7522 matches found
Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from curl, go and apr-util
Summary: Multiple issues were identified in Red Hat UBI packages curl, go and apr-util that were shipped with IBM MQ Operator and IBM supplied MQ Advanced container images. Vulnerability Details: CVEID: CVE-2023-27535. DESCRIPTION: cURL libcurl could allow a remote attacker to bypass security...
Arbitrary file read vulnerability in Jenkins AWS CodeCommit Trigger Plugin
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system...
CVE-2023-35147
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system...
DEBIAN-CVE-2023-3159
A use after free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux Kernel. In this flaw a local attacker with special privilege may cause a use after free problem when queue_event fails...
UBUNTU-CVE-2023-3159
A use after free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux Kernel. In this flaw a local attacker with special privilege may cause a use after free problem when queue_event fails...
WordPress GD Mail Queue Plugin <= 3.9.3 is vulnerable to Cross Site Scripting (XSS)
Software: GD Mail Queue; Type: Plugin; Vulnerable versions: <= 3.9.3; Fixed in: 4.0; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-3122; Patch priority: Low; CVSS severity: Low (7.1); PSID: 1e928c6cc270; Credits: Alex Thomas; Required privile...
SUSE CVE-2023-3159
A use after free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux Kernel. In this flaw a local attacker with special privilege may cause a use after free problem when queue_event fails...
CVE-2023-28937
DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and...
Welotec TK500 Access Control Error Vulnerability
The Welotec TK500 is an industrial-grade 4G LTE router from Welotec. The Welotec TK500 suffers from an access control error vulnerability that originates from the fact that an unauthenticated, remote attacker who knows the name of the MQTT topic can send and receive messages, including GET/SET...
SUSE CVE-2023-33297
Bitcoin Core before 24.1, when debug mode is not used, allows attackers to cause a denial of service (e.g., CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023...
PT-2025-40217
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: A flaw exists in the Linux kernel’s SCSI subsystem, specifically within the UFS (Universal Storage Flash) core. The ufshcd_queuecommand function may be invoked multiple times for a single...
Code injection
Bitcoin Core before 24.1, when debug mode is not used, allows attackers to cause a denial of service (e.g., CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023...
CVE-2023-33297
Bitcoin Core before 24.1, when debug mode is not used, allows attackers to cause a denial of service (e.g., CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023...
VulnCheck KEV: CVE-2023-33297
Bitcoin Core before 24.1, when debug mode is not used, allows attackers to cause a denial of service (e.g., CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023...
CVE-2023-33297
Bitcoin Core prior to v24.1 is affected by CVE-2023-33297. When debug mode is not enabled, the node’s inventory-to-send queue draining is inefficient, allowing a denial-of-service (e.g., CPU consumption). The issue has been observed in the wild (May 2023). A fix is provided in Bitcoin Core 24.1 a...
CVE-2023-33297
Removed by vendor...
CVE-2023-28514
IBM MQ 8.0, 9.0, and 9.1 could allow a local user to obtain sensitive credential information when a detailed technical error message is returned in a stack trace. IBM X-Force ID: 250398...
IBM MQ Security Vulnerability
IBM MQ (IBM WebSphere MQ) is a messaging middleware product from International Business Machines (IBM). The product is mainly for the service-oriented architecture (SOA) to provide a reliable and proven messaging backbone. An information disclosure vulnerability exists in IBM MQ versions 8.0, 9.0, and...