zeek -- potential DoS vulnerabilities
Tim Wojtulewicz of Corelight reports: A specially-crafted SSL packet could cause Zeek to leak memory and potentially crash. A specially-crafted series of FTP packets could cause Zeek to log entries for requests that have already been completed, using resources unnecessarily and potentially causin...
openexr -- Heap Overflow in Scanline Deep Data Parsing
Austin Hackers Anonymous report: Due to a failure in validating the number of scanline samples of an OpenEXR file containing deep scanline data, Academy Software Foundation OpenEXR image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. ... it is...
open-vm-tools -- Multiple vulnerabilities
VMware reports: This update includes 2 security fixes: High, CVE-2023-34058: SAML token signature bypass vulnerability; High, CVE-2023-34059: File descriptor hijack vulnerability in the vmware-user-suid-wrapper...
xorg-server -- Multiple vulnerabilities
The X.Org project reports: ZDI-CAN-22153/CVE-2023-5367: X.Org server: OOB write in XIChangeDeviceProperty/RRChangeOutputProperty. When prepending values to an existing property an invalid offset calculation causes the existing values to be appended at the wrong offset. The resulting memcpy would...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update includes 2 security fixes: 1491296 High CVE-2023-5472: Use after free in Profiles. Reported by @18楼梦想改造家 on 2023-10-10...
OpenSSL -- potential loss of confidentiality
The OpenSSL team reports: Moderate severity: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers...
squid -- Multiple vulnerabilities
The squid-cache project reports: Denial of Service in FTP; Request/Response smuggling in HTTP/1.1 and ICAP; Denial of Service in HTTP Digest Authentication...
sdl2_sound -- multiple vulnerabilities
GitHub Security Lab reports: stb_image.h and stb_vorbis libraries contain several memory access violations of different severity. Wild address read in stbi__gif_load_next (GHSL-2023-145). Multi-byte read heap buffer overflow in stbi__vertical_flip (GHSL-2023-146). Disclosure of uninitialized memory in...
Apache httpd -- Multiple vulnerabilities
The Apache httpd project reports: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST; CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0; CVE-2023-31122: mod_macro buffer over-read...
electron{25,26} -- Use after free in Site Isolation
Electron developers report: This update fixes the following vulnerability: Security: backported fix for CVE-2023-5218...
redis -- Possible bypassing Unix socket permissions
Redis core team reports: The wrong order of listen(2) and chmod(2) calls creates a race condition that can be used by another process to bypass desired Unix socket permissions on startup...
Request Tracker -- multiple vulnerabilities
Request Tracker reports: CVE-2023-41259 SECURITY: RT is vulnerable to unvalidated email headers in incoming email and the mail-gateway REST interface. CVE-2023-41260 SECURITY: RT is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST...
jenkins -- HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins Security Advisory: Description: High, SECURITY-3291 / CVE-2023-36478, CVE-2023-44487: HTTP/2 denial of service vulnerability in bundled Jetty...
MySQL -- Multiple vulnerabilities
Oracle reports: This Critical Patch Update contains 37 new security patches, plus additional third party patches noted below, for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials...
putty -- add protocol extension against 'Terrapin attack'
Simon Tatham reports: PuTTY version 0.80 contains one security fix ... for a newly discovered security issue known as the 'Terrapin' attack, also numbered CVE-2023-48795. The issue affects widely-used OpenSSH extensions to the SSH protocol: the ChaCha20+Poly1305 cipher system, and...
nebula -- security fix for terrapin vulnerability
Upstream reports: Security fix: Update golang.org/x/crypto, which includes a fix for CVE-2023-48795...
Roundcube -- XSS vulnerability in SVG
The Roundcube project reports: cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages...
mantis -- multiple vulnerabilities
Mantis 2.25.8 release reports: Security and maintenance release. 0032432: Update guzzlehttp/psr7 to 1.9.1 (CVE-2023-29197); 0032981: Information Leakage on DokuWiki Integration (CVE-2023-44394)...
electron25 -- Use after free in extensions vulnerability
Electron developers report: This update fixes the following vulnerability: Security: backported fix for CVE-2023-5187...
apache -- Apache ZooKeeper: Authorization bypass in SASL Quorum Peer Authentication
[email protected] reports: Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is liste...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update includes 20 security fixes: 1487110 Critical CVE-2023-5218: Use after free in Site Isolation. Reported by @18楼梦想改造家 on 2023-09-27; 1062251 Medium CVE-2023-5487: Inappropriate implementation in Fullscreen. Reported by Anonymous on 2020-03-17; 1414936 Medium...
traefik -- Resource exhaustion by malicious HTTP/2 client
The traefik authors report: There is a vulnerability in Go managing HTTP/2 requests, which impacts Traefik. This vulnerability could be exploited to cause a denial of service...
h2o -- HTTP/2 Rapid Reset attack vulnerability
Kazuo Okuhu reports: H2O is vulnerable to the HTTP/2 Rapid Reset attack. An attacker might be able to consume more than an adequate amount of processing power of h2o and the backend servers by mounting the attack...
libcue -- out-of-bounds array access
The libcue team reports: There is a vulnerability to out-of-bounds array access...
FreeBSD -- msdosfs data disclosure
Problem Description: In certain cases using the truncate or ftruncate system call to extend a file size populates the additional space in the file with unallocated data from the underlying disk device, rather than zero bytes. Impact: A user with write access to files on a msdosfs file system may ...
FreeBSD -- copy_file_range insufficient capability rights check
Problem Description: The syscall checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the syscall must additionally require the CAP_SEEK capability. Impact: A sandboxed process with on...
FreeBSD -- arm64 boot CPUs may lack speculative execution protections
Problem Description: On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized. Impact: No speculative execution workarounds are installed on CPU 0...
chromium -- type confusion in v8
Chrome Releases reports: This update includes 1 security fix: 1485829 High CVE-2023-5346: Type Confusion in V8. Reported by Amit Kumar on 2023-09-22...
Django -- multiple vulnerabilities
Django reports: CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator...
curl -- SOCKS5 heap buffer overflow
The curl team reports: This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255...
OptiPNG -- Global-buffer-overflow
Frank-Z7 reports: Running optipng with the "-zm 3 -zc 1 -zw 256 -snip -out" configuration options enabled raises a global-buffer-overflow bug, which could allow a remote attacker to conduct a denial-of-service attack or other unspecified effect on a crafted file...
Remote Code Execution via web-accessible composer
Composer project reports: Description: Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has register_argc_argv enabled in php.ini. Workaround: Make sure register_argc_argv is disabled in php.ini, and...
Gitlab -- vulnerabilities
Attacker can add other projects' policy bot as member to their own project and use that bot to trigger pipelines in the victim's project. Group import allows impersonation of users in CI pipelines. Developers can bypass code owners approval by changing an MR's base branch. Leaking source code of restricted...
electron{22,24,25} -- Heap buffer overflow in vp8 encoding in libvpx
Electron developers report: This update fixes the following vulnerability: Security: backported fix for CVE-2023-5217...
Phishing through a login page malicious URL in GLPI
[email protected] reports: GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. The lack of path filtering on the GLPI URL may allow an attacker t...
Unallowed PHP script execution in GLPI
From the GLPI 10.0.10 Changelog: You will find below security issues fixed in this bugfixes version: SECURITY - Critical Unallowed PHP script execution CVE-2023-42802. The mentioned CVE is invalid...
Account takeover via SQL Injection in UI layout preferences in GLPI
[email protected] reports: GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL...
Users login enumeration by unauthenticated user in GLPI
[email protected] reports: GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can enumerate users logins. Users are...
Privilege Escalation from technician to super-admin in GLPI
[email protected] reports: GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. A user with write access to another user can make requests to chan...
Account takeover through API in GLPI
[email protected] reports: GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. An API user that has read access on users resource can steal...
File deletion through document upload process in GLPI
[email protected] reports: GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files...
xrdp -- unchecked access to font glyph info
xrdp team reports: Access to the font glyphs in xrdp_painter.c is not bounds-checked. Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On...
Sensitive fields enumeration through API in GLPI
[email protected] reports: GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. An API user can enumerate sensitive fields values on resources on...
Account takeover via Kanban feature in GLPI
[email protected] reports: GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. A logged user from any profile can hijack the Kanban feature to...
chromium -- multiple vulnerabilities
Chrome Releases reports: This update includes 10 security fixes: 1486441 High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-09-25; 1478889 High CVE-2023-5186: Use after free in Passwords. Reported by pwn2car on...
glpi-project -- SQL injection in ITIL actors in GLPI
[email protected] reports: GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to...
Mailpit affected by vulnerability in included go markdown module
Mailpit author reports: Update Go modules to address CVE-2023-42821 go markdown module DoS...
x11/libXpm -- multiple vulnerabilities
The X.Org project reports: CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer. An out-of-bounds read is located in ParseComment when reading from a memory buffer instead of a file, as it continued to look for the closing comment marker past the end of the buffer. CVE-2023-43789: Out...
x11/libX11 -- multiple vulnerabilities
The X.Org project reports: CVE-2023-43785: out-of-bounds memory access in XkbReadKeySyms. When libX11 is processing the reply from the X server to the XkbGetMap request, if it detected the number of symbols in the new map was less than the size of the buffer it had allocated, it always added room...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description: Medium, SECURITY-3261 / CVE-2023-43494: Builds can be filtered by values of sensitive build variables; High, SECURITY-3245 / CVE-2023-43495: Stored XSS vulnerability; High, SECURITY-3072 / CVE-2023-43496: Temporary plugin file created with insecure permissions; Low...