Accordion & FAQ Security Vulnerabilities
Issue Overview: close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE. (CVE-2022-48624) Affected Packages: less Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras...
6.9AI Score
0.0004EPSS
Issue Overview: cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive. (CVE-2015-1197) Affected Packages: cpio Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this...
6.8AI Score
0.0004EPSS
Issue Overview: EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality....
6AI Score
0.006EPSS
Issue Overview: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack The package openssl098e is provided purely for binary compatibility with older Amazon Linux versions. It does not receive security updates. (CVE-2024-0727)...
6.4AI Score
0.002EPSS
Issue Overview: When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory read. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. (CVE-2024-1546) Through a series of A...
7.8AI Score
0.0004EPSS
Issue Overview: wpa_supplicant: potential authorization bypass (CVE-2023-52160) Affected Packages: wpa_supplicant Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: ...
7AI Score
0.001EPSS
Issue Overview: A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive.....
7.7AI Score
0.008EPSS
Issue Overview: plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 3.39.x before 3.40.0 mishandles widget rebuilding for GladeGtkBox, leading to a denial of service (application crash). (CVE-2020-36774) Affected Packages: glade Note: This advisory is applicable to Amazon Linux 2...
6.8AI Score
0.0004EPSS
Issue Overview: dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count. (CVE-2023-52429) A flaw was found in the ATA over Ethernet (AoE)...
7.2AI Score
0.0004EPSS
Issue Overview: Apache issued this CVE to indicate the correct versions of xerces-c, which included the fix for CVE-2018-1311. See the older CVE page for fix status. (CVE-2024-23807) Affected Packages: xerces-c Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit...
6.8AI Score
0.003EPSS
[SECURITY] [DSA 5634-1] chromium security update
Debian Security Advisory DSA-5634-1 [email protected] https://www.debian.org/security/ Andres Salomon February 28, 2024 https://www.debian.org/security/faq Package : chromium CVE ID : CVE-2024-1938 CVE-2024-1939...
7.3AI Score
0.0004EPSS
[SECURITY] [DSA 5633-1] knot-resolver security update
Debian Security Advisory DSA-5633-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 27, 2024 https://www.debian.org/security/faq Package : knot-resolver CVE ID : CVE-2023-46317...
7.5CVSS
7.2AI Score
0.0005EPSS
HTTP/2 Cleartext Upgrade Support Detected
The HTTP/2 protocol is usually negotiated over the TLS application layer protocol negotiation extension (TLS-ALPN). A persistent HTTP/2 connection can also be made from a HTTP/1.1 request using the Upgrade header with the h2c value to specify a cleartext communication. The scanner detected that...
7.5AI Score
7.4AI Score
7.4AI Score
7.4AI Score
[SECURITY] [DSA 5631-1] iwd security update
Debian Security Advisory DSA-5631-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso February 25, 2024 https://www.debian.org/security/faq Package : iwd CVE ID : CVE-2023-52161 Debian Bug :...
7.5CVSS
6.9AI Score
0.001EPSS
[SECURITY] [DSA 5630-1] thunderbird security update
Debian Security Advisory DSA-5630-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 23, 2024 https://www.debian.org/security/faq Package : thunderbird CVE ID : CVE-2024-1546 CVE-2024-1547...
7.8AI Score
0.0004EPSS
[SECURITY] [DSA 5629-1] chromium security update
Debian Security Advisory DSA-5629-1 [email protected] https://www.debian.org/security/ Andres Salomon February 23, 2024 https://www.debian.org/security/faq Package : chromium CVE ID : CVE-2024-1669 CVE-2024-1670...
7.8AI Score
0.0004EPSS
Issue Overview: The description of this advisory is forthcoming. Affected Packages: sudo Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: Run yum update sudo to...
7.2AI Score
[SECURITY] [DSA 5628-1] imagemagick security update
Debian Security Advisory DSA-5628-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 22, 2024 https://www.debian.org/security/faq Package : imagemagick CVE ID : CVE-2021-3610 CVE-2022-1115...
7.5CVSS
8.2AI Score
0.0005EPSS
[SECURITY] [DSA 5627-1] firefox-esr security update
Debian Security Advisory DSA-5627-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 21, 2024 https://www.debian.org/security/faq Package : firefox-esr CVE ID : CVE-2024-1546 CVE-2024-1547...
7.4AI Score
0.0004EPSS
An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1, Safari 17.1, macOS Sonoma 14.1. Visiting a malicious website may lead to address bar spoofing. Notes Author| Note ---|--- jdstrand |...
7.5AI Score
0.0004EPSS
February 13, 2024—KB5034830 (Monthly Rollup)
February 13, 2024—KB5034830 (Monthly Rollup) IMPORTANT The installation of this Extended Security Update (ESU) might fail when you try to install it on an Azure Arc-enabled device that is running Windows Server 2012. For a successful installation, please make sure all Subset of endpoints for ESU...
7.1AI Score
0.037EPSS
November 14, 2023—KB5032247 (Monthly Rollup)
November 14, 2023—KB5032247 (Monthly Rollup) IMPORTANT The installation of this Extended Security Update (ESU) might fail when you try to install it on an Azure Arc-enabled device that is running Windows Server 2012. For a successful installation, please make sure all Subset of endpoints for ESU...
7.7AI Score
0.021EPSS
[SECURITY] [DSA 5626-1] pdns-recursor security update
Debian Security Advisory DSA-5626-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 18, 2024 https://www.debian.org/security/faq Package : pdns-recursor CVE ID : CVE-2023-50387...
7.5CVSS
7.2AI Score
0.0005EPSS
9.8CVSS
7.2AI Score
0.006EPSS
[SECURITY] [DSA 5625-1] engrampa security update
Debian Security Advisory DSA-5625-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 16, 2024 https://www.debian.org/security/faq Package : engrampa CVE ID : CVE-2023-52138 It was discovered...
9.6CVSS
6.8AI Score
0.003EPSS
Important: gstreamer1-plugins-bad-free
Issue Overview: GStreamer-SA-2024-0001: AV1 codec parser potential buffer overflow during tile list parsing NOTE: https://gstreamer.freedesktop.org/security/sa-2024-0001.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5970 NOTE: Fixed by:...
7.4AI Score
Issue Overview: Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial.....
6.7AI Score
0.008EPSS
Issue Overview: Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file. (CVE-2016-0775) Affected Packages: python-pillow Note: This advisory is applicable to Amazon...
7AI Score
0.013EPSS
Issue Overview: This enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. Database owners have that right by default, and explicit grants may extend it to other users. (CVE-2023-2454) Affected Packages: postgresql Note: This advisory...
7.9AI Score
0.003EPSS
Issue Overview: Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely...
6.6AI Score
0.001EPSS
Issue Overview: A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by...
6.6AI Score
0.004EPSS
Issue Overview: 2024-02-29: CVE-2023-48706 was added to this advisory. Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a :s command for the very first time and using a sub-replace-special atom inside the substitution part, it is...
8.1AI Score
0.0005EPSS
Issue Overview: jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default...
5.6AI Score
0.001EPSS
Issue Overview: A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system...
6.9AI Score
0.001EPSS
Issue Overview: An issue was discovered jtidy thru r938 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies. (CVE-2023-34623) Affected Packages: jtidy Note: This advisory is applicable to Amazon Linux 2 (AL2) Core...
6.9AI Score
0.0005EPSS
Issue Overview: Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121. (CVE-2023-6135) Affected Packages: nss-softokn Note: This advisory is...
6.5AI Score
0.001EPSS
Issue Overview: A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause.....
6.8AI Score
0.0004EPSS
Issue Overview: EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability....
7.1AI Score
0.0004EPSS
Issue Overview: Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature). (CVE-2020-36773) Affected Packages: ...
7.2AI Score
0.001EPSS
Issue Overview: NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation...
6.4AI Score
0.001EPSS
Issue Overview: Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack....
6.7AI Score
0.008EPSS
Issue Overview: Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11729) A heap-based buffe...
8.2AI Score
0.013EPSS
Issue Overview: Liblouis 3.5.0 has a Segmentation fault in lou_logPrint in logging.c. (CVE-2018-11577) Liblouis 3.5.0 has a stack-based Buffer Overflow in the function includeFile in compileTranslationTable.c. (CVE-2018-11684) Liblouis 3.5.0 has a stack-based Buffer Overflow in the function...
6.8AI Score
0.008EPSS
Issue Overview: 2024-04-11: CVE-2024-23252 was added to this advisory. A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 10, iOS 17 and iPadOS 17, tvOS 17, macOS Sonoma 14, Safari 17. Processing web content may lead to arbitrary code execution....
7.6AI Score
0.001EPSS
Issue Overview: 2024-04-24: CVE-2023-49568 was added to this advisory. 2024-02-29: CVE-2023-39326 was added to this advisory. 2024-02-29: CVE-2023-39325 was added to this advisory. The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset...
7.7AI Score
0.002EPSS
Issue Overview: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 (CVE-2023-6816) Reattaching to different master...
7.5AI Score
0.002EPSS
Issue Overview: Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y. This allows local attackers to gain access to system secrets otherwise only readable by root. (CVE-2024-23301) Affected Packages: rear Note: This advisory is applicable to Amazon...
7.7AI Score
0.0004EPSS