7625 matches found
Astra Linux - уязвимость в linux-5.10, linux
In the Linux kernel, the following vulnerability has been resolved: cipso: Fixed data races related to sysctl. When reading sysctl variables, they can be changed concurrently. Therefore, we need to add READONCE to avoid data races...
Astra Linux - уязвимость в sudo
In Sudo before 1.9.12p2, the sudoedit also known as -e feature improperly handles additional arguments passed in the user-provided environment variables SUDOEDITOR, VISUAL, and EDITOR. This allows a local attacker to append arbitrary entries to the list of files to process. This can lead to...
Astra Linux - уязвимость в libreoffice
Exposure of environmental variables and arbitrary INI file values to unauthorized actors is a vulnerability in The Document Foundation LibreOffice. URLs that expand environmental variables or INI file values may lead to potentially sensitive information being exfiltrated to a remote server upon...
Astra Linux - уязвимость в containerd
In containerd a industry-standard container runtime, before versions 1.3.10 and 1.4.4, containers launched through containerd’s CRI implementation via Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service that share the same image might receive incorrect...
Astra Linux - уязвимость в postgresql-11
Incorrect control of environment variables in PostgreSQL PL/Perl allows a non-privileged database user to modify sensitive process environment variables e.g., PATH. This often sufficient to enable arbitrary code execution, even if the attacker does not have a role as a database server operating...
Astra Linux - уязвимость в opensc
A vulnerability was discovered in OpenSC, OpenSC tools, the PKCS11 module, minidrivers, and CTK. The issue arises from the lack of initialization of variables that should be initialized as arguments to other functions, etc...
Astra Linux - уязвимость в firefox, thunderbird
Firefox behaved slightly differently for already-known resources when loading CSS resources that involved CSS variables. This could have been used to probe the browser history. This vulnerability affects Thunderbird 91.9, Firefox ESR 91.9, and Firefox 100...
Astra Linux - уязвимость в apache2
Improper neutralization of vulnerabilities related to escape, meta, or control sequences in the Apache HTTP Server, caused by environment variables set through Apache configuration, which unexpectedly override variables calculated by the server for CGI programs. This issue affects the Apache HTTP...
Astra Linux - уязвимость в opensc
A vulnerability was discovered in the pkcs15-init function in OpenSC. An attacker could use a specially crafted USB Device or Smart Card, causing the system to send a specially crafted response to APDUs. Insufficient or missing checks on the return values of functions lead to unexpected behavior...
Astra Linux - уязвимость в linux-5.10
In the Linux kernel, the following vulnerabilities have been resolved: Firmware: qcom: uefisecapp: fixed the race condition in efivars registration. Since the transition to using the TZ allocator, the efivars service is registered before the memory pool has been allocated. This can lead to a NULL...
Astra Linux - уязвимость в linux-6.1
In the Linux kernel, the following vulnerability has been resolved: 9p/net: fixed improper handling of bogus negative read/write responses. In p9clientwrite and p9clientreadonce, if the server incorrectly responds with a success message but a negative write/read count, then we would consider the...
Astra Linux - уязвимость в linux-5.10, linux
In the Linux kernel, the following vulnerability has been resolved: gsmi: fixed a null dereference in gsmigetvariable. We can access EFI variables without retrieving the attributes; therefore, we must allow this behavior in gsmi. Commit 859748255b43 “efi: pstore: Omit efivars caching EFI varstore...
Integer Overflow or Wraparound
Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the compressed-token decoder process. An attacker can access sensitive memory contents, including environment variables, passwords, heap and stack data, and library memory pointers, by sending speciall...
Malicious code in mcp-server-iehub-proxy (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ba03746ec3542dbe6ea365d04c04a7b9ac1366a547da3a6e7bc146900ad67a51 proxy.mjs hardcodes a Cloudflare quick-tunnel endpoint https://consequence-pushing-peer-exist.trycloudflare.com and uses fetch... POST... with...
Malicious code in figma-d2c-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b65db74a06749bbb141552f97e91b15d5bdd91b57a0136dfc8bfb4034b659c8f The package ships dist/report.js, a one-line module that issues an HTTPS POST to https://www.baidu.com carrying values read from process.env. The...
SUSE CVE-2026-8711
NGINX JavaScript has a vulnerability when the jsfetchproxy directive is configured with at least one client-controlled NGINX variable for example, $http, $arg, $cookie and a location invoking the ngx.fetch operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability...
CVE-2026-43618
Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended...
MAL-2026-4379 Malicious code in @deadcode09284814/axios-util (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 76075552edfad08b87789f2594dc666cdf4bf992e590c78cbfb0090446fca42a On npm install, postinstall.js reads installer-owned secrets — SSH private keys idrsa, ided25519, iddsa, config, authorizedkeys, knownhosts,...
MAL-2026-4543 Malicious code in customerdigital-ui-containers-lib (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a314a5b253dcb30b2781bda216266b7ab1b49b62eec416bd9be07b48ab46a348 On npm install, postinstall.js collects git identity, OS user/uid, hostname, internal network interface addresses, Cloudflare Pages environment...
EUVD-2026-31011
Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended...