bus Lock Advisory

A potential security vulnerability in the bus lock regulator mechanism for some Intel Processors may allow denial of service. Intel is releasing firmware updates to mitigate this potential vulnerability.

2024.1 IPU - Intel Processor Return Predictions Advisory

A potential security vulnerability in some Intel Processors may allow information disclosure.

2024.1 IPU - Intel Atom Processor Advisory

A potential security vulnerability in some Intel Atom Processors may allow information disclosure.

2024.1 IPU - Intel Xeon Processor Advisory

A potential security vulnerability in some 3rd and 4th Generation Intel Xeon Processors when using Intel Software Guard Extensions (SGX) or Intel Trust Domain Extensions (TDX) may allow escalation of privilege.

2024.1 IPU OOB - Intel Xeon D Processor Advisory

A potential security vulnerability in some Intel Xeon D Processors with Intel Software Guard Extensions (SGX) may allow information disclosure.

CVE-2023-39368 CVE-2023-38575 CVE-2023-28746 CVE-2023-22655 CVE-2023-43490 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312 2023-03-12 2024-03-12
Grafana -- Data source permission escalation grafana 8.5.09.5.17 10.0.010.0.12 10.1.010.1.8 10.2.010.2.5 10.3.010.3.4 grafana9 9.5.17

Grafana Labs reports:

The vulnerability impacts Grafana Cloud and Grafana Enterprise instances, and it is exploitable if a user who should not be able to access all data sources is granted permissions to create a data source.

By default, only organization Administrators are allowed to create a data source and have full access to all data sources. All other users need to be explicitly granted permission to create a data source, which then means they could exploit this vulnerability.

When a user creates a data source via the API, they can specify data source UID. If the UID is set to an asterisk (*), the user gains permissions to query, update, and delete all data sources in the organization. The exploit, however, does not stretch across organizations — to exploit the vulnerability in several organizations, a user would need permissions to create data sources in each organization.

The vulnerability comes from a lack of UID validation. When evaluating permissions, we interpret an asterisk (*) as a wild card for all resources. Therefore, we should treat it as a reserved value, and not allow the creation of a resource with the UID set to an asterisk.

The CVSS score for this vulnerability is 6 Medium.

CVE-2024-1442 https://grafana.com/security/security-advisories/cve-2024-1442/ 2024-02-12 2024-03-11 2024-03-26
Unbound -- Denial-of-Service vulnerability unbound 1.18.01.19.2

NLNet Labs reports:

Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration.

CVE-2024-1931 https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-1931.txt 2024-03-07 2024-03-09
electron{27,28} -- vulnerability in libxml2 electron27 27.3.5 electron28 28.2.6

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-25062.
CVE-2024-25062 https://github.com/advisories/GHSA-x77r-6xxm-wjmx 2024-03-06 2024-03-07
Gitlab -- Vulnerabilities gitlab-ce 16.9.016.9.2 16.8.016.8.4 11.3.016.7.7

Gitlab reports:

Bypassing CODEOWNERS approval allowing to steal protected variables

Guest with manage group access tokens can rotate and see group access token with owner permissions

CVE-2024-0199 CVE-2024-1299 https://about.gitlab.com/releases/2024/03/06/security-release-gitlab-16-9-2-released/ 2024-03-06 2024-03-07
go -- multiple vulnerabilities go122 1.22.1 go121 1.21.8

The Go project reports reports:

crypto/x509: Verify panics on certificates with an unknown public key algorithm

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.

net/http: memory exhaustion in Request.ParseMultipartForm

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.

net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.

html/template: errors returned from MarshalJSON methods may break template escaping

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

net/mail: comments in display names are incorrectly handled

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24785 https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg/m/46oA5yPABQAJ 2024-03-05 2024-03-06
chromium -- multiple security fixes chromium 122.0.6261.111 ungoogled-chromium 122.0.6261.111

Chrome Releases reports:

This update includes 3 security fixes:

  • [325893559] High CVE-2024-2173: Out of bounds memory access in V8. Reported by 5fceb6172bbf7e2c5a948183b53565b9 on 2024-02-19
  • [325866363] High CVE-2024-2174: Inappropriate implementation in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be8 on 2024-02-19
  • [325936438] High CVE-2024-2176: Use after free in FedCM. Reported by Anonymous on 2024-02-20
CVE-2024-2173 CVE-2024-2174 CVE-2024-2176 https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop.html 2024-03-05 2024-03-06
Django -- multiple vulnerabilities py39-django32 py310-django32 py311-django32 3.2.25 py39-django42 py310-django42 py311-django42 4.2.11 py310-django50 py311-django50 5.0.3

Django reports:

CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words().

CVE-2024-27351 https://www.djangoproject.com/weblog/2024/mar/04/security-releases/ 2024-02-25 2024-03-04
NodeJS -- Vulnerabilities node 21.0.021.6.2 20.0.020.11.1 18.0.018.19.1 16.0.016.20.3 node16 16.0.016.20.3 node18 18.0.018.19.1 node20 20.0.020.11.1 node21 21.0.021.6.2

Node.js reports:

Code injection and privilege escalation through Linux capabilities- (High)

http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)

Path traversal by monkey-patching Buffer internals- (High)

setuid() does not drop all privileges due to io_uring - (High)

Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)

Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)

Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)

Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)

CVE-2024-21892 CVE-2024-22019 CVE-2024-21896 CVE-2024-22017 CVE-2023-46809 CVE-2024-21891 CVE-2024-21890 CVE-2024-22025 https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#2024-02-14-version-20111-iron-lts-rafaelgss-prepared-by-marco-ippolito 2024-02-14 2024-03-01
electron{27,28} -- Use after free in Mojo electron27 27.3.4 electron28 28.2.5

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-1670.
CVE-2024-1670 https://github.com/advisories/GHSA-wjv4-j3hc-gxvv 2024-02-28 2024-02-29
chromium -- multiple security fixes chromium 122.0.6261.94 ungoogled-chromium 122.0.6261.94

Chrome Releases reports:

This update includes 4 security fixes:

  • [324596281] High CVE-2024-1938: Type Confusion in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be8 on 2024-02-11
  • [323694592] High CVE-2024-1939: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2024-02-05
CVE-2024-1938 CVE-2024-1939 https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop_27.html 2024-02-27 2024-02-29
null -- Routinator terminates when RTR connection is reset too quickly after opening null null

sep@nlnetlabs.nl reports:

Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too quickly after opening.

CVE-2024-1622 https://nvd.nist.gov/vuln/detail/CVE-2024-1622 2024-02-26 2024-02-28
curl -- OCSP verification bypass with TLS session reuse curl 8.6.0

Hiroki Kurosawa reports:

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.

CVE-2024-0853 https://curl.se/docs/CVE-2024-0853.html 2024-01-31 2024-02-28
gitea -- Fix XSS vulnerabilities gitea 1.21.6

Problem Description:

  • The Wiki page did not sanitize author name
  • the reviewer name on a "dismiss review" comment is also affected
  • the migration page has some spots
https://blog.gitea.com/release-of-1.21.6/ 2024-02-23 2024-02-24
chromium -- multiple security fixes chromium 122.0.6261.57 ungoogled-chromium 122.0.6261.57

Chrome Releases reports:

This update includes 12 security fixes:

  • [41495060] High CVE-2024-1669: Out of bounds memory access in Blink. Reported by Anonymous on 2024-01-26
  • [41481374] High CVE-2024-1670: Use after free in Mojo. Reported by Cassidy Kim(@cassidy6564) on 2023-12-06
  • [41487933] Medium CVE-2024-1671: Inappropriate implementation in Site Isolation. Reported by Harry Chen on 2024-01-03
  • [41485789] Medium CVE-2024-1672: Inappropriate implementation in Content Security Policy. Reported by Georg Felber (TU Wien) & Marco Squarcina (TU Wien) on 2023-12-19
  • [41490491] Medium CVE-2024-1673: Use after free in Accessibility. Reported by Weipeng Jiang (@Krace) of VRI on 2024-01-11
  • [40095183] Medium CVE-2024-1674: Inappropriate implementation in Navigation. Reported by David Erceg on 2019-05-27
  • [41486208] Medium CVE-2024-1675: Insufficient policy enforcement in Download. Reported by Bartłomiej Wacko on 2023-12-21
  • [40944847] Low CVE-2024-1676: Inappropriate implementation in Navigation. Reported by Khalil Zhani on 2023-11-21
https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop_20.html 2024-02-20 2024-02-24
Grafana -- Email verification is not required after email change grafana 9.5.16 10.0.010.0.11 10.1.010.1.7 10.2.010.2.4 10.3.010.3.3 grafana9 9.5.16 grafana10 10.0.11 10.1.010.1.7 10.2.010.2.4 10.3.010.3.3

Grafana Labs reports:

The vulnerability impacts instances where Grafana basic authentication is enabled.

Grafana has a verify_email_enabled configuration option. When this option is enabled, users are required to confirm their email addresses before the sign-up process is complete. However, the email is only checked at the time of the sign-up. No further verification is carried out if a user’s email address is updated after the initial sign-up. Moreover, Grafana allows using an email address as the user’s login name, and no verification is ever carried out for this email address.

This means that even if the verify_email_enabled configuration option is enabled, users can use unverified email addresses to log into Grafana if the email address has been changed after the sign up, or if an email address is set as the login name.

The CVSS score for this vulnerability is [5.4 Medium] (CVSS).

CVE-2023-6152 https://grafana.com/security/security-advisories/cve-2023-6152/ 2023-11-10 2024-02-20
dns/c-ares -- malformatted file causes application crash c-ares 1.27.0

c-ares project reports:

Reading malformatted /etc/resolv.conf, /etc/nsswitch.conf or the HOSTALIASES file could result in a crash.

CVE-2024-25629 https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q 2024-02-23 2024-02-23
suricata -- multiple vulnerabilities suricata 7.0.3

Suricata team reports:

Multiple vulnerabilities fixed in the last release of suricata.

No details have been disclosed yet

CVE-2024-23839 CVE-2024-23836 CVE-2024-23835 CVE-2024-24568 CVE-2024-23837 2024-01-22 2024-02-23
electron27 -- multiple vulnerabilities electron27 27.3.3

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-1283.
  • Security: backported fix for CVE-2024-1284.
CVE-2024-1283 https://github.com/advisories/GHSA-7mgj-p9v3-3vxr CVE-2024-1284 https://github.com/advisories/GHSA-pf89-rhhw-xmhp 2024-02-21 2024-02-23
Gitlab -- Vulnerabilities gitlab-ce 16.9.016.9.1 16.8.016.8.3 11.3.016.7.6

Gitlab reports:

Stored-XSS in user's profile page

User with "admin_group_members" permission can invite other groups to gain owner access

ReDoS issue in the Codeowners reference extractor

LDAP user can reset password using secondary email and login using direct authentication

Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard

Users with the Guest role can change Custom dashboard projects settings for projects in the victim group

Group member with sub-maintainer role can change title of shared private deploy keys

Bypassing approvals of CODEOWNERS

CVE-2024-1451 CVE-2023-6477 CVE-2023-6736 CVE-2024-1525 CVE-2023-4895 CVE-2024-0861 CVE-2023-3509 CVE-2024-0410 https://about.gitlab.com/releases/2024/02/21/security-release-gitlab-16-9-1-released/ 2024-02-21 2024-02-22
powerdns-recursor -- Multiple Vulnerabilities powerdns-recursor 5.0.2

cve@mitre.org reports:

CVE-2023-50868: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

CVE-2023-50868 https://nvd.nist.gov/vuln/detail/CVE-2023-50868 CVE-2023-50387 https://nvd.nist.gov/vuln/detail/CVE-2023-50387 2024-02-14 2024-02-16
nginx-devel -- Multiple Vulnerabilities in HTTP/3 nginx-devel 1.25.01.25.4

The nginx development team reports:

When using HTTP/3 a segmentation fault might occur in a worker process while processing a specially crafted QUIC session.

CVE-2024-24989 CVE-2024-24990 2024-02-14 2024-02-15
FreeBSD -- jail(2) information leak FreeBSD-kernel 14.014.0_5 13.213.2_10

Problem Description:

The jail(2) system call has not limited a visiblity of allocated TTYs (the kern.ttys sysctl). This gives rise to an information leak about processes outside the current jail.

Impact:

Attacker can get information about TTYs allocated on the host or in other jails. Effectively, the information printed by "pstat -t" may be leaked.

CVE-2024-25941 SA-24:02.tty 2024-02-14 2024-02-14
FreeBSD -- bhyveload(8) host file access FreeBSD 14.014.0_5 13.213.2_10

Problem Description:

`bhyveload -h <host-path>` may be used to grant loader access to the <host-path> directory tree on the host. Affected versions of bhyveload(8) do not make any attempt to restrict loader's access to <host-path>, allowing the loader to read any file the host user has access to.

Impact:

In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the loader scripts generally come from the guest image. A maliciously crafted script could be used to exfiltrate sensitive data from the host accessible to the user running bhyhveload(8), which is often the system root.

CVE-2024-25940 SA-24:01.bhyveload 2024-02-14 2024-02-14
chromium -- security fix chromium 121.0.6167.184 ungoogled-chromium 121.0.6167.184

Chrome Releases reports:

This update includes 1 security fix.

https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop_13.html 2024-02-13 2024-02-14
DNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities bind916 9.16.48 bind918 9.18.24 bind9-devel 9.19.21 dnsmasq 2.90 dnsmasq-devel 2.90 powerdns-recursor 5.0.2 unbound 1.19.1 FreeBSD 14.014.0_6 13.213.2_11

Simon Kelley reports:

If DNSSEC validation is enabled, then an attacker who can force a DNS server to validate a specially crafted signed domain can use a lot of CPU in the validator. This only affects dnsmasq installations with DNSSEC enabled.

Stichting NLnet Labs reports:

The KeyTrap [CVE-2023-50387] vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path.

The NSEC3 [CVE-2023-50868] vulnerability uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path.

CVE-2023-50387 CVE-2023-50868 https://kb.isc.org/docs/cve-2023-50387 https://kb.isc.org/docs/cve-2023-50868 https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ SA-24:03.unbound 2024-02-06 2024-02-13 2024-04-01
phpmyfaq -- multiple vulnerabilities phpmyfaq-php81 phpmyfaq-php82 phpmyfaq-php83 3.2.5

phpMyFAQ team reports:

phpMyFAQ doesn't implement sufficient checks to avoid XSS when storing on attachments filenames. The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large range of targets. phpMyFAQ's user removal page allows an attacker to spoof another user's detail, and in turn make a compelling phishing case for removing another user's account.

https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7m8g-fprr-47fx https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9hhf-xmcw-r3xg https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-6648-6g96-mg35 2024-02-05 2024-02-11
openexr -- Heap Overflow in Scanline Deep Data Parsing openexr 3.1.12 3.2.03.2.2

Austin Hackers Anonymous report:

Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEXR image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability.

[...] it is in a routine that is predominantly used for development and testing. It is not likely to appear in production code.

CVE-2023-5841 https://takeonme.org/cves/CVE-2023-5841.html https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.2 2023-10-26 2024-02-12
readstat -- Heap buffer overflow in readstat_convert readstat 1.1.9

Google reports:

A heap buffer overflow exists in readstat_convert.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33991 https://osv.dev/vulnerability/OSV-2021-732 https://github.com/WizardMac/ReadStat/issues/285 2021-05-05 2024-02-12
p5-Spreadsheet-ParseExcel -- Remote Code Execution Vulnerability p5-Spreadsheet-ParseExcel 0.66

Spreadsheet-ParseExcel reports:

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type eval "eval". Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

CVE-2023-7101 https://nvd.nist.gov/vuln/detail/CVE-2023-7101 2023-12-29 2024-02-11
postgresql-server -- non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL postgresql-server 15.6 14.11 13.14 12.18

PostgreSQL Project reports:

One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH. The fix for the vulnerability makes is so that all user-determined code is run as the view's owner, as expected.

CVE-2024-0985 https://www.postgresql.org/support/security/CVE-2024-0985/ 2024-02-08 2024-02-08
Gitlab -- vulnerabilities gitlab-ce 16.8.016.8.2 16.7.016.7.5 13.3.016.6.7

Gitlab reports:

Restrict group access token creation for custom roles

Project maintainers can bypass group's scan result policy block_branch_modification setting

ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax

Resource exhaustion using GraphQL vulnerabilitiesCountByDay

CVE-2024-1250 CVE-2023-6840 CVE-2023-6386 CVE-2024-1066 https://about.gitlab.com/releases/2024/02/07/security-release-gitlab-16-8-2-released/ 2024-02-07 2024-02-08
Composer -- Code execution and possible privilege escalation php81-composer 2.7.0 php82-composer 2.7.0 php83-composer 2.7.0

Copmposer reports:

Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php.

Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.

As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.

All Composer CLI commands are affected, including composer.phar's self-update.

CVE-2024-24821 https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h 2024-02-08 2024-02-08
Libgit2 -- multiple vulnerabilities eza 0.18.2 libgit2 1.7.01.7.2 1.6.5

Git community reports:

A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application

A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application

A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities

CVE-2024-24577 https://github.com/libgit2/libgit2/releases/tag/v1.7.2 2024-02-06 2024-02-08 2024-02-14
chromium -- multiple security fixes chromium 121.0.6167.160 ungoogled-chromium 121.0.6167.160 qt5-webengine 5.15.16.p5_5 qt6-webengine 6.6.1_5

Chrome Releases reports:

This update includes 3 security fixes:

  • [41494539] High CVE-2024-1284: Use after free in Mojo. Reported by Anonymous on 2024-01-25
  • [41494860] High CVE-2024-1283: Heap buffer overflow in Skia. Reported by Jorge Buzeti (@r3tr074) on 2024-01-25
CVE-2024-1284 CVE-2024-1283 https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop.html 2024-02-06 2024-02-08
clamav -- Multiple vulnerabilities clamav 1.2.2,1 clamav-lts 1.0.5,1

The ClamAV project reports:

CVE-2024-20290
A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for end-of-string values during scanning, which may result in a heap buffer over-read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software and consuming available system resources.
CVE-2024-20328
Fixed a possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. To fix this issue, we disabled the '%f' format string parameter. ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment variable, instead of '%f'. But you should do so only from within an executable, such as a Python script, and not directly in the clamd.conf "VirusEvent" command.
CVE-2024-20290 CVE-2024-20328 https://blog.clamav.net/2023/11/clamav-130-122-105-released.html 2024-02-07 2024-02-07
Django -- multiple vulnerabilities py39-django32 py310-django32 py311-django32 3.2.24 py39-django42 py310-django42 py311-django42 4.2.8 py311-django50 5.0.2

Django reports:

CVE-2024-24680:Potential denial-of-service in intcomma template filter.

CVE-2024-24680 https://www.djangoproject.com/weblog/2024/feb/06/security-releases/ 2024-01-09 2024-02-07
chromium -- multiple security fixes chromium 121.0.6167.139 ungoogled-chromium 121.0.6167.139 qt5-webengine 5.15.16.p5_5 qt6-webengine 6.6.1_5

Chrome Releases reports:

This update includes 4 security fixes:

  • [1511567] High CVE-2024-1060: Use after free in Canvas. Reported by Anonymous on 2023-12-14
  • [1514777] High CVE-2024-1059: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-12-29
  • [1511085] High CVE-2024-1077: Use after free in Network. Reported by Microsoft Security Research Center on 2023-12-13
CVE-2024-1060 CVE-2024-1059 CVE-2024-1077 https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_30.html 2024-01-30 2024-02-02
chromium -- multiple security fixes chromium 121.0.6167.85 ungoogled-chromium 121.0.6167.85

Chrome Releases reports:

This update includes 17 security fixes:

  • [1484394] High CVE-2024-0812: Inappropriate implementation in Accessibility. Reported by Anonymous on 2023-09-19
  • [1504936] High CVE-2024-0808: Integer underflow in WebUI. Reported by Lyra Rebane (rebane2001) on 2023-11-24
  • [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools. Reported by Shaheen Fazim on 2023-10-26
  • [1463935] Medium CVE-2024-0814: Incorrect security UI in Payments. Reported by Muneaki Nishimura (nishimunea) on 2023-07-11
  • [1477151] Medium CVE-2024-0813: Use after free in Reading Mode. Reported by @retsew0x01 on 2023-08-30
  • [1505176] Medium CVE-2024-0806: Use after free in Passwords. Reported by 18ę„¼ę¢¦ęƒ³ę”¹é€ å®¶ on 2023-11-25
  • [1514925] Medium CVE-2024-0805: Inappropriate implementation in Downloads. Reported by Om Apip on 2024-01-01
  • [1515137] Medium CVE-2024-0804: Insufficient policy enforcement in iOS Security UI. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2024-01-03
  • [1494490] Low CVE-2024-0811: Inappropriate implementation in Extensions API. Reported by Jann Horn of Google Project Zero on 2023-10-21
  • [1497985] Low CVE-2024-0809: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-10-31
CVE-2024-0812 CVE-2024-0808 CVE-2024-0810 CVE-2024-0814 CVE-2024-0813 CVE-2024-0806 CVE-2024-0805 CVE-2024-0804 CVE-2024-0811 CVE-2024-0809 https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_23.html 2024-01-23 2024-02-02
electron{26,27,28} -- Use after free in Web Audio electron26 26.6.8 electron27 27.3.1 electron28 28.2.1

Electron developers reports:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-0807.
CVE-2024-0807 https://github.com/advisories/GHSA-hjm7-v5pw-x89r 2024-01-31 2024-02-01
qt6-webengine -- Multiple vulnerabilities qt5-webengine 5.15.16.p5_5 qt6-webengine 6.6.1_4

Qt qtwebengine-chromium repo reports:

Backports for 3 security bugs in Chromium:

  • [1505080] High CVE-2024-0807: Use after free in WebAudio
  • [1504936] Critical CVE-2024-0808: Integer underflow in WebUI
  • [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools
CVE-2024-0807 CVE-2024-0808 CVE-2024-0810 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=112-based 2024-01-30 2024-01-31
OpenSSL -- Multiple vulnerabilities openssl 3.0.13,1 openssl-quictls 3.0.13 openssl31 3.1.5 openssl31-quictls 3.1.5 openssl32 3.2.1

The OpenSSL project reports:

Excessive time spent checking invalid RSA public keys (CVE-2023-6237)

PKCS12 Decoding crashes (CVE-2024-0727)

CVE-2024-0727 CVE-2023-6237 https://www.openssl.org/news/secadv/20240125.txt https://www.openssl.org/news/secadv/20240115.txt https://www.openssl.org/news/openssl-3.0-notes.html https://www.openssl.org/news/openssl-3.1-notes.html https://www.openssl.org/news/openssl-3.2-notes.html 2024-01-30 2024-01-31
lizard -- Negative size passed to memcpy resulting in memory corruption lizard 1.0_1

cve@mitre.org reports:

In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product was renamed), there is an unchecked buffer size during a memcpy in the Lizard_decompress_LIZv1 function (lib/lizard_decompress_liz.h). Remote attackers can leverage this vulnerability to cause a denial of service via a crafted input file, as well as achieve remote code execution.

CVE-2018-11498 https://nvd.nist.gov/vuln/detail/CVE-2018-11498 2018-05-26 2024-01-31
qt6-webengine -- Multiple vulnerabilities qt6-webengine 6.6.1_3

Qt qtwebengine-chromium repo reports:

Backports for 15 security bugs in Chromium:

  • [1505053] High CVE-2023-6345: Integer overflow in Skia
  • [1500856] High CVE-2023-6346: Use after free in WebAudio
  • [1494461] High CVE-2023-6347: Use after free in Mojo
  • [1501326] High CVE-2023-6702: Type Confusion in V8
  • [1502102] High CVE-2023-6703: Use after free in Blink
  • [1505708] High CVE-2023-6705: Use after free in WebRTC
  • [1500921] High CVE-2023-6706: Use after free in FedCM
  • [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
  • [1501798] High CVE-2024-0222: Use after free in ANGLE
  • [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE
  • [1505086] High CVE-2024-0224: Use after free in WebAudio
  • [1506923] High CVE-2024-0225: Use after free in WebGPU
  • [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
  • [1507412] High CVE-2024-0518: Type Confusion in V8
  • [1517354] High CVE-2024-0519: Out of bounds memory access in V8
CVE-2023-6345 CVE-2023-6346 CVE-2023-6347 CVE-2023-6702 CVE-2023-6703 CVE-2023-6705 CVE-2023-6706 CVE-2023-7024 CVE-2024-0222 CVE-2024-0223 CVE-2024-0224 CVE-2024-0225 CVE-2024-0333 CVE-2024-0518 CVE-2024-0519 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=112-based 2024-01-08 2024-01-29
qt5-webengine -- Multiple vulnerabilities qt5-webengine 5.15.16.p5_4

Qt qtwebengine-chromium repo reports:

Backports for 8 security bugs in Chromium:

  • [1505053] High CVE-2023-6345: Integer overflow in Skia
  • [1501326] High CVE-2023-6702: Type Confusion in V8
  • [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
  • [1501798] High CVE-2024-0222: Use after free in ANGLE
  • [1505086] High CVE-2024-0224: Use after free in WebAudio
  • [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
  • [1507412] High CVE-2024-0518: Type Confusion in V8
  • [1517354] High CVE-2024-0519: Out of bounds memory access in V8
CVE-2023-6345 CVE-2023-6702 CVE-2023-7024 CVE-2024-0222 CVE-2024-0224 CVE-2024-0333 CVE-2024-0518 CVE-2024-0519 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=87-based 2024-01-08 2024-01-29
rclone -- Multiple vulnerabilities rclone 1.65.1

Multiple vulnerabilities in ssh and golang

  • CVE-2023-45286: HTTP request body disclosure in go-resty disclosure across requests.
  • CVE-2023-48795: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks.
CVE-2023-45286 CVE-2023-48795 https://nvd.nist.gov/vuln/detail/CVE-2023-45286 https://nvd.nist.gov/vuln/detail/CVE-2023-48795 2023-11-28 2024-01-26
Gitlab -- vulnerabilities gitlab-ce 16.8.016.8.1 16.7.016.7.4 16.6.016.6.6 12.7.016.5.8

Gitlab reports:

Arbitrary file write while creating workspace

ReDoS in Cargo.toml blob viewer

Arbitrary API PUT requests via HTML injection in user's name

Disclosure of the public email in Tags RSS Feed

Non-Member can update MR Assignees of owned MRs

CVE-2024-0402 CVE-2023-6159 CVE-2023-5933 CVE-2023-5612 CVE-2024-0456 https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/ 2024-01-25 2024-01-26
jenkins -- multiple vulnerabilities jenkins 2.422 jenkins-lts 2.426.3

Jenkins Security Advisory:

Description

(Critical) SECURITY-3314 / CVE-2024-23897

Arbitrary file read vulnerability through the CLI can lead to RCE

Description

(High) SECURITY-3315 / CVE-2024-23898

Cross-site WebSocket hijacking vulnerability in the CLI

CVE-2024-23897 CVE-2024-23898 https://www.jenkins.io/security/advisory/2024-01-24/ 2024-01-24 2024-01-24
TinyMCE -- mXSS in multiple plugins tinymce 6.7.3 roundcube 1.6.6,1

TinyMCE reports:

Special characters in unescaped text nodes can trigger mXSS when using TinyMCE undo/redo, getContentAPI, resetContentAPI, and Autosave plugin

CVE-2023-48219 https://github.com/tinymce/tinymce/security/advisories/GHSA-v626-r774-j7f8 https://github.com/roundcube/roundcubemail/releases/tag/1.6.6 2023-11-15 2024-01-23
zeek -- potential DoS vulnerability zeek 6.0.3

Tim Wojtulewicz of Corelight reports:

A specially-crafted series of packets containing nested MIME entities can cause Zeek to spend large amounts of time parsing the entities.

https://github.com/zeek/zeek/releases/tag/v6.0.3 2024-01-22 2024-01-22
electron26 -- Out of bounds memory access in V8 electron26 26.6.7

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-0519.
CVE-2024-0519 https://github.com/advisories/GHSA-vg6w-jr5m-86c8 2024-01-18 2024-01-19
electron{26,27} -- multiple vulnerabilities electron26 26.6.6 electron27 27.2.4

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-0518.
  • Security: backported fix for CVE-2024-0517.
CVE-2024-0518 https://github.com/advisories/GHSA-4pvg-f3m8-ff3j CVE-2024-0517 https://github.com/advisories/GHSA-v39r-662x-j524 2024-01-17 2024-01-17 2024-01-18
chromium -- multiple security fixes chromium 120.0.6099.224 ungoogled-chromium 120.0.6099.224

Chrome Releases reports:

This update includes 4 security fixes:

  • [1515930] High CVE-2024-0517: Out of bounds write in V8. Reported by Toan (suto) Pham of Qrious Secure on 2024-01-06
  • [1507412] High CVE-2024-0518: Type Confusion in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2023-12-03
  • [1517354] High CVE-2024-0519: Out of bounds memory access in V8. Reported by Anonymous on 2024-01-11
CVE-2024-0517 CVE-2024-0518 CVE-2024-0519 https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.html 2024-01-16 2024-01-17
xorg server -- Multiple vulnerabilities xorg-server xephyr xorg-vfbserver 21.1.11,1 xorg-nextserver 21.1.11,2 xwayland 23.2.4 xwayland-devel 21.0.99.1.653

The X.Org project reports:

  • CVE-2023-6816: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer

    Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255 but the X.Org Server was only allocating space for the device's number of buttons, leading to a heap overflow if a bigger value was used.

  • CVE-2024-0229: Reattaching to different master device may lead to out-of-bounds memory access

    If a device has both a button class and a key class and numButtons is zero, we can get an out-of-bounds write due to event under-allocation in the DeliverStateNotifyEvent function.

  • CVE-2024-21885: Heap buffer overflow in XISendDeviceHierarchyEvent

    The XISendDeviceHierarchyEvent() function allocates space to store up to MAXDEVICES (256) xXIHierarchyInfo structures in info. If a device with a given ID was removed and a new device with the same ID added both in the same operation, the single device ID will lead to two info structures being written to info. Since this case can occur for every device ID at once, a total of two times MAXDEVICES info structures might be written to the allocation, leading to a heap buffer overflow.

  • CVE-2024-21886: Heap buffer overflow in DisableDevice

    The DisableDevice() function is called whenever an enabled device is disabled and it moves the device from the inputInfo.devices linked list to the inputInfo.off_devices linked list. However, its link/unlink operation has an issue during the recursive call to DisableDevice() due to the prev pointer pointing to a removed device. This issue leads to a length mismatch between the total number of devices and the number of device in the list, leading to a heap overflow and, possibly, to local privilege escalation.

CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 https://lists.x.org/archives/xorg/2024-January/061525.html 2024-01-16 2024-01-16
electron{26,27} -- multiple vulnerabilities electron26 26.6.5 electron27 27.2.2

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-0224.
  • Security: backported fix for CVE-2024-0225.
  • Security: backported fix for CVE-2024-0223.
  • Security: backported fix for CVE-2024-0222.
CVE-2024-0224 https://github.com/advisories/GHSA-83wx-v283-85g9 CVE-2024-0225 https://github.com/advisories/GHSA-gqr9-4fcc-c9jq CVE-2024-0223 https://github.com/advisories/GHSA-w8x8-g534-x4rp CVE-2024-0222 https://github.com/advisories/GHSA-c87c-56pw-mwgh 2024-01-10 2024-01-12
Gitlab -- vulnerabilities gitlab-ce 16.7.016.7.2 16.6.016.6.4 8.13.016.5.6

Gitlab reports:

Account Takeover via Password Reset without user interactions

Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user

Bypass CODEOWNERS approval removal

Workspaces able to be created under different root namespace

Commit signature validation ignores headers after signature

CVE-2023-7028 CVE-2023-5356 CVE-2023-4812 CVE-2023-6955 CVE-2023-2030 https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/ 2024-01-11 2024-01-12
OpenSSL -- Vector register corruption on PowerPC openssl 3.0.12_2,1 openssl-quictls 3.0.12_2 openssl31 3.1.4_2 openssl31-quictls 3.1.4_2 openssl32 3.2.0_1

SO-AND-SO reports:

The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions.

CVE-2023-6129 https://www.openssl.org/news/secadv/20240109.txt 2024-01-09 2024-01-11
chromium -- security fix chromium 120.0.6099.216 ungoogled-chromium 120.0.6099.216

Chrome Releases reports:

This update includes 1 security fix:

  • [1513379] High CVE-2024-0333: Insufficient data validation in Extensions. Reported by Malcolm Stagg (@malcolmst) of SODIUM-24, LLC on 2023-12-20
CVE-2024-0333 https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_9.html 2024-01-09 2024-01-10
QtNetwork -- potential buffer overflow qt5-network 5.15.12p148_1 qt6-base 6.6.1_2

Andy Shaw reports:

A potential integer overflow has been discovered in Qt's HTTP2 implementation. If the HTTP2 implementation receives more than 4GiB in total headers, or more than 2GiB for any given header pair, then the internal buffers may overflow.

CVE-2023-51714 https://www.qt.io/blog/security-advisory-potential-integer-overflow-in-qts-http2-implementation 2023-12-14 2024-01-07
mantis -- multiple vulnerabilities mantis-php74 mantis-php80 mantis-php81 mantis-php82 mantis-php83 2.25.8,1

Mantis 2.25.8 release reports:

Security and maintenance release

  • 0032432: Update guzzlehttp/psr7 to 1.9.1 (CVE-2023-29197)
  • 0032981: Information Leakage on DokuWiki Integration (CVE-2023-44394)
CVE-2023-29197 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29197 CVE-2023-44394 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44394 2023-10-14 2024-01-06
chromium -- multiple security fixes chromium 120.0.6099.199 ungoogled-chromium 120.0.6099.199

Chrome Releases reports:

This update includes 6 security fixes:

  • [1501798] High CVE-2024-0222: Use after free in ANGLE. Reported by Toan (suto) Pham of Qrious Secure on 2023-11-13
  • [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE. Reported by Toan (suto) Pham and Tri Dang of Qrious Secure on 2023-11-24
  • [1505086] High CVE-2024-0224: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-25
  • [1506923] High CVE-2024-0225: Use after free in WebGPU. Reported by Anonymous on 2023-12-01
CVE-2024-0222 CVE-2024-0223 CVE-2024-0224 CVE-2024-0225 https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop.html 2024-01-03 2024-01-04
electron27 -- multiple vulnerabilities electron27 27.2.1

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-6706.
  • Security: backported fix for CVE-2023-6705.
  • Security: backported fix for CVE-2023-6703.
  • Security: backported fix for CVE-2023-6702.
  • Security: backported fix for CVE-2023-6704.
CVE-2023-6706 https://github.com/advisories/GHSA-jqrg-rvpw-5fw5 CVE-2023-6705 https://github.com/advisories/GHSA-h27f-fw5q-c2gh CVE-2023-6703 https://github.com/advisories/GHSA-9v72-359m-2vx4 CVE-2023-6702 https://github.com/advisories/GHSA-7hjc-c62g-4w73 CVE-2023-6704 https://github.com/advisories/GHSA-587x-fmc5-99p9 2024-01-04 2024-01-04
electron26 -- multiple vulnerabilities electron26 26.6.4

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2023-6704.
  • Security: backported fix for CVE-2023-6705.
  • Security: backported fix for CVE-2023-6703.
  • Security: backported fix for CVE-2023-6702.
CVE-2023-6704 https://github.com/advisories/GHSA-587x-fmc5-99p9 CVE-2023-6705 https://github.com/advisories/GHSA-h27f-fw5q-c2gh CVE-2023-6703 https://github.com/advisories/GHSA-9v72-359m-2vx4 CVE-2023-6702 https://github.com/advisories/GHSA-7hjc-c62g-4w73 2024-01-04 2024-01-04
FreeBSD -- Prefix Truncation Attack in the SSH protocol FreeBSD 14.014.0_4 13.213.2_9

Problem Description:

The SSH protocol executes an initial handshake between the server and the client. This protocol handshake includes the possibility of several extensions allowing different options to be selected. Validation of the packets in the handshake is done through sequence numbers.

Impact:

A man in the middle attacker can silently manipulate handshake messages to truncate extension negotiation messages potentially leading to less secure client authentication algorithms or deactivating keystroke timing attack countermeasures.

CVE-2023-48795 SA-23:19.openssh 2023-12-19 2024-01-02
gitea -- Prevent anonymous container access gitea 1.21.5

Problem Description:

Even with RequireSignInView enabled, anonymous users can use docker pull to fetch public images.

https://blog.gitea.com/release-of-1.21.5/ 2024-01-24 2024-02-15
diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index b8d669821d8b..8f68010d3ba5 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,9964 +1,9976 @@ SQLite -- integer overflow in key info allocation sqlite3 - 3.39.23.41.1 + 3.39.2,13.41.2,1 +

cve-coordination@google.com reports:

An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process memory via a crafted SELECT statement with a large number of expressions in the ORDER BY clause.

CVE-2025-7458 https://nvd.nist.gov/vuln/detail/CVE-2025-7458 2025-07-29 2025-07-31 + 2025-08-01
p5-Crypt-CBC -- Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) p5-Crypt-CBC 3.07

Lib-Crypt-CBC project reports:

Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. This issue affects operating systems where "/dev/urandom'" is unavailable. In that case, Crypt::CBC will fallback to use the insecure rand() function.

CVE-2025-2814 https://nvd.nist.gov/vuln/detail/CVE-2025-2814 2025-04-12 2025-07-29
viewvc -- Arbitrary server filesystem content viewvc 1.1.01.1.30 viewvc 1.2.01.2.3 viewvc-devel 1.3.0.20250316_1

cmpilato reports:

The ViewVC standalone web server (standalone.py) is a script provided in the ViewVC distribution for the purposes of quickly testing a ViewVC configuration. This script can in particular configurations expose the contents of the host server's filesystem though a directory traversal-style attack.

CVE-2025-54141 https://nvd.nist.gov/vuln/detail/CVE-2025-54141 2025-07-22 2025-07-25
rubygem-resolv -- Possible denial of service rubygem-resolv 0.6.2 ruby 3.2.0.p1,13.2.9,1 3.3.0.p1,13.3.9,1 3.4.0.p1,13.4.5,1 3.5.0.p1,13.5.0.p2,1 ruby32 3.2.9,1 ruby33 3.3.9,1 ruby34 3.4.5,1 ruby35 3.5.0.p2,1

Manu reports:

The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.

An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.

This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.

CVE-2025-24294 https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294/ 2025-07-08 2025-07-25
Mozilla -- Multiple vulnerabilities firefox 141.0,2 thunderbird 141.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

Focus incorrectly truncated URLs towards the beginning instead of around the origin.

CVE-2025-8044 https://nvd.nist.gov/vuln/detail/CVE-2025-8044 CVE-2025-8043 https://nvd.nist.gov/vuln/detail/CVE-2025-8043 2025-07-22 2025-07-24
Mozilla -- Memory safety bugs firefox 141.0,2 firefox-esr 140.1 thunderbird 141.0 thunderbird-esr 140.1

security@mozilla.org reports:

Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-8040 https://nvd.nist.gov/vuln/detail/CVE-2025-8040 2025-07-22 2025-07-24
Mozilla -- Persisted search terms in the URL bar firefox 141.0,2 firefox-esr 140.1 thunderbird 141.0 thunderbird-esr 140.1

security@mozilla.org reports:

In some cases search terms persisted in the URL bar even after navigating away from the search page.

CVE-2025-8039 https://nvd.nist.gov/vuln/detail/CVE-2025-8039 2025-07-22 2025-07-24
Mozilla -- Ignored paths while checking navigations firefox 141.0,2 firefox-esr 140.1 thunderbird 141.0 thunderbird-esr 140.1

security@mozilla.org reports:

Thunderbird ignored paths when checking the validity of navigations in a frame.

CVE-2025-8038 https://nvd.nist.gov/vuln/detail/CVE-2025-8038 2025-07-22 2025-07-24
Mozilla -- cookie shadowing firefox 141.0,2 firefox-esr 140.1 thunderbird 141.0 thunderbird-esr 140.1

security@mozilla.org reports:

Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute.

CVE-2025-8037 https://nvd.nist.gov/vuln/detail/CVE-2025-8037 2025-07-22 2025-07-24
Mozilla -- CORS circumvention firefox 141.0,2 firefox-esr 140.1 thunderbird 141.0 thunderbird-esr 140.1

security@mozilla.org reports:

Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding.

CVE-2025-8036 https://nvd.nist.gov/vuln/detail/CVE-2025-8036 2025-07-22 2025-07-24
Mozilla -- Memory safety bugs firefox 141.0,2 firefox-esr 140.1 firefox-esr 128.13 thunderbird 141.0 thunderbird-esr 140.1 thunderbird 128.13

security@mozilla.org reports:

Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-8035 https://nvd.nist.gov/vuln/detail/CVE-2025-8035 2025-07-22 2025-07-24
Mozilla -- Memory safety bugs firefox 141.0,2 firefox-esr 140.1 firefox-esr 128.13 firefox-esr 115.26 thunderbird 141.0 thunderbird-esr 140.1 thunderbird 128.13

security@mozilla.org reports:

Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-8034 https://nvd.nist.gov/vuln/detail/CVE-2025-8034 2025-07-22 2025-07-24
Mozilla -- nullptr dereference firefox 141.0,2 firefox-esr 140.1 firefox-esr 128.13 firefox-esr 115.26 thunderbird 141.0 thunderbird-esr 140.1 thunderbird 128.13

security@mozilla.org reports:

The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref.

CVE-2025-8033 https://nvd.nist.gov/vuln/detail/CVE-2025-8033 2025-07-22 2025-07-24
Mozilla -- XSLT document CSP bypass firefox 141.0,2 firefox-esr 140.1 firefox-esr 128.13 thunderbird 141.0 thunderbird-esr 140.1 thunderbird 128.13

security@mozilla.org reports:

XSLT document loading did not correctly propagate the source document which bypassed its CSP.

CVE-2025-8032 https://nvd.nist.gov/vuln/detail/CVE-2025-8032 2025-07-22 2025-07-24
Mozilla -- HTTP Basic Authentication credentials leak firefox 141.0,2 firefox-esr 140.1 firefox-esr 128.13 thunderbird 141.0 thunderbird-esr 140.1

security@mozilla.org reports:

The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials.

CVE-2025-8031 https://nvd.nist.gov/vuln/detail/CVE-2025-8031 2025-07-22 2025-07-24
Mozilla -- Insufficient input escaping firefox 141.0,2 firefox-esr 140.1 firefox-esr 128.13 thunderbird 141.0 thunderbird-esr 140.1 thunderbird 128.13

security@mozilla.org reports:

Insufficient escaping in the Copy as cURL feature could potentially be used to trick a user into executing unexpected code.

CVE-2025-8030 https://nvd.nist.gov/vuln/detail/CVE-2025-8030 2025-07-22 2025-07-24
Mozilla -- 'javascript:' URLs execution firefox 141.0,2 firefox-esr 140.1 firefox-esr 128.13 thunderbird 141.0 thunderbird-esr 140.1 thunderbird 128.13

security@mozilla.org reports:

Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags.

CVE-2025-8029 https://nvd.nist.gov/vuln/detail/CVE-2025-8029 2025-07-22 2025-07-24
Mozilla -- Incorrect computation of branch address firefox 141.0,2 firefox-esr 140.1 firefox-esr 128.13 firefox-esr 115.26 thunderbird 141.0 thunderbird-esr 140.1 thunderbird 128.13

security@mozilla.org reports:

On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address.

CVE-2025-8028 https://nvd.nist.gov/vuln/detail/CVE-2025-8028 2025-07-22 2025-07-24
Mozilla -- IonMonkey-JIT bad stack write firefox 141.0,2 firefox-esr 140.1 firefox-esr 128.13 firefox-esr 115.26 thunderbird 141.0 thunderbird-esr 140.1 thunderbird 128.13

security@mozilla.org reports:

On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits.

CVE-2025-8027 https://nvd.nist.gov/vuln/detail/CVE-2025-8027 2025-07-22 2025-07-24
gdk-pixbuf2 -- a heap buffer overflow gdk-pixbuf2 2.42.12_2

cve@mitre.org reports:

A flaw exists in gdk-pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution.

CVE-2025-7345 https://www.cve.org/CVERecord?id=CVE-2025-7345 2025-07-24 2025-07-24
powerdns-recursor -- cache pollution powerdns-recursor 5.2.4

PowerDNS Team reports:

An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version include various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and enforcing stricter validation of the received answers. The most strict mitigation done when the new setting outgoing.edns_subnet_harden (old style name edns-subnet-harden) is enabled.

CVE-2025-30192 https://nvd.nist.gov/vuln/detail/CVE-2025-30192 2025-07-21 2025-07-24
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 18.2.018.2.1 18.1.018.1.3 15.0.018.0.5

Gitlab reports:

Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE

Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE using CDNs

Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE

Improper Access Control issue impacts GitLab EE

Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE

Improper Access Control issue impacts GitLab CE/EE

CVE-2025-4700 CVE-2025-4439 CVE-2025-7001 CVE-2025-4976 CVE-2025-0765 CVE-2025-1299 https://about.gitlab.com/releases/2025/07/23/patch-release-gitlab-18-2-1-released/ 2025-07-23 2025-07-24
sqlite -- Integer Truncation on SQLite sqlite3 + 3.50.2,1 + + + linux-c7-sqlite 3.50.2 + + linux_base + 0 +

cve-coordination@google.com reports:

There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue.

CVE-2025-6965 https://nvd.nist.gov/vuln/detail/CVE-2025-6965 2025-07-15 2025-07-23 + 2025-08-01
7-Zip -- Multi-byte write heap buffer overflow in NCompress::NRar5::CDecoder 7-zip 25.00

security-advisories@github.com reports:

7-Zip is a file archiver with a high compression ratio. Zeroes written outside heap buffer in RAR5 handler may lead to memory corruption and denial of service in versions of 7-Zip prior to 25.0.0. Version 25.0.0 contains a fix for the issue.

CVE-2025-53816 https://nvd.nist.gov/vuln/detail/CVE-2025-53816 2025-07-17 2025-07-22
libwasmtime -- host panic with fd_renumber WASIp1 function libwasmtime 24.0.024.0.4 33.0.033.0.2 34.0.034.0.2

WasmTime development team reports:

A bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder).

CVE-2025-53901 https://nvd.nist.gov/vuln/detail/CVE-2025-53901 2025-07-18 2025-07-20
unbound -- Cache poisoning via the ECS-enabled Rebirthday Attack unbound 1.6.11.23.0

sep@nlnetlabs.nl reports:

A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.

CVE-2025-5994 https://nvd.nist.gov/vuln/detail/CVE-2025-5994 2025-07-16 2025-07-18
liboqs -- Secret-dependent branching in HQC liboqs 0.14.0

The OpenQuantumSafe project reports:

Secret-dependent branching in HQC reference implementation when compiled with Clang 17-20 for optimizations above -O0

CVE-2025-52473 https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-qq3m-rq9v-jfgm 2025-07-10 2025-07-14
GnuTLS -- multiple vulnerabilities gnutls 3.8.10

Daiki Ueno reports:

  • libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps Spotted by oss-fuzz and reported by OpenAI Security Research Team, and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1, CVSS: medium] [CVE-2025-32989]
  • libgnutls: Fix double-free upon error when exporting otherName in SAN Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2, CVSS: low] [CVE-2025-32988]
  • certtool: Fix 1-byte write buffer overrun when parsing template Reported by David Aitel. [GNUTLS-SA-2025-07-07-3, CVSS: low] [CVE-2025-32990]
  • libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium] [CVE-2025-6395]
CVE-2025-32989 CVE-2025-32988 CVE-2025-32990 CVE-2025-6395 https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html 2025-07-09 2025-07-14
libxslt -- unmaintained, with multiple unfixed vulnerabilities libxslt 2 linux-c7-libxslt 2 linux-rl9-libxslt 2

Alan Coopersmith reports:

On 6/16/25 15:12, Alan Coopersmith wrote:

BTW, users of libxml2 may also be using its sibling project, libxslt, which currently has no active maintainer, but has three unfixed security issues reported against it according to https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt

2 of the 3 have now been disclosed:

(CVE-2025-7424) libxslt: Type confusion in xmlNode.psvi between stylesheet and source nodes
https://gitlab.gnome.org/GNOME/libxslt/-/issues/139 https://project-zero.issues.chromium.org/issues/409761909

(CVE-2025-7425) libxslt: heap-use-after-free in xmlFreeID caused by `atype` corruption
https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
https://project-zero.issues.chromium.org/issues/410569369

Engineers from Apple & Google have proposed patches in the GNOME gitlab issues, but neither has had a fix applied to the git repo since there is currently no maintainer for libxslt.

Note that a fourth vulnerability was reported on June 18, 2025, which remains undisclosed to date (GNOME libxslt issue 148, link below), see https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt

CVE-2025-7424 CVE-2025-7425 https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt https://gitlab.gnome.org/GNOME/libxslt/-/issues/139 https://gitlab.gnome.org/GNOME/libxslt/-/issues/140 https://gitlab.gnome.org/GNOME/libxslt/-/issues/144 https://gitlab.gnome.org/GNOME/libxslt/-/issues/148 https://gitlab.gnome.org/GNOME/libxslt/-/commit/923903c59d668af42e3144bc623c9190a0f65988 2025-04-10 2025-07-12
libxml2 -- multiple vulnerabilities libxml2 2.14.5 linux-c7-libxml2 2.14.5 linux-rl9-libxml2 2.14.5

Alan Coopersmith reports:

As discussed in https://gitlab.gnome.org/GNOME/libxml2/-/issues/913 the security policy of libxml2 has been changed to disclose vulnerabilities before fixes are available so that people other than the maintainer can contribute to fixing security issues in this library.

As part of this, the following 5 CVE's have been disclosed recently:

(CVE-2025-49794) Heap use after free (UAF) leads to Denial of service (DoS) https://gitlab.gnome.org/GNOME/libxml2/-/issues/931 [...]

(CVE-2025-49795) Null pointer dereference leads to Denial of service (DoS) https://gitlab.gnome.org/GNOME/libxml2/-/issues/932 [...]

(CVE-2025-49796) Type confusion leads to Denial of service (DoS) https://gitlab.gnome.org/GNOME/libxml2/-/issues/933 [...]

For all three of the above, note that upstream is considering removing Schematron support completely, as discussed in https://gitlab.gnome.org/GNOME/libxml2/-/issues/935.

(CVE-2025-6021) Integer Overflow Leading to Buffer Overflow in xmlBuildQName() https://gitlab.gnome.org/GNOME/libxml2/-/issues/926 [...]

(CVE-2025-6170) Stack-based Buffer Overflow in xmllint Shell https://gitlab.gnome.org/GNOME/libxml2/-/issues/941 [...]

CVE-2025-6021 CVE-2025-6170 CVE-2025-49794 CVE-2025-49795 CVE-2025-49795 https://www.openwall.com/lists/oss-security/2025/06/16/6 https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt https://gitlab.gnome.org/GNOME/libxml2/-/issues/913 https://gitlab.gnome.org/GNOME/libxml2/-/issues/931 https://gitlab.gnome.org/GNOME/libxml2/-/issues/932 https://gitlab.gnome.org/GNOME/libxml2/-/issues/933 https://gitlab.gnome.org/GNOME/libxml2/-/issues/935 https://gitlab.gnome.org/GNOME/libxml2/-/issues/926 https://gitlab.gnome.org/GNOME/libxml2/-/issues/941 2025-05-27 2025-07-12 2025-07-15
mod_http2 -- Multiple vulnerabilities mod_http2 2.0.33

The mod_http2 project reports:

a client can increase memory consumption for a HTTP/2 connection via repeated request header names,leading to denial of service

certain proxy configurations whith mod_proxy_http2 as the backend, an assertion can be triggered by certain requests, leading to denial of service

CVE-2025-53020 CVE-2025-49630 https://github.com/icing/mod_h2/releases/tag/v2.0.33 2025-07-10 2025-07-11
Apache httpd -- Multiple vulnerabilities apache24 2.4.64

The Apache httpd project reports:

moderate: Apache HTTP Server: HTTP response splitting (CVE-2024-42516)

low: Apache HTTP Server: SSRF with mod_headers setting Content-Type header (CVE-2024-43204)

moderate: Apache HTTP Server: SSRF on Windows due to UNC paths (CVE-2024-43394)

low: Apache HTTP Server: mod_ssl error log variable escaping (CVE-2024-47252)

moderate: Apache HTTP Server: mod_ssl access control bypass with session resumption (CVE-2025-23048)

low: Apache HTTP Server: mod_proxy_http2 denial of service (CVE-2025-49630)

moderate: Apache HTTP Server: mod_ssl TLS upgrade attack (CVE-2025-49812)

moderate: Apache HTTP Server: HTTP/2 DoS by Memory Increase (CVE-2025-53020)

CVE-2024-42516 CVE-2024-43204 CVE-2024-43394 CVE-2024-47252 CVE-2025-23048 CVE-2025-49630 CVE-2025-49812 CVE-2025-53020 https://httpd.apache.org/security/vulnerabilities_24.html 2025-07-10 2025-07-11
Apache Tomcat -- Multiple Vulnerabilities tomcat110 11.0.011.0.9 tomcat101 10.1.010.1.43 tomcat9 9.0.09.0.107

security@apache.org reports:

A race condition on connection close could trigger a JVM crash when using the APR/Native connector leading to a DoS. This was particularly noticeable with client initiated closes of HTTP/2 connections.

An uncontrolled resource consumption vulnerability if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams could result in a DoS.

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability could lead to a DoS via bypassing of size limits.

CVE-2025-52434 https://nvd.nist.gov/vuln/detail/CVE-2025-52434 CVE-2025-52520 https://nvd.nist.gov/vuln/detail/CVE-2025-52520 CVE-2025-53506 https://nvd.nist.gov/vuln/detail/CVE-2025-53506 2025-07-10 2025-07-10 2025-07-15
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 18.1.018.1.2 18.0.018.0.4 13.3.017.11.6

Gitlab reports:

Cross-site scripting issue impacts GitLab CE/EE

Improper authorization issue impacts GitLab CE/EE

Improper authorization issue impacts GitLab EE

Improper authorization issue impacts GitLab EE

CVE-2025-6948 CVE-2025-3396 CVE-2025-4972 CVE-2025-6168 https://about.gitlab.com/releases/2025/07/09/patch-release-gitlab-18-1-2-released/ 2025-07-09 2025-07-10
git -- multiple vulnerabilities git git-cvs git-gui git-p4 git-svn 2.50.1

Git development team reports:

CVE-2025-27613: Gitk: When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not.

CVE-2025-27614: Gitk: A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking `gitk filename`, where `filename` has a particular structure.

CVE-2025-46835: Git GUI: When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file.

CVE-2025-48384: Git: When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout.

CVE-2025-48385: Git: When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution.

CVE-2025-48386: Git: The wincred credential helper uses a static buffer (`target`) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with `wcsncat()`, leading to potential buffer overflows.

CVE-2025-27613 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27613 CVE-2025-27614 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27614 CVE-2025-46835 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46835 CVE-2025-48384 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48384 CVE-2025-48385 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48385 CVE-2025-48386 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48386 2025-04-11 2025-07-08
MongoDB -- Incorrect Handling of incomplete data may prevent mongoS from Accepting New Connections mongodb60 6.0.23 mongodb70 7.0.20 mongodb80 8.0.9

cna@mongodb.com reports:

MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. Required Configuration: This affects MongoDB sharded clusters when configured with load balancer support for mongos using HAProxy on specified ports.

CVE-2025-6714 https://nvd.nist.gov/vuln/detail/CVE-2025-6714 2025-07-07 2025-07-08
MongoDB -- may be susceptible to privilege escalation due to $mergeCursors stage mongodb60 6.0.22 mongodb70 7.0.20

cna@mongodb.com reports:

An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation.

CVE-2025-6713 https://nvd.nist.gov/vuln/detail/CVE-2025-6713 2025-07-07 2025-07-08
MongoDB -- may be susceptible to DoS due to Accumulated Memory Allocation mongodb80 8.0.10

cna@mongodb.com reports:

MongoDB Server may be susceptible to disruption caused by high memory usage, potentially leading to server crash. This condition is linked to inefficiencies in memory management related to internal operations. In scenarios where certain internal processes persist longer than anticipated, memory consumption can increase, potentially impacting server stability and availability.

CVE-2025-6712 https://nvd.nist.gov/vuln/detail/CVE-2025-6712 2025-07-07 2025-07-08
MongoDB -- Incomplete Redaction of Sensitive Information in MongoDB Server Logs mongodb60 6.0.21 mongodb70 7.0.18 mongodb80 8.0.5

cna@mongodb.com reports:

An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered.

CVE-2025-6711 https://nvd.nist.gov/vuln/detail/CVE-2025-6711 2025-07-07 2025-07-08
ModSecurity -- empty XML tag causes segmentation fault ap24-mod_security 2.9.11

security-advisories@github.com reports:

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.

CVE-2025-52891 https://nvd.nist.gov/vuln/detail/CVE-2025-52891 2025-07-02 2025-07-08
redis,valkey -- DoS Vulnerability due to bad connection error handling redis 8.0.08.0.3 redis74 7.4.07.4.5 redis72 7.2.07.2.10 redis62 6.2.06.2.19 valkey 8.1.3

@julienperriercornet reports:

An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service.

CVE-2025-48367 https://github.com/redis/redis/security/advisories/GHSA-4q32-c38c-pwgq 2025-07-06 2025-07-07
redis,valkey -- Out of bounds write in hyperloglog commands leads to RCE redis 8.0.08.0.3 redis74 7.4.07.4.5 redis72 7.2.07.2.10 redis62 6.2.06.2.19 valkey 8.1.3

Seunghyun Lee reports:

An authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution.

CVE-2025-32023 https://github.com/redis/redis/security/advisories/GHSA-rp2m-q4j6-gr43 2025-07-06 2025-07-07
redis,valkey -- {redis,valkey}-check-aof may lead to stack overflow and potential RCE redis 8.0.08.0.2 redis74 7.4.07.4.4 redis72 7.2.07.2.9 valkey 8.1.2

Simcha Kosman & CyberArk Labs reports:

A user can run the {redis,valkeyu}-check-aof cli and pass a long file path to trigger a stack buffer overflow, which may potentially lead to remote code execution.

CVE-2025-27151 https://github.com/redis/redis/security/advisories/GHSA-5453-q98w-cmvm 2025-05-28 2025-07-07
FreeBSD -- Use-after-free in multi-threaded xz decoder FreeBSD 14.214.2_4 13.513.5_2

Problem Description:

A worker thread could free its input buffer after decoding, while the main thread might still be writing to it. This leads to an use-after-free condition on heap memory.

Impact:

An attacker may use specifically crafted .xz file to cause multi-threaded xz decoder to crash, or potentially run arbitrary code under the credential the decoder was executed.

CVE-2025-31115 SA-25:06.xz 2025-07-02 2025-07-06
gstreamer1-plugins-bad -- stack buffer overflow in H.266 video parser gstreamer1-plugins-bad 1.26.2

GStreamer Security Center reports:

It is possible for a malicious third party to trigger a buffer overflow that can result in a crash of the application and possibly also allow code execution through stack manipulation.

CVE-2025-6663 https://gstreamer.freedesktop.org/security/sa-2025-0007.html 2025-06-26 2025-07-06
firefox -- multiple vulnerabilities firefox 140.0,2

security@mozilla.org reports:

An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools.

When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding.

If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors".

The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP.

If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable.

Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-6427 https://nvd.nist.gov/vuln/detail/CVE-2025-6427 CVE-2025-6432 https://nvd.nist.gov/vuln/detail/CVE-2025-6432 CVE-2025-6433 https://nvd.nist.gov/vuln/detail/CVE-2025-6433 CVE-2025-6434 https://nvd.nist.gov/vuln/detail/CVE-2025-6434 CVE-2025-6435 https://nvd.nist.gov/vuln/detail/CVE-2025-6435 CVE-2025-6436 https://nvd.nist.gov/vuln/detail/CVE-2025-6436 2025-06-24 2025-07-04
firefox -- multiple vulnerabilities firefox 128.12.0,2 140.0,2

security@mozilla.org reports:

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed.

When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `&lt;embed&gt;` or `&lt;object&gt;` tag, potentially making a website vulnerable to a cross-site scripting attack.

CVE-2025-6429 https://nvd.nist.gov/vuln/detail/CVE-2025-6429 CVE-2025-6430 https://nvd.nist.gov/vuln/detail/CVE-2025-6430 2025-06-24 2025-07-04
Mozilla -- persistent UUID that identifies browser firefox 140.0,2 firefox-esr 115.25.0 128.12 thunderbird 140.0 thunderbird 128.12

security@mozilla.org reports:

An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

CVE-2025-6425 https://nvd.nist.gov/vuln/detail/CVE-2025-6425 2025-06-24 2025-07-04
php -- Multiple vulnerabilities php81 8.1.33 php82 8.2.29 php83 8.3.23 php84 8.4.10

php.net reports:

  • CVE-2025-1735: pgsql extension does not check for errors during escaping
  • CVE-2025-6491: NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix
  • CVE-2025-1220: Null byte termination in hostnames
CVE-2025-1735 CVE-2025-6491 CVE-2025-1220 2025-02-27 2025-07-03
Mozilla -- exploitable crash firefox 140.0,2 firefox-esr 115.25.0 thunderbird 140.0

security@mozilla.org reports:

A use-after-free in FontFaceSet resulted in a potentially exploitable crash.

CVE-2025-6424 https://nvd.nist.gov/vuln/detail/CVE-2025-6424 2025-06-24 2025-07-03
chromium -- multiple security fixes chromium 138.0.7204.96 ungoogled-chromium 138.0.7204.96

Chrome Releases reports:

This update includes 1 security fix:

  • [427663123] High CVE-2025-6554: Type Confusion in V8.
CVE-2025-6554 https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html 2025-06-30 2025-07-02
chromium -- multiple security fixes chromium 138.0.7204.49 ungoogled-chromium 138.0.7204.49

Chrome Releases reports:

This update includes 11 security fixes:

  • [407328533] Medium CVE-2025-6555: Use after free in Animation. Reported by Lyra Rebane (rebane2001) on 2025-03-30
  • [40062462] Low CVE-2025-6556: Insufficient policy enforcement in Loader. Reported by Shaheen Fazim on 2023-01-02
  • [406631048] Low CVE-2025-6557: Insufficient data validation in DevTools. Reported by Ameen Basha M K on 2025-03-27
CVE-2025-6555 CVE-2025-6556 CVE-2025-6557 https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_24.html 2025-06-24 2025-07-02
sudo -- privilege escalation vulnerability through host and chroot options sudo 1.9.17p1 sudo-sssd 1.9.17p1

Todd C. Miller reports, crediting Rich Mirch from Stratascale Cyber Research Unit (CRU):

Sudo 1.9.17p1:

  • Fixed CVE-2025-32462. Sudo's -h (--host) option could be specified when running a command or editing a file. This could enable a local privilege escalation attack if the sudoers file allows the user to run commands on a different host. For more information, see Local Privilege Escalation via host option.
  • Fixed CVE-2025-32463. An attacker can leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file. The chroot support has been deprecated an will be removed entirely in a future release. For more information, see Local Privilege Escalation via chroot option.
CVE-2025-32462 CVE-2025-32463 https://www.sudo.ws/releases/stable/ https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot 2025-04-01 2025-07-01
xorg server -- Multiple vulnerabilities xorg-server xephyr xorg-vfbserver 21.1.18,1 xorg-nextserver 21.1.18,2 xwayland 24.1.8,1

The X.Org project reports:

  • CVE-2025-49176: Integer overflow in Big Requests Extension

    The Big Requests extension allows requests larger than the 16-bit length limit. It uses integers for the request length and checks for the size not to exceed the maxBigRequestSize limit, but does so after translating the length to integer by multiplying the given size in bytes by 4. In doing so, it might overflow the integer size limit before actually checking for the overflow, defeating the purpose of the test.

CVE-2025-49176 https://lists.x.org/archives/xorg/2025-June/062055.html 2025-06-17 2025-07-01
xorg server -- Multiple vulnerabilities xorg-server xephyr xorg-vfbserver 21.1.17,1 xorg-nextserver 21.1.17,2 xwayland 24.1.7,1

The X.Org project reports:

  • CVE-2025-49175: Out-of-bounds access in X Rendering extension (Animated cursors)

    The X Rendering extension allows creating animated cursors providing a list of cursors. By default, the Xserver assumes at least one cursor is provided while a client may actually pass no cursor at all, which causes an out-of-bound read creating the animated cursor and a crash of the Xserver.

  • CVE-2025-49177: Data leak in XFIXES Extension 6 (XFixesSetClientDisconnectMode)

    The handler of XFixesSetClientDisconnectMode does not check the client request length. A client could send a shorter request and read data from a former request.

  • CVE-2025-49178: Unprocessed client request via bytes to ignore

    When reading requests from the clients, the input buffer might be shared and used between different clients. If a given client sends a full request with non-zero bytes to ignore, the bytes to ignore may still be non-zero even though the request is full, in which case the buffer could be shared with another client who's request will not be processed because of those bytes to ignore, leading to a possible hang of the other client request.

  • CVE-2025-49179: Integer overflow in X Record extension

    The RecordSanityCheckRegisterClients() function in the X Record extension implementation of the Xserver checks for the request length, but does not check for integer overflow. A client might send a very large value for either the number of clients or the number of protocol ranges that will cause an integer overflow in the request length computation, defeating the check for request length.

  • CVE-2025-49180: Integer overflow in RandR extension (RRChangeProviderProperty)

    A client might send a request causing an integer overflow when computing the total size to allocate in RRChangeProviderProperty().

CVE-2025-49175 CVE-2025-49177 CVE-2025-49178 CVE-2025-49179 CVE-2025-49180 https://lists.x.org/archives/xorg/2025-June/062055.html 2025-06-17 2025-07-01
podman -- TLS connection used to pull VM images was not validated podman 5.5.2

RedHat, Inc. reports:

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.

CVE-2025-6032 https://nvd.nist.gov/vuln/detail/CVE-2025-6032 2025-06-30 2025-06-30
MongoDB -- Running certain aggregation operations with the SBE engine may lead to unexpected behavior mongodb60 6.0.21 mongodb70 7.0.17 mongodb80 8.0.4

cna@mongodb.com reports:

An authenticated user may trigger a use after free that may result in MongoDB Server crash and other unexpected behavior, even if the user does not have authorization to shut down a server. The crash is triggered on affected versions by issuing an aggregation framework operation using a specific combination of rarely-used aggregation pipeline expressions. This issue affects MongoDB Server v6.0 version prior to 6.0.21, MongoDB Server v7.0 version prior to 7.0.17 and MongoDB Server v8.0 version prior to 8.0.4 when the SBE engine is enabled.

CVE-2025-6706 https://nvd.nist.gov/vuln/detail/CVE-2025-6706 2025-06-26 2025-06-26
MongoDB -- Race condition in privilege cache invalidation cycle mongodb50 5.0.31 mongodb60 6.0.24 mongodb70 7.0.21 mongodb80 8.0.5

NVD reports:

Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator.

CVE-2025-6707 https://nvd.nist.gov/vuln/detail/CVE-2025-6707 2025-06-26 2025-06-26
MongoDB -- Pre-Authentication Denial of Service Vulnerability in MongoDB Server's OIDC Authentication mongodb60 6.0.21 mongodb70 7.0.17 mongodb80 8.0.5

NVD reports:

The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and server crash.

CVE-2025-6709 https://nvd.nist.gov/vuln/detail/CVE-2025-6709 2025-06-26 2025-06-26
MongoDB -- Pre-authentication Denial of Service Stack Overflow Vulnerability in JSON Parsing via Excessive Recursion in MongoDB mongodb70 7.0.17 mongodb80 8.0.5

cna@mongodb.com reports:

MongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of recursion, resulting in excessive stack space consumption. Such inputs can lead to a stack overflow that causes the server to crash which could occur pre-authorisation. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5. The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.

CVE-2025-6710 https://nvd.nist.gov/vuln/detail/CVE-2025-6710 2025-06-26 2025-06-26
kanboard -- Password Reset Poisoning via Host Header Injection kanboard 1.2.45

GitHub Security Advisories reports:

Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application_url configuration is unset (default behavior). This allows an attacker to craft a malicious password reset link that leaks the token to an attacker-controlled domain. If a victim (including an administrator) clicks the poisoned link, their account can be taken over. This affects all users who initiate a password reset while application_url is not set.

CVE-2025-52560 https://nvd.nist.gov/vuln/detail/CVE-2025-52560 2025-06-26 2025-06-26
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 18.1.018.1.1 18.0.018.0.3 16.10.017.11.5

Gitlab reports:

Denial of Service impacts GitLab CE/EE

Missing Authentication issue impacts GitLab CE/EE

Improper access control issue impacts GitLab CE/EE

Elevation of Privilege impacts GitLab CE/EE

Improper access control issue impacts GitLab EE

CVE-2025-3279 CVE-2025-1754 CVE-2025-5315 CVE-2025-2938 CVE-2025-5846 https://about.gitlab.com/releases/2025/06/25/patch-release-gitlab-18-1-1-released/ 2025-06-25 2025-06-26
cisco -- OpenH264 Decoding Functions Heap Overflow Vulnerability openh264 2.5.1,2

Cisco reports:

A vulnerability in the decoding functions of OpenH264 codec library could allow a remote, unauthenticated attacker to trigger a heap overflow. This vulnerability is due to a race condition between a Sequence Parameter Set (SPS) memory allocation and a subsequent non Instantaneous Decoder Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An attacker could exploit this vulnerability by crafting a malicious bitstream and tricking a victim user into processing an arbitrary video containing the malicious bistream. An exploit could allow the attacker to cause an unexpected crash in the victim's user decoding client and, possibly, perform arbitrary commands on the victim's host by abusing the heap overflow.

CVE-2025-27091 https://nvd.nist.gov/vuln/detail/CVE-2025-27091 2025-02-20 2025-06-22
clamav -- ClamAV UDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability clamav 1.2.0,11.4.3,1

Cisco reports:

A vulnerability in Universal Disk Format (UDF) processing of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to a memory overread during UDF file scanning. An attacker could exploit this vulnerability by submitting a crafted file containing UDF content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software. For a description of this vulnerability, see the .

CVE-2025-20234 https://nvd.nist.gov/vuln/detail/CVE-2025-20234 2025-06-18 2025-06-20
clamav -- ClamAV PDF Scanning Buffer Overflow Vulnerability clamav 1.4.3,1

Cisco reports:

A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.

CVE-2025-20260 https://nvd.nist.gov/vuln/detail/CVE-2025-20260 2025-06-18 2025-06-20
chromium -- multiple security fixes chromium 137.0.7151.119 ungoogled-chromium 137.0.7151.119

Chrome Releases reports:

This update includes 3 security fixes:

  • [420697404] High CVE-2025-6191: Integer overflow in V8. Reported by Shaheen Fazim on 2025-05-27
  • [421471016] High CVE-2025-6192: Use after free in Profiler. Reported by Chaoyuan Peng (@ret2happy) on 2025-05-31
CVE-2025-6191 CVE-2025-6192 https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_17.html 2025-06-17 2025-06-19
Navidrome -- SQL Injection via role parameter navidrome 0.55.00.56.0

Deluan reports:

This vulnerability arises due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information.

CVE-2025-48949 https://nvd.nist.gov/vuln/detail/CVE-2025-48949 2025-05-29 2025-06-18
Grafana -- DingDing contact points exposed in Grafana Alerting grafana 10.4.19+security-01 11.0.011.2.10+security-01 11.3.011.3.7+security-01 11.4.011.4.5+security-01 11.5.011.5.5+security-01 11.6.011.6.2+security-01 12.0.012.0.1+security-01 grafana8 8.0.0 grafana9 9.0.0

Grafana Labs reports:

An incident occurred where the DingDing alerting integration URL was inadvertently exposed to viewers due to a setting oversight, which we learned about through a bug bounty report.

The CVSS 3.0 score for this vulnerability is 4.3 (Medium).

CVE-2025-3415 https://grafana.com/blog/2025/06/13/grafana-security-update-medium-severity-security-release-for-cve-2025-3415/ 2025-04-05 2025-06-18
Grafana -- User deletion issue grafana 5.4.010.4.18+security-01 11.0.011.2.9+security-01 11.3.011.3.6+security-01 11.4.011.4.4+security-01 11.5.011.5.4+security-01 11.6.011.6.1+security-01 12.0.012.0.0+security-01 grafana8 8.0.0 grafana9 9.0.0

Grafana Labs reports:

On April 15, we discovered a vulnerability that stems from the user deletion logic associated with organization administrators. An organization admin could remove any user from the specific organization they manage. Additionally, they have the power to delete users entirely from the system if they have no other org membership. This leads to two situations:

  1. They can delete a server admin if the organization the Organization Admin manages is the server admin’s final organizational membership.
  2. They can delete any user (regardless of whether they are a server admin or not) if that user currently belongs to no organizations.

These two situations allow an organization manager to disrupt instance-wide activity by continually deleting server administrators if there is only one organization or if the server administrators are not part of any organization.

The CVSS score for this vulnerability is 5.5 Medium.

CVE-2025-3580 https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/ 2025-04-15 2025-05-23
Firefox -- Multiple vulnerabilities firefox 139.0.4,2

security@mozilla.org reports:

CVE-2025-49709: Certain canvas operations could have lead to memory corruption.

CVE-2025-49710: An integer overflow was present in `OrderedHashTable` used by the JavaScript engine.

CVE-2025-49709 https://nvd.nist.gov/vuln/detail/CVE-2025-49709 CVE-2025-49710 https://nvd.nist.gov/vuln/detail/CVE-2025-49710 2025-06-11 2025-06-17
chromium -- multiple security fixes chromium 137.0.7151.103 ungoogled-chromium 137.0.7151.103

Chrome Releases reports:

This update includes 2 security fixes:

  • [$8000][420150619] High CVE-2025-5958: Use after free in Media. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2025-05-25
  • [NA][422313191] High CVE-2025-5959: Type Confusion in V8. Reported by Seunghyun Lee as part of TyphoonPWN 2025 on 2025-06-04
CVE-2025-5958 CVE-2025-5959 https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_10.html 2025-06-10 2025-06-17
chromium -- multiple security fixes chromium 137.0.7151.68 ungoogled-chromium 137.0.7151.68

Chrome Releases reports:

This update includes 3 security fixes:

  • [420636529] High CVE-2025-5419: Out of bounds read and write in V8. Reported by Clement Lecigne and BenoĆ®t Sevens of Google Threat Analysis Group on 2025-05-27. This issue was mitigated on 2025-05-28 by a configuration change pushed out to Stable across all Chrome platforms.
  • [409059706] Medium CVE-2025-5068: Use after free in Blink. Reported by Walkman on 2025-04-07
CVE-2025-5419 CVE-2025-5068 https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html 2025-06-02 2025-06-17
Mozilla -- control access bypass firefox 138.0,2 firefox-esr 128.10 thunderbird 128.0

security@mozilla.org reports:

Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird < 128.10.

CVE-2025-2817 https://nvd.nist.gov/vuln/detail/CVE-2025-2817 2025-04-29 2025-06-15
webmin -- CGI Command Injection Remote Code Execution webmin 2.105

Webmin reports:

A less-privileged Webmin user can execute commands as root via a vulnerability in the shell autocomplete feature.

CVE-2024-12828 https://webmin.com/security/ https://nvd.nist.gov/vuln/detail/CVE-2024-12828 2024-12-30 2025-06-15
Yelp -- arbitrary file read yelp-xsl 42.3

secalert@redhat.com reports:

A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.

CVE-2025-3155 https://nvd.nist.gov/vuln/detail/CVE-2025-3155 2025-04-03 2025-06-14
Yelp -- arbitrary file read yelp 42.3

secalert@redhat.com reports:

A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.

CVE-2025-3155 https://nvd.nist.gov/vuln/detail/CVE-2025-3155 2025-04-03 2025-06-14
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 18.0.018.0.2 17.11.017.11.4 2.1.017.10.8

Gitlab reports:

HTML injection impacts GitLab CE/EE

Cross-site scripting issue impacts GitLab CE/EE

Missing authorization issue impacts GitLab Ultimate EE

Denial of Service impacts GitLab CE/EE

Denial of Service via unbounded Webhook token names impacts GitLab CE/EE

Denial of Service via unbounded Board Names impacts GitLab CE/EE

Information disclosure issue impacts GitLab CE/EE

Denial of Service (DoS) via uncontrolled HTTP Response Processing impacts GitLab CE/EE

Information disclosure via authorization bypass impacts GitLab CE/EE

Sensitive information disclosure via Group IP restriction bypass

CVE-2025-4278 CVE-2025-2254 CVE-2025-5121 CVE-2025-0673 CVE-2025-1516 CVE-2025-1478 CVE-2024-9512 CVE-2025-5996 CVE-2025-5195 CVE-2025-5982 https://about.gitlab.com/releases/2025/06/11/patch-release-gitlab-18-0-2-released/ 2025-06-11 2025-06-12
PostgreSQL JDBC library -- Improper Authentication postgresql-jdbc 42.7.7

PostgreSQL JDBC Driver project reports:

Client Allows Fallback to Insecure Authentication Despite channelBinding=require configuration. Fix channel binding required handling to reject non-SASL authentication Previously, when channel binding was set to "require", the driver would silently ignore this requirement for non-SASL authentication methods. This could lead to a false sense of security when channel binding was explicitly requested but not actually enforced. The fix ensures that when channel binding is set to "require", the driver will reject connections that use non-SASL authentication methods or when SASL authentication has not completed properly.

CVE-2025-49146 https://nvd.nist.gov/vuln/detail/CVE-2025-49146 2025-06-12 2025-06-12
ModSecurity -- possible DoS vulnerability ap24-mod_security 2.9.10

security-advisories@github.com reports:

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.

CVE-2025-48866 https://nvd.nist.gov/vuln/detail/CVE-2025-48866 2025-06-02 2025-06-06
ModSecurity -- possible DoS vulnerability ap24-mod_security 2.9.8

security-advisories@github.com reports:

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.

CVE-2025-47947 https://nvd.nist.gov/vuln/detail/CVE-2025-47947 2025-05-21 2025-06-06
Mozilla -- clickjacking vulnerability firefox-esr 128.11.0 firefox 139.0,2

security@mozilla.org reports:

A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page.

CVE-2025-5267 https://nvd.nist.gov/vuln/detail/CVE-2025-5267 2025-05-27 2025-06-05
Mozilla -- XS-leak attack firefox-esr 128.11.0 firefox 139.0,2

security@mozilla.org reports:

Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks.

CVE-2025-5266 https://nvd.nist.gov/vuln/detail/CVE-2025-5266 2025-05-27 2025-06-05
Mozilla -- local code execution firefox-esr 115.24.0 firefox 139.0,2

security@mozilla.org reports:

Due to insufficient escaping of the newline character in the Copy as cURL feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.

CVE-2025-5264 https://nvd.nist.gov/vuln/detail/CVE-2025-5264 2025-05-27 2025-06-05
Mozilla -- cross-origin leak attack firefox-esr 115.24.0 firefox 139.0,2

security@mozilla.org reports:

Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks.

CVE-2025-5263 https://nvd.nist.gov/vuln/detail/CVE-2025-5263 2025-05-27 2025-06-05
Chrome -- Out of bounds read chromium 137.0.7151.68

chrome-cve-admin@google.com reports:

Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2025-5419 https://nvd.nist.gov/vuln/detail/CVE-2025-5419 2025-06-03 2025-06-04
electron{34,35,36} -- Out of bounds read and write in V8 electron34 34.5.8 electron35 35.5.1 electron36 36.4.0

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2025-5419.
CVE-2025-5419 https://github.com/advisories/GHSA-x828-wp24-7h9m 2025-06-04 2025-06-04 2025-06-04
Post-Auth Remote Code Execution found in Roundcube Webmail roundcube-php81 1.6.11 roundcube-php82 1.6.11 roundcube-php83 1.6.11 roundcube-php84 1.6.11

Roundcube Webmail reports:

Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v

CVE-2025-49113 https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 2025-06-01 2025-06-03
Gimp -- GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability gimp 3.0.0,2

zdi-disclosures@trendmicro.com reports:

GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of FLI files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25100.

CVE-2025-2761 https://nvd.nist.gov/vuln/detail/CVE-2025-2761 2025-04-23 2025-06-02
Gimp -- GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability gimp 3.0.0,2

zdi-disclosures@trendmicro.com reports:

GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XWD files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25082.

CVE-2025-2760 https://nvd.nist.gov/vuln/detail/CVE-2025-2760 2025-04-23 2025-06-02
curl -- Multiple vulnerabilities curl 8.5.08.14.0

curl security team reports:

CVE-2025-5025: No QUIC certificate pinning with wolfSSL

CVE-2025-4947: QUIC certificate check skip with wolfSSL

CVE-2025-5025 https://nvd.nist.gov/vuln/detail/CVE-2025-5025 CVE-2025-4947 https://nvd.nist.gov/vuln/detail/CVE-2025-4947 2025-05-28 2025-06-01
libxml2 -- Out-of-bounds memory access py39-libxml2 py310-libxml2 py311-libxml2 py312-libxml2 2.11.9_3 2.12.02.13.8 2.14.02.14.2

cve@mitre.org reports:

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

CVE-2025-32414 https://nvd.nist.gov/vuln/detail/CVE-2025-32414 2025-04-08 2025-05-31
libxml2 -- Stack-based Buffer Overflow libxml2 2.11.9_1 2.12.02.12.10 2.13.02.13.6

cve@mitre.org reports:

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.

CVE-2025-24928 https://nvd.nist.gov/vuln/detail/CVE-2025-24928 2025-02-18 2025-05-31
libxml2 -- Use After Free libxml2 2.11.9_1 2.12.02.12.10 2.13.02.13.6

cve@mitre.org reports:

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

CVE-2024-56171 https://nvd.nist.gov/vuln/detail/CVE-2024-56171 2025-02-18 2025-05-31
chromium -- multiple security fixes chromium 137.0.7151.55 ungoogled-chromium 137.0.7151.55

Chrome Releases reports:

This update includes 11 security fixes:

  • [411573532] High CVE-2025-5063: Use after free in Compositing. Reported by Anonymous on 2025-04-18
  • [417169470] High CVE-2025-5280: Out of bounds write in V8. Reported by [pwn2car] on 2025-05-12
  • [40058068] Medium CVE-2025-5064: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-11-29
  • [40059071] Medium CVE-2025-5065: Inappropriate implementation in FileSystemAccess API. Reported by NDevTK on 2022-03-11
  • [356658477] Medium CVE-2025-5066: Inappropriate implementation in Messages. Reported by Mohit Raj (shadow2639) on 2024-07-31
  • [417215501] Medium CVE-2025-5281: Inappropriate implementation in BFCache. Reported by Jesper van den Ende (Pelican Party Studios) on 2025-05-12
  • [419467315] Medium CVE-2025-5283: Use after free in libvpx. Reported by Mozilla on 2025-05-22
  • [40075024] Low CVE-2025-5067: Inappropriate implementation in Tab Strip. Reported by Khalil Zhani on 2023-10-17
CVE-2025-5063 CVE-2025-5280 CVE-2025-5064 CVE-2025-5065 CVE-2025-5066 CVE-2025-5281 CVE-2025-5283 CVE-2025-5067 https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_27.html 2025-05-27 2025-05-31
Chrome -- Heap corruption exploitation chromium 137.0.7151.55

chrome-cve-admin@google.com reports:

Use after free in Compositing in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2025-5063 https://nvd.nist.gov/vuln/detail/CVE-2025-5063 2025-05-27 2025-05-30
Mozilla -- memory corruption firefox-esr 128.11.0 thunderbird 128.11.0

security@mozilla.org reports:

Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code.

CVE-2025-5269 https://nvd.nist.gov/vuln/detail/CVE-2025-5269 2025-05-27 2025-05-30
Mozilla -- Memory safety bugs firefox 139.0,2 firefox-esr 128.11 thunderbird 128.11

security@mozilla.org reports:

Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-5268 https://nvd.nist.gov/vuln/detail/CVE-2025-5268 2025-05-27 2025-05-30
Firefox -- unencrypted SNI firefox 139.0,2

security@mozilla.org reports:

In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled.

CVE-2025-5270 https://nvd.nist.gov/vuln/detail/CVE-2025-5270 2025-05-27 2025-05-30
Firefox -- content injection attack firefox 139.0,2

security@mozilla.org reports:

Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks.

CVE-2025-5271 https://nvd.nist.gov/vuln/detail/CVE-2025-5271 2025-05-27 2025-05-30
Mozilla -- Memory safety bugs firefox 139.0,2 thunderbird 129.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 138 and Thunderbird 138. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-5272 https://nvd.nist.gov/vuln/detail/CVE-2025-5272 2025-05-27 2025-05-30
ModSecurity -- Possible DoS Vulnerability ap24-mod_security 2.9.8

security-advisories@github.com reports:

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.

CVE-2025-47947 https://nvd.nist.gov/vuln/detail/CVE-2025-47947 2025-05-21 2025-05-30
traefik -- Path traversal vulnerability traefik 3.4.1

The traefik project reports:

There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it's possible to target a backend, exposed using another router, by-passing the middlewares chain.

CVE-2025-47952 https://nvd.nist.gov/vuln/detail/CVE-2025-47952 2025-05-27 2025-05-29
glpi-project -- GLPI multiple vulnerabilities glpi 10.0.18

security-advisories@github.com reports:

CVE-2024-11955: A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.0.18 is able to address this issue. It is recommended to upgrade the affected component.

CVE-2025-23024: Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

CVE-2025-23046: Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

CVE-2025-25192: Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.

CVE-2025-21626: Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the `status.php` file, restrict its access, or remove any sensitive values from the `name` field of the active LDAP directories, mail servers authentication providers and mail receivers.

CVE-2025-21627: In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If the anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user. Version 10.0.18 contains a fix for the issue.

CVE-2025-21619: An administrator user can perfom a SQL injection through the rules configuration forms. This vulnerability is fixed in 10.0.18.

CVE-2025-24799: An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18.

CVE-2025-24801: An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18.

CVE-2024-11955 https://nvd.nist.gov/vuln/detail/CVE-2024-11955 CVE-2025-23024 https://nvd.nist.gov/vuln/detail/CVE-2025-23024 CVE-2025-23046 https://nvd.nist.gov/vuln/detail/CVE-2025-23046 CVE-2025-25192 https://nvd.nist.gov/vuln/detail/CVE-2025-25192 CVE-2025-21626 https://nvd.nist.gov/vuln/detail/CVE-2025-21626 CVE-2025-21627 https://nvd.nist.gov/vuln/detail/CVE-2025-21627 CVE-2025-21619 https://nvd.nist.gov/vuln/detail/CVE-2025-21619 CVE-2025-24799 https://nvd.nist.gov/vuln/detail/CVE-2025-24799 CVE-2025-24801 https://nvd.nist.gov/vuln/detail/CVE-2025-24801 2025-02-25 2025-05-29
electron{34,35} -- multiple vulnerabilities electron34 34.5.7 electron35 35.5.0

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2025-4609.
  • Security: backported fix for CVE-2025-4664.
CVE-2025-4609 CVE-2025-4664 https://github.com/advisories/GHSA-vxhm-55mv-5fhx 2025-05-29 2025-05-29
ISC KEA -- Multiple vulnerabilities kea 2.6.3

Internet Systems Consortium, Inc. reports:

  • Loading a malicious hook library can lead to local privilege escalation https://kb.isc.org/docs/cve-2025-32801
  • Insecure handling of file paths allows multiple local attacks https://kb.isc.org/docs/cve-2025-32802
  • Insecure file permissions can result in confidential information leakage https://kb.isc.org/docs/cve-2025-32803
CVE-2025-32801 CVE-2025-32802 CVE-2025-32803 2025-05-28 2025-05-28
grafana -- XSS vulnerability grafana 8.0.010.4.18+security-01 11.0.011.2.9+security-01 11.3.011.3.6+security-01 11.4.011.4.4+security-01 11.5.011.5.4+security-01 11.6.011.6.1+security-01 12.0.012.0.0+security-01 grafana8 8.0.0 grafana9 9.0.0

security@grafana.com reports:

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.

CVE-2025-4123 https://nvd.nist.gov/vuln/detail/CVE-2025-4123 2025-04-26 2025-05-27
cpython -- Use-after-free in "unicode_escape" decoder with error handler python39 3.9.22_1 python310 3.10.17_1 python311 3.11.12_1 python312 3.12.10_1

cna@python.org reports:

There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.

CVE-2025-4516 https://nvd.nist.gov/vuln/detail/CVE-2025-4516 2025-05-15 2025-05-24
OpenSSL -- Inverted security logic in x509 app openssl35 3.5.0_1

The OpenSSL project reports:

The x509 application adds trusted use instead of rejected use (low)

CVE-2025-4575 https://openssl-library.org/news/secadv/20250522.txt 2025-05-23 2025-05-23
Firefox -- memory corruption due to race condition firefox 137.0.2,2

security@mozilla.org reports:

A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition.

CVE-2025-3608 https://nvd.nist.gov/vuln/detail/CVE-2025-3608 2025-04-15 2025-05-22
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 18.0.018.0.1 17.11.017.11.3 10.2.017.10.7

Gitlab reports:

Unprotected large blob endpoint in GitLab allows Denial of Service

Improper XPath validation allows modified SAML response to bypass 2FA requirement

A Discord webhook integration may cause DoS

Unbounded Kubernetes cluster tokens may lead to DoS

Unvalidated notes position may lead to Denial of Service

Hidden/masked variables may get exposed in the UI

Two-factor authentication requirement bypass

View full email addresses that should be partially obscured

Branch name confusion in confidential MRs

Unauthorized access to job data via a GraphQL query

CVE-2025-0993 CVE-2024-12093 CVE-2024-7803 CVE-2025-3111 CVE-2025-2853 CVE-2025-4979 CVE-2025-0605 CVE-2025-0679 CVE-2024-9163 CVE-2025-1110 https://about.gitlab.com/releases/2025/05/21/patch-release-gitlab-18-0-1-released/ 2025-05-21 2025-05-23
screen -- multiple vulnerabilities screen 5.0.1

The screen project reports:

Multiple security issues in screen.

CVE-2025-46805 CVE-2025-46804 CVE-2025-46803 CVE-2025-46802 CVE-2025-23395 https://lists.gnu.org/archive/html/info-gnu/2025-05/msg00002.html 2025-05-12 2025-05-21
firefox -- out-of-bounds read/write firefox 138.0.4,2 firefox-esr 128.10.1

security@mozilla.org reports:

An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes.

CVE-2025-4918 https://nvd.nist.gov/vuln/detail/CVE-2025-4918 CVE-2025-4919 https://nvd.nist.gov/vuln/detail/CVE-2025-4919 2025-05-17 2025-05-19
WeeChat -- Multiple vulnerabilities weechat 4.6.3

The Weechat project reports:

Multiple integer and buffer overflows in WeeChat core.

https://weechat.org/doc/weechat/security/ 2025-05-11 2025-05-17
chromium -- multiple security fixes chromium 136.0.7103.113 ungoogled-chromium 136.0.7103.113

Chrome Releases reports:

This update includes 4 security fixes:

  • [415810136] High CVE-2025-4664: Insufficient policy enforcement in Loader. Source: X post from @slonser_ on 2025-05-05
  • [412578726] High CVE-2025-4609: Incorrect handle provided in unspecified circumstances in Mojo. Reported by Micky on 2025-04-22
CVE-2025-4664 CVE-2025-4609 https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html 2025-05-14 2025-05-15
Mozilla -- memory safety bugs firefox 138.0,2 firefox-esr 128.10 thunderbird 138.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-4091 https://nvd.nist.gov/vuln/detail/CVE-2025-4091 2025-04-29 2025-05-14
Mozilla -- memory corruption firefox-esr 128.10 thunderbird 128.10

security@mozilla.org reports:

Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code.

CVE-2025-4093 https://nvd.nist.gov/vuln/detail/CVE-2025-4093 2025-04-29 2025-05-14
vscode -- security feature bypass vulnerability vscode 1.100.1

VSCode developers report:

A security feature bypass vulnerability exists in VS Code 1.100.0 and earlier versions where a maliciously crafted URL could be considered trusted when it should not have due to how VS Code handled glob patterns in the trusted domains feature. When paired with the #fetch tool in Chat, this scenario would require the attacker to convince an LLM (via prompt injection) to fetch the maliciously crafted URL but when fetched, the user would have no moment to confirm the flighting of the request.

CVE-2025-21264 https://github.com/microsoft/vscode/security/advisories/GHSA-742r-ggwg-vqxm https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21264 2025-05-13 2025-05-14
libxslt -- multiple vulnerabilities libxslt 1.1.43

[CVE-2024-55549] Fix UAF related to excluded namespaces

xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.

[CVE-2025-24855] Fix use-after-free of XPath context node

numbers.c in libxslt before 1.1.43 has a use-after-free because , in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.

CVE-2024-55549 CVE-2025-24855 https://nvd.nist.gov/vuln/detail/CVE-2024-55549 https://nvd.nist.gov/vuln/detail/CVE-2025-24855 2025-03-13 2025-05-13
www/varnish7 -- Request Smuggling Attack varnish7 7.7.1

The Varnish Development Team reports:

A client-side desync vulnerability can be triggered in Varnish Cache and Varnish Enterprise. This vulnerability can be triggered under specific circumstances involving malformed HTTP/1 requests.

An attacker can abuse a flaw in Varnish's handling of chunked transfer encoding which allows certain malformed HTTP/1 requests to exploit improper framing of the message body to smuggle additional requests. Specifically, Varnish incorrectly permits CRLF to be skipped to delimit chunk boundaries.

https://varnish-cache.org/security/VSV00016.html 2025-05-12 2025-05-12
Mozilla -- memory corruption firefox 138.0,2 thunderbird 138.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 137 and Thunderbird 137. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-4092 https://nvd.nist.gov/vuln/detail/CVE-2025-4092 2025-04-29 2025-05-11
Mozilla -- insufficient character escaping firefox 138.0,2 thunderbird 138.0

security@mozilla.org reports:

Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.

CVE-2025-4089 https://nvd.nist.gov/vuln/detail/CVE-2025-4089 2025-04-29 2025-05-11
Mozilla -- Cross-Site Request Forgery firefox 138.0,2 thunderbird 138.0

security@mozilla.org reports:

A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins.

CVE-2025-4088 https://nvd.nist.gov/vuln/detail/CVE-2025-4088 2025-04-29 2025-05-11
Mozilla -- XPath parsing undefined behavior firefox 138.0,2 firefox-esr 128.10,1 thunderbird 138

security@mozilla.org reports:

A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption.

CVE-2025-4087 https://nvd.nist.gov/vuln/detail/CVE-2025-4087 2025-04-29 2025-05-11
Mozilla -- Information leak firefox 138.0,2 thunderbird 138.0

security@mozilla.org reports:

An attacker with control over a content process could potentially leverage the privileged UITour actor to leak sensitive information or escalate privileges.

CVE-2025-4085 https://nvd.nist.gov/vuln/detail/CVE-2025-4085 2025-04-29 2025-05-11
Mozilla -- javascript content execution firefox 138.0,2 firefox-esr 128.10,1 thunderbird 138.0

security@mozilla.org reports:

A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape.

CVE-2025-4083 https://nvd.nist.gov/vuln/detail/CVE-2025-4083 2025-04-29 2025-05-11
Gitlab -- vulnerabilities gitlab-ce gitlab-ee 17.11.017.11.2 17.10.017.10.6 12.0.017.9.8

Gitlab reports:

Partial Bypass for Device OAuth flow using Cross Window Forgery

Denial of service by abusing Github import API

Group IP restriction bypass allows disclosing issue title of restricted project

CVE-2025-0549 CVE-2024-8973 CVE-2025-1278 https://about.gitlab.com/releases/2025/05/07/patch-release-gitlab-17-11-2-released/ 2025-05-07 2025-05-10
PostgreSQL -- PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation postgresql17-client 17.5 postgresql16-client 16.9 postgresql15-client 15.13 postgresql14-client 14.18 postgresql13-client 13.21 postgresql17-server 17.5 postgresql16-server 16.9 postgresql15-server 15.13 postgresql14-server 14.18 postgresql13-server 13.21

PostgreSQL project reports:

A buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.

CVE-2025-4207 https://www.postgresql.org/support/security/CVE-2025-4207/ 2025-05-08 2025-05-08
chromium -- multiple security fixes chromium 136.0.7103.92 ungoogled-chromium 136.0.7103.92

Chrome Releases reports:

This update includes 2 security fixes:

  • [412057896] Medium CVE-2025-4372: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2025-04-20
CVE-2025-4372 https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop.html 2025-05-06 2025-05-07
chromium -- multiple security fixes chromium 136.0.7103.59 ungoogled-chromium 136.0.7103.59

Chrome Releases reports:

This update includes 8 security fixes:

  • [409911705] High CVE-2025-4096: Heap buffer overflow in HTML. Reported by Anonymous on 2025-04-11
  • [409342999] Medium CVE-2025-4050: Out of bounds memory access in DevTools. Reported by Anonymous on 2025-04-09
  • [404000989] Medium CVE-2025-4051: Insufficient data validation in DevTools. Reported by Daniel Frƶjdendahl on 2025-03-16
  • [401927528] Low CVE-2025-4052: Inappropriate implementation in DevTools. Reported by vanillawebdev on 2025-03-10
CVE-2025-4096 CVE-2025-4050 CVE-2025-4051 CVE-2025-4052 https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_29.html 2025-04-29 2025-05-06
fcgi -- Heap-based buffer overflow via crafted nameLen/valueLen in ReadParams fcgi 2.4.5

cve@mitre.org reports:

FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.

CVE-2025-23016 https://nvd.nist.gov/vuln/detail/CVE-2025-23016 https://github.com/FastCGI-Archives/fcgi2/issues/67 2025-01-10 2025-05-04
dnsdist -- Denial of service via crafted DoH exchange null null

security@open-xchange.com reports:

When DNSdist is configured to provide DoH via the nghttp2provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.9 version. A workaround is to temporarily switch to the h2o provider until DNSdist has been upgraded to a fixed version. We would like to thank Charles Howes for bringing this issue to our attention.

CVE-2025-30194 https://nvd.nist.gov/vuln/detail/CVE-2025-30194 2025-04-29 2025-05-04
powerdns-recursor -- denial of service powerdns-recursor 5.2.0

PowerDNS Team reports:

PowerDNS Security Advisory 2025-01: A crafted zone can lead to an illegal memory access in the Recursor

CVE-2025-30195 https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-01.html 2025-04-07 2025-04-22
sqlite -- integer overflow sqlite 3.49.1

cve@mitre.org reports:

In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory.

CVE-2025-29087 https://nvd.nist.gov/vuln/detail/CVE-2025-29087 2025-04-07 2025-04-30
h11 accepts some malformed Chunked-Encoding bodies py39-h11 py310-h11 py311-h11 py312-h11 0.16.0

h11 reports:

h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.

CVE-2025-43859 https://nvd.nist.gov/vuln/detail/CVE-2025-43859 2025-04-24 2025-04-29
Grafana -- Authorization bypass in data source proxy API grafana 8.0.010.4.17+security-01 11.0.011.2.8+security-01 11.3.011.3.5+security-01 11.4.011.4.3+security-01 11.5.011.5.3+security-01 11.6.011.6.0+security-01 grafana8 8.0.0 grafana9 9.0.0

Grafana Labs reports:

This vulnerability, which was discovered while reviewing a pull request from an external contributor, effects Grafana’s data source proxy API and allows authorization checks to be bypassed by adding an extra slash character (/) in the URL path. Among Grafana-maintained data sources, the vulnerability only affects the read paths of Prometheus (all flavors) and Alertmanager when configured with basic authorization.

The CVSS score for this vulnerability is 5.0 MEDIUM.

CVE-2025-3454 https://grafana.com/blog/2025/04/22/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-3260-cve-2025-2703-cve-2025-3454/ 2025-03-25 2025-04-24
Grafana -- Bypass Viewer and Editor permissions grafana 11.6.011.6.0+security-01

Grafana Labs reports:

During the development of a new feature in Grafana 11.6.x, a security vulnerability was introduced that allows for Viewers and Editors to bypass dashboard-specific permissions. As a result, users with the Viewer role could view all the dashboards within their org and users with the Editor role could view, edit, and delete all the dashboards in their org.

Note: Organization isolation boundaries still apply, which means viewers and editors in one organization cannot view or edit dashboards in another org. Also this vulnerability does not allow users to query data via data sources they don’t have access to.

The CVSS score for this vulnerability is 8.3 HIGH.

CVE-2025-3260 https://grafana.com/blog/2025/04/22/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-3260-cve-2025-2703-cve-2025-3454/ 2025-04-04 2025-04-24
Grafana -- DOM XSS vulnerability grafana 11.1.011.2.8+security-01 11.3.011.3.5+security-01 11.4.011.4.3+security-01 11.5.011.5.3+security-01 11.6.011.6.0+security-01

Grafana Labs reports:

An external security researcher responsibly reported a security vulnerability in Grafana’s built-in XY chart plugin that is vulnerable to a DOM XSS vulnerability.

The CVSS score for this vulnerability is 6.8 MEDIUM.

CVE-2025-2703 https://grafana.com/security/security-advisories/cve-2025-2703/ 2025-03-14 2025-04-24
redis,valkey -- DoS Vulnerability due to unlimited growth of output buffers abused by unauthenticated client redis 7.4.3 redis72 7.2.8 redis62 6.2.18 valkey 8.1.1

Axel Mierczuk reports:

By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable.

When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory.

CVE-2025-21605 https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff 2025-04-23 2025-04-24
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.11.017.11.1 17.10.017.10.5 16.6.017.9.7

Gitlab reports:

Cross Site Scripting (XSS) in Maven Dependency Proxy through CSP directives

Cross Site Scripting (XSS) in Maven dependency proxy through cache headers

Network Error Logging (NEL) Header Injection in Maven Dependency Proxy Allows Browser Activity Monitoring

Denial of service (DOS) via issue preview

Unauthorized access to branch names when Repository assets are disabled in the project

CVE-2025-1763 CVE-2025-2443 CVE-2025-1908 CVE-2025-0639 CVE-2024-12244 https://about.gitlab.com/releases/2025/04/23/patch-release-gitlab-17-11-1-released/ 2025-04-23 2025-04-24
chromium -- multiple security fixes chromium 135.0.7049.114 ungoogled-chromium 135.0.7049.114

Chrome Releases reports:

This update includes 1 security fix.

https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_22.html 2025-04-22 2025-04-23
Navidrome -- Authentication bypass in Subsonic API navidrome 0.52.00.54.5

Deluan reports:

In certain Subsonic API endpoints, authentication can be bypassed by using a non-existent username combined with an empty (salted) password hash. This allows read-only access to the server’s resources, though attempts at write operations fail with a ā€œpermission deniedā€ error.

CVE-2025-27112 https://nvd.nist.gov/vuln/detail/CVE-2025-27112 2025-02-25 2025-04-22
Erlang -- Erlang/OTP SSH Vulnerable to Pre-Authentication RCE erlang 26.2.5.11 erlang-runtime21 25.3.2.20 erlang-runtime22 25.3.2.20 erlang-runtime23 25.3.2.20 erlang-runtime24 25.3.2.20 erlang-runtime25 25.3.2.20 erlang-runtime26 26.2.5.11 erlang-runtime27 27.3.3

security-advisories@github.com reports:

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.

CVE-2025-32433 https://nvd.nist.gov/vuln/detail/CVE-2025-32433 2025-04-16 2025-04-20
ejabberd -- mod_muc_occupantid: Fix handling multiple occupant-id ejabberd 25.04

ejabberd team reports:

Fixed issue with handling of user provided occupant-id in messages and presences sent to muc room. Server was replacing just first instance of occupant-id with its own version, leaving other ones untouched. That would mean that depending on order in which clients send occupant-id, they could see value provided by sender, and that could be used to spoof as different sender.

https://www.process-one.net/blog/ejabberd-25-04/#occupantid 2025-04-16 2025-04-19
chromium -- multiple security fixes chromium 135.0.7049.95 ungoogled-chromium 135.0.7049.95

Chrome Releases reports:

This update includes 2 security fixes:

  • [409619251] Critical CVE-2025-3619: Heap buffer overflow in Codecs. Reported by Elias Hohl on 2025-04-09
  • [405292639] High CVE-2025-3620: Use after free in USB. Reported by @retsew0x01 on 2025-03-21
CVE-2025-3619 CVE-2025-3620 https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_15.html 2025-04-15 2025-04-16
chromium -- multiple security fixes chromium 135.0.7049.84 ungoogled-chromium 135.0.7049.84

Chrome Releases reports:

This update includes 2 security fixes:

  • [405140652] High CVE-2025-3066: Use after free in Site Isolation. Reported by Sven Dysthe (@svn-dys) on 2025-03-21
CVE-2025-3066 https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_8.html 2025-04-08 2025-04-15
py-matrix-synapse -- federation denial of service via malformed events py38-matrix-synapse py39-matrix-synapse py310-matrix-synapse py311-matrix-synapse 1.127.1

element-hq/synapse developers report:

A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild.

CVE-2025-30355 https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6 2025-03-26 2025-03-26
jenkins -- multiple vulnerabilities jenkins 2.504 jenkins-lts 2.492.3

Jenkins Security Advisory:

Description

(Medium) SECURITY-3512 / CVE-2025-31720

Missing permission check allows retrieving agent configurations

Description

(Medium) SECURITY-3513 / CVE-2025-31721

Missing permission check allows retrieving secrets from agent configurations

CVE-2025-31720 CVE-2025-31721 https://www.jenkins.io/security/advisory/2025-04-02/ 2025-04-02 2025-04-11
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.10.017.10.4 17.9.017.9.6 7.7.017.8.7

Gitlab reports:

Denial of service via CI pipelines

Unintentionally authorizing sensitive actions on users behalf

IP Restriction Bypass through GraphQL Subscription

Unauthorized users can list the number of confidential issues

Debugging Information Disclosed

CVE-2025-1677 CVE-2025-0362 CVE-2025-2408 CVE-2024-11129 CVE-2025-2469 https://about.gitlab.com/releases/2025/04/09/patch-release-gitlab-17-10-4-released/ 2025-04-09 2025-04-10
expat: improper restriction of xml entity expansion depth expat 2.7.0

secalert@redhat.com reports:

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

CVE-2024-8176 https://nvd.nist.gov/vuln/detail/CVE-2024-8176 2025-03-14 2025-04-09
Mozilla -- memory corruption firefox 137.0,2 librewolf 137.0 thunderbird 137.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 136 and Thunderbird 136. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-3034 https://nvd.nist.gov/vuln/detail/CVE-2025-3034 2025-04-01 2025-04-07
Mozilla -- privilege escalation attack firefox 137.0,2 librewolf 137.0 thunderbird 137.0

security@mozilla.org reports:

Leaking of file descriptors from the fork server to web content processes could allow for privilege escalation attacks.

CVE-2025-3032 https://nvd.nist.gov/vuln/detail/CVE-2025-3032 2025-04-01 2025-04-07
Mozilla -- stack memory read firefox 137.0,2 librewolf 137.0 thunderbird 137.0

security@mozilla.org reports:

An attacker could read 32 bits of values spilled onto the stack in a JIT compiled function.

CVE-2025-3031 https://nvd.nist.gov/vuln/detail/CVE-2025-3031 2025-04-01 2025-04-07
Mozilla -- Memory corruption firefox 137.0 firefox-esr 128.9.0 firefox 137.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-3030 https://nvd.nist.gov/vuln/detail/CVE-2025-3030 2025-04-01 2025-04-07
Mozilla -- URL spoofing attack firefox 137.0,2 firefox-esr 128.9 librewolf 137.0 thunderbird 137.0

security@mozilla.org reports:

A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack.

CVE-2025-3029 https://nvd.nist.gov/vuln/detail/CVE-2025-3029 2025-04-01 2025-04-07
Mozilla -- use-after-free error firefox 137.0,2 firefox-esr 115.22 librewolf 137.0 thunderbird 137.0

security@mozilla.org reports:

JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free.

CVE-2025-3028 https://nvd.nist.gov/vuln/detail/CVE-2025-3028 2025-04-01 2025-04-07
chromium -- multiple security fixes chromium 135.0.7049.52 ungoogled-chromium 135.0.7049.52

Chrome Releases reports:

This update includes 13 security fixes:

  • [376491759] Medium CVE-2025-3067: Inappropriate implementation in Custom Tabs. Reported by Philipp Beer (TU Wien) on 2024-10-31
  • [401823929] Medium CVE-2025-3068: Inappropriate implementation in Intents. Reported by Simon Rawet on 2025-03-09
  • [40060076] Medium CVE-2025-3069: Inappropriate implementation in Extensions. Reported by NDevTK on 2022-06-26
  • [40086360] Medium CVE-2025-3070: Insufficient validation of untrusted input in Extensions. Reported by Anonymous on 2017-01-01
  • [40051596] Low CVE-2025-3071: Inappropriate implementation in Navigations. Reported by David Erceg on 2020-02-23
  • [362545037] Low CVE-2025-3072: Inappropriate implementation in Custom Tabs. Reported by Om Apip on 2024-08-27
  • [388680893] Low CVE-2025-3073: Inappropriate implementation in Autofill. Reported by Hafiizh on 2025-01-09
  • [392818696] Low CVE-2025-3074: Inappropriate implementation in Downloads. Reported by Farras Givari on 2025-01-28
CVE-2025-3067 CVE-2025-3068 CVE-2025-3069 CVE-2025-3070 CVE-2025-3071 CVE-2025-3072 CVE-2025-3073 CVE-2025-3074 https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop.html 2025-04-01 2025-04-05
Mozilla -- Memory corruption bug firefox 134.0,2 librewolf 134.0 firefox-esr 128.6.0 thunderbird 134.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-0243 https://nvd.nist.gov/vuln/detail/CVE-2025-0243 2025-01-07 2025-04-04
Mozilla -- Memory safety bugs firefox 134.0,2 librewolf 134.0 thunderbird 134.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 133 and Thunderbird 133. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-0247 https://nvd.nist.gov/vuln/detail/CVE-2025-0247 2025-01-07 2025-04-04
firefox -- authentication bypass firefox 134.0,2 librewolf 134.0

security@mozilla.org reports:

Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed.

CVE-2025-0245 https://nvd.nist.gov/vuln/detail/CVE-2025-0245 2025-01-07 2025-04-04
Mozilla -- Memory safety bugs firefox 134.0,2 librewolf 134.0 firefox-esr 115.19 thunderbird 134.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-0242 https://nvd.nist.gov/vuln/detail/CVE-2025-0242 2025-01-07 2025-04-04
Mozilla -- DoS via segmentation fault firefox 134.0,2 librewolf 134.0 firefox-esr 128.6.0 thunderbird 134.0

security@mozilla.org reports:

When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash.

CVE-2025-0241 https://nvd.nist.gov/vuln/detail/CVE-2025-0241 2025-01-07 2025-04-04
Mozilla -- use-after-free while parsing JSON firefox 134.0,2 librewolf 134.0 firefox-esr 128.6.0 thunderbird 134.0

security@mozilla.org reports:

Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free.

CVE-2025-0240 https://nvd.nist.gov/vuln/detail/CVE-2025-0240 2025-01-07 2025-04-04
Mozilla -- redirection to insecure site firefox 134.0,2 librewolf 134.0 firefox-esr 128.6.0 thunderbird 134.0

security@mozilla.org reports:

When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site.

CVE-2025-0239 https://nvd.nist.gov/vuln/detail/CVE-2025-0239 2025-01-07 2025-04-04
Mozilla -- use-after-free after failed memory allocation firefox 134.0,2 librewolf 134.0 firefox-esr 128.6.0 thunderbird 128.6

security@mozilla.org reports:

Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash.

CVE-2025-0238 https://nvd.nist.gov/vuln/detail/CVE-2025-0238 2025-01-07 2025-04-04
Mozilla -- privilege escalation attack firefox 134.0,2 librewolf 134.0 firefox-esr 128.6.0 thunderbird 128.6

security@mozilla.org reports:

The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks.

CVE-2025-0237 https://nvd.nist.gov/vuln/detail/CVE-2025-0237 2025-01-07 2025-04-04
mozilla -- memory corruption firefox 136.0,2 librewolf 136.0 thunderbird 136.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 135 and Thunderbird 135. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-1943 https://nvd.nist.gov/vuln/detail/CVE-2025-1943 2025-03-04 2025-04-03
mozilla -- memory corruption firefox 136.0,2 librewolf 136.0 firefox-esr 128.8,1 thunderbird 136.0

security@mozilla.org reports:

CVE-2025-1938: Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-1935: A web page could trick a user into setting that site as the default handler for a custom URL protocol.

CVE-2025-1934: It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it.

CVE-2025-1938 https://nvd.nist.gov/vuln/detail/CVE-2025-1938 CVE-2025-1935 https://nvd.nist.gov/vuln/detail/CVE-2025-1935 CVE-2025-1934 https://nvd.nist.gov/vuln/detail/CVE-2025-1934 2025-03-04 2025-04-03
mozilla -- Memory safety bugs firefox 136.0,2 librewolf 136.0 firefox-esr 115.21,1 thunderbird 136.0

security@mozilla.org reports:

Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-1937 https://nvd.nist.gov/vuln/detail/CVE-2025-1937 2025-03-04 2025-04-03
mozilla -- use-after-free in WebTransport connection firefox 136.0,2 librewolf 136.0 firefox-esr 115.21,1 thunderbird 136.0

security@mozilla.org reports:

It was possible to cause a use-after-free in the content process side of a WebTransport connection, leading to a potentially exploitable crash.

CVE-2025-1931 https://nvd.nist.gov/vuln/detail/CVE-2025-1931 2025-03-04 2025-04-03
mozilla -- 64 bit JIT WASM read on left over memory firefox 136.0,2 firefox-esr 115.21,1 librewolf 136.0 thunderbird 136.0

security@mozilla.org reports:

On 64-bit CPUs, when the JIT compiles WASM i32 return values they can pick up bits from left over memory. This can potentially cause them to be treated as a different type.

CVE-2025-1933 https://nvd.nist.gov/vuln/detail/CVE-2025-1933 2025-03-04 2025-04-03
MongoDB -- crash due to improper validation of explain command mongodb50 5.0.31 mongodb60 6.0.20 mongodb70 7.0.16 mongodb80 8.0.4

cna@mongodb.com reports:

When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4

CVE-2025-3084 https://nvd.nist.gov/vuln/detail/CVE-2025-3084 2025-04-01 2025-04-03
MongoDB -- Malformed wire protocol messages may cause mongos to crash mongodb50 5.0.31 mongodb60 6.0.20 mongodb70 7.0.16

cna@mongodb.com reports:

Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to6.0.20 and MongoDB v7.0 versions prior to 7.0.16

CVE-2025-3083 https://nvd.nist.gov/vuln/detail/CVE-2025-3083 2025-04-01 2025-04-03
MongoDB -- Unauthorized access to underlying data mongodb50 5.0.31 mongodb60 6.0.20 mongodb70 7.0.16

cna@mongodb.com reports:

A user authorized to access a view may be able to alter the intended collation, allowing them to access to a different or unintended view of underlying data. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.20, MongoDB Server v7.0 version prior to 7.0.14 and MongoDB Server v7.3 versions prior to 7.3.4.

CVE-2025-3082 https://nvd.nist.gov/vuln/detail/CVE-2025-3082 2025-04-01 2025-04-03
openvpn -- server-side denial-of-service vulnerability with tls-crypt-v2 openvpn 2.6.12.6.14 openvpn-devel g20250402,1

Gert Doering reports:

OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made to abort with an ASSERT() message by sending a particular combination of authenticated and malformed packets.

To trigger the bug, a valid tls-crypt-v2 client key is needed, or network observation of a handshake with a valid tls-crypt-v2 client key

No crypto integrity is violated, no data is leaked, and no remote code execution is possible.

This bug does not affect OpenVPN clients.

CVE-2025-2704 https://github.com/OpenVPN/openvpn/blob/v2.6.14/Changes.rst#overview-of-changes-in-2614 2025-03-26 2025-04-02
gitea -- Multiple vulnerabilities gitea 1.23.6

security@golang.org reports:

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means that at most one out-of-order response before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.

golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.

CVE-2025-22870 https://nvd.nist.gov/vuln/detail/CVE-2025-22870 CVE-2025-29923 https://nvd.nist.gov/vuln/detail/CVE-2025-29923 CVE-2025-30204 https://nvd.nist.gov/vuln/detail/CVE-2025-30204 2025-03-12 2025-03-31
mozilla -- multiple vulnerabilities firefox 136.0,2 firefox-esr 128.8,1 thunderbird 136.0 thunderbird 128.8 librewolf 136.0

security@mozilla.org reports:

An inconsistent comparator in xslt/txNodeSorter could have resulted in potentially exploitable out-of-bounds access. Only affected version 122 and later. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.

Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability affects Firefox < 136.

When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string This vulnerability affects Firefox < 136 and Thunderbird < 136.

Websites redirecting to a non-HTTP scheme URL could allow a website address to be spoofed for a malicious page This vulnerability affects Firefox for iOS < 136.

CVE-2025-1932 https://nvd.nist.gov/vuln/detail/CVE-2025-1932 CVE-2025-1941 https://nvd.nist.gov/vuln/detail/CVE-2025-1941 CVE-2025-1942 https://nvd.nist.gov/vuln/detail/CVE-2025-1942 CVE-2025-27424 https://nvd.nist.gov/vuln/detail/CVE-2025-27424 2025-03-04 2025-03-30
suricata -- Multiple vulnerabilities suricata 7.0.9

Suricate team reports:

Multiple vulnerabilities

  • CVE-2025-29915: Severity HIGH. The AF_PACKET defrag option is enabled by default and allows AF_PACKET to re-assemble fragmented packets before reaching Suricata. However the default packet size in Suricata is based on the network interface MTU which leads to Suricata seeing truncated packets.
  • CVE-2025-29916: Severity Moderate. Datasets declared in rules have an option to specify the `hashsize` to use. This size setting isn't properly limited, so the hash table allocation can be large. Untrusted rules can lead to large memory allocations, potentially leading to denial of service due to resource starvation
  • CVE-2025-29917: Severity HIGH. The bytes setting in the decode_base64 keyword is not properly limited. Due to this, signatures using the keyword and setting can cause large memory allocations of up to 4 GiB per thread.
  • CVE-2025-29918: Severity HIGH. A PCRE rule can be written that leads to an infinite loop when negated PCRE is used. Packet processing thread becomes stuck in infinite loop limiting visibility and availability in inline mode.
CVE-2025-29915 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29915 CVE-2025-29916 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29916 CVE-2025-29917 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29917 CVE-2025-29918 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29918 2025-03-12 2025-03-30
qt6-webengine -- Multiple vulnerabilities qt6-pdf qt6-webengine 6.8.3

Qt qtwebengine-chromium repo reports:

Backports for 11 security bugs in Chromium:

  • CVE-2024-11477: 7-Zip Zstd decompression integer underflow
  • CVE-2025-0762: Use after free in DevTools
  • CVE-2025-0996: Inappropriate implementation in Browser UI
  • CVE-2025-0998: Out of bounds memory access in V8
  • CVE-2025-0999: Heap buffer overflow in V8
  • CVE-2025-1006: Use after free in Network
  • CVE-2025-1426: Heap buffer overflow in GPU
  • CVE-2025-1918: Out of bounds read in Pdfium
  • CVE-2025-1919: Out of bounds read in Media
  • CVE-2025-1921: Inappropriate implementation in Media
  • CVE-2025-2036: Use after free in Inspector
CVE-2024-11477 CVE-2025-0762 CVE-2025-0996 CVE-2025-0998 CVE-2025-0999 CVE-2025-1006 CVE-2025-1426 CVE-2025-1918 CVE-2025-1919 CVE-2025-1921 CVE-2025-2036 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=122-based 2025-02-20 2025-03-29
electron{33,34} -- Incorrect handle provided in unspecified circumstances in Mojo electron33 33.4.8 electron34 34.4.1

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2025-2783.
CVE-2025-2783 https://github.com/advisories/GHSA-hfqm-jfc6-rh2f 2025-03-27 2025-03-28
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.10.017.10.1 17.9.017.9.3 12.10.017.8.6

Gitlab reports:

Cross-site Scripting (XSS) through merge-request error messages

Cross-site Scripting (XSS) through improper rendering of certain file types

Admin Privileges Persists After Role is Revoked

External user can access internal projects

Prompt injection in Amazon Q integration may allow unauthorized actions

Uncontrolled Resource Consumption via a maliciously crafted terraform file in merge request

Maintainer can inject shell code in Harbor project name configuration when using helper scripts

CVE-2025-2255 CVE-2025-0811 CVE-2025-2242 CVE-2024-12619 CVE-2024-10307 CVE-2024-9773 https://about.gitlab.com/releases/2025/03/26/patch-release-gitlab-17-10-1-released/ 2025-03-26 2025-03-26
electron{33,34} -- Type Confusion in V8 electron33 33.4.6 electron34 34.3.4

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2025-1920.
CVE-2025-1920 https://github.com/advisories/GHSA-fhwv-7gx3-h767 2025-03-20 2025-03-25
qt5-webengine -- Use after free in Compositing qt5-webengine 5.15.18p7

Qt qtwebengine-chromium repo reports:

Backports for 1 security bug in Chromium:

  • CVE-2024-12694: Use after free in Compositing
CVE-2024-12694 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=87-based 2025-02-14 2025-03-23
www/varnish7 -- client-side desync vulnerability varnish7 7.6.2

The Varnish Development Team reports:

A client-side desync vulnerability can be triggered in Varnish Cache and Varnish Enterprise. This vulnerability can be triggered under specific circumstances involving malformed HTTP/1 requests.

CVE-2025-30346 https://varnish-cache.org/security/VSV00015.html#vsv00015 2024-12-17 2025-03-22
chromium -- multiple security fixes chromium 134.0.6998.117 ungoogled-chromium 134.0.6998.117

Chrome Releases reports:

This update includes 2 security fixes:

  • [401029609] Critical CVE-2025-2476: Use after free in Lens. Reported by SungKwon Lee of Enki Whitehat on 2025-03-05
CVE-2025-2476 https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_19.html 2025-03-19 2025-03-20
php -- Multiple vulnerabilities php81 8.1.32 php82 8.2.28 php83 8.3.19 php84 8.4.5

php.net reports:

  • CVE-2024-11235: Core: Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes Use-After-Free).
  • CVE-2025-1219: LibXML: Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource).
  • CVE-2025-1736: Streams: Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header).
  • CVE-2025-1861: Streams: Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes).
  • CVE-2025-1734: Streams: Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon).
  • CVE-2025-1217: Streams: Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers).
CVE-2024-11235 CVE-2025-1219 CVE-2025-1736 CVE-2025-1861 CVE-2025-1734 CVE-2025-1217 https://www.php.net/ChangeLog-8.php 2025-03-13 2025-03-13
shibboleth-sp -- Parameter manipulation allows the forging of signed SAML messages opensaml 3.3.1

The Shibboleth Project reports:

An updated version of the OpenSAML C++ library is available which corrects a parameter manipulation vulnerability when using SAML bindings that rely on non-XML signatures. The Shibboleth Service Provider is impacted by this issue, and it manifests as a critical security issue in that context.

Parameter manipulation allows the forging of signed SAML messages

A number of vulnerabilities in the OpenSAML library used by the Shibboleth Service Provider allowed for creative manipulation of parameters combined with reuse of the contents of older requests to fool the library's signature verification of non-XML based signed messages.

Most uses of that feature involve very low or low impact use cases without critical security implications; however, there are two scenarios that are much more critical, one affecting the SP and one affecting some implementers who have implemented their own code on top of our OpenSAML library and done so improperly.

The SP's support for the HTTP-POST-SimpleSign SAML binding for Single Sign-On responses is its critical vulnerability, and it is enabled by default (regardless of what one's published SAML metadata may advertise).

The other critical case involves a mistake that does *not* impact the Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding contrary to the plain language of the SAML Browser SSO profile. The SP does not support this, but other implementers may have done so.

Prior to updating, it is possible to mitigate the POST-SimpleSign vulnerability by editing the protocols.xml configuration file and removing this line: <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" path="/SAML2/POST-SimpleSign" />

https://shibboleth.net/community/advisories/secadv_20250313.txt 2025-03-13 2025-03-13
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.9.017.9.2 17.8.017.8.5 11.517.7.7

Gitlab reports:

CVE-2025-25291 and CVE-2025-25292 (third party gem ruby-saml)

CVE-2025-27407 (third party gem graphql)

Denial of Service Due to Inefficient Processing of Untrusted Input

Credentials disclosed when repository mirroring fails

Denial of Service Vulnerability in GitLab Approval Rules due to Unbounded Field

Internal Notes in Merge Requests Are Emailed to Non-Members Upon Review Submission

Maintainer can inject shell code in Google integrations

Guest with custom Admin group member permissions can approve the users invitation despite user caps

CVE-2025-25291 CVE-2025-25292 CVE-2025-27407 CVE-2024-13054 CVE-2024-12380 CVE-2025-1257 CVE-2025-0652 CVE-2024-8402 CVE-2024-7296 https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/ 2025-03-12 2025-03-13
vim -- potential data loss with zip.vim and specially crafted zip files vim 9.1.1198

Vim reports:

See https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf

CVE-2025-29768 https://github.com/vim/vim/security/advisories/GHSA-693p-m996-3rmf 2025-03-12 2025-03-12
chromium -- multiple security fixes chromium 134.0.6998.88 ungoogled-chromium 134.0.6998.88

Chrome Releases reports:

This update includes 5 security fixes:

  • [398065918] High CVE-2025-1920: Type Confusion in V8. Reported by Excello s.r.o. on 2025-02-21
  • [400052777] High CVE-2025-2135: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2025-03-02
  • [401059730] High CVE-TBD: Out of bounds write in GPU. Reported on 2025-03-05
  • [395032416] Medium CVE-2025-2136: Use after free in Inspector. Reported by Sakana.S on 2025-02-10
  • [398999390] Medium CVE-2025-2137: Out of bounds read in V8. Reported by zeroxiaobai@ on 2025-02-25
CVE-2025-1920 CVE-2025-2135 CVE-2025-2136 CVE-2025-2137 https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html 2025-03-10 2025-03-11
libreoffice -- Macro URL arbitrary script execution libreoffice 24.824.8.5 25.225.2.1

security@documentfoundation.org reports:

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments. This issue affects LibreOffice: from 24.8 before < 24.8.5, from 25.2 before < 25.2.1.

CVE-2025-1080 https://nvd.nist.gov/vuln/detail/CVE-2025-1080 2025-03-04 2025-03-10
vim -- Improper Input Validation in Vim vim 9.1.1164 vim-gtk2 9.1.1164 vim-gtk3 9.1.1164 vim-motif 9.1.1164 vim-tiny 9.1.1164 vim-x11 9.1.1164

security-advisories@github.com reports:

Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position, however the is not sanitized and is taken literally from the tar archive. This allows to execute shellcommands via special crafted tar archives. Whether this really happens, depends on the shell being used ('shell' option, which is set using $SHELL).

CVE-2025-27423 https://nvd.nist.gov/vuln/detail/CVE-2025-27423 2025-03-03 2025-03-10
electron33 -- multiple vulnerabilities electron33 33.4.3

Electron develpers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2025-0445.
  • Security: backported fix for CVE-2025-0995.
  • Security: backported fix for CVE-2025-0998.
CVE-2025-0445 https://github.com/advisories/GHSA-q4fq-38gr-ccp3 CVE-2025-0995 https://github.com/advisories/GHSA-377p-4737-hx6m CVE-2025-0998 https://github.com/advisories/GHSA-4v9x-qxmv-4h58 2025-03-06 2025-03-08
electron32 -- multiple vulnerabilities electron32 32.3.3

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2025-0445.
  • Security: backported fix for CVE-2025-0998.
CVE-2025-0445 https://github.com/advisories/GHSA-q4fq-38gr-ccp3 CVE-2025-0998 https://github.com/advisories/GHSA-4v9x-qxmv-4h58 2025-03-03 2025-03-07
Jinja2 -- Sandbox breakout through attr filter selecting format method py38-Jinja2 py39-Jinja2 py310-Jinja2 py311-Jinja2 3.1.6

security-advisories@github.com reports:

Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.

CVE-2025-27516 https://nvd.nist.gov/vuln/detail/CVE-2025-27516 2025-03-05 2025-03-06
xorg server -- Multiple vulnerabilities xorg-server xephyr xorg-vfbserver 21.1.16,1 xorg-nextserver 21.1.16,2 xwayland 24.1.6

The X.Org project reports:

  • CVE-2025-26594: Use-after-free of the root cursor

    The root cursor is referenced in the xserver as a global variable. If a client manages to free the root cursor, the internal reference points to freed memory and causes a use-after-free.

  • CVE-2025-26595: Buffer overflow in XkbVModMaskText()

    The code in XkbVModMaskText() allocates a fixed sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code however fails to check the bounds of the buffer correctly and would copy the data regardless of the size, which may lead to a buffer overflow.

  • CVE-2025-26596: Heap overflow in XkbWriteKeySyms()

    The computation of the length in XkbSizeKeySyms() differs from what is actually written in XkbWriteKeySyms(), which may lead to a heap based buffer overflow.

  • CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey()

    If XkbChangeTypesOfKey() is called with 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If later, the same function is called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size.

  • CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient()

    The function GetBarrierDevice() searches for the pointer device based on its device id and returns the matching value, or supposedly NULL if no match was found. However the code will return the last element of the list if no matching device id was found which can lead to out of bounds memory access.

  • CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow()

    The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error without the validation of the window tree marked just before, which leaves the validate data partly initialized, and the use of an uninitialized pointer later.

  • CVE-2025-26600: Use-after-free in PlayReleasedEvents()

    When a device is removed while still frozen, the events queued for that device remain while the device itself is freed and replaying the events will cause a use after free.

  • CVE-2025-26601: Use-after-free in SyncInitTrigger()

    When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object. This can be used to cause a use after free when the alarm eventually triggers.

CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597 CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601 https://lists.x.org/archives/xorg-announce/2025-February/003584.html 2025-02-25 2025-03-06
caldera -- Remote Code Execution caldera 5.2.0 caldera4 4.2.0

MITRE Caldera contributor report:

In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. This allows remote attackers to execute arbitrary code on the server that Caldera is running on via a crafted web request to the Caldera server API used for compiling and downloading of Caldera's Sandcat or Manx agent (implants). This web request can use the gcc -extldflags linker flag with sub-commands.

CVE-2025-27364 https://nvd.nist.gov/vuln/detail/CVE-2025-27364 2025-02-16 2025-03-06
jenkins -- multiple vulnerabilities jenkins 2.500 jenkins-lts 2.492.2

Jenkins Security Advisory:

Description

(Medium) SECURITY-3495 / CVE-2025-27622

Encrypted values of secrets stored in agent configuration revealed to users with Agent/Extended Read permission

Description

(Medium) SECURITY-3496 / CVE-2025-27623

Encrypted values of secrets stored in view configuration revealed to users with View/Read permission

Description

(Medium) SECURITY-3498 / CVE-2025-27624

CSRF vulnerability

Description

(Medium) SECURITY-3501 / CVE-2025-27625

Open redirect vulnerability

CVE-2025-27622 CVE-2025-27623 CVE-2025-27624 CVE-2025-27625 https://www.jenkins.io/security/advisory/2025-03-05/ 2025-03-05 2025-03-05
Spotipy -- Spotipy's cache file, containing spotify auth token, is created with overly broad permissions py38-spotipy py39-spotipy py310-spotipy py311-spotipy 2.25.1

security-advisories@github.com reports:

Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.

CVE-2025-27154 https://nvd.nist.gov/vuln/detail/CVE-2025-27154 2025-02-27 2025-03-05
chromium -- multiple security fixes chromium 134.0.6998.35 ungoogled-chromium 134.0.6998.35

Chrome Releases reports:

This update includes 14 security fixes:

  • [397731718] High CVE-2025-1914: Out of bounds read in V8. Reported by Zhenghang Xiao (@Kipreyyy) and Nan Wang (@eternalsakura13) on 2025-02-20
  • [391114799] Medium CVE-2025-1915: Improper Limitation of a Pathname to a Restricted Directory in DevTools. Reported by Topi Lassila on 2025-01-20
  • [376493203] Medium CVE-2025-1916: Use after free in Profiles. Reported by parkminchan, SSD Labs Korea on 2024-10-31
  • [329476341] Medium CVE-2025-1917: Inappropriate Implementation in Browser UI. Reported by Khalil Zhani on 2024-03-14
  • [388557904] Medium CVE-2025-1918: Out of bounds read in PDFium. Reported by asnine on 2025-01-09
  • [392375312] Medium CVE-2025-1919: Out of bounds read in Media. Reported by @Bl1nnnk and @Pisanbao on 2025-01-26
  • [387583503] Medium CVE-2025-1921: Inappropriate Implementation in Media Stream. Reported by Kaiido on 2025-01-04
  • [384033062] Low CVE-2025-1922: Inappropriate Implementation in Selection. Reported by Alesandro Ortiz on 2024-12-14
  • [382540635] Low CVE-2025-1923: Inappropriate Implementation in Permission Prompts. Reported by Khalil Zhani on 2024-12-06
CVE-2025-1914 CVE-2025-1915 CVE-2025-1916 CVE-2025-1917 CVE-2025-1918 CVE-2025-1919 CVE-2025-1921 CVE-2025-1922 CVE-2025-1923 https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html 2025-03-04 2025-03-05
electron{32,33} -- multiple vulnerabilities electron32 32.3.2 electron33 33.4.2

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2025-0611.
  • Security: backported fix for CVE-2025-0612.
  • Security: backported fix for CVE-2025-0999.
CVE-2025-0611 https://github.com/advisories/GHSA-83vc-v46q-mv3w CVE-2025-0612 https://github.com/advisories/GHSA-c6xg-jh94-mf2w CVE-2025-0999 https://github.com/advisories/GHSA-f2jv-hxph-r5wm 2025-02-27 2025-03-04
unit -- potential security issue unit unit-java 1.11.01.34.2

SO-AND-SO reports:

Unit 1.34.2 fixes two issues in the Java language module websocket code.

  1. It addresses a potential security issue where we could get a negative payload length that could cause the Java language module process(es) to enter an infinite loop and consume excess CPU. This was a bug carried over from the initial Java websocket code import. It has been re-issued a CVE number (CVE-2025-1695).
  2. It addresses an issue whereby decoded payload lengths would be limited to 32 bits.
CVE-2025-1695 https://mailman.nginx.org/pipermail/unit/2025-March/QVYLJKLBIDWOJ7OLYGT27VUWH7RGBRQM.html 2025-03-03 2025-03-03
vim -- Potential code execution vim vim-gtk2 vim-gtk3 vim-motif vim-x11 vim-tiny 9.1.1164

vim reports:

Summary

Potential code execution with tar.vim and special crafted tar files

Description

Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of (compressed or uncompressed) tar files.

Since commit 129a844 (Nov 11, 2024 runtime(tar): Update tar.vim to support permissions), the tar.vim plugin uses the ":read " ex command line to append below the cursor position, however the is not sanitized and is taken literaly from the tar archive. This allows to execute shell commands via special crafted tar archives. Whether this really happens, depends on the shell being used ('shell' option, which is set using $SHELL).

Impact

Impact is high but a user must be convinced to edit such a file using Vim which will reveal the filename, so a careful user may suspect some strange things going on.

https://github.com/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3 2025-03-02 2025-03-02
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.9.017.9.1 17.8.017.8.4 15.10.017.7.6

Gitlab reports:

XSS in k8s proxy endpoint

XSS Maven Dependency Proxy

HTML injection leads to XSS on self hosted instances

Improper Authorisation Check Allows Guest User to Read Security Policy

Planner role can read code review analytics in private projects

CVE-2025-0475 CVE-2025-0555 CVE-2024-8186 CVE-2024-10925 CVE-2025-0307 https://about.gitlab.com/releases/2025/02/26/patch-release-gitlab-17-9-1-released/ 2025-02-26 2025-02-28
chromium -- multiple security fixes chromium 133.0.6943.141 ungoogled-chromium 133.0.6943.141

Chrome Releases reports:

This update includes 1 security fix.

https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_25.html 2025-02-25 2025-02-27
exiv2 -- Use after free in TiffSubIfd exiv2 0.28.00.28.5

Kevin Backhouse reports:

A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4. Versions prior to v0.28.0, such as v0.27.7, are not affected. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as fixiso.

CVE-2025-26623 https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7 2025-02-18 2025-02-25
Emacs -- Arbitrary code execution vulnerability emacs emacs-canna emacs-nox emacs-wayland 30.1,3 emacs-devel emacs-devel-nox 30.0.50.20240115,3

Problem Description

A shell injection vulnerability exists in GNU Emacs due to improper handling of custom man URI schemes.

Impact

Initially considered low severity, as it required user interaction with local files, it was later discovered that an attacker could exploit this vulnerability by tricking a user into visiting a specially crafted website or an HTTP URL with a redirect, leading to arbitrary shell command execution without further user action.

CVE-2025-1244 https://nvd.nist.gov/vuln/detail/CVE-2025-1244 2025-02-11 2025-02-24 2025-02-25
Emacs -- Shell injection vulnerability emacs emacs-canna emacs-nox emacs-wayland 30.1,3 emacs-devel emacs-devel-nox 31.0.50.20250101,3

Problem Description:

An Emacs user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.

CVE-2024-53920 https://nvd.nist.gov/vuln/detail/CVE-2024-53920 2024-11-27 2025-02-24
exim -- SQL injection exim 4.98.1

cve@mitre.org reports:

Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection.

CVE-2025-26794 https://nvd.nist.gov/vuln/detail/CVE-2025-26794 2025-02-21 2025-02-24
FreeBSD -- Multiple vulnerabilities in OpenSSH FreeBSD 14.214.2_2 14.114.1_8 13.413.4_4 openssh-portable 9.9.p2_1,1 openssh-portable-hpn 9.9.p2_1,1 openssh-portable-gssapi 9.9.p2_1,1

Problem Description:

OpenSSH client host verification error (CVE-2025-26465)

ssh(1) contains a logic error that allows an on-path attacker to impersonate any server during certain conditions when the VerifyHostKeyDNS option is enabled.

OpenSSH server denial of service (CVE-2025-26466)

The OpenSSH client and server are both vulnerable to a memory/CPU denial of service while handling SSH2_MSG_PING packets.

Impact:

OpenSSH client host verification error (CVE-2025-26465)

Under specific circumstances, a machine-in-the-middle may impersonate any server when the client has the VerifyHostKeyDNS option enabled.

OpenSSH server denial of service (CVE-2025-26466)

During the processing of SSH2_MSG_PING packets, a server may be subject to a memory/CPU denial of service.

CVE-2025-26465 CVE-2025-26466 SA-25:05.openssh https://nvd.nist.gov/vuln/detail/CVE-2025-26465 https://nvd.nist.gov/vuln/detail/CVE-2025-26466 2025-02-21 2025-02-24 2025-03-08
chromium -- multiple security fixes chromium 133.0.6943.126 ungoogled-chromium 133.0.6943.126

Chrome Releases reports:

This update includes 3 security fixes:

  • [394350433] High CVE-2025-0999: Heap buffer overflow in V8. Reported by Seunghyun Lee (@0x10n) on 2025-02-04
  • [383465163] High CVE-2025-1426: Heap buffer overflow in GPU. Reported by un3xploitable and GF on 2024-12-11
  • [390590778] Medium CVE-2025-1006: Use after free in Network. Reported by Tal Keren, Sam Agranat, Eran Rom, Edouard Bochin, Adam Hatsir of Palo Alto Networks on 2025-01-18
CVE-2025-0999 CVE-2025-1426 CVE-2025-1006 https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_18.html 2025-02-18 2025-02-20
chromium -- multiple security fixes chromium 133.0.6943.98 ungoogled-chromium 133.0.6943.98

Chrome Releases reports:

This update includes 4 security fixes:

  • [391907159] High CVE-2025-0995: Use after free in V8. Reported by Popax21 on 2025-01-24
  • [391788835] High CVE-2025-0996: Inappropriate implementation in Browser UI. Reported by yuki yamaoto on 2025-01-23
  • [391666328] High CVE-2025-0997: Use after free in Navigation. Reported by asnine on 2025-01-23
  • [386857213] High CVE-2025-0998: Out of bounds memory access in V8. Reported by Alan Goodman on 2024-12-31
CVE-2025-0995 CVE-2025-0996 CVE-2025-0997 CVE-2025-0998 https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_12.html 2025-02-12 2025-02-20
chromium -- multiple security fixes chromium 133.0.6943.53 ungoogled-chromium 133.0.6943.53

Chrome Releases reports:

This update includes 12 security fixes:

  • [390889644] High CVE-2025-0444: Use after free in Skia. Reported by Francisco Alonso (@revskills) on 2025-01-19
  • [392521083] High CVE-2025-0445: Use after free in V8. Reported by 303f06e3 on 2025-01-27
  • [40061026] Medium CVE-2025-0451: Inappropriate implementation in Extensions API. Reported by Vitor Torres and Alesandro Ortiz on 2022-09-18
CVE-2025-0444 CVE-2025-0445 CVE-2025-0451 https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop.html 2025-02-04 2025-02-20
vscode -- multiple vulnerabilities vscode 1.97.1

VSCode developers report:

The update addresses these issues, including a fix for a security vulnerability.

  • Scope node_module binary resolution in js-debug
  • Elevation of Privilege Vulnerability with VS Code server for web UI
CVE-2025-24042 https://github.com/microsoft/vscode/security/advisories/GHSA-f85p-3684-2g3j CVE-2025-24039 https://github.com/microsoft/vscode/security/advisories/GHSA-532g-4pv9-25f2 2025-02-11 2025-02-13
security/openvpn-auth-ldap -- Fix buffer overflow in challenge/response openvpn-auth-ldap 2.0.4_3

Graham Northup reports:

A buffer overflow in extract_openvpn_cr allows attackers with a valid LDAP username and who can control the challenge/response password field to pass a string with more than 14 colons into this field and cause a buffer overflow.

CVE-2024-28820 https://nvd.nist.gov/vuln/detail/CVE-2024-28820 2024-06-27 2025-02-13
PostgreSQL -- PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation postgresql17-client 17.3 postgresql16-client 16.7 postgresql15-client 15.11 postgresql14-client 14.16 postgresql13-client 13.19

The PostgreSQL Project reports:

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.

CVE-2025-1094 https://www.postgresql.org/support/security/CVE-2025-1094/ 2025-02-13 2025-02-13
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.8.017.8.2 17.7.017.7.4 8.3.017.6.5

Gitlab reports:

A CSP-bypass XSS in merge-request page

Denial of Service due to Unbounded Symbol Creation

Exfiltrate content from private issues using Prompt Injection

A custom permission may allow overriding Repository settings

Internal HTTP header leak via route confusion in workhorse

SSRF via workspaces

Unauthorized Incident Closure and Deletion by Planner Role in GitLab

ActionCable does not invalidate tokens after revocation

CVE-2025-0376 CVE-2024-12379 CVE-2024-3303 CVE-2025-1042 CVE-2025-1212 CVE-2024-9870 CVE-2025-0516 CVE-2025-1198 https://about.gitlab.com/releases/2025/02/12/patch-release-gitlab-17-8-2-released/ 2025-02-12 2025-02-13
Intel CPUs -- multiple vulnerabilities cpu-microcode-intel 20250211

Intel reports:

A potential security vulnerability in some Intel Processors may allow denial of service. Intel released microcode updates to mitigate this potential vulnerability.

A potential security vulnerability in some Intel Software Guard Extensions (Intel SGX) Platforms may allow denial of service. Intel is released microcode updates to mitigate this potential vulnerability.

Potential security vulnerabilities in the UEFI firmware for some Intel Processors may allow escalation of privilege, denial of service, or information disclosure. Intel released UEFI firmware and CPU microcode updates to mitigate these potential vulnerabilities.

A potential security vulnerability in some 13th and 14th Generation Intel Coreā„¢ Processors may allow denial of service. Intel released microcode and UEFI reference code updates to mitigate this potential vulnerability.

A potential security vulnerability in the Intel Data Streaming Accelerator (Intel DSA) for some Intel Xeon Processors may allow denial of service. Intel released software updates to mitigate this potential vulnerability.

CVE-2024-31068 CVE-2024-36293 CVE-2023-43758 CVE-2024-39355 CVE-2024-37020 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211 2025-02-11 2025-02-12
OpenSSL -- Man-in-the-Middle vulnerability openssl32 3.2.4 openssl33 3.3.2 openssl34 3.4.1

The OpenSSL project reports:

RFC7250 handshakes with unauthenticated servers don't abort as expected (High). Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set.

CVE-2024-12797 https://openssl-library.org/news/secadv/20250211.txt 2025-02-11 2025-02-11
mozilla -- multiple vulnerabilities firefox 135.0.0,2 firefox-esr 128.7,1 thunderbird 128.7 129135

security@mozilla.org reports:

A bug in WebAssembly code generation could have lead to a crash. It may have been possible for an attacker to leverage this to achieve code execution.

A race condition could have led to private browsing tabs being opened in normal browsing windows. This could have resulted in a potential privacy leak.

Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed.

Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-1011 https://nvd.nist.gov/vuln/detail/CVE-2025-1011 CVE-2025-1013 https://nvd.nist.gov/vuln/detail/CVE-2025-1013 CVE-2025-1014 https://nvd.nist.gov/vuln/detail/CVE-2025-1014 CVE-2025-1017 https://nvd.nist.gov/vuln/detail/CVE-2025-1017 2025-02-04 2025-02-07
mozilla -- multiple vulnerabilities mozilla 135.0.0,2

security@mozilla.org reports:

Memory safety bugs present in Firefox 134 and Thunderbird 134. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack.

CVE-2025-1018 https://nvd.nist.gov/vuln/detail/CVE-2025-1018 CVE-2025-1019 https://nvd.nist.gov/vuln/detail/CVE-2025-1019 CVE-2025-1020 https://nvd.nist.gov/vuln/detail/CVE-2025-1020 2025-02-04 2025-02-07
mozilla -- multiple vulnerabilities firefox 135.0.0,2 firefox-esr 115.20,1 116.0,1128.6,1 thunderbird 128.7 129135

security@mozilla.org reports:

An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash.

An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash.

A race during concurrent delazification could have led to a use-after-free.

Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-1009 https://nvd.nist.gov/vuln/detail/CVE-2025-1009 CVE-2025-1010 https://nvd.nist.gov/vuln/detail/CVE-2025-1010 CVE-2025-1012 https://nvd.nist.gov/vuln/detail/CVE-2025-1012 CVE-2025-1016 https://nvd.nist.gov/vuln/detail/CVE-2025-1016 2025-02-04 2025-02-07
Thundirbird -- unprivileged JavaScript code execution mozilla 128.7,1

security@mozilla.org reports:

The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the Other field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript.

CVE-2025-1015 https://nvd.nist.gov/vuln/detail/CVE-2025-1015 2025-02-04 2025-02-07
MariaDB -- DoS vulnerability in InnoDB mariadb105-server 10.5.28 mariadb106-server 10.6.21 mariadb1011-server 10.11.11 mariadb114-server 11.4.5

MariaDB reports:

Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVE-2025-21490 http://mariadb.com/kb/en/security/ 2025-02-04 2025-02-07
libcaca -- Multiple vulnerabilities libcaca 0.99.b20

Sam Hocevar reports:

Multiple memory leaks and invalid memory accesses:

  • CVE-2018-20545: Illegal WRITE memory access at common-image.c
  • CVE-2018-20546: Illegal READ memory access at caca/dither.c
  • CVE-2018-20547: Illegal READ memory access at caca/dither.c
  • CVE-2018-20548: Illegal WRITE memory access at common-image.c
  • CVE-2018-20549: Illegal WRITE memory access at caca/file.c
  • CVE-2021-3410: Buffer overflow in libcaca/caca/canvas.c in function caca_resize
  • CVE-2021-30498: Heap buffer overflow in export.c in function export_tga
  • CVE-2021-30499: Buffer overflow in export.c in function export_troff
CVE-2018-20545 CVE-2018-20546 CVE-2018-20547 CVE-2018-20548 CVE-2018-20549 CVE-2021-3410 CVE-2021-30498 CVE-2021-30499 https://github.com/cacalabs/libcaca/releases/tag/v0.99.beta20 2021-10-19 2025-02-07
cacti -- Multiple vulnerabilities cacti 1.2.29

Cacti repo reports:

  • security #GHSA-c5j8-jxj3-hh36: Authenticated RCE via multi-line SNMP responses
  • security #GHSA-f9c7-7rc3-574c: SQL Injection vulnerability when using tree rules through Automation API
  • security #GHSA-fh3x-69rr-qqpp: SQL Injection vulnerability when request automation devices
  • security #GHSA-fxrq-fr7h-9rqq: Arbitrary File Creation leading to RCE
  • security #GHSA-pv2c-97pp-vxwg: Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path
  • security #GHSA-vj9g-p7f2-4wqj: SQL Injection vulnerability when view host template
CVE-2025-22604 CVE-2025-24368 CVE-2024-54145 CVE-2025-24367 CVE-2024-45598 CVE-2024-54146 2025-02-02 2025-02-05
nginx-devel -- SSL session reuse vulnerability nginx-devel 1.27.4 nginx 1.26.3

The nginx development team reports:

This update fixes the SSL session reuse vulnerability.

CVE-2025-23419 2025-02-05 2025-02-05
qt6-webengine -- Multiple vulnerabilities qt6-webengine 6.8.2

Qt qtwebengine-chromium repo reports:

Backports for 9 security bugs in Chromium:

  • CVE-2024-12693: Out of bounds memory access in V8
  • CVE-2024-12694: Use after free in Compositing
  • CVE-2025-0436: Integer overflow in Skia
  • CVE-2025-0437: Out of bounds read in Metrics
  • CVE-2025-0438: Stack buffer overflow in Tracing
  • CVE-2025-0441: Inappropriate implementation in Fenced Frames
  • CVE-2025-0443: Insufficient data validation in Extensions
  • CVE-2025-0447: Inappropriate implementation in Navigation
  • CVE-2025-0611: Object corruption in V8
CVE-2024-12693 CVE-2024-12694 CVE-2025-0436 CVE-2025-0437 CVE-2025-0438 CVE-2025-0441 CVE-2025-0443 CVE-2025-0447 CVE-2025-0611 https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=122-based 2025-01-09 2025-02-02
chromium -- multiple security fixes chromium 132.0.6834.159 ungoogled-chromium 132.0.6834.159

Chrome Releases reports:

This update includes 2 security fixes:

  • [384844003] Medium CVE-2025-0762: Use after free in DevTools. Reported by Sakana.S on 2024-12-18
CVE-2025-0762 https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_28.html 2025-01-18 2025-01-31
dendrite -- Server-side request forgery vulnerability dendrite 0.14.1

Dendrite team reports:

This is a security release, gomatrixserverlib was vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions.

CVE-2024-52594 https://github.com/matrix-org/gomatrixserverlib/security/advisories/GHSA-4ff6-858j-r822 2025-01-16 2025-01-30
FreeBSD -- Uninitialized kernel memory disclosure via ktrace(2) FreeBSD-kernel 14.214.2_1

Problem Description:

In some cases, the ktrace facility will log the contents of kernel structures to userspace. In one such case, ktrace dumps a variable-sized sockaddr to userspace. There, the full sockaddr is copied, even when it is shorter than the full size. This can result in up to 14 uninitialized bytes of kernel memory being copied out to userspace.

Impact:

It is possible for an unprivileged userspace program to leak 14 bytes of a kernel heap allocation to userspace.

CVE-2025-0662 SA-25:04.ktrace 2025-01-29 2025-01-30
FreeBSD -- Unprivileged access to system files FreeBSD 14.214.2_1 14.114.1_7 13.413.4_3

Problem Description:

When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd.

Impact:

An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved.

CVE-2025-0374 SA-25:03.etcupdate 2025-01-29 2025-01-30
FreeBSD -- Buffer overflow in some filesystems via NFS FreeBSD-kernel 14.214.2_1 14.114.1_7 13.413.4_3

Problem Description:

In order to export a file system via NFS, the file system must define a file system identifier (FID) for all exported files. Each FreeBSD file system implements operations to translate between FIDs and vnodes, the kernel's in-memory representation of files. These operations are VOP_VPTOFH(9) and VFS_FHTOVP(9).

On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack buffer overflow.

Impact:

A NFS server that exports a cd9660, tarfs, or ext2fs file system can be made to panic by mounting and accessing the export with an NFS client. Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, though this has not been demonstrated. In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic.

CVE-2025-0373 SA-25:02.fs 2025-01-29 2025-01-30
FreeBSD -- OpenSSH Keystroke Obfuscation Bypass FreeBSD 14.114.1_7

Problem Description:

A logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective.

Impact:

A passive observer could detect which network packets contain real keystrokes, and infer the specific characters being transmitted from packet timing.

CVE-2024-39894 SA-25:01.openssh 2025-01-29 2025-01-30
oauth2-proxy -- Non-linear parsing of case-insensitive content oauth2-proxy 7.8.0

Golang reports:

This update include security fixes:

  • CVE-2024-45338: Non-linear parsing of case-insensitive content
CVE-2024-45338 2025-01-14 2025-01-30
Vaultwarden -- Multiple vulnerabilities vaultwarden 1.33.0

The Vaultwarden project reports:

RCE in the admin panel.

Getting access to the Admin Panel via CSRF.

Escalation of privilege via variable confusion in OrgHeaders trait.

CVE-2025-24364 https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-j4h8-vch3-f797 CVE-2025-24365 https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h6cc-rc6q-23j4 2025-01-25 2025-01-25
chromium -- multiple security fixes chromium 132.0.6834.110 ungoogled-chromium 132.0.6834.110

Chrome Releases reports:

This update includes 3 security fixes:

  • [386143468] High CVE-2025-0611: Object corruption in V8. Reported by 303f06e3 on 2024-12-26
  • [385155406] High CVE-2025-0612: Out of bounds memory access in V8. Reported by Alan Goodman on 2024-12-20
CVE-2025-0611 CVE-2025-0612 https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_22.html 2025-01-22 2025-01-25
chromium -- multiple security fixes chromium 132.0.6834.83 ungoogled-chromium 132.0.6834.83

Chrome Releases reports:

This update includes 16 security fixes:

  • [374627491] High CVE-2025-0434: Out of bounds memory access in V8. Reported by ddme on 2024-10-21
  • [379652406] High CVE-2025-0435: Inappropriate implementation in Navigation. Reported by Alesandro Ortiz on 2024-11-18
  • [382786791] High CVE-2025-0436: Integer overflow in Skia. Reported by Han Zheng (HexHive) on 2024-12-08
  • [378623799] High CVE-2025-0437: Out of bounds read in Metrics. Reported by Xiantong Hou of Wuheng Lab and Pisanbao on 2024-11-12
  • [384186539] High CVE-2025-0438: Stack buffer overflow in Tracing. Reported by Han Zheng (HexHive) on 2024-12-15
  • [371247941] Medium CVE-2025-0439: Race in Frames. Reported by Hafiizh on 2024-10-03
  • [40067914] Medium CVE-2025-0440: Inappropriate implementation in Fullscreen. Reported by Umar Farooq on 2023-07-22
  • [368628042] Medium CVE-2025-0441: Inappropriate implementation in Fenced Frames. Reported by someoneverycurious on 2024-09-21
  • [40940854] Medium CVE-2025-0442: Inappropriate implementation in Payments. Reported by Ahmed ElMasry on 2023-11-08
  • [376625003] Medium CVE-2025-0443: Insufficient data validation in Extensions. Reported by Anonymous on 2024-10-31
  • [359949844] Low CVE-2025-0446: Inappropriate implementation in Extensions. Reported by Hafiizh on 2024-08-15
  • [375550814] Low CVE-2025-0447: Inappropriate implementation in Navigation. Reported by Khiem Tran (@duckhiem) on 2024-10-25
  • [377948403] Low CVE-2025-0448: Inappropriate implementation in Compositing. Reported by Dahyeon Park on 2024-11-08
CVE-2025-0434 CVE-2025-0435 CVE-2025-0436 CVE-2025-0437 CVE-2025-0438 CVE-2025-0439 CVE-2025-0440 CVE-2025-0441 CVE-2025-0442 CVE-2025-0443 CVE-2025-0446 CVE-2025-0447 CVE-2025-0448 https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_14.html 2025-01-14 2025-01-25
electron32 -- multiple vulnerabilities electron32 32.3.0

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-12693.
  • Security: backported fix for CVE-2024-12694.
  • Security: backported fix for CVE-2024-12695.
  • Security: backported fix for CVE-2025-0434.
  • Security: backported fix for CVE-2025-0436.
  • Security: backported fix for CVE-2025-0437.
CVE-2024-12693 https://github.com/advisories/GHSA-m84q-p89f-6cc5 CVE-2024-12694 https://github.com/advisories/GHSA-cgc6-4xgf-5q5x CVE-2024-12695 https://github.com/advisories/GHSA-6895-2frg-pq5j CVE-2025-0434 https://github.com/advisories/GHSA-fpmx-pfpg-92xg CVE-2025-0436 https://github.com/advisories/GHSA-ww3g-8h77-wr7v CVE-2025-0437 https://github.com/advisories/GHSA-4353-vp82-4qq4 2025-01-23 2025-01-25
electron33 -- multiple vulnerabilities electron33 33.3.2

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2025-0434.
  • Security: backported fix for CVE-2025-0436.
  • Security: backported fix for CVE-2025-0437.
CVE-2025-0434 https://github.com/advisories/GHSA-fpmx-pfpg-92xg CVE-2025-0436 https://github.com/advisories/GHSA-ww3g-8h77-wr7v CVE-2025-0437 https://github.com/advisories/GHSA-4353-vp82-4qq4 2025-01-22 2025-01-23
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.8.017.8.1 17.7.017.7.3 15.7.017.6.4

Gitlab reports:

Stored XSS via Asciidoctor render

Developer could exfiltrate protected CI/CD variables via CI lint

Cyclic reference of epics leads resource exhaustion

CVE-2025-0314 CVE-2024-11931 CVE-2024-6324 https://about.gitlab.com/releases/2025/01/22/patch-release-gitlab-17-8-1-released/ 2025-01-22 2025-01-23
clamav -- Possbile denial-of-service vulnerability clamav 1.0.0,11.4.2,1 clamav-lts 1.0.0,11.0.8,1

The ClamAV project reports:

A possible buffer overflow read bug is found in the OLE2 file parser that could cause a denial-of-service (DoS) condition.

CVE-2025-20128 https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html 2025-01-22 2025-01-23
electron32 -- Type Confusion in V8 electron32 32.2.8

Electron developers report:

This update fixes the following vulnerability:

  • Security: backported fix for CVE-2024-12053.
CVE-2024-12053 https://github.com/advisories/GHSA-wvx7-72hc-rp32 2025-01-06 2025-01-22
go -- multiple vulnerabilities go122 1.22.11 go123 1.23.5

The Go project reports:

crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints

A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.

net/http: sensitive headers incorrectly sent after cross-domain redirect

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.

CVE-2024-45341 CVE-2024-45336 https://go.dev/issue/71156 https://go.dev/issue/70530 2025-01-07 2025-01-21
electron31 -- multiple vulnerabilities electron31 31.7.7

Electron developers report:

This update fixes the following vulnerabilities:

  • Security: backported fix for CVE-2024-12053.
  • Security: backported fix for CVE-2024-12693.
  • Security: backported fix for CVE-2024-12694.
CVE-2024-12053 https://github.com/advisories/GHSA-wvx7-72hc-rp32 CVE-2024-12693 https://github.com/advisories/GHSA-m84q-p89f-6cc5 CVE-2024-12694 https://github.com/advisories/GHSA-cgc6-4xgf-5q5x 2025-01-14 2025-01-20
age -- age vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution age 1.2.1

Filippo Valsorda reports:

A plugin name containing a path separator may allow an attacker to execute an arbitrary binary.

Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the plugin.NewIdentity, plugin.NewIdentityWithoutData, or plugin.NewRecipient APIs.

https://github.com/advisories/GHSA-32gq-x56h-299c 2024-12-18 2025-01-18
openvpn -- too long a username or password from a client can confuse openvpn servers openvpn 2.6.13

Frank Lichtenheld reports:

[OpenVPN v2.6.13 ...] improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN - this would not result in a crash, buffer overflow or other security issues, but the server would then misparse incoming IV variables and produce misleading error messages.

https://github.com/OpenVPN/openvpn/releases/tag/v2.6.13 2024-10-28 2025-01-17
rsync -- Multiple security fixes rsync 3.4.0

rsync reports:

This update includes multiple security fixes:

  • CVE-2024-12084: Heap Buffer Overflow in Checksum Parsing
  • CVE-2024-12085: Info Leak via uninitialized Stack contents defeats ASLR
  • CVE-2024-12086: Server leaks arbitrary client files
  • CVE-2024-12087: Server can make client write files outside of destination directory using symbolic links
  • CVE-2024-12088: --safe-links Bypass
  • CVE-2024-12747: symlink race condition
CVE-2024-12084 CVE-2024-12085 CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747 2025-01-14 2025-01-14
git -- multiple vulnerabilities git git-cvs git-gui git-p4 git-svn 2.48.1

Git development team reports:

CVE-2024-50349: Printing unsanitized URLs when asking for credentials made the user susceptible to crafted URLs (e.g. in recursive clones) that mislead the user into typing in passwords for trusted sites that would then be sent to untrusted sites instead.

CVE-2024-52006: Git may pass on Carriage Returns via the credential protocol to credential helpers which use line-reading functions that interpret said Carriage Returns as line endings, even though Git did not intend that.

CVE-2024-50349 https://github.com/git/git/security/advisories/GHSA-hmg8-h7qf-7cxr CVE-2024-52006 https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp 2024-10-29 2025-01-14
keycloak -- Multiple security fixes keycloak 26.0.8

Keycloak reports:

This update includes 2 security fixes:

  • CVE-2024-11734: Unrestricted admin use of system and environment variables
  • CVE-2024-11736: Denial of Service in Keycloak Server via Security Headers
CVE-2024-11734 CVE-2024-11736 2025-01-13 2025-01-13
asterisk - path traversal asterisk18 18.26.2 asterisk20 20.11.0

cve@mitre.org reports:

An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to execute a path traversal.

CVE-2024-53566 https://nvd.nist.gov/vuln/detail/CVE-2024-53566 2024-12-02 2025-01-12
redis,valkey -- Denial-of-service valnerability due to malformed ACL selectors redis 7.0.07.4.2 redis72 7.2.7 redis-devel 7.4.2.20250201 valkey 8.0.2

Redis core team reports:

An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service.The problem exists in Redis 7.0.0 or newer.

CVE-2024-51741 https://github.com/redis/redis/security/advisories/GHSA-prpq-rh5h-46g9 2025-01-06 2025-01-10
redis,valkey -- Remote code execution valnerability redis 7.4.2 redis72 7.2.7 redis62 6.2.17 redis-devel 7.4.2.20250201 valkey 8.0.2

Redis core team reports:

An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting.

CVE-2024-46981 https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c 2025-01-06 2025-01-10
Gitlab -- Vulnerabilities gitlab-ce gitlab-ee 17.7.017.7.1 17.6.017.6.3 11.0.017.5.5

Gitlab reports:

Possible access token exposure in GitLab logs

Cyclic reference of epics leads resource exhaustion

Unauthorized user can manipulate status of issues in public projects

Instance SAML does not respect external_provider configuration

CVE-2025-0194 CVE-2024-6324 CVE-2024-12431 CVE-2024-13041 https://about.gitlab.com/releases/2025/01/08/patch-release-gitlab-17-7-1-released/ 2025-01-08 2025-01-08