RHCOS 3 : OpenShift Container Platform 3.11 (RHSA-2018:3537)

The remote Red Hat Enterprise Linux CoreOS 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:3537 advisory. - kibana: Cross-site scripting via the source field formatter CVE-2018-3830 - nodejs: Out of bounds OOB write via UCS-2 encoding...

fast-uri 路径遍历漏洞

fast-uri is an open-source, dependency-free RFC 3986 URI parser and toolkit developed by Fastify. Versions of fast-uri 3.1.0 and earlier contained a path traversal vulnerability. This vulnerability stemmed from the normalize and equal functions decoding percent-encoded path separators and dots,...

PT-2026-36919

Name of the Vulnerable Software and Affected Versions fast-uri versions prior to 3.1.1 Description The normalize and equal functions decode percent-encoded path separators and dot segments before performing dot-segment removal. This causes encoded path data to be treated as actual slashes and...

PT-2026-37200

Name of the Vulnerable Software and Affected Versions Pillow versions 10.3.0 through 12.1.x Description Processing a malicious PSD file can lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This occurs because bounds checks for tile extents in PSD image...

RHCOS 4 / 9 : OpenShift Container Platform 4.17.2 (RHSA-2024:8232)

The remote Red Hat Enterprise Linux CoreOS 4 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:8232 advisory. - github.com/jaraco/zipp: Denial of Service infinite loop via crafted zip file in jaraco/zipp CVE-2024-5569 - go/parser: golang:...

Astra Linux - уязвимость в postgresql-11

Improper neutralization of quoting syntax in PostgreSQL’s libpq functions such as PQescapeLiteral, PQescapeIdentifier, PQescapeString, and PQescapeStringConn allows a database input provider to exploit SQL injection attacks under certain usage patterns. Specifically, SQL injection requires the...

Astra Linux - уязвимость в libvpx

VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding...

Astra Linux - уязвимость в postgresql-11

Over-reading of buffers in PostgreSQL’s GB18030 encoding validation allows a database input provider to cause temporary denial of service on platforms where a 1-byte over-reading can lead to process termination. This issue affects both the database server and libpq. Versions prior to PostgreSQL...

Astra Linux - уязвимость в chromium

The use of after-free in TextEncoding in Google Chrome before version 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption through a crafted HTML page. Chromium security severity: High...

Astra Linux - уязвимость в node-elliptic

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed...

Astra Linux - уязвимость в apache2

Apache HTTP Server versions 2.4.41 to 2.4.46 with modproxyhttp can become unstable when processing specially crafted requests that use both Content-Length and Transfer-Encoding headers. This can lead to a denial of service...

Astra Linux - уязвимость в waitress

In Waitress version 1.4.0, if a proxy server is used in front of Waitress, an attacker may send an invalid request that bypasses the front-end and is parsed differently by Waitress. This could lead to HTTP request smuggling. Specifically, requests containing special whitespace characters in the...

Astra Linux - уязвимость в gunicorn

Gunicorn fails to properly validate Transfer-Encoding headers, resulting in HTTP Request Smuggling HRS vulnerabilities. By creating requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue arises due to Gunicorn’s...

Astra Linux - уязвимость в gdk-pixbuf

There is a flaw in gdk-pixbuf, specifically within the gdkpixbufjpegimageloadincrement function io-jpeg.c, and in glib’s gbase64encodestep function glib/gbase64.c. When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing for out-of-bounds...

Astra Linux - уязвимость в twisted

In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request...

Astra Linux - уязвимость в libvpx

There is a heap overflow vulnerability in libvpx. Encoding a frame with dimensions larger than the originally configured size using VP9 may lead to a heap overflow in libvpx. We recommend upgrading to version 1.13.1 or higher...

Astra Linux - уязвимость в firefox, thunderbird

Methods AppendEncodedAttributeValue, ExtraSpaceNeededForAttrEncoding, and AppendEncodedCharacters may experience integer overflows, resulting in underallocation of an output buffer and thus causing out-of-bounds write attacks. This vulnerability affects Firefox 124, Firefox ESR 115.9, and...

Astra Linux - уязвимость в ffmpeg5

When decoding an OpenEXR file that uses DWAA or DWAB compression, the specified raw length of run-length-encoded data is not checked when using it to calculate the output data. We read rlerawsize from the input file at 0, decompress and decode it into the buffer td-rlerawdata of size rlerawsize a...

Astra Linux - уязвимость в netty

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace such as a spaceTransfer-Encoding:chunked line and a later Content-Length header. This issue exists due to an incomplete fix for CVE-2019-16869...

Astra Linux - уязвимость в node-body-parser

body-parser is a Node.js body parsing middleware. body-parser version 1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue has...