OPENSUSE-SU-2021:3454-1 Security update for krb5
This update for krb5 fixes the following issues: - CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929)...
missing clamps for decimal args in external functions
Impact: The following code does not properly validate that its input is in bounds. python: @external def foo(x: decimal) -> decimal: return x Patches: 0.3.0 / #2447 Workarounds: Don't use decimal args...
MGASA-2021-0452 Updated apache-mod_auth_openidc packages fix security vulnerability
In versions prior to 2.4.9, oidc_validate_redirect_url does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. CVE-2021-32786 In mod_auth_openidc before version 2.4.9, the AES GCM encrypti...
PT-2021-10295 · Jfinalcms · Jfinalcms
Name of the Vulnerable Software and Affected Versions: Jfinal CMS versions 4.7.1 and earlier Description: The issue allows remote attackers to obtain sensitive information and/or execute arbitrary code via the FileManager.rename function in the component...
CVE-2021-23048
CVE-2021-23048 is a TMM GTP vulnerability in BIG-IP. When a GTP iRules command or GTP profile is configured on a virtual server, undisclosed GTP messages can cause TMM to terminate, potentially causing DoS by restarting the TMM. Connected advisories confirm affected product/version ranges and exp...
PT-2021-22411 · Xstream +5 · Xstream +5
Name of the Vulnerable Software and Affected Versions: XStream versions prior to 1.4.18 Description: The issue allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. Users who set up XStream's security framework with a whitelist...
PYSEC-2021-585
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to tf.raw_ops.SdcaOptimizerV2. The implementation does not check that the length of...
PYSEC-2021-279
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in all operations of type tf.raw_ops.MatrixDiagV*. The implementation has incomplete validation that the value of k is a valid...
CVE-2021-3655
A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. Recent assessments: fevar54 at August 08, 2021 4:18pm UTC reported: Consider implementing plans for...
Misinterpretation of malicious XML input
Impact xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. Patches Update to one of the fixed versions of @xmldom/xmld...
Improperly Controlled Modification of Object Prototype Attributes
Impact The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. Patches [email protected] patched it, anyone used think-config should...
PT-2021-19453 · Unknown · Open Plc Webserver
Name of the Vulnerable Software and Affected Versions: Open PLC Webserver version 3 Description: Command Injection in Open PLC Webserver allows remote attackers to execute arbitrary code via the Hardware Layer Code Box component on the "/hardware" page of the application. Recommendations: As a...
PT-2021-7872 · Offis +5 · Dcmtk +5
Name of the Vulnerable Software and Affected Versions: OFFIS DCMTK versions prior to 3.6.7 Description: The issue is related to a NULL pointer dereference vulnerability while processing DICOM files, which may result in a denial-of-service condition. This vulnerability is associated with errors in...
NVIDIA Patches High-Severity GeForce Spoof-Attack Bug
NVIDIA gaming graphics software called GeForce Experience, bundled with the chipmaker’s popular GTX GPU, is flawed and opens the door to a remote attacker that can exploit the bug to steal or manipulate data on a vulnerable Windows computer. NVIDIA notified customers late last week of the bug and...
SUSE-SU-2021:2158-1 Security update for openexr
This update for openexr fixes the following issues: - Fixed CVE-2021-3605 (bsc#1187395): Heap buffer overflow in the rleUncompress function - Fixed CVE-2021-3598 (bsc#1187310): Heap buffer overflow in Imf_3_1::CharPtrIO::readChars...
GHSA-6RG3-8H8X-5XFV Unchecked hostname resolution could allow access to local network resources by users outside the local network
Impact A newly implemented route allowing users to download files from remote endpoints was not properly verifying the destination hostname for user provided URLs. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. This...
Multiple cross-site scripting vulnerabilities in EC-CUBE
Overview EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple cross-site scripting vulnerabilities listed below. Cross-site scripting vulnerability CWE-79 - CVE-2021-20750 Cross-site scripting vulnerability CWE-79 - CVE-2021-20751 hibiki moriyama of STNet, Incorporated reported these...
MGASA-2021-0229 Updated lz4 packages fix a security vulnerability
An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential...
Cisco SD-WAN Software Signature Verification Bypass Vulnerability
A vulnerability in the Image Signature Verification feature of Cisco SD-WAN Software could allow an authenticated, remote attacker with Administrator-level credentials to install a malicious software patch on an affected device. The vulnerability is due to improper verification of digital...
SolarWinds Hack and the Case of DNS Security
It's not news that some of the top government agencies and companies in the world were victims of the SolarWinds attack. At this point, I can say it's the reason I didn't have a smoother transition back into work-life following a long vacation. As I understand it, the breaches happened after...