Amazon Linux 2 : udisks2 (ALAS-2025-2894)
The version of udisks2 installed on the remote host is prior to 2.7.3-9. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2894 advisory. LPE from allow_active to root in libblockdev via udisks (CVE-2025-6019). Tenable has extracted the preceding description block directly...
Amazon Linux 2 : libblockdev (ALAS-2025-2895)
The version of libblockdev installed on the remote host is prior to 2.18-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2895 advisory. LPE from allow_active to root in libblockdev via udisks (CVE-2025-6019). Tenable has extracted the preceding description block...
Amazon Linux 2 : thunderbird (ALAS-2025-2896)
The version of thunderbird installed on the remote host is prior to 128.11.1-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2896 advisory. A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's deskto...
Important: perl-File-Find-Rule-Perl
Issue Overview: File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when grep encounters a crafted filename. A file handle is opened with the 2 argument form of open allowing an attacker controlled filename to provide the MODE parameter to open, turning the filename...
Medium: python-requests
Issue Overview: Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc...
Important: rclone
Issue Overview: The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permi...
Important: rclone
Issue Overview: The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permi...
Important: libvpx
Issue Overview: Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: Medium Duplicate: https://console.harmony.a2z.com/al-cve-eval/cve/TEMP-1106689-EC87F6 CVE-2025-528...
Medium: aws-kinesis-agent
Issue Overview: Jackson-core contains core low-level incremental "streaming" parser and generator abstractions used by Jackson Data Processor. Starting in version 2.0.0 and prior to version 2.13.0, a flaw in jackson-core's JsonLocation.appendSourceDesc method allows up to 500 bytes of unintended...
Medium: libblockdev
Issue Overview: LPE from allow_active to root in libblockdev via udisks (CVE-2025-6019). Affected Packages: libblockdev. Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: Run...
Important: libvpx
Issue Overview: Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: Medium Duplicate: https://console.harmony.a2z.com/al-cve-eval/cve/TEMP-1106689-EC87F6 CVE-2025-528...
Medium: python-requests
Issue Overview: Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc...
Medium: postgresql
Issue Overview: Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5...
Medium: postgresql
Issue Overview: Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5...
Medium: kernel
Issue Overview: In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix invalid address access in lookup_rec() when index is 0 (CVE-2023-53075). In the Linux kernel, the following vulnerability has been resolved: ext4: fix task hung in ext4_xattr_delete_inode (CVE-2023-53089). In the...
Medium: kernel
Issue Overview: In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix invalid address access in lookup_rec() when index is 0 (CVE-2023-53075). In the Linux kernel, the following vulnerability has been resolved: ext4: fix task hung in ext4_xattr_delete_inode (CVE-2023-53089). In the...
Important: libxml2
Issue Overview: A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input. CVE-2025-6021 Affected Packages:...
Medium: udisks2
Issue Overview: LPE from allow_active to root in libblockdev via udisks (CVE-2025-6019). Affected Packages: udisks2. Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: Run yum...
Medium: qt5-qt3d
Issue Overview: A vulnerability, which was classified as critical, was found in Open Asset Import Library Assimp 5.4.3. This affects the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The manipulation leads to...
Medium: amazon-cloudwatch-agent
Issue Overview: The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result i...