CVE-2023-7245

The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 Windows/3.4.7 macOS was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRONRUNASNODE environment variable...

CVE-2023-7245

The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 Windows/3.4.7 macOS was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRONRUNASNODE environment variable...

Code injection

On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAPNETBINDSERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this...

CVE-2024-21892

On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAPNETBINDSERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this...

PT-2024-4011 · Less +9 · Less +9

Name of the Vulnerable Software and Affected Versions: less versions prior to 606 Description: The issue is related to the close altfile function in filename.c, which omits shell quote calls for LESSCLOSE. This can allow an attacker to execute arbitrary commands. Recommendations: For versions pri...

CentOS 8 : glibc (CESA-2023:5455)

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2023:5455 advisory. - A flaw was found in glibc. When the getaddrinfo function is called with the AFUNSPEC address family and the system is configured with no-aaaa mode vi...

CVE-2024-24557

Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions most important being HEALTHCHECK and ONBUILD would not cause a cache miss. An...

Design/Logic Flaw

Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions most important being HEALTHCHECK and ONBUILD would not cause a cache miss. An...

Use After Free

The Apache Xerces is vulnerable to use-after-free. The vulnerability is due to improper handling of memory, leading to potential arbitrary code execution or denial of service. As a remedy, it is recommended to disable DTD processing, either through DOM parser features or by setting the...

PT-2024-3588 · Openvpn · Openvpn Connect

Name of the Vulnerable Software and Affected Versions: OpenVPN Connect versions 3.0 through 3.4.3 Windows OpenVPN Connect versions 3.0 through 3.4.7 macOS Description: The issue is related to the nodejs framework in OpenVPN Connect, which was not properly configured. This configuration issue allo...

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBCTUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBCTUNABLES environment variables when launching binaries with SUID permission to execute code...

EulerOS 2.0 SP8 : ncurses (EulerOS-SA-2023-3138)

According to the versions of the ncurses packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security- relevant memory corruption via malforme...

Apache Solr allows read access to host environmet variables

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users are able to specify which environment variables to hide, however, the default list is designe...

The vulnerability of the OpenVPN Connect software lies in its inability to properly execute instructions in the dynamically executed code, allowing a violator to execute arbitrary code.

The vulnerability of the OpenVPN Connect software is related to the failure to implement measures to neutralize the instructions in the dynamically executed code. Exploiting this vulnerability can allow an attacker to execute arbitrary code using the DYILDINSERTLIBRARIES environment variable...

Code injection

The issue was addressed with improved validation of environment variables. This issue is fixed in iOS 16.6 and iPadOS 16.6. An app may be able to access sensitive user data...

glibc: buffer overflow in ld.so leading to privilege escalation

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBCTUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBCTUNABLES environment variables when launching binaries with SUID permission to execute code...

CVE-2023-47039

A vulnerability was found in Perl. This security issue occurs while Perl for Windows relies on the system path environment variable to find the shell cmd.exe. When running an executable that uses the Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system...

Code injection

A vulnerability was found in Perl. This security issue occurs while Perl for Windows relies on the system path environment variable to find the shell cmd.exe. When running an executable that uses the Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system...

CVE-2023-47039

A vulnerability was found in Perl. This security issue occurs while Perl for Windows relies on the system path environment variable to find the shell cmd.exe. When running an executable that uses the Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system...

nvdApiKey is logged in debug mode

Summary The value of nvdApiKey configuration parameter is logged in clear text in debug mode. Details The NVD API key is a kind of secret and should be treated like other secrets when logging in debug mode. Expecting the same behavior as for several password configurations: just print Note that...