
4175 matches found

OSV · added 2024/08/17 9:15 a.m. · 0 views

UBUNTU-CVE-2024-42263

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Fix potential memory leak in the timestamp extension If fetching of userspace memory fails during the main loop, all drm sync objs looked up until that point will be leaked because of the missing drm_syncobj_put. Fix it by...

CVSS 5.5 · AI score 6.5 · EPSS 0.00017 · Exploits 0 · References 10
OSV · added 2024/08/16 2:15 a.m. · 1 views

CVE-2024-7845

A vulnerability was found in SourceCodester Online Graduate Tracer System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /tracking/admin/fetch_it.php. The manipulation of the argument request leads to sql injection. The attack may be launched...

CVSS 7.5 · AI score 5.8 · Exploits 0 · References 4
Positive Technologies · added 2024/08/15 12:00 a.m. · 2 views

PT-2024-38624 · Sourcecodester · Sourcecodester Online Graduate Tracer System

Name of the Vulnerable Software and Affected Versions: SourceCodester Online Graduate Tracer System version 1.0 Description: A critical issue was found in the system, affecting some unknown functionality of the file /tracking/admin/fetch_it.php. The manipulation of the request argument leads to s...

CVSS 7.5 · AI score 7 · EPSS 0.00062 · Exploits 1 · References 10
IBM Security Bulletins · added 2024/08/05 8:47 p.m. · 21 views

Security Bulletin: IBM Storage Ceph is vulnerable to the Exposure of Sensitive Information to an Unauthorized Actor in the RHEL UBI (CVE-2023-45143)

Summary RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2023-45143. Vulnerability Details CVEID: CVE-2023-45143 DESCRIPTION: Node.js undici module could allow a remote authenticated...

CVSS 3.9 · AI score 5.3 · EPSS 0.00116 · Exploits 0 · Affected Software 1
Microsoft CVE · added 2024/08/05 7:00 a.m. · 2 views

A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.

...

CVSS 8.2 · AI score 7 · EPSS 0.00051 · Exploits 1
OSSF Malicious Packages · added 2024/08/01 9:42 a.m. · 3 views

Malicious code in ndoe-fethc (npm)

The package contains a preinstall hook to execute unhook.js, which has cryptocurrency stealing functionality. --- -= Per source details. Do not edit below this line.=-...

AI score 7.2 · Exploits 0
UbuntuCve · added 2024/07/30 8:15 a.m. · 19 views

CVE-2024-42109

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally flush pending work before notifier syzbot reports: KASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831 KASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530...

CVSS 5.5 · AI score 6.4 · EPSS 0.00014 · Exploits 0 · References 23
Positive Technologies · added 2024/07/24 12:00 a.m. · 1 views

PT-2024-38065 · Red Hat · Openshift Console

Name of the Vulnerable Software and Affected Versions: Openshift console affected versions not specified Description: A flaw was found in the Openshift console, specifically in the /API/helm/verify endpoint, which is responsible for fetching and verifying the installation of a Helm chart from a...

CVSS 6.5 · AI score 6.6 · EPSS 0.00342 · Exploits 0 · References 9
RedHat Linux · added 2024/07/23 3:34 p.m. · 2 views

kernel: KVM: SEV-ES / SEV-SNP VMGEXIT double fetch vulnerability

A flaw was found in KVM AMD Secure Encrypted Virtualization SEV in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the VMGEXIT handler recursively. If an attacker manages to call the handler multiple time...

CVSS 5.6 · AI score 6.8 · EPSS 0.00013 · Exploits 0 · References 4
Tenable Nessus · added 2024/07/23 12:00 a.m. · 33 views

RHEL 9 : nodejs (RHSA-2024:4721)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:4721 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...

CVSS 6.5 · AI score 7 · EPSS 0.24971 · Exploits 1 · References 9
Cvelist · added 2024/07/17 5:48 p.m. · 19 views

CVE-2024-40636 Basic Auth Credential Leakage to Logs After Fetch Registry Error in Steeltoe.Discovery.Eureka with Peer Awareness

Steeltoe is an open source project that provides a collection of libraries that helps users build production-grade cloud-native applications using externalized configuration, service discovery, distributed tracing, application management, and more. When utilizing multiple Eureka server service UR...

CVSS 5.3 · EPSS 0.00064 · Exploits 0 · References 1
Vulnrichment · added 2024/07/17 5:48 p.m. · 29 views

CVE-2024-40636 Basic Auth Credential Leakage to Logs After Fetch Registry Error in Steeltoe.Discovery.Eureka with Peer Awareness

Steeltoe is an open source project that provides a collection of libraries that helps users build production-grade cloud-native applications using externalized configuration, service discovery, distributed tracing, application management, and more. When utilizing multiple Eureka server service UR...

CVSS 5.3 · AI score 7.3 · EPSS 0.00064 · Exploits 0 · References 1
RedHat Linux · added 2024/07/16 12:49 p.m. · 6 views

nodejs: using the fetch() function to retrieve content from an untrusted URL leads to denial of service

A flaw was found in Node.js that allows a denial of service attack through resource exhaustion when using the fetch function to retrieve content from an untrusted URL. The vulnerability stems from the fetch function in Node.js that always decodes Brotli, making it possible for an attacker to caus...

CVSS 6.5 · AI score 7.3 · EPSS 0.00636 · Exploits 0 · References 4
Tenable Nessus · added 2024/07/12 12:00 a.m. · 26 views

RHEL 8 : grafana (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - nodejs-underscore: Arbitrary code execution via the template function CVE-2021-23358 - node-fetch is...

CVSS 7.5 · AI score 8.2 · EPSS 0.01452 · Exploits 5 · References 6
OSV · added 2024/07/11 1:04 a.m. · 15 views

MGASA-2024-0262 Updated php packages fix security vulnerability

This update ships the latest version of php 8.2. It brings fixed security issues and the usual bug fixes. Vulnerability: A code logic error, filtering functions such as filter_var when validating URLs FILTER_VALIDATE_URL for certain types of URLs the function will result in invalid user information...

CVSS 5.3 · AI score 5.9 · EPSS 0.03579 · Exploits 1 · References 5
OSV · added 2024/07/09 1:32 p.m. · 2 views

GHSA-3G92-W8C5-73PQ Undici vulnerable to data leak when using response.arrayBuffer()

Impact Depending on network and process conditions of a fetch request, response.arrayBuffer might include portion of memory from the Node.js process. Patches This has been patched in v6.19.2. Workarounds There are no known workaround. References https://github.com/nodejs/undici/issues/3337...

CVSS 2 · AI score 5.8 · EPSS 0.00355 · Exploits 0 · References 7
Github Security Blog · added 2024/07/09 1:32 p.m. · 27 views

Undici vulnerable to data leak when using response.arrayBuffer()

Impact Depending on network and process conditions of a fetch request, response.arrayBuffer might include portion of memory from the Node.js process. Patches This has been patched in v6.19.2. Workarounds There are no known workaround. References https://github.com/nodejs/undici/issues/3337...

CVSS 2 · AI score 6.8 · EPSS 0.00355 · Exploits 0 · References 7 · Affected Software 1
UbuntuCve · added 2024/07/08 9:15 p.m. · 20 views

CVE-2024-38372

Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a fetch request, response.arrayBuffer might include portion of memory from the Node.js process. This has been patched in v6.19.2...

CVSS 2 · AI score 5.7 · EPSS 0.00355 · Exploits 0 · References 7
Positive Technologies · added 2024/07/08 12:00 a.m. · 2 views

PT-2024-27966 · Node.Js · Undici

Name of the Vulnerable Software and Affected Versions: Undici versions prior to 6.19.2 Description: Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a fetch request, response.arrayBuffer might include a portion of memory from the Node....

CVSS 2 · AI score 6.8 · EPSS 0.00355 · Exploits 0 · References 17
OSV · added 2024/07/05 8:07 p.m. · 13 views

GHSA-P9CG-VQCC-GRCX Server Side Request Forgery (SSRF) attack in Fedify

Summary At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the @id or other resources present within the activity it has received from the web. This activity could reference an @id that points to an internal IP address,...

CVSS 7.2 · AI score 7.1 · EPSS 0.00078 · Exploits 0 · References 6