Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources

A flaw was found in the way KVM hypervisor handled instruction emulation for the L2 guest when nested=1 virtualization is enabled. In the instruction emulation, the L2 guest could trick the L0 hypervisor into accessing sensitive bits of the L1 hypervisor. An L2 guest could use this flaw to...

openldap: denial of service via nested boolean expressions in LDAP search filters

In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service daemon crash...

Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources

A flaw was found in the way KVM hypervisor handled instruction emulation for the L2 guest when nested=1 virtualization is enabled. In the instruction emulation, the L2 guest could trick the L0 hypervisor into accessing sensitive bits of the L1 hypervisor. An L2 guest could use this flaw to...

A flaw was found in the way KVM hypervisor handled x2APIC Machine Specific Rregister (MSR) access with nested(=1) virtualization enabled. In that L1 guest could access L0's APIC register values via L2 guest when 'virtualize x2APIC mode' is enabled. A guest could use this flaw to potentially crash the host kernel resulting in DoS issue. Kernel versions from 4.16 and newer are vulnerable to this issue.

...

dovecot: Resource exhaustion via deeply nested MIME parts

A flaw was found in dovecot. A remote attacker could cause a denial of service by repeatedly sending emails containing MIME parts containing malicious content of which dovecot will attempt to parse. The highest threat from this vulnerability is to system availability...

Important: Red Hat Security Advisory: dovecot security update

An update for dovecot is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...

CentOS 7 : dovecot (RHSA-2020:3617)

The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3617 advisory. - In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service resource...

libsndfile:sndfile_fuzzer: Nested bug in the same thread, aborting. with empty stacktrace

Detailed Report: https://oss-fuzz.com/testcase?key=5087344745775104 Project: libsndfile Fuzzing Engine: libFuzzer Fuzz Target: sndfilefuzzer Job Type: libfuzzermsanlibsndfile Platform Id: linux Crash Type: Nested bug in the same thread, aborting. Crash Address: Crash State: NULL Sanitizer: memory...

PT-2020-15864 · Taylor Otwell · Laravel

Name of the Vulnerable Software and Affected Versions: Laravel versions prior to 6.18.35 Laravel versions 7.x prior to 7.24.0 Description: An issue was discovered in Laravel where the $guarded property is mishandled in certain situations involving requests with JSON column nesting expressions...

dovecot: Resource exhaustion via deeply nested MIME parts

A flaw was found in dovecot. A remote attacker could cause a denial of service by repeatedly sending emails containing MIME parts containing malicious content of which dovecot will attempt to parse. The highest threat from this vulnerability is to system availability...

Malicious Package in mx-nested-menu

Version 0.1.30 of mx-nested-menu contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and evaluat...

GHSA-48HW-37G6-3GW4 Malicious Package in mx-nested-menu

Version 0.1.30 of mx-nested-menu contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and evaluat...

RHEL 7 : dovecot (RHSA-2020:3617)

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3617 advisory. Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3...

c-blosc2:decompress_fuzzer: Nested bug in the same thread, aborting. with empty stacktrace

Detailed Report: https://oss-fuzz.com/testcase?key=6211547465252864 Project: c-blosc2 Fuzzing Engine: libFuzzer Fuzz Target: decompressfuzzer Job Type: libfuzzermsanc-blosc2 Platform Id: linux Crash Type: Nested bug in the same thread, aborting. Crash Address: Crash State: NULL Sanitizer: memory...

USN-4456-2 dovecot vulnerabilities

USN-4456-1 fixed several vulnerabilities in Dovecot. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: It was discovered that Dovecot incorrectly handled deeply nested MIME parts. A remote attacker could possibly use this issue to cause Dovecot to...

ALPINE-CVE-2020-12100

In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service resource consumption via a crafted e-mail message with deeply nested MIME parts...

DEBIAN-CVE-2020-12100

In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service resource consumption via a crafted e-mail message with deeply nested MIME parts...

USN-4456-1 dovecot vulnerabilities

It was discovered that Dovecot incorrectly handled deeply nested MIME parts. A remote attacker could possibly use this issue to cause Dovecot to consume resources, resulting in a denial of service. CVE-2020-12100 It was discovered that Dovecot incorrectly handled memory when using NTLM. A remote...

UBUNTU-CVE-2020-12100

In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service resource consumption via a crafted e-mail message with deeply nested MIME parts...

PT-2020-5172 · Dovecot +6 · Dovecot +6

Name of the Vulnerable Software and Affected Versions: Dovecot versions prior to 2.3.11.3 Description: The issue is caused by uncontrolled recursion in submission, lmtp, and lda, allowing remote attackers to cause a denial of service via a crafted e-mail message with deeply nested MIME parts...