This Week in Spring - March 12th, 2024
Hi, Spring fans! Welcome to another installment of This Week in Spring! And what a week it's going to be! Do this first: we need your help! Please answer some questions in our State of Spring survey! Join me for a look at the latest-and-greatest, chronicling how I got started with Spring Boot in...
7AI Score
FreeBSD : Intel CPUs -- multiple vulnerabilities (b6dd9d93-e09b-11ee-92fc-1c697a616631)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the b6dd9d93-e09b-11ee-92fc-1c697a616631 advisory. Intel reports: 2024.1 IPU - Intel Processor Bus Lock Advisory A potential security...
6.5CVSS
6.9AI Score
0.001EPSS
Amazon Linux 2023 : microcode_ctl (ALAS2023-2024-559)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-559 advisory. Non-transparent sharing of return predictor targets between contexts in some Intel Processors may allow an authorized user to potentially enable information disclosure via local access....
6.5CVSS
6.9AI Score
0.001EPSS
SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:0855-1)
The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0855-1 advisory. In the Linux kernel, the following vulnerability has been resolved: i2c: Fix a potential use after free Free...
7.8CVSS
7.9AI Score
EPSS
Microsoft and Adobe Patch Tuesday, March 2024 Security Update Review
Welcome to another insightful dive into Microsoft's Patch Tuesday! This month's security updates address a significant number of CVEs, underscoring the ongoing battle against digital vulnerabilities. We invite you to join us to review and discuss the details of these security updates and patches......
8.1CVSS
9AI Score
0.001EPSS
Summary IBM Sterling Partner Engagement Manager uses Apache Commons FileUpload. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details ** CVEID: CVE-2023-24998 DESCRIPTION: **Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused.....
7.5CVSS
6.9AI Score
0.034EPSS
Summary There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 8 used by IBM Installation Manager and IBM Packaging Utility. The IBM Installation Manager and IBM Packaging Utility have addressed the applicable CVEs. Vulnerability Details ** IBM X-Force ID: PSIRT-ADV0103951 .....
6.5AI Score
x86: Register File Data Sampling
ISSUE DESCRIPTION Intel have disclosed RFDS, Register File Data Sampling, affecting some Atom cores. This came from internal validation work. There is no information provided about how an attacker might go about inferring data from the register files. For more details, see:...
6.5CVSS
6.6AI Score
0.0004EPSS
software: firefox 118.0.2 OS: ROSA-CHROME package_evr_string: firefox-118.0.2-1.src.rpm CVE-ID: CVE-2011-0064 BDU-ID: None CVE-Crit: MEDIUM CVE-DESC.: The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, used in Pango, Firefox, and other products, does not check for successful memory...
9.8CVSS
7.9AI Score
0.609EPSS
Issue Overview: Non-transparent sharing of return predictor targets between contexts in some Intel® Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2023-38575) Protection mechanism failure of bus lock regulator for some Intel® Processors.....
6.5CVSS
6.9AI Score
0.001EPSS
Summary The commons-fileupload package is used by IBM Cloud Pak for Data System 2.0. IBM Cloud Pak for Data System 2.0 has addressed the applicable CVE [CVE-2023-24998] Vulnerability Details ** CVEID: CVE-2023-24998 DESCRIPTION: **Apache Commons FileUpload and Tomcat are vulnerable to a denial of.....
7.5CVSS
6.7AI Score
0.034EPSS
Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series Ver.3.1.9 and earlier, Ver.3.0.x series Ver.3.0.30 and earlier, Ver.2.11.x series Ver.2.11.59 and earlier, Ver.2.10.x series Ver.2.10.51 and earlier, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user....
7AI Score
0.0004EPSS
Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series Ver.3.1.9 and earlier, Ver.3.0.x series Ver.3.0.30 and earlier, Ver.2.11.x series Ver.2.11.59 and earlier, Ver.2.10.x series Ver.2.10.51 and earlier, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user....
6.8AI Score
0.0004EPSS
Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series Ver.3.1.9 and earlier, Ver.3.0.x series Ver.3.0.30 and earlier, Ver.2.11.x series Ver.2.11.59 and earlier, Ver.2.10.x series Ver.2.10.51 and earlier, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user....
7AI Score
0.0004EPSS
Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series Ver.3.1.9 and earlier, Ver.3.0.x series Ver.3.0.30 and earlier, Ver.2.11.x series Ver.2.11.59 and earlier, Ver.2.10.x series Ver.2.10.51 and earlier, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user....
7.1AI Score
0.0004EPSS
Path traversal vulnerability exists in Machine Automation Controller NJ Series and Machine Automation Controller NX Series. An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an...
7AI Score
0.0004EPSS
Path traversal vulnerability exists in Machine Automation Controller NJ Series and Machine Automation Controller NX Series. An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an...
7.2AI Score
0.0004EPSS
Path traversal vulnerability exists in Machine Automation Controller NJ Series and Machine Automation Controller NX Series. An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an...
7.3AI Score
0.0004EPSS
CVE-2024-26288 PHOENIX CONTACT: Lack of SSL support in CHARX Series
An unauthenticated remote attacker can influence the communication due to the lack of encryption of sensitive data via a MITM. Charging is not...
8.7CVSS
8.7AI Score
0.002EPSS
CVE-2024-26288 PHOENIX CONTACT: Lack of SSL support in CHARX Series
An unauthenticated remote attacker can influence the communication due to the lack of encryption of sensitive data via a MITM. Charging is not...
8.7CVSS
6.9AI Score
0.002EPSS
CVE-2024-26005 PHOENIX CONTACT: Privilege gain through incomplete cleanup in CHARX Series
An unauthenticated remote attacker can gain service level privileges through an incomplete cleanup during service restart after a...
4.8CVSS
5.8AI Score
0.001EPSS
An unauthenticated remote attacker can DoS a control agent due to access of a uninitialized pointer which may prevent or disrupt the charging...
7.5CVSS
7.8AI Score
0.001EPSS
An unauthenticated remote attacker can DoS a control agent due to access of a uninitialized pointer which may prevent or disrupt the charging...
7.5CVSS
7.1AI Score
0.001EPSS
CVE-2024-26003 PHOENIX CONTACT: DoS of the control agent in CHARX Series
An unauthenticated remote attacker can DoS the control agent due to a out-of-bounds read which may prevent or disrupt the charging...
7.5CVSS
7AI Score
0.001EPSS
CVE-2024-26003 PHOENIX CONTACT: DoS of the control agent in CHARX Series
An unauthenticated remote attacker can DoS the control agent due to a out-of-bounds read which may prevent or disrupt the charging...
7.5CVSS
7.7AI Score
0.001EPSS
CVE-2024-26002 PHOENIX CONTACT: File ownership manipulation in CHARX Series
An improper input validation in the Qualcom plctool allows a local attacker with low privileges to gain root access by changing the ownership of specific...
7.8CVSS
7.8AI Score
0.0005EPSS
CVE-2024-26002 PHOENIX CONTACT: File ownership manipulation in CHARX Series
An improper input validation in the Qualcom plctool allows a local attacker with low privileges to gain root access by changing the ownership of specific...
7.8CVSS
6.8AI Score
0.0005EPSS
CVE-2024-25997 PHOENIX CONTACT: Log injection in CHARX Series
An unauthenticated remote attacker can perform a log injection due to improper input validation. Only a certain log file is...
5.3CVSS
7.4AI Score
0.001EPSS
CVE-2024-25997 PHOENIX CONTACT: Log injection in CHARX Series
An unauthenticated remote attacker can perform a log injection due to improper input validation. Only a certain log file is...
5.3CVSS
5.9AI Score
0.001EPSS
An unauthenticated remote attacker can perform a remote code execution due to an origin validation error. The access is limited to the service...
5.3CVSS
7.9AI Score
0.001EPSS
An unauthenticated remote attacker can perform a remote code execution due to an origin validation error. The access is limited to the service...
5.3CVSS
6.3AI Score
0.001EPSS
CVE-2024-25995 PHOENIX CONTACT: Remote code execution in CHARX Series
An unauthenticated remote attacker can modify configurations to perform a remote code execution due to a missing authentication for a critical...
9.8CVSS
10AI Score
0.002EPSS
CVE-2024-25995 PHOENIX CONTACT: Remote code execution in CHARX Series
An unauthenticated remote attacker can modify configurations to perform a remote code execution due to a missing authentication for a critical...
9.8CVSS
8.2AI Score
0.002EPSS
CVE-2024-25994 PHOENIX CONTACT: Unintended script file upload in CHARX Series
An unauthenticated remote attacker can upload a arbitrary script file due to improper input validation. The upload destination is fixed and is write...
5.3CVSS
5.8AI Score
0.001EPSS
CVE-2024-25994 PHOENIX CONTACT: Unintended script file upload in CHARX Series
An unauthenticated remote attacker can upload a arbitrary script file due to improper input validation. The upload destination is fixed and is write...
5.3CVSS
7.2AI Score
0.001EPSS
Path traversal vulnerability exists in Machine Automation Controller NJ Series and Machine Automation Controller NX Series. An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an...
7.2AI Score
0.0004EPSS
Amazon Linux 2 : microcode_ctl (ALAS-2024-2491)
The version of microcode_ctl installed on the remote host is prior to 2.1-47. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2491 advisory. Non-transparent sharing of return predictor targets between contexts in some Intel Processors may allow an...
6.5CVSS
6.1AI Score
0.001EPSS
EulerOS 2.0 SP8 : shim (EulerOS-SA-2024-1299)
According to the versions of the shim package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain...
6.5CVSS
7AI Score
0.003EPSS
Protection mechanism failure in some 3rd and 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local...
6.1CVSS
6.6AI Score
0.001EPSS
Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local...
6.5CVSS
7.2AI Score
0.0004EPSS
Grandstream IP Phones GXP14xx <= 1.0.8.9 / GXP16xx <= 1.0.7.70 Privilege Escalation Vulnerability
Grandstream GXP14xx and GXP16xx Series IP phones are prone to a privilege escalation...
7AI Score
0.0004EPSS
Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2024-1260)
The remote host is missing an update for the Huawei...
6.5CVSS
7.9AI Score
0.001EPSS
2024.1 IPU OOB - Intel® Xeon® D Processor Advisory
Summary: A potential security vulnerability in some Intel® Xeon® D Processors with Intel® Software Guard Extensions (SGX) may allow information disclosure. Intel is releasing microcode updates to mitigate this potential vulnerability. Vulnerability Details: CVEID: CVE-2023-43490 Description:...
6.4AI Score
0.0004EPSS
Protection mechanism failure of bus lock regulator for some Intel(R) Processors may allow an unauthenticated user to potentially enable denial of service via network...
6.5CVSS
6.5AI Score
0.001EPSS
2024.1 IPU - Intel® Atom® Processor Advisory
Summary: A potential security vulnerability in some Intel® Atom® Processors may allow information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability. Vulnerability Details: CVEID: CVE-2023-28746 Description: Information exposure through microarchitectural...
6.7AI Score
0.0004EPSS
EulerOS 2.0 SP8 : curl (EulerOS-SA-2024-1260)
According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met....
6.5CVSS
7.3AI Score
0.001EPSS
Incorrect calculation in microcode keying mechanism for some Intel(R) Xeon(R) D Processors with Intel(R) SGX may allow a privileged user to potentially enable information disclosure via local...
5.3CVSS
5.2AI Score
0.0004EPSS
Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local...
5.5CVSS
5.6AI Score
0.0004EPSS
7.8CVSS
7.2AI Score
0.002EPSS
Rocky Linux 8 : firefox (RLSA-2024:0955)
The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:0955 advisory. When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory...
9.7AI Score
0.0004EPSS