220 matches found
Amazon Linux 2022 : log4j, log4j-jcl, log4j-slf4j (ALAS2022-2021-003)
It is, therefore, affected by a vulnerability as referenced in the ALAS2022-2021-003 advisory. A flaw was found in the Java logging library Apache Log4j 2 in versions from 2.0-beta9 and before and including 2.14.1. This could allow a remote attacker to execute code on the server if the system log...
Amazon Linux 2022 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2022-2022-013)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-013 advisory. An HTTP Request Smuggling HRS vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations a...
Amazon Linux 2022 : qt, qt-assistant, qt-common (ALAS2022-2021-006)
It is, therefore, affected by a vulnerability as referenced in the ALAS2022-2021-006 advisory. Qt5 versions up to qt 5.12.7, qt 5.14.1, qt 5.15.0 allows plugins to be loaded from current working directory, this can lead to compromised plugins to loaded leading to possible arbitrary code execution...
Amazon Linux 2022 : golang, golang-bin, golang-misc (ALAS2022-2022-009)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-009 advisory. A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. CVE-2021-33196...
Amazon Linux 2022 : vim-common, vim-data, vim-default-editor (ALAS2022-2022-020)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-020 advisory. A flaw was found in vim. The vulnerability occurs due to not checking the length for the NameBuff function, which can lead to a heap buffer overflow. This flaw allows an attacker to input a...
Amazon Linux 2022 : vim-common, vim-data, vim-default-editor (ALAS2022-2022-023)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-023 advisory. A flaw was found in vim. The vulnerability occurs due to too many recursions, which can lead to a segmentation fault. This flaw allows an attacker to input a specially crafted file, leading to ...
Amazon Linux 2022 : ctdb, ctdb-pcp-pmda, libsmbclient (ALAS2022-2022-022)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-022 advisory. A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was...
Amazon Linux 2022 : freetype, freetype-demos, freetype-devel (ALAS2022-2022-033)
It is, therefore, affected by a vulnerability as referenced in the ALAS2022-2022-033 advisory. A heap buffer overflow leading to out-of-bounds write was found in freetype. Memory allocation based on truncated PNG width and height values allows for an out-of-bounds write to occur in application...
Amazon Linux 2022 : log4j, log4j-jcl, log4j-slf4j (ALAS2022-2022-011)
It is, therefore, affected by a vulnerability as referenced in the ALAS2022-2022-011 advisory. Apache Log4j2 versions 2.0-beta7 through 2.17.0 excluding security fix releases 2.3.2 and 2.12.4 are vulnerable to a remote code execution RCE attack where an attacker with permission to modify the...
Amazon Linux 2022 : expat, expat-devel, expat-static (ALAS2022-2022-028)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-028 advisory. expat libexpat is susceptible to a software flaw that causes process interruption. When processing a large number of prefixed XML attributes on a single tag can libexpat can terminate...
Amazon Linux 2022 : golang, golang-bin, golang-misc (ALAS2022-2021-007)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2021-007 advisory. A validation flaw was found in golang. When invoking functions from WASM modules built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten...
Amazon Linux 2022 : httpd, httpd-devel, httpd-filesystem (ALAS2022-2022-018)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-018 advisory. There's a null pointer dereference and server-side request forgery flaw in httpd's modproxy module, when it is configured to be used as a forward proxy. A crafted packet could be sent on the...
Amazon Linux 2022 : libsepol, libsepol-devel, libsepol-static (ALAS2022-2022-030)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-030 advisory. The CIL compiler in SELinux 3.2 has a use-after-free in cilverifyclassperms called from cilverifyclasspermission and cilpreverifyhelper. CVE-2021-36084 The CIL compiler in SELinux 3.2 has a...
Amazon Linux 2022 : jdom, jdom-demo, jdom-javadoc (ALAS2022-2022-010)
It is, therefore, affected by a vulnerability as referenced in the ALAS2022-2022-010 advisory. An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. CVE-2021-33813 Tenable has extracted the preceding description block directly...
Amazon Linux 2022 : expat, expat-devel, expat-static (ALAS2022-2022-017)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-017 advisory. In Expat aka libexpat before 2.4.3, a left shift by 29 or more places in the storeAtts function in xmlparse.c can lead to realloc misbehavior e.g., allocating too few bytes, or only freeing...
Amazon Linux 2022 : golang, golang-bin, golang-misc (ALAS2022-2022-128)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-128 advisory. A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating chunked encoding. This issue could allow request smuggling, but only if combined with an...
Amazon Linux 2022 : bcel, bcel-javadoc (ALAS2022-2023-275)
It is, therefore, affected by a vulnerability as referenced in the ALAS2022-2023-275 advisory. Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitra...
Amazon Linux 2022 : vim-common, vim-data, vim-default-editor (ALAS2022-2023-269)
It is, therefore, affected by a vulnerability as referenced in the ALAS2022-2023-269 advisory. The target's backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a he...
Amazon Linux 2022 : python3.10, python3.10-devel, python3.10-idle (ALAS2022-2023-274)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2023-274 advisory. Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non- default configuration. The Python multiprocessing library, when used with the forkserver...
Amazon Linux 2022 : ruby3.1, ruby3.1-bundled-gems, ruby3.1-default-gems (ALAS2022-2023-262)
It is, therefore, affected by a vulnerability as referenced in the ALAS2022-2023-262 advisory. The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP...