AZL-56446 CVE-2024-27137 affecting package cassandra 4.0.10-1

In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these...

PT-2026-2482

Name of the Vulnerable Software and Affected Versions cmd/go affected versions not specified Description A malicious file created using cmd/go can result in a write operation to a file controlled by an attacker, with partial control over the file's content. The issue stems from the use of the 'cg...

PT-2026-2489

Name of the Vulnerable Software and Affected Versions Go affected versions not specified Description A flaw exists where downloading and building modules with malicious version strings can lead to local code execution. Systems utilizing Mercurial hg are susceptible to unexpected code execution wh...

SUSE CVE-2024-56687

In the Linux kernel, the following vulnerability has been resolved: usb: musb: Fix hardware lockup on first Rx endpoint request There is a possibility that a request's callback could be invoked from usbepqueue call trace below, supplemented with missing calls: req-complete from...

UBUNTU-CVE-2024-56687

In the Linux kernel, the following vulnerability has been resolved: usb: musb: Fix hardware lockup on first Rx endpoint request There is a possibility that a request's callback could be invoked from usbepqueue call trace below, supplemented with missing calls: req-complete from...

CVE-2024-56540 accel/ivpu: Prevent recovery invocation during probe and resume

In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Prevent recovery invocation during probe and resume Refactor IPC send and receive functions to allow correct handling of operations that should not trigger a recovery process. Expose ivpusendreceiveinternal, which is...

CVE-2024-56540

In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Prevent recovery invocation during probe and resume Refactor IPC send and receive functions to allow correct handling of operations that should not trigger a recovery process. Expose ivpusendreceiveinternal, which is...

CVE-2024-56540

The CVE-2024-56540 entry concerns the Linux kernel, affecting the acceleration driver path for ivpu. It patches IPC send/receive flows to avoid triggering recovery during probe/resume by exposing ivpu_send_receive_internal() and adjusting ivpu_probe() and ivpu_resume() paths to propagate errors g...

SUSE CVE-2024-53099

In the Linux kernel, the following vulnerability has been resolved: bpf: Check validity of link-type in bpflinkshowfdinfo If a newly-added link type doesn't invoke BPFLINKTYPE, accessing bpflinktypestrslink-type may result in an out-of-bounds access. To spot such missed invocations early in the...

CVE-2024-50263 fork: only invoke khugepaged, ksm hooks if no error

In the Linux kernel, the following vulnerability has been resolved: fork: only invoke khugepaged, ksm hooks if no error There is no reason to invoke these hooks early against an mm that is in an incomplete state. The change in commit d24062914837 "fork: use mtdup to duplicate maple tree in dupmma...

CVE-2024-23370 Use After Free in Automotive Multimedia

Memory corruption when a process invokes IOCTL calls from user-space to create a HAB virtual channel and another process invokes IOCTL calls to destroy the same...

CVE-2023-50883

ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an immediately-invoked function expression IIFE, and therefore a sandbox escape is possible by directly calling the constructor of the Function object. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446...

Announcing the CVRF API 3.0 upgrade

At the Microsoft Security Response Center, we are committed to continuously improving the security and performance of our services to meet the evolving needs of our customers. We are excited to announce the rollout of the latest version of our Common Vulnerability Reporting CVRF API. This update...

CVE-2024-35223 Dapr API Token Exposure

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes of a leak of the application token of the invoker app to the invoked app when using Dapr as a...

Dapr API Token Exposure

Summary A vulnerability has been found in Dapr that causes a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This issue arises because Dapr sends the app token of the invoker app instead of the app token of the...

GHSA-284C-X8M7-9W5H Dapr API Token Exposure

Summary A vulnerability has been found in Dapr that causes a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This issue arises because Dapr sends the app token of the invoker app instead of the app token of the...

CLSA-2024-1716272273 less: Fix of CVE-2022-48624

CVE-2022-48624: filename.c: shell-quote filenames when invoking LESSCLOSE...

CLSA-2024-1716271951 less: Fix of CVE-2022-48624

CVE-2022-48624: shell-quote filenames when invoking LESSCLOSE...

Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns

Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that delivers Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware. "These campaigns typically involve a recognizable infection chain involving oversized...

CLSA-2024-1713523598 less: Fix of CVE-2022-48624

CVE-2022-48624: shell-quote filenames when invoking LESSCLOSE...